Cimian is an open-source software deployment solution designed for managing and automating software installations on Windows. Heavily inspired by the wonderful and dearly loved Munki project, Cimian allows Windows admins to manage software packages through a webserver-based repository of packages and metadata, enabling automated deployments, updates, and removals at scale in a programmatic manner. Cimian is built with modern Windows environments in mind, supporting both x64 and ARM64 architectures, and is optimized for integration with Microsoft Intune and device management services.

Cimian aims to allow Mac Admins that manage Windows with Munki to have a similar experience on Windows and to provide Windows Admins with a powerful and flexible tool for software management or those looking to transition away from traditional imaging and towards modern management with Git and DevOps principles.

Cimian is developed in C# using .NET 10. It leverages a YAML-based configuration system for easy management and customization, and includes native a WPF GUI application for end-user self-service software installation.

Cimian is ideal for organizations of all sizes looking to streamline their Windows software deployment processes. It can be used in small environments with just a few machines, or scaled up to manage thousands of systems across multiple locations.

• Automated Package Management: Streamline software packaging, metadata management, and distribution
• Flexible YAML Configuration: Easily configure and manage settings through clear, YAML-based config files
• Multi-format Installer Support: Supports MSI, MSIX, EXE, PowerShell scripts, and NuGet .nupkg custom packages formats
• Bootstrap Mode: for zero-touch deployment and system provisioning
• Conditional Items: Advanced evaluation system for dynamic software deployment based on system facts (hostname, architecture, OS version, domain, machine type, etc.) with simplified string syntax
• Enterprise Integration: Built for Microsoft Intune with .intunewin support and other Deployment Management Services.

Cimian consists of a comprehensive suite of command-line tools, services, and GUI applications that work together to provide a complete software management solution:

All binaries are built for both x64 and ARM64 architectures and installed to C:\Program Files\Cimian\.

managedsoftwareupdate.exe - Primary Client Agent

• Core client-side component for software installation and management
• Handles automatic software updates, installations, and removals
• Supports bootstrap mode for zero-touch deployments
• Manages software manifests and catalog synchronization
• Features comprehensive logging and error handling
• Supports multiple installer types (MSI, EXE, PowerShell, file copying)
• Includes self-update capabilities and privilege elevation
• Provides command-line interface for administrative tasks

manifestutil.exe - Manifest Management Tool

• Command-line utility for managing deployment manifests
• Creates, modifies, and maintains software deployment lists
• Supports adding/removing packages from managed installations
• Handles self-service software request management
• Provides manifest validation and organization

cimiimport.exe - Package Import and Metadata Generator

• Automates importing software installers and generating deployment metadata
• Supports MSI, EXE, PowerShell scripts, and file-based installations
• Extracts metadata automatically (version, product codes, dependencies)
• Generates YAML pkginfo files with installation instructions
• Integrates with cloud storage (AWS S3, Azure Blob Storage) for package distribution
• Handles script integration (pre/post install and uninstall scripts)
• Features interactive and non-interactive configuration modes

cimipkg.exe - NuGet Package Creator

• Creates deployable NuGet packages (.nupkg) from project directories
• Supports both installer-type and copy-type package deployments
• Generates Chocolatey-compatible installation scripts
• Handles PowerShell script signing and embedding
• Optionally creates .intunewin packages for Microsoft Intune deployment
• Manages version normalization and metadata validation

makecatalogs.exe - Software Catalog Generator

• Scans repository and generates software catalogs from pkginfo metadata
• Creates organized YAML catalog files (Testing, Production, All, etc.)
• Validates package payload integrity and reports missing files
• Supports catalog-based software targeting and deployment

makepkginfo.exe - Package Info Generator

• Creates pkginfo metadata files for software packages
• Extracts installer metadata and generates deployment configurations
• Supports direct package analysis and metadata generation workflows

repoclean.exe - Repository Cleaner

• Removes older, unused software items from a Cimian repository
• Keeps a configurable number of recent versions per package (--keep, default 2)
• Runs as a dry-run by default; use --remove to actually delete
• Supports --auto for non-interactive cleanup in CI/CD pipelines

cimitrigger.exe - Deployment Trigger Tool

• Initiates software deployment processes on-demand
• Supports both GUI and headless deployment modes
• Handles privilege elevation and process management
• Provides diagnostic capabilities for troubleshooting
• Integrates with CimianWatcher service for responsive deployments

cimiwatcher.exe - Bootstrap Monitoring Service

• Windows service that monitors for deployment trigger files
• Enables near-real-time software deployment via MDM platforms
• Supports dual-mode operation (GUI and headless bootstrap)
• Handles automatic service recovery and error management
• Integrates with self-update system for service maintenance
• Provides comprehensive event logging for enterprise monitoring

Managed Software Center.exe - End-User Self-Service Application

• WinUI 3 application providing a self-service software catalog
• Browse, install, update, and remove optional software without admin rights
• Organized pages for Software, Categories, My Items, Updates, and History
• Item detail views with descriptions, screenshots, and version info
• Built-in log viewer for diagnosing installation issues
• Theme-aware UI that follows the Windows system light/dark setting

A typical Cimian repository follows this structure:

CimianRepo/
├── catalogs/           # Generated catalog files
│   ├── All.yaml
│   ├── Testing.yaml
│   └── Production.yaml
├── manifests/          # Client deployment manifests
│   ├── site_default.yaml
│   └── computer_groups/
├── pkgs/              # Software package storage
│   ├── Adobe/
│   ├── Microsoft/
│   └── ...
└── pkgsinfo/          # Package metadata
    ├── Adobe/
    └── Microsoft/

managedsoftwareupdate:

sudo managedsoftwareupdate --help   
Usage of C:\Program Files\Cimian\managedsoftwareupdate.exe:
      --auto                         Perform automatic updates.
      --cache-status                 Show cache status and statistics.
      --check-selfupdate             Check if self-update is pending.
      --checkonly                    Check for updates, but don't install them.
      --clear-bootstrap-mode         Disable bootstrap mode.
      --clear-selfupdate             Clear pending self-update flag.
      --installonly                  Install pending updates without checking for new ones.
      --item strings                 Install only the specified package name(s). Can be repeated or given as a comma-separated list.
      --local-only-manifest string   Use specified local manifest file instead of server manifest.
      --manifest string              Process only the specified manifest from server (e.g., 'Shared/Curriculum/RenderingFarm'). Automatically skips preflight.
      --no-postflight                Skip postflight script execution.
      --no-preflight                 Skip preflight script execution.
      --perform-selfupdate           Perform pending self-update (internal use).
      --postflight-only              Run only the postflight script and exit.
      --preflight-only               Run only the preflight script and exit.
      --restart-service              Restart CimianWatcher service and exit.
      --selfupdate-status            Show self-update status and exit.
      --set-bootstrap-mode           Enable bootstrap mode for next boot.
      --show-config                  Display the current configuration and exit.
      --show-status                  Show status window during operations (bootstrap mode).
      --validate-cache               Validate cache integrity and remove corrupt files.
  -v, --verbose count                Increase verbosity (e.g. -v, -vv, -vvv, -vvvv)
      --version                      Print the version and exit.
pflag: help requested

# Import a new software package
cimiimport.exe "C:\Installers\Firefox.exe" --arch x64

# Create a NuGet package from project directory
cimipkg.exe "C:\Projects\MyApp"

# Generate catalogs from repository
makecatalogs.exe

# Add software to managed installations
manifestutil.exe --add-pkg "Firefox" --manifest "site_default"

# Check for and install updates
managedsoftwareupdate.exe --auto

# Run only preflight script for testing
managedsoftwareupdate.exe --preflight-only

# Run only postflight script for testing
managedsoftwareupdate.exe --postflight-only

# Trigger GUI update process
cimitrigger.exe gui

# Run diagnostic tests
cimitrigger.exe debug

Cimian is distributed in multiple formats to support different deployment scenarios:

• MSI Packages: Cimian-x64-{version}.msi and Cimian-arm64-{version}.msi for traditional Windows deployment
• NuGet Packages: CimianTools-x64-{version}.nupkg and CimianTools-arm64-{version}.nupkg for Chocolatey-based deployment
• Intune Packages: .intunewin files for Microsoft Intune deployment

1. Download and Install: Deploy the appropriate MSI package for your architecture
2. Configure Repository: Edit C:\ProgramData\ManagedInstalls\Config.yaml with your repository settings
3. Import Software: Use cimiimport.exe to import software packages into your repository
4. Generate Catalogs: Run makecatalogs.exe to create software catalogs
5. Deploy: Use bootstrap mode or direct execution for software deployment

Cimian includes a bootstrap system similar to Munki's, designed for zero-touch deployment scenarios where machines must complete all required software installations before users can log in.

1. Trigger Files:

   • C:\ProgramData\ManagedInstalls\.cimian.bootstrap - Bootstrap with GUI status window
   • C:\ProgramData\ManagedInstalls\.cimian.headless - Bootstrap without GUI (silent)

2. CimianWatcher Service: A Windows service monitors bootstrap trigger files every 10 seconds and automatically initiates software deployment

3. Dual Mode Operation:

   • GUI Mode: Shows CimianStatus window for visual progress monitoring
   • Headless Mode: Silent operation for automated scenarios

4. Automatic Process Management: The service handles process elevation, error recovery, and cleanup automatically

5. Integration Points: Works seamlessly with MDM platforms like Microsoft Intune for enterprise deployment

• Zero-touch deployment: Ship Windows machines with only Cimian installed; bootstrap completes the configuration
• System rebuilds: Ensure all required software is installed before first user login
• Provisioning automation: Integrate with deployment tools for fully automated system setup
• MDM Integration: Deploy via Microsoft Intune with .intunewin packages
• Responsive Updates: Near-real-time software deployment when triggered by management systems

# Example: Automated package import workflow
$packages = Get-ChildItem "C:\Installers" -Filter "*.exe"
foreach ($package in $packages) {
    & "C:\Program Files\Cimian\cimiimport.exe" $package.FullName --arch x64
}

# Generate catalogs after import
& "C:\Program Files\Cimian\makecatalogs.exe"

The project uses a comprehensive PowerShell build system (build.ps1) that:

• Builds all binaries for x64 and ARM64 architectures
• Handles code signing with enterprise certificates
• Creates MSI and NuGet packages automatically
• Supports development mode for rapid iteration
• Integrates with CI/CD pipelines

# Full build with automatic signing
.\build.ps1 -Sign

# Build specific binary only
.\build.ps1 -Binary cimistatus -Sign

# Build all binaries without packaging
.\build.ps1 -Sign -Binaries

# Create Intune packages
.\build.ps1 -Sign -IntuneWin

# Package existing binaries without rebuilding
.\build.ps1 -Sign -PackageOnly

The build system uses environment variables for sensitive configuration data such as code signing certificates.

1. Copy .env.example to .env:

   Copy-Item .env.example .env

2. Edit .env with your organization's certificate information:

   CIMIAN_CERT_CN=YourOrganization Enterprise Certificate
   CIMIAN_CERT_SUBJECT=YourOrganization
   

Security Note: The .env file is automatically ignored by git and should never be committed. Always use .env.example as a template for new environments.

Cimian uses a YAML-based configuration system located at C:\ProgramData\ManagedInstalls\Config.yaml:

# Basic Configuration
software_repo_url: https://cimian.yourdomain.com/
client_identifier: MyComputer-01
force_basic_auth: false
default_arch: x64
default_catalog: Testing

# Repository Settings  
repo_path: "C:\\CimianRepo"
cloud_provider: none  # Options: aws, azure, none
managed_installs_dir: "C:\\ProgramData\\ManagedInstalls"

# Update Behavior
auto_update_enabled: true
auto_update_check_interval: 24  # hours
installer_timeout_minutes: 30
max_concurrent_downloads: 3

# Logging Configuration
log_level: INFO  # Options: DEBUG, INFO, WARNING, ERROR
log_max_size_mb: 10
log_retention_days: 30

# Bootstrap Settings
bootstrap_timeout_minutes: 120
bootstrap_retry_attempts: 3

# Advanced Options
use_tls_verification: true
proxy_server: ""
custom_user_agent: "Cimian/1.0"

• Interactive Setup: Run cimiimport.exe --config for guided configuration
• Automatic Setup: Use cimiimport.exe --config-auto for non-interactive configuration
• Validation: Configuration is validated on startup with detailed error reporting

Manifests define what software should be installed on specific groups of computers. They are stored in the manifests/ directory of your repository.

name: "Site Default - Corporate Baseline"
catalogs:
  - Production

# Base software for all systems
managed_installs:
  - Firefox
  - GoogleChrome
  - AdobeReader
  - 7zip
  - WindowsUpdates

# Optional software available for installation
optional_installs:
  - VLCMediaPlayer
  - GIMP
  - NotePadPlusPlus

# Software to remove if found
managed_uninstalls:
  - OldSoftware
  - BloatwareApp

name: "Lab Computers - Educational Environment"
catalogs:
  - Testing
  - Education

# Base software for all lab computers
managed_installs:
  - BaseSecurityAgent
  - StudentMonitoringSoftware
  - SharedPrinterDrivers

# Conditional software based on system facts
conditional_items:
  # Engineering labs get CAD software
  - condition: "hostname CONTAINS ENG-LAB"
    managed_installs:
      - AutoCAD
      - SolidWorks
      - MATLAB
    
  # Art labs get creative software  
  - condition: "hostname CONTAINS ART-LAB"
    managed_installs:
      - AdobeCreativeSuite
      - Blender
      - SketchUp
      
  # x64 systems get modern applications
  - condition: "arch == x64"
    managed_installs:
      - ModernVideoEditor
    managed_uninstalls:
      - LegacyX86Software

# Microsoft Intune integration
managed_profiles:
  - EducationalWiFiProfile
  - StudentEmailProfile
  
managed_apps:
  - "Microsoft Teams"
  - "Microsoft Office"
  - "OneNote"

name: "Corporate Desktops"
catalogs:
  - Production
  - Corporate

managed_installs:
  - EnterpriseAntivirus
  - OfficeTools
  - CorporateVPN

# Complex conditional logic
conditional_items:
  # Executive desktops
  - conditions:
      - "hostname BEGINSWITH EXEC"
      - "domain == CORPORATE"
    condition_type: "AND"
    managed_installs:
      - ExecutiveSuite
      - PremiumOfficeAddins
      - VIPSupportTools
      
  # Developer machines
  - condition: "hostname CONTAINS DEV"
    managed_installs:
      - VisualStudio
      - GitForWindows
      - DockerDesktop
    optional_installs:
      - AdvancedDebugger
      - PerformanceProfiler
      
  # Domain join type specific software
  - condition: "joined_type == entra"
    managed_installs:
      - EntraIDTools
      - AzureADSync
  - condition: "joined_type == domain"
    managed_installs:
      - TraditionalDomainTools

Package info files define individual software packages and their installation details. They are stored in the pkgsinfo/ directory.

name: AdobeReader
display_name: "Adobe Acrobat Reader DC"
identifier: com.adobe.reader.dc
version: "24.003.20054"
description: "Adobe Acrobat Reader DC - Free PDF viewer"
catalogs:
  - Testing
  - Production
category: "PDF Tools"
developer: "Adobe Inc."

# Installation details
installer:
  type: msi
  size: 245760000
  location: Adobe/AcroRdrDC_2400320054_MUI.msi
  hash: "sha256:a1b2c3d4e5f6789..."
  product_code: "{AC76BA86-7AD7-1033-7B44-AC0F074E4100}"
  upgrade_code: "{AC76BA86-7AD7-1033-7B44-AC0F074E4100}"

# What files this package installs
installs:
  - type: file
    path: "C:\Program Files\Adobe\Acrobat DC\Reader\AcroRd32.exe"
    md5checksum: "d41d8cd98f00b204e9800998ecf8427e"
    version: "24.003.20054"

# System requirements
supported_architectures:
  - x64
  - x86
minimum_os_version: "10.0.19041"
unattended_install: true
unattended_uninstall: true

name: VisualStudio
display_name: "Microsoft Visual Studio Community 2022"
identifier: com.microsoft.visualstudio.community.2022
version: "17.8.3"
description: "Microsoft Visual Studio Community 2022 - Free IDE"
catalogs:
  - Development
  - Testing
category: "Development Tools"
developer: "Microsoft Corporation"

# EXE installer with custom arguments
installer:
  type: exe
  size: 4294967296
  location: Microsoft/VisualStudio/vs_community_2022.exe
  hash: "sha256:f8e7d6c5b4a39..."
  flags:
    - quiet
    - wait
    - add Microsoft.VisualStudio.Workload.ManagedDesktop
    - add Microsoft.VisualStudio.Workload.NetWeb

# Installation tracking
installs:
  - type: file
    path: "C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
    version: "17.8.34316.72"

# Custom scripts
preinstall_script: |
  # Check system requirements
  $ram = (Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory / 1GB
  if ($ram -lt 8) {
    throw "Visual Studio requires at least 8GB RAM"
  }
  Write-Host "System meets requirements"

postinstall_script: |
  # Configure Visual Studio settings
  $vsPath = "${env:ProgramFiles}\Microsoft Visual Studio\2022\Community"
  if (Test-Path $vsPath) {
    Write-Host "Visual Studio installed successfully"
    # Additional configuration here
  }

# Uninstaller
uninstaller:
  location: Microsoft/VisualStudio/vs_community_2022.exe
  arguments:
    - uninstall
    - --quiet
    - --wait

supported_architectures:
  - x64
minimum_os_version: "10.0.17763"
unattended_install: true
unattended_uninstall: true

name: SystemConfiguration
display_name: "Corporate System Configuration"
identifier: com.company.systemconfig
version: "1.2.0"
description: "Applies corporate system configuration settings"
catalogs:
  - Production
category: "System Configuration"
developer: "IT Department"

# PowerShell script installer
installer:
  type: ps1
  size: 8192
  location: Scripts/SystemConfiguration.ps1
  hash: "sha256:1a2b3c4d5e6f..."

# Script content (can also be external file)
preinstall_script: |
  # Backup current settings
  $backupPath = "C:\Temp\SystemBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
  New-Item -ItemType Directory -Path $backupPath -Force

postinstall_script: |
  # Verify configuration applied successfully
  Write-Host "System configuration completed"
  
  # Set registry values
  Set-ItemProperty -Path "HKLM:\SOFTWARE\Company\Config" -Name "LastUpdate" -Value (Get-Date)

# This is a script-only package - no file tracking needed
supported_architectures:
  - x64
  - arm64
  - x86
unattended_install: true
unattended_uninstall: false  # Scripts can't be "uninstalled"
OnDemand: false  # Run during normal update cycles

name: Office365
display_name: "Microsoft 365 Apps for Enterprise"
identifier: com.microsoft.office365.enterprise
version: "16.0.17126.20132"
description: "Microsoft 365 Apps for Enterprise suite"
catalogs:
  - Production
  - Corporate
category: "Office Applications"
developer: "Microsoft Corporation"

# Complex installer with configuration
installer:
  type: exe
  size: 6442450944
  location: Microsoft/Office365/setup.exe
  hash: "sha256:9f8e7d6c5b4a3..."
  arguments:
    - /configure
    - /quiet
    - /config:configuration.xml

# Multiple file installations tracked
installs:
  - type: file
    path: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    version: "16.0.17126.20132"
  - type: file  
    path: "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
    version: "16.0.17126.20132"
  - type: file
    path: "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE" 
    version: "16.0.17126.20132"

# Prerequisites and dependencies
requires:
  - DotNetFramework48
  - VisualCPPRedistributable

# Advanced uninstall handling
uninstaller:
  type: exe
  location: Microsoft/Office365/setup.exe
  arguments:
    - /configure
    - /quiet
    - /uninstall

uninstalls:
  - type: directory
    path: "C:\Program Files\Microsoft Office"
    recursive: true
    force: true
  - type: registry
    path: "HKLM\SOFTWARE\Microsoft\Office"
    recursive: true

# System requirements
supported_architectures:
  - x64
minimum_os_version: "10.0.19041"
maximum_os_version: ""
unattended_install: true
unattended_uninstall: true

Cimian features a powerful conditional items system inspired by Munki's NSPredicate-style conditions, allowing dynamic software deployment based on system facts like hostname, architecture, domain membership, and more. The system supports complex expressions with OR/AND operators, nested conditional items for hierarchical logic, and both simple string format and structured conditions.

Use natural language patterns with condition: for complex expressions:

conditional_items:
  # Basic hostname exclusion
  - condition: hostname DOES_NOT_CONTAIN "Camera"
    managed_installs:
      - StandardSoftware
      
  # Architecture-specific deployment
  - condition: arch == "x64"
    managed_installs:
      - ModernApplication
      
  # Multiple values using IN operator
  - condition: hostname IN "LAB-01,LAB-02,LAB-03"
    managed_installs:
      - LabSoftware

The conditional system supports complex OR/AND expressions within a single condition string:

conditional_items:
  # Complex OR expression in single condition
  - condition: hostname CONTAINS "Design-" OR hostname CONTAINS "Studio-" OR hostname CONTAINS "Edit-"
    managed_installs:
      - CreativeApplications
      - AdvancedTools
      
  # Complex AND expression with OS version
  - condition: os_vers_major >= 11 AND arch == "x64"
    managed_installs:
      - ModernApplications
      - x64OptimizedTools
      
  # Mixed AND/OR with special operators
  - condition: NOT hostname CONTAINS "Kiosk" AND (domain == "CORP" OR domain == "EDU")
    managed_installs:
      - EnterpriseApplications
      
  # Enrollment-based conditions (Enhanced)
  - condition: enrolled_usage == "Shared" AND enrolled_area != "Classroom"
    managed_installs:
      - SharedWorkspaceTools

Create hierarchical conditional logic with nested conditional items:

conditional_items:
  # Main condition with nested subconditions
  - condition: enrolled_usage == "Shared"
    conditional_items:
      # Nested conditions within the main condition
      - condition: enrolled_area != "Classroom" AND enrolled_area != "Podium"
        managed_installs:
          - CollaborativeTools
          - GroupSoftware
      
      # Architecture-specific nested deployment
      - condition: machine_type == "desktop"
        conditional_items:
          # Further nesting for granular control
          - condition: os_vers_major >= 11 AND arch == "x64"
            managed_installs:
              - HighEndApplications
              - PerformanceTools
        
        managed_installs:
          - BasicDesktopTools
    
    # Items for all machines matching the main condition
    managed_installs:
      - SharedMachineConfiguration
      - SecurityHardening

For compatibility, the system still supports the legacy format with explicit conditions arrays:

conditional_items:
  # Legacy AND logic (prefer complex expressions)
  - conditions:
      - key: "domain"
        operator: "=="
        value: "CORPORATE"
      - key: "arch" 
        operator: "=="
        value: "x64"
    condition_type: "AND"  # Default is AND
    managed_installs:
      - CorporateX64App
      
  # Legacy OR logic (prefer complex expressions)  
  - conditions:
      - key: "hostname"
        operator: "CONTAINS"
        value: "DEV"
      - key: "hostname"
        operator: "CONTAINS" 
        value: "TEST"
    condition_type: "OR"
    managed_installs:
      - DeveloperTools

Recommendation: Use complex expressions instead:

conditional_items:
  # Preferred: Complex expression format
  - condition: domain == "CORPORATE" AND arch == "x64"
    managed_installs:
      - CorporateX64App
      
  - condition: hostname CONTAINS "DEV" OR hostname CONTAINS "TEST"
    managed_installs:
      - DeveloperTools

• == / EQUALS: Exact equality
• != / NOT_EQUALS: Not equal
• CONTAINS: String contains substring
• DOES_NOT_CONTAIN: String does not contain substring
• BEGINSWITH: String starts with value
• ENDSWITH: String ends with value
• > / < / >= / <=: Comparison operators (version-aware)
• IN: Value is in a comma-separated list
• LIKE: Wildcard pattern matching

• NOT: Negates the following condition (e.g., NOT hostname CONTAINS "Kiosk")
• OR: Logical OR operator for complex expressions
• AND: Logical AND operator for complex expressions

Note: The ANY operator for array operations is planned for future implementation.

• hostname: System hostname
• arch / architecture: System architecture (x64, arm64, x86)
• os_version: Windows OS version (full version string)
• os_vers_major: Major OS version number (e.g., 10, 11)
• domain: Windows domain name
• machine_type: "laptop" or "desktop"
• machine_model: Computer model
• joined_type: "domain", "hybrid", "entra", or "workgroup"
• catalogs: Available catalogs (array)
• username: Current username
• date: Current date and time

• enrolled_usage: Device enrollment usage type (from registration or environment)
• enrolled_area: Device enrollment area (from registration or environment)
• os_build_number: Windows build number
• battery_state: Battery state for mobile devices

conditional_items:
  # Corporate environment with nested departmental logic
  - condition: domain == "CORPORATE"
    conditional_items:
      # Executive desktops with complex hostname patterns
      - condition: hostname CONTAINS "EXEC-" OR hostname CONTAINS "C-SUITE-" OR hostname CONTAINS "BOARD-"
        managed_installs:
          - ExecutiveSuite
          - PremiumOffice
          - VIPSupport
          
      # Development environment with role-based deployment
      - condition: hostname CONTAINS "DEV-" OR hostname CONTAINS "TEST-"
        conditional_items:
          # Senior developers get additional tools
          - condition: hostname CONTAINS "SENIOR" OR hostname CONTAINS "LEAD"
            managed_installs:
              - AdvancedDebugger
              - PerformanceProfiler
        
        managed_installs:
          - VisualStudio
          - GitForWindows
          - DockerDesktop
    
    # Base corporate software for all domain machines
    managed_installs:
      - EnterpriseAntivirus
      - CorporateVPN
      - ComplianceTools

  # Educational shared machines
  - condition: enrolled_usage == "Shared" AND enrolled_area != "Classroom"
    managed_installs:
      - CollaborativeTools
      - SharedWorkspaceApps
      - SecurityHardening

  # High-performance desktops (complex requirements)
  - condition: os_vers_major >= 11 AND arch == "x64" AND NOT hostname CONTAINS "Legacy"
    managed_installs:
      - ModernApplications
      - NextGenTools
      - PerformanceOptimization

conditional_items:
  # Modern Windows 11 x64 systems only
  - condition: os_vers_major >= 11 AND arch == "x64"
    managed_installs:
      - Windows11OptimizedApps
      - ModernWebApps
      
  # ARM64 specific applications
  - condition: arch == "arm64"
    managed_installs:
      - ARMNativeApps
    managed_uninstalls:
      - x64OnlyLegacyApps
      
  # Exclude older systems from resource-intensive software
  - condition: NOT (os_vers_major < 11 OR arch == "x86")
    managed_installs:
      - ResourceIntensiveApps

Preferred:

- condition: domain == "CORPORATE" AND arch == "x64"

Instead of:

- conditions:
    - key: "domain"
      operator: "=="
      value: "CORPORATE"
    - key: "arch"
      operator: "=="
      value: "x64"
  condition_type: "AND"

Use nested conditional items to mirror your organizational structure and avoid redundant conditions.

Start with simple conditions and build complexity:

# Start simple
- condition: hostname != ""
  managed_installs: [TestPackage]

# Add complexity gradually  
- condition: hostname CONTAINS "LAB" OR hostname CONTAINS "DEV"
  managed_installs: [TestPackage2]

• Place most restrictive conditions first
• Use nested conditionals to reduce redundant fact evaluation
• Order OR operations with most likely matches first

Monitor logs for "System facts gathered" entries to verify available facts.

Test complex expressions with simple managed_installs items:

conditional_items:
  # Test parentheses parsing
  - condition: (domain == "CORP" OR domain == "EDU") AND NOT hostname CONTAINS "Kiosk"
    managed_installs: [ParenthesesTest]
      
  # Test OR/AND precedence
  - condition: hostname CONTAINS "A" OR hostname CONTAINS "B" AND arch == "x64"
    managed_installs: [PrecedenceTest]

Cimian components write to Windows Event Log under:

• Application Log: General application events
• System Log: Service-related events
• Custom Logs: Detailed operation logs in C:\ProgramData\ManagedInstalls\logs\

Cimian uses a modern structured logging system with timestamped session directories:

The CimianStatus GUI provides real-time monitoring with:

• Installation Progress: Visual progress bars and status updates
• Package Queue: List of pending installations
• Error Reporting: Detailed error messages and troubleshooting guidance
• System Information: Hardware, OS, and configuration details

1. Service Not Running: sc start CimianWatcher
2. Permission Issues: Ensure Local System has access to repository paths
3. GUI Not Visible: Check for Session 0 isolation in service environments
4. Package Import Failures: Verify repository paths and write permissions
5. Network Connectivity: Check repository URL and proxy settings

# Service status check
Get-Service CimianWatcher

# Process monitoring
tasklist /fi "imagename eq cimistatus.exe"

# Trigger diagnostic mode  
cimitrigger.exe debug

# Manual update check
managedsoftwareupdate.exe --checkonly --verbose

1. Package Creation: Use cimipkg.exe --nupkg --intunewin <project> to create .intunewin packages
2. Upload to Intune: Import .intunewin files into Microsoft Endpoint Manager
3. Assignment: Deploy to device groups with appropriate targeting
4. Monitoring: Use Intune reporting for deployment status

Deploy Cimian configuration via Group Policy:

• Registry Settings: Configure via Group Policy Preferences
• File Deployment: Deploy config.yaml via Group Policy file copy
• Service Management: Use Group Policy to manage service startup

Cimian can complement SCCM deployments:

• Package Distribution: Use Cimian for rapid updates between SCCM cycles
• Self-Service: Provide user-initiated software installation
• Reporting: Centralized logging and status reporting

• Concurrent Downloads: Configurable parallel download limits
• Delta Updates: Only download changed package components
• Bandwidth Throttling: Configurable download speed limits
• Retry Logic: Automatic retry with exponential backoff
• Cache Management: Intelligent local caching for frequently used packages

• Clients per Repository: Tested with 10,000+ concurrent clients
• Package Repository Size: Supports multi-TB repositories
• Update Frequency: Sub-minute update deployment capability
• Concurrent Operations: Handles multiple simultaneous installations

• Binary Signing: All executables signed with enterprise certificates
• Package Verification: Automatic signature validation for imported packages
• PowerShell Signing: Automatic script signing during package creation
• Certificate Management: Automatic enterprise certificate detection

• Privilege Elevation: Minimal privilege escalation with automatic de-elevation
• Input Validation: Comprehensive input sanitization and validation
• Secure Communications: TLS encryption for repository communications
• Audit Logging: Comprehensive audit trails for all operations

• Change Tracking: Full audit trail of software changes
• Approval Workflows: Configurable approval processes for software deployment
• Compliance Reporting: Built-in reporting for regulatory compliance
• Access Controls: Role-based access control for administrative functions

Cimian is distributed under the MIT License. See LICENSE for details.

We welcome contributions! Feel free to submit pull requests, report issues, or suggest improvements via our GitHub repository.