krypted April 28th, 2012
Apple has put tickets on sale for the WorldWide Developer Conference, from June 11th to June 15th in San Francisco’s Moscone Center. Last year, the conference sold out really quickly, so might want to jump on buying tickets if you want to go. One thing can be pretty easily assumed, there will be plenty of talk about Mountain Lion (and maybe a new beta/DP as well).
krypted April 25th, 2012
Who knew, Monster is getting in on the whole Z-wave thing. I can’t even find “Z-wave” on their official website. But their Z-wave dimmers are available at a few different websites, including Smarthome: http://www.smarthome.com/8500SD/Monster-Wall-Dimmer-Switch-Z-Wave-Lighting-Control/p.aspx. I ordered one of these and my system automatically saw it (as a Leviton btw) and I was controlling yet another light in my basement within about 5 minutes. Total Z-wave win.
While I don’t see the dimmers, what I do see on Monster’s website is a new Z-wave remote in their Revolution 200: http://www.monsterproducts.com/productdisplay.asp?pin=3369&id=9139.
It’s a little fancy for me (I prefer things that are beige and covered in DIP switches), but it’s cool to see another household name with lots of sales people pushing their products into Target, Best Buy (who use Control4 systems in their stores) and Home Depot, as well as other large chains.
krypted April 23rd, 2012
Posted In: Home Automation
Apple has released version 1.0.1 of the Apple Configurator tool. To install the first update to Apple’s new tool, go to the App Store on a computer that has Apple Configurator installed, click on Updates and then click on the Update button for Apple Configurator.
The update has a number of new features and fixes. The first is that Enterprise Apps can be installed. Previously, when you went to install internally developed applications, you would get an error that the installation could not proceed. Another great fix is that commas are now escaped when importing application codes from the VPP spreadsheets (a comma in a CSV/comma separated value would kill the ability to import VPP codes before). Another fix is to let you pull redemption codes from unsupervised device (this makes me very happy).
The redemption codes that you buy an app with can also now be used in Configurator, according to the release notes. This worked for me anyway, but I’ve read reports that people had to burn an additional code to use them with Configurator. The remaining redemption codes are now listed properly, as well. Another fix is that Notes and Bookmarks pushed into iBooks and iTunes U are restored properly when supervising devices. The WPA2 passwords had been wonky (according to the content of that payload), so that’s been fixed as well.
Also, a bug I hadn’t noticed, the capacity of an 8GB iPod Touch is now displaying properly…
krypted April 18th, 2012
I wasn’t very happy with how images were handled on krypted.com. Which is why I added a new plugin, http://wordpress.org/extend/plugins/wp-jquery-lightbox to provide more of a lightbox feel when you click on my images.
Many of my images are pretty large, so I make them a little smaller on the site so they fit well on the page. Now, when you click on images on the site, it greys the rest of the page and zooms in on the image. I’ve tinkered with a lot of lightbox plugins, but this one makes me happy. You just install and activate and viola, you’re done. It doesn’t get a lot easier than this and it’s a much better way than the default method for handling images in WordPress.
krypted April 17th, 2012
Posted In: WordPress
If you’ve been following my postings for the past few weeks you may have noticed that I’m putting the pieces together for a strategy to transition existing managed preferences in environments to profiles, most notably those managed using Lion Server’s Profile Manager as more than just a mobile device management tool, but also as a computer management tool. To put the articles into a bit more order, let’s look at the order that you’d likely use them to actually do an integration:
Not all of these will be applicable to every deployment, but the tasks covered are worth knowing how to do. Using Profile Manager and migrating the actual managed preferences from existing tools into Profile Manager I saved for last (after all, you need your infrastructure in place to do this). Here, I’m just going to look at Workgroup Manager and manually move each preference from Workgroup Manager into Profile Manager. To get started, I usually like to open a screen with Profile Manager and another with Workgroup Manager, lining them up side by side. This allows me to quickly and easily cut-copy-paste between the two. I also like to be very orderly, choosing to step through the Workgroup Manager list in order, moving each option I have selected in Workgroup Manager over to Profile Manager.
I usually start with user groups, then do computer groups, then look for specific computers I may have applied policies to and finally specific users that might have policies attached to them. The screens, by default, for my initial user groups, would look as follows (where there are some managed preferences in Workgroup Manager but not yet in Profile Manager):
Right off the bat, if you’re going in order of those displayed in the Workgroup Manager GUI, you’ll notice that there aren’t any listed for Applications in Profile Manager. This is because Applications, Media Access and System Preferences are located in the Restrictions payload for Mac OS X in Profile Manager. Click on it and click on Configure to enable the payload. Rather than go through each preference and each setting of each preference, suffice it to say that most are there. In some cases, you won’t see one, such as disabling Front Row, but you’ll have a cool new one, such as disabling AirDrop in its place.
The workflow is a little different in some places. For example, in Workgroup Manager, you can run the Workgroup Manager application on a computer that is not the server and easily add applications and printers to the preference that are not actually installed on the server. Annoyingly, because Profile Manager is a web application, you need to put the .app bundles and install the printers on the server in order to push them out through Profile Manager. While this caused some initial heartache, I just ended up taking the app bundle, copying it to the server temporarily and then adding it, whether the application was installed or not. Printers are easy enough to install on servers as well.
The Classic managed preference is pretty much no longer needed, so it has been removed. Finder and Universal Access are also gone in Profile Manager. But this doesn’t mean you can’t manage them. Just as you could manage custom preferences using the Details tab, you can manage custom preferences using the Custom Settings option as well. Simply open the Custom Settings payload and then use the plus sign to create each preference domain that you would like to manually configure. Click on the Upload File… button to import a property list manually and then delete the items that you don’t want getting pushed to clients (seems similar to how you did things in Managed Preferences, right?). Another managed setting that is missing from Profile Manager is Software Update. Here, we’ll add it by looking at the details in Workgroup Manager and then duplicating the settings in Profile Manager.
You can do this for any of the missing objects as well as any third party software. For example, we’ll click the plus sign (“+”) to add a preference and then enter com.microsoft.autoupdate2 into the Preference Domain field and HowToCheck as a key (String) with a value of Manual. This would disable Microsoft’s automatic updates so we can manage them through our patch management solution.
The biggest change in moving to profiles and Profile Manager is the fact that you no longer have the option to manage settings using the Once Often and Always settings we grew to love in Managed Preferences. There are trade-offs. Such as the fact that you can have many of the settings instantly updated on clients, wipe devices, etc. The way you remove an Always profile is to remove the payload. For those still needing Once and Often, you can stick with Managed Preferences for a bit longer, but you might want to start considering ways of not accessing those manifests. In exchange you can centrally push out SSIDs for wireless networks, automatically configure clients for Exchange (not the password) if you’re using Mail, iCal and Address Book, deploy certificates, configure password policies and even perform some fairly delicate 802.1x foo, without touching a script.
There’s definitely going to be some stir over the fact that, as with iOS, centralized management via Profile Manager is an opt-in experience. Users can remove their enrollment profile as they wish. Of course, if you’ve hidden the Profiles System Preference pane then they might have a problem getting rid of it, but get rid of it they may. Therefore, it’s worth considering a few strategies for dealing with that. One I like is automatically unbinding clients that are not listed in the devices table of the Profile Manager database. Another is to send ninjas to their house so they may be pelted with shurikens (1d6 of damage each, btw, so don’t throw too many). It’s also worth noting that data doesn’t always disappear with profiles in Mac OS X the same way it does with iOS and that profiles are a Lion and above experience, not working with Snow Leopard and older operating systems.
Whichever strategy you take with migrating to profiles, it’s worth starting to think about and test this new type of user experience now. Of course, if you have a 3rd party patch management tool, such as the Casper Suite, that allows for local managed preferences, you’re likely better off deploying policies through there. If not, then don’t feel rushed, as Managed Preferences are still how Profiles deploy their payloads to clients. However, the means with which you have been deploying Managed Preferences may be changing over the next few years, so it’s a good idea to start looking at this now in order to be prepared for future releases.
krypted April 6th, 2012
I have been added as a speaker at MacTech InDepth in New York. If you haven’t signed up yet, and you work with Mac OS X Server then you should really check out the sessions that have been planned:
Overall, this represents a nice, fast way to update your skills to allow for managing Lion Server and to get up to speed with those new to the platform. One thing I like about the session list is that it goes beyond the stock server implementation and looks at DeployStudio, MDM and other important topics not purely server oriented. I hope to see you all there!
These vagabond shoes, are longing to stray
Right through the very heart of it – New York, New York
krypted April 5th, 2012
Posted In: public speaking
Tags: Address Book, Apache, app, Apple Configurator, caldav, carddav, DeployStudio, DNS, FTP, iCal, iChat, iphone configuration utility, jabber, lion server, Mac OS X, MacTech, mdm, mobile device management, NetBoot, NetRestore, new york, server, Snow Leopard, web
When planning to migrate from managed preferences to profiles, one of the important aspects to consider is automated enrollment. One of the more important aspects of automating a traditional managed preferences environment is to automate the binding to directory services. You do not bind to Profile Manager; however, you do enroll devices. Much like binding computers to Lion Server’s Open Directory (by default), certificates and host names are important aspects of the enrollment process.
Much as with local managed preferences, management via profiles can be done through the command line and without any involvement from a centralized source. I had written an article awhile back on using profiles from the command line.
You can also instead enroll devices into Profile Manager. Previously, I had looked at configuring Profile Manager. Manual enrollment in Profile Manager is the same as enrollment from iOS. But instead of using Apple Configurator to automate enrollment, you’ll use your existing imaging solution for automated enrollment of Mac OS X based clients. Therefore, we’ll use DeployStudio as an example for automating enrollment at imaging time.
To get started, you’ll need a functional DeployStudio configuration. You’ll also need a functional Profile Manager configuration. From within Profile Manager, click on the plus sign (“+”) in the lower left corner of DeployStudio and click on Enrollment Profile. Then click on the New Enrollment Profile entry that was created and click on the Download button to download the profile onto the server (when it attempts to install, simply click cancel to cache it to your ~/Downloads directory).
Click in the drop-down menu in the upper right hand corner of the screen and then click on Download Trust Profile. This will download the Trust Profile for the MDM solution to the client (when it attempts to install, simply click cancel to cache it to your ~/Downloads directory).
Next, drag the cached profiles into the ConfigurationProfiles directory of the DeployStudio repository. Now that you have the profiles that will be required for automated enrollment, open DeployStudio Admin (if it was open before, close it and then re-open it once you have copied the profiles to the DeployStudio repository). From within DeployStudio, we will create a new workflow, here called “Deploy Lion with Enrollment”. We will then choose to restore a target volume and automate the task.
Next, click on the plus sign (“+”) to add a new workflow item, sliding the task selection screen out automatically.
Next, drag the Automatic Enrollment Task item into the workflow. Once present, choose Previous task target from the Target Volume field. Next, choose the enrollment profile in the Enrollment profile field. Also choose the Trust profile that you just downloaded from the Trust profile field. Finally, check the Automate box and save your workflow.
Finally, we’ll add a Configure task to set the hostname (note that your workflows may already be far more flushed out than mine here. Click on Save and then test the workflow.
Once booted, if you are automatically enrolled then the process was a success. You should be able to see the device in Profile Manager.
krypted April 4th, 2012
Tags: Command line, Deploy Studio, Enrollment, Lion, lion server, local MCX, Mac OS X, Mac OS X Server, Managed Preferences, mdm, mobile device management, move from MCX to profiles, profile manager, profiles
Over the years, the terms Magic, Golden, Triangle, Augments, Directory, Domains and Active have given the administrators of Mac OS X environments fits. So when you think about using Active Directory to manage iOS devices through the Profile Manager service, built into Lion Server, you may think that it’s a complicated thing to piece together. You may remember those days when you had to manually craft service principals because xgrid wouldn’t play nice with Acive Directory, or you might think of twisting augmented records to support CalDAV. But you’re gonna’ have to forget all that, ’cause getting Profile Manager to talk to Active Directory is one of the easiest things you’ll do.
Before we get started, architecture. Every Profile Manager instance is an Open Directory Master. Apple has included a local group in Mac OS X Server called Profile Manager ACL. Users and groups from any directory domain that can be viewed in dscl can be added to this group. Adding objects to this group enables them to authenticate to the MyDevices portal but not administrate. Kerberos isn’t really used here, nor are nested groups. You’ll apply policies directly to Active Directory groups in Profile Manager. For many long-term Apple administrators, this paragraph is all you need to read. If not, please continue on.
To get started, first set Profile Manager up, as shown in a previous article I did. Once configured, verify that Open Directory or local clients can authenticate, bind to Active Directory.
Bind to Active Directory
From within System Preferences, click on the Users & Groups System Preference pane and click on Login Options. Then click on the Edit… button for the Network Account Server. From here, click on the plus sign (“+”) and enter the domain name into the Server field.
Once bound, you will see the server listed. At this point, if you try to authenticate to the MyDevices portal as an Active Directory user, you will be able to authenticate, but you will not have permission to enroll devices. To log in, access the web service at the address of the server followed by /MyDevices (e.g. https://mdm.pretendco.com/MyDevices).
Provide the user name and password to the service. The Active Directory users are unable to access the MyDevices service.
Click on Logout and we’ll fix this. There is no further configuration required for the Active Directory groups to function properly in regards to how they work with the server. However, we will need to open Workgroup Manager and nest some groups. You might think that you’d be doing something all kinds of complicated, but notsomuch. You also might think that you would be nesting the Active Directory users and groups inside Open Directory groups, given that you have to enable Open Directory in order to use Profile Manager. Again, notsomuch. To nest the groups, browse to the local directory and then then click on the com.apple.access_devicemanagement group.
Drag the user or group from the menu into the list of members and then click on the Save button.
Now log in again using the MyDevices portal and you’ll be able to Enroll. From within Profile Manager (log in here as a local administrator), you’ll see all of the users and groups and be able to apply policies directly to them by clicking on the Edit button for each (the information isn’t saved in the directory service on the server, but is cached into the directory service client on the client when using Mac OS X 10.7, Lion based clients).
Moving Mac OS X Management From MCX
You keep hearing that you need to move some of your managed preferences to profiles (or Profile Manager in most cases), but you can’t really think about that until you get Profile Manager integrated with Active Directory, can you? And getting those pesky iOS devices working with Active Directory style policies has been on your radar, but really, who has time?
Profiles then have a few distinct benefits over Managed Preferences (MCX) for some, which we’ll look at through the lens of Profile Manager. The first is that they’re instant. You can make a change to a profile on a device enrolled in an MDM service and you instantly see the changes on the client (most profile settings that is, not all), rather than having to log the client out and then back in. You can also wipe and lock devices and the interface is easier (I mean, no nesting thankyouverymuch).
But there are a few drawbacks as well. You can’t cluster Profile Manager, so there are some benefits to using 3rd party services in a move to profile based management. You also manage settings using the Always option, rather than being able to use the Once or Often settings. You can use custom property lists, though and importantly, MCX is used to actually implement most of these profiles on client systems, so those skills you’ve been honing for managing Managed Client workflows will not be totally lost in the transition. Overall, I had initially thought that management by profile would be much less granular than management via managed preferences, but I’ve found ways around any issues and have found it’s actually much easier and works as reliably as dual directory or Active Directory based managed preferences worked.
krypted April 3rd, 2012
Tags: Active Directory integration, Contact your system administrator., directory services, Groups, integration, Lion, Logout, Mac OS X Server, Magic Triangle, MyDevices, Open Directory, profile manager, You do not have permission to access the page you were looking for.