Tiny Deathstars of Foulness

When planning to migrate from managed preferences to profiles, one of the important aspects to consider is automated enrollment. One of the more important aspects of automating a traditional managed preferences environment is automating the bind to directory services. You do not bind to Profile Manager; you enroll devices in it instead. Much as with binding computers to Lion Server’s Open Directory (by default), certificates and host names are important aspects of the enrollment process. As with local managed preferences, management via profiles can also be done from the command line without any involvement from a centralized source; I wrote an article a while back on using profiles from the command line. Alternatively, you can enroll devices into Profile Manager. Previously, I looked at configuring Profile Manager. Manual enrollment in Profile Manager is the same as enrollment from iOS, but instead of using Apple Configurator to automate enrollment, you’ll use your existing imaging solution for automated enrollment of Mac OS X based clients. Therefore, we’ll use DeployStudio as the example for automating enrollment at imaging time. To get started, you’ll need a functional DeployStudio configuration. You’ll also need a functional Profile Manager configuration. From within Profile Manager, click on the plus sign (“+”) in the lower left corner and click on Enrollment Profile. Then click on the New Enrollment Profile entry that was created and click on the Download button to download the profile onto the server (when it attempts to install, simply click Cancel to cache it to your ~/Downloads directory). Click on the drop-down menu in the upper right hand corner of the screen and then click on Download Trust Profile. This downloads the Trust Profile for the MDM solution to the client (again, when it attempts to install, simply click Cancel to cache it to your ~/Downloads directory).
Next, drag the cached profiles into the ConfigurationProfiles directory of the DeployStudio repository. Now that you have the profiles required for automated enrollment, open DeployStudio Admin (if it was already open, close it and re-open it once you have copied the profiles into the DeployStudio repository). From within DeployStudio, we will create a new workflow, here called “Deploy Lion with Enrollment”. We will then choose to restore a target volume and automate that task. Next, click on the plus sign (“+”) to add a new workflow item; the task selection screen slides out automatically. Drag the Automatic Enrollment Task item into the workflow. Once it is present, choose Previous task target from the Target Volume field. Then choose the enrollment profile in the Enrollment profile field and the Trust profile you just downloaded in the Trust profile field. Check the Automate box and save your workflow. Finally, we’ll add a Configure task to set the hostname (note that your workflows may already be far more fleshed out than mine here). Click on Save and then test the workflow. Once the client has booted, if it is automatically enrolled then the process was a success: you should be able to see the device in Profile Manager.
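The DeployStudio tasks above do the same three things a script would: give the machine its own host name, install the Trust profile (so the client trusts the MDM server’s certificate) and then install the enrollment profile. The following POSIX shell script is an added example of doing that from a first-boot or postflight script instead of the DeployStudio GUI; it is not code from the original post or from DeployStudio. It assumes the two profiles were copied to /private/var/ds/profiles as trust.mobileconfig and enroll.mobileconfig (both names are assumptions), derives a host name from the hardware serial so every imaged client enrolls under a distinct name, and checks the enrollment afterwards by parsing the `profileIdentifier:` lines that `profiles -P` prints on Lion. Running with DRY_RUN=1 only echoes the privileged commands.

```shell
#!/bin/sh
# Added example (not from the original post): enroll a freshly imaged Mac in
# Profile Manager from a first-boot script. Assumed paths and names below.
PROFILE_DIR="${PROFILE_DIR:-/private/var/ds/profiles}"      # assumption
TRUST_PROFILE="$PROFILE_DIR/trust.mobileconfig"              # assumption
ENROLL_PROFILE="$PROFILE_DIR/enroll.mobileconfig"            # assumption
ENROLL_ID="${ENROLL_ID:-com.example.mdm.enroll}"             # assumed identifier
DRY_RUN="${DRY_RUN:-0}"

# Echo a command instead of running it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Build a host name from the serial number: lowercase, alphanumerics only,
# with a site prefix (default "lab"). Each client gets a distinct name even
# though the image itself carries one baked-in name.
hostname_from_serial() {
  serial="$1"
  prefix="${2:-lab}"
  clean=$(printf '%s' "$serial" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
  printf '%s-%s\n' "$prefix" "$clean"
}

# Read the hardware serial from system_profiler (macOS only).
get_serial() {
  system_profiler SPHardwareDataType 2>/dev/null |
    awk -F': ' '/Serial Number/ { print $2; exit }'
}

# Set all three names so the device shows up consistently in Profile Manager.
set_hostnames() {
  name="$1"
  run scutil --set HostName "$name" &&
  run scutil --set LocalHostName "$name" &&
  run scutil --set ComputerName "$name"
}

# Install the Trust profile first, then the enrollment profile. Fails before
# touching the system if either file is missing.
install_profiles() {
  for f in "$TRUST_PROFILE" "$ENROLL_PROFILE"; do
    [ -r "$f" ] || { echo "missing profile: $f" >&2; return 1; }
  done
  run /usr/bin/profiles -I -F "$TRUST_PROFILE" &&
  run /usr/bin/profiles -I -F "$ENROLL_PROFILE"
}

# Return 0 if a `profiles -P` listing ($2) contains a line whose
# profileIdentifier equals $1 exactly (no prefix matches).
profile_installed() {
  id="$1"
  listing="$2"
  printf '%s\n' "$listing" |
    awk -v id="$id" '/profileIdentifier:/ && $NF == id { found = 1 }
                     END { exit !found }'
}

main() {
  serial=$(get_serial)
  [ -n "$serial" ] || { echo "could not read serial number" >&2; exit 1; }
  set_hostnames "$(hostname_from_serial "$serial")" || exit 1
  install_profiles || exit 1
  if [ "$DRY_RUN" != 1 ]; then
    profile_installed "$ENROLL_ID" "$(/usr/bin/profiles -P 2>/dev/null)" ||
      { echo "enrollment profile $ENROLL_ID not installed" >&2; exit 1; }
  fi
  echo "enrolled as $(hostname_from_serial "$serial")"
}

# Only act when invoked with --run, so the functions can be sourced and tested.
[ "${1:-}" = "--run" ] && main
```

Invoke it as `sudo sh enroll.sh --run` from the postflight step; the serial-derived name answers the question that comes up in the comments below about whether machines are renamed before enrollment, since an enrollment done under the image’s shared name is what makes several clients look like one device.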

April 4th, 2012

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment


  • nbalonso

    Quick question: do you know if, when you enroll the device with the enrollment profile and you manually install a downloaded .mobileconfig of settings for a device group, this automatically makes the device a member of that group, or does it just apply the settings without making it a member?

    I am asking because I currently don’t have the equipment to test, and I’m planning to migrate clients from OD to Profile Manager using Munki.


    • Sorry for the delay. It would enroll but not add it as a member of that device group. Would be cool if you could automate something like that!

  • Pingback: Moving Managed Preferences to Profiles

  • Avi

    Hi Charles,
    I’ve been using Profile Manager since its introduction in 10.7 and, despite a love/hate relationship with it (easy to configure / limited control and lack of documentation), it worked just fine. I use it in an environment where the workstations are bound to AD and there are no iOS devices. All was working until I started upgrading to 10.7.4, clients and server. Now when I enroll a new device using the simple method of web-accessing /Profilemanager/Mydevices and installing the trust and managed certificate, the first workstation looks fine, but when I go to enroll another workstation after installing the trust certificate from the profile window, Profile Manager reports that the machine is enrolled: it shows “This Device” in the list even though the serial number is for the first machine. Removing it, the first machine then reports it is not enrolled. Seems like the managed certificate is not unique for the machine. I tried all that I could think of, like deleting all certificates in the keychain and logging off and back on as local admin, but no difference. I looked around and can’t find mention of this problem, but find it hard to believe I am the only one with it.
    Any suggestion would be appreciated.


    • Which button are you clicking on to cache the trust and enrollment profiles?

      • Jens

        Hi Charles, hi Avi

        We have the exact same problem: “How to enroll a Mac client into a Profile Manager device group at the enrollment of the Mac?” We are able to enroll the Mac into Profile Manager at setup in Deploy Studio. But we need to push out some settings that are device group dependent (e.g. certificates for WiFi, munki settings, …).

        Is there a way to auto enroll Macs into device groups right after enrolling them into Profile Manager? The setting we’d like to push out is set on a device group.


  • Bill Opcam

    Same problem here. iMac lab imaged with Deploy Studio. When manually adding the trust profile and enrolling via the web interface I get the same: the first one works and the rest then think they are enrolled. If I “remove” one of the others then the original appears to be “removed”.

    Some common identifier must be pushed down with the image.

    Have you found a solution yet?


    • Are you renaming the machines before enrollment? Which enrollment profile are you using?