Mac OS X,  Mac OS X Server,  Mac Security,  Mass Deployment

Automating Profile Manager Enrollment Through DeployStudio

When planning to migrate from managed preferences to profiles, one of the important aspects to consider is automated enrollment. One of the more important aspects of automating a traditional managed preferences environment is to automate the binding to directory services. You do not bind to Profile Manager; however, you do enroll devices. Much like binding computers to Lion Server’s Open Directory (by default), certificates and host names are important aspects of the enrollment process.

Much as with local managed preferences, management via profiles can be done through the command line and without any involvement from a centralized source. I had written an article awhile back on using profiles from the command line.

You can also instead enroll devices into Profile Manager. Previously, I had looked at configuring Profile Manager. Manual enrollment in Profile Manager is the same as enrollment from iOS. But instead of using Apple Configurator to automate enrollment, you’ll use your existing imaging solution for automated enrollment of Mac OS X based clients. Therefore, we’ll use DeployStudio as an example for automating enrollment at imaging time.

To get started, you’ll need a functional DeployStudio configuration. You’ll also need a functional Profile Manager configuration. From within Profile Manager, click on the plus sign (“+”) in the lower left corner of DeployStudio and click on Enrollment Profile. Then click on the New Enrollment Profile entry that was created and click on the Download button to download the profile onto the server (when it attempts to install, simply click cancel to cache it to your ~/Downloads directory).

Click in the drop-down menu in the upper right hand corner of the screen and then click on Download Trust Profile. This will download the Trust Profile for the MDM solution to the client (when it attempts to install, simply click cancel to cache it to your ~/Downloads directory).

Next, drag the cached profiles into the ConfigurationProfiles directory of the DeployStudio repository. Now that you have the profiles that will be required for automated enrollment, open DeployStudio Admin (if it was open before, close it and then re-open it once you have copied the profiles to the DeployStudio repository). From within DeployStudio, we will create a new workflow, here called “Deploy Lion with Enrollment”. We will then choose to restore a target volume and automate the task.

Next, click on the plus sign (“+”) to add a new workflow item, sliding the task selection screen out automatically.

Next, drag the Automatic Enrollment Task item into the workflow. Once present, choose Previous task target from the Target Volume field. Next, choose the enrollment profile in the Enrollment profile field. Also choose the Trust profile that you just downloaded from the Trust profile field. Finally, check the Automate box and save your workflow.

Finally, we’ll add a Configure task to set the hostname (note that your workflows may already be far more flushed out than mine here. Click on Save and then test the workflow.

Once booted, if you are automatically enrolled then the process was a success. You should be able to see the device in Profile Manager.