Integrating Mac OS X Lion Server's Profile Manager With Active Directory

Over the years, the terms Magic, Golden, Triangle, Augments, Directory, Domains and Active have given the administrators of Mac OS X environments fits. So when you think about using Active Directory to manage iOS devices through the Profile Manager service, built into Lion Server, you may think that it’s a complicated thing to piece together. You may remember those days when you had to manually craft service principals because xgrid wouldn’t play nice with Active Directory, or you might think of twisting augmented records to support CalDAV. But you’re gonna’ have to forget all that, ’cause getting Profile Manager to talk to Active Directory is one of the easiest things you’ll do.

Before we get started, architecture. Every Profile Manager instance is an Open Directory Master. Apple has included a local group in Mac OS X Server called Profile Manager ACL. Users and groups from any directory domain that can be viewed in dscl can be added to this group. Adding objects to this group enables them to authenticate to the MyDevices portal but not administrate. Kerberos isn’t really used here, nor are nested groups. You’ll apply policies directly to Active Directory groups in Profile Manager. For many long-term Apple administrators, this paragraph is all you need to read. If not, please continue on.

To get started, first set Profile Manager up, as shown in a previous article I did. Once it is configured, verify that Open Directory or local users can authenticate, and then bind the server to Active Directory.

Bind to Active Directory

From within System Preferences, click on the Users & Groups System Preference pane and click on Login Options. Then click on the Edit… button for the Network Account Server. From here, click on the plus sign (“+”) and enter the domain name into the Server field.

Once bound, you will see the server listed. At this point, if you try to authenticate to the MyDevices portal as an Active Directory user, you will be able to authenticate, but you will not have permission to enroll devices. To log in, access the web service at the address of the server followed by /MyDevices (e.g. https://mdm.pretendco.com/MyDevices).

Provide the user name and password to the service. At this point, Active Directory users are still unable to access the MyDevices service: they authenticate, but have not yet been granted access to it.

Nest Groups Using Workgroup Manager

Click on Logout and we’ll fix this. There is no further configuration required for the Active Directory groups to function properly in regards to how they work with the server. However, we will need to open Workgroup Manager and nest some groups. You might think that you’d be doing something all kinds of complicated, but notsomuch. You also might think that you would be nesting the Active Directory users and groups inside Open Directory groups, given that you have to enable Open Directory in order to use Profile Manager. Again, notsomuch. To nest the groups, browse to the local directory and then click on the com.apple.access_devicemanagement group.

Click on the lock icon to unlock the directory domain, authenticating when prompted.

Click on the Members tab and then click on the plus sign (“+”) to add members to the group.

Then in the menu that slid out, click on the domain browser at the top of that menu and select the Active Directory entry.

Test Access

Drag the user or group from the menu into the list of members and then click on the Save button.

Now log in again using the MyDevices portal and you’ll be able to Enroll. From within Profile Manager (log in here as a local administrator), you’ll see all of the users and groups and be able to apply policies directly to them by clicking on the Edit button for each. Note that the policy information isn’t saved in the directory service on the server; with Mac OS X 10.7 (Lion) clients it is cached by the directory service client on the client itself.
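Since membership in the local com.apple.access_devicemanagement group is what grants (or denies) MyDevices access, it is worth being able to audit that group without opening Workgroup Manager. The following is an added example, not code from the original article: it parses the output of `dscl . -read /Groups/com.apple.access_devicemanagement` and reports which users and which nested directory groups (listed by GeneratedUID) have been granted access. The record below is a constructed sample; its GUIDs and account names are made up.

```python
"""Audit who has been granted MyDevices access via the Profile Manager ACL group.

Added example, not from the original article. Parses `dscl . -read` output for
the local com.apple.access_devicemanagement group and summarises its direct
members and nested directory groups. Runs against a constructed sample record
on non-macOS hosts and against the live group on a macOS server.
"""
import subprocess
import sys

ACL_GROUP = "/Groups/com.apple.access_devicemanagement"

# Constructed sample of `dscl . -read` output. Values containing spaces are
# printed by dscl on their own indented continuation lines (see RealName).
SAMPLE_RECORD = """\
GeneratedUID: ABCDEF00-0000-4000-8000-000000000001
GroupMembership: localadmin jdoe
NestedGroups: 11111111-2222-3333-4444-555555555555
PrimaryGroupID: 400
RealName:
 Profile Manager ACL
RecordName: com.apple.access_devicemanagement
"""

def parse_dscl_record(text):
    """Turn dscl's 'Key: value value' output into {key: [values]}."""
    record, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            record[key].append(line.strip())      # continuation line
        elif ":" in line:
            key, _, rest = line.partition(":")
            record[key] = rest.split()            # may be empty for now
    return record

def acl_summary(record):
    """Direct users plus nested group GUIDs that can log into MyDevices."""
    return {"users": record.get("GroupMembership", []),
            "nested_groups": record.get("NestedGroups", [])}

def is_nested(record, group_guid):
    """True if the directory group with this GeneratedUID is nested in the ACL."""
    return group_guid in record.get("NestedGroups", [])

def read_live_record():
    """Read the real ACL group with dscl (macOS only) and parse it."""
    out = subprocess.run(["dscl", ".", "-read", ACL_GROUP],
                         capture_output=True, text=True, check=True).stdout
    return parse_dscl_record(out)

if __name__ == "__main__":
    rec = read_live_record() if sys.platform == "darwin" else parse_dscl_record(SAMPLE_RECORD)
    print(acl_summary(rec))
```

To confirm that a given Active Directory user resolves through the nesting the same way the portal's access check does, `dsmemberutil checkmembership -U <user> -G com.apple.access_devicemanagement` on the server gives a direct yes or no.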


Moving Mac OS X Management From MCX

You keep hearing that you need to move some of your managed preferences to profiles (or Profile Manager in most cases), but you can’t really think about that until you get Profile Manager integrated with Active Directory, can you? And getting those pesky iOS devices working with Active Directory style policies has been on your radar, but really, who has time?

Profiles have a few distinct benefits over Managed Preferences (MCX) for some environments, which we’ll look at through the lens of Profile Manager. The first is that they’re instant. You can make a change to a profile on a device enrolled in an MDM service and you instantly see the change on the client (for most profile settings, not all), rather than having to log the client out and then back in. You can also wipe and lock devices, and the interface is easier (I mean, no nesting thankyouverymuch).

But there are a few drawbacks as well. You can’t cluster Profile Manager, so there are some benefits to using 3rd party services in a move to profile based management. You also manage settings using the Always option, rather than being able to use the Once or Often settings. You can use custom property lists, though, and importantly, MCX is used to actually implement most of these profiles on client systems, so those skills you’ve been honing for managing Managed Client workflows will not be totally lost in the transition. Overall, I had initially thought that management by profile would be much less granular than management via managed preferences, but I’ve found ways around any issues and have found it’s actually much easier and works as reliably as dual directory or Active Directory based managed preferences worked.

22 Comments

  • Thomas B.
    April 19, 2012 - 10:06 am

    Thanks for the helpful hints. Unfortunately, we are still seeing funkiness when binding to a .local AD domain. Centrify have a great troubleshooting guide at http://www.centrify.com/downloads/public/centrify-directcontrol-for-mac-local-domain-workaround.pdf

    Unfortunately, even with these steps we still see authentication working for some time (hours), then suddenly stopping, only to work fine again after a reboot. “id” and “login” seem to work during these episodes, and dscl list /Active Directory allows browsing of the domain.

    I think I’ll be spending some time in the directory debug log…

    • April 25, 2012 - 7:37 am

      Good luck. .local has always been a bit of an issue with Mac OS X and AD…

  • Gareth
    April 25, 2012 - 4:01 am

    I’ve managed to almost get all this working. When I run Workgroup Manager and connect to /Local/Default and then click on the groups icons, I see no local groups.

    I’ve done several rebuilds to get this all work so should be in a reasonably clean state, but no groups visible.

    Any ideas why or have I missed something?

    • April 25, 2012 - 7:36 am

      Ah, they’re hidden. You have to select Show System Records under the View menu.

  • Jim
    June 15, 2012 - 9:14 am

    I got everything set up but when it comes to my active directory accounts the profile is not working. My local OD users have all the restrictions apply whenever they log into any mac but I just cannot seem to get the same working for my active directory users. Is there some trick to this that I am missing?

    • June 18, 2012 - 7:16 pm

      I’ve heard a few people say that. My AD schema is extended, so I’ll check and see if that makes a difference against a new AD that hasn’t been extended…

  • Chris
    June 22, 2012 - 5:51 pm

    Hi Charles,

    This was very helpful and I have managed to enroll devices using active directory accounts.

    One thing that I did notice though is that the user will show up in the Users library for a short period of time after enrollment then disappear. The devices remain and I have no issues with them, I just can’t see the users.

    I also see all the AD groups in the Groups library but I don’t see any members. Seems to be a bit of a bug here or I have missed something.

    • June 29, 2012 - 9:41 pm

      If you search for the users do they show up? Can you see group membership using id or dscl?

  • Eric
    June 25, 2012 - 9:09 am

    After binding to AD and adding the “Domain Users” group to the local “com.apple.access_devicemanagement” all our users are able to log into the My Devices page using AD auth.

    The problem is, in Profile Manager the local “Everyone” group had disappeared.
    Also I have to use the search field for AD groups to display. Although I think that is a feature if you have a lot of AD groups.

    • June 28, 2012 - 8:45 pm

      Correct, once you are bound the server no longer assumes services are hosted locally and stops displaying Everyone. And if there are a lot of groups, AD groups often don’t appear but have to be searched for. Thanks for pointing out those facts. Sometimes the limitations that I don’t consider being a big deal could be a dealbreaker for others.

  • Eric
    July 2, 2012 - 11:06 am

    id and dscl both work for looking up users and groups.
    Users and Groups do show up in Profile Manager if I do a search.

    So all of that is working. What I am trying to wrap my head around is how to setup a default policy that everyone will get when they enroll.

  • Luis
    August 1, 2012 - 10:58 am

    I have the same issue: I see all the AD groups but no AD users. I run a search for users (under the users tab, of course), and none are found.

  • Luis
    August 1, 2012 - 11:14 am

    Has anyone tried to get this working with Mountain Lion Server? I was seeing the AD users before I upgraded to Mountain Lion; now I don’t see the users, but I can’t use Workgroup Manager in Mountain Lion.

  • cmstar0
    August 10, 2012 - 6:25 am

    I cannot tell you how helpful these articles have been.

    However, I’m working on Mountain Lion, and at least for that OS there is a non-obvious step here. In order to find/see com.apple.access_devicemanagement in Workgroup Manager, you will need to choose “Show System Records” from the “View” menu.

    Thanks for all your helpful info.

    • August 10, 2012 - 6:31 am

      You can still use Workgroup Manager w/ Mountain Lion. I’ll do an article on Profile Manager in Mountain Lion this weekend probably.

  • August 24, 2012 - 8:04 am

    Does anyone have any input on the following problem? My Lion Server Profile Manager refuses to cooperate after I’ve deployed 1500 macbooks. The profile is there and working but it will not load that profile so that I can make changes to it and push to clients. Can I add modifications to MCX settings and apply those to an AD group… basically can I use the profile and MCX settings without harm. Any advice here would be useful. I find profile manager to be the most frustrating apple product I’ve ever used. I tried to do it their way but have had no luck getting ruby and profile manager to work after I deployed my client machines.

    • August 27, 2012 - 8:33 pm

      Profile Manager can be frustrating. You can use both MCX and Profiles at the same time, but the Profile should win in a conflict and should be ALWAYS, which can be a challenge when there are other layers of management. But it won’t break anything, except maybe a little headache here and there with conflict resolution…

  • Jake
    August 28, 2012 - 9:45 am

    I have everything setup as described in your article. Currently, we are using this setup with around 150 iPads, and it is working very well!

    However, there is 1 user that I am unable to drag into the device management group. Is there a way to do this through the command line? Or perhaps a log I can see as to why this user isn’t moving? I couldn’t seem to find any helpful error messages in the console…

    Thanks again!

    • August 28, 2012 - 10:04 am

      I’ve not found any logs or command line options. I can say that the users should show up in dscl or id and that I’ve run into a few cases where I had to delete and recreate a user to get it to show up in Profile Manager or Apple Configurator. Hope that helps.

      • Jake
        August 28, 2012 - 11:15 am

        Oddly enough when I run id in terminal, the user is in the com.apple.access_devicemanagement group.
        However they do not show up in the Workgroup Manager GUI and cannot log in through the device portal.
        Any ideas? And thanks for the quick reply!
