Setting Up Profile Manager in Lion Server

New in Lion Server, Profile Manager is the most substantial service added to Mac OS X Server in recent memory. A lot of engineering has gone into it since its introduction in 10.7.0, and as of 10.7.3 Profile Manager is a service that is ready for actual deployments. I have written a number of articles about Profile Manager, but they all revolved around working with Profile Manager once the service is set up and configured. Therefore, I have decided to document the steps used to take a system out of the box and configure it for Profile Manager.

Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.75 and the hostname will be mdm.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.

sudo scutil --set HostName mdm.pretendco.com

Then the ComputerName:

sudo scutil --set ComputerName mdm.pretendco.com

And finally, the LocalHostName:

sudo scutil --set LocalHostName mdm

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.75

Current HostName = mdm.pretendco.com
DNS HostName = mdm.pretendco.com

The names match. There is nothing to change.
dirserv:success = "success"

If the IP address and hostname are correct but you don’t see the success line and the message that the names match, you probably have some DNS work to do next, depending on whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the server. I have downloaded and installed the Server Admin Tools, then opened Server Admin, connected to the server and configured just the mdm server as a single record in the pretendco.com zone:

Provided your DNS looks just like this (your host name, not mine), changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box, just make sure you have a forward and reverse record for the hostname/IP in question.
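The name-setting and changeip steps above, wrapped into one script, as an added example that is not code from the original article: it sets the three names with scutil in the same order as the text, confirms that forward and reverse DNS agree (the precondition described for changeip), and then parses the output of changeip -checkhostname line by line instead of eyeballing it. The host name, IP address and the sample changeip output are the article’s; the function names (short_name, set_names, changeip_ok, dns_consistent), the PM_APPLY switch and the availability of dig are my own assumptions. Without PM_APPLY=1 the script only defines the functions, so it can be sourced on any machine.

```shell
#!/bin/sh
# Added example (not code from the original article): set the three names the
# way the article does with scutil, check the result with changeip, and confirm
# forward and reverse DNS agree before touching Profile Manager.
# Assumed values come from the article: mdm.pretendco.com and 192.168.210.75;
# override them on the command line. Nothing is changed unless PM_APPLY=1.

FQDN="${1:-mdm.pretendco.com}"
IP="${2:-192.168.210.75}"

# LocalHostName is the short (first) label of the FQDN, e.g. mdm.
short_name() {
    printf '%s\n' "${1%%.*}"
}

# The three scutil settings from the article, in the same order.
set_names() {
    sudo scutil --set HostName "$1"
    sudo scutil --set ComputerName "$1"
    sudo scutil --set LocalHostName "$(short_name "$1")"
}

# Check the text produced by "changeip -checkhostname" line by line:
# primary address, current and DNS host names, and the "names match" line.
# Returns 0 only when all four agree with what we expect.
changeip_ok() {
    out="$1"; fqdn="$2"; ip="$3"
    printf '%s\n' "$out" | grep -qxF -- "Primary address = $ip"    || return 1
    printf '%s\n' "$out" | grep -qxF -- "Current HostName = $fqdn" || return 1
    printf '%s\n' "$out" | grep -qxF -- "DNS HostName = $fqdn"     || return 1
    printf '%s\n' "$out" | grep -q   -- "^The names match"         || return 1
    return 0
}

# Forward (A) and reverse (PTR) lookups must point at each other; this is the
# DNS precondition the article describes for changeip to succeed. Assumes dig.
dns_consistent() {
    fqdn="$1"; ip="$2"
    fwd=$(dig +short A "$fqdn" | head -n 1)
    rev=$(dig +short -x "$ip" | head -n 1)
    rev="${rev%.}"   # dig prints PTR targets with a trailing dot
    [ "$fwd" = "$ip" ] && [ "$rev" = "$fqdn" ]
}

# Constructed sample of the healthy output shown in the article, kept here so
# the parser can be exercised without a Lion Server at hand.
SAMPLE_OK='Primary address = 192.168.210.75

Current HostName = mdm.pretendco.com
DNS HostName = mdm.pretendco.com

The names match. There is nothing to change.
dirserv:success = "success"'

if [ "${PM_APPLY:-0}" = 1 ]; then
    set_names "$FQDN"
    if ! dns_consistent "$FQDN" "$IP"; then
        echo "forward/reverse DNS for $FQDN <-> $IP do not agree; fix DNS first" >&2
        exit 1
    fi
    result=$(sudo changeip -checkhostname 2>&1)
    if changeip_ok "$result" "$FQDN" "$IP"; then
        echo "host name configuration is consistent; safe to proceed with Profile Manager"
    else
        printf '%s\n' "$result" >&2
        echo "changeip does not agree with $FQDN / $IP; review DNS before continuing" >&2
        exit 1
    fi
fi
```

Run it as `PM_APPLY=1 sh prep_names.sh mdm.pretendco.com 192.168.210.75` on the server; the DNS check runs before changeip so that a missing reverse record is reported as such rather than as a generic name mismatch.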

Now let’s open the Server app from the Applications directory. Here, use the Next Steps drawer at the bottom and verify that the Configure Network section reads that “Your network is configured properly” as can be seen here:

Profile Manager is built atop the web service, APNS and Open Directory. Therefore, let’s close the Next Steps drawer, click on the Web service and just hit start. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default website is shown instead of /var/empty (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default). If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).

Once the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to Lion Server page loads.

Provided the Welcome to Lion Server page loads, click on the Profile Manager service. Here, click on the Configure button.

At the first screen of the Configure Device Management assistant, click on Next.

At the Configure Network Users and Groups screen, click on Next.

At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.

At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.

At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).

The Open Directory master is then created. Even if you’re tying this thing into something like Active Directory, this is going to be a necessary step. Once Open Directory is set up you will be prompted to provide an SSL Certificate.

This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.

If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next.

Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.

When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.

The Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.

Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.

Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting.

Once started, click on the Open Profile Manager link and the login page will open. Administrators can log in to Profile Manager to set up profiles and manage devices.

The URL for this (for mdm.pretendco.com) is https://mdm.pretendco.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.

To enroll devices for management, use the URL https://mdm.pretendco.com/MyDevices (replacing the hostname with your own). Click on the Profiles tab to

From Profiles, you’ll need to install a Trust profile in order for the client to enroll. Tap or click on the Install button for the Trust Profile and complete the installation process.

Click back on the Devices tab. From here, click or tap on the Enroll button and complete the enrollment process on the client (following the defaults will suffice).

Once enrolled, you can wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can then opt out from management at any time. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator.

45 Comments

  • Dan
    April 1, 2012 - 1:44 pm

    I’m a little lost on the certificate needed.

    Does it have to be a “Code Signing Certificate”? What’s the difference between that cert and a regular cert? We have a wildcard cert we use everywhere but it won’t work with Profile Manager.

    If just managing Macs, is the “Code Signing Certificate” needed at all? Or any cert needed?

    I just want to put the profile in my image and move along. Having to mess with a cert is a nightmare so far.

    • June 28, 2012 - 9:07 pm

      If you’re just using profiles and not enrolling then you don’t need the cert. If using Profile Manager and enrolling then you will. The self-signed works great and you can put the certs for it into the base image so that you can enroll without trusting. Code signing certs are for MDM, the server also has a cert just for the portal (/MyDevices).

  • Pingback: Using Apple Configurator For Automated Enrollment | Krypted.com

  • Pingback: Integrating Mac OS X Lion Server’s Profile Manager With Active Directory | Krypted.com

  • Greg Hacke
    April 9, 2012 - 8:56 am

    Strange Behavior:
    After running the process above and about every iteration therein, I cannot sign configuration profiles.

    I have a trusted DigiCert CodeSigning certificate but when selecting Sign configuration profiles the system spins to write and returns to the unchecked state.

    • June 28, 2012 - 9:01 pm

      Can you sign profiles using the original self-signed cert?

    • Mathieu Beaudoin
      July 6, 2012 - 5:37 am

      Hi Greg,
      Did you find why your box was returning to the unchecked state? I have the same problem on my new server with a certificate bought from DigiCert. I talked to somebody from Apple and they suggested I reinstall from scratch. I did it, but I got the same behavior on a fresh install.

      • July 12, 2012 - 7:38 pm

        That’s consistent with what I’ve seen. :(

  • Raoul chin
    May 26, 2012 - 4:49 pm

    Dear Charles, just read your post. I am in the process of setting up my server and am reading your book Using Mac OS X Lion Server. However, I came across a problem when configuring my server that I couldn’t find a direct answer to in your book. The thing is, I set up Profile Manager with an SSL certificate, all working fine; when I’m at my server’s end and go on the web portal, Profile Manager works OK. Even when I’m outside of my house (so from the external) and go on mydomain/profilemanager, I get to the web portal. However, if I’m in my house on my iPad (so on the same network) and try the web portal to enroll my iPad, Safari gives me an error stating that it can’t open the page. Do you have any idea what is going wrong here? So from my server’s end I can get to Profile Manager on the web portal, but any other device, an iPad or another Mac on the same network in my house, can’t open the page.

    • May 26, 2012 - 8:35 pm

      Normally that would indicate that the server either has a different name or that the port that is being redirected isn’t open. It’s hard to say without much more information, but those are the most common things that I see that match the symptoms you mention.

  • Pax
    May 30, 2012 - 2:16 pm

    What do you do for redundancy with Profile Manager? Can you do replicas or fail overs or any such animal?

    • May 30, 2012 - 2:55 pm

      Regrettably the only redundancy would be in a clone of the system or just backing up the databases to a warm or cold spare. There’s definitely no active-active solution around Profile Manager, though. :(

  • Chris
    June 6, 2012 - 4:55 pm

    @Charles

    If you haven’t figured out the issue with Safari on your iPad yet, check the cookie settings for Safari. They need to be enabled or the page won’t load, I ran into the same issue.

  • Ben
    June 20, 2012 - 3:39 am

    This is, without a doubt, the best walkthrough I have seen on this. I have been struggling to get this set up for weeks, read through this and presto! all working brilliantly.

    You are currently my hero

  • June 21, 2012 - 9:52 am

    After setting up Profile Manager (in 10.7.4 Server), some certs are being removed when I import an Open Directory archive from a previous Snow Leopard server. This in turn breaks Profile Manager. I also noticed the users and groups don’t populate in Server.app (even after SACLs are removed for services). Any ideas?

    • June 22, 2012 - 7:15 am

      I always setup Profile Manager after restoring (or promoting or binding to) my directory services for the reason that the certificates get replaced in all of those circumstances. I also always wait to generate a CSR if I’m using a 3rd party cert, until after I’ve done all of that as well, which would just break it anyway if I didn’t.

  • Jimmy J
    June 23, 2012 - 6:09 pm

    I have everything set up, but when I go to my iPad to import the trust profile, it shows it is not verified in red letters. I click Install and then it tells me certificate “null” and it does not install it. What am I doing wrong?

    • June 23, 2012 - 6:35 pm

      Could be a bad cert or possibly the cert doesn’t match the host name. Does the name of the cert match the output of “serveradmin settings info:computerName”?

  • Jimmy J
    June 23, 2012 - 7:45 pm

    I read all your steps and I set up Open Directory first and then configured Profile Manager. Could this be the problem?
    I think there is something wrong with the setup and the certificate. I will reset tomorrow and try your method step by step.
    This is my second Mac mini server. The other one works fine. I must have done something wrong.

  • June 28, 2012 - 5:11 pm

    Personal preference really. I like them to match. The ComputerName is keyed to display what users see in the sidebar, etc. Some like it shorter or more human friendly (e.g. the guy who wrote the instructions you probably saw in the Apple course, who’s a nice guy btw). I like it to be the same so I don’t have to guess if I see one instead of the other. Also makes scripting a little easier here and there…

  • Robert
    July 3, 2012 - 3:38 am

    Hello,
    I have set up Lion Server 10.7.4 a while ago and I now want to enrol a new MB Air.
    The problem is I cannot reach the server from the MB Air when I enter https://server.name.private/profilemanager/
    On the server itself I can open the Profile Manager with no problem.
    I have no idea where to search for the solution, whether it is a problem with a certificate or whether it is a DNS issue or other.
    I can, however, open the server’s Wiki pages from the MB Air.
    Could you give me a hint ?
    Thank you so much,
    Robert

  • Robert
    July 3, 2012 - 3:51 am

    Hi,
    sorry, I was wrong: when I try to open the Wiki pages from Server app I likewise get the message from Safari that the server https://serve.name.com/wiki
    could not be found.
    However, when I enter the local IP
    https://10.1.1.xxx/wiki
    I can open the Wiki pages.

    When I try
    https://10.1.1.xxx/profilemanager/
    then Safari redirects to
    https://server.name.com/profilemanager/
    and again says that it can’t find the server.

    Thank you again,
    Robert

    • July 3, 2012 - 7:03 am

      Sounds like either a hostname issue or an issue with the Apache configuration. Does server.name.com/mydevices fail as well or does it load?

  • Robert
    July 5, 2012 - 4:38 am

    Hi Charles,
    I found the solution:
    the first DNS entry of the *clients* (!) Networking TCP/IP Panel (10.7.4) must be the IP of the local server, e.g. 10.1.1.111.
    If the first entry is 10.1.1.1, which is our router, the DNS query will fail because our private server’s DNS entry is of course not known to a public DNS server.
    So, the solution is to have the IP address of the local server in the first position and the IP of a public DNS server – or the router’s IP address – in the second position.
    When the server is up it will re-direct queries it could not resolve to a public server, if the server is down, client queries will be sent to the second DNS server.
    There is a little documented fact, although DNS experts are certainly aware of it. If there are two server entries in the DNS list, and the first server is up but it cannot resolve the client’s DNS query, then that is it. The query will *not* be sent to the next DNS server in the list!
    I do not understand why this is so because it would make sense to pass the query on to the next DNS server.

    I hope this makes sense.

  • john
    July 8, 2012 - 12:29 pm

    Hi,

    Great page!

    I wonder if you could assist me with an anomaly?

    I set up OSX Lion Server a while back using a dummy domain. Yesterday I finally got the time to continue. I have registered a domain name and I decided to update my server info to reflect this. With the new domain working with OD, network logins, WGM, website, etc. I decided to configure Profile Manager; all went well until I logged into the portal and saw this:

    trust profile for (old domain name) – install

    where is it getting this “old domain name” from?
    My certificates are all in my new domain and, no dns entries for the old domain, etc

    I have cleared out old certs, and entries, etc
    I really don’t want to have to reinstall everything.

    any ideas?

    john

    • July 8, 2012 - 12:33 pm

      Should be pulling that name from “serveradmin settings info:computerName” which is set based on the hostname when the server is first installed. But, if you change it then you need to nuke+pave Profile Manager to get a fresh name applied to the cert.

  • john
    July 8, 2012 - 12:47 pm

    OK, sounds like a plan. Have you uninstalled PM before? Could you share your experience? I can’t see a clear way to do this via the GUI.

    Thanks for the assistance

    John

  • john
    July 8, 2012 - 1:17 pm

    I ran the wipeDB.sh, restarted the server and configured PM again and still the wretched old domain name is there, unbelievable! :O(

    Gee, OSX doesn’t make uninstalling services easy, back to the drawing board.

  • Andy Sims
    July 10, 2012 - 9:54 am

    Very helpful!

    I am having an issue I was hoping you could shed some light on…

    I’m wanting to use profile manager to manage applications that appear in the dock of a computer used by several people logging onto it daily. When I click the gear and select “edit apps” I am given the option to upload new apps to the list but when I select apps from my computer it says “Filetype not supported”

    • September 21, 2012 - 6:06 pm

      Are you adding from the server itself or from a client?

  • dan
    July 11, 2012 - 3:22 pm

    Attempting to enroll a client machine into Profile Manager but get “Profile installation failed. The profile is either missing some required information, or contains information in an invalid format.” Help?

    • July 12, 2012 - 7:36 pm

      That’s an error I usually see if I haven’t previously installed a Trust Profile. Have you done that part yet?

  • July 17, 2012 - 9:39 pm

    Hey Charles, I have been trying to enrol a device (another mac) for about a month now. I feel like I tried everything under the sun.

    As I mention in my post to Apple discussions (https://discussions.apple.com/thread/4113451) I get the following error:

    Profile installation failed.
    The profile “Remote Management (com.apple.config.server.mydomain.com.mdm)” could not be installed due to an unexpected error.

    Within the Console app the following entry gets produced:
    17/07/12 7:05:56.271 AM System Preferences: *** ERROR *** [CPInstallerUI:502] Profile installation (Remote Management (com.apple.config.server.mydomain.com.mdm)) (Checkin ‘Authenticate’ failed: 0 )

    Any help with this would be greatly appreciated.

    • September 21, 2012 - 9:26 am

      That error looks like a wonky ACL thing to me. Might try and make the user an admin temporarily and see if it works?

  • Mark
    July 30, 2012 - 4:51 am

    Great article, only wish I’d found it before I started rather than now when I’m troubleshooting why Profile Manager is not working…. :-(

    I am pretty sure I started Profile Manager in Server app (and configured it) before I had all the other components set up. Now I can switch Profile Manager on in Server app but I get nothing when I click on the link to start up the web interface and get the dreaded “Profile Manager service is turned off”. In the web interface I get a web page but not the nice Welcome to Lion home page.

    Any advice on how I can turn off profile manager at the command line or get it working?

    DNS is all working, I have a valid third party SSL cert

    Thanks in advance

    • September 21, 2012 - 5:57 pm

      In Mountain Lion, it would be:

      sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

      Just keep in mind, all of the stuff you’ve put into Profile Manager when this is run will get lost. But you’ll then be able to re-run the configuration assistant and get the service back up and running. Good luck!

  • Kev
    August 10, 2012 - 5:50 am

    I’ve got this all set up and working to a degree, seems fine with pushing to devices, but automatic push doesn’t happen with “settings for everyone” which seems a little odd.

    Also I want settings for everyone to set up messages using kerberos for the password and to get the short username for the user itself, but when I download the “settings for everyone” profile it installs, but messages account actually says %short_name% instead of resolving it

    • August 10, 2012 - 6:19 am

      I’ve stopped using Everyone as it’s only supposed to be used for services hosted on the single server itself and I haven’t been able to get everything to work even when it is. So I’ve made plenty of custom groups that just have all the users in them and set everything up from scratch. Works way better.

  • Geoffrey O'Brien
    August 15, 2012 - 3:22 pm

    If you have a 3rd party cert installed, and choose not to sign the profiles, the trust profile disappears from the “My Devices” page. The problem/oddity I’m having is that on the clients it shows the profiles as unsigned in red. If I choose to sign profiles, the profiles on the client show green and signed. Am I incorrect in thinking that if I install a third party cert, I do not need the trust, and can still be verified?

    • September 21, 2012 - 9:24 am

      If you use a 3rd party code signing cert then that should be the case.

  • Matt
    August 17, 2012 - 11:21 am

    I have got to the point where I have accepted the trust profile; trying to enroll it, it stalls and finally tells me it cannot be installed. Any ideas?

    • August 20, 2012 - 10:33 pm

      Can you load the web interface using the hostname referenced in the cert? This is the most common thing I see with that…

  • Andrew
    August 27, 2012 - 6:18 pm

    Hi thanks for the walk through.

    On a clean install of 10.8 Server and enrolling a new 10.8.1 client I try to enrol the client after successfully adding the trust but I get the following error:

    The profile “Device Enrollment (com.apple.ota.myservernamehere.bootstrap)” could not be installed due to an unexpected error.

    The only difference in the walkthrough is that I had set up OD first before going through the Profile Manager setup. Would this cause an issue?

    • August 27, 2012 - 6:22 pm

      I saw something like this last week. Do me a favor and try trusting the OD cert first, then see if the Trust Profile takes.

      • Andrew
        August 28, 2012 - 12:00 am

        Thanks. Had thought of that too and it is currently trusted though.

        But I found the answer, as I’m doing this at home to evaluate 10.8 and everything is setup to run through an Airport Extreme, I presumed this should be auto-configured,
        but I found there was a management setting for the Airport Extreme in the Server app called “Profile Manager”. Once I added this it opened up the right holes in the firewall, specifically TCP ports 80 (http), 443(https) and 1640(cert-responder) which makes sense. Only concern is some environments may stumble on this as keeping 1640 closed is generally a good idea, so if people are trying to get devices joined to a Profile Manager on a reasonably secure network, this could cause a hiccup in the process.

        Cheers for your quick response and sincerely appreciate your blog and advice it has proven invaluable on more than one occasion.
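Two of the recurring problems in this thread can be checked from the client before an enrollment is attempted: whether the name in the certificate the server presents matches the server’s name (the “serveradmin settings info:computerName” comparison Charles suggests above in reply to Jimmy J), and whether the ports Andrew found the AirPort Extreme blocking (TCP 80, 443 and 1640) are reachable. The script below is an added example, not code from the original post or from any of the commenters. The host name mdm.pretendco.com is the article’s; the function names (parse_computer_name, cert_cn, name_in_cert, port_open), the PM_CHECK switch and the availability of nc and openssl on the client are my own assumptions. The parsers are plain string functions and run anywhere; the live network checks only run with PM_CHECK=1.

```shell
#!/bin/sh
# Added example (not from the original post or its comments): checks run from
# a client before enrolling it. Covers the enrollment ports (TCP 80, 443, 1640)
# and the match between the served certificate's name and the server's name.
# Host name mdm.pretendco.com is the article's; function names are assumptions.
# Live checks run only when PM_CHECK=1 is set; the parsers run anywhere.

HOST="${1:-mdm.pretendco.com}"

# Pull the value out of a "serveradmin settings info:computerName" line, which
# looks like:  info:computerName = "mdm.pretendco.com"
parse_computer_name() {
    printf '%s\n' "$1" | sed -n 's/^info:computerName *= *"\(.*\)"$/\1/p'
}

# Extract the CN from an "openssl x509 -noout -subject" line. Both layouts are
# handled: old  subject= /C=US/O=Pretendco/CN=mdm.pretendco.com
#          new  subject=C = US, O = Pretendco, CN = mdm.pretendco.com
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Return 0 when HOST is the CN or appears among the DNS SANs ("DNS:a, DNS:b" as
# printed by "openssl x509 -text"). A mismatch here is what makes the Trust
# Profile show as unverified on the client.
name_in_cert() {
    subject="$1"; sans="$2"; host="$3"
    [ "$(cert_cn "$subject")" = "$host" ] && return 0
    printf '%s\n' "$sans" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' | grep -qxF -- "$host"
}

# TCP reachability of one port using nc's zero-I/O mode with a 3 s timeout.
port_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

if [ "${PM_CHECK:-0}" = 1 ]; then
    status=0
    for p in 80 443 1640; do
        if port_open "$HOST" "$p"; then
            echo "tcp/$p reachable on $HOST"
        else
            echo "tcp/$p NOT reachable on $HOST (firewall or port forward?)" >&2
            status=1
        fi
    done
    # Fetch the served certificate once and inspect CN and SANs.
    pem=$(printf '' | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null \
          | openssl x509 2>/dev/null)
    subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
    sans=$(printf '%s\n' "$pem" | openssl x509 -noout -text | grep -o 'DNS:[^,]*' | paste -sd, -)
    if name_in_cert "$subject" "$sans" "$HOST"; then
        echo "certificate name matches $HOST"
    else
        echo "certificate names ($subject; $sans) do not include $HOST" >&2
        status=1
    fi
    # When run on the server itself, compare against computerName as well.
    if command -v serveradmin >/dev/null 2>&1; then
        cn=$(parse_computer_name "$(sudo serveradmin settings info:computerName)")
        [ "$cn" = "$HOST" ] || { echo "computerName is '$cn', not $HOST" >&2; status=1; }
    fi
    exit $status
fi
```

Run `PM_CHECK=1 sh preenroll_check.sh mdm.pretendco.com` from the client that refuses to enroll; a closed port points at the firewall or router, while a certificate name that does not include the host name points at the certificate or DNS setup rather than at Profile Manager itself.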
