New in Lion Server, Profile Manager is the most substantial new service added to Mac OS X Server in recent memory. A lot of engineering has gone into it since the introduction in 10.7.0 and in 10.7.3, Profile Manager represents a service that is ready for actual deployments. I have written a number of articles about Profile Manager, but they all revolved around working with Profile Manager once the service is setup and configured. Therefore, I have decided to document the steps used to take a system out of the box and configure it for Profile Manager.
Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.75 and the hostname will be mdm.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.
sudo scutil --set HostName mdm.pretendco.com
Then the ComputerName:
sudo scutil --set ComputerName mdm.pretendco.com
And finally, the LocalHostName:
sudo scutil --set LocalHostName mdm
Now check changeip:
sudo changeip -checkhostname
The changeip command should output something similar to the following:
Primary address = 192.168.210.75
Current HostName = mdm.pretendco.com
DNS HostName = mdm.pretendco.com
The names match. There is nothing to change.
dirserv:success = "success"
Provided the IP address and hostname are correct, then if you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. I have downloaded and installed the Server Admin Tools and then opened Server Admin, connected to the server and configured just the mdm server as a single record in the pretendco.com zone:
Provided your DNS looks just like this (your host name not mine) then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.
Now let’s open the Server app from the Applications directory. Here, use the Next Steps drawer at the bottom and verify that the Configure Network section reads that “Your network is configured properly” as can be seen here:
Profile Manager is built atop the web service, APNS and Open Directory. Therefore, let’s close the Next Steps drawer, click on the Web service and just hit start. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default website is shown instead of /var/empty (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default). If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).
At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.
At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.
At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).
The Open Directory master is then created. Even if you’re tying this thing into something like Active Directory, this is going to be a necessary step. Once Open Directory is setup you will be prompted to provide an SSL Certificate.
This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.
If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.
You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. email@example.com) rather than a private one (e.g. firstname.lastname@example.org). Once you have entered a valid AppleID username and password, click Next.
Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.
When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.
Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.
Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting.
The URL for this (for mdm.pretendco.com) is https://mdm.pretendco.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.
Once enrolled, you can wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can then opt out from management at any time. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator.