Tag Archives: App Store
Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices: Mobile Device Management (MDM) for iOS-based devices and profile management for OS X-based computers (MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs) running Mac OS X 10.7 and up. In OS X Mountain Lion, Apple added a number of new features to Profile Manager, most notably the ability to push certain types of apps to mobile devices.
In this article, we’re going to look at setting up Profile Manager from scratch. If you’re upgrading to OS X Mountain Lion Server (10.8 Server) from OS X Lion Server (10.7 Server) then review this link for upgrade instructions.
Preparing For Profile Manager
Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and a host name that resolves properly for the server. In this example, the IP address will be 192.168.210.135 and the hostname will be mlserver3.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install a certificate from a CA ahead of time; the trade-off is that with a self-signed certificate every client has to install a Trust Profile before it can enroll, whereas a certificate from a CA the devices already trust needs no such step. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.
sudo scutil --set HostName mlserver3.pretendco.com
Then the ComputerName:
sudo scutil --set ComputerName mlserver3.pretendco.com
And finally, the LocalHostName:
sudo scutil --set LocalHostName mdm
Now check changeip:
sudo changeip -checkhostname
The changeip command should output something similar to the following:
Primary address = 192.168.210.135
Current HostName = mlserver3.pretendco.com
DNS HostName = mlserver3.pretendco.com
The names match. There is nothing to change.
dirserv:success = "success"
If you don’t see the success line and that the names match, you have some DNS work to do next, depending on whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should point to the IP address of the server itself. To manage DNS, start the DNS service and configure it as shown in the DNS article I did previously.
Provided your DNS is configured properly, changeip should report success. If you’re hosting DNS on an Active Directory integrated DNS server or some other box, then just make sure you have both a forward (A) record and a reverse (PTR) record for the hostname/IP in question: changeip compares the forward and reverse lookups, so a missing or mismatched PTR record fails the check even when the A record is right.
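The forward/reverse consistency check that changeip performs is easy to reproduce for a fleet of servers, or to run from a machine that isn’t the server itself. The script below is an added example, not code from the article or from Apple; it mirrors the check with the system resolver, and also accepts table-backed resolvers so it can be run offline against a constructed sample zone (the broken.pretendco.com / someotherbox.pretendco.com records are made up for the example).

```python
import socket

# Constructed sample zone standing in for real DNS (assumed data, not from the article).
# The first pair matches the article's example; the second is deliberately inconsistent.
SAMPLE_FORWARD = {
    "mlserver3.pretendco.com": ["192.168.210.135"],
    "broken.pretendco.com": ["192.168.210.140"],
}
SAMPLE_REVERSE = {
    "192.168.210.135": "mlserver3.pretendco.com",
    "192.168.210.140": "someotherbox.pretendco.com",  # PTR disagrees with the A record
}


def _norm(name):
    """Compare names case-insensitively and ignore a trailing dot."""
    return name.strip().rstrip(".").lower()


def sample_forward(name):
    return SAMPLE_FORWARD.get(_norm(name), [])


def sample_reverse(ip):
    return SAMPLE_REVERSE.get(ip)


def live_forward(name):
    """A-record lookup via the system resolver; empty list when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except OSError:
        return []


def live_reverse(ip):
    """PTR lookup via the system resolver; None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_hostname(hostname, primary_ip, forward=live_forward, reverse=live_reverse):
    """Mirror changeip -checkhostname: the name must resolve to the primary address and
    the address must resolve back to the name. Returns (ok, list_of_problems)."""
    problems = []
    addrs = forward(hostname)
    if not addrs:
        problems.append(f"no A record for {hostname}")
    elif primary_ip not in addrs:
        problems.append(f"{hostname} resolves to {', '.join(addrs)}, not {primary_ip}")
    ptr = reverse(primary_ip)
    if ptr is None:
        problems.append(f"no PTR record for {primary_ip}")
    elif _norm(ptr) != _norm(hostname):
        problems.append(f"{primary_ip} reverses to {ptr}, not {hostname}")
    return (not problems, problems)


if __name__ == "__main__":
    for host, ip in [("mlserver3.pretendco.com", "192.168.210.135"),
                     ("broken.pretendco.com", "192.168.210.140")]:
        ok, problems = check_hostname(host, ip, sample_forward, sample_reverse)
        print(host, "OK" if ok else "; ".join(problems))
```

Against a real server, call check_hostname with the defaults (the live resolvers) from a box that uses the same DNS servers the clients will use; a name that only resolves from the server’s own /etc/hosts will pass changeip locally and still break enrollment for every client.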
Now let’s open the Server app from the Applications directory. Here, use the Next Steps drawer at the bottom and verify that the Configure Network section reads that “Your network is configured properly” as can be seen here:
Profile Manager is built atop the web service, APNS and Open Directory. Therefore, let’s close the Next Steps drawer, click on the Web service and just hit Start. Starting the Web service here isn’t strictly required for Profile Manager to function, but it lets you confirm that the web stack is healthy before Profile Manager is layered on top of it. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default website is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).
Once the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to Lion Server page loads.
Setting Up Profile Manager
In the Server app, click on Profile Manager in the sidebar and then click on the Configure button to launch the Configure Device Management assistant. At the first screen of the assistant, click on Next.
Assuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen. Then click on Next.
At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.
At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.
At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).
The Open Directory master is then created. Even if you’re tying this thing into something like Active Directory, this is a necessary step: Profile Manager requires a local Open Directory master even when the user accounts it manages come from Active Directory. Once Open Directory is set up you will be prompted to provide an SSL Certificate.
This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.
If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.
You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid Apple ID. It is best to use an institutional Apple ID (e.g. email@example.com) rather than a private one (e.g. firstname.lastname@example.org): the push certificate is tied to the Apple ID that requested it and has to be renewed with that same Apple ID every year, so if the owner of a personal Apple ID leaves, you lose the ability to renew it and enrolled devices stop receiving push notifications. Once you have entered a valid Apple ID username and password, click Next.
Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.
When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.
The Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.
Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.
If you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.
Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting.
Once started, click on the Open Profile Manager link and the login page will open. Administrators can log in to Profile Manager to set up profiles and manage devices.
The URL for this (for mlserver3.pretendco.com) is https://mlserver3.pretendco.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.
Enrolling Into Profile Manager
To enroll devices for management, use the URL https://mdm.pretendco.com/MyDevices (replacing the hostname with your own; it has to be the name in the certificate you selected during setup, since clients validate the server certificate against the hostname they connect to). Click on the Profiles tab to bring up a list of profiles that can be installed manually.
From Profiles, you’ll need to install a Trust Profile in order for the client to enroll. The Trust Profile installs the server’s self-signed certificate as a trusted anchor on the device, which is why this step is needed with a self-signed certificate and not with one issued by a CA the device already trusts. Tap or click on the Install button for the Trust Profile and complete the installation process.
Click back on the Devices tab. From here, click or tap on the Enroll button and complete the enrollment process on the client (following the defaults will suffice).
On the devices, you’ll then be prompted to install the profile. On iOS tap Install then Install then Done. On OS X, click Continue, then Install.
Once enrolled, you can wipe or lock the device from the My Devices portal, and management profiles pushed from the MDM server take effect. Keep in mind that devices can opt out of management at any time by removing the enrollment profile, so Profile Manager only enforces policy on devices whose users leave it in place; it is not a control against a hostile device holder. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article.
If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka devicemgr) database. Note that this destroys all device records and enrollments, so every device has to be enrolled again afterwards.
Automating Enrollment & Random Management Tips
The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.
When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.
Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.
Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. In this case, it’s an iPad. We’re going to click on the device in Profile Manager’s admin portal, located at https://<SERVERNAME>/profilemanager (in this case https://mdm.pretendco.com/profilemanager).
From the device (or user, group, user group or device group objects), click on the Profile tab and then click on the Edit button.
Here, you can configure a number of settings on devices. There are sections for iOS specific devices, OS X specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad. Click on Passcode, then click on Configure.
At the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. Click OK to commit the changes. Once configured, click Save.
At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later.
The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can copy the app from your library or browse to it at the location it is in later.
Then, from the https://<SERVERNAME>/profilemanager portal, click on an object to manage (in this case it’s a group called Demo) and click on the Apps tab.
From the Apps tab, click on the cog wheel icon and then click on Edit Apps.
At the Add Apps screen, click on upload and then browse to the app we found earlier.
The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.
At the App Installation screen on the iPad, tap on the Install button and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. If it opens, it’s safe to assume that the App Store app on the device is signed in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app, as can be seen here.
This brings up an interesting limitation of how Profile Manager interacts with the App Store. It kinda’ doesn’t. If I were pushing apps to elementary school iPads in a 1:1 I could either use Apple Configurator (if I wanted to burn up a VPP code per student per year) or I could use iTunes (if I wanted a labor intensive process of restoring an iPad per computer rather than a parallel process). But either way, I’m gonna’ stay away from Profile Manager for apps.
So if you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.
Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.
At the Wipe screen, click on the device and then click on the Wipe button again. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.
Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.
So where are all these new features that justify a new version number? To quote Apple’s Profile Manager 2 page:
Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.
Wait, it did that before… Which isn’t to say that for the money, Profile Manager isn’t an awesome tool. Apps such as Casper MDM, AirWatch, Zenprise, etc. all have far more options, but aren’t as easy to install, nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools you’ll ultimately end up using. One thing I can say for it is that Profile Manager is a little faster and seems much more stable (in fact, Apple has now published scalability numbers, which they have rarely done in the past). You can also implement newer features with it, including Gatekeeper and Messages.
Cryptix is a nice little app available on the App Store that allows you to encrypt and decrypt files using a variety of algorithms. However, while an easy to use encryption tool, it’s actually an even better learning tool for figuring out how various types of encryption techniques actually work.
When you first open Cryptix, you’ll see a list of supported algorithms for encrypting files and passphrases. That part is simple enough, but click on the Tools icon in the toolbar.
Here, you’ll see a number of features along the sidebar, including Checksum, which performs a quick checksum of files dragged on top of the green arrow and tracks hashes, based on the algorithm you choose. Below that can be found more detailed information about interfaces, man page access and a few other things that show the developer was learning how to do a few neat things while writing the tool (such as using DNS from the tool).
Overall, the encryption and decryption aspects of this tool alone are worth the price on the App Store. The checksums are super fast. The other features are interesting as well. I don’t do a lot of app reviews, but this one unexpectedly caught me off guard as something I’d recommend.
I had been trying to work on a command line interface for the App Store for a while. I learned a lot while doing so, but was never actually able to do more than associate Apple IDs here and there. One of the things I was able to use during my attempts (other than a disassembler) was the Element Inspector for the App Store. The Element Inspector allows you to view the raw source code of the pages being displayed in the App Store. This thing could be pretty handy if you were interested in embedding aspects of the App Store in other items, such as apps or a command line tool (if you could build one). The Element Inspector also gives you the ability to track resource utilization, monitor network connections, check variable contents, see the scripts running in the background and more.
To enable the Element Inspector, write a boolean WebKitDeveloperExtras key into the com.apple.appstore defaults domain:
defaults write com.apple.appstore WebKitDeveloperExtras -bool TRUE
Because it’s no fun to give up half the real estate in the App Store, quit the App Store, run the following command and reopen it to disable the Element Inspector:
defaults write com.apple.appstore WebKitDeveloperExtras -bool FALSE
OK, by now I’m sure everyone has heard that OS X Server is a download off the App Store. For a whoppin’ $50 you get the OS that was once called “Open Source Made Easy” until someone at Apple realized that GPLv3 might mean that Open Source doesn’t always mean “free as in beer”. Wait, did I say that out loud? Point is, there are bigger changes here than just moving the server to the App Store.
There are also some pretty big changes to the GUI of OS X Server. The first and most obvious is the LoginWindow, which is different in OS X in general. It obviously looks different. The ability to click on the items above the username and password is gone. You can still see indicators of green and orange in the username field to indicate directory service availability though, which was one of the bigger things we’ve used that for over the past few years.
Once downloaded, the Server app will be in the /Applications directory, in Launchpad and useable. But the Server Admin tools are a separate (free) download from the Apple downloads page. This is a nice nickel and dime way of keeping the Server app small. Once installed, note that if you open About this Mac, the OS does reflect that you are running Mac OS X Server Lion (not OS X Server Lion btw for all you marketing nerds), so it is actually a registered different version of the operating system.
Now open up Workgroup Manager. The Inspector option in Workgroup Manager is gone. Actually, this is only kinda’ true. The option is greyed out in the Workgroup Manager prefs (com.apple.WorkgroupManager.plist) but easily enabled using defaults to add a dictionary for “Application Preferences” with a key of ‘Show “All Records” Tab’ set to a value of 1. But more importantly, there’s now a tool called the Directory Editor that is part of Directory Utility (still located at /System/Library/CoreServices). It looks a lot like the Inspector, but it’s a bit more appropriate for local stuff.
Now open up Server Admin. Most of the services are gone. We’re left with nat (does anyone really still use OS X Server as a border device?!?!) and a few other services that were either too boring to get moved to the Server app or too unwanted. Expect these to disappear one by one if there are future releases of OS X Server. In fact, if OS X Server is $50 I’d say building a better DHCP (that maybe has a GUI for DHCP options and other cool stuff) or a better DNS is a worthy of a $10 or $20 app on the app store. After all, given the Mini platform it seems a decent platform as a network appliance in that fashion… But back to it.
Now go into Server. Wow. Super easy. The only challenging thing in here is Profile Manager. And the only challenging thing about it is that a) most people aren’t going to let it build Open Directory for them (but should) and b) some people are going to get stumped when asked for a username and password for a developer account. Get yourself an Apple ID with a developer cert and Profile Manager will be really easy to use, especially if you’re used to working with Workgroup Manager to build Managed Preference manifests. Once in, you will note that you can assign specific defaults domains and push keys to clients. Of course, the big thing here is the wipe. The most important thing to note about that is that the clients need to run FileVault and there’s not a great mass deploy strategy for that yet (IMHO).
While I said Profile Manager could be challenging, there are some really cool things waiting for people to start hacking away at. The first is scripting profile creation and management. Profiles are stored in /var/db/ConfigurationProfiles/Store. Much to the chagrin of 3rd party MDM developers, this solution works great for OS X and iOS. Much to the delight of MDM developers, the whole App Store look and feel that someone like JAMF has is still something that really sets them apart, and the ability to have Casper assist you with managing those VPP keys is the crazy huge value add that it will continue to bring to the table. Having said that, a lot of smaller organizations can now use Profile Manager where they might have just used iPhone Configuration Utility before.
Profiles can be pushed out in a number of ways. The user can download it out of the goodness of their heart. In iOS you’re kinda’ stuck with that deployment methodology. But not in OS X. Help comes in the form of the profiles command, located in /usr/sbin. Profiles is explained further in this other post of mine here.
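Scripting profile creation, mentioned above, comes down to writing the same property list structure Profile Manager emits, and the passcode policy configured earlier in the Mountain Lion walkthrough is a good first payload to generate this way. The script below is an added example, not code from the article or from Apple: it builds a .mobileconfig with a com.apple.mobiledevice.passwordpolicy payload (the keys are from Apple’s Configuration Profile Reference), serializes it with plistlib, and lints the result for the mistakes that make a hand-built profile fail or silently overwrite another one. The organization name and the com.pretendco.* identifiers are assumptions for the example; the maxFailedAttempts value is an addition beyond what the walkthrough sets.

```python
import plistlib
import uuid

# Organization and identifiers are assumptions for the example, not from the article.
ORG = "pretendco"


def new_uuid():
    return str(uuid.uuid4()).upper()


def passcode_payload(min_length=4, allow_simple=True, max_failed_attempts=10):
    """One com.apple.mobiledevice.passwordpolicy payload, the same payload type that
    Profile Manager writes when you configure Passcode in the web UI."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{ORG}.passcode",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Passcode",
        "forcePIN": True,                           # require a passcode at all
        "allowSimple": allow_simple,                # True permits 1111 / 1234 style values
        "minLength": min_length,
        "maxFailedAttempts": max_failed_attempts,   # iOS wipes the device when exceeded
    }


def build_profile(payloads, name, identifier, scope="System"):
    """Wrap payloads in the top-level Configuration dictionary of a .mobileconfig."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": name,
        "PayloadOrganization": ORG,
        "PayloadScope": scope,
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist that profiles(1) and Profile Manager accept."""
    return plistlib.dumps(profile)


def load_mobileconfig(data):
    return plistlib.loads(data)


def lint_mobileconfig(data):
    """Catch missing required keys and duplicated UUIDs or identifiers. A profile with the
    same PayloadIdentifier replaces the installed one, so an accidental collision between
    two of your profiles overwrites policy instead of adding to it."""
    problems = []
    profile = load_mobileconfig(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    seen_uuid, seen_id = set(), set()
    for p in [profile] + list(profile.get("PayloadContent", [])):
        for key in ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID"):
            if key not in p:
                problems.append(f"{p.get('PayloadType', '?')}: missing {key}")
        u, i = p.get("PayloadUUID"), p.get("PayloadIdentifier")
        if u is not None:
            if u in seen_uuid:
                problems.append(f"duplicate PayloadUUID {u}")
            seen_uuid.add(u)
        if i is not None:
            if i in seen_id:
                problems.append(f"duplicate PayloadIdentifier {i}")
            seen_id.add(i)
    return problems


if __name__ == "__main__":
    profile = build_profile([passcode_payload(min_length=4)],
                            "Passcode policy", f"com.{ORG}.passcode.profile")
    data = to_mobileconfig(profile)
    print(data.decode())
    print("lint:", lint_mobileconfig(data) or "clean")
```

Write the output to a file and install it on an OS X client with sudo profiles -I -F passcode.mobileconfig, then confirm with profiles -P; the same file can be uploaded to Profile Manager as a custom profile. Every payload in a profile needs its own UUID, and that UUID is what the installed profile is tracked by, so generate a fresh one per payload rather than reusing a template’s.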
The serveradmin app (serveradmin list shows a few less results than it used to), slap* commands and other tools server admins are used to are all still there. There’s a better webmail (much, much better), Wiki’s are a little different (not much), NFS (kinda’) and FTP are gone, Podcast Producer keeps getting easier, the twisted stuff (iCal and Address Book Server) is the same as it was in Snow Leopard and Server app gets more functional whereas Server Admin gets less functional. Server got a little easier. Or at least on the outside. But presumably it can, given that it’s likely to be asked to do less than it once was moving forward.
But as with previous versions of OS X Server, there are a lot of settings under the hood that aren’t exposed in any app. Let’s look at the devicemgr service, which is Profile Manager in the GUI:
sudo serveradmin settings devicemgr
One thing I do find interesting is the inclusion of postgres in serveradmin but not in Server app or Server Admin. MySQL is gone, but postgres is there.
You’ll also see settings like mdm_acl and user_timeout that can be pretty helpful (which is why they’re in there in the first place) but aren’t in the GUI. I’m all for keeping GUI’s clean, not giving admins the ability to easily enable something they shouldn’t and keeping away from having screens and screens of rolling settings. So for the most part I’m OK with this. My point with this paragraph (and every paragraph should have a point even though I forget that sometimes) is that if there’s a setting you need that you think got taken out or if there’s a setting that would be cool to have, check serveradmin settings and see if it’s there before just taking the Server app’s word for it…
The Mac OS X App Store was released earlier this month as part of the Mac OS X 10.6.6 update. The App Store, with over 1,000 applications (including a couple of server tools), allows people to download and install applications on Mac OS X computers without needing to understand how to click through the screens of a standard package installer, drag applications from disk images into the /Applications folder, or basically how to do practically anything except click and provide a valid credit card number. As with the App Store that debuted with the iPhone, the App Store for Mac OS X is clearly aimed at residential customers, but since these computers are used in enterprises around the world, the impact on managed environments cannot be discounted. I decided to do plenty of testing and reading before I wrote this up, so hopefully you’ll find it helpful, if not very timely.
The first and probably most important aspect of the App Store to most who are charged with managing large numbers of Mac OS X computers is that only administrative users can install software from the App Store. This little fact makes the App Store itself a non-issue for most enterprises, who do not make typical users administrative users. Because only administrative accounts can download and install applications, there is little risk created from leaving the App Store on client computers.
Applications installed from the App Store can only be deployed into the /Applications directory. These applications are owned by root (shown as “system” in the Finder), with read-only access given to the wheel group and everyone else. No ACLs are used, so while a single user purchases the software, any user on the system can open it. If you copy the software to another computer then you will be prompted to authorize it using the same Apple ID that was used to purchase it.
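App Store apps can be told apart from drag-installed ones because the store leaves its receipt inside the bundle at Contents/_MASReceipt/receipt, and the ownership and mode described above are worth checking rather than assuming, since a bundle a non-admin user can write to is a bundle any user on the machine can have replaced. The script below is an added example, not code from the article or from Apple: it inventories the .app bundles under a directory, flags App Store installs by their receipt, and reports bundles or executables that are world-writable or not owned by root. It builds a constructed sample tree (StoreApp.app and LooseApp.app are made up) so it can run anywhere; point audit() at /Applications on a real Mac.

```python
import os
import stat
import tempfile
from pathlib import Path

# Relative path of the Mac App Store receipt inside an .app bundle.
RECEIPT = Path("Contents") / "_MASReceipt" / "receipt"


def is_app_store_app(bundle):
    """Apps installed by the App Store carry a store receipt inside the bundle."""
    return (bundle / RECEIPT).is_file()


def _world_writable(path):
    return bool(stat.S_IMODE(path.stat().st_mode) & stat.S_IWOTH)


def inspect_bundle(bundle):
    exe_dir = bundle / "Contents" / "MacOS"
    binaries = [p for p in exe_dir.iterdir() if p.is_file()] if exe_dir.is_dir() else []
    return {
        "name": bundle.name,
        "app_store": is_app_store_app(bundle),
        "owner_uid": bundle.stat().st_uid,
        "world_writable": _world_writable(bundle) or any(_world_writable(p) for p in binaries),
    }


def audit(apps_root):
    """Inventory every .app bundle directly under apps_root (normally /Applications)."""
    return [inspect_bundle(p) for p in sorted(apps_root.glob("*.app")) if p.is_dir()]


def findings(report):
    """Bundles a non-admin user could tamper with: anyone who can write to the bundle or
    its executable can swap in code that every user on the machine will then launch."""
    out = []
    for r in report:
        if r["world_writable"]:
            out.append(f"{r['name']}: world-writable bundle or executable")
        if r["owner_uid"] != 0:
            out.append(f"{r['name']}: not owned by root (uid {r['owner_uid']})")
    return out


def make_sample_tree(root):
    """Constructed stand-in for /Applications: one App Store app with tight permissions
    and one drag-installed app whose executable was left world-writable."""
    store = root / "StoreApp.app"
    (store / RECEIPT).parent.mkdir(parents=True)
    (store / RECEIPT).write_bytes(b"constructed receipt, not a real one")
    (store / "Contents" / "MacOS").mkdir()
    store_exe = store / "Contents" / "MacOS" / "StoreApp"
    store_exe.write_bytes(b"#!/bin/sh\n")
    os.chmod(store, 0o755)
    os.chmod(store_exe, 0o755)
    loose = root / "LooseApp.app"
    (loose / "Contents" / "MacOS").mkdir(parents=True)
    loose_exe = loose / "Contents" / "MacOS" / "LooseApp"
    loose_exe.write_bytes(b"#!/bin/sh\n")
    os.chmod(loose_exe, 0o777)
    return root


def demo():
    """Run the audit over the constructed tree; returns (report, findings)."""
    root = make_sample_tree(Path(tempfile.mkdtemp()))
    report = audit(root)
    return report, findings(report)


if __name__ == "__main__":
    report, problems = demo()
    for r in report:
        print(r)
    for line in problems:
        print("FINDING:", line)
```

On the sample tree every bundle is owned by whoever ran the script, so the not-owned-by-root finding fires for both; on a real /Applications it should fire only for apps a user copied in themselves, which are also the ones to look at first.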
When an administrative user purchases an application, they are not prompted for a system password, only an App Store password, which uses the same Apple ID used for the iTunes Store and the iOS App Store. Application updates are handled using the familiar Updates screen borrowed from the iOS App Store, which includes the nifty Update All option.
As far as controlling the user’s experience with the App Store, there are a few options. Administrators can remove the App Store application bundle (which can be put back at any time) from /Applications. Administrators can also blacklist the application using managed preferences/parental controls. A Dock item is added by default and can be removed as well. Removing both the Dock item and the application bundle will then remove the App Store menu item from the Apple menu. You can also block the hosts at apple.com, which include itunes.apple.com, ax.itunes.apple.com, ax.init.itunes.apple.com, albert.apple.com, metrics.sky.com and possibly gs.apple.com. These communicate over ports 80 and 443, according to the operation being performed. There is also a launch agent at /System/Library/LaunchAgents/com.apple.storeagent.plist that should be unloaded and likely removed if you’re going to outright disable the App Store. However, the only way I would personally disable it is using a managed preference.
There is also a property list file for the App Store that can be used to manage the application in Workgroup Manager in ~/Library/Preferences/com.apple.storeagent.plist. However, there isn’t much that can be done here at this time.
Because applications are tied to users, when a user moves computers you will want to backup and restore the applications for the user. To do so, here’s the captain obvious article for ya’: http://support.apple.com/kb/HT4482.
The App Store is not a replacement for a good patch management system. Software distribution cannot be managed centrally using the App Store and Software Update Server in Mac OS X Server does not currently cache applications from the App Store. Trying to think of a way to shoehorn the App Store into a software distribution system such as JAMF’s Casper Suite, Absolute Manage or FileWave is just asking for a world of pain, so let’s pretend that we never brought it up. If your organization isn’t able to license one of the aforementioned products, check out Star Deploy from http://www.stardeploy.com/StarDeploy/Home.html or munki from http://code.google.com/p/munki. Finally, I think that Apple’s done a great job with the App Store for a version 1 release. I think that my wife loves it and that over time if Apple chooses to do more with it then great; otherwise, all of the options we’ve been using, from the installer command on, are still at our disposal.
Apple computers and AutoCAD once worked together in a harmonious land known now as 1990. Yes, grunge was on the way in, NES was already in, big hair on the way out and architects across the land embraced and loved their Apple computers. Then, AutoCAD 13 (the unluckiest of numbers) was released and suddenly, in 1992 there was no more AutoCAD. I sadly never knew AutoCAD for the Mac in my professional life. But I’ve heard the tales, sung by Bards (some named Bard) across the land. And the tales are sweet, sung with love and heroism and everything you could want out of the marriage of two great products.
But it was not meant to be. Mortal Kombat was released that year, and I have always thought that Kano must have had something to do with it. But no matter who you play, Liu Kang eventually always wins. And so AutoDesk has at last come back to their senses and AutoCAD for the Mac is on the way after an 18 year hiatus away from the Mac. Many of those architects I know to this day still keep a Mac hidden away in reverence (or hate life and run it a virtual environment), like a religious heretic praying to their god in a land of intolerance. Now they can rejoin the Mac faithful. No more living in shame or trying to hide who you really are!
You can find out more about AutoCAD for the Mac at http://usa.autodesk.com/adsk/servlet/pc/index?id=15421056&siteID=123112
And while you’re at it, no more using crappy CAD tools for the iPhone/iPad. AutoCAD will have you covered there too: https://butterfly.autodesk.com/mobile/
It’s a love affair. Mainly between the architect and his hot rod!
According to a recent O’Reilly Radar report, the fastest growing category on the iTunes App Store is books. Some of these are full blown books at full cost. Others are $.99 or even free. This is an interesting potential source of being able to self-publish quickly on micro-topics. For example, a miniature 20 page book on how to do something very specific, sold on the App Store for $.99, might be worth the cost to certain people. Like any other app, it might even take off and be uber-popular. By the same token, as an advertising ploy a free book might take off and garner a lot of attention.
No matter how you look at it, the book market is changing, especially with regards to computer books. People don’t buy as many printed books as they used to. And to some degree why would they, when there are plenty of web sites that can teach them what they want to know. However, as I can tell you from running this site and having written some books, it’s not as simple as all that. When I sit down to write a book I try to organize everything in a manner that will teach a reader a subject. Which is completely different than blogging on 99% of the sites out there, where you might cover installation of Xsan a month after you covered how to change the name of a volume. The problem with trying to learn a subject start-to-finish that way is that you pick up bits and pieces here and there rather than being taught the subject.
Anyway, just food for thought: If you’re interested in writing and don’t know how to break into the market, looking towards the new media outlets such as selling books on iTunes isn’t a terrible way to get started.