Tiny Deathstars of Foulness

Dropping network connections can be incredibly frustrating. And finding the source can be a challenge. Over the years, I’ve found a number of troubleshooting methods, but the intermittent drop can be the worse to troubleshoot around. When this happens, I’ve occasionally resorted to scripting around failures, and dumping information into a log file to find the issue. For example, you may find that when a network connection fails, you have a very strong signal somewhere, or that you have a very weak signal on all networks.

I’ve found there are three pretty simple commands to test joining/unjoining, and using networks (beyond the standard pings or port scans on hosts). The first is the airport command, along with –disassociate. This just unjoins all networks:

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport --disassociate

The second is a quick scan. Here, I’ve grep’d out the network I’m after (aka SSIDofNetwork – a very likely wireless network name), but when looking for environmental issues, you might choose to parse this into a csv and output all networks:

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s | grep SSIDofNetwork

Finally, you can join a network. You might have to escape out special characters in a password and it’s never wise to put a password into a script, etc. But, quick and dirty, this will join that SSIDofNetwork network:

sudo networksetup -setairportnetwork en0 "SSIDofNetwork" mysecretpassword

Anyway, loop it, invoke it however you invoke it, etc. Hope this helps someone, and if you have other tricks you’ve found helpful, feel free to throw them in the ‘ole comments!

How Users Feel About Intermittent Networking Issues

August 26th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security, Network Infrastructure, Programming

Tags: , , , , , , ,

I have covered Apple Configurator in a couple of different articles already. But one question I’ve gotten a number of times is how to do automated enrollment of iOS devices into an MDM solution, such as Profile Manager. Each device that gets enrolled into Profile Manager will require a Trust Profile (installed under the Profiles tab of the MyDevices portal) and an Enrollment Profile (installed under the Devices tab of the MyDevices portal). The Trust Profile requires about 3 or 4 taps to install and the Enrollment Profile requires about the same.

The best way I’ve seen for doing automated enrollment is actually to do semi-automated enrollment. Basically, each device gets the Trust Profile deployed in a profile, likely alongside an SSID that the wireless network users will use for actual enrollment. I usually advocate a temporary network according to how complicated the standard wireless network is (e.g. if you use certificates with 802.1x then during enrollment your device won’t necessarily be a supplicant).  Apple Configurator can very easily provide a Trust Profile and the SSID. Should take about 3 minutes worth of work if you have an existing Profile Manager deployment (if you don’t, see this article).

Chances are, many will want their devices tied to a user account. For example, if you use Payload Variables at all, then you’ll need a user associated with a device at enrollment time in order to expand the Payload Variables into short names, email addresses, etc. Therefore, I would recommend deploying a web clip for the enrollment site, along with a Trust Profile and the SSID access to the enrollment network. This makes enrollment 4 taps, a username and a password. This will give users a customized ActiveSync environment, password policies, restrictions, VPN, web clips, as many SSIDs as you care to deploy, etc.

To setup an enrollment environment for users, we’ll first need to download the Trust Profile. To do so, I usually just log into the MyDevices portal of Profile Manager from the computer running Apple Configurator, by first visiting the https://<nameofserver>/MyDevices URL. Here, click on the Profiles tab.

Click on the Install button for the Trust Profile entry, which pulls the mobileconfig file from if the URL were This URL redirects to an administrative page. When the download is complete, Apple Configurator will open automatically as installing Apple Configurator changes the default application for .mobileconfig files from System Preferences to Apple Configurator. Once downloaded, close and then reopen Apple Configurator.

Once re-opened, double-click on the Trust Profile that was just installed.

The General screen shows information about the profile.

This profile can easily act as a Trust profile. But we also need the device enrolled in a wireless network that can be used to access the Profile Manager server. Click on WiFi, click Configure and add the settings for your network.

We’re also going to add a link to enroll the devices using the MyDevices portal. Click on Web Clips and then enter the name that you want the user to see in the Label field and the link to the MyDevices portal in the URL field.

Finally, we don’t want users prompted with petty SSL errors. This server doesn’t have a publicly signed certificate. Click on Credentials and note that the Trust is already added. We will also grab the certificate for the server from Keychain and click the plus sign to add another certificate. Import the one exported from the Keychain.  Then click on Save and you’ll have a good Trust Profile.

Next, we’ll need to export the Enrollment Profile as well. To do so, go to the Profile Manager portal again and click on the Enrollment Profile entry in the sidebar. Uncheck the box to restrict devices (unless you’ve imported all the devices for your environment into Profile Manager) and then click on Download and the Enrollment profile is downloaded to the client.

Quit and re-open Apple Configurator. The Enrollment Profile is now listed in the Profiles field.

Next, click on the checkbox for the Trust profile and then click on Prepare. On the iOS device you’ll then see the the enrollment process. Tap on the Install buttons until the profile is enrolled.

One would think that the device would then be able to be enrolled automatically. You can Enroll manually by logging into the My Devices portal (using the Web Clip) and clicking on the Enroll button and following the default buttons presented to users. You can also email Enrollment Profiles, text them or install them via iPhone Configuration Utility.

To also install the enrollment profile and complete the entire enrollment process, just click that other checkbox in Apple Configurator. Now, the concern in doing so would again be that you don’t know which user is associated with which device, taking Payload Variables out of the equation. Leaving the fields that you might otherwise place those into blank simply allows for user input when that part of the MDM profile is run.

April 2nd, 2012

Posted In: iPhone, Mac OS X Server

Tags: , , , , , , , , , ,