Tag Archives: mdm

iPhone

Apple Configurator 1.4.1 Now Available

About Apple Configurator 1.4.1 is now out, to complement iOS 7.0.3 and OS X 10.9 Mavericks. Configurator 1.4.1 is available from the Updates tab of the Mac App Store and requires OS X Mountain Lion or later, as well as iTunes 11.1 or later.

Per http://support.apple.com/kb/HT5995?viewlocale=en_US&locale=en_US

What’s new in Configurator 1.4.1

• Options to configure which Setup Assistant steps display during device setup
• Fixes an application quitting issue that could occur when saving a profile with invalid options
• No longer removes Mobile device management (MDM) enrollment profile from a supervised device when refreshing it
• Fixes creation of Font profiles for iOS 7
• Renames the Supervision Profile which appears on devices to Configurator Trust Certificate. For more information, see this article.

iPhone Mac OS X Mac OS X Server

Using Profile Manager 3 In Mavericks Server

Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. In OS X Mountain Lion, Apple added a number of new features to Profile Manager and revved the software to Profile Manager 2.0, most notably adding the ability to push certain types of apps to mobile devices. In Mavericks Server (Server 3), Apple provides new options and streamlines a bunch of things, most notably App Store and VPP integration. But we can talk about this stuff all day long, instead let’s just show ya’!

Preparing For Profile Manager

Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.135 and the hostname will be mlserver3.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.

sudo scutil --set HostName mavserver.pretendco.lan

Then the ComputerName:

sudo scutil --set ComputerName mavserver.pretendco.lan

And finally, the LocalHostName:

sudo scutil --set LocalHostName mdm

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.201
Current HostName = mavserver.pretendco.lan
DNS HostName = mavserver.pretendco.lan
The names match. There is nothing to change.
dirserv:success = "success"

f you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. To manage DNS, start the DNS service and configure as shown in the DNS article I did previously:

Screen Shot 2013-10-07 at 3.04.48 PMProvided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.

Profile Manager is built atop the web service, APNS and Open Directory. Next, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).

Screen Shot 2013-10-07 at 3.10.32 PMOnce the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to OS X Server page loads.

Screen Shot 2013-10-07 at 3.11.42 PM

Setting Up Profile Manager

Provided the Welcome to OS X Server page loads, click on the Profile Manager service. Here, click on the Configure button.

Screen Shot 2013-10-07 at 3.12.53 PMAt the first screen of the Configure Device Management assistant, click on Next.

Screen Shot 2013-10-07 at 3.14.39 PMAssuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen.

Screen Shot 2013-10-07 at 3.22.00 PMThen click on Next. At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.Screen Shot 2013-10-07 at 3.22.27 PMAt the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.

Screen Shot 2013-10-07 at 3.23.13 PMAt the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).

Screen Shot 2013-10-07 at 3.23.40 PMThe Open Directory master is then created. At the Organization Information screen, enter the name of the contact information for an administrator and click on the Next button.

Screen Shot 2013-10-07 at 3.23.40 PMEven if you’re tying this thing into something like Active Directory, this is going to be a necessary step. Once Open Directory is setup you will be prompted to provide an SSL Certificate.

Screen Shot 2013-10-07 at 3.26.04 PMThis can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.

Screen Shot 2013-10-07 at 3.26.42 PM

If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

Screen Shot 2013-10-07 at 3.27.39 PM

You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next.

Screen Shot 2013-10-07 at 3.39.01 PMProvided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.

Screen Shot 2013-10-07 at 3.40.05 PMWhen the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.

Screen Shot 2013-10-07 at 3.40.35 PMThe Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.

Screen Shot 2013-10-07 at 3.41.07 PMUnless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.

Screen Shot 2013-10-07 at 3.41.33 PMIf you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.

One of the upgrades in Profile Manager 2.2 is the ability to distribute objects from the App Store Volume Purchase Program through Profile Manager. To use this option, first sign up on the VPP site. Once done, you will receive a token file. Using the token file, check the box for “Distribute apps and books from the Volume Purchase Program” and then use the Choose button to select the token file.

Screen Shot 2013-10-07 at 3.43.22 PMNow that everything you need is in place, click on the ON button to start the service and wait for it to finish starting (happens pretty quickly).

Screen Shot 2013-10-07 at 3.44.27 PMOnce started, click on the Open Profile Manager link and the login page opens. Administrators can login to Profile Manager to setup profiles and manage devices.Screen Shot 2013-10-07 at 3.45.29 PMThe URL for this (for mavserver.pretendco.lan) is https://mavserver.pretendco.lan/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.Screen Shot 2013-10-07 at 3.46.12 PM

Enrolling Into Profile Manager

To enroll devices for management, use the URL https://mavserver.pretendco.lan/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.

Screen Shot 2013-10-07 at 3.48.18 PMFrom Profiles, click or tap the Enroll button. The profile is downloaded and when prompted to install the profile, click Continue.

Screen Shot 2013-10-07 at 3.50.16 PMThen click Install if installing using a certificate not already trusted.

Screen Shot 2013-10-07 at 3.50.40 PMOnce enrolled, click on the Profile in the Profiles System Preference pane to see the settings being deployed.

Screen Shot 2013-10-07 at 3.51.12 PMYou can then wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article and note that there are new options in dscl for removing all managed preferences and working with profiles in Mavericks (10.9).

If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Automating Enrollment & Random Management Tips

The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.

When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.

Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.

Device Management

Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. Click on Devices in the Profile Manager sidebar.

Screen Shot 2013-10-07 at 3.56.32 PMClick on a device in Profile Manager’s admin portal, located at https://<SERVERNAME>/profilemanager (in this case https://mavserver.pretendco.lan/profilemanager).

Screen Shot 2013-10-07 at 3.58.09 PMThe device screen is where much of the management of each device is handled.

Screen Shot 2013-10-07 at 3.58.09 PMFrom the device (or user, group, user group or device group objects), click on the Settings tab and then click on the Edit button.

Screen Shot 2013-10-07 at 4.00.22 PMHere, you can configure a number of settings on devices. There are sections for iOS specific devices, OS X specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad.

Screen Shot 2013-10-07 at 4.01.05 PMClick on Passcode, then click on Configure.

Screen Shot 2013-10-07 at 4.01.22 PMAt the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. Click OK to commit the changes.

Screen Shot 2013-10-07 at 4.01.22 PM

Once configured, click Save. At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later (screens look the same in iOS 7 pretty much).

The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can install an Enterprise App from your library or browse to it using the VPP program if the app is on the store. Before you start configuring apps, click on the Apps entry in the Profile Manager sidebar.

Screen Shot 2013-10-07 at 4.08.32 PM

At the Apps screen, use the Enterprise App entry to select an app or use the Volume Purchase Program button to open the VPP and purchase an app. Then, from the https://<SERVERNAME>/profilemanager portal, click on an object to manage (in this case it’s a group called Replicants) and click on the Apps tab.

Screen Shot 2013-10-07 at 4.03.42 PMFrom the Apps tab, click on the plus sign icon (“+”).Screen Shot 2013-10-07 at 4.04.49 PMAt the Add Apps screen, choose the app added earlier and then authenticate if needed, ultimately selecting the app. The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.

At the App Installation screen on the iPad, click on the Install button and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.

Note: If you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.

Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.

At the Wipe screen, click on the device and then click Wipe. When prompted, click on the Wipe button again, entering a passcode to be used to unlock the device if possible. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.

Screen Shot 2013-10-07 at 4.11.13 PM

Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.

Conclusion

So where are all these new features that justify a new version number? To quote Apple’s Profile Manager 2 page:

Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.

Wait, it did that before… Which isn’t to say that for the money, Profile Manager isn’t an awesome tool. Apps such as Casper MDM, AirWatch, Zenprise, MaaS360, etc all have far more options, but aren’t as easy to install and nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools you’ll ultimately end up using. One thing I can say for it is that Profile Manager is a little faster and seems much more stable (in fact, Apple has now published scalability numbers, which they have rarely done in the past). You can also implement newer features with it, including Gatekeeper and Messages.

iPhone

SimpleMDM Now With Apps

SimpleMDM has updated their Mobile Device Management solution (my original writeup is here) to now include the ability to manage apps. The apps functionality really comes in two flavors. The first is the ability to load up an app. This is handled handed by clicking on Settings in the right hand navigation bar and then at the Settings pop-over, clicking on Apps. Here, you can load up an internal, enterprise app or an App Store app.

Once you’ve loaded an app you can deploy it to devices by clicking on a group and then using the contextual menu to “Assign Apps.” Simple, as the name implies.

The second aspect of SimpleMDM is to white and blacklist apps. Doing so is done by clicking on the contextual menu and then clicking on Rules. Here, you can Allow or Disallow any app that has been loaded into the app catalog.

 

certifications iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment public speaking

Penn State MacAdmins Back for 2013

Last year, I had a great time at the Penn State MacAdmins conference. There were tons of smart people to mingle with and everyone had plenty to discuss when it came to managing the Mac. There were a lot of people from education but also plenty from companies. The talks were well run and the conference location, the Penn Stater, was awesome. I love how it’s like a big winding maze.

Having gone to school in a town like State College (Athens, GA), I’ve always had a warm spot for cute college towns. And State College is clearly a special place. I’d recommend a trip there to anyone that loves places like Ann Arbor, Norman, Stillwater, Opelika, Corvallis, Blacksburg, Madison, Manhattan (Kansas), Ithaca, Iowa City, Ames, Morgantown, Lafayette (Indiana), Lawrence, Champaign, Logan, College Station and of course, Oxford Mississippi (Ole Miss is a truly special place).

So you’re lucky then, ’cause the Penn State MacAdmins Conference is back for 2013, being held in beautiful State College, PA at Penn State University. The Conference is May 22nd through 24th with a new introductory Boot Camp being held the day before (May 21st) to prep admins for the rest of the conference. And May is one of the best times to visit a place like this. Spring is in the air, kids are getting ready to graduate, the flowers are in bloom and of course, there’s no more snow to be shoveled. A month later and the school would practically be shut down, the town a ghost town.

But in late May, college towns are electric. So don’t just stay at the Penn Stater the whole time, go explore downtown and that Nittany Lion thing – and the spot where Joe Pa’s statue used to be. Take a carriage ride, swing by the Governor’s Pub, have some red meat at Otto’s and of course, perform the underclassmen ritual of throwing up on College Ave! And yes, there’s a College Ave, as there should be. Anyway, the social element of a conference like this is great. Meet those people you tell to RTFM on the ‘ole Enterprise List, the people whose feeds you read and the people whose feeds you deleted  ’cause they talk about college football too much…

The Call for Proposals is now open, so to submit a talk, use http://macadmins.psu.edu/conference/submit-proposals.

This year, there will also be sponsors. To sponsor, see http://macadmins.psu.edu/conference/sponsorships.

Or to attend, see http://macadmins.psu.edu/conference/registration.

To sign up for the conference newsletter, see http://psu.us4.list-manage.com/subscribe?u=acd8b6acc541596a7bdf8e517&id=d37a7e26fd.

And for an example of what you are in store for:

PS – There are 12 teams in the Big 10. While at State College, make sure to remind everyone wearing blue of this fact.

Mac OS X Mac OS X Server Mass Deployment

Keynote From JAMF Nation

In case you were there and would like a copy, here’s the slides from the presentation I did this week at the JAMF Nation User Conference 2012. If you weren’t there, then perhaps they will help you in some way.

JNUC2012

The session was recorded so I’ll try and post when it becomes available for download.

iPhone

Restricting Access To Sites On iOS Devices

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. The best, in my experience, has been using a proxy.

In Apple Configurator 1.2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps.

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

The above has I am all about layered defense, though. Or if a proxy is not an option then having an alternative. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator, see the below profile.

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watch, Mobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

iPhone

Volume Purchasing Program Now Available In More Countries

The Volume Purchasing Program is a program from Apple that allows you to buy gift codes en masse for distribution to users, either by mail merging them and sending them out or using a special tool for distribution, such as Apple Configurator or an MDM solution. If you’re in the United States and work with iOS, you’ve likely been using the Volume Purchasing Program for awhile. But for users in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain and the United Kingdom, the Volume Purchasing Program is new and probably being well received.

The Volume Purchasing Program allows users to receive the codes and install/purchase software without being gifted money to do so, although in most cases the users will need Apple IDs. This is because the Volume Purchasing Program still requires codes to be redeemed, although if you’re using Apple Configurator you can deploy apps without tying them to unique AppleIDs.

Overall, the Volume Purchasing Program is a great way to be able to control and manage app expenditures, and for users in the newly added countries, will help with deployments large and small. To access the Volume Purchasing Program site, see http://www.apple.com/business/vpp. To quote Apple:

Deliver essential business apps to your employees with the Volume Purchase Program, now available in Australia, Canada, France, Italy, Germany, Japan, New Zealand, Spain, the UK, and the US. VPP makes it easy to purchase iOS apps in any quantity and distribute them to your users. You can also have custom apps built for your company’s unique needs. Search thousands of useful apps, specify any quantity, and use a corporate credit card to complete your purchase. Download the updated VPP Guide for details.

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Microsoft Exchange Server Network Infrastructure

Configuring & Using Profile Manager 2 in OS X Mountain Lion Server

Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. In OS X Mountain Lion, Apple has added a number of new features to Profile Manager, most notably the ability to push certain types of apps to mobile devices.

In this article, we’re going to look at setting up Profile Manager from scratch. If you’re upgrading to OS X Mountain Lion Server (10.8 Server) from OS X Lion Server (10.7 Server) then review this link for upgrade instructions.

Preparing For Profile Manager

Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.135 and the hostname will be mlserver3.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.

sudo scutil --set HostName mlserver3.pretendco.com

Then the ComputerName:

sudo scutil --set ComputerName mlserver3.pretendco.com

And finally, the LocalHostName:

sudo scutil --set LocalHostName mdm

Now check changeip:

sudo changeip -checkhostname

The changeip command should output something similar to the following:

Primary address = 192.168.210.135
Current HostName = mlserver3.pretendco.com
DNS HostName = mlserver3.pretendco.com
The names match. There is nothing to change.
dirserv:success = "success"

f you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. To manage DNS, start the DNS service and configure as shown in the DNS article I did previously:

 

Provided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.

Now let’s open the Server app from the Applications directory. Here, use the Next Steps drawer at the bottom and verify that the Configure Network section reads that “Your network is configured properly” as can be seen here:

Profile Manager is built atop the web service, APNS and Open Directory. Therefore, let’s close the Next Steps drawer, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).

Once the Web service is started and good, click on the View Server Web Site link at the bottom and verify that the Welcome to Lion Server page loads.

Setting Up Profile Manager

Provided the Welcome to Lion Server page loads, click on the Profile Manager service. Here, click on the Configure button.

At the first screen of the Configure Device Management assistant, click on Next.

Assuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen. Then click on Next.

At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.

At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.

At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).

The Open Directory master is then created. Even if you’re tying this thing into something like Active Directory, this is going to be a necessary step. Once Open Directory is setup you will be prompted to provide an SSL Certificate.

This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.

If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.

You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. push@krypted.com) rather than a private one (e.g. charles@krypted.com). Once you have entered a valid AppleID username and password, click Next.

Provided everything is working, you’ll then be prompted that the system meets the Profile Manager requirements. Click on the Finish button to complete the assistant.

When the assistant closes, you will be back at the Profile Manager screen in the Server application. Here, check the box for Sign Configuration Profiles.

The Code Signing Certificate screen then appears. Here, choose the certificate from the Certificate field.

Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.

If you host all of your services on the one server (Mail, Calendars, VPN, etc) then leave the box checked for Include configuration for services; otherwise uncheck it.

Now that everything you need is in place, click on the ON button to start the service and wait for it to finish starting.

Once started, click on the Open Profile Manager link and the login page will open. Adminsitrators can login to Profile Manager to setup profiles and manage devices.

The URL for this (for mlserver3.pretendco.com) is https://mlserver3.pretendco.com/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.

Enrolling Into Profile Manager

To enroll devices for management, use the URL https://mdm.pretendco.com/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.

From Profiles, you’ll need to install a Trust profile in order for the client to enroll. Tap or click on the Install button for the Trust Profile and complete the installation process.

Click back on the Devices tab. From here, click or tap on the Enroll button and complete the enrollment process on the client (following the defaults will suffice).

On the devices, you’ll then be prompted to install the profile. On iOS tap Install then Install then Done. On OS X, click Continue, then Install.

Once enrolled, you can wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article.

If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Automating Enrollment & Random Management Tips

The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.

When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.

Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.

Device Management

Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. In this case, it’s an iPad. We’re going to click on the device in Profile Manager’s admin portal, located at https://<SERVERNAME>/profilemanager (in this case https://mdm.pretendco.com/profilemanager).

From the device (or user, group, user group or device group objects), click on the Profile tab and then click on the Edit button.

Here, you can configure a number of settings on devices. There are sections for iOS specific devices, OS X specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad. Click on Passcode, then click on Configure.

At the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. Click OK to commit the changes. Once configured, click Save.

At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later.

The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can copy the app from your library or browse to it at the location it is in later.

Then, from the https://<SERVERNAME>/profilemanager portal, click on an object to manage (in this case it’s a group called Demo) and click on the Apps tab.

From the Apps tab, click on the cog wheel icon and then click on Edit Apps.

At the Add Apps screen, click on upload and then browse to the app we found earlier.

The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.

At the App Installation screen on the iPad, click on the Install button and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.

This brings up an interesting limitation of how Profile Manager interacts with the App Store. It kinda’ doesn’t. If I were pushing apps to elementary school iPads in a 1:1 I could either use Apple Configurator (if I wanted to burn up a VPP code per student per year) or I could use iTunes (if I wanted a labor intensive process of restoring an iPad per computer rather than a parallel process). But either way, I’m gonna’ stay away from Profile Manager for apps.

So if you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.

Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.

At the Wipe screen, click on the device and then click on the Wipe button again. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.

Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.

Conclusion

So where are all these new features that justify a new version number? To quote Apple’s Profile Manager 2 page:

Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.

Wait, it did that before… Which isn’t to say that for the money, Profile Manager isn’t an awesome tool. Apps such as Casper MDM, AirWatch, Zenprise, etc all have far more options, but aren’t as easy to install and nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools you’ll ultimately end up using. One thing I can say for it is that Profile Manager is a little faster and seems much more stable (in fact, Apple has now published scalability numbers, which they have rarely done in the past). You can also implement newer features with it, including Gatekeeper and Messages.

iPhone Mass Deployment

Using Apple Configurator To Automate Casper MDM Enrollment

Enrolling iPads into the JAMF Casper MDM solution is done through Apple Configurator, messages or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper MDM when they are set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll start there:

Obtain the Certificate for the JSS Server

To obtain the trust certificate from the JSS Server:

  1. Open the web interface for the JSS.
  2. When prompted to trust the certificate, click on the disclosure triangle and then the checkbox to trust the cert, providing the administrative credentials when prompted.
  3. Open Keychain Utility.
  4. Click in the search field.
  5. Search for JSS.
  6. Control-click on the name of your server’s “Built-in Certificate Authority” entry.
  7. Choose the option to Export.
  8. When prompted, provide a name for the certificate in the Save As fiel.
  9. Choose a location to save the certificate to using the Where field.
  10. The .cer format is sufficient for our purposes.
  11. Click Save.

Download the Enrollment Profile

To download an enrollment profile from Casper MDM:

  1. Log into the web interface of the JSS.
  2. Click on the link for Mobile Device Enrollment
  3. At the Mobile Device Enrollment Invitations screen, click on the Enrollment Profiles tab.
  4. At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one)
  5. Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
  6. Click on Cancel.
  7. Click on the downloads link in Safari.
  8. Click on the magnifying glass icon to see the .mobileconfig file.

You have now downloaded the .mobileconfig file that will enroll devices into Casper MDM.

Add the Profile To Apple Configurator:

To deploy the profile through Apple Configurator:

  1. Open Apple Configurator on the client computer.
  2. Click on Prepare in the row of icons along the top of the screen.
  3. Drag the profile (by default currently called MDM-iOS5.mobileconfig) from the Finder into the list of Profiles.
  4. The profile then appears in Apple Configurator (in this example, called MDM-iOS5).

Deploy The Casper MDM Enrollment Profile Through Apple Configurator

Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:

  1. Set the name to be blank, numbering should be disabled, Supervision should be off, iOS should be set to No Change, “Erase before installing” should be unchecked, Don’t Restore Backup should be set in the Restore field.
  2. Check the box for the newly added profile (MDM-iOS5 in this example).
  3. Click on the Prepare button.
  4. At the “Are you sure you want to apply these settings to all USB-connected devices?” screen, click on the Apply button.
  5. The subsequent screen shows when devices are being configured. Here, dock the device to receive the profile (note, all docked iOS devices are going to be configured with this profile).
  6. Once the device is connected, the profile will begin to install. You are then prompted to “Tap device to install profile”.
  7. On the device, tap on the Install button.
  8. At the Warning screen, tap Install.
  9. Once the Profile is installed, tap Done.
  10. You have now been enrolled.

If you then wish to unenroll, simply remove the profiles by tapping on profiles and then tapping on the Remove button. Per the MDM API, a user can elect to remove their device from management at any point, so expect this will happen occasionally, even if only by accident.

iPhone

Free Hosted Mobile Device Management for iOS

SimpleMDM is a newish Mobile Device Management service that is free, from MJVLabs, the makers of Presense. Now, it’s newish and currently completely free, so there are specific cases where it’s appropriate. Currently, SimpleMDM can be used to:

  • Setup very specific mail
  • Setup SSIDs and passwords (those are the only two options)
  • Disable the App Store or require a password to access the app store
  • Configure Basic, Strong or Very Secure password requirements
  • Restrict content
  • Disable Camera &/or FaceTime
  • Disable Safari
  • Disable iCloud
  • Disable YouTube
  • Disable Multiplayer Gaming

The solution is simple to use. Just visit the website at simplemdm.com, click on Create New Account, enter your information and click the link in the email they send you. Then log in. Once logged in, the layout is very basic and workflow oriented.

Each block indicates a group of devices. By default, there’s a Default Group (similar to Everyone in Profile Manager environments) and a Quarantine Group. Click on Add Group to bring up a screen that allows you to configure most of the policies for the group.

Here, provide a name for the group and then configure the displayed options required by your organization. Click Save to save the changes. Then click on Settings in the right-hand sidebar and then click on Email Providers. Here, enter the information for your mail server, provided all required options are available.

Once you are satisfied with your mail settings, click Save (note, that accounts will be prompted for account/password at the time the profile is installed). You can also click Wireless Networks here, which has an option for SSID and Password.

Now, one thing that I find interesting about SimpleMDM is that it has the option to set a minimum version of iOS as well as block apps. To configure these options, click on the disclosure triangle to the right of a group name and click on Rules.

At the Rules screen, set the “Minimum required version of iOS” and choose whether to allow or deny apps, checking those you wish to allow or deny as needed.

I like to configure all my settings and then enroll devices. To enroll, click on the Add Device button in the right-hand sidebar.

Click on which group to add a device to, provide a name for the device that will be referenced within SimpleMDM and choose whether to text or email the enrollment profile to the user. If SMS, enter the users phone number. If Email, enter the email address and then click on the Create button.

When the user taps the profile they will be able to enroll in the SimpleMDM service.

Some things you will need a different MDM solution to do:

  • Anything that involves certificates (other than telling mail to use one, but not provide it)
  • Anything about 802.1x
  • Any pushing out of applications
  • Pushing out webclips
  • VPN, LDAP (for Contacts), Calendar (CalDAV), Contacts (CardDAV), SCEP
  • OS X management
  • APN configuration
  • Disable Siri
  • Customize In-App purchasing
  • Disable screen capture
  • Manage Photo Stream
  • Disable Popups, cookies, javascript and force the fraud warning in Safari
  • Set ratings region
  • Manage diagnostic data
  • Configure profiles to be non-removable
  • Use a web portal for enrollment from devices rather than through email/sms

Now, none of these things are anything against SimpleMDM. Features make things more complicated and it’s simple. I think more features will come. For now, if you just need these basic options then why bother with your own infrastructure. If there’s just one more thing you think you might need, make a feature request and see if it gets added. Either way, it’s cool to see what I consider the next step in the evolution of MDM, a free tool. I’d also like to see a self-serviceable open source option as well eventually, of which I know of a few projects in the works but none ready to mention. Either way, excellent first try and kudos to the developers of SimpleMDM.