krypted.com

Tiny Deathstars of Foulness

Apple has defined some best practices to be taken when using Profiles. Obviously these don’t cover every situation, but they cover all but edge cases and lay out a pretty good description of why you should do the things we’ve mostly figured out to do by trial and error thus far. Great job to the OS X Server documentation team! https://help.apple.com/profilemanager/mac/5.1.5/#/apdE3493-C50A-4E9E-A1B6-CBCBC8C73507

Screen Shot 2016-08-01 at 8.23.04 AM

August 2nd, 2016

Posted In: Mac OS X Server

Tags: , , , ,

May 6th, 2016

Posted In: Mac OS X, Mac OS X Server

Tags: , , , , , , ,

Creating a classroom is a pretty straight forward process in Profile Manager. To do so, open the Profile Manager web interface and click on Classes in the sidebar. For your first class, click Add Class (for future ones, click the plus sign (+).

Screen Shot 2016-04-14 at 9.39.39 PM

At the New Class screen, click into New Class in the title bar and provide a name for the class. Optionally, provide a description, as well. Click on the Save button to save the class.

Screen Shot 2016-04-14 at 9.40.04 PM

Then click on the Instructors tab and use the plus sign towards the bottom of the screen and then choose the user or group you’d like to add as the Instructor for the class. Click on the Students tab to add a user or group as a student.

Screen Shot 2016-04-14 at 9.40.17 PM

Next, click on the Devices tab and then click on the plus sign (+) at the bottom of the screen. Here, click on Add Device Groups to add a group of devices.

Screen Shot 2016-04-14 at 9.41.27 PM

Additionally, check the box for Shared if the iPads will be shared iPads.

Screen Shot 2016-04-14 at 9.41.18 PM

Click OK once you’ve added the appropriate Device Group, and then click on the Save button to save the class setting.

April 15th, 2016

Posted In: Mac OS X, Mac OS X Server, Mac Security

Tags: , , , , ,

I’ve written a number of articles on automating MDM enrollments using Apple Configurator in the past. In Apple Configurator 2, there are some new options that make the process much easier than it’s ever been in the past. To get started, let’s open Apple Configurator 2 and click on a Blueprint we’d like to apply to devices being prepared during a mass iPad or iPhone enrollment through Apple Configurator. Control-click on the Blueprint to set up for automated enrollment and click on the Prepare button.

Screen Shot 2015-11-03 at 11.18.02 PM

At the Organization screen, select the organization you’d like to enroll your device in and click on the Next button.

Screen Shot 2015-11-03 at 6.32.56 PM

At the Server screen, select to enroll in an MDM server.

Screen Shot 2015-11-03 at 6.33.00 PM

At the Define an MDM Server screen, type the name of a server and click Next.

Screen Shot 2015-11-03 at 11.17.22 PM

The server is then located and provided the Apple Configurator 2 system can communicate with the server, you’ll get a choice of the MDM service to enroll into. Select the certificate and click Next.

Screen Shot 2015-11-03 at 11.17.27 PM

At the Supervise Devices screen, select whether you’d like to supervise devices enrolled using Apple Configurator 2. Click Next.

Screen Shot 2015-11-03 at 11.17.32 PM

At the Configure iOS Setup Assistant screen, choose whether to skip some screens during the initial configuration of the device and click on Prepare.

Screen Shot 2015-11-03 at 11.17.38 PM

Now, during the preparation in Apple Configurator, you’ll be able to enroll iOS devices into Profile Manager (or another MDM) en masse.

Additionally, the traditional method of enrollment (Configurator 1) still works. Here, you’d download a trust profile, done using the name in the upper right corner of the Profile Manager interface and then choosing Download Trust Profile.

Screen Shot 2015-11-03 at 11.06.17 PM

You’ll also need the Enrollment Profile, accessed using the plus sign (+) in the lower left corner of the screen and choosing Enrollment Profile.

Screen Shot 2015-11-03 at 11.06.27 PM

The two are then added to the Profiles of a blueprint in Apple Configurator 2. You can also use the Settings for a device group to set placeholders for devices so they’re automatically assigned to a group during mass enrollments like this.

Screen Shot 2015-11-03 at 11.07.09 PM

 

Overall the options in Apple Configurator 2 with Profile Manager or another MDM are way easier to use than in previous versions. I think a lot of new administrators will be able to easily get used to this workflow. Enjoy!

 

 

November 4th, 2015

Posted In: Apple Configurator, iPhone, Mac OS X Server, Mass Deployment

Tags: , , , , , , , , , ,

The latest and greatest of the Enterprise Mac Admin’s Guide is now available for Pre-Order at http://www.amazon.com/Enterprise-Mac-Administrators-Guide-Second/dp/1484217055/ref=sr_1_1?s=books&ie=UTF8&qid=1445529968. This is an interesting update. If you happened to see the previous edition, I’d described more about Casper than most of the other third party products on the market.

Screen Shot 2015-10-22 at 11.06.21 AM

In this edition, there’s still an equal amount of information on Casper, but now there’s also more information on FileWave, and a whole chapter on the open source toolchain of products, including Munki and AutoPKG. The main reason I decided to update this title was actually the change from focusing on directory services (which still has plenty of page count) to focusing on profile management.

The most substantial update to the book was Bill Smith though. Bringing him in as a co-author provided a lot of new insight, new content, and a good bit of cleaned up text. He’s been great to work with!

This was a pretty big update, so hope you enjoy!

 

 

October 22nd, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , ,

Yosemite brought Xsan 4, which included a whole new way to add clients to an Xsan. Xsan Admin is gone. From now on, instead of scanning the network using Xsan Admin. we’ll be adding clients using a Configuration Profile. This is actually a much more similar process to adding Xsan clients to a StorNext environment than it is to adding clients to Metadata Controllers running Xsan 3 and below. But instead of making a fsnameservers file, we’re plugging that information into a profile, which will do that work on the client on our behalf. To make the Xsan configuration profile, we’re going to use Profile Manager. With OS X Server 5, this trend continues.

To get started, open the Profile Manager web interface and click on a device or device group (note, these are scoped to systems so cannot be used with users and user groups). Then click on the Settings tab for the object you’re configuring Xsan for.

Screen Shot 2015-09-25 at 9.21.10 PM

Click Edit for the profile listed (Settings for <objectname>) and scroll down until you see the entry for Xsan.

Screen Shot 2015-09-25 at 9.21.57 PM

From the Xsan screen, click Configure.

Screen Shot 2015-09-25 at 9.22.58 PM

This next screen should look a little similar, in terms of the information you’ve plugged into the Xsan 4 setup screen. Simply enter the name of the Xsan in the Xsan Name field, the IP address or host names of your metadata controllers in the File System Name Servers field and the Authentication Secret from the Xsan screen in the Server app into the Authentication Secret field. Click OK to close the dialog.

Screen Shot 2015-09-25 at 9.23.30 PM

Click Save to save your changes. Then you’ll see the Download button become clickable.

The profile will download to your ~/Downloads directory as Settings_for_<OBJECTNAME>.mobileconfig. So this was called test and will result in a name of Settings_for_test.mobileconfig. That profile will automatically attempt to install. If this is an MDC where you’re just using Profile Manager to bake a quick profile, or if you don’t actually want to install the profile yet, click Cancel.

Screen Shot 2015-09-25 at 9.24.10 PM

If you haven’t worked with profiles that much, note that when you click Show Profile, it will show you what is in the profile and what the profile can do.

Screen Shot 2015-09-25 at 9.24.18 PM

Simply open this file on each client (once you test it of course) and once installed, they’ll automatically configure to join your Xsan. If you don’t have a Profile Manager server, you can customize this file for your environment (YMMV): Settings_for_test.mobileconfig

October 12th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment, Xsan

Tags: , , , , , , ,

In order to use the Apple Volume Purchase Program, you will need an MDM solution (Profile Manager, Casper, MobileIron, Meraki, FileWave, etc). Also, token options were traditionally for one to one (1:1) environments until iOS 9, which marked a change where you can now leverage per-device licensing. This removes the requirement that you need an Apple ID running on each device that you choose to install apps on. Suddenly, VPP is for multi-tenant environments. You can also use codes and options for iOS 7 and up as well as OS X 10.9 and up, but those will use Apple IDs. Also, if you install your vpptoken on OS X Server and you’re running that same vpptoken elsewhere, OS X Server will take all of the codes that have been issued for itself (feature or bug, you decide).

But this article isn’t about the fine print details of the new VPP. Instead, this article is about making Profile Manager work with your new VPP token. Before you get started, know that when you install your vpptoken, if it’s in use by another MDM, Profile Manager will unlicensed all apps with your other MDM. To get started, log into your VPP account. Once logged in, click on your account email address and then select Account Summary.

vpp1

Then, click on the Download Token link and your token will be downloaded to your ~/Downloads (or wherever you download stuff).

vpp2

Once you have your token, open the Server app and click on the Profile Manager service.

ProfileManager

Click on the checkbox for Distribute apps and books from the Volume Purchase Program.

VPP

At the VPP Managed Distribution screen, drag the .vpptoken file downloaded earlier into the screen.

token

Click Continue. The VPP code email address will appear in the screen. Click Done.

Back at the profile manager screen, you should then see that the checkbox is filled and you can now setup Profile Manager.

The rest of the configuration of Profile Manager is covered in a previous article.

Note: The account used to configure the VPP information is not tracked in any serveradmin settings.

September 27th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

Troubleshooting push notification communications between OS X Server and Apple’s Push Notification can be a challenge. Especially with Profile Manager. One great tip I’ve learned over the years is that the APNS daemon, apsd, has a debug mode. To enable APNS debug logging, run these commands:

defaults write /Library/Preferences/com.apple.apsd APSLogLevel -int 7
defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool TRUE
killall apsd

Then use tail -f to watch the apsd.log file at /Library/Logs/apsd.log. Be wary, as this can fill up your system. So to disable, use these commands:

defaults write /Library/Preferences/com.apple.apsd APSWriteLogs -bool FALSE
defaults delete /Library/Preferences/com.apple.apsd APSLogLevel
killall apsd

May 18th, 2015

Posted In: Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , ,

Thanks to all the awesome work from Adam and Tanya Engst, Tidbits announced today that my Take Control of OS X Server is now available! To quote some of the Tidbits writeup:

Some projects turn out to be harder than expected, and while Charles Edge’s “Take Control of OS X Server” was one of them, we’re extremely pleased to announce that the full 235-page book is now available in PDF, EPUB, and Mobipocket versions to help anyone in a home or small office environment looking to get started with Apple’s OS X Server.

As you’ll likely remember, we published this book chapter by chapter for TidBITS members, finishing it in early September (see “‘Take Control of OS X Server’ Streaming in TidBITS,” 12 May 2014). Doing so got the information out more quickly, broke up the writing and editing effort, and elicited reader comments that helped us refine the text.

Normally, we would have moved right into final editing and published the book quickly, but from mid-September on, our attention has been focused on OS X 10.10 Yosemite, iOS 8, and our new Take Control Crash Course series. We were working non-stop, and while we wanted to release “Take Control of OS X Server,” we felt it was more important to finish the books about Apple’s new operating systems for the thousands of people who rely on Take Control for technical assistance.

During that time, we had the entire book copyedited by Caroline Rose, who’s best known for writing and editing Inside Macintosh Volumes I through III at Apple and being the editor in chief at NeXT. Plus, we went over the book carefully to ensure that it used consistent terminology and examples, optimized the outline, and improved many of the screenshots.

The main problem with this delay was that Apple has now updated OS X Server from version 3.2.2 (Mavericks Server, which is what we used when writing the book) to 4.0 (Yosemite Server, which is all that works in Yosemite). Updating the book for Yosemite Server would delay it even longer. Luckily for us, veteran system administrators say that you should never upgrade OS X Server on a production machine right away. And even luckier, the changes in Yosemite Server turn out to be extremely minor (a sidebar in the Introduction outlines them), so those who want to get started now can use the instructions in the book with no problem. It’s also still possible to buy Mavericks Server and install it on a Mac running Mavericks, as long as you have the right Mac App Store link from the book. We are planning to update the book for Yosemite Server (which mostly involves retaking screenshots and changing the “mavserver” name used in examples) in early 2015 — it will be a free update for all purchasers.

Screen Shot 2014-11-24 at 7.59.44 PM

You can find out more about the book at http://www.takecontrolbooks.com/osx-server. An update will be due out in early 2015, so stay tuned for more!

November 24th, 2014

Posted In: Articles and Books, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , ,

Apple began rolling out new features with the new Volume Purchasing Program (VPP) program last year. There are lots of good things to know, here. First, the old way should still work. You’re not loosing the stuff you already invested in such as Configurator with those codes you might have used last year with supervision. However, you will need an MDM solution (Profile Manager, Casper, Absolute, FileWave, etc) to use the new tools. Also, the new token options are for one to one (1:1) environments. This isn’t for multi-tenant environments. You can only use these codes and options for iOS 7 and OS X 10.9 and 10.10. Also, if you install your vpptoken on Yosemite Server and you’re running that same vpptoken elsewhere, Yosemite Server will take all of the codes that have been issued for itself (feature or bug, you decide).

But this article isn’t about the fine print details of the new VPP. Instead, this article is about making Profile Manager work with your new VPP token. Before you get started, know that when you install your vpptoken, if it’s in use by another MDM, Profile Manager will unlicensed all apps with your other MDM. To get started, log into your VPP account. Once logged in, click on your account email address and then select Account Summary.

vpp1

Then, click on the Download Token link and your token will be downloaded to your ~/Downloads (or wherever you download stuff).

vpp2

Once you have your token, open the Server app and click on the Profile Manager service.

vpp3

Click on the checkbox for Distribute apps and books from the Volume Purchase Program.

vpp4

At the VPP Managed Distribution screen, drag the .vpptoken file downloaded earlier into the screen.

Click Continue. The VPP code email address will appear in the screen. Click Done.

vpp5

Back at the profile manager screen, you should then see that the checkbox is filled and you can now setup Profile Manager.

vpp6

The rest of the configuration of Profile Manager is covered in a previous article.

Note: The account used to configure the VPP information is not tracked in any serveradmin settings.

October 17th, 2014

Posted In: iPhone, Mac OS X, Mac OS X Server, Mac Security, Mass Deployment

Tags: , , , , , , , , , , , ,

Next Page »