Tag Archives: SMB

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Microsoft Exchange Server Network Infrastructure Ubuntu Unix VMware

Quick nmap Hacks

The nmap application is a pretty easy-to-use tool that can be used to port scan objects in a network environment. To obtain mmap in an easy-to-use package installer, for OS X check out the download page at http://nmap.org/download.html#macosx (use the same page to grab it for Windows or *nix as well). Once downloaded run the package/rpm/whatever.

Before I scan a system, I like to pull the routing table and eth info to determine how scans are being run, which can be run by using the mmap command anong with the —iflist option:

nmap —iflist

Basic Scanning
To then scan a computer, just use the mmap command followed by the host name or even throw a -v option in there to see more information (you can use a hostname or an IP):

nmap -v www.apple.com

Use the -6 option if scanning via IPv6:

nmap -v -6 8a33:1a2c::83::1a

Can drop the -v for less info on these, but I usually like more than less. Shows ports, states, services (for the ports) and a MAC address for each IP being scanned.

You can also scan a range of IPs. I usually take the lazy way for this, by using a wildcard. I can replace an octet to scan all objects in that octet. For example, to scan all systems running on the 192.168.210 class B:

nmap 192.168.210.*

You can scan a subnet, which can cover more or less than one octet worth of IPs, by including the net mask:

nmap 192.168.210.0/24

You can also just list a range, which is much easier in some cases, using the —exclude option to remove an address that will be angry if port scanned:

nmap 192.168.210.1-100 —exclude 192.168.210.25

Or to do a few hosts within that range:

nmap 192.168.210.1,10,254

Of you can even use the following to read in a list of addresses and subnets where each is on its own line:

nmap -iL ~/nmaplist.txt

By default, mmap is scanning all ports. However, if you know what you’re looking for, scans can be processed much faster if you constrain it to a port or range of ports. Use the -p option to identify a port and then T: for only TCP or U: for only UDP, or neither to do both. Additionally, you can scan a range of ports or separate ports using the same syntax used for identifying multiple hosts. For example, here we’ll scan 53, 80, 110, 443 and 143:

nmap -p 53,80,110,143,443

DO OS detection using the -A option:

nmap -A www.apple.com

For true remote OS detection, use -O with —osscan-guess:

mmap -v -O —osscan-guess mail.krypted.com

We can also output to a text file, using the -o option (or of course > filename but -o is more elegant here unless you’re parsing elsewhere in the line):

mmap -v -o ~/Desktop/nmapresults.txt -O —osscan-guess mail.krypted.com

Firewalls
Next, we’ll look at trying to bypass pesky annoyances like stageful packet inspection on firewalls. First, check whether there is actually a firewall using -s:

nmap -sA www.apple.com

Scan even if the host is protected by a firewall:

nmap -PN www.apple.com

Just check to see if some devices are up even if behind a firewall:

nmap -sP 192.168.210.10-20

Run a scan using Syn and ACK scans, run mmap along with the either -PS or -PA options (shown respectively):

nmap -PS 443 www.apple.com
nmap -PA 443 www.apple.com

Try to determine why ports are in a specific state:

nmap —reason www.apple.com

Show all sent/recvd packets:

nmap —packet-trace www.apple.com

Try to read the header of remote ports to determine a version number of the software:

nmap -sV www.apple.com

Security Scanning
Next, we can look at actually using nmap to test the attacking waters a little bit. First, we’ll try and spoof another MAC address, using the —spoof-mac options. We’ll use the 0 position after that option to indicate that we’re randomly generating a Mac, although we could use a real MAC in place of the 0:

nmap -v -sT —spoof-mac 0 www.apple.com

Next, let’s try to add a decoy, which allows us to spoof some IPs and use that as decoys so our target doesn’t suspect our IP as one that’s actually scanning them (note that our IP we’re testing from is 192.168.210.210):

nmap -n -192.168.210.1,192.168.210.10,192.168.210.210,192.168.210.254

Then, send some crazy packets (not an official term like magic packets, just my own term for throwing a curve ball at things and testing for the viability of syn-flood or Xmas packet attacking):

nmap -sX www.apple.com

Configure a custom mtu:

nmap —mtu 64 www.apple.com

Fragment your packets:

nmap -f www.apple.com

Note: None of Apple’s servers were damaged in the writing of this article. I did a find/replace at the end, when I realized I didn’t want all of you hitting www.krypted.com.

Windows Server Windows XP

Net Stats & Windows Server

Windows Server tracks the sessions that have been authenticated into the system, those that have been timed out, those that have errored, kb sent/received, response time, errors, permission problems, password problems, files opened, print job spooling and buffers quickly and easily. Simply use the net command we’ve all been using for 20 years, followed by stats or statistics:

net statistics

When prompted choose server or workstation. In this case, we’ll use Server.

net statistics Server

Here’s the output from a new server:

Screen Shot 2013-12-01 at 11.21.50 PM

And if you’re trying to troubleshoot client/server communications, keep in mind that you can look at much of this on the workstation side as well, but from the client perspective:

net statistics Workstation

Screen Shot 2013-12-01 at 11.23.34 PM

Mac OS X

AFP IS NOT GONE!!!

Sorry for shouting. I keep hearing people mention that they can’t upgrade to OS X Mavericks, or Mavericks Server because they need AFP. Well, the change that came in Mavericks isn’t that AFP was deprecated. Maybe it doesn’t get to call shotgun any more when running out to the car, but it’s still there.

The sharing output, which shows afp:

List of Share Points
name: Charles Edge’s Public Folder
path: /Users/krypted/Public
afp: {
name: Charles Edge’s Public Folder
shared: 1
guest access: 1
inherit perms: 0
}

The Connect to Server over afp:

Screen Shot 2013-10-24 at 11.06.42 AM

SMB is now the default protocol. Therefore, if you open a Connect to Server dialog and don’t prefix the string with afp:// then you will automagically connect over smb. Either way, we can clearly see more development is going into SMB than afp. However, afp isn’t dead yet. Sure, badly burned, shot in the arm, broken leg, etc.

Uncategorized

Configure A Mavericks File Server

File Services are perhaps the most important aspect of any server because file servers are often the first server an organization purchases. There are a number of protocols built into OS X Mavericks Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined comprise the File Sharing service in OS X Mavericks Server (Server 3).

File servers have shares. In OS X Mavericks Server we refer to these as Share Points. By default:

  • File Sharing has some built-in Share Points that not all environments will require.
  • Each of these shares is also served by AFP and SMB, something else you might not want (many purely Mac environments might not even need SMB). Or if you have iOS devices, you may only require WebDAV sharing.
  • Each share has permissions that Apple provides which will work for some but not all.

In short, the default configuration probably isn’t going to work for everyone. Therefore, before we do anything else, let’s edit the shares to make them secure. The first step is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server.

Screen Shot 2013-10-05 at 9.33.49 PMIn our example configuration we’re going to disable the built-in share. To do so, click on Groups one time and then click on the minus button on the screen.

Screen Shot 2013-10-05 at 9.34.51 PMAs mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share.

Screen Shot 2013-10-05 at 9.37.14 PMWhen you’ve disabled SMB, click on the Done button to save the changes to the server. Next, we’re going to create a new share for iPads to be able to put their work, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first we’re going to create a directory for the share to live in on the computer, in this case in the /Shared Items/iPads directory. Then from the File Sharing pane in Server app, click on the plus sign (“+”).

Screen Shot 2013-10-05 at 9.38.49 PMAt the browse dialog, browse to the location of your iPad directory and then click on the Choose button.

Screen Shot 2013-10-05 at 9.39.23 PMAt the File Sharing pane, double-click on the new iPads share.

Screen Shot 2013-10-05 at 9.40.06 PMAt the screen for the iPads share, feel free to edit the name of the share (how it appears to users) as it by default uses the name of the directory for the name of the share. Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should be able to have permission to access the share. Also, change the groups in the list that should have access by double-clicking on the name of the group and providing a new group name or clicking on the plus sign to add a user or group.

Screen Shot 2013-10-05 at 9.40.47 PM

The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option as if there is no ACE (Access Control Entry) for the object then No Access is assumed.

If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions.

Screen Shot 2013-10-05 at 9.42.06 PMAs can be seen, there are a number of other options that more granularly allow you to control permissions to files and directories in this view. If you make a share a home folder, you can use that share to store a home folder for a user account provided the server uses Open Directory. Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service.

Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service.

Screen Shot 2013-10-05 at 9.46.18 PMTo connect to a share, use the Connect to Server dialog, available by clicking Connect to Server in the Go menu. A change in Mavericks is that when you enter an address, the client connects over SMB. If you’d like to connect over AFP, enter afp:// in front of the address and then click Connect.

The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. To create a share point for AFP you can use the following command:

sharing -a <path> -A <share name>

So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command:

sharing -a /Shares/Public -A PUBLIC

Now, the -a here will create the share for AFP but what if you want to create a share for other protocols? Well, -F does FTP and -S does SMB. Once created you can disable the share using the following command:

sharing -r PUBLIC

To then get a listing of shares you can use the following command:

sharing -l

You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service:

sudo serveradmin settings sharing

Sharing settings include the following:

sharing:sharePointList:_array_id:/Users/admin/Public:smbName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:nfsExportRecord = _empty_array
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:isIndexingEnabled = no
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_group_id = "35DF29D6-D5F3-4F16-8F20-B50BCDFD8743"
sharing:sharePointList:_array_id:/Users/admin/Public:mountedOnPath = "/"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeNative\:sharepoint_account_uuid = "51BC33DC-1362-489E-8989-93286B77BD4C"
sharing:sharePointList:_array_id:/Users/admin/Public:path = "/Users/admin/Public"
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbIsGuestAccessEnabled = yes
sharing:sharePointList:_array_id:/Users/admin/Public:afpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:dsAttrTypeStandard\:GeneratedUID = "4646E019-352D-40D5-B62C-8A82AAE39762"
sharing:sharePointList:_array_id:/Users/admin/Public:smbDirectoryMask = "755"
sharing:sharePointList:_array_id:/Users/admin/Public:afpIsShared = yes
sharing:sharePointList:_array_id:/Users/admin/Public:smbCreateMask = "644"
sharing:sharePointList:_array_id:/Users/admin/Public:ftpName = "administrator's Public Folder"
sharing:sharePointList:_array_id:/Users/admin/Public:name = "administrator's Public Folder"

To see settings for the services use the serveradmin command with the settings option followed by the services: afp and smb:

sudo serveradmin settings afp

AFP settings include:

afp:maxConnections = -1
afp:kerberosPrincipal = "afpserver/LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E@LKDC:SHA1.978EED40F79A72F4309A272E6586CF0A3B8C062E"
afp:fullServerMode = yes
afp:allowSendMessage = yes
afp:maxGuests = -1
afp:activityLog = yes

To see a run-down of some of the options for afp, see this article I did previously. Additionally, for a run-down of smb options, see this one.

Mac OS X Server Mac Security Mass Deployment

Logs, Scripts and OS X Mountain Lion Server

OS X Mountain Lion has a lot of scripts used for enabling services, setting states, changing hostnames and the like. Once upon a time there was a script for OS X Server called server setup. It was a beautiful but too simplistic kind of script. Today, much of that logic has been moved out into more granular scripts, kept in /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup, used by the server to perform all kinds of tasks. These scripts are, like a lot of other things in Mountain Lion Server. Some of these include the configuration of amavisd, docecot and alerts. These scripts can also be used for migrating services and data, such as /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/30-ipfwmigrator. Sometimes the scripts are in bash, sometimes ruby, sometimes perl and other times even python.

Additionally, there’s a directory /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/ that is full of scripts for migrating services in OS X Server, helpful for even services that have been seemingly deprecated.

One of the things that can can be useful about the scripts scattered throughout the Server app is to learn how the developers of OS X Server intend for certain tasks to occur. One such example is /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/loggather.sh, used to grab logs. Here, you can learn the locations of certain logs as well as rudimentary stackshot commands. This is where I started calling stackshot before I did Server installs (or during), using the following command, which creates a custom text file containing :

/usr/libexec/stackshot -i -f /Library/Logs/ServerSetup_StackShot_KRYPTED.txt

This is also where I learned that I can tail /tmp/SetupLogs.tgz during some installs to be able to watch what’s going on during the installation process:

tail -f /tmp/SetupLogs.tgz

Looking At Each Service

This is also where I learned that Apple had put an Open Directory backup script in /Applications/Server.app/Contents/ServerRoot/usr/libexec/server_backup/opendirectorybackup (that still requires a password). But what I haven’t seen in all of these logs is bumping up the logging level for services before performing tasks, so that you can see a verbose output of what’s going on. To do this, it looks like we’re going service-by-service. So let’s look alphabetically, starting with Address Book:

sudo serveradmin settings addressbook:DefaultLogLevel = "warn"

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings addressbook:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings addressbook:ErrorLogFile=error.log

You can change either by changing what comes after the = sign.

Next is afp. This service logs output to two places. The first is with errors to the service, using /Library/Logs/AppleFileService/AppleFileServiceError.log, the path designated in the following:

sudo serveradmin settings afp:errorLogPath = "/Library/Logs/AppleFileService/AppleFileServiceError.log"

The second location logs activities (open file, delete file, etc) rather than errors and is /Library/Logs/AppleFileService/AppleFileServiceAccess.log, defined using:

sudo serveradmin settings afp:activityLogPath = "/Library/Logs/AppleFileService/AppleFileServiceAccess.log"

The activity log is disabled by default and enabled using the command:

sudo serveradmin settings afp:activityLog = yes

The events that trigger log entries are in the afp:loggingAttributes array and are all enabled by default. There are no further controls for the verbosity of the afp logs.

The next service is calendar. Similar to address book, the caldav server uses DefaultLogLevel to set how much data gets placed into logs:

sudo serveradmin settings calendar:DefaultLogLevel = "warn"

This by defualt logs to /var/log/caldavd/error.log, which is built based on the following, which sets the base:

sudo serveradmin settings calendar:LogRoot=/var/log/caldavd

And the following, which sets the file name in that directory:

sudo serveradmin settings calendar:ErrorLogFile=error.log

You can changing either by changing what comes after the = sign.

Profile Manager is called devicemgr in the serveradmin interface and I’ve found no way to augment the logging levels. Nor does its migration script ( /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/MigrationExtras/80-devicemgrmigration.sh ) point to any increased logging during migration.

The dirserv (aka Open Directory) uses the slapconfig back-end, so I use slapconfig to increase logging:

sudo slapconfig -enableslapdlog

The DNS service uses named.conf, located in /etc to set log levels and has no serveradmin settings for doing so. Here, use the logging section and look for both the file setting (by default /Library/Logs/named.log) for where the log is stored as well as the severity setting, which can set the logging levels higher or lower.

By default Messages, or iChat Server, logs a lot. See the following for what is logged:

sudo serveradmin settings jabber:logLevel = "ALL"

Adding the -D option to the LaunchDaemon that invokes jabber will increase the logs. Logging long-term is handled in each of the xml files that make up the features of jabber. See the Logconfiguration section of the c2s file via:

cat /Applications/Server.app/Contents/ServerRoot/private/etc/jabberd/c2s.xml

The mail service has a number of options for logging, much of which has to do with the fact that it’s a patchy solution made up of postfix, etc. To see the virus database logging levels (which should usually be set to warn):

sudo serveradmin settings mail:postfix:virus_db_log_level

To see the spamassassin logging levels:

sudo serveradmin settings mail:postfix:spam_log_level

To see the actual postfix logging level:

sudo serveradmin settings mail:postfix:log_level

To enable timestamps on logs:

sudo serveradmin settings mail:imap:logtimestamps = yes

To set the dovecot logging:

sudo serveradmin settings mail:imap:log_level = "warn"

To set increased logging per function that dovecot performs, see the config files in /Applications/Server.app/Contents/ServerRoot/private/etc/dovecot/default/conf.d, each of which has a logging section to do so.

The NetBoot service is simple to configure logging for, simply set the netboot:logging_level to HIGH (by default it’s MEDIUM):

sudo serveradmin settings netboot:logging_level = "HIGH"

The Postgres service uses a log directory, configured with postgres:log_directory:

sudo serveradmin settings postgres:log_directory = "/Library/Logs/PostgreSQL"

The /private/etc/raddb/radiusd.conf has a section (log {}) dedicated to configuring how the radius service logs output.

The san service (Xsan) logs output per volume to both the System Log and volume-based log files, stored in /Library/Preferences/Xsan/data.

The smb service has a file /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist
with a key for log level that can be used for more verbose output of the service.

The PPTP VPN service logs output to the file specified in vpn:Servers, configured with these:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:LogFile = "/var/log/ppp/vpnd.log"
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:LogFile = "/var/log/ppp/vpnd.log"

By default, verbose logging is enabled, which you can see with:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging
sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging

The last service is web (Apache). The default access logs are per-site, with a key called customLogPath existing for each. The defaultSite uses the following for its logs:

sudo serveradmin settings web:defaultSite:customLogPath

Swap out the defaultSite with another site to see its log paths. There’s also a key for errorLogPath that shows errors. These are per-site so that administrators can provide access to logs for the owners of each site and not fear them having access to logs for other users. Global error logs are stored in /private/var/log/apache2/error_log as defined in /private/etc/apache2/httpd.conf. Find LogLevel in this file and set it to configure how in depth the logs will be, using debug for the most verbose and info, notice, warn, error, crit, alert, and emerg to get incrementally less information.

Additionally the log formats can be set in /private/etc/apache2/httpd.conf, allowing administrators to configure Mountain Lion Server’s built-in web service to conform to the standards of most modern web log analyzers.

Conclusion

Overall, there’s a lot of information in these logs and administrators can spend as much time reviewing logs as they want. But other than standard system logs, the output is typically configured on a service-by-service basis. Some services offer a lot of options and others offering only a few. Some services also offer options within the serveradmin environment while others use their traditional locations in their configuration files. I’ll end this with a warning. There can also be a lot of output in these logs. Therefore, if you set the logging facilities high, make sure to keep a watchful eye on the capacity of the location you’re writing logs out to. The reason I looked at paths to logs where applicable was because you might want to consider redirecting logs to an external volume when debugging so as not to fill up a boot volume and cause even more problems than what you’re likely parsing through logs looking to fix…

Mac OS X Server Windows Server

Disable ACLs for SMB

I had a pretty strange issue recently with how QuickBooks works with Samba. The fix was to disable ACLs for SMB. While this seems like a silly issue for silly software, it’s worth noting the fix. Before doing so, it’s worth mentioning that

defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool NO

If yore having saving issues from QuickBooks and this doesn’t fix your issue I’d immediately switch back:

sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.smb.server AclsEnabled -bool YES

Mac OS X Mac OS X Server Mac Security Mass Deployment Windows Server

Limiting The Number of Windows Users in Lion Server (aka How-to of hidden serveradmin settings)

Lion Server doesn’t have an option in the GUI for throttling the maximum number of users that can connect to the server via SMB. Nor does it have said option in the  serveradmin interface. If you run the following, you would have previously seen the required setting:

serveradmin settings smb

The required setting (if controlled via serveradmin) is MaxClients= followed by the number of clients that you want to be the max:

serveradmin settings smb:MaxClients=10

This is pretty easy stuff, but I have a point that goes beyond limiting the number of users. Not all of the settings that can be run through serveradmin are actually in the preferences any more. You can add more. Not that all of the ones from the developer documentation for the old smb code are still around, but a lot are. Another that a lot of people would want to use is to set the SMB Workgroup name in Lion Server:

serveradmin settings smb:Workgroup=SMBLOWS

You can also disable guest access by setting AllowGuestAccess to FALSE:

serveradmin settings smb:AllowGuestAccess=FALSE

Now, just because the option isn’t obvious doesn’t mean the server hasn’t already got a preconfigured setting. Running the AllowGuestAccess as follows will actually just show you that it defaults to on and most options, when specifically invoked, should provide the setting if it still exists:

serveradmin settings smb:AllowGuestAccess

Overall, there’s a lot you can do with a number of services. The options for many of these used to be a little easier to find, if you to see what some option from 10.6 allowed you to do that isn’t in the GUI in Lion or subsequent OSes that you miss, just look to the serveradmin command, make the change and see what preference changed. Who knows, that option might be available in Lion, even if it wasn’t available in the GUI…

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure Xsan

Video ON Setting Up File Sharing Services In Lion Server

iPhone Mac OS X Mac OS X Server Mac Security Mass Deployment

Managing iOS Devices with Apple Configurator

My traditional interpretation of Apple’s vision on how iOS devices are used is that everyone has an AppleID. That AppleID enables them to access their apps from any iOS device they own or Mac that they own. That AppleID enables them to access mail, contacts, calendars and even files through iCloud. That AppleID also allows users to remotely wipe their device through Find iPhone and track their friends iOS devices (as in social networking via breadcrumb tracking) through Find Friends. All of this “Just Works” in a consumer sense. And it even allows for a little sharing of content across devices you own. However, larger organizations need more. They need centralized management, content distribution and most other things you find that you rely on traditional desktop computers for.

Over the years, Apple has added tools for centralized control of devices. This started with ActiveSync compatibility and early forms of Mobile Device Management and has grown into a pretty robust, albeit disconnected, set of tools. Of these, Apple Configurator is the latest. Apple Configurator was released about a week ago and since, I’ve been trying to figure where it fits into the solutions architecture that surrounds iOS integrations. There are a number of other tools already available that can aid in the deployment and management of iOS devices, and Configurator is a great addition.

To me, there are 3 classes of management tools for iOS. These were roughly broken up into Over the Air (OTA), cradled (USB) and content management. Apple Configurator ends up fitting into all of these scenarios in some way. Let’s start by looking at the traditional uses of these three and then look at how they are impacted by Apple Configurator.

Mobile Device Management

Over the Air tools, such as Profile Manager, allow for Mobile Device Management (MDM) without cradling, or syncing a devices. These tools allow you to configure policies via profiles. There is also a bit of App pushing built into most MDM solutions. Apple’s Profile Manager can push applications written in-house, but no content from the App Store. 3rd party solutions, such as JAMF’s Casper Suite, Absolute Manage MDM, AirWatch and about 15 others are able to push apps from the App Store as well, leveraging the Volume Purchasing Program (VPP) to issue apps to devices. However, when an app is pushed through one of these tools, the app becomes associated with the AppleID for the user who owns the device.

Note: While we use the term push, the user has to accept all App installations on the device.

For large environments, MDM is a must as it allows for centralized command and control. Pushing apps is one aspect of such control. Policies enforceable through MDM include disabling cameras, configuring passcode policies on devices (not pushing passcodes), disabling YouTube, silencing Siri, unstreaming photos, disabling iCloud Backup, forcing encrypted backups, disabling location services, controlling certificates, blocking pop-ups, controlling cookies, disabling access to the iTunes and App Stores,  and controlling what kind of media can be accessed on devices.

Additionally, MDM can be used to push SSIDs for wireless networks (and their passwords/802.1x configuration information), setup mail, setup Exchange ActiveSync, configure VPN connections, configure access shared calendars (iCal shared files, CalDAV and Exchange), configure access to shared contacts (LDAP, CardDAV, Exchange and Exchange Global Address Lists), deploy Web Clips and manage certificates (either with cert files or via SCEP). In short, whether you’re using the practically free Profile Manager from Apple, Mobile Iron, Casper, AirWatch, FileWave or one of the many other tools, there are a lot of things that MDM can configure on devices.

Reporting can also play a major role in how MDM tools are used. iOS Apps are owned by AppleIDs, not devices. MDM does not manage AppleIDs, but you can trigger fields in MDM databases to report back unauthorized AppleIDs being used. Reporting can also identify when devices join non-approved wireless networks (which cannot be blocked through MDM), identify devices that have been jailbroken (a major security concern for many organizations) and report on device use.

Because devices can fall outside of our control, MDM also plays an important role in being able to wipe and lock devices. While some of these types of features are available via Exchange, not all people use ActiveSync. Users and administrators alike can wipe, lock and de-enroll devices at will, potentially crippling what any device with an Enrollment Profile can do.

There are really 3 kinds of MDM tools: those that can push apps, those that can’t and Apple’s Profile Manager. The reason I put Profile Manager into its own class, is that it can push some kinds of apps, it’s cheap ($49.99 one time as opposed to per device per month or per device per year billing) and it’s great for some things. But Profile Manager should be used in very specific environments unless the price is the only decision making factor behind a tool. In larger environments, choosing a MDM solution is one of the most important aspects of managing mobile devices and the iOS platform is no different in that manner than other mobile platforms.

MDM has some limitations, though. A good MDM solution can manage the infrastructure side of device configuration. However, content requires a completely separate tool. Additonally, MDM is a completely opt-in experience. If a user wants, they can remove their device from the MDM solution at any time. Rather than a limitation, think about the opt-in experience this way: if a user removes themselves from MDM then all content that was given to them via MDM is then taken away, except that which they have moved to the local device. Therefore, if an administrator pushes an Exchange configuration then all content from that Exchange profile is forbidden fruit, removed alongside the de-enrollment.

MDM also works with Lion. Policies, centralized management, etc can be integrated with Lion. You can’t do app distribution per se, but you can push out a policy to change where the dock is on the screen, add a printer to a Mac and configure a login hook through a Profile Manager-based policy. Many of the MDM providers have begun adding functionality to their tools to allow for Mac management as well as iOS and I would expect that to become the standard in years to come. iOS is a single-user device and OS X is a multi-user device, which completes that paradigm, but Apple has made it no secret that policy-based management for Mac OS X is moving to the realm MDM (even if that is enforced through a traditional lens of directory services based policy-based management).

Content Management

One of the unique aspects of the iOS platform is that it doesn’t have a file system that is exposed to users. There’s no /Volumes, no C: drive and no home folders. The devices don’t log into a server, because there’s no way to interpret a server connection. The file system that is exposed to iOS devices is through the lens of each application. Sandbox is a technology that limits each application’s access in terms of memory, hard drive, etc. Each application can only communicate with resources outside of itself if there is an API to do so, APIs mostly reserved for Apple (e.g. photos, contacts, etc). Therefore, when you discuss content management from the perspective of building a large iOS solution, you’re talking about apps.

The apps used for content management come in a few flavors. There are those that allow you to edit content and then there are those that allow you to read content. One way to look at this is through Safari. Sharepoint, WebDAV and various document management portals allow users to access data through the Safari browser on an iOS device. Safari will let you view various file types. But to edit the data, you would need to send it to an app, or copy it to the clipboard and access it in an app. Pages is an example of an app that can browse a file tree via WebDAV and edit content. However, planning how each type of file is accessed and what type of editing can be done on each file type or what type of resources need to be accessible can be difficult (e.g. there are a number of transitions in Keynote presentations that do not work in iOS).

Cradling Devices

Then there’s iTunes. iTunes allows you to backup and restore devices, update devices, etc. iTunes allows you to drop content into each application. If you look into the ~/Library/Mobile Documents, you can drop content, edit default documents and other tasks that can be done through a command line, then perform a cradled sync to an app. If networking is built into an app then you don’t have to plug a device into a computer. If an app can leverage iCloud, SMB or AFP then you can access data over the air. If you are trying to replace computers with iOS devices (a la post-PC) then you would need to plan each business task that needs to be performed and make sure not only that there is an app for that (or an app you build for that) but also make sure that you can round trip data from a shared repository and back to the network storage that the data resides on.

You can also access many of the benefits of MDM without having an OTA element. This can be done with iPhone Configuration Utility. iPhone Configuration Utility can configure the same policies available through Profile Manager but relies on either a cradled or email/web server/manual way of getting policies onto devices and updating. MDM automates this, but iPhone Configuration Utility is free and can be used as well. Additionally, profiles can be exported from Profile Manager and installed in the email/web server/manual way that iPhone Configuration Utility profiles are installed.

This is all probably starting to seem terribly complicated. Let’s simplify it:

  • OTA policies and custom app deployment: MDM
  • OTA content distribution: Apps
  • Cradled policies and custom app deployment: iPhone Configuration Utility (free)
  • Cradled content and app distribution: iTunes (free)
  • OTA App distribution: AppleID/iCloud
  • Backup and restore: iCloud or iTunes

Basically, there’s a few holes here. First, AppleIDs cannot be centrally managed. Second, you need to use gift cards or the Volume Purchasing Program (VPP) to distribute apps, and Third, even when you push an app to an AppleID, the app follows the AppleID to their next organization (which causes many organizations to treat apps like consumables). Fourth, synchronizing content is done primarily through iTunes, which only syncs a device at a time, making preparation of large numbers of systems terribly complicated.

Apple Configurator

Enter Apple Configurator, a free tool on the Mac App Store. This tool basically fixes all of the problems that we reference, but does so over USB. This means that Apple Configurator is not necessarily a replacement for MDM. In fact, you can deploy Trust and Entrollment profiles for MDM and automate the MDM enrollment for a device through Configurator. Instead, Apple Configurator is a tool that can either Prepare or Supervise an iOS deployment and do so in a manner that is easy enough that you don’t need a firm background in IT to manage devices on a day-to-day basis.

Here is what Apple Configurator can do:

  • Update iOS devices to the latest version of iOS.
  • Rename devices using a numbered scheme (e.g. iPad 1, iPad 2, etc).
  • Erase (wipe) iOS devices.
  • Backup and Restore iOS devices.
  • Deploy profiles/policies (e.g. no Siri for you, disable cameras, setup wireless, etc) to iOS devices.
  • Export profiles.
  • Activate devices (after all a restore of a freshly activated device is an activation).
  • Push any kind of app to devices.
  • Track Volume Purchase Program (VPP) codes used on devices.
  • Revoke VPP codes used on “Supervised” devices (more on supervision later).
  • Assign users from directory services to devices.
  • Load non-DRM’d content to apps on devices.
  • Can work with up to 30 devices simultaneously (think big USB hubs or carts on wheels here).

Apple Configurator has some caveats:

  • Paid apps need to use VPP codes to DRM apps. These VPP codes are purchased through a centralized program for an entire organization. To enter the VPP, you need to be a business with a DUNS number or an educational institution. You also basically need to be in the United States.
  • Free apps can be deployed but the AppleID is in the IPA, meaning that to do an OTA update through App Store requires entering the password for the Apple ID the app was purchased with.
  • In order to push apps through Apple Configurator, the system running Configurator needs access to Apple’s servers and Apple Configurator needs an AppleID associated with it that is not the VPP facilitator if you are leveraging any paid apps.
  • You can use Apple Configurator “off-line” or without an AppleID to Prepare devices with Profiles, just not to
  • If you push Trust and Enrollment profiles to automatically join Profile Manager (or another MDM vendor) the device isn’t associated with a user unless the MDM has been prepped to designate each UDID or Serial Number to a given user.
  • Apple Configurator doesn’t work with Video or Music due to different DRM limitations.
  • If you accidentally plug in your iPhone to a machine you’re using Apple Configurator on it and you’ve chosen to Erase in the application, then it will wipe your phone along with the 30 iPads you’re wiping. It’s awesome and scary like that (yes, I’ve accidentally wiped my phone).

I see a number of uses for Apple Configurator. Some of these use cases include:

  • Company and education labs: manage devices end-to-end (no MDM, iTunes iPhone Configuration Utility or other tools needed), managed by the lab manager.
  • One-to-One environments (schools): Manage the distribution of infrastructure settings (mail, wireless networks, etc) for devices as well as Trust Profiles to make it faster to enroll in MDM environments and Web Clips to manage the links for enrollment.
  • Device distribution: Pre-load applications (that can’t be updated unless they’re cradled again), renaming, profiles, activation, iOS software updates, etc.
  • Backup and Restore only stations where you don’t interfere with later iTunes use.

These can enhance practically every environment I’ve worked with. But unless it’s a small environment (e.g. the labs), Apple Configurator isn’t a replacement for the tools already in use in most cases. Instead, it just makes things better. Overall, Apple Configurator is a welcome addition to the bat belt that we all have for iOS management and deployment. Now that we’ve looked at the when/where of using it, let’s look at the how.

There are two ways to use Apple Configurator. The first is to Prepare Devices. You would use this mode when you’re going to perform the initial setup and configuration of devices but not when the devices won’t be checking back into the computer running Apple Configurator routinely. Preparation settings do not persist. And while applications can be pushed through Preparation, updates for those applications will be tied to the AppleID that purchased the app.

The second is Supervise.  Supervising devices is an option when preparing and allows you to have persistent changes to devices, to layer new settings the next time devices are plugged in, to add applications and the most intriguing aspect of iOS management here is reallocating VPP codes to new devices when a user or device is retired. Supervising devices also allows for assigning a given user to a device and thus pushing data into an application.

Setting Up Apple Configurator

Apple Configurator is installed through the Mac App Store. When installed, you are presented with three options. The first (going from left to right) is to Prepare Devices.

Apple Configurator

Apple Configurator

Before we get started, we’re going to add our AppleID. The computer running Apple Configurator needs to be able to connect to the App Store and it needs to have an AppleID associated with it if you’re going to use VPP codes. So let’s set that up before moving on. To do so, from Apple Configurator, click on the Apple Configurator menu and click on Preferences… From the Preferences menu, click on Set for the Apple ID and provide an AppleID (not the VPP Program Facilitator).

Configuring AppleIDs with Apple Configurator

Configuring AppleIDs with Apple Configurator

Then, when prompted, provide the credentials for your AppleID. If you have any problems with this, try Authorizing the computer in iTunes, if you can’t do one it stands to reason you can’t do the other and it’s either an invalid AppleID or that the computer cannot communicate with Apple’s servers (ports, DNS, Internet connectivity, etc might be the issue).

Configuring AppleIDs with Apple Configurator

Configuring AppleIDs with Apple Configurator

Also, let’s configure the Lock Screen settings, which is what’s displayed to users when you’re supervising devices. If you have user pictures in Open Directory, this will show each user’s photo at the lock screen (we will discuss device supervision later).

Configuring Lock Screen Settings In Apple Configurator

Configuring Lock Screen Settings In Apple Configurator

Using Apple Configurator to Prepare Devices

In this example, we’re going to prepare some devices for deployment. Before we do anything, we’re going to do a backup of the iOS device to use for testing. To do so, simply click Prepare Devices to bring up the main Apple Configurator screen and then click in the Restore field.

Apple Configurator's Prepare Devices Screen

At the Restore menu, click Back Up…

Then choose the device to backup and click on Create Backup… to bring up the screen to select where to save your backup to (by default it should be your Documents but you can save them anywhere, like /iOSBackups). Click Save to make the first backup.

Saving Backups in Apple Configurator

Saving Backups in Apple Configurator

Notice how fast that went (assuming you didn’t load it up with 10 Gigs of crap)? The reason is that we’re not backing up iOS, just the data. This will become a little more obvious the first time we go to restore a device. In the meantime, if you look at your target directory, you’ll see a file with the name you provided followed by .iosdevicebackup. If you aren’t supervising you would need to delete these from the filesystem to remove them from the menu of available backups. If you are supervising then you’ll have a menu to manage the backups. You can also use the Other option in the selection menu to browse to another location and select another backup (e.g. you’re pulling them from other machines, etc.

Now that we have a backup, let’s do some stuff to the device. Let’s join the wireless network, change the wallpaper, create some contacts, make some notes and in general do some of those things that you might do on a base image of a computer, aside from of course configuring local admin (it’s not a multi-user device), installing anti-virus (to date, AV companies for iOS are snake oil salesmen) and other things you might not do. But as with imaging, if you can do something in Profile Manager or Apple Configurator, let’s reserve doing it there. In fact, I would probably try to set everything in Profile Manager or your MDM provider that you can (if you have one) and use Apple Configurator for as little as possible. That goes with imaging as well, do as much in directory services/managed preferences/profiles as you can and keep the image as simple as possible…

Anyway, once you have the device as you want it, make another backup. This is akin to baking an image with DeployStudio or System Image Utility. We can’t asr them out yet, but we’re in a much better place than we were.

Once you have a good backup, let’s leverage Apple Configurator to tell the device erase, update to the latest version of iOS, restore our image, join the SSID of our enrollment network (let’s consider this similar to a supplicant network in 802.1x). Then, let’s add a profile that will throw a Web Clip to our MDM solution and even add a Trust Profile to cut down on the number of taps to enroll (and the confusion of tap here, tap there, etc). From the Prepare screen in Apple Configurator, click on Settings and type the naming convention for your devices (in this case we’re going to call them krypted 1 and up) in the Name field. Then check the box for Number sequentially starting at 1 so it’s going to name them from 1 to 1,000,000 (which is how many iPads my krypted company is going to end up writing off at the testing rate I’m on now). Leave Supervision set to OFF (we’ll look at that later) and set the iOS field to Latest. Then, check the box for Erase all contents and settings and choose your image from the Restore menu.

Preparing Devices in Apple Configurator

Preparing Devices in Apple Configurator

Now for something that users of iPhone Configuration Utility, Profile Manager and Casper MDM will find familiar, click on the plus sign in the Profiles field and select Create New Profile. Here, we see what is the standard policy sheet (apologies to HIG if that’s not what those are officially called but I’ve not been able to find the right term) and give it a name in the Name field. This is how it will appear in the Profiles section of Apple Configurator. Because you can deploy multiple profiles, I’m just going to configure the SSID and Web Clip and call it MDM Enrollment. Optionally, give it some notes, organization name, etc.

Naming Your Profile in Apple Configurator

Naming Your Profile in Apple Configurator

Click on Wi-Fi and then click on the Configure button. Here, enter the SSID of the deployment network (MDMEnroll in this example). We’ll use the Hidden Network field to indicate the SSID is suppressed and we’ll use the network type of WEP and throw the password into the Password field as well. Now, before we move on, notice that there’s a plus and minus sign in the top right of the screen? You can deploy multiple of each, so if you have 10 wireless networks, 4 Email accounts, 9 VPN connections, 29 SSL Certs etc, you could deploy them all easily with multiple entries of each.

Adding Wireless Networks with Apple Configurator

Adding Wireless Networks with Apple Configurator

Scroll down in the sidebar a little and then click on Web Clips. Click on the Configure button. The Label is how the web clip’s name will appear on the device. We’re going to enter Enroll Here. In the URL field, provide the URL for your MDM server (e.g. When using a Profile Manager server called mdm.krypted.com the URL would be https://mdm.krypted.com/MyDevices). Not to get off topic, but did anyone else notice that Profile Manager in 10.7.3 now requires SSL certs? Anyway, you’ll also choose whether the web clip should be Removable (I think it should if it’s to enroll) and optionally choose an Icon. We’ll skip that (if we were using a 3rd party tool, I’d throw their logo in here; otherwise I usually like to use the company logo. I also like enrollment links to be Full Screen.

Go ahead and click Save and you’ll see MDM Enrollment listed in the Settings. If you notice, you can also click on the profile and then click on the export menu to export the profile or under the plus sign (“+”) you can Import Profile…, which is how we’ll bring in our Trust Profile from Profile Manager. From Profile Manager we already downloaded the Trust Profile. Now we’re going to click on Import Profile… and browse to it on the desktop, clicking on Trust profile.mobileconfig (or whatever name yours may have). Click Open.

Importing a Trust Profile Into Apple Configurator

Importing a Trust Profile Into Apple Configurator

We could go a step further and actually enroll the device by exporting the enrollment profile as well, but again, I want each user to provide their username and password so I as an administrator don’t have to go through and attach each device to a user in this scenario. I’ve been looking at importing devices and associating them with users via postgres, but that’s going to be another 3am article, on another night…

Next, check the box for each profile and click on Apps. This is where things start getting kinda’ cool. For this you’re going to need some app ipas. Each app in iTunes is stored as an .ipa file. We’re going to look at two different kinds of apps. The first is a free one and the second is a paid for app, both we’ll pull from iTunes. To do so, open iTunes and click on an app (iBooks in our example) and click on Show in Finder.

Show Apps in iTunes

Show Apps in iTunes

Note: Not all app .ipas are called the same thing as the filename. If you Show in Finder from the contextual menu of an app in iTunes it will automatically highlight the correct app in the Finder when it opens a Finder screen.

From the Finder you can either copy the app to the machine running Apple Configurator or if you’re using iTunes on that machine, you can go ahead and drag it to the Apple Configurator apps list. We’re also going to add an App that we used a purchase code from the VPP store to buy. You’ll get an error when you drag the paid app in (or browse to it if you so choose) that indicates the app is paid and in order to deploy it you’ll need to use VPP codes. Once added, you’ll notice it has an error indicator and the number 0 beside it.

Install Apps in Apple Configurator

Install Apps in Apple Configurator

Click on the numerical indicator beside the app name and you’ll be able to import redemption codes. These are emailed to you when you buy apps through the Volume Purchasing Program. BTW, no drag and drop in this screen, use the Important Redemption Codes button to browse to the XLS files.

Adding VPP Codes in Apple Configurator

Adding VPP Codes in Apple Configurator

Once the codes are imported, you’re ready to configure a device.
App Indicator Counts

App Indicator Counts In Apple Configurator

When you import an application, you are creating a file with a GUID in /Users/admin/Library/Application Support/com.apple.configurator/Resources. These files represent applications that have been prepared for distribution. When importing, it will take as long as it takes to copy from the source to that directory. The entry in that directory is roughly the same size as the app. Therefore, you likely don’t want to copy every app you have in there, just the ones you plan to distribute.
Now for the dangerous part. Make sure you don’t have any devices plugged into the computer. I love to start with a device at the activation screen. That thing requires so many taps I jump at any 0 touch deploy type of options I can get my hands on to skip it (not that you’re going to get 0 touch if you have profiles). The reason we want to make sure there aren’t any devices plugged in is that they’ll be wiped if they are… Provided there aren’t any, click on the Prepare button and any devices plugged in wills tart configuring immediately. The application count will go down for VPP apps as each device is configured. It can do 30 in parallel.
Imaging Devices in Apple Configurator

Imaging Devices in Apple Configurator

You’ll see a green checkmark when each device is done. When you’re ready to stop configuring devices, click on Stop. The only other way to do any in parallel is through Xcode Organizer’s restore feature, but that was never very stable for this type of purpose and this is a much more object oriented approach to device imaging. The caveat for these apps is that the password for the AppleID is needed to update them, so this is not a means to deploy paid apps to BYOD or self-managed types of devices (IMHO). Also, the iOS version for devices is downloaded at this point from Apple. If you notice that the first time each type of device is imaged that it takes awhile, this is why. The second time this step is skipped (another reason we need Internet access on our Apple Configurator computer). These are located in /Users/admin/Library/Application Support/com.apple.configurator/IPSWs and if you need to run a beta version of iOS you can do so by dropping their ipsw versions in here manually, but I haven’t gotten device supervision to work when doing so.

Using Apple Configurator to Supervise Devices

Now, supervising devices may seem more complicated, but it isn’t. Back at the Prepare screen, we set Supervision to OFF. Change the iOS field to No Change. Now, let’s turn it ON. When you do so, the iOS field automatically switches to Latest. This means that supervision is going to require updates (which is fine in my book as updates have yet to break a single app for me). Get all the same settings the same as they were previously.

Supervising Devices in Apple Configurator

Supervising Devices in Apple Configurator

Once you enable Supervision, click on Prepare in Apple Configurator and connect a device again. The device will then be imaged as with the same settings that you’ve given it from before. However, once it’s done, you’ll be able to click on the Supervise tab and see devices (Note: You supervise devices rather than users).

Device Supervision in Apple Configurator

Device Supervision in Apple Configurator

The subsequent Starts and Stops will now allow you to enable and disable profiles and apps on the fly, as well as restore backups, update devices and as you can see in this screen, reclaim those valuable VPP codes!

Do a Get Info on a device and you’ll also see a bevy of information about that device.

Get Info on Devices in Apple Configurator

Get Info on Devices in Apple Configurator

You can also click on Assign, once you’ve enabled Supervision. Assigning devices requires directory services. When you click on Assign, click on the plus sign (“+”) to add the first user. Type the first few letters of the users name and they should appear in the list. Click on them and they’ll be added. You can then use the right panel to assign content to the apps that you assign to that user’s devices.

Pushing Content in Apple Configuration Utility

Pushing Content in Apple Configuration Utility

Once added, the user will by default have no device. To assign a device to a user, use the Check Out box at the bottom of the screen and then match the users with the devices you want them to have.

Checking Devices Out To Users

Checking Devices Out To Users

The final piece of this application is to assign content to users. As I mentioned earlier in this article, the file system of an iOS device is through the lens of the applications that the device has installed. Therefore, we’ll be associating files to applications. DRMd content is not distributed through Apple Configurator. So iBooks, etc, aren’t applicable. The various third party applications can open and therefore host file types that they support, as with iTunes. From the Assign pane of Apple Configurator, click on a user and then click on the plus sign (“+”) to add documents. At the Choose A Target Application screen, choose the application you’ll be loading content into.

Choosing An App For Content

Choosing An App For Content

When you click Choose, you’ll then be able to select files to use with that application.

Selecting Content

Selecting Content

Then just dock the iOS device, sync and viola you’ve got content distribution over USB all handled. You can also add groups of devices and groups of users and distribute content to groups of users rather than to one at a time.

Conclusion

Apple Configurator is really a great tool when used in the right scenarios. In learning how it works and interacts I actually learned a lot about both iOS and Mac OS X that I didn’t know before. I hope I did the tool justice with how easy it is to use. This is a fairly long article and it’s probably more complicated than it needs to be in parts, but that’s more my method of trying to figure out what it’s doing than the tool being complicated. It’s not hard to figure out at all. I am sure I could teach any non-technical iOS admin to use it in less than an hour.

My wish list includes logs and OTA. You can’t use iPhone Configuration Utility while you’re using Apple Configurator and therefore, you can’s see up-to-the second logs about things like key bags to figure out why this isn’t working or that. This makes it kinda’ difficult to figure out why a profile doesn’t get installed with an image if you’re not using an AppleID with the tool or other weird little things like that. I’d love to see a little more logging. Obviously, if you could run this thing Over the Air then it would be nerd nirvana. I guess the OTA isn’t as much as wish list for this tool, but features that could be imported into Profile Manager and other tools.

One of the more important aspects is the impact on AppleID use and app ownership. I started this off by saying “My traditional interpretation of Apple’s vision on how iOS devices are used is that everyone has an AppleID.” Well, when using this tool an AppleID is no longer necessary for app deployment.

Overall, we have a new, powerful tool in our arsenal that makes up the iOS administration ecosystem. I hope that I’ve managed to dispel a few rumors with this article and look at some great uses for where this tool should and should not be used. I also hope that no matter what, if you manage iOS devices, that you’ll take a look at it. I expect you’ll find it useful in some part of your management toolkit!