Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for macOS based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. Profile Manager has seen a few more updates over the years, primarily in integrating new MDM options provided by Apple and keeping up with the rapidly changing MDM landscape. Apple has added DEP functionality, content distribution, VPP, and other features over the years. In macOS Server 5.4, there are plenty of new options, including the ability to deploy VPP…
-
-
Use Startup Profiles In macOS Sierra
There is a nifty feature available in the profiles command in Sierra (which dates back to Mavericks), where you can configure profiles to install at the next boot, rather than immediately. Useful in a number of scenarios. Use the -s to define a startup profile and take note that if it fails, the profile will attempt to install at each subsequent reboot until installed. To use the command, simply add a -s then the -F for the profile and the -f to automatically confirm, as follows (and I like to throw in a -v usually for good measure): profiles -s -F /Profiles/SuperAwesome.mobileconfig -f -v And that’s it. Nice and easy…
-
Use The Profiles Command In Sierra
You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in Sierra. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start it up automatically.…
-
Configure Xsan Clients In Server 5.2
Yosemite brought Xsan 4, which included a whole new way to add clients to an Xsan. Xsan Admin is gone, as of El Capitan, but unchanged from then to macOS Sierra (other than a couple of binaries moving around). These days, instead of scanning the network using Xsan Admin. we’ll be adding clients using a Configuration Profile. This is actually a much more similar process to adding Xsan clients to a StorNext environment than it is to adding clients to Metadata Controllers running Xsan 3 and below. But instead of making a fsnameservers file, we’re plugging that information into a profile, which will do that work on the client on our behalf.…
-
Profile Payload Best Practices
Apple has defined some best practices to be taken when using Profiles. Obviously these don’t cover every situation, but they cover all but edge cases and lay out a pretty good description of why you should do the things we’ve mostly figured out to do by trial and error thus far. Great job to the OS X Server documentation team! https://help.apple.com/profilemanager/mac/5.1.5/#/apdE3493-C50A-4E9E-A1B6-CBCBC8C73507
-
Programmatically Extract Saved Wi-Fi Passwords In OS X
Previously, I covered how to Programmatically Obtain Recent Wi-Fi Networks On A Mac. But, here I’m gonna’ go a step further and look at how to extract the password for a network as well. The two are stored in different locations. The recent networks are in the /Library/Preferences/SystemConfiguration/com.apple.airport.preferences defaults domain. If you pull one of those, then you can use the security command to extract the password itself. security find-generic-password -ga "Krypted Home" The output is as follows, showing everything that is tracked about this network in the keychain. keychain: "/Library/Keychains/System.keychain" class: "genp" attributes: 0x00000007 <blob>="Krypted Home" 0x00000008 <blob>=<NULL> "acct"<blob>="Krypted Home" "cdat"<timedate>=0x32303135313230373135313731375A00 "20151207151717Z\000" "crtr"<uint32>=<NULL> "cusi"<sint32>=<NULL> "desc"<blob>="AirPort network password" "gena"<blob>=<NULL> "icmt"<blob>=<NULL> "invi"<sint32>=<NULL> "mdat"<timedate>=0x32303135313230373135313731375A00 "20151207151717Z\000"…
-
Add Profiles To Blueprints In Apple Configurator 2
One of the tasks you’ll need to perform in Apple Configurator 2, is to assign Profiles to iOS devices in order to set them up with features or restrict the device from using certain features. I cover creating a profile here. To get started applying a profile to a device, bring up the Blueprints screen. Choose a Blueprint and right-click on it. Choose Profiles… Browse to the profile and then click on Add Profile. The profile is then applied to any devices that the Blueprint is applied to. For more on Blueprints, view this article.
-
Apple Configurator 2 Guide
Apple Configurator 2 is a great new evolution in iOS initial and configuration management. And there are lots of great options. And to help you wrap your head around all this new fun stuff, I’ve written up a quick and dirty guide for using Apple Configurator 2. It’s not completely done, but it will be shortly. Hope this help someone. Enjoy!
-
Using Apple Configurator 2 Blueprints to Manage iOS Devices
Blueprints are a new option in Apple Configurator 2. Blueprints allow you setup a template of settings, options, apps, and restore data, and then apply those Blueprints on iOS devices. For example, if you have 1,000 iOS devices, you can create a Blueprint with a restore item, an enrollment profile, a default wallpaper, skip all of the activation steps, install 4 apps, and then enabling encrypted backups. The Blueprint will provide all of these features to any device that the Blueprint is applied to. But then why not call it a group? Why call it a Blueprint? Because the word template is boring. And you’re not dynamically making changes to devices over…
-
Use The profiles Command Line In El Capitan
You might be happy to note that other than the ability to interpret new payloads, the profiles command mostly stays the same in El Capitan, from Yosemite. You can still export profiles from Apple Configurator or Profile Manager (or some of the 3rd party MDM tools). You can then install profiles by just opening them and installing. Once profiles are installed on a Mac, mdmclient, a binary located in /usr/libexec will process changes such as wiping a system that has been FileVaulted (note you need to FileVault if you want to wipe an OS X Lion client computer). /System/Library/LaunchDaemons and /System/Library/LaunchAgents has a mdmclient daemon and agent respectively that start…