Configuring Profile Manager
To allow assigning profiles, the Profile Manager service must be enabled. Using profiles is significantly different than managing clients in earlier versions of OS X Server. Note that the older method of using Workgroup Manager is still valid in Lion Server, but this book doesn’t approach it. For information on OS X Managed Client, see Chapter 9, “Managing Accounts,” in the book Apple Training Series: Mac OS X Server Essentials v10.6.
In the context of device management, a Profile is basically a collection of settings. Configuration profiles define settings such as Wi-Fi settings, email accounts, calendar accounts, and security policies. Enrollment profiles allow the server to manage your device. A payload is what’s inside a profile.
Preparations for Profile Manager
Prior to configuring Profile Manager, you’ll need to set up a few items to make the process more streamlined.
- Configure your server to manage network users and groups. This is also referred to as creating an Open Directory Master.
- Obtain and install an SSL certificate. It is recommended to use one signed by a trusted certificate authority. You could use the certificate that was automatically generated when you configured your server to manage network accounts, but you first need to configure devices to trust that certificate. If you instead use your self-signed certificate, you won’t be able to enroll iOS devices.
- Obtain an Apple ID for use when you request a push certificate from Apple through the http://appleid.apple.com website. Prior to using this ID, make sure you log in at that site under “Manage My Account” and verify the address. Otherwise, it is possible that you won’t have success requesting the push certificate.
Enabling Profile Manager
In this section, you’ll go through the steps to enable Profile Manager including the signing of a configuration profile.
Open Server app and select Profile Manager in the Server app sidebar.
Click Configure, next to Device Management.
- The service will gather some data and give a description of its capabilities. Click Next.
Choose your certificate. If you use your self-signed certificate, you will not be able to enroll any iOS devices.
Request an Apple Push Notification certificate using an Apple ID. If you do not have one, there’s a link to obtain one under the credential fields. Make sure to verify the address at the http://appleid.apple.com site. Click Next.
A green circle will indicate that you succeeded. Click Finish.
Select the checkbox labeled “Sign configuration profiles,” then choose the Code Signing certificate that was created when you created your network accounts.
By signing the profiles with a certificate, you provide a way to validate that the profiles came from where they are supposed to be from.
- If you don’t have any services running, use this time to configure and activate a few services, then click the On/Off switch to turn on Profile Manager.
User Profile Portal
The User Profile Portal provides simple access for users to log in, apply profiles, and manage their devices. The portal is accessed via a web browser; by simply publishing the website, users anywhere in the world can enroll their devices–whether they be computers, iPhones or other iOS based mobile devices. It is through the portal that a user can lock or wipe their enrolled devices.
- Navigate to the site https://server17.pretendco.com/mydevices.
- Through a series of redirects the user will be prompted for her credentials to log in.
The user is given tabs for Devices and Profiles. Devices is where the user can enroll the device. Profiles is where the various profiles made available to her will be displayed.
- Click the Install Trust Profile. The profile will be downloaded, and the Profiles preferences will appear.
Click the Show Profile button to view the contents of the profile, then click Continue.
In the next window click Show Details to view more information regarding the certificates involved, and then click Install. Enter an administrator’s credentials when prompted.
Navigate to the Devices tab and click Enroll. You will be brought back to the Profile preferences and asked if you want to enroll. View the profile and then click Install.
In the next screen, you will be asked to install Remote Management which allows the server to manage that machine. View the profile and click Continue. Enter an administrator’s credentials when prompted.
Now that the profile has been installed on the computer, refresh the view in the browser and notice that the computer is now listed under the Devices tab with choices to Lock or Wipe the computer. This allows the user to utilize any modern web browser to control those aspects of the computer remotely, if the machine were to get lost or stolen.
To lock the remote device, navigate to the site https://server17.pretendco.com/mydevices on a different computer and log in. Choose your test computer and lock it by clicking the Lock button and entering a 6 digit passcode. Click the Lock button again, and a confirmation box will appear. Once the confirmation has been given, the remote computer will reboot and then offer a dialog to unlock the machine via the passcode.
Managing Profiles Locally
Occasionally a profile will need to be viewed, added, or removed to make way for an updated profile or to simply stop management of the device. Managing the profiles local to a computer is done via the Profiles preference pane located in System Preferences. You added a profile to the computer in the previous exercise and now you will remove one.
To remove a profile local to an OS X computer:
- Open the Profiles preference pane in System Preferences. The various profiles installed on the computer are listed along with their contents and purposes.
- Pick the profile you wish to remove such as the remote management profile and click the Remove (-) button.
- A confirmation dialog box will appear. Click Remove. Enter a local administrator’s credentials, if prompted, and click OK.
To remove a profile local to an iOS device:
- Navigate to Settings/General/Profiles.
- Tap the profile to show the details.
- Tap the Remove button.
- Confirm the removal by tapping the Remove button on the confirmation box.
- Exit Settings.
Using Profile Manager
Once Profile Manager has been turned on, you access the actual management interface via a web application. The web application can be reached via web browser on any machine.
- Navigate to the site https://server17.pretendco.com/profilemanager.
Log in to the Profile Manager web app with an administrator’s credentials.
The layout is a column view where the selection made in the left column defines the content of the column to the right. Click on Devices under the Library and click an enrolled computer.
- In the computers information pane, click Profile and then click Edit under Settings.
In the new window that opens, scroll down the list to the Mac OS X section, noting that there are sections for iOS and combined iOS and Mac OS X. Click Dock and then click Configure.
Change the settings to place the Dock on the Left and to automatically hide and show the Dock.
- Scroll back to the top of the list in the left column and choose General. Under Profile Distribution Type select Manual Download. Click OK.
Note that the Dock preference is indicated in the settings for the computer. Click Save.
A warning that new settings might be pushed to the managed devices is presented. Click Save.
- Under the Settings for the computer, click the Download button. A copy of the preferences is stored in the profile that has been downloaded to the machine Profile Manager is running on. Open the profile in TextEdit.app and view the contents. The profile is simply an XML text file.
Copy the file to your client computer and double-click on it to install. Choose Show Profile to view the contents of the profile.
- Click Install and enter the local administrators password.
- Log out and log back in. Notice the Dock is now hidden on the left side.
- Open the Profiles preference pane in System Preferences. View the new profile. Remove the profile by clicking the Remove (-) button at the bottom of the left column. Acknowledge the removal and enter a local administrator’s credentials. Upon logging out and back in, the original Dock location and behavior will be restored.
Once created, profiles can be delivered to users and computers or iOS devices in a number of ways:
- Via the User Portal where users log in to the portal with their account credentials and they are presented with the profiles assigned to them.
- Emailed to users. The profile is a simple text file, so it is easily transported.
- Web link. The profile can be published on a website for users to visit and download.
- Automatic Push. The profile gets automatically pushed to the device with no user interaction (the device must be enrolled for this to work).
Remotely Locking or Wiping a Device
Once enrolled, a device or group of devices can be remotely locked or wiped. In this example, a remote lock will be performed. A remote wipe can be attempted, but only do it on a device you don’t mind reconfiguring. The device can be locked via Profile Manager by an administrator or via the User Portal by the users themselves.
Upon requesting a lock, a confirmation pane will appear, a passcode will be requested, and the lock command will be sent. On Lion computers, the machine is shut down and an EFI passcode is set, so it needs to be entered to use the machine again. For iOS devices, the screen is locked and the passcode enforced.
- Profile Manager: Log into Profile Manager and select the device or group of devices to be locked. In the Action (gear) menu at the bottom of the right pane choose Lock.
- User Portal: Once users log in, each device they enrolled will be displayed in the Devices.