This article is a pre-release chapter in the upcoming “Take Control of OS X Server,” by Charles Edge, scheduled for public release later in 2014. Apart from, and , these chapters are available only to ; see  for details.
From the enterprise angle, a significant feature of OS X Server is mobile device management or MDM, that is, software and services that make it easy for a system administrator to configure numerous devices—iPads, iPhones, and even Macs—with consistent settings and policies. With MDM, an administrator can manage these devices by deploying apps, wiping lost devices, unlocking devices when passcodes are forgotten (yes, it happens), and more.
It may be easy to set up a single iPad as you desire, but setting up 25 classroom iPads manually with the same settings might cause insanity. And you don’t even want to contemplate manual configuration of 5,000 iPads for a large business.
Profile Manager is an MDM tool built into OS X Server that’s designed to simplify the task of managing a fleet of Apple devices in a wide variety of ways. It works with iOS devices running iOS 5 and higher, and with Macs running OS X 10.7 Lion and later.
What can you do with Profile Manager? Lots, including:
Before we go further, though, I need to offer a caveat. OS X Server’s Profile Manager is entirely functional, and if you already have a Mac set up as a server, $19.99 for OS X Server is cheap. But Profile Manager is far from the only—or the best for many environments—MDM tool available, and if you’re contemplating buying a Mac and getting started with OS X Server purely for Profile Manager, I recommend you look at third-party MDM solutions like, , and . (Full disclosure: I am currently employed by JAMF.)
Third-party MDM tools have several advantages over OS X Server’s Profile Manager:
On the face of it, Profile Manager seems like the most time-consuming and complicated OS X Server service to configure, because a lot of technical parts are moving in the background and actual usage of Profile Manager takes place in a Web browser, not in the Server app. But, in fact, you can get Profile Manager up and running quickly provided you understand MDM and meet the prerequisites.
It’s essential that you have push notifications and Open Directory properly configured before starting with Profile Manager, so if you’ve jumped directly to this chapter rather than working your way through Chapter 3,, and Chapter 4, , swing back and run through those steps.
Once you’ve handled these prerequisites, open the Server app and follow these steps.
Back on the Profile Manager pane, “Enabled” appears next to the Device Management label and the Configure button has disappeared.
The name of the profile appears adjacent to the Default Configuration Profile label.
Now that everything you need is in place, click the ON switch to start Profile Manager and wait for it to start up, which could take a minute or so.
When Profile Manager is done starting up, the Profile Manager screen has new links that open the user portal (described next) and the Profile Manager Web interface (described a little later in this chapter).
Before you start enrolling all your devices in Profile Manager, pick one device that you don’t mind wiping repeatedly as you play with all the available options. If you don’t have a completely sacrificial device, remember that you can make a backup of a production device, wipe it for testing, and then restore your backup once your testing is complete.
Any device that you want to enroll must be able to connect to the Profile Manager user portal Web interface, so if you haven’t already updated the DNS settings for the device so it can see your server, do that now.
For example, to update the DNS on an iOS device, tap Settings > Wi-Fi, edit your Wi-Fi network configuration, and change the DNS entry to point at your server (Figure 7).
Once the device in question has its DNS set properly, you can enroll it:
host.domain.name/MyDevices. (For example, if the name of the server is
After you log in, you’re presented with the My Devices screen.
Once enrolled, you can find the profile in Settings > General > Profile (Figure 11).
After enrollment, there isn’t much that can be done from the user portal, though the user can log in to it at any time from any device to lock or wipe the device (including the device logged in to the portal) or clear the passcode.
Why might a user want to do this? Imagine that she has boarded a plane and realized after take-off that she left her work iPhone in the boarding area. Maybe she’ll get it back, maybe she won’t, but she can use the in-flight Wi-Fi from another passenger’s Windows laptop to visit the Profile Manager user portal to lock or even wipe the iPhone.
Of course, the point of mobile device management isn’t what the user can do; it’s about what the system administrator can do, such as configuring devices remotely. And that’s where we turn our attention next.
Now that a device is enrolled, it’s time to visit the Profile Manager Web interface. Either click Open Profile Manager on the Profile Manager screen in the Server app or access it from any computer on your network in a Web browser by appending profilemanager to your server’s host name in a URL. (For the host mavserver.pretendco.lan, the URL would be
At the login page, enter the administrator credentials you use to sign in to the Server app (Figure 13).
When you’re logged in, you’ll see Profile Manager’s Web interface (Figure 14). In the left-hand sidebar, you can switch among managing apps, devices, device groups, users, and user groups, and see both currently active tasks and a log of completed tasks. The pane in the middle displays the contents of the selected item in the Library section, and the large right-hand pane lets you manage that item’s settings.
Regardless of whether you’ve selected a device, device group, user, or user group, you manage settings in essentially the same way. The best way to explore the many available settings is to click the Settings tab in the right-hand pane and then click Edit.
I’ll walk you through the two most common management tasks, forcing a passcode on a device and wiping a device remotely.
Users can, of course, set up their own passcodes, but you can take matters into your own hands and ensure that an appropriate passcode is in place:
The initial About tab shows a wide variety of information about the device, including last check-in time, available capacity, battery life remaining, Do Not Disturb setting, Activation Lock status, installed apps, and more (Figure 16).
If the device didn’t previously have a passcode, it will prompt the user to set one a few moments later. And if it did previously have a passcode, the passcode can no longer be turned off in Settings > Passcode.
The next task I want to showcase is wiping a device, which is something system administrators often want to do when a device is lost or stolen. Follow these steps:
The device is wiped instantly; if you were being a cowboy and trying this on a device that’s not actually lost, now’s the time to restore it from backup.