This article originally appeared in TidBITS on 2014-08-04 at 2:21 p.m.
The permanent URL for this article is: http://tidbits.com/article/14967
Include images: Off

Take Control of OS X Server, Chapter 9: Mobile Device Management

by Charles Edge

This article is a pre-release chapter in the upcoming “Take Control of OS X Server,” by Charles Edge, scheduled for public release later in 2014. Apart from Chapter 1: Introducing OS X Server [1], and Chapter 2: Choosing Server Hardware [2], these chapters are available only to TidBITS members [3]; see “Take Control of OS X Server” Streaming in TidBITS [4] for details.


Mobile Device Management

From the enterprise angle, a significant feature of OS X Server is mobile device management or MDM, that is, software and services that make it easy for a system administrator to configure numerous devices—iPads, iPhones, and even Macs—with consistent settings and policies. With MDM, an administrator can manage these devices by deploying apps, wiping lost devices, unlocking devices when passcodes are forgotten (yes, it happens), and more.

It may be easy to set up a single iPad as you desire, but setting up 25 classroom iPads manually with the same settings might cause insanity. And you don’t even want to contemplate manual configuration of 5,000 iPads for a large business.

Profile Manager is an MDM tool built into OS X Server that’s designed to simplify the task of managing a fleet of Apple devices in a wide variety of ways. It works with iOS devices running iOS 5 and higher, and with Macs running OS X 10.7 Lion and later.

What can you do with Profile Manager? Lots, including:

  • Push apps and Web clips to multiple iOS devices
  • Set and enforce passcode policies
  • Configure email settings
  • Set iOS device restrictions
  • Remotely unlock, lock, or wipe a device
  • Control login screen options
  • Set up printers in OS X
  • Launch certain apps at login
  • Automatically configure Exchange and Google Apps clients
  • Require that Macs sleep when not in use
  • And much more…

Note: You can even remove apps that you supplied from devices, which might be handy in a school situation, for instance, where you need to replace the apps on the iPads of outgoing kindergarteners with first-grade apps, but put those kindergarten apps on new iPads for the incoming kindergartners.

Before we go further, though, I need to offer a caveat. OS X Server’s Profile Manager is entirely functional, and if you already have a Mac set up as a server, $19.99 for OS X Server is cheap. But Profile Manager is far from the only—or the best for many environments—MDM tool available, and if you’re contemplating buying a Mac and getting started with OS X Server purely for Profile Manager, I recommend you look at third-party MDM solutions like AirWatch [5], FileWave [6], and JAMF Casper Suite [7]. (Full disclosure: I am currently employed by JAMF.)

Third-party MDM tools have several advantages over OS X Server’s Profile Manager:

  • Cost: If you consider the cost of a server Mac, the software-as-a-service solutions can be notably cheaper.
  • Function: These tools often provide more coherent management consoles that are integrated with other capabilities or that fit into other management consoles, such as those for Microsoft Exchange. These tools can be more stable and even cluster-able for larger environments.
  • Upgrading: Upgrades to OS X Server, such as the jump from 10.7 Lion to 10.8 Mountain Lion, have sometimes required that iOS devices be re-enrolled in Profile Manager. It’s not the end of the world, but it can be annoying.

The Volume Purchase Program

The Volume Purchase Program, which requires that you set up a special account with Apple, enables you to use an institutional credit card to buy apps from the App Store and books from the iBooks Store (but neither music nor videos from the iTunes Store) in bulk and then distribute them to your users’ devices. I don’t say more about this program here, but for more information and to start enrolling your organization, visit the Volume Purchase Program for Education [8] and Volume Purchase Program for Business [9] pages on Apple’s Web site.

The Device Enrollment Program

As with the Volume Purchase Program, the Device Enrollment Program [10] is outside the scope of this book, but you may still want to be aware of it. With this program, very large organizations can purchase numerous iOS devices from Apple and thus associate each device with an organizational Apple ID automatically, making it possible to hand sealed iPad boxes to users and have your MDM solution automatically configure the iPads as they are activated. The Device Enrollment Program also allows you to force devices to remain enrolled by an MDM solution.

Enable Profile Manager

On the face of it, Profile Manager seems like the most time consuming and complicated OS X Server service to configure because there are a lot of technical parts moving in the background and actual usage of Profile Manager takes place in a Web browser, not in the Server app. But, in fact, you can get Profile Manager up and running quickly provided you understand MDM and meet the prerequisites.

It’s essential that you have push notifications and Open Directory properly configured before starting with Profile Manager, so if you’ve jumped directly to this chapter rather than working your way through Chapter 3, Preparation and Installation [11], and Chapter 4, Directory Services [12], swing back and run through those steps.

Once you’ve handled these prerequisites, open the Server app and follow these steps.

Turn on device management:
  1. Click Profile Manager in the sidebar to open the Profile Manager pane at the right (Figure 1).
    [image link]

    Figure 1: View Profile Manager’s main screen.

  2. In the Profile Manager pane, click the Configure button to the right of the Device Management label to start the Device Management assistant.
  3. Click Next.
  4. On the Organization Information screen, enter your name, administrator email address, and phone number (Figure 2). This information appears in the code signing certificate that protects Profile Manager communications. Since users will see what you enter, don’t be too cheeky. Click Next.
    [image link]

    Figure 2: Enter your contact information in the Organization Information screen.

    Note: If, despite my admonitions, you haven’t set up push notifications yet, you’ll see additional screens as Server walks you through that setup.

  5. On the Configure an SSL Certificate screen, choose an SSL certificate (Figure 3). The easiest approach is to choose the self-signed certificate you created back in Configure Alerts [13], in Chapter 3. Click Next.
    [image link]

    Figure 3: Choose an SSL certificate to protect the communications between your server and your users’s devices.

    Note: If you’ve obtained a trusted SSL certificate, you can use that here instead, but the only advantage is one fewer confirmation dialog when enrolling devices in Profile Manager.

  6. On the Confirm Settings screen, click the Finish button to complete the Device Management assistant.

Back on the Profile Manager pane, “Enabled” appears next to the Device Management label and the Configure button has disappeared.

Create a default configuration file:
  1. Click the Edit button to the right of Default Configuration Profile.
  2. Give the profile a name, such as Everyone (Figure 4).
    [image link]

    Figure 4: Name your default configuration profile and select the checkbox if you run all your services on this server.

  3. If you host any services (Calendar, Contacts, VPN, etc.) on this server, select the “Include configuration for services” checkbox—icons indicating which services are included in the default profile appear to the right of the checkbox. Otherwise, leave the checkbox unselected. You can enable other services later and have them configured for devices at enrollment time.
  4. Click OK.

The name of the profile appears adjacent the Default Configuration Profile label.

Maximize the security of your configuration:
  1. Select the “Sign configuration profiles” checkbox.
  2. In the Code Signing Certificate dialog that appears (Figure 5), choose your SSL certificate from the Certificate pop-up menu.
    [image link]

    Figure 5: Choose a code signing certificate; unless you’ve installed a third-party certificate, your existing self-signed certificate is the only choice.

  3. Click OK.

Tip: Security is important here, since enrolled devices can be locked or wiped and you don’t want a troll to mess with your users’s devices.

Now that everything you need is in place, click the ON switch to start Profile Manager and wait for it to start up, which could take a minute or so.

Warning! Do not click anything while waiting for Profile Manager to start! The Web service isn’t fully started until the path to the default Web site is shown (the correct entry, as seen in Figure 6, should be “Available at host.domain.name/profilemanager”) and an Open Profile Manager link is shown at the bottom of the screen. If you touch anything too early, you’re going to mess something up, so be patient.

When Profile Manager is done starting up, the Profile Manager screen has new links that open the user portal (described next) and the Profile Manager Web interface (described a little later in this chapter).

[image link]

Figure 6: Once enabled, the Profile Manager screen shows a green light next to the Status label as well as links to the Profile Manager Web interface and the user portal.

Starting from Scratch

If you run into problems when you’re getting started, never fear, because you can always run the wipeDB.sh script that resets the Profile Manager database:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Any devices that you’ve enrolled in Profile Manager will need to be re-enrolled, needless to say, so don’t use the wipeDB.sh script unless you’re certain you wish to blow away all your Profile Manager work.

Enroll Devices

Before you start enrolling all your devices in Profile Manager, pick one device that you don’t mind wiping repeatedly as you play with all the available options. If you don’t have a completely sacrificial device, remember that you can make a backup of a production device, wipe it for testing, and then restore your backup once your testing is complete.

Speeding Up Enrollment

Because the steps below have you relying on your self-signed SSL certificates, you’ll get two extra warnings during the process. You can avoid those either by either purchasing third-party trusted certificates for the server or by installing self-signed certificates on devices prior to enrollment. The extra warnings are the only downside; the security level remains the same.

Better yet, if you’re enrolling a large number of devices at once, consider using Apple Configurator [14], a free app from Apple that does much of what Profile Manager does (but via a USB connection to a Mac). In this context, Apple Configurator is perhaps most useful for pushing out Profile Manager’s enrollment profile to many devices so you don’t have to fuss with the Web browser on each device. But, in fact, if you don’t require over-the-air management (via a network), Apple Configurator can stand in entirely for Profile Manager.

Apple Configurator may be free, but it’s not trivial to use, so much so that I co-authored (with TJ Houston) an entire book about it: Instant Apple Configurator How-to [15].

Any device that you want to enroll must be able to connect to the Profile Manager user portal Web interface, so if you haven’t already updated the DNS settings for the device so it can see your server, do that now.

For example, to update the DNS on an iOS device, tap Settings > Wi-Fi, edit your Wi-Fi network configuration, and change the DNS entry to point at your server (Figure 7).

[image link]

Figure 7: If necessary, change the DNS setting the iOS device so it can see your server on the local network.

Note: The steps below show the process for an iOS device, but you can follow them to enroll a Mac as well.

Once the device in question has its DNS set properly, you can enroll it:

  1. Open Safari and load the Profile Manager user portal by visiting host.domain.name/MyDevices. (For example, if the name of the server is mavserver.pretendco.lan, visit https://mavserver.pretendco.lan/MyDevices.

    Tip: Be careful when typing the URL, since it’s easy to make a mistake, and if you get it wrong, Safari may prefix the host name with www as well. It may be easier to send the URL to the device via email or instant messaging.

  2. Because of your self-signed SSL certificate, a prompt tells you that the server identity can’t be verified; tap Continue (Figure 8, left).
  3. Enter the user’s Open Directory credentials and tap Log In (Figure 8, right).
    [image link]

    Figure 8: Tap Continue to accept the self-signed certificate, and then log in using your administrator credentials.

    After you log in, you’re presented with the My Devices screen.

  4. Tap the Enroll button to enroll your device; this involves installing a profile, so tap Install (Figure 9).
    [image link]

    Figure 9: Tap the Enroll button, and if necessary, tap Install to accept your self-signed certificate.

  5. Because iOS takes security seriously, it presents another warning (Figure 10, left); tap Install in the upper right to acknowledge that you’ve seen it, and if prompted, enter the device’s passcode.
  6. Once the profile is installed, tap Done to finish (Figure 10, right).
[image link]

Figure 10: Tap Install to acknowledge the warning, and once the profile is installed, tap Done to finish.

Once enrolled, you can find the profile in Settings > General > Profile (Figure 11).

General > Profile." />

Figure 11: Find the profile in Settings > General > Profile.

Note: If you’ve enrolled a Mac instead of an iOS device, the profile appears in a new Profiles pane in System Preferences.

Note: You can delete the profile from the Settings app (or System Preferences) unless the device was configured via the Device Enrollment Program, at which point it’s presumably owned by the organization and shouldn’t be controlled by an individual.

After enrollment, there isn’t much that can be done from the user portal, though the user can log in to it at any time from any device, to lock or wipe the device (including the device logged in to the portal), or clear the passcode.

Why might a user want to do this? Imagine that she has boarded a plane and realized after take-off that she left her work iPhone in the boarding area. Maybe she’ll get it back, maybe she won’t, but she can use the in-flight Wi-Fi from another passenger’s Windows laptop to visit the Profile Manager user portal to lock or even wipe the iPhone.

[image link]

Figure 12: From the Profile Manager user portal, the user can always lock or wipe the device, or clear its passcode.

Of course, the point of mobile device management isn’t what the user can do; it’s about what the system administrator can do, such as configuring devices remotely. And that’s where we turn our attention next.

Manage Devices

Now that a device is enrolled, it’s time to visit the Profile Manager Web interface. Either click Open Profile Manager on the Profile Manager screen in the Server app or access it from any computer on your network in a Web browser by appending profilemanager to your server’s host name in a URL. (For the host mavserver.pretendco.lan, the URL would be https://mavserver.pretendco.lan/profilemanager.)

At the login page, enter the administrator credentials you use to to sign in to the Server app (Figure 13).

[image link]

Figure 13: Log in to Profile Manager in a Web browser.

When you’re logged in, you’ll see Profile Manager’s Web interface (Figure 14). In the left-hand sidebar, you can switch among managing apps, devices, device groups, users, and user groups, and see both currently active tasks and a log of completed tasks. The pane in the middle displays the contents of the selected item in the Library section, and the large right-hand pane lets you manage that item’s settings.

[image link]

Figure 14: In the Profile Manager’s Web interface, select an item in the left-hand sidebar and then select an item in the middle pane. In this screenshot, I’ve selected my default configuration profile, Everyone, in the middle pane.

Setting Up Device Groups

Notice that if you click Groups in the sidebar and then click Everyone (or whatever you named your default configuration profile back in Enable Profile Manager [16]), you can apply settings to all enrolled devices (see Figure 14, above). You can also manage devices individually or in smaller groups.

To create a group, select Device Groups in the sidebar, click the Add Device Group button (or the plus [image link] button at the bottom of the sidebar), name the group, and click the Save button.

Then, to add a device to the group, click the plus [image link] button below the right-hand pane, click Add Devices (Figure 15), and in the dialog that appears, click the Add button for the desired device.

[image link]

Figure 15: To manage multiple devices at a time, add them to a device group.

Click Save when you’re done.

Regardless of whether you’ve selected a device, device group, user, or user group, you manage settings in essentially the same way. The best way to explore the many available settings is to click the Settings tab in the right-hand pane and then click Edit.

I’ll walk you through the two most common management tasks, forcing a passcode on a device and wiping a device remotely.

Force a Passcode

Users can, of course, set up their own passcodes, but you can take matters into your own hands and ensure that an appropriate passcode is in place:

  1. In the Profile Manager Web interface, click Devices in the sidebar and then in the middle pane select a device.

    The initial About tab shows a wide variety of information about the device, including last check-in time, available capacity, battery life remaining, Do Not Disturb setting, Activation Lock status, installed apps, and more (Figure 16).

    [image link]

    Figure 16: Profile Manager’s About tab for a device displays a vast amount of information that could be useful to a system administrator.

  2. Click the Settings tab in the right-hand pane, and then click the Edit button next to General to bring up a dialog showing all the possible settings, listed in a left-hand sidebar and separated into three groups of settings that apply to both OS X and iOS, just iOS, and just OS X.
  3. Click Passcode, and then click Configure at the right to reveal all the possible passcode settings.
  4. In the Passcode settings screen, select Allow Simple Value and set the Minimum Passcode Length to 4 (Figure 17). Click OK to commit the changes.
    [image link]

    Figure 17: Configure the passcode settings as desired.

    Note: I find that with iOS, a 4-character passcode is usually sufficient, since the device will wipe itself far before someone can guess the 4-character passcode. Anything longer becomes a drag to tap in every time the user needs to unlock the iPhone.

  5. Back in the main settings screen for the device, click Save to save your changes (Figure 18).
[image link]

Figure 18: Make sure to save your changes!

If the device didn’t previously have a passcode, it will prompt the user to set one a few moments later. And if it did previously have a passcode, the passcode can no longer be turned off in Settings > Passcode.

Wipe a Device

The next task I want to showcase is wiping a device, which is something system administrators often want to do when a device is lost or stolen. Follow these steps:

  1. In the sidebar of the Profile Manager Web interface, click Devices.
  2. Select the device you want to wipe from the middle pane.
  3. At the bottom of the right-hand pane, click the gear [image link] button and from the pop-up menu that appears, choose Wipe.
    [image link]

    Figure 19: From the gear menu, choose Wipe.

  4. In the Wipe dialog that appears, select the device again and click Wipe.

The device is wiped instantly; if you were being a cowboy and trying this on a device that’s not actually lost, now’s the time to restore it from backup.

Read More: About [17] | Chapter 1 [18] | Chapter 2 [19] | Chapter 3 [20] | Chapter 4 [21] | Chapter 5 [22] | Chapter 6 [23] | Chapter 7 [24] | Chapter 8 [25] | Chapter 9 [26] | Chapter 10 [27] | Chapter 11 [28] | Chapter 12 | Chapter 13 [29] | Chapter 14 [30]

[1]: http://tidbits.com/article/14748
[2]: http://tidbits.com/article/14749
[3]: http://tidbits.com/member_benefits.html
[4]: http://tidbits.com/article/14744
[5]: http://www.air-watch.com/
[6]: http://www.filewave.com/
[7]: http://www.jamfsoftware.com/products/casper-suite/
[8]: http://www.apple.com/education/it/vpp/
[9]: http://www.apple.com/business/vpp/
[10]: https://www.apple.com/education/it/dep/
[11]: http://tidbits.com/article/14799#PreparationandInstallation
[12]: http://tidbits.com/article/14821#DirectoryServices
[13]: http://tidbits.com/article/14799#ConfigureAlerts
[14]: https://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12
[15]: http://krypted.com/mac-os-x/my-new-book-on-apple-configurator/
[16]: #EnableProfileManager
[17]: http://tidbits.com/article/14744
[18]: http://tidbits.com/article/14748
[19]: http://tidbits.com/article/14749
[20]: http://tidbits.com/article/14799
[21]: http://tidbits.com/article/14821
[22]: http://tidbits.com/article/14840
[23]: http://tidbits.com/article/14861
[24]: http://tidbits.com/article/14883
[25]: http://tidbits.com/article/14950
[26]: http://tidbits.com/article/14967
[27]: http://tidbits.com/article/14987
[28]: http://tidbits.com/article/15005
[29]: http://tidbits.com/article/15037
[30]: http://tidbits.com/article/15055