From the enterprise angle, a significant feature of OS X Server is mobile device management or MDM—that is, software and services that make it easy for a system administrator to configure numerous devices (iPads, iPhones, and even Macs) with consistent settings and policies. With MDM, an administrator can manage these devices by deploying apps, wiping lost devices, unlocking devices when passcodes are forgotten (yes, it happens), and more.
It may be easy to set up a single iPad as you like, but setting up 25 classroom iPads manually with the same settings might cause insanity. And you don’t even want to contemplate manual configuration of 5,000 iPads for a large business!
Profile Manager is an MDM tool that is built into OS X Server and is designed to simplify the task of managing a fleet of Apple devices in a wide variety of ways. It works with iOS devices running iOS 5 and later and with Macs running OS X 10.7 Lion and later.
What can you do with Profile Manager? Lots, including:
Before we go further, though, I need to offer a caveat. OS X Server’s Profile Manager is entirely functional, and if you already have a Mac set up as a server, $19.99 for OS X Server is cheap. But Profile Manager is far from the only—or the best, for many environments—MDM tool available. If you’re contemplating buying a Mac and getting started with OS X Server purely for Profile Manager, I recommend you look at third-party MDM solutions like AirWatch, FileWave, and JAMF Casper Suite. (Full disclosure: I am currently employed by JAMF.)
Third-party MDM tools have several advantages over OS X Server’s Profile Manager:
On the face of it, Profile Manager seems like the most time-consuming and complicated OS X Server service to configure because there are a lot of technical parts moving in the background and configuration of Profile Manager takes place in a Web browser, not in the Server app. But, in fact, you can get Profile Manager up and running quickly provided you understand MDM and meet the prerequisites.
It’s essential that you have push notifications and Open Directory properly configured before starting with Profile Manager, so if you’ve jumped directly to this chapter rather than working your way through Preparation and Installation and Directory Services, swing back and run through those steps.
Once you’ve handled these prerequisites, open the Server app and follow these steps.
Back in the Profile Manager pane, “Enabled” appears next to the Device Management label and the Configure button has disappeared.
The name of the profile appears adjacent to the Default Configuration Profile label.
Now that everything you need is in place, click the ON button to start Profile Manager, and wait for it to start, which could take a minute or so.
With Profile Manager fully started, the Profile Manager pane has new links that open the user portal (described next) and the Profile Manager Web interface (described a little later in this chapter).
Before you start enrolling all your devices in Profile Manager, pick one device that you don’t mind wiping repeatedly as you play with all the available options. If you don’t have a completely sacrificial device, remember that you can make a backup of a production device, wipe it for testing, and then restore your backup once your testing is complete.
Any device that you want to enroll must be able to connect to the Profile Manager user portal Web interface, so if you haven’t already updated the DNS settings for the device so that it can see your server, do that now. For example, to update the DNS on an iOS device, tap Settings > Wi-Fi, edit your Wi-Fi network configuration, and change the DNS entry to point at your server (Figure 75).
Once a device has its DNS set properly, you can enroll it (the steps below are for an iOS device, but you can follow them to enroll a Mac):
host.domain.name/MyDevices. For example, if the name of the server is mavserver.pretendco.lan, visit https://mavserver.pretendco.lan/MyDevices.
After you log in, you’re presented with the My Devices screen.
With the device now enrolled, you can find the profile in Settings > General > Profile (Figure 79).
After enrollment, there isn’t much that can be done from the user portal, though the user can log in to it at any time from any device to lock or wipe the device (including the device logged in to the portal) or clear its passcode.
Why might a user want to do this? Imagine that she has boarded a plane and realized after takeoff that she left her work iPhone in the boarding area. Maybe she’ll get it back and maybe she won’t, but she can use the in-flight Wi-Fi from another passenger’s Windows laptop to visit the Profile Manager user portal to lock or even wipe the iPhone (Figure 80).
Of course, the point of mobile device management isn’t what the user can do; it’s about what the system administrator can do, such as configuring devices remotely. And that’s where we turn our attention next.
Now that a device is enrolled, it’s time to visit the Profile Manager Web interface. Either click Open Profile Manager on the Profile Manager pane in the Server app or access it from any computer on your network in a Web browser by appending profilemanager to your server’s hostname in a URL. (For the host mavserver.pretendco.lan, the URL would be https://mavserver.pretendco.lan/profilemanager.)
At the login page, enter the administrator credentials you use to sign in to the Server app (Figure 81).
When you’re logged in, you see Profile Manager’s Web interface (Figure 82). In the left-hand sidebar, you can switch among managing apps, devices, device groups, users, and user groups and see both currently active tasks and a log of completed tasks. The pane in the middle displays the contents of the item selected in the Library section, and the large right-hand pane lets you manage that item’s settings.
Regardless of whether you’ve selected a device, device group, user, or user group, you manage settings in essentially the same way. The best way to explore the many available settings is to click Settings in the right-hand pane and then click Edit.
I’ll walk you through the two most common management tasks: forcing a passcode on a device and wiping a device remotely.
Users can set up their own passcodes, but you can take matters into your own hands and ensure that an appropriate passcode is in place:
The initial About pane shows information about the device: last check-in time, available capacity, battery life remaining, Do Not Disturb setting, Activation Lock status, installed apps, and more (Figure 84).
If the device didn’t previously have a passcode, it will prompt the user to set one a few moments later. If it did previously have a passcode, the passcode can no longer be turned off in Settings > Passcode.
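What Profile Manager delivers when you force a passcode is a configuration profile carrying a passcode-policy payload. The following is an added example, not code from the book or from Profile Manager: it builds such a profile with Apple’s documented com.apple.mobiledevice.passwordpolicy keys, then audits an existing .mobileconfig file to confirm the policy actually forces a passcode of acceptable strength before you push it to a fleet. The baseline values in REQUIRED_BASELINE and the identifier lan.pretendco.mavserver are constructed for illustration; that Profile Manager’s Web interface writes an equivalent payload is an assumption.

```python
"""Build and audit a passcode-policy configuration profile (.mobileconfig).

Added example, not from the book. Payload keys are Apple's documented
com.apple.mobiledevice.passwordpolicy keys; REQUIRED_BASELINE is an
assumed organisational minimum, not a value from the book.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"

# Assumed baseline an auditor requires before a profile counts as
# "forcing an appropriate passcode". Adjust to your own policy.
REQUIRED_BASELINE = {
    "forcePIN": True,         # device must have a passcode at all
    "allowSimple": False,     # reject 1111, 1234 and similar
    "minLength": 6,           # at least this many characters
    "maxFailedAttempts": 10,  # wipe after at most this many failures
    "maxInactivity": 5,       # auto-lock within at most this many minutes
}


def build_passcode_profile(org_identifier, min_length=6, max_failed=10,
                           max_inactivity=5, allow_simple=False):
    """Return a profile dict with one passcode-policy payload."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_identifier}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,
        "allowSimple": allow_simple,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,
        "maxInactivity": max_inactivity,
        "maxGracePeriod": 0,  # require the passcode immediately after lock
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Required Passcode",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialise the profile dict to the XML plist bytes a device installs."""
    return plistlib.dumps(profile)


def audit_profile(mobileconfig_bytes, baseline=REQUIRED_BASELINE):
    """Parse a .mobileconfig and return findings; an empty list is compliant.

    Handles unsigned profiles only (plain XML plists). A CMS-signed profile
    would need its signature wrapper removed first, which is not done here.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD]
    if not payloads:
        return ["no passcode-policy payload present"]
    findings = []
    for p in payloads:
        for key, required in baseline.items():
            actual = p.get(key)
            if actual is None:
                findings.append(f"{key} not set (device default applies)")
            elif isinstance(required, bool):  # checked before int: bool is an int
                if actual != required:
                    findings.append(f"{key} is {actual}, expected {required}")
            elif key == "minLength":
                if actual < required:
                    findings.append(f"{key} is {actual}, expected >= {required}")
            elif actual > required:  # maxFailedAttempts, maxInactivity are ceilings
                findings.append(f"{key} is {actual}, expected <= {required}")
    return findings


if __name__ == "__main__":
    # Constructed identifier derived from the book's example hostname.
    good = to_mobileconfig(build_passcode_profile("lan.pretendco.mavserver"))
    print(audit_profile(good))
    weak = build_passcode_profile("lan.pretendco.mavserver",
                                  min_length=4, allow_simple=True)
    print(audit_profile(to_mobileconfig(weak)))
```

Run it before enrolling real devices: a profile that lacks the payload, or sets allowSimple or a short minLength, is reported as a finding rather than silently applying the device defaults. The same audit works on a profile exported from Profile Manager, as long as it is unsigned.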
The next task I want to showcase is wiping a device, which is something system administrators often want to do when a device is lost or stolen. Follow these steps:
The device is wiped instantly; if you were being a cowboy and trying this on a device that’s not actually lost, now’s the time to restore it from backup.