Mobile Device Management

From the enterprise angle, a significant feature of OS X Server is mobile device management or MDM—that is, software and services that make it easy for a system administrator to configure numerous devices (iPads, iPhones, and even Macs) with consistent settings and policies. With MDM, an administrator can manage these devices by deploying apps, wiping lost devices, unlocking devices when passcodes are forgotten (yes, it happens), and more.

It may be easy to set up a single iPad as you like, but setting up 25 classroom iPads manually with the same settings might cause insanity. And you don’t even want to contemplate manual configuration of 5,000 iPads for a large business!

Profile Manager is an MDM tool that is built into OS X Server and is designed to simplify the task of managing a fleet of Apple devices in a wide variety of ways. It works with iOS devices running iOS 5 and later and with Macs running OS X 10.7 Lion and later.

What can you do with Profile Manager? Lots, including:

  • Push apps and Web clips to multiple iOS devices
  • Set and enforce passcode policies
  • Configure email settings
  • Set iOS device restrictions
  • Remotely unlock, lock, or wipe a missing device
  • Control login screen options
  • Set up printers in OS X
  • Launch certain apps at login
  • Automatically configure Exchange and Google Apps accounts
  • Require that Macs sleep when not in use

Note: You can even remove apps that you supplied from devices, which might be handy in a school situation, for instance, where you need to replace the apps on the iPads of outgoing kindergartners with first-grade apps but put those kindergarten apps on new iPads for the incoming kindergartners.

Before we go further, though, I need to offer a caveat. OS X Server’s Profile Manager is entirely functional, and if you already have a Mac set up as a server, $19.99 for OS X Server is cheap. But Profile Manager is far from the only—or the best, for many environments—MDM tool available. If you’re contemplating buying a Mac and getting started with OS X Server purely for Profile Manager, I recommend you look at third-party MDM solutions like AirWatch, FileWave, and JAMF Casper Suite. (Full disclosure: I am currently employed by JAMF.)

Third-party MDM tools have several advantages over OS X Server’s Profile Manager:

  • Cost: If you consider the cost of a server Mac, the software-as-a-service solutions can be notably cheaper.
  • Function: These tools often provide more coherent management consoles that are integrated with other capabilities or that fit into other management consoles, such as those for Microsoft Exchange. These tools can be more stable and can even be clustered for larger environments.
  • Upgrading: Upgrades to OS X Server, such as the jump from 10.7 Lion to 10.8 Mountain Lion, have sometimes required that iOS devices be re-enrolled in Profile Manager. It’s not the end of the world, but it can be annoying.

The Volume Purchase Program

The Volume Purchase Program, which requires that you set up a special account with Apple, enables you to use an institutional credit card to buy apps from the App Store and books from the iBooks Store (but neither music nor videos from the iTunes Store) in bulk and then distribute them to your users’ devices. For more information and to start enrolling your organization, visit the Volume Purchase Program for Education and Volume Purchase Program for Business pages on Apple’s Web site.

The Device Enrollment Program

As with the Volume Purchase Program, the Device Enrollment Program is outside the scope of this book, but you should still be aware of it.

With this program, very large organizations can buy numerous iOS devices from Apple and associate each device with an organizational Apple ID automatically, making it possible to hand sealed iPad boxes to users and have your MDM solution automatically configure the iPads as they’re activated. The Device Enrollment Program also allows you to force devices to remain enrolled by an MDM solution.

Enable Profile Manager

On the face of it, Profile Manager seems like the most time-consuming and complicated OS X Server service to configure because there are a lot of technical parts moving in the background and configuration of Profile Manager takes place in a Web browser, not in the Server app. But, in fact, you can get Profile Manager up and running quickly provided you understand MDM and meet the prerequisites.

It’s essential that you have push notifications and Open Directory properly configured before starting with Profile Manager, so if you’ve jumped directly to this chapter rather than working your way through Preparation and Installation and Directory Services, swing back and run through those steps.

Once you’ve handled these prerequisites, open the Server app and follow these steps.

Turn on device management:
  1. Click Profile Manager in the sidebar to open the Profile Manager pane at the right (Figure 69).
    **Figure 69:** Profile Manager’s main screen.

  2. In the Profile Manager pane, click the Configure button to the right of the Device Management label to start the Device Management assistant.
  3. Click Next.
  4. On the Organization Information screen, enter your name, administrator email address, and phone number (Figure 70). This information appears in the code signing certificate that protects Profile Manager communications. Since users will see what you enter, don’t be too cheeky. Click Next.
    **Figure 70:** Enter your contact information on the Organization Information screen.

    Note: If, despite my admonitions, you haven’t set up push notifications yet, additional screens will walk you through that setup.

  5. On the Configure an SSL Certificate screen, choose an SSL certificate (Figure 71). The easiest approach is to choose the self-signed certificate you created back in Configure Alerts. Click Next.
    **Figure 71:** Choose an SSL certificate to protect the communications between your server and your users’ devices.

    Note: If you’ve obtained a trusted SSL certificate, you can use that here instead, but the main advantage is one less confirmation dialog when enrolling devices in Profile Manager.

  6. On the Confirm Settings screen, click the Finish button to complete the Device Management assistant.

Back in the Profile Manager pane, “Enabled” appears next to the Device Management label and the Configure button has disappeared.

Create a default configuration file:
  1. Click the Edit button to the right of Default Configuration Profile.
  2. Give the profile a name, such as Everyone (Figure 72).
    **Figure 72:** Name your default configuration profile and select the checkbox if you run all your services on this server.

  3. If you host any services (Calendar, Contacts, VPN, and so on) on this server, select the “Include configuration for services” checkbox; icons indicating which services are included in the default profile appear to the right of the checkbox. Otherwise, leave the checkbox unselected. You can enable other services later and have them configured for devices at enrollment time.
  4. Click OK.

The name of the profile appears adjacent to the Default Configuration Profile label.

Maximize the security of your configuration:
  1. Select the “Sign configuration profiles” checkbox.
  2. In the Code Signing Certificate dialog that appears (Figure 73), choose your SSL certificate from the Certificate pop-up menu.
    **Figure 73:** Choose a code signing certificate; unless you’ve installed a third-party certificate, your existing self-signed certificate is the only choice.

  3. Click OK.

Tip: Security is important here, since enrolled devices can be locked or wiped and you don’t want a troll to mess with your users’ devices.

Now that everything you need is in place, click the ON button to start Profile Manager, and wait for it to start, which could take a minute or so.

Warning! Don’t click anything while waiting for Profile Manager to start! The Web service isn’t fully started until the path to the default Web site is shown (the correct entry, as shown in Figure 74, should be “Available at host.domain.name/profilemanager”) and an Open Profile Manager link is shown at the bottom of the screen. If you touch anything too early, you’ll mess something up, so be patient.

With Profile Manager fully started, the Profile Manager pane has new links that open the user portal (described next) and the Profile Manager Web interface (described a little later in this chapter).

**Figure 74:** Once Profile Manager is enabled, the Profile Manager pane shows a green circle next to the Status label as well as links to the Profile Manager Web interface and the user portal.

Starting from Scratch

If you run into problems when you’re getting started, never fear, because you can always run the wipeDB.sh script that resets the Profile Manager database:

sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh

Any devices you’ve enrolled in Profile Manager will need to be re-enrolled, needless to say, so don’t use the wipeDB.sh script unless you’re certain you want to blow away all your Profile Manager work.

Enroll Devices

Before you start enrolling all your devices in Profile Manager, pick one device that you don’t mind wiping repeatedly as you play with all the available options. If you don’t have a completely sacrificial device, remember that you can make a backup of a production device, wipe it for testing, and then restore your backup once your testing is complete.

Speeding up Enrollment

Because the steps below have you relying on your self-signed SSL certificates, you’ll get two extra warnings during the process. You can avoid those either by purchasing third-party trusted certificates for the server or by installing self-signed certificates on devices prior to enrollment. The extra warnings are the only downside; the encryption and technical security are the same.

If you want to enroll a large number of devices at once, consider using Apple Configurator, a free app from Apple that does much of what Profile Manager does (but via a USB connection to a Mac). In this context, Apple Configurator is perhaps most useful for pushing out Profile Manager’s enrollment profile to many devices so you don’t have to fuss with the Web browser on each device. But, in fact, if you don’t require over-the-air management (via a network), Apple Configurator can stand in entirely for Profile Manager.

Apple Configurator may be free, but it’s complicated enough that I co-authored (with TJ Houston) an entire book about it, Instant Apple Configurator How-to.

Any device that you want to enroll must be able to connect to the Profile Manager user portal Web interface, so if you haven’t already updated the DNS settings for the device so that it can see your server, do that now. For example, to update the DNS on an iOS device, tap Settings > Wi-Fi, edit your Wi-Fi network configuration, and change the DNS entry to point at your server (Figure 75).

**Figure 75:** If necessary, change the DNS setting for the device so it can see your server on the local network.

Once a device has its DNS set properly, you can enroll it (the steps below are for an iOS device, but you can follow them to enroll a Mac):

  1. Open Safari and load the Profile Manager user portal by visiting host.domain.name/MyDevices. For example, if the name of the server is mavserver.pretendco.lan, visit https://mavserver.pretendco.lan/MyDevices.

    Tip: Be careful when typing the URL, since if you get it wrong Safari may prefix the hostname with www. It may be easier to send the URL to the device via email or instant messaging.

  2. Because of your self-signed SSL certificate, a prompt tells you that the server identity can’t be verified; tap Continue (Figure 76, left).
  3. Enter the user’s Open Directory credentials, and then tap Log In (Figure 76, right).
    **Figure 76:** Tap Continue to accept the self-signed certificate (left), and then log in using your administrator credentials (right).

    After you log in, you’re presented with the My Devices screen.

  4. Tap the Enroll button to enroll your device; this involves installing a profile, so tap Install (Figure 77).
    **Figure 77:** Tap the Enroll button (left), and if necessary tap Install to accept your self-signed certificate (right).

  5. Because iOS takes security seriously, it presents another warning (Figure 78, left); tap Install in the upper right to acknowledge that you’ve seen it, and if prompted enter the device’s passcode.
  6. Once the profile is installed, tap Done (Figure 78, right).
    **Figure 78:** Tap Install to acknowledge the warning (left), and once the profile is installed tap Done (right).

With the device now enrolled, you can find the profile in Settings > General > Profile (Figure 79).

**Figure 79:** Find the profile in Settings > General > Profile.

Note: If you’ve enrolled a Mac instead of an iOS device, the profile appears in a new Profiles pane in System Preferences.

Note: You can delete the profile from the Settings app (or System Preferences) unless the device was configured via the Device Enrollment Program, at which point it’s presumably owned by the organization and shouldn’t be controlled by an individual.

After enrollment, there isn’t much that can be done from the user portal, though the user can log in to it at any time from any device to lock or wipe the device (including the device logged in to the portal) or clear the passcode.

Why might a user want to do this? Imagine that she has boarded a plane and realized after takeoff that she left her work iPhone in the boarding area. Maybe she’ll get it back and maybe she won’t, but she can use the in-flight Wi-Fi from another passenger’s Windows laptop to visit the Profile Manager user portal to lock or even wipe the iPhone (Figure 80).

**Figure 80:** From the Profile Manager user portal, the user can lock or wipe the device or clear its passcode.

Of course, the point of mobile device management isn’t what the user can do; it’s about what the system administrator can do, such as configuring devices remotely. And that’s where we turn our attention next.

Manage Devices

Now that a device is enrolled, it’s time to visit the Profile Manager Web interface. Either click Open Profile Manager on the Profile Manager pane in the Server app or access it from any computer on your network in a Web browser by appending profilemanager to your server’s hostname in a URL. (For the host mavserver.pretendco.lan, the URL would be https://mavserver.pretendco.lan/profilemanager.)

At the login page, enter the administrator credentials you use to sign in to the Server app (Figure 81).

**Figure 81:** Log in to Profile Manager in a Web browser.

When you’re logged in, you see Profile Manager’s Web interface (Figure 82). In the left-hand sidebar, you can switch among managing apps, devices, device groups, users, and user groups and see both currently active tasks and a log of completed tasks. The pane in the middle displays the contents of the item selected in the Library section, and the large right-hand pane lets you manage that item’s settings.

**Figure 82:** In Profile Manager’s Web interface, to manage an item’s settings, select it in the sidebar and then select an item in the middle pane (in this screenshot, my default configuration profile, Everyone).

Setting up Device Groups

Notice that if you click Groups in the sidebar and then click Everyone (or whatever you named your default configuration profile back in Enable Profile Manager), you can apply settings to all enrolled devices (see Figure 82, above). You can also manage devices individually or in smaller groups.

To create a group, select Device Groups in the sidebar, click the Add Device Group button (or the plus button below the sidebar), name the group, and click the Save button.

Then, to add a device to the group, click the plus button below the right-hand pane, click Add Devices (Figure 83), and, in the dialog that appears, click the Add button for the desired device.

**Figure 83:** To manage multiple devices at a time, add them to a device group.

Click Save when you’re done.

Regardless of whether you’ve selected a device, device group, user, or user group, you manage settings in essentially the same way. The best way to explore the many available settings is to click Settings in the right-hand pane and then click Edit.

I’ll walk you through the two most common management tasks: forcing a passcode on a device and wiping a device remotely.

Force a Passcode

Users can set up their own passcodes, but you can take matters into your own hands and ensure that an appropriate passcode is in place:

  1. In Profile Manager’s Web interface, click Devices in the sidebar and then, in the middle pane, select a device.

    The initial About pane shows information about the device: last check-in time, available capacity, battery life remaining, Do Not Disturb setting, Activation Lock status, installed apps, and more (Figure 84).

    **Figure 84:** Profile Manager’s About pane for a device displays a vast amount of info that could be useful to a system administrator.

  2. Click the Settings button in the right-hand pane, and then click the Edit button next to General to bring up a dialog showing all the possible settings, listed in a sidebar on the left and separated into three groups of settings: both OS X and iOS; just iOS; and just OS X.
  3. Click Passcode, and then click Configure at the right to reveal all the possible passcode settings.
  4. Select Allow Simple Value and set Minimum Passcode Length to 4 (Figure 85). Click OK to commit the changes.
    **Figure 85:** Configure the passcode settings as desired.

    Note: With iOS, a 4-character passcode is usually sufficient, since the device will wipe itself long before someone can guess the 4-character passcode. Anything longer becomes a drag to enter every time the user needs to unlock the iPhone, unless the device has Touch ID.

  5. Back in the main settings screen for the device, click Save to save your changes (Figure 86).
    **Figure 86:** Make sure you save your changes!

If the device didn’t previously have a passcode, it will prompt the user to set one a few moments later. If it did previously have a passcode, the passcode can no longer be turned off in Settings > Passcode.
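What the steps above produce under the hood is a configuration profile (a .mobileconfig plist) containing a Passcode payload, which Profile Manager pushes to the enrolled device. The following is an added example, not Profile Manager’s own code or anything from this book: it builds and parses such a profile with Python’s standard plistlib so you can see which keys the “Allow Simple Value” and “Minimum Passcode Length” settings map to (allowSimple and minLength in Apple’s com.apple.mobiledevice.passwordpolicy payload). It also sets maxFailedAttempts, the setting behind the “device will wipe itself” behavior the note relies on, and PayloadRemovalDisallowed, the flag that corresponds to the Device Enrollment Program case in which the user can no longer delete the profile from Settings. The organization name, payload identifiers, display name, and the failed-attempt count are constructed placeholders.

```python
"""Build and inspect a configuration profile carrying a Passcode payload.

Added example for illustration; not Profile Manager's code. Payload keys
follow Apple's Configuration Profile Reference. Identifiers, organization
name and the failed-attempt limit are constructed placeholder values.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"


def build_passcode_profile(min_length=4, allow_simple=True,
                           max_failed_attempts=10, removal_disallowed=False,
                           org="Pretendco (placeholder)",
                           identifier="lan.pretendco.everyone"):
    """Return a .mobileconfig (XML plist) as bytes.

    min_length          -> minLength   ("Minimum Passcode Length" on the page)
    allow_simple        -> allowSimple ("Allow Simple Value" on the page)
    max_failed_attempts -> maxFailedAttempts (erase after this many failures)
    removal_disallowed  -> PayloadRemovalDisallowed (profile cannot be removed
                           by the user, as with Device Enrollment Program devices)
    """
    passcode_payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".passcode",   # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode",
        "forcePIN": True,               # require a passcode at all
        "allowSimple": allow_simple,
        "minLength": min_length,
        "maxFailedAttempts": max_failed_attempts,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,                 # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Everyone",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [passcode_payload],
    }
    return plistlib.dumps(profile)


def passcode_policy(profile_bytes):
    """Parse a profile and return the effective passcode policy as a dict,
    or None if the profile carries no Passcode payload.

    Useful when auditing a profile exported from Profile Manager: the
    defaults used here (no forced PIN, simple values allowed, no minimum
    length, no failure limit) are what the device applies when a key is absent.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD_TYPE:
            return {
                "forcePIN": payload.get("forcePIN", False),
                "allowSimple": payload.get("allowSimple", True),
                "minLength": payload.get("minLength", 0),
                "maxFailedAttempts": payload.get("maxFailedAttempts", 0),
                "removable": not profile.get("PayloadRemovalDisallowed", False),
            }
    return None


if __name__ == "__main__":
    data = build_passcode_profile()
    print(data.decode())          # the XML Profile Manager would push
    print(passcode_policy(data))  # the policy a device would enforce
```

Running the script prints the XML plist and the parsed policy; to mirror the chapter’s settings exactly, call build_passcode_profile(min_length=4, allow_simple=True). A profile generated this way is unsigned; the “Sign configuration profiles” option from Enable Profile Manager wraps this XML in a CMS signature made with the server’s certificate, which is what lets a device confirm the policy really came from your server.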

Wipe a Device

The next task I want to showcase is wiping a device, which is something system administrators often want to do when a device is lost or stolen. Follow these steps:

  1. In the sidebar of the Profile Manager Web interface, click Devices.
  2. From the middle pane, select the device you want to wipe.
  3. At the bottom of the right-hand pane, click the gear button; from the pop-up menu that appears, choose Wipe (Figure 87).
    **Figure 87:** From the gear menu, choose Wipe.

  4. In the Wipe dialog that appears, select the device again and click Wipe.

The device is wiped instantly; if you were being a cowboy and trying this on a device that’s not actually lost, now’s the time to restore it from backup.