Jesus Vigo walks through the steps of adding unknown devices to Profile Manager in Apple's OS X Server.
Managing devices has long been the core function of a systems administrator. As networks grew and bandwidth speeds got faster, so did the number of nodes to be managed. Enterprise-level suites performed the "heavy lifting" on thousands of connected computers.
However, the rise of initiatives such as BYOD and the Consumerization of IT (CoIT) has changed the device management field significantly. Today, new devices may be personally owned, and some mobile devices you may never even physically touch!
Yet they must be configured, secured, and supported by IT through their lifecycle. So, how does one go about adding unknown devices to Profile Manager? And how can some types of devices be administered while not impacting others?
Let's take a look at answers to these questions, plus some best practices for staging and managing devices.
Below are the requirements for managing Profile Manager in OS X Server:
- Apple Computer running OS X Server (1.0+)
- The following OS X Server services configured and turned on:
- Users and groups configured
- Broadband internet access (Ethernet or Wi-Fi)
Follow these steps to manage devices with Profile Manager in OS X Server:
1. Launch Server.app and select the server you wish to manage.
2. Log in with administrative credentials.
3. Select Profile Manager from the Server pane (Figure A).
4. Clicking the Open Profile Manager link opens the portal, the web-based console for managing Profile Manager.
5. Alternatively, the website may be accessed directly by entering the server's hostname into the address bar of a browser. Access to the portal initially relies on administrative credentials. Click Log in after entering your administrative username and password (Figure B).
6. Profile Manager consists of a three-section website: the Services pane, the Devices pane, and the Information pane (Figure C).
7. Before continuing any further, profiles must be created that allow client devices to communicate with the Profile Manager service and be managed by it. These two profiles are Trust and Enrollment. They are generated automatically based on the SSL certificate used when setting up the PM service. To download the Trust profile, select Download Trust Profile from the drop-down menu located under the currently logged-in user's name (Figure D).
8. Confirm the download of the Trust profile by selecting Download when prompted. The Trust profile allows client devices to establish a secured connection with the server and enables verification of the services provided (Figure E).
9. The second profile, Enrollment, links client devices to the Profile Manager service for managing settings. Click the plus sign [+] under the Services pane and select Enrollment Profile from the drop-down menu to create a new Enrollment profile.
10. Enter a unique name for the new Enrollment profile. Optionally, in environments with large deployments or rapid turnover, you may wish to uncheck the box next to Restrict use to devices with placeholders. Keeping this box checked allows only pre-staged devices to communicate with the PM service (Figure F).
11. Click Save... to save the new Enrollment profile, then click Download to save a copy of the profile locally.
12. With both profiles saved to a local folder or server share, they're almost ready to be deployed to client devices. Please note that the order in which these profiles load is extremely important: the Trust profile must always be loaded first, or the installations will fail. An easy way to ensure this is to prefix the Trust profile's filename with "01_" and the Enrollment profile's filename with "02_". Sorted that way, the Trust profile loads first, followed by the Enrollment profile, each time they're deployed (Figure G).
13. Deploying the Trust and Enrollment profiles to client devices can be accomplished in several ways, depending on the level of control IT wishes to exercise. If manually installing the profiles, go to step 14; if using a fully automated, scripted approach or Apple Remote Desktop (ARD), go to step 15; if extending this right to the self-service portal, go to step 16.
14. Manually installing profiles may be perfectly viable for fewer than 7 computers, but as the numbers increase, the burden of manual processes grows exponentially. With that said, simply log in to a node with administrative credentials and double-click the Trust profile to install it, followed by the Enrollment profile. Confirm your credentials when prompted.
15. ARD or scripting allows for a quick, automated install each and every time. Begin by making a folder called "Setup" and copy the two profiles created earlier into it. The goal of the task is to copy the folder (and its contents) to the following location: /var/db/ConfigurationProfiles. Once the folder is in place, reboot the node; the Trust and Enrollment profiles are parsed automatically, adding the device to Profile Manager.
16. Providing end-user access to the self-service portal is by far the easiest way to configure devices for PM. This method relies on user accounts, either managed through OS X Server or a third-party directory service such as Active Directory. End users will be required to visit the My Devices URL (e.g. https://hostname.com/mydevices) and log in using their account credentials.
17. Upon logging in successfully, users will see the My Devices page, which links any devices they've enrolled directly to their account (Figure H).
18. Selecting the Profiles tab displays all profiles made available to them. From here, they can manually download and install the Trust and Enrollment profiles, in that order, to configure their device for management remotely (Figure I).
19. Once the installation of the profiles is complete, clicking the Devices tab reveals all devices currently linked to their accounts. If a device falls out of compliance, they can log back in to remotely Lock or Wipe the device, or click the Remove link to unlink it from Profile Manager altogether (Figure J).
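The scripted/ARD route in step 15, together with the "01_"/"02_" naming from step 12, can be wrapped in a small script so that every node is staged the same way. The following POSIX shell script is an added example, not code from the article or from Apple. It assumes the two downloaded .mobileconfig files are named by the caller, that the script runs as root on the client (for instance via ARD's Send UNIX Command) before the reboot, and it takes the destination root as an optional parameter so the logic can be exercised against a scratch directory instead of the real /var/db/ConfigurationProfiles path named in the article.

```shell
#!/bin/sh
# Added example, not from the original article or from Apple.
# Stages the Trust and Enrollment profiles into <dest_root>/Setup with
# "01_"/"02_" prefixes so the Trust profile sorts, and so installs, first.
# Assumption: dest_root defaults to /var/db/ConfigurationProfiles (the path
# given in the article); any other value is only for testing the logic.

# looks_like_profile FILE -> 0 if FILE starts like an XML or binary plist
looks_like_profile() {
  head -c 6 "$1" 2>/dev/null | grep -q -e '<?xml' -e 'bplist'
}

# stage_profiles SRC_DIR TRUST_FILE ENROLL_FILE [DEST_ROOT]
stage_profiles() {
  src_dir="$1"; trust="$2"; enroll="$3"
  dest_root="${4:-/var/db/ConfigurationProfiles}"
  setup_dir="$dest_root/Setup"
  for f in "$src_dir/$trust" "$src_dir/$enroll"; do
    [ -f "$f" ] || { echo "missing profile: $f" >&2; return 1; }
    looks_like_profile "$f" || { echo "not a plist: $f" >&2; return 1; }
  done
  mkdir -p "$setup_dir" || return 1
  cp "$src_dir/$trust"  "$setup_dir/01_Trust.mobileconfig"      || return 1
  cp "$src_dir/$enroll" "$setup_dir/02_Enrollment.mobileconfig" || return 1
  # The staged files are consumed by the system at boot; keep the folder
  # owner-only so an unprivileged user cannot swap in a different profile.
  chmod 700 "$setup_dir" && chmod 600 "$setup_dir"/*.mobileconfig
}

# install_order DEST_ROOT -> lists the staged profiles in sort (install) order
install_order() {
  ls "$1/Setup" | LC_ALL=C sort
}

# trust_is_first DEST_ROOT -> 0 only if the Trust profile sorts first
trust_is_first() {
  [ "$(install_order "$1" | head -n 1)" = "01_Trust.mobileconfig" ]
}

# demo: constructed placeholder profiles in a scratch directory; nothing
# here touches /var/db. Returns 0 when staging and ordering both check out.
demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/src" || return 1
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n' \
    > "$work/src/Trust Profile.mobileconfig"
  printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict/></plist>\n' \
    > "$work/src/Enrollment.mobileconfig"
  stage_profiles "$work/src" "Trust Profile.mobileconfig" \
    "Enrollment.mobileconfig" "$work/dest" || return 1
  trust_is_first "$work/dest" || return 1
  install_order "$work/dest"
  rm -rf "$work"
}

# Stand-alone use on a client (as root), then reboot:
#   sh stage.sh ~/Downloads "Trust Profile.mobileconfig" "Enrollment.mobileconfig"
if [ "$#" -ge 3 ]; then
  stage_profiles "$@"
fi
```

The plist sniff is deliberately cheap: it catches a truncated or HTML-error download before it is copied into a location the system trusts at boot, without depending on plutil being present. Run `demo` first on an administrative machine to see the resulting install order before pushing the script through ARD.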
One of the greatest features of Profile Manager isn't a feature at all -- at least, not a technical one. It's the flexibility it offers. From choosing how devices are enrolled to configuring how settings are deployed, Profile Manager allows the sysadmin to work alone or in unison with end users to achieve management and support goals.
With the initial setup of Profile Manager completed and devices registered with the service, the real power behind Profile Manager will be the focus of subsequent articles. If you have any questions about Profile Manager that you'd like to see covered in an upcoming post, please let us know in the discussion thread below.