Jesus Vigo walks through the configuration of settings that will be pushed from OS X Server's Profile Manager service to multiple devices to help lock them down and ensure they stay that way.
Management of device settings and security is the mantra of a systems administrator. It can (and does) make the difference between a smooth-running system and a problematic one that robs countless man-hours from the IT department's never-ending list of tasks.
Whether you're managing five nodes or 5,000, the end result is the same: having standardized configurations and management policies in place to enforce those baselines is essential to keeping end users and their equipment humming right along.
In a previous post, I walked through the steps of adding unknown devices to Profile Manager. This article focuses on the actual configuration of settings that will be pushed from OS X Server's Profile Manager service to multiple devices to help lock them down and ensure they stay that way.
Prior to beginning, let's review the requirements necessary:
- Apple computer running OS X Server (1.0+)
- The following OS X Server services configured and turned on:
- Users and groups configured
- Devices added to Profile Manager with trust profiles installed
- Broadband internet access (Ethernet or Wi-Fi)
Follow these steps to configure settings in Profile Manager on OS X Server:
- Launch your web browser and enter the URL that pertains to your Profile Manager website
- Log in with administrative credentials and click Log In to authenticate (Figure A).
- From the Library pane, select Devices, and then select the device you wish to configure. Select the Settings tab from the device pane and click the Edit button (Figure B).
- This will open the settings payload for the selected device. There are two portions to the payload screen: the category pane and the configuration pane. The category pane lists settings that are specific to iOS, OS X, or both (Figure C).
- By default, the General payload is always included as it defines how the payload will be deployed, a description of what it contains, and whether the configuration can be removed by end users or password protected (Figure D).
- Enumerating all the possibilities for configuring each payload would be too lengthy to detail and frankly beyond the scope of this article. Instead, I will focus on how configuration works by providing a couple of examples. The basics are the same across the board, and you'll find that what payloads are used will vary from environment to environment.
- One relatively simple configuration that adds multiple security benefits to most enterprises is securing the System Preferences pane. To enable this lockdown, scroll to the OS X section of the category pane, select Restrictions, and then click the Configure button. Check the Restrict items in System Preferences check box. Next, select the radio button next to disable selected items to effectively "blacklist" preferences you don't want end users to access. In this case, the Startup Disk preference pane has been check marked (Figure E). This will prevent end users from booting alternate boot images, non-provisioned hard drives, or recovery partitions, which could be used to circumvent security, restrictions, or bypass safeguards — or all of the above.
- Click the OK button to close the configuration screen when the settings have been selected.
- You'll notice the payload has been both configured and added to the Settings tab. This will occur for each payload that is configured properly (Figure F).
- To add or change payloads, simply click the Edit button to access the payload settings. In this next example, we'll add the Network payload, located under the OS X and iOS category pane. Click the Configure button to enter the settings pane and configure a Wi-Fi access point that will be deployed to all OS X and iOS devices matched to this payload (Figure G). Note: In some (but not all) payloads, the minus [-] and plus sign [+] icons will appear. This is available only in payloads that offer multiple settings within that category, such as the Network payload. Clicking the [+] button will add another settings page, since it's possible to have more than one Wi-Fi network configuration present on your OS X/iOS devices.
- Continue to add payloads until they meet the needs of the environment. Once completed, click the OK button to exit the payload settings screen. However, the settings are not saved yet. Clicking the Save button in the device pane saves the configuration permanently. Warning: Once you click Save, any settings that have been configured will automatically be deployed via push to all targeted devices, so double and triple check and test your settings thoroughly prior to final deployment (Figure H).
- As settings are deployed, you'll notice two sections under the Activity pane: Active Tasks and Completed Tasks (Figure I).
- Active Tasks indicates any process currently being deployed, the device(s) it is being deployed to, its current status, and a time stamp (Figure J).
- Completed Tasks has similar information to Active Tasks, but it includes whether the task completed successfully, failed, or was cancelled. It also retains a historical database of all executed commands for audit purposes (Figure K).
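To complement the GUI walkthrough, here is an added Python example (not from the article, Apple, or Profile Manager itself) that builds the same two payloads, the System Preferences restriction and the Wi-Fi network, as a .mobileconfig plist and lints it before the Save step, so a mis-set profile is caught before it is pushed to every targeted device. Payload type and key names follow Apple's Configuration Profile Reference; the organization identifier, SSID, and password are constructed placeholders.

```python
import plistlib
import uuid
STARTUP_DISK_PANE = "com.apple.preference.startupdisk"
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

def _payload(ptype, ident, **keys):
    # Common keys every payload dictionary must carry, plus its own settings.
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **keys}

def make_profile(org="example.org", ssid="CorpWiFi", psk="CHANGE-ME"):
    """Profile dict with the two payloads from the walkthrough (constructed values)."""
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
        "PayloadIdentifier": f"{org}.baseline", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Baseline lockdown",
        "PayloadRemovalDisallowed": True,  # General payload: end users cannot remove it
        "PayloadContent": [
            # Restrictions > Restrict items in System Preferences > Startup Disk disabled
            _payload("com.apple.systempreferences", f"{org}.baseline.sysprefs",
                     DisabledPreferencePanes=[STARTUP_DISK_PANE]),
            # Network > Wi-Fi access point pushed to every targeted device
            _payload("com.apple.wifi.managed", f"{org}.baseline.wifi",
                     SSID_STR=ssid, HIDDEN_NETWORK=False, AutoJoin=True,
                     EncryptionType="WPA2", Password=psk),
        ],
    }

def to_plist(profile):
    """Serialize to the XML plist form of a .mobileconfig file."""
    return plistlib.dumps(profile)
def from_plist(data):
    """Parse a .mobileconfig (e.g. one exported from Profile Manager) back into a dict."""
    return plistlib.loads(data)

def lint_profile(profile):
    """Pre-deployment checks; returns a list of problems (empty list means OK)."""
    problems, locked = [], False
    if not profile.get("PayloadRemovalDisallowed"):
        problems.append("profile can be removed by end users")
    for p in profile.get("PayloadContent", []):
        problems += [f"{p.get('PayloadType', '?')}: missing {k}" for k in REQUIRED_KEYS if k not in p]
        if p.get("PayloadType") == "com.apple.systempreferences":
            locked |= STARTUP_DISK_PANE in p.get("DisabledPreferencePanes", [])
        elif p.get("PayloadType") == "com.apple.wifi.managed":
            if p.get("EncryptionType") in (None, "None", "WEP") or not p.get("Password"):
                problems.append(f"Wi-Fi '{p.get('SSID_STR')}' is not WPA/WPA2 protected")
    if not locked:
        problems.append("Startup Disk preference pane is not restricted")
    return problems
```

Running `lint_profile(from_plist(open("exported.mobileconfig", "rb").read()))` against a profile exported from Profile Manager gives the same checks on the real artifact before it is pushed.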
Additional tip: User accounts are often collected into Groups for ease of managing user account settings — for example, all system administrators being added to the Administrators Security Group. Profile Manager has a Device Groups entry under the Library pane that is designated for just this very purpose.
Similar devices may be grouped together in a Device Group, which is then used as a target for payload settings. Much like user accounts, instead of making changes one device at a time, you target the Device Group, and all devices that are members of that group automatically inherit the payload settings configured on the group itself. This makes managing settings much simpler and cleaner, since payloads may be configured per group. Additionally, since Device Groups may be nested — that is, groups containing other groups — settings can be layered across the various groups as they are applied, providing much tighter control over security without duplicating settings or the workload.
I've held the belief that one should "work smarter, not harder." I learned this early on in my IT career and have carried it with me ever since. Hard work is necessary from time to time, but if the nodes can be leveraged to perform the heavy lifting and repetitive tasks, then why not use that resource to your advantage?
Managing devices in the BYOD age has become difficult at best and downright mind-bending at others. However, combining the tools, servers, and software available to the modern sysadmin, along with a little careful planning, even a 5,000+ device network can be tamed with standardization and the proper policies in place.
What tips or tricks have you learned while working with Profile Manager configurations in OS X Server? Share your experience in the discussion thread below.