Jesus Vigo walks through the steps of configuring Profile Manager settings in OS X Server for MDM use.
Mobile Device Management (MDM) is best described as "a way of securing, managing, monitoring, and securing mobile devices" - Derick Okihara. MDM suites vary in price, but — between application, support, and per-device licensing costs — prices can be incredibly high for a small- to medium-sized network.
Apple's OS X Server has an ace up its sleeve with the inclusion of a modestly equipped MDM platform baked right into the Profile Manager service. The very same service used to managed wired nodes on a LAN can also be used to wirelessly manage mobile devices — both OS X and iOS — over the internet. With the ability to host up to 5,000 devices on a single server, factored in with the relatively low cost of an Apple Server, running a MDM server has never been this inexpensive or simple to setup — especially compared to other pricer MDM suites. Lest we forget, being a 1st-party Apple application, support is always included at no additional cost.
Before proceeding with the MDM features, let's take a moment to review the requirements for OS X Server:
- Apple Computer running OS X Server (1.0+)
- The following OS X Server services configured and turned on:
- Users and groups configured
- Devices added to Profile Manager with trust profiles installed
- Broadband internet access (Ethernet or Wi-Fi)
- 3rd-party SSL certificate
- Apple push notification certificate
- Self-signed or 3rd-party code-signing certificate
Follow these steps to configure Profile Manager settings in OS X Server for MDM use:
- Launch your web browser and enter the URL that pertains to your Profile Manager website.
- Login with administrative credentials and click the Log In button to authenticate (Figure A).
- From the Library pane, select Devices (or Device groups), and then select the device (or group) you wish to configure. Select the Settings tab from the device pane and click the Edit button (Figure B).
- This will open the settings payload for the selected device. Scroll down to view the iOS category, which contains all the payload settings that apply only to iOS, since we're focusing on mobile devices like iPhones or iPads using iOS (Figure C).
- By default, the General payload is always included, as it defines how the payload will be deployed, a description of what it contains and whether the configuration can be removed by end users or password protected. Best practices for MDM allow flexibility when configuring settings. However, required settings should always be locked down with a password to prevent intentional or accidental removal by end users. Also, pay close attention to the Automatic or Manual radio buttons under Profile Distribution Type. Automatic Push will deploy settings once they are saved; Manual Download with only deploy settings when the download is initiated from the client (Figure D).
- I will focus on how configuration works by providing a couple of examples. The basics are the same between the OS X counterparts outlined in previous articles. However, since iOS has many integrated apps, there's a slight degree more control over the usage of these apps as evidenced by the number of choices present in the payload under the Functionality (Figure E) and Apps (Figure F) tabs.
- The Media Content tab allows the configuration of age-appropriate settings when browsing the App Stores in iOS. This allows the administrator to limit the scope of what is allowable and disallowed (Figure G).
- Click the OK button to close the configuration screen when the settings have been selected.
- Continue to add payloads until they meet the needs of the environment. When you're done, click the OK button to exit the payload settings screen. However, the settings aren't committed to memory yet. Clicking on the Save button of the device pane will save the configuration permanently. Remember, once you click Save, any settings that have been configured will be automatically deployed via push to all targeted devices if Automatic Push was selected in step #5. Please double-check and triple-check, as well as test your settings thoroughly, before final deployment.
- The Settings tab should now reflect the payload categories that were added previously (Figure H).
- There are several commands available that you can execute remotely on managed devices. These can be accessed by clicking the cog wheel in the device pane (Figure I).
- Lock will allow the administrator to set a passcode that will render the device unusable until the passcode has been entered (Figure J).
- Wipe will initiate a complete format of the device's content, fully restoring it back to its factory default configuration (Figure K).
- Update Info synchronizes the information for the device in the Profile Manager database, updating any data that has changed (Figure L).
- Allow Activation Lock is a new feature introduced in iOS 7 to prevent device erasure and/or theft. This feature ties the device to an Apple ID, preventing it from completing the restoration process until the correct credentials are entered (Figure M).
- Clear Activation Lock allows administrators to bypass the activation lock mechanism on supervised devices only. This is beneficial if a user has forgotten their Apple ID or if the device is maliciously locked (Figure N).
- Under the Library pane, Active Tasks will indicate any current processes being deployed, what device(s) it's being deployed to, the current status, and time stamp. Completed Tasks include similar information to Active Tasks, as well as information about whether the task was completed successfully or if it failed or was cancelled. Plus, it retains a historical database of all executed commands for audit purposes (Figure O).
Enabling MDM features in Profile Manager is initially more a planning effort than a technical one. The ability for Profile Manager to perform Asset Tracking can make inroads into designing a plan that works for your organization. Please note that enabling MDM within Profile Manager does require some additional configuration of OS X Server, as included above in the requirements. The MDM features will simply not function on closed networks, which means that the server must be accessible via the internet and encrypted via SSL.
Apple's OS X Server with Profile Manager service takes the hard work out of setup and management. It makes for a solid foundation with scalability to match for many small, medium, and enterprise environments. With that said, if your organization requires specific frameworks for management or your BYOD policy includes Windows, Android, or BlackBerry mobile devices, you may wish to look into a more robust MDM offering.
Do you use OS X Server's built-in MDM capability in Profile Manager? Share your experience in the discussion thread below.