A primer in OS X Server's Profile Manager


This is the final episode in our series on setting up and managing devices using Server’s Profile Manager service.

We’ve just about finished our brief tour of Profile Manager, 15 episodes and loads of information, but, I’m happy to say, this won’t be our last look at Apple’s Server app. We’ll look at other Server features in the weeks ahead.

For the entirety of this class we’ve looked at adding devices to Profile Manager using Profile Manager’s User Portal, which links devices to specific users. The reality of enterprise environments is that you’ll want to enroll devices as soon as the box is opened or using some kind of imaging system, such as Server’s NetInstall service. We’ll look in detail at each of these services in other Working Mac columns in the weeks ahead, but for now, let’s look at how you can quickly and easily enroll and manage devices in Profile Manager by creating Groups and using manually installed Trust and Enrollment Profiles.

Create a device group

If you’ve worked in IT for any length of time you know the best way to manage users and devices is to create groups, put users and devices into those groups, and then manage each group’s access to resources. You can use Profile Manager to manage groups of users and devices.

  1. Log in to Profile Manager.
  2. Click Device Groups.
  3. Click the + at the bottom of the Device Groups column. This will create a new group with the default name, New Device Group.
  4. Change the group name to All Devices. Note that the group contains no members. Since we’re creating a setting for All Devices, we’re going to add a setting that’s obvious and easy to check. For the sake of the exercise we’ll assume you’re using a Mac. Choose something equally obvious if you’re using an iOS device.
  5. Click the group’s Settings tab.
  6. Click the Edit button.
  7. Locate and select the Directory payload and click Configure.
  8. Enter the server information you used to bind to your Profile Manager server in episode 12.
  9. Click OK.
  10. Click Save.

Create a device placeholder

Now that we have a group, it’s time to add a device to that group. It’s best, for this exercise, to use a device that hasn’t already been added to Profile Manager. You’ll need the serial number for that device to complete this exercise. In a real world scenario you can use Profile Manager’s import tool to import a spreadsheet of placeholder devices. For now we’ll create a single placeholder device.

  1. Select Devices in the Profile Manager sidebar.
  2. Click the + button at the bottom of the device list.
  3. Select iOS/OS X from the Device Type menu.
  4. Give the device a name.
  5. Enter the serial number for the device.
  6. Click the Add button. Note that you now have a device placeholder.

Create an enrollment profile

Enrollment Profiles are used to automatically enroll devices in Profile Manager. When you install an Enrollment Profile on a Mac the profile links it to your Profile Manager server. Additionally, devices using an Enrollment Profile can be automatically added to Device Groups.

  1. Click the + button in Profile Manager’s Library list.
  2. Click the resulting Enrollment Profile menu. This creates a new Enrollment Profile.
  3. Give the Enrollment Profile a name.
  4. Select the Enrollment Profile’s Settings tab.
  5. Leave the check in the box that says, Restrict use to devices with placeholders. This makes it so that only devices with placeholders will be enrolled in Profile Manager when this profile is installed.
  6. Click the + button below the Device Groups list.
  7. Click the Add button next to the group you just created.
    Adding this Device Group automatically adds any device that uses this Enrollment Profile to the group, as long as you have a placeholder for that device in your device list.
  8. Click Done.
  9. Click Save.
  10. Click the Download button for the Enrollment Profile.
  11. When your Mac asks you to install the Profile, click the Cancel button. The Enrollment Profile should now be in your Downloads folder.

A matter of trust

You may recall that when you were using the My Devices portal, before you could enroll your personal device, you first had to install a Trust Profile. The same is true when you’re manually enrolling devices in Profile Manager. You now need to download your Profile Manager’s Trust Profile.

  1. Click the Admin Menu at the upper-right-hand side of the Profile Manager window.
  2. Click the Download Trust Profile menu in the Admin menu.
  3. When your Mac asks you to install the Trust Profile, click the Cancel button.
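
Before the two downloaded files are copied to other machines, it is worth checking what they will install: the Trust Profile adds a certificate to the device, and the Enrollment Profile ties it to a management server. The following Python sketch is an added example, not part of the original article or of Profile Manager; the host name pm.example.com, the constructed sample profiles and the URL check are assumptions made for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Payload types that add certificates to the device.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem", "com.apple.security.pkcs12"}

def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile is CMS-wrapped, so cut out the
    embedded XML plist. Inspection only: the signature is NOT verified."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found")
    return plistlib.loads(data[start:end + len(b"</plist>")])

def audit_profile(data: bytes, expected_host: str) -> list:
    """Return findings to review before the profile is installed."""
    content = load_profile(data).get("PayloadContent", [])
    content = [content] if isinstance(content, dict) else content
    if not isinstance(content, list):
        return ["payload list is not readable (encrypted or non-standard)"]
    findings = []
    for payload in content:
        ptype = payload.get("PayloadType", "?")
        if ptype in CERT_TYPES:
            name = payload.get("PayloadDisplayName", ptype)
            findings.append(f"installs certificate: {name}")
        for key, value in payload.items():
            if not isinstance(value, str) or "://" not in value:
                continue
            url = urlsplit(value)
            if url.scheme != "https":
                findings.append(f"{key} is not HTTPS: {value}")
            elif url.hostname != expected_host:
                findings.append(f"{key} points at unexpected host: {url.hostname}")
    return findings

def sample(payloads) -> bytes:
    """Build a constructed profile; not an export from Profile Manager."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.sample",
                           "PayloadContent": payloads})

TRUST = sample([{"PayloadType": "com.apple.security.root",
                 "PayloadDisplayName": "Constructed Root CA",
                 "PayloadContent": b"constructed-der-bytes"}])
ENROLL = sample([{"PayloadType": "com.apple.mdm",
                  "ServerURL": "https://pm.example.com/connect",
                  "CheckInURL": "https://other.example.net/checkin"}])
```

To check real downloads, pass each file's bytes (for example from `pathlib.Path(...).read_bytes()`) together with your server's host name. An empty list means these checks found nothing unexpected; a certificate finding is expected for the Trust Profile and should name your own server's certificate.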

Install the profiles on an unmanaged device

The final step in the process is to install these profiles on a device that isn’t currently managed using Profile Manager.

Remember: If your Profile Manager server doesn’t have a DNS record on your default DNS server, you will have to change the DNS settings on the placeholder device to point to your Profile Manager server.

  1. Copy the Trust and Enrollment Profiles from your Downloads folder to a thumb drive, or use some other method to copy the files to the computer you added a placeholder for in the Placeholder exercise.
  2. On the Placeholder computer, double click the Trust Profile.
  3. When prompted, click Continue then click Install.
  4. If prompted, authenticate as an administrative user on that computer.
  5. Next, double click the Enrollment Profile.
  6. Click Install.
  7. Authenticate as an administrative user if you’re prompted to do so.

As soon as the Enrollment Profile is installed Profile Manager will automatically add the computer to the All Devices device group and apply the settings for that group.

  1. Look at the All Devices group in Profile Manager and verify that your placeholder device has been added to that group.
  2. On the enrolled device, open System Preferences.
  3. Click the Users & Groups preference.
  4. Click Login Options at the bottom of the window.
  5. Verify that your enrolled computer is now bound to your directory server.

The end...

And so ends our multi-week journey through Profile Manager. After a brief hiatus, in which we’ll go back to normal Working Mac content, we’ll pick up again with other features available to you in Apple’s Server app.

Cheers! We’ll see you next week with another Working Mac.
