Home / Mac / How-To
Working Mac

A primer in Profile Manager: OS X and iOS payloads for devices

Working Mac
By Jeffery Battersby, Macworld FEB 2, 2016 8:00 pm PST

This is episode ten in our series on setting up and managing devices using Server’s Profile Manager service.

If you’re just tuning in now, you’ll want to look at:

When you’re creating payloads, Profile Manager organizes those payloads into three distinct areas:

  • OS X and iOS
  • iOS
  • OS X
pmpayloads

As this list indicates, some settings work on all Apple devices, while others can only be configured for one type of device or another. It’s important to note that you can add an OS X-only payload to an iOS device, or vice-versa, with no ill effect. When the payload is deployed on an unsupported device it is simply ignored.

There are 38 possible payloads you can deploy for users and user groups and over 40 you can deploy for devices and device groups. That’s far too many to cover here, and many of these payloads won’t be relevant to anything you’re doing in real life. In addition, many configuration settings are valid for both devices and users. (Take note, again, of this link to Apple’s support site: Payload best practices.) To that end we’ll look at more commonly used payloads for OS X and iOS devices related to individual devices or device groups.

These exercises assume that you still have a device enrolled in Profile Manager. If you un-enrolled your device at the end of the previous lesson, you will need to reenroll that device before you can proceed with these exercises.

Passcode payload

The Passcode payload allows you to set specific passcode requirements for a Mac or iOS device.

  1. Log in to Profile Manager.
  2. Select Devices in the Profile Manager sidebar.
  3. Select a Device.
  4. Select the Settings tab and click the Edit button.
  5. Select the Passcode payload and click the Configure button.

When you click the Configure button you see the Passcode settings with descriptions for each of those settings.Let’s change a few of these settings:

  1. Put a check in the box that says Require alphanumeric value.
  2. Select 10 for the minimum passcode length.
  3. Select 1 for Minimum number of complex characters. You’re welcome to select others if you want to.
    passcodesettings
  4. Click the OK button.
  5. Click the Save button.
  6. Open System Preferences on the managed Mac.
  7. Select Users & Groups.
  8. Select the account for the currently logged in user.
  9. Click the Change Password button.
  10. If you see a dialog window asking if you want to use an iCloud password, choose the option to Change Password. Likewise, if you see the option to change your iCloud password, choose to switch to a local password.
  11. Enter your old password and you should see something that looks like this:
    passwordrequirements

Your computer now requires a passcode that conforms to the payload you created.

Network payload

The Network payload can be used to create default settings for ethernet, legacy hotspot, and Passpoint networks, but its most common usage is for Wi-Fi configurations and for hidden network configurations in particular. This exercise will work best if you’ve enrolled a device that is not currently connected to your Wi-Fi network.

  1. Open the Profile Manager’s edit pane for your enrolled device.
  2. Select the Network payload.
  3. Choose Wi-Fi in the Network interface menu.
  4. Type the name of your Wi-Fi network in the SSID field. (Select the Hidden Network checkbox if this is a hidden network.)
  5. Put a check in the Auto Join checkbox.
  6. Choose the appropriate security type for your network. (Enterprise wireless security will require detailed settings.)
  7. Enter your Wi-Fi password.
    wi fisettings
  8. Click OK.
  9. Click Save.

If your device wasn’t already joined to your wireless network, it should now be joined to it. If it was joined, look at the Profiles preference in System Preferences to view the newly added Wi-Fi settings.

VPN payload

The VPN payload is used to configure VPN connection information on remote devices. This exercise requires that you have a VPN configured in order to be useful, but it’s not required to see a VPN configuration deployed.

  1. Open Profile Manager’s Edit pane for your enrolled device.
  2. Select the VPN payload and click Configure.
  3. Enter a unique name for your configuration in the Connection Name field.
  4. Choose the appropriate Connection Type for your VPN. (If you have no VPN, select L2TP.)
  5. Enter the IP address or fully qualified domain name for your VPN server.
  6. Enter a user name in the account field.
  7. Enter an password in the Password field. (If you’re connecting to your own VPN you’ll have to select the appropriate authentication type for your VPN.)
  8. Select Shared Secret from the Machine Authentication menu.
  9. Enter your shared secret in the Shared Secret field.When you’re done your configuration should look something like this:
    vpnsettings
  10. Click the OK button.
  11. Click the Save button.

Now let’s check to see if the configuration was applied.

  1. Open System Preferences and select the Network preference.
  2. Select your VPN settings. (It will be named the same as what you entered in the Connection Name field above.)
  3. Verify that the settings are what you entered in the VPN payload and, if you set this up for a real VPN in your network, click the Connect button to see of the configuration works.
    vpnset

Security & Privacy payload

The Security & Privacy payload allows you to define Gatekeeper settings and computer security settings, require FileVault settings, and turn on or off the option to send application data to Apple and third-party developers. For this exercise we will only make changes to Gatekeeper and password settings.

  1. Open Profile Manger’s Edit pane for your enrolled device.
  2. Select the Security & Privacy payload and click Configure.
  3. Select the General (OS X Only) tab. Note that, even though we are working with payloads that are for both OS X and iOS devices, some of these settings are still device-specific.)
  4. Select Mac App Store under the Gatekeeper setting.
  5. Put a check in the box that says Do not allow user to override Gatekeeper setting.
  6. Uncheck the box that says “Allow user to change password.”
    securityandprivacy
  7. Click OK.
  8. Click Save.

Once the payload is pushed out to your device:

  1. Open System Preferences.
  2. Select the Security & Privacy preference.
  3. Click the lock in the lower left-hand corner of the window and authenticate as an administrative user.

Note that both the Change Password button and Gatekeeper settings—the ones that says “allow apps downloaded from”—cannot be changed.

sandpset
  1. Open Profile Manager Edit pane for your enrolled device.
  2. Select the Security & Privacy payload.
  3. Click the “-” button in the upper right-hand side of the Security & Privacy payload window.
  4. Repeat this process for all of the other payloads you configured.

Next we’ll have a look at OS X-only payloads.