A primer in Profile Manager: Payloads for OS X part 1

This is episode 11 in our series on setting up and managing devices using Server’s Profile Manager service.

If you’re just tuning in now, you’ll want to look at:

• A Primer in Profile Manager
• The Setup
• The Server App
• Manage Your Server Remotely
• Set Up Open Directory
• Turn on Profile Manager
• Add Users, Enable Device Management
• Enrolling and Managing Devices
• Payloads, Profiles, and Push Notification Services
• OS X and iOS payloads for devices

Last episode we looked at payloads that can be deployed to both iOS and OS X devices. Now we’re going to look at payloads that can only be deployed to Macs.

We can’t touch on every single OS X payload available in Profile Manager, so instead, we’ll focus on payloads that make sense for most environments. Because there are so many OS X-only payloads, we’ll take two episodes to cover them all. You should also note that we are, again, focusing on device settings. We’ll look at user settings in an upcoming episode.

Restrictions payload

The restrictions payload allows you to restrict access to all or specific System Preferences, apps, widgets, media, including AirDrop, optical disks, internal and external drives, sharing options, such as Facebook and Twitter, and OS functionality, such as iSight cameras and iCloud passwords.

Restrict System Preferences

1. Log in to Profile Manager.
2. Select Devices in the Profile Manager sidebar.
3. Select an enrolled device and scroll down to the section for OS X payloads.

   

4. Select the Restrictions payload and click Configure.
5. Select the Preferences tab.
6. Place a check in the box that says Restrict items in System Preferences.
7. Select Enable selected items.
8. Remove the checkmarks in:
   • Accessibility
   • Energy Saver
   • Profiles
   • Startup Disk

     

9. Open System Preferences on your managed device and open each of the preferences listed in the last step, then close System Preferences.
10. Click OK in Profile Manager.
11. Click Save.
12. Open System Preferences.

Note that each of the preferences we looked at in step 8 are no longer available. Additionally, if you have any third-party preferences installed, they will be disabled as well.

Restrict apps

App restriction is limited to Apple’s built-in apps or apps you’ve added to specific folders. For this exercise we’re only going to limit access to Apple’s Game Center, but feel free to create folders in your Mac’s Applications folder and limit access to those apps as well.

1. Select your managed device in Profile Manager and select Edit.
2. Select Restrictions under the OS X payloads.
3. Click Configure, if this payload isn’t currently configured, otherwise click the Apps tab.
4. Uncheck the box that says Allow use of Game Center.

   

5. Open Game Center on your Managed Mac (Applications—>Game Center), make sure it opnes correctly, then close the Game Center App.
6. Click OK in Profile Manager.
7. Click Save.
8. Reopen Game Center. Note that, while the app opens, you are not allowed to log in or use Game Center features.

   

Restrict access to media

Media restrictions allow you to limit access to connected devices, such as volumes connected using USB, Thunderbolt, or FireWire and OS X Features such as AirDrop. You will need an external volume for this exercise.

1. Open the OS X Restrictions payload in Profile Manager.
2. Select the Media tab.
3. Uncheck AirDrop and Allow for External Disks.

   

4. Connect an external drive to your managed Mac using USB, Thunderbolt, or FireWire and verify that you can see the disk and open it, then eject the volume.
5. Open the Go menu in the Finder or look at the sidebar of any Finder window and verify that you see the AirDrop menu item.
6. Click the OK button in Profile Manager
7. Click the Save button in Profile Manager.Note that you may have to log out before these changes take effect.
8. Plug the external volume back into your Mac and note that it is no longer available.
9. Open the Disk Utility.
10. Note that your external volume is visible, but unavailable in Disk Utility.
11. Select the volume in Disk Utility and select the Mount button. Note that the volume still will not mount.

    

12. Open the Finder’s Go menu or any Finder window and note that AirDrop not longer appears.

Login Window payload

We’ll finish this lesson with the Login Window payload. The Login Window payload lets you make changes to how information is displayed when your Mac is at a Login Window. You’ll note that there are still several other OS X payloads available for configuration. We’ll look at some of those in the next lesson, including the Directory payload.

1. Select the Login Window payload and click Configure.
2. Put a check in the box that says Show additional information in the menu bar.
3. Type a banner message in the Banner field.
4. Select the radio button next to Name and password text fields.

   

5. Select the Options tab.
6. Uncheck the box that says Allow Guest User.
7. Open System Preferences on your managed computer and make sure the Guest user is enabled for login.

   

8. In Profile Manager, click OK then click Save.
9. Logout of your managed computer.Note that your Login Window now displays the banner information you entered.
10. Click where the time appears in the upper right-hand corner of the screen, then keep clicking and note that it will display your computer name, build version of the Mac OS you have installed, and the IP address for this Mac.

    

11. Type guest in the login window’s name field, leave the password field blank and log in. Note that you cannot log in using the Guest user account.

Next we’ll dig into OS X-only settings some more.