Profile Manager

Arek Dreyer arek@arekdreyer.com macsysadmin.se 2011

OS X Lion Server Recap
• Connect
• Share
• Manage


The eBook
• Profile Manager
• iOS Device focus
• For iBooks, Kindle, Safari
• Under 5 USD

75 Minutes about Profile Manager
• Managed Preferences & Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models

MCX vs Profile Manager

Part 1 of 3

MCX vs Profile Manager
• Initial Configuration
• Enroll Devices
• Apply Changes
• Troubleshooting

Initial Configuration: MCX

Precedence: User, Computer, Computer Group, Workgroup

• Never, Once, Always
• Combine, Inherit, Override
• dsimport, dsexport, dscl

Initial Configuration: Profile Manager
• iPCU *
• Profile Manager web app
• Variables possible!
• Device > user
• Profile overlap not documented

Profile Manager with iPad

• Ever run Workgroup Manager on your iPad? *
• Profile Manager Web App rocks!

"Rotate your iPad to use Profile Manager."

Precedence

• Not documented
• Devices take precedence over users

Enroll Devices: MCX

• Bind to directory node
• Anonymous bind is preferred for DHCP clients

Enroll Devices: Profile Manager
• User-enrolled
• Administrator-enrolled
• A third way

User-Enrolled
• Use User Portal with network account credentials
  Local admin credentials required for Lion
• All user's devices appear in User Portal
• Use User Portal to Lock, Wipe, Reset Passcode
• Best for one-to-one

Just Because You Can...
• Multiple users can enroll the same device!
• Duncan can enroll using Alan's MacBook
• Consider SACLs for Profile Manager

Admin-Enrolled

Admin Uses Enrollment Profile

• Create
• Download
• Install
• Use Profile Manager web app to Wipe, Lock, Clear Passcode

Kind of a Hassle, Right?

Imaging and Enrollment
• Create Enrollment Profile
• Download Trust Profile
• Include Trust Profile in Image

"Restrict use to devices in the library"

Imaging and Enrollment

/var/db/ConfigurationProfiles/

• Setup
• SetupCompleted
• Store

Placeholders

Configure profiles for devices BEFORE they enroll

Apply Changes: MCX

• Update record in directory
• Client updates at network transition, reboot

Apply Changes: Profile Manager
• Update with web app
• APNS dance
• DIY: distribute .mobileconfig, use profile command

Apple Push Notification Service
• Client regularly checks in with APNS
• Profile Manager change: notify APNS
• APNS tells client to call home
• Client calls home for the change

Troubleshooting
• MCX
  • mcxquery
  • System Profiler
• PM
  • Profiles preferences
  • System Information

75 Minutes
• Managed Preferences Compared against Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models

Image thanks to MrNoded at http://www.flickr.com/photos/jrnoded/3340607045/

Interesting Corners
• 802.1X
• Passcodes for Lion
• Trust Profile
• Removing Profiles
• Profile Manager must be ODM

Part 2 of 3

802.1X

[Screenshots: 10.6, 10.7]

Passcodes for Lion

• Pretty obvious for iOS
• But what about for Lion?

• Remote Lock = Immediate Reboot
• Changes EFI Password to PIN

Trust Profile
• OD CA
• OD Intermediate CA
• SSL Certificate

Signed by your Code Signing Certificate

Your OD CA SSL Certificate

Removing Profiles
• Preferred ways:
  • User Portal
  • Web App
• Profiles preferences doesn't tell Profile Manager service anything
• Don't forget authorization password

Profile Manager Must Be ODM
• Don't use the same Directory Administrator short name
• Import Users/Groups from upstream node
• Imported Group membership periodically refreshed

75 Minutes
• Managed Preferences Compared against Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models

Managing Mixed Management

Part 3 of 3

Quick Poll - Left Hand

Do you manage "legacy" devices?

Mac OS X before Lion

Quick Poll - Right Hand

Will you manage "new" devices?

• iOS 4 devices
• Macs with Lion

DO NOT SURRENDER

Image thanks to portobeseno at http://www.flickr.com/photos/portobeseno/2673925463/

Mixed Managing
• Reconsider Why You Manage
• Use Duplicate Systems
• Separate MCX and Profile Manager
• Use Change Management
• Third Party Solutions

Reconsider Why You Manage

• Do changing models require less management?
• Can users be admins? *

Use Duplicate Systems
• Who manages Windows and Macs the same way?
• Who manages Macs and iOS in the same system?
• Transition from Managed Preferences to Profile Manager

No Collisions Please

Don't manage Dock in MCX and in Profiles
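
One way to check for the collision this slide warns about, as an added example that is not from the original presentation: list the preference domains managed by an MCX record and by a configuration profile and report the overlap. The sample plists are constructed, the function names are hypothetical, the profile is assumed to be unsigned, and treating a built-in payload's PayloadType as its preference domain is a simplifying assumption.

```python
import plistlib

# Constructed sample: one MCXSettings value as exported from a directory record.
MCX_SETTINGS = b"""<plist version="1.0"><dict>
<key>mcx_application_data</key><dict>
  <key>com.apple.dock</key><dict><key>Forced</key><array><dict>
    <key>mcx_preference_settings</key><dict><key>autohide</key><true/></dict>
  </dict></array></dict>
  <key>com.apple.screensaver</key><dict><key>Forced</key><array><dict>
    <key>mcx_preference_settings</key><dict><key>idleTime</key><integer>300</integer></dict>
  </dict></array></dict>
</dict></dict></plist>"""

# Constructed sample: an unsigned .mobileconfig with a Dock payload and a
# custom-settings payload (com.apple.ManagedClient.preferences).
PROFILE = b"""<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
  <dict><key>PayloadType</key><string>com.apple.dock</string>
        <key>autohide</key><false/></dict>
  <dict><key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
        <key>PayloadContent</key><dict><key>com.apple.finder</key><dict/></dict></dict>
</array></dict></plist>"""

def mcx_domains(raw):
    """Preference domains managed by one MCXSettings plist."""
    return set(plistlib.loads(raw).get("mcx_application_data", {}))

def profile_domains(raw):
    """Preference domains touched by the payloads of one profile."""
    domains = set()
    for payload in plistlib.loads(raw).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.ManagedClient.preferences":
            # Custom settings: the nested dict is keyed by preference domain.
            domains.update(payload.get("PayloadContent", {}))
        else:
            # Assumption: a built-in payload's type names its domain.
            domains.add(ptype)
    return domains

def collisions(mcx_raw, profile_raw):
    """Domains managed by both systems, sorted for stable reporting."""
    return sorted(mcx_domains(mcx_raw) & profile_domains(profile_raw))

if __name__ == "__main__":
    for domain in collisions(MCX_SETTINGS, PROFILE):
        print("managed in both MCX and a profile:", domain)
```
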

Document
• Want to manage it?
• Write it down.
• Configure it in your management systems.

Use Change Management

• Play with test systems.
• Don't play with production systems.

Third Party Solutions

"That is an excellent third-party developer opportunity"

More Challenges
• Users move between legacy and new devices
• Lion bind script has to answer the trust question
• Trackpad madness

75 Minutes about Profile Manager
• Managed Preferences & Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models

Profile Manager

Your questions, please.

Arek Dreyer arek@arekdreyer.com macsysadmin.se 2011
