Profile Manager Managing Mac Clients by Arek Dreyer

Post on 30-Oct-2014

A slideshow going into detail on the Profile Manager Apple ships with Mac OS 10.8 Server. by Arek Dreyer

Transcript of Profile Manager Managing Mac Clients by Arek Dreyer

Profile Manager

Arek Dreyer

arek@arekdreyer.com

macsysadmin.se 2011

OS X Lion Server Recap

• Connect

• Share

• Manage

The eBook

• Profile Manager

• iOS Device focus

• For iBooks, Kindle, Safari

• Under 5 USD

• Managed Preferences & Profile Manager

• Interesting Corners of Profile Manager

• Strategies for Mixed Management Models

75 Minutes about Profile Manager

MCX vs Profile Manager

Part 1 of 3

MCX vs Profile Manager

• Initial Configuration

• Enroll Devices

• Apply Changes

• Troubleshooting

Initial Configuration: MCX

• Precedence:

User

Computer

Computer Group

Workgroup

• Never, Once, Always

• Combine, Inherit, Override

• dsimport, dsexport, dscl

Initial Configuration: Profile Manager

• iPCU *

• Profile Manager web app

• Variables possible!

• Device > user

• Profile overlap not documented

Profile Manager with iPad

• Ever run Workgroup Manager on your iPad? *

• Profile Manager Web App rocks!

"Rotate your iPad to use Profile Manager."

Precedence

• Not documented

• Devices take precedence over users

Enroll Devices: MCX

• Bind to directory node

• Anonymous bind is preferred for DHCP clients

Enroll Devices: Profile Manager

• User-enrolled

• Administrator-enrolled

• A third way

User-Enrolled

• Use User Portal with network account credentials

• Local admin credentials required for Lion

• All user's devices appear in User Portal

• Use User Portal to Lock, Wipe, Reset Passcode

• Best for one-to-one

Just Because You Can...

• Multiple users can enroll the same device!

• Duncan can enroll using Alan's MacBook

• Consider SACLs for Profile Manager

Admin-Enrolled

• Admin Uses Enrollment Profile

• Create

• Download

• Install

• Use Profile Manager web app to Wipe, Lock, Clear Passcode

Kind of a Hassle, Right?

Imaging and Enrollment

• Create Enrollment Profile

• Download Trust Profile

• Include Trust Profile in Image

"Restrict use to devices in the library"

Imaging and Enrollment

• /var/db/ConfigurationProfiles/

• Setup

• SetupCompleted

• Store

Placeholders

• Configure profiles for devices BEFORE they enroll

Apply Changes: MCX

• Update record in directory

• Client updates at network transition, reboot

Apply Changes: Profile Manager

• Update with web app

• APNS dance

• DIY: distribute .mobileconfig, use profile command

Apple Push Notification Service

• Client regularly checks in with APNS

• Profile Manager change: notify APNS

• APNS tells client to call home

• Client calls home for the change

Troubleshooting

• MCX

• mcxquery

• System Profiler

• PM

• Profiles preferences

• System Information

• Managed Preferences Compared against Profile Manager

• Interesting Corners of Profile Manager

• Strategies for Mixed Management Models

75 Minutes

Image thanks to MrNoded at http://www.flickr.com/photos/jrnoded/3340607045/

Interesting Corners

• 802.1X

• Passcodes for Lion

• Trust Profile

• Removing Profiles

• Profile Manager must be ODM

Part 2 of 3

802.1X

10.6

10.7

Passcodes for Lion

• Pretty obvious for iOS

• But what about for Lion?

• Remote Lock = Immediate Reboot

• Changes EFI Password to PIN

Trust Profile

• OD CA

• OD Intermediate CA

• SSL Certificate

Signed by your Code Signing Certificate

Your OD CA

SSL Certificate

Removing Profiles

• Preferred ways:

• User Portal

• Web App

• Profiles preferences doesn't tell Profile Manager service anything

• Don't forget authorization password

Profile Manager Must Be ODM

• Don't use the same Directory Administrator short name

• Import Users/Groups from upstream node

• Imported Group membership periodically refreshed

• Managed Preferences Compared against Profile Manager

• Interesting Corners of Profile Manager

• Strategies for Mixed Management Models

75 Minutes

Managing Mixed Management

Part 3 of 3

Quick Poll - Left Hand

• Do you manage "legacy" devices?

• Mac OS X before Lion

Quick Poll - Right Hand

• Will you manage "new" devices?

• iOS 4 devices

• Macs with Lion

Image thanks to portobeseno at http://www.flickr.com/photos/portobeseno/2673925463/

DO NOT SURRENDER

Mixed Managing

• Reconsider Why You Manage

• Use Duplicate Systems

• Separate MCX and Profile Manager

• Use Change Management

• Third Party Solutions

Reconsider Why You Manage

• Do changing models require less management?

• Can users be admins? *

Use Duplicate Systems

• Who manages Windows and Macs the same way?

• Who manages Macs and iOS in the same system?

• Transition from Managed Preferences to Profile Manager

No Collisions Please

• Don't manage Dock in MCX and in Profiles
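
One way to check for the collision this slide warns about, as an added example that is not from the original slides: it lists preference domains managed both in an MCX export and in a configuration profile. It assumes the MCX input uses the layout of `dscl -mcxexport` output (top-level keys are preference domains) and that the .mobileconfig is an unsigned plist; all sample data and function names are constructed for illustration.

```python
import plistlib

MCX_WRAPPER = "com.apple.ManagedClient.preferences"  # custom-settings payload type

def mcx_domains(mcx_plist: bytes) -> dict:
    """Map preference domain -> set of managed keys from an MCX export."""
    return {domain: set(keys) for domain, keys in plistlib.loads(mcx_plist).items()}

def profile_domains(mobileconfig: bytes) -> dict:
    """Map preference domain -> set of managed keys from an unsigned profile."""
    found = {}
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == MCX_WRAPPER:
            # Wrapper payload: the real domains are nested one level down.
            for domain, body in payload.get("PayloadContent", {}).items():
                for group in ("Forced", "Set-Once"):
                    for item in body.get(group, []):
                        found.setdefault(domain, set()).update(
                            item.get("mcx_preference_settings", {}))
        else:
            # Native payload: the payload type is the domain; skip Payload* metadata.
            keys = {k for k in payload if not k.startswith("Payload")}
            found.setdefault(ptype, set()).update(keys)
    return found

def collisions(mcx_plist: bytes, mobileconfig: bytes) -> dict:
    """Domains managed by both systems, each with the keys that overlap."""
    mcx, prof = mcx_domains(mcx_plist), profile_domains(mobileconfig)
    return {d: sorted(mcx[d] & prof[d]) for d in sorted(mcx.keys() & prof.keys())}

# Constructed samples, serialised so the functions parse real plist bytes.
SAMPLE_MCX = plistlib.dumps({
    "com.apple.dock": {"autohide": {"state": "always", "value": True},
                       "tilesize": {"state": "once", "value": 48}},
    "com.apple.screensaver": {"idleTime": {"state": "always", "value": 300}},
})
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.dock", "PayloadVersion": 1,
         "autohide": False, "orientation": "left"},
        {"PayloadType": MCX_WRAPPER, "PayloadVersion": 1,
         "PayloadContent": {"com.apple.finder": {"Forced": [
             {"mcx_preference_settings": {"ShowHardDrivesOnDesktop": False}}]}}},
    ],
})

if __name__ == "__main__":
    print(collisions(SAMPLE_MCX, SAMPLE_PROFILE))
```

A domain is reported even when its overlapping key list is empty, since the slide's advice is to keep a domain such as the Dock in one system only.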

Document

• Want to manage it?

• Write it down.

• Configure it in your management systems.

Use Change Management

• Play with test systems.

• Don't play with production systems.

Third Party Solutions

• "That is an excellent third-party developer opportunity"

More Challenges

• Users move between legacy and new devices

• Lion bind script has to answer the trust question

• Trackpad madness

• Managed Preferences & Profile Manager

• Interesting Corners of Profile Manager

• Strategies for Mixed Management Models

75 Minutes about Profile Manager

Profile Manager

• Your questions, please.

Arek Dreyer

arek@arekdreyer.com

macsysadmin.se 2011
