Profile Manager Managing Mac Clients by Arek Dreyer
DESCRIPTION
A slideshow going into detail on the Profile Manager that Apple ships with Mac OS 10.8 Server, by Arek Dreyer.
TRANSCRIPT
Profile Manager
Arek Dreyer
[email protected] 2011
OS X Lion Server Recap
• Connect
• Share
• Manage
The eBook
• Profile Manager
• iOS Device focus
• For iBooks, Kindle, Safari
• Under 5 USD
• Managed Preferences & Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models
75 Minutes about Profile Manager
MCX vs Profile Manager
Part 1 of 3
MCX vs Profile Manager
• Initial Configuration
• Enroll Devices
• Apply Changes
• Troubleshooting
Initial Configuration: MCX
• Precedence: User, Computer, Computer Group, Workgroup
• Never, Once, Always
• Combine, Inherit, Override
• dsimport, dsexport, dscl
Initial Configuration: Profile Manager
• iPCU *
• Profile Manager web app
• Variables possible!
• Device > user
• Profile overlap not documented
Profile Manager with iPad
• Ever run Workgroup Manager on your iPad? *
• Profile Manager Web App rocks!
"Rotate your iPad to use Profile Manager."
Precedence
• Not documented
• Devices take precedence over users
Enroll Devices: MCX
• Bind to directory node
• Anonymous bind is preferred for DHCP clients
Enroll Devices: Profile Manager
• User-enrolled
• Administrator-enrolled
• A third way
User-Enrolled
• Use User Portal with network account credentials
• Local admin credentials required for Lion
• All user's devices appear in User Portal
• Use User Portal to Lock, Wipe, Reset Passcode
• Best for one-to-one
Just Because You Can...
• Multiple users can enroll the same device!
• Duncan can enroll using Alan's MacBook
• Consider SACLs for Profile Manager
Admin-Enrolled
• Admin Uses Enrollment Profile
• Create
• Download
• Install
• Use Profile Manager web app to Wipe, Lock, Clear Passcode
Kind of a Hassle, Right?
Imaging and Enrollment
• Create Enrollment Profile
• Download Trust Profile
• Include Trust Profile in Image
"Restrict use to devices in the library"
Imaging and Enrollment
• /var/db/ConfigurationProfiles/
• Setup
• SetupCompleted
• Store
Placeholders
• Configure profiles for devices BEFORE they enroll
Apply Changes: MCX
• Update record in directory
• Client updates at network transition, reboot
Apply Changes: Profile Manager
• Update with web app
• APNS dance
• DIY: distribute .mobileconfig, use profile command
Apple Push Notification Service
• Client regularly checks in with APNS
• Profile Manager change: notify APNS
• APNS tells client to call home
• Client calls home for the change
Troubleshooting
• MCX: mcxquery, System Profiler
• PM: Profiles preferences, System Information
• Managed Preferences Compared against Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models
75 Minutes
Image thanks to MrNoded at http://www.flickr.com/photos/jrnoded/3340607045/
Interesting Corners
• 802.1X
• Passcodes for Lion
• Trust Profile
• Removing Profiles
• Profile Manager must be ODM
Part 2 of 3
802.1X
• 10.6
• 10.7
Passcodes for Lion
• Pretty obvious for iOS
• But what about for Lion?
• Remote Lock = Immediate Reboot
• Changes EFI Password to PIN
Trust Profile
• OD CA
• OD Intermediate CA
• SSL Certificate
Signed by your Code Signing Certificate
Your OD CA
SSL Certificate
Removing Profiles
• Preferred ways: User Portal, Web App
• Profiles preferences doesn't tell Profile Manager service anything
• Don't forget authorization password
Profile Manager Must Be ODM
• Don't use the same Directory Administrator short name
• Import Users/Groups from upstream node
• Imported Group membership periodically refreshed
• Managed Preferences Compared against Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models
75 Minutes
Managing Mixed Management
Part 3 of 3
Quick Poll - Left Hand
• Do you manage "legacy" devices?
• Mac OS X before Lion
Quick Poll - Right Hand
• Will you manage "new" devices?
• iOS 4 devices
• Macs with Lion
Image thanks to portobeseno at http://www.flickr.com/photos/portobeseno/2673925463/
DO NOT SURRENDER
Mixed Managing
• Reconsider Why You Manage
• Use Duplicate Systems
• Separate MCX and Profile Manager
• Use Change Management
• Third Party Solutions
Reconsider Why You Manage
• Do changing models require less management?
• Can users be admins? *
Use Duplicate Systems
• Who manages Windows and Macs the same way?
• Who manages Macs and iOS in the same system?
• Transition from Managed Preferences to Profile Manager
No Collisions Please
• Don't manage Dock in MCX and in Profiles
Document
• Want to manage it?
• Write it down.
• Configure it in your management systems.
Use Change Management
• Play with test systems.
• Don't play with production systems.
Third Party Solutions
• "That is an excellent third-party developer opportunity"
More Challenges
• Users move between legacy and new devices
• Lion bind script has to answer the trust question
• Trackpad madness
• Managed Preferences & Profile Manager
• Interesting Corners of Profile Manager
• Strategies for Mixed Management Models
75 Minutes about Profile Manager