Creating and Deploying Settings Profiles
The process of creating settings profiles for our organization's iOS devices involves the following steps in the Profile Manager Web app:
- We create placeholder entries for all company-owned iDevices
- We associate each user with his or her respective iDevice
- We associate company iDevices with one or more Device Groups
- We define a settings profile that is associated with each Device Group
A placeholder is nothing more than a staged iOS or OS X device account in Open Directory (OD). To create an iOS device placeholder, navigate to the Devices node in Profile Manager, and click the plus sign (+) in the middle column.
To create a placeholder, you need to supply a name for the device, as well as a unique identifier. The unique ID can be any of the following:
- Serial Number
- Unique Device Identifier (UDID)
- International Mobile Equipment Identity (IMEI)
- Mobile Equipment Identifier (MEID)
As you can see in Figure 6, placeholders are differentiated from enrolled iDevices because they appear in Profile Manager as dashed-line rectangles instead of as iDevice icons.
Figure 6 Staging iOS device accounts in Profile Manager
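A placeholder only matches a device at enrollment if the identifier was entered correctly, so it pays to check the inventory list before staging. The following is an added example, not part of the original article: the format rules (15-digit IMEI with a Luhn check digit, 14-hex-digit MEID, 40-hex-digit UDID, 11- or 12-character serial number) are assumptions for hardware of this era, and the device names and identifiers are constructed.

```python
import re

# Format rules are assumptions for 2012-era hardware, not taken from the article.
UDID_RE = re.compile(r"[0-9a-f]{40}")       # 40 hex characters
MEID_RE = re.compile(r"[0-9a-f]{14}")       # 14 hex digits
SERIAL_RE = re.compile(r"[0-9a-z]{11,12}")  # 11 or 12 alphanumerics
# Constructed sample inventory: (device name, identifier as typed).
INVENTORY = [
    ("Sales iPhone 01", "49-015420-323751-8"),   # IMEI, valid check digit
    ("Sales iPhone 02", "490154203237519"),      # IMEI with a mistyped last digit
    ("Sales iPhone 03", "C39JX0ABDTWF"),         # serial number
    ("Sales iPhone 04", "c39jx0abdtwf"),         # same serial entered twice
    ("Sales iPad 01", "0123456789abcdef0123456789abcdef01234567"),  # UDID
]

def normalize(identifier):
    """Strip spaces and dashes and lowercase, so equal IDs compare equal."""
    return re.sub(r"[\s-]", "", identifier).lower()

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(identifier):
    """Return 'imei', 'udid', 'meid', 'serial' or 'invalid'."""
    s = normalize(identifier)
    if re.fullmatch(r"\d{15}", s):
        return "imei" if luhn_ok(s) else "invalid"
    for kind, rx in (("udid", UDID_RE), ("meid", MEID_RE), ("serial", SERIAL_RE)):
        if rx.fullmatch(s):
            return kind
    return "invalid"

def check_inventory(rows):
    """Return (name, problem) pairs for unusable or duplicated identifiers."""
    seen, problems = {}, []
    for name, ident in rows:
        key = normalize(ident)
        if classify(ident) == "invalid":
            problems.append((name, "unrecognized identifier"))
        elif key in seen:
            problems.append((name, "duplicate of " + seen[key]))
        else:
            seen[key] = name
    return problems
```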
Now that all our managed iOS devices are staged in Profile Manager, we need to associate each iDevice with its owner. Navigate to Users, select a user, and click the Devices tab. You can then use the plus sign button to select an iDevice for the user. I've annotated this process in Figure 7.
Figure 7 Associating an iDevice with an Open Directory or AD user
We now have to navigate to Device Groups and click the middle column plus sign to create one or more Device Groups. A Device Group is an aggregation of iOS devices that will share the same configuration profile. Believe me: It is far easier to apply a single policy to a Device Group than to define policies on a per-user basis.
In Figure 8, I created a Device Group for my Sales department staff named, appropriately enough, Sales Dept iPhones. After creating the Device Group, be sure to switch to the Members tab and use the third-column plus sign button to add in the relevant iDevice placeholders.
Figure 8 Device groups aggregate iOS devices much like OD groups aggregate OD/AD users
At long last, we are ready to define policy settings for our Device Groups. To do this, navigate to Device Groups in Profile Manager, select the target group, and click the Profile tab; this interface is shown in Figure 9.
Figure 9 Defining a profile policy to a Device Group
Click Edit to actually make changes to the initially empty policy. You'll note that the policy settings in Profile Manager are organized into three platform-specific categories:
- OS X and iOS
- iOS
- OS X
What you can do here with respect to iOS device management is limited only by your IT department's policies and your own imagination. For reference, I show you the iOS Restrictions policy area in Figure 10.
Figure 10 Profile Manager allows you to completely manage OS X and iOS preferences
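The settings defined here reach the device as a configuration profile, a property list whose PayloadContent array holds one dictionary per settings area. The following added example (not from the original article) audits such a profile against a baseline, assuming it has been saved unsigned as XML; the sample profile is constructed and the MIN_LENGTH baseline is hypothetical.

```python
import plistlib

# Constructed sample: an unsigned configuration profile with a weak Passcode payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Sales Dept iPhones (constructed)</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/>
    </dict>
  </array>
</dict></plist>"""

# Hypothetical baseline; substitute your IT department's actual policy.
MIN_LENGTH = 6
PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Passcode payload type
RESTRICTIONS = "com.apple.applicationaccess"         # Restrictions payload type

def audit_profile(data):
    """Return a list of findings for one unsigned configuration profile."""
    profile = plistlib.loads(data)
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    pc = payloads.get(PASSCODE)
    if pc is None:
        return ["no Passcode payload: a passcode is not enforced"]
    findings = []
    if not pc.get("forcePIN", False):
        findings.append("forcePIN is off")
    if pc.get("allowSimple", True):          # simple passcodes are allowed by default
        findings.append("simple passcodes allowed")
    if pc.get("minLength", 0) < MIN_LENGTH:
        findings.append("minLength {} < {}".format(pc.get("minLength", 0), MIN_LENGTH))
    if "maxFailedAttempts" not in pc:
        findings.append("maxFailedAttempts not set")
    if RESTRICTIONS not in payloads:
        findings.append("no Restrictions payload")
    return findings
```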
The final step in our deployment is to enroll our iDevices with Profile Manager. We've already created placeholders, which associate each iDevice with a user and a Device Group; each Device Group in turn is linked to a policy.
Enrolling iDevices with Your Management Server
The sad fact of the matter is that iDevice enrollment requires that you (or somebody else) "touch" each and every iDevice. Unless a first- or third-party alternative surfaces, there exists no way to batch-enroll devices with Profile Manager. Ugh!
The first step of the enrollment process is to fire up the Safari browser on an iDevice and navigate to the Mountain Lion Server's self-service user portal at https://servername/mydevices. You (or your user) can log in with OD or AD credentials. I show you the logon page in Figure 11.
Figure 11 Logging into the Mountain Lion Server from an iPhone
Once we're logged in, we have two tabs available to us:
- Devices: This tab lists any OS X or iOS devices that are owned/enrolled by the current user.
- Profiles: Here the user can download trust, enrollment, and policy profiles.
To complete the configuration, navigate to the Profiles tab and click Install for the appropriate policy. In Figure 12, I've defined only the Settings for Everyone default policy. Also, if you choose to use a self-signed SSL certificate instead of a globally recognized one, you'll need to install the Trust Profile so the client trusts your Mountain Lion server.
One great convenience of purchasing a globally recognized SSL certificate is that your iDevices will trust your management server automatically.
Figure 12 We need to manually enroll our iDevice with the server
To enroll the iDevice, you can either install the New Enrollment Profile on the Profiles tab, or click the big Enroll button on the Devices tab. After enrollment completes, you'll see your iDevice listed, and can lock, wipe, or clear the passcode with one click. See Figure 13 for details.
Figure 13 A user with an enrolled iDevice can perform some remote management tasks
That was quite a bit of work, wasn't it? The good news is that once you've successfully enrolled your iDevices and verified the settings are applied correctly to the right user populations, the Apple push notification service will take care of the rest.
That is, the user should not have to log back in to the self-service portal unless he or she needs to perform a remote lock or wipe. When you make changes to a policy, the Apple push notification service will transfer the changes to the iDevices "automagically."
The two different but deeply interrelated subjects of AD/OD integration and iOS and OS X device management with Profile Manager are far broader than I can do justice to in a brief online article.
To that point, I will leave you with a handpicked selection of resources that I hope you find helpful in your own pursuit of enterprise iDevice management.
- Mac 10.8 ML Server: Profile Manager
- Apple Pro Training Series: OS X Server Essentials: Using and Supporting OS X Server on Mountain Lion
- Mobile Device Management in iOS
- OS X Server Product Overview
- The Complete Guide to Profile Manager
- Magic Triangle Setup
- Integrating Mac OS X Lion Server’s Profile Manager With Active Directory
- Mountain Lion Server Tutorials
- Managing iOS Devices with OS X Lion Server