Profile Manager.
The master multitasker.
Profile Manager simplifies deploying, configuring, and managing the Mac computers and iOS devices in your organization. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Profile Manager simplifies the distribution of institution-licensed apps and books purchased through the App Store Volume Purchase Program. It also gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen. And it allows you to perform push installs of macOS enterprise apps and iOS media assets including PDF, EPUB, and iBooks Author files.
Features for iOS and macOS
macOS Server lets you assign Volume Purchase Program (VPP) apps to devices — instead of a user’s Apple ID. This allows for the installation of VPP apps on iOS devices and Mac computers without configuring an Apple ID or sending an invitation. You can also migrate apps already installed on a device to a user’s Apple ID without deleting the app or user data.
Features for iOS
App Store apps — including newly assigned apps and app updates — can be installed even if the App Store is disabled. And apps configured to use Kerberos will automatically launch Per-App VPN when a user logs in to that app. You can enroll iPad and iPhone in the Device Enrollment Program (DEP) and remove the Move from Android option. Network usage rules allow each group or company to specify how managed apps use networks — like restricting the app’s ability to connect over cellular or when roaming on other networks. And you can also update DEP-enrolled supervised devices to the latest iOS version.
macOS Server features restrictions for devices to prevent the use of Mail Drop or AirDrop. You can enable restrictions for supervised devices too, like preventing wallpaper changes, device name changes, modification of enterprise app trust settings, access to iCloud Photos or keyboard shortcuts, Apple Watch pairing, or setting a passcode.
Features for macOS
You can automatically create an administrator account during initial system setup that can be hidden from standard users. Alternatively, configure the macOS Setup Assistant to create a standard (non-admin) account, or skip account creation entirely during DEP enrollment.
Xsan.
Advanced by volumes.
Xsan is a powerful and scalable solution for storage consolidation. Everyone in your organization can have fast, concurrent access to terabytes of centralized data. Built into macOS, Xsan allows any Mac to access Xsan or StorNext volumes over Fibre Channel or Ethernet.
Mobile Device Management (MDM) is best described as 'a way of securing, managing, monitoring, and securing mobile devices' - Derick Okihara. MDM suites vary in price, but — between application, support, and per-device licensing costs — prices can be incredibly high for a small- to medium-sized network.
Apple's OS X Server has an ace up its sleeve with the inclusion of a modestly equipped MDM platform baked right into the Profile Manager service. The very same service used to manage wired nodes on a LAN can also be used to wirelessly manage mobile devices — both OS X and iOS — over the internet. With the ability to host up to 5,000 devices on a single server, factored in with the relatively low cost of an Apple Server, running an MDM server has never been this inexpensive or simple to set up — especially compared to other pricier MDM suites. Lest we forget, being a first-party Apple application, support is always included at no additional cost.
Before proceeding with the MDM features, let's take a moment to review the requirements for OS X Server:
- Apple Computer running OS X Server (1.0+)
- The following OS X Server services configured and turned on:
  - Open Directory (Active Directory may be used in lieu of OD)
- Users and groups configured
- Devices added to Profile Manager with trust profiles installed
- Broadband internet access (Ethernet or Wi-Fi)
- Self-signed or 3rd-party code-signing certificate
Follow these steps to configure Profile Manager settings in OS X Server for MDM use:
1. Launch your web browser and enter the URL of your Profile Manager website.
2. Log in with administrative credentials and click the Log In button to authenticate (Figure A).
3. From the Library pane, select Devices (or Device Groups), then select the device (or group) you wish to configure. Select the Settings tab in the device pane and click the Edit button (Figure B).
4. This opens the settings payload for the selected device. Scroll down to the iOS category, which contains the payload settings that apply only to iOS, since we're focusing on mobile devices such as iPhones and iPads (Figure C).
5. By default, the General payload is always included: it defines how the payload will be deployed, a description of what it contains, and whether the configuration can be removed by end users or is password protected. Best practice for MDM allows flexibility when configuring settings; however, required settings should always be locked down with a password to prevent intentional or accidental removal by end users. Also pay close attention to the Automatic and Manual radio buttons under Profile Distribution Type: Automatic Push deploys settings as soon as they are saved, while Manual Download deploys settings only when the download is initiated from the client (Figure D).
6. I will focus on how configuration works by providing a couple of examples. The basics are the same as for the OS X counterparts outlined in previous articles. However, since iOS has many integrated apps, there is somewhat more control over the use of those apps, as evidenced by the number of choices in the payload under the Functionality (Figure E) and Apps (Figure F) tabs.
7. The Media Content tab allows age-appropriate settings to be configured for browsing the App Store in iOS, letting the administrator limit what is allowed and disallowed (Figure G).
8. Click the OK button to close the configuration screen once the settings have been selected.
9. Continue to add payloads until they meet the needs of the environment. When you're done, click the OK button to exit the payload settings screen. The settings are not saved yet, however: clicking the Save button in the device pane saves the configuration permanently. Remember, once you click Save, any settings you configured are automatically deployed via push to all targeted devices if Automatic Push was selected in step 5. Double-check and triple-check your settings, and test them thoroughly, before final deployment.
10. The Settings tab should now reflect the payload categories that were added (Figure H).
11. Several commands can be executed remotely on managed devices. They are accessed by clicking the cog wheel in the device pane (Figure I).
12. Lock allows the administrator to set a passcode that renders the device unusable until the passcode is entered (Figure J).
13. Wipe initiates a complete erase of the device's content, restoring it to its factory default configuration (Figure K).
14. Update Info synchronizes the device's information in the Profile Manager database, updating any data that has changed (Figure L).
15. Allow Activation Lock is a feature introduced in iOS 7 to prevent device erasure and theft. It ties the device to an Apple ID, preventing it from completing the restore process until the correct credentials are entered (Figure M).
16. Clear Activation Lock allows administrators to bypass the Activation Lock mechanism on supervised devices only. This is useful when a user has forgotten their Apple ID or when the device has been maliciously locked (Figure N).
17. Under the Library pane, Active Tasks shows any processes currently being deployed, which device(s) they are being deployed to, their current status, and a time stamp. Completed Tasks shows similar information, plus whether each task completed successfully, failed, or was cancelled; it retains a historical record of all executed commands for audit purposes (Figure O).
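As an added example (not code from this page, Apple, or Profile Manager), the following Python script builds a constructed iOS Restrictions profile of the kind the steps above produce, carrying the supervised restrictions listed under Features for iOS, and audits a .mobileconfig before it is pushed to confirm that the required settings are present and locked against end-user removal, which is the check step 5 and step 9 call for. Payload identifiers and the removal password are placeholders.

```python
import plistlib
import uuid

# com.apple.applicationaccess keys for the supervised restrictions named on this page;
# an absent key means the setting stays at Apple's default of "allowed".
REQUIRED_DENIED = [
    "allowAirDrop", "allowWallpaperModification", "allowDeviceNameModification",
    "allowEnterpriseAppTrust", "allowCloudPhotoLibrary", "allowKeyboardShortcuts",
    "allowPairedWatch", "allowPasscodeModification",
]


def build_profile(removal_password=None):
    """Return a constructed .mobileconfig (XML plist bytes) with one Restrictions
    payload, optionally locked with a removal password. Identifiers are placeholders."""
    payloads = [{
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.restrictions",  # placeholder
        "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": "Restrictions",
        **{key: False for key in REQUIRED_DENIED},
    }]
    if removal_password is not None:  # what the General payload's password option adds
        payloads.append({
            "PayloadType": "com.apple.profileRemovalPassword", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mdm.removal-password",  # placeholder
            "PayloadUUID": str(uuid.uuid4()), "RemovalPassword": removal_password,
        })
    profile = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.ios-baseline",  # placeholder
        "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": "iOS baseline",
        "PayloadDescription": "Constructed example restrictions profile",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return findings for a .mobileconfig; an empty list means it passes the checks."""
    profile = plistlib.loads(data)
    content = profile.get("PayloadContent", [])
    findings = []
    # Locked if the profile is non-removable or removal requires a password.
    if not (profile.get("PayloadRemovalDisallowed")
            or any(p.get("PayloadType") == "com.apple.profileRemovalPassword" for p in content)):
        findings.append("profile can be removed by the end user without a password")
    restrictions = [p for p in content if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not restrictions:
        findings.append("no Restrictions payload present")
    for key in REQUIRED_DENIED:
        if restrictions and restrictions[0].get(key, True):  # missing key = allowed
            findings.append(f"{key} is not set to false")
    return findings
```

Run `audit_profile` over any exported .mobileconfig before saving it in Profile Manager; a non-empty result is the list of settings still left open to end users.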
Enabling MDM features in Profile Manager is initially more a planning effort than a technical one. Profile Manager's asset-tracking ability can help in designing a plan that works for your organization. Please note that enabling MDM within Profile Manager does require some additional configuration of OS X Server, as listed in the requirements above. The MDM features simply do not function on closed networks: the server must be reachable from the internet, and the connection must be encrypted via SSL.
Apple's OS X Server with Profile Manager service takes the hard work out of setup and management. It makes for a solid foundation with scalability to match for many small, medium, and enterprise environments. With that said, if your organization requires specific frameworks for management or your BYOD policy includes Windows, Android, or BlackBerry mobile devices, you may wish to look into a more robust MDM offering.
Do you use OS X Server's built-in MDM capability in Profile Manager? Share your experience in the discussion thread below.