Right, it’s time to have some fun! In the last seven parts of our deep dive into Apple’s OS X Lion Server we’ve talked through the rationale for its potential role as a home server, features, hardware options, installation, the server app, storage and networking setup and then finally, configuration of users, network accounts and user groups. I hope you’re enjoying the journey – discovering a new platform can be fraught with pitfalls, but so far (an odd bug aside) we’re in decent shape, and we’re ready to start using some of Lion Server’s features.
In this part of the series, we’re going to walk through Apple’s Profile Manager – a powerful configuration tool that allows remote configuration of a vast array of client features and settings. I’m actually splitting this part of the series into two sections – today, we’re focused on using Profile Manager to configure and manage standard Mac clients – desktop machines like the iMac, MacBook Pros, Mac Minis and MacBook Airs. We’ll walk through how to register your Apple computers with Profile Manager and how those machines (and indeed, the user accounts running on them) can be configured to provide a personalised, tailored experience for your users. Need to rock some parental controls for the kids? On all of the Macs in the house? At once? Profile Manager is your friend.
Then, in Part 9 we’ll look in detail at how Profile Manager can also work with iOS devices – that’s right, iPads, iPhones and iPod Touches are all welcome in the world of Profile Manager. If you want to set a consistent security profile for those mobile devices (say, ensuring every device uses a passcode), then you can do so in Profile Manager. If a device goes missing, how about a remote lock, or even a remote wipe of the device to ensure your personal information is protected? Yep, Profile Manager is the guy.
Over the two parts, there’s going to be a lot to cover and I’ll try to combine a detailed look at the options with some examples of real world, practical application for the various settings in a home context. But, as you know, there’s no substitute for diving in and taking a look for yourself!
The Purpose of Profile Manager
Before we dig into the detail, let’s take a step back. Why does a tool like Profile Manager exist? It all comes down to business. Whether it’s via a tool like Group Policy Editor in Windows, or Profile Manager in Apple’s OS X, enterprise IT administrators need simple ways to manage the hundreds, thousands or tens of thousands of computers in their organisations. A centralised configuration tool allows administrators to create a consistent profile (or policy) that all computers, or a subset of computers use. Changes to that profile can be made once, and pushed out to one, more or all of those computers automatically over the network – far easier than walking around to 10,000 computers to change the screen saver setting, right? It also allows them to prevent access to the parts of the operating system that they don’t want you to access – locked USB ports? Internet browser not working? Can’t install your favourite “stuff on my cat” screensaver? Yep, you have your friendly IT admin, a centralised profile manager tool and some mis-guided aspiration for “efficiency” to thank.
But hey, it’s more fun if you’re the admin, right? Just imagine the power, mwaa-haa-haa! In all seriousness, though, a tool like Profile Manager can be really useful at home. It may only be required to configure 3, 4, 5 devices (maybe more if you’re a large family or you just keep buying stuff) but when it comes to simple and efficient configuration and management of things like security settings, networking setup, email access, parental controls and more, there’s nothing like it – and indeed, unless you’ve previously been running a full-blown version of Windows Server (Windows Home Server does not have access to Group Policy Editor) or OS X Server, you’ve most probably never had access to such a tool.
So, without further ado, let’s get it fired up.
1. Set Up Profile Manager and the Apple Push Notification Service
Profile Manager is a web application, and before we can access the tool, we have a little administration to take care of. In Server app, click on the Profile Manager entry in the left hand pane to view the configuration options. Most notably, we need to apply for (yet another) certificate to utilise Apple’s Push Notification Service. This external service (hosted by Apple) monitors changes you make to device and user profiles in Profile Manager and notifies those devices of updates – profile updates can then be issued over the air to those devices by your server – very cool.
So, click Configure and you’ll be guided through the setup of Profile Manager. If you’ve not yet set up the Open Directory service, you’ll need to do so (see the last part of the series for more on that). You’ll also need to set up an SSL certificate if you haven’t already – self-signed certificates can be used with Profile Manager, but will require you to install a “trust profile” as an additional step on your clients to work correctly. If you have a certificate on board from an authorised certificate authority, you’re good to go.
Setting up the Apple Push Notification Service is a simple matter of entering your Apple ID and password – the server then handles the certificate acquisition and installation in the background. Let the gears grind for a short while, and you should be fine to proceed.
As an extra layer of security, in the Profile Manager configuration panel, you’ll also see an option to code-sign the profiles generated by Profile Manager. This allows devices to verify that the profiles haven’t been modified since issuing. To switch on, check the box named Sign your configuration profiles, click Edit… and select your certificate.
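To see what that signing check buys you, here is an added example (not from the original article or from Apple’s tooling). Signed configuration profiles are CMS (PKCS#7) signed data, so the script uses OpenSSL to sign a constructed stand-in profile with a throwaway self-signed certificate, then shows that a same-size edit to the signed file is rejected. It assumes the openssl command is installed; the certificate name, file names and payload are all constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a throwaway self-signed certificate stands in for the
# server's signing certificate, and a minimal plist stands in for a profile.
WORK=$(mktemp -d)

make_signed_profile() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-profile-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null || return 1
    # Constructed payload fragment: a passcode policy, minimum length 6.
    cat > "$WORK/profile.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key>
    <string>Example passcode policy (constructed)</string>
    <key>minLength</key>
    <integer>6</integer>
</dict>
</plist>
EOF
    # CMS/PKCS#7 signature in DER with the content embedded (-nodetach).
    openssl smime -sign -binary -nodetach -outform der \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -in "$WORK/profile.plist" -out "$WORK/signed.mobileconfig" 2>/dev/null
}

verify_profile() {
    # Succeeds only if the signature covers the embedded content and the
    # signer chains to the certificate we trust.
    openssl smime -verify -binary -inform der -in "$1" \
        -CAfile "$WORK/cert.pem" -out /dev/null 2>/dev/null
}

tamper_profile() {
    # Same-length edit: weaken the policy without changing the file size.
    LC_ALL=C sed 's|<integer>6</integer>|<integer>0</integer>|' "$1" > "$2"
}

make_signed_profile || { echo "openssl unavailable or signing failed"; exit 1; }
tamper_profile "$WORK/signed.mobileconfig" "$WORK/tampered.mobileconfig"
for f in signed tampered; do
    if verify_profile "$WORK/$f.mobileconfig"; then
        echo "$f: signature valid"
    else
        echo "$f: REJECTED (content does not match signature)"
    fi
done
```

The same verify command can be pointed at a profile downloaded from your own server, with the server’s certificate (or its issuing authority) supplied as the trusted certificate file.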
In Default Configuration Profile, you’ll see a profile called Settings for Everyone – this is a universal profile that covers all of your Devices and Users (you still have granular control on what settings go to which user and device, so it’s fine to use). Depending on what server features you have switched on, you’ll be able to include (or exclude) specific configuration settings pertaining to those features in Profile Manager.
2. Open Profile Manager
Once you’re ready to proceed, hit the Open Profile Manager link at the bottom of the panel and your browser should open with a login screen. Drop in your Administrator username and password to view the tool. Top tip, if you have remote access configured, you can use Profile Manager remotely using your server’s external URL – just look for the Profile Manager link on the default webpage. (In fact, I’m writing this very article on a train accessing Profile Manager on my Mac Server via the on board Wi-Fi – who said modern life was rubbish, eh?)
Once you’re through authentication, the Profile Manager Tool lies in wait.
Profile Manager uses a simple three panel interface, with a top menu bar (which includes a universal search box and a small command panel accessible by clicking the logged in user name at the top right). From left to right, the main interface comprises a Library panel, for navigating between Devices, Device Groups, Users and Groups of users (with an Activity panel below, used to navigate between Active Tasks and a log of Completed Tasks), a middle panel which is used to navigate between individual users, groups and devices (depending on the option selected in the far left panel) and finally a large panel on the right which will display information on those users, groups and devices.
Before proceeding with the next step, have a click through the menus to familiarise yourself with them.
3. Enroll Your Computers
If we’re going to push settings to our Macs around the home, we’ll need to ensure that Profile Manager knows about them. To do this, we use Enrollment. Note that if you want to work on your settings before enrolling your devices, you can simply go to Devices, click the plus button at the bottom of the middle panel and select Add Placeholder – this will create a placeholder device that can be configured with profile settings. You’ll need to enroll the computer before you can issue the profile, though.
Important: Before proceeding with enrollment, make sure you have the following ports forwarded to your server via your router – Port 1640 and Port 2195. Without these forwarded, you’ll receive an “unexpected error” when you try to enroll a device other than the server itself. A little undocumented requirement there, which wasted a few hours of my life. So, no need to waste yours!

















