To enroll devices for management, use the URL https://mdm.pretendco.com/MyDevices (replace the hostname with your own). Click the Profiles tab to bring up a list of profiles that can be installed manually (Figure 8-19). You need to install a Trust Profile in order for the client to enroll, so click the Install button for the Trust Profile and complete the installation process. The Trust Profile installs the server's certificate authority so that the client will trust the MDM server's TLS certificate, so install it only when the device is talking to the server you intend to trust. Once you're done, click back to the Devices tab, click the Enroll button, and complete the enrollment process for the client (following the defaults will suffice).
On the devices, you'll then be prompted to install the profile. In iOS, tap Install, then Install, and then Done. In OS X (Figure 8-20), click Continue, and then Install.
Once enrolled, you can wipe or lock the device from the My Devices portal, and from then on management profiles are delivered by the MDM server. Keep in mind that a user can remove the management profile, and so opt out of management, at any time.
Tip: If you're looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article.
If there are any problems when you're first getting started, you can always run the wipeDB.sh script, which resets the Profile Manager (a.k.a. devicemgr) database. To do that, run the following command in OS X's Terminal application:
sudo /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh
The two profiles needed to set up a client on the server are accessible from the Server app's web interface. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.
When setting up profiles, note that fields such as the username that differ per user or device can be filled in dynamically through a form of variable expansion, using payload variables in Profile Manager. For more on doing so, see this article.
Once you've got devices enrolled, those devices can easily be managed from a central location. The first thing we're going to do is force a passcode on a device. In this case, it's an iPad. We're going to select the device in Profile Manager's admin portal (Figure 8-21), located at https://servername/profilemanager (in this case, https://mdm.pretendco.com/profilemanager).
On the right side of the admin portal, click the Profile tab, and then click the Edit button (circled in Figure 8-21). Doing so opens the "Settings for [device name]" screen (Figure 8-22), where you can configure a number of settings. There are sections for iOS devices, OS X-specific settings, and settings applicable to both platforms. Let's configure a passcode requirement for an iPad. In the lefthand column, click Passcode, and then click Configure.
Note: iOS data protection keys are derived from the passcode, so without a passcode the device's hardware encryption does not protect stored data. Requiring a passcode is what makes the encryption meaningful.
In the Passcode settings, check the box for "Allow simple value," and then set the "Minimum passcode length" to 4. (I find that with iOS, 4 characters is usually enough, as the device will wipe long before someone can brute-force that. That only holds if the same payload's "Maximum number of failed attempts" is set, because it is that setting, not the length, that triggers the wipe; leave it unset and a four-digit simple passcode can be guessed without limit.) Click OK to commit the changes. Once configured, click Save. On the "Save Changes?" screen, click Save. A few moments later, the device prompts you to set a passcode (Figure 8-23).
The next thing we're going to do is push an app. To do so, first find an app in your iTunes library that you want to push out. Right-click (or Control-click) the app and select "Show in Finder." (You can copy the app from your library or browse to its location later.) Then, in the admin portal, click an object to manage (in this example, I selected a group called Demo), and then click the Apps tab. There, click the cog icon and select Edit Apps (Figure 8-24).
On the Add Apps screen that appears, click Upload and then browse to the app we found earlier. The app is then uploaded and displayed in the list. Click Add to add that app to the currently selected (highlighted) group. Next, click Done, and then click Save, and an App Installation dialog box will appear on the iOS device you're pushing the app to (Figure 8-25).
In the App Installation dialog box on the iPad, tap the Install button and the app will instantly be copied to the last screen of apps on the device. Tap the app to open it and verify that it works. If the app opens, it is safe to assume that the App Store app on the device is signed in as a user who owns the app. You can sign out of the App Store and the app will still open. However, you won't be able to update the app; if you try to, you'll see a "You are not signed in" dialog box.
This brings up an interesting limitation of how Profile Manager interacts with the App Store: it essentially doesn't. To push apps to elementary school iPads in a one-to-one deployment (where each user has their own device), I could either use Apple Configurator (if I wanted to burn up a VPP code per student per year) or use iTunes (a labor-intensive process of restoring one iPad per computer rather than working in parallel). Either way, I'm going to stay away from Profile Manager for apps.
So if you push an app to a device and the user taps the app and the screen goes black, make sure the app is owned by the Apple ID signed into the device. If the app is owned by that ID, have the user open the App Store and update any other app, and then see if the pushed app opens.
Finally, let's wipe a device. In the Profile Manager admin portal, click a device and then, from the cog menu at the bottom of the screen, select Wipe (Figure 8-26).
On the Wipe screen, select the device and then click the Wipe button again. The iPad then says "Resetting iPad," and just like that the technical walkthrough is over.
Note: For fun, you can use the admin portal to wipe your iPad from the iPad itself.