OS X Server – Profile Manager
The “killer app” for OS X Server is the Profile Manager. Apple bundles this mobile device management (MDM) service with the $50 Lion Server, which makes it a remarkable deal. Not only does Profile Manager manage your iOS devices, it can also manage Macs using the same administrative tools. There are many other MDM products for iOS, but Profile Manager is certainly worth considering if your mid-size company runs Apple devices exclusively.
Devices can be enrolled with the Profile Manager using two methods:
- A network user opens the Profile Manager web portal in Safari, logs in, and clicks the enrollment button. The login is what authenticates the user in this method.
- An administrator emails an Enrollment Profile file to users. The user opens the attachment and the device enrolls automatically. Because anyone who gets hold of that file can enroll a device with it, this method does not authenticate the user. To compensate, the administrator can preregister devices within Profile Manager and turn on the configuration setting that restricts enrollment to preregistered devices (this would be critical for most companies). Devices can be preregistered by serial number, UDID, IMEI, or MEID.
Devices enrolled with Profile Manager can be remotely wiped or locked, but this is only the beginning of MDM. Configuration profiles are pushed to devices at enrollment time and again whenever a profile is updated. Profiles carry configuration settings and security controls for your VPN, email servers, LDAP directories, calendar servers, and more. They let an employee’s device serve both personal needs and office resources, with the company tailoring the profiles to be as restrictive as necessary. Customized profiles can be applied to individual users, groups of users, individual devices, or groups of devices.
As an alternative to pushed profile updates, configuration profiles can be downloaded via Safari or emailed to users.
As a security precaution, enrollment and configuration profile files can be digitally signed. A signed profile lets the device check that the file came from your server and was not altered on the way, which matters most for profiles that travel by email; the device shows the signer and flags an unsigned or altered profile as not verified. Note that signing does not hide the contents of the profile, so anything sensitive inside it (stored credentials, for example) still needs a protected delivery channel.
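Profile Manager signs profiles for you, so you never need to run the steps by hand. The script below is an added example, not code from the original article or from Apple: it reproduces the same signed-profile format with OpenSSL (a DER-encoded CMS SignedData with the plist embedded), verifies it against the signer, and then shows that changing a single byte of the signed profile makes verification fail. The restrictions profile (a camera-disabling `com.apple.applicationaccess` payload), the throwaway self-signed signing certificate, the working directory and the function names are all constructed for this example; a real deployment would use its own code-signing certificate and chain.

```shell
#!/bin/sh
# Added example: sign a configuration profile with OpenSSL and show that
# verification catches any change to the signed bytes. Profile Manager signs
# profiles itself; this reproduces the same CMS (PKCS#7) format by hand so
# the effect of the signature can be examined outside the server.
# The certificate, working directory and profile contents are constructed
# for this example and are not from Profile Manager.
set -e

WORK="${WORK:-$(mktemp -d)}"

# A minimal unsigned restrictions profile (constructed sample): one
# com.apple.applicationaccess payload that disables the camera.
write_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.restrictions</string>
  <key>PayloadUUID</key><string>2F6E4A58-1B3C-4D7E-9A0F-1234567890AB</string>
  <key>PayloadDisplayName</key><string>Example Restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.restrictions.camera</string>
      <key>PayloadUUID</key><string>7C1D2E3F-4A5B-4C6D-8E9F-ABCDEF012345</string>
      <key>allowCamera</key><false/>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Throwaway self-signed certificate standing in for the code-signing
# certificate a real deployment would use.
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Profile Signer" \
    -keyout "$WORK/signer.key" -out "$WORK/signer.crt" >/dev/null 2>&1
}

# Sign: DER-encoded CMS SignedData with the profile embedded (-nodetach),
# the form iOS and OS X read. -binary keeps the plist bytes untouched
# (no MIME headers, no line-ending canonicalisation).
sign_profile() {
  openssl smime -sign -binary -nodetach -outform DER \
    -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
    -in "$1" -out "$2" 2>/dev/null
}

# Verify the signature and the chain against the trusted signer, writing the
# embedded profile to "$2". Exits non-zero if any signed byte changed.
verify_profile() {
  openssl smime -verify -binary -inform DER -CAfile "$WORK/signer.crt" \
    -in "$1" -out "$2" 2>/dev/null
}

# Simulate tampering: overwrite the key name inside the signed blob with a
# same-length string so the DER structure itself stays parseable.
tamper_profile() {
  off=$(LC_ALL=C grep -abo 'allowCamera' "$1" | head -n 1 | cut -d: -f1)
  cp "$1" "$2"
  printf 'allowCamerA' | dd of="$2" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# Returns 0 when signing then verifying recovers the original profile byte for byte.
profile_roundtrip_ok() {
  write_profile "$WORK/profile.mobileconfig"
  make_signer
  sign_profile "$WORK/profile.mobileconfig" "$WORK/signed.mobileconfig"
  verify_profile "$WORK/signed.mobileconfig" "$WORK/recovered.mobileconfig"
  cmp -s "$WORK/profile.mobileconfig" "$WORK/recovered.mobileconfig"
}

# Returns 0 when a tampered copy of the signed profile is rejected.
tampered_profile_rejected() {
  tamper_profile "$WORK/signed.mobileconfig" "$WORK/tampered.mobileconfig"
  if verify_profile "$WORK/tampered.mobileconfig" "$WORK/tampered-out.mobileconfig"; then
    return 1
  fi
  return 0
}

if profile_roundtrip_ok; then echo "signed profile verifies and matches the original"; else echo "round trip FAILED"; exit 1; fi
if tampered_profile_rejected; then echo "tampered profile rejected"; else echo "tampered profile was ACCEPTED"; exit 1; fi
```

The signed file is the one you would hand to a device; the device performs the equivalent of `verify_profile` with the roots it trusts, which is why a self-signed signer like this one would only be accepted after the Trust Profile described below is installed. The tampering step deliberately keeps the length of the changed bytes the same: a length change would make the DER unparseable and fail for the wrong reason, while a same-length edit fails only because the signed digest no longer matches.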
When setting up Profile Manager, you’ll need the following certificates:
- An SSL server certificate for the Profile Manager service. This certificate identifies your server to your employees’ devices.
- An Apple Push Notification service (APNs) certificate that authenticates your server to the push gateway (gateway.push.apple.com). This certificate is issued by Apple.
- A code signing certificate to digitally sign your profiles.
If your certificates were not issued by a commercial certificate authority (CA) the devices already trust, employees must install a Trust Profile before enrolling their devices. This profile contains your own root certificate(s) and, like other profiles, can be downloaded using Safari or emailed to users. Keep in mind that a device that installs a root certificate will trust anything that root signs, so users should have a way to confirm that a Trust Profile arriving by email really came from your IT staff before installing it.
One feature that would be very helpful (but currently lacking) is location-aware profiles. With such a feature, security controls could change depending on where the iOS device is geographically located. For example, many companies disable mobile cameras to prevent leaks of sensitive documents and other intellectual property; that restriction could be lifted once an employee leaves the corporate offices. We’ll see what Apple offers in the coming years.