Managing your mobile devices in the cloud using Apple’s own MDM solution

Profile Manager costs less than 20$ and can save you both money and time, starting from the very first device. This is how you set it up.

If you are at home in the corporate world, chances are good that you have already come into contact with Mobile Device Management (MDM). Maybe your employer uses MDM to set up your office WiFi on your phone or to configure your e-mail account. Maybe your camera app magically disappears as soon as you enter the secret lab you are working in, or maybe your admin kindly unlocked your iPhone the last time you forgot your iOS passcode.

But maybe you are more like me, and just want to gain more insight into your personal devices. Maybe you run your own small business and want to protect your investments. Or maybe you want to be that kind admin from above and spend less time manually configuring your co-workers’ devices. In that case, read on.

The tutorial in front of you will introduce you to Apple’s very own MDM solution, called Profile Manager. Few people actually know it exists, and that’s really sad: Profile Manager provides an impressive feature set, is easy to use, rather stable and — above all — very affordable at 19,99$, included in the macOS Server package you may have seen before in the Mac App Store. Along the steps of this tutorial, you will configure a Mac server to support Profile Manager, install all required software and enroll your first device. If you have an hour to spare and feel adventurous, give it a try — it’s like a trip into a whole new world of Apple device configuration.

If you run into issues along the way, make sure to comment, and I will do my best to help. Nevertheless, you are obviously doing this at your own risk and should make sure that you have working (!) backups for all devices involved.


Remark: This article was originally published in October 2016 and has gained some popularity since then — thanks a lot for your feedback! Most of the tutorial is still valid, but time has passed and development on macOS, Let’s Encrypt & Co. has continued, so don’t be irritated if you experience some differences. I’m sorry that I cannot provide an update or offer follow-up support at the moment.

In the past year, cloud MDM solutions have also gained a lot of popularity and may be a good and lower-maintenance alternative to setting up your own Profile Manager. To get started, you may want to have a look at Jamf Now.


Step 0: Prerequisites

While this tutorial starts at the very basics, there are some prerequisites that you should have in place before diving in:

  1. Let’s start simple: you need two Apple IDs. One (your personal Apple ID) can be your regular Apple ID; we will just use it to download the software we need from the Mac App Store. The second (your corporate Apple ID) should be brand new and not have been used before. To create it, just pay a visit to http://appleid.apple.com. While you are at it, I suggest that you activate two-factor authentication, as it will be a prerequisite for some services we use later on.
  2. Apple does not offer a hosting service for Profile Manager, so you will need to supply a Mac yourself. This Mac should run the latest version of macOS (I used El Capitan to write this tutorial) and be available from the internet via a fixed IP. If you are like me, you neither have a Mac mini to spare nor a server-ready internet connection at home. In this case, I highly recommend having a look at the offering of MacStadium. MacStadium offers hosting and housing of Mac minis in high performance data centers for affordable rates and has kindly provided a sample server to create this tutorial. Thanks, @brianstucki!
  3. This tutorial assumes that you have already configured your server with regards to security, backups and software updates. If you haven’t, please make sure to do so before starting to work on MDM. The Macminicolo Blog is a great resource for the basics.
  4. Lastly, we also require a domain or subdomain that we can turn into a hostname for your server. Don’t own a domain yet? Feel free to check out hover.

Got it all? Then let’s get the party started.


Step 1: DNS and Reverse DNS

macOS Server is clever and can configure a lot of its services by itself. However, it’s rather picky about the host’s DNS and Reverse DNS configuration. Therefore, do two things before you start the macOS Server console for the first time:

  1. Set up an A record for your selected hostname that points to your server’s IP.
  2. Set up a Reverse DNS (PTR) record for your server’s IP that returns your selected hostname. If you are using MacStadium, just open a support ticket — I was set up within two minutes. Can’t believe it? See below!

My request for a Reverse DNS setup at MacStadium was completed within two minutes. I’m kind of sad that I missed support ticket number 20000, though.

You can check both settings via the Lookup feature in the macOS Network Utility. Looking up your hostname should return your IP, and looking up your IP should return your hostname.
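The same forward-and-reverse check, scripted so that it can be rerun whenever the DNS setup changes. This is an added example, not part of the original tutorial; it assumes `dig` is available (it ships with macOS), and the `RESOLVER` variable exists only so that a different resolver command can be substituted.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify that the forward (A)
# record and the reverse (PTR) record of an MDM host agree with each other,
# the check the tutorial performs by hand in Network Utility.
# RESOLVER defaults to dig; it is a variable only so another command can be
# injected for testing.
RESOLVER="${RESOLVER:-dig}"

# forward_ip HOSTNAME -> prints the first A record of HOSTNAME
forward_ip() {
    "$RESOLVER" +short A "$1" | head -n 1
}

# reverse_name IP -> prints the PTR target of IP without the trailing dot
reverse_name() {
    "$RESOLVER" +short -x "$1" | head -n 1 | sed 's/\.$//'
}

# check_fcrdns HOSTNAME EXPECTED_IP
# Returns 0 only if HOSTNAME resolves to EXPECTED_IP *and* EXPECTED_IP
# resolves back to HOSTNAME (forward-confirmed reverse DNS); otherwise it
# reports which half of the pair is wrong and returns 1.
check_fcrdns() {
    host="$1"
    ip="$2"
    got_ip=$(forward_ip "$host")
    got_name=$(reverse_name "$ip")
    if [ "$got_ip" != "$ip" ]; then
        echo "A record mismatch: $host -> '${got_ip:-<none>}', expected $ip" >&2
        return 1
    fi
    if [ "$got_name" != "$host" ]; then
        echo "PTR record mismatch: $ip -> '${got_name:-<none>}', expected $host" >&2
        return 1
    fi
    echo "OK: $host <-> $ip"
    return 0
}

# Usage from a terminal (hostname and IP below are placeholders):
#   ./check-dns.sh dub1.joshua-jung.com 203.0.113.10
if [ "$#" -eq 2 ]; then
    check_fcrdns "$1" "$2"
fi
```

Run it with your hostname and IP before starting the Server app; a PTR mismatch is the usual reason the console later shows a different hostname than the one you chose.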


Step 2: Installing macOS Server

Connect to your server via a screen sharing session or just switch on the screen in case you are sitting in front of it.

Looking at our server’s desktop for the first time. I changed the wallpaper to improve VNC performance, and so should you.

Head over to the Mac App Store and look for the OS X Server app. Depending on when you read this tutorial, this may have been renamed to macOS Server in the meantime. Download the package with your Apple ID (and pay 19,99$ in case this is the first time you do so). If you are a registered Apple Developer, you may want to grab the server package from the Developer Portal instead — it’s free over there, you know.

OS X Server in the Mac App Store.

After your download and installation has finished, I suggest dragging the Server app icon into the dock — we will need it more than once in the future. Please refrain from starting it yet — we have one more task to complete first.


Step 3: Creating an SSL certificate

This step is not strictly required to set up a functional MDM server, but it is still highly recommended. Creating an SSL certificate signed by a trusted authority for our server not only increases the security of your system, but also removes the certificate warnings that would otherwise interrupt the later device enrollment process. If you already own a signed certificate for your server and have imported it into macOS, you can skip this step — otherwise, read on.

Let’s Encrypt, a pretty new service, enables us to receive signed certificates for free. Unfortunately, this process is not entirely plug & play, but requires some terminal commands. Still, don’t worry — if you follow this tutorial closely, you should be fine, and it won’t get any more complicated than this down the road.

As a first step, open your server’s terminal, e.g. using the Spotlight feature.

It’s dangerous to go alone, take this: 🗡

First, we will install Homebrew, a package manager for macOS. To do so, enter the following command into your terminal window:

/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Homebrew installation has been successful.

Next, we will use Homebrew to install certbot, a collection of scripts that will help us with generating our certificate. Enter the following command into the terminal window:

brew install certbot

Certbot has been successfully installed via Homebrew.

We now use certbot to request the signed certificate. Enter the following line into the terminal window and replace my domain dub1.joshua-jung.com with yours:

certbot certonly --standalone -d dub1.joshua-jung.com

You will be asked to enter an e-mail address and to agree to the terms of LetsEncrypt. Do so. Then, if everything worked out fine, your screen should look as follows:

Congratulations, your certificate has been created and stored on your Mac.

Two more steps to take: we want to convert the certificate into a format macOS natively understands, and we want to make sure that it renews automatically.

At this point, we are running into a small challenge: during each renewal, Let’s Encrypt performs an HTTP request to our server to verify that we control the hostname. The --standalone mode we just used answers that request with a temporary web server of its own, but port 80 will later be occupied by the web server included in macOS Server, so that would no longer work. Therefore, we will now make a small change to the Let’s Encrypt renewal configuration file. Afterwards, the renewal process will not try to start its own web server, but instead place the verification file in the document root of the web server that is already running.

The file we want to modify is located in /etc/letsencrypt/renewal and is called dub1.joshua-jung.com.conf in my case — look for the file named after your own domain. Open the file with an editor of your choice and look for the [renewalparams] block. In this block, change the authenticator property to webroot. Then, at the very bottom of the file, add

webroot_path = /Library/Server/Web/Data/Sites/Default,
[[webroot_map]]
dub1.joshua-jung.com = /Library/Server/Web/Data/Sites/Default

After your modifications, your file should look like this (with your domain and a different account ID):

# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/dub1.joshua-jung.com/cert.pem
privkey = /etc/letsencrypt/live/dub1.joshua-jung.com/privkey.pem
chain = /etc/letsencrypt/live/dub1.joshua-jung.com/chain.pem
fullchain = /etc/letsencrypt/live/dub1.joshua-jung.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 6e376fd12de0b4be0db4c2adawdawdwadwa
webroot_path = /Library/Server/Web/Data/Sites/Default,
[[webroot_map]]
dub1.joshua-jung.com = /Library/Server/Web/Data/Sites/Default
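The edit described above can also be made by a small script, which is handy if you manage more than one hostname or want the change to be repeatable. This is an added example and not part of the original tutorial; it assumes certbot’s renewal file layout (/etc/letsencrypt/renewal/DOMAIN.conf) and the macOS Server default web root shown above, and both paths can be overridden through the `RENEWAL_DIR` and `WEBROOT` variables, which are this example’s own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): switch a certbot renewal
# configuration from the standalone authenticator to webroot, i.e. the manual
# edit described in the text, done idempotently so it can be rerun safely.
# Defaults follow the tutorial; RENEWAL_DIR and WEBROOT can be overridden.
WEBROOT="${WEBROOT:-/Library/Server/Web/Data/Sites/Default}"
RENEWAL_DIR="${RENEWAL_DIR:-/etc/letsencrypt/renewal}"

# switch_to_webroot DOMAIN [CONF_FILE]
# Rewrites "authenticator = ..." to webroot and appends the webroot settings
# unless they are already present. Prints the path of the rewritten file.
switch_to_webroot() {
    domain="$1"
    conf="${2:-$RENEWAL_DIR/$domain.conf}"
    [ -f "$conf" ] || { echo "no renewal config at $conf" >&2; return 1; }
    grep -q '^\[renewalparams\]' "$conf" \
        || { echo "no [renewalparams] block in $conf" >&2; return 1; }

    tmp="$conf.tmp.$$"
    # Only the authenticator line changes; every other line is copied verbatim.
    sed 's/^authenticator *=.*/authenticator = webroot/' "$conf" > "$tmp"

    # Append the webroot block once; a second run must not duplicate it.
    # certbot itself writes webroot_path with a trailing comma, as the text shows.
    if ! grep -q '^\[\[webroot_map\]\]' "$tmp"; then
        {
            echo "webroot_path = $WEBROOT,"
            echo "[[webroot_map]]"
            echo "$domain = $WEBROOT"
        } >> "$tmp"
    fi
    mv "$tmp" "$conf"
    echo "$conf"
}

# Usage (run as root, because /etc/letsencrypt is owned by root):
#   sudo ./switch-to-webroot.sh dub1.joshua-jung.com
if [ "$#" -ge 1 ]; then
    switch_to_webroot "$@"
fi
```

After running it, `sudo certbot renew --dry-run` is the quickest way to confirm that the webroot authenticator can place its verification file where the macOS Server web server serves it.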

In the next step, let’s create a handy script that renews the certificate (if required) and imports it into macOS Server once a day.

Create the file get-cert.sh in your home directory with the following content and replace my domain with yours once again:

#!/bin/sh
# Renews the Let's Encrypt certificate (if it is due) and imports it into the
# System keychain so that macOS Server can pick it up.
DOMAIN="dub1.joshua-jung.com"
PEM_FOLDER="/etc/letsencrypt/live/${DOMAIN}/"
# The server management daemon that needs access to the private key
SERVERMGRD="/Applications/Server.app/Contents/ServerRoot/System/Library/CoreServices/ServerManagerDaemon.bundle/Contents/MacOS/servermgrd"
# Renew the certificate (certbot only renews when the certificate is close to expiry)
sudo certbot renew --quiet
# Generate a throw-away passphrase for the PKCS#12 container
PASS=$(openssl rand -base64 45 | tr -d /=+ | cut -c -30)
# Transform the pem files into a p12 file
sudo openssl pkcs12 -export -inkey "${PEM_FOLDER}privkey.pem" -in "${PEM_FOLDER}cert.pem" -certfile "${PEM_FOLDER}fullchain.pem" -out "${PEM_FOLDER}letsencrypt_sslcert.p12" -passout "pass:${PASS}"
# Import the p12 file into the System keychain and allow servermgrd to use the key
sudo security import "${PEM_FOLDER}letsencrypt_sslcert.p12" -f pkcs12 -k /Library/Keychains/System.keychain -P "${PASS}" -T "${SERVERMGRD}"

To make it executable, enter the following command into your terminal window:

chmod +x ~/get-cert.sh

Run the script once:

~/get-cert.sh

The initial run of our script has been successful.

Now we want to make sure that the script runs on a daily schedule. To do so, let’s create the file local.getcert.plist in the folder /Library/LaunchDaemons. This folder is only writable with superuser privileges, so the quickest way to create the file is to use the Nano text editor in our terminal window. Enter the following command:

sudo nano /Library/LaunchDaemons/local.getcert.plist

The Nano text editor is ready for input.

Paste or type the following property list into Nano. If your script is located at another path, modify the respective line.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>local.unpackletsencrypt</string>
    <key>RunAtLoad</key>
    <false/>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>3</integer>
        <key>Minute</key>
        <integer>0</integer>
    </dict>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/administrator/get-cert.sh</string>
    </array>
</dict>
</plist>

Close and save the file via Ctrl+X, Y and then Enter.
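launchd reads /Library/LaunchDaemons at boot, so a file created there is not picked up until the next restart unless it is loaded explicitly. The script below, an added example and not part of the original tutorial, checks the two things that make a daemon fail silently (the program path in the plist must exist and be executable, and the plist must be owned by root and not writable by others) and then loads the job. The `check_daemon` and `load_daemon` names are this example’s own; the plist and script paths are the ones used in the tutorial.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): validate and load the
# launchd job that runs get-cert.sh nightly. launchd does not report a bad
# program path or wrong permissions loudly, so check them up front.

# program_path PLIST -> the first absolute path found in a <string> element,
# which in the tutorial's plist is the ProgramArguments entry
program_path() {
    sed -n 's|.*<string>\(/[^<]*\)</string>.*|\1|p' "$1" | head -n 1
}

# check_daemon PLIST -> prints the script path and returns 0 if the plist is
# readable and points at an executable file; returns 1 otherwise
check_daemon() {
    plist="$1"
    [ -r "$plist" ] || { echo "cannot read $plist" >&2; return 1; }
    prog=$(program_path "$plist")
    [ -n "$prog" ] || { echo "no absolute ProgramArguments path in $plist" >&2; return 1; }
    [ -x "$prog" ] || { echo "$prog is missing or not executable (run chmod +x)" >&2; return 1; }
    echo "$prog"
}

# load_daemon PLIST -> validates, fixes ownership/permissions, loads (macOS only)
load_daemon() {
    plist="$1"
    check_daemon "$plist" > /dev/null || return 1
    # plutil ships with macOS and reports syntax errors in the plist
    if command -v plutil > /dev/null 2>&1; then
        plutil -lint "$plist" || return 1
    fi
    # launchd refuses LaunchDaemons that are not root-owned or are group/world writable
    sudo chown root:wheel "$plist" && sudo chmod 644 "$plist" || return 1
    sudo launchctl load -w "$plist"
}

# Usage:
#   ./load-getcert.sh /Library/LaunchDaemons/local.getcert.plist
if [ "$#" -eq 1 ]; then
    load_daemon "$1"
fi
```

Afterwards, `sudo launchctl list | grep local.unpackletsencrypt` should show the job under the Label from the plist; note that this Label differs from the file name local.getcert.plist, which launchd tolerates but which is easy to trip over when searching for the job later.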

Congratulations: the hardest part of this tutorial is now over! You have requested a certificate signed by Let’s Encrypt, made it available to macOS and ensured that it is regularly renewed.


Step 4: Basic configuration of macOS Server

Hurrah — you have now earned the right to start up the macOS Server console for the first time. So let’s do it: click the dock icon.

macOS Server welcomes you.

Click through the setup assistant without changing any settings until you arrive at the server home screen:

The server home screen after completing the setup assistant. All lights are green, as they should be.

There are some indicators on this screen that you should check:

  • The server hostname displayed should be identical to the domain or subdomain you selected for your server. If it is not, double-check your Reverse DNS records.
  • The indicator light next to the Internet label should be green, indicating that your server is reachable from the internet. If it is not, double-check your firewall and router settings.

Next, open the Certificates section of the server console. It should display a certificate for your hostname, issued by the Let’s Encrypt Authority X3 or your trusted certificate authority. If it does not, please revisit step 3 of this tutorial.

The certificate we created earlier on has been correctly selected by our server to secure its services. This should happen automatically.

Before we start the actual Profile Manager service, let’s take a quick look at the user group and user administration. Both are available via the server console navigation bar on the left.

The number of groups and users you want to create at this step depends on your setup (corporate or personal), but it’s straightforward either way. For now, let’s just create one sample user (apart from the administrator account, which we should not use for production).

Creating users and groups in macOS server is really easy.

Step 5: Configuring and activating Profile Manager

You are now ready to activate the Profile Manager service, the actual MDM solution included in Apple’s server package. Select it from the navigation bar and click the Configure… button next to the Device Management label.

Start the configuration of Profile Manager.

Again, a helpful wizard guides us through the setup process. It assists us with creating a Directory Administrator account (don’t worry about it too much) and asks for some basic information about your company — just enter your personal details if you want to use Profile Manager for yourself.

Don’t worry too much about the Directory Administrator, but make sure to enter a secure password and to memorize it in case you need it again later on.

In the last step of the wizard, you will need the corporate Apple ID you created at the very beginning of this tutorial to get an Apple Push Notification Service certificate. Make sure not to use your personal Apple ID at this step.

This is the last step of the wizard — make sure to enter your corporate Apple ID, not your personal one.

After finishing the wizard, the Profile Manager overview page should read Enabled behind the Device Management label. Now feel free to flip the switch in the top-right corner!

We have completed the wizard. Now let’s finally activate the Profile Manager service!

Afterwards, the service status should read Reachable over the internet via your domain. Well done! If it does not, once again check your firewall, port forwarding and DNS settings.

Profile Manager is up, running, and reachable over the internet.

To double check, open the provided URL from your local machine. You should be presented with a login prompt:

Profile Manager can now also be reached from your local machine. If it’s more comfortable for you, feel free to use a local browser session for the next steps.
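Opening the URL in a browser confirms reachability; the check below additionally confirms, from the command line of a local machine, that the host presents a certificate for its own hostname issued by Let’s Encrypt, which is what keeps the enrollment prompts away later. This is an added example and not part of the original tutorial; it assumes the openssl command-line tool (present on macOS), and the `MDM_PORT` variable and the two function names are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): fetch the certificate the
# MDM host serves on its HTTPS port and check that it is the expected one.
MDM_PORT="${MDM_PORT:-443}"

# fetch_cert_summary HOST -> prints the subject=, issuer= and notAfter= lines
# of the certificate presented for HOST (SNI is set so virtual hosts work)
fetch_cert_summary() {
    printf '' | openssl s_client -connect "$1:$MDM_PORT" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# evaluate_cert_summary HOST SUMMARY
# Returns 0 if the subject CN equals HOST and the issuer is Let's Encrypt;
# returns 1 (with a reason on stderr) for a mismatched or self-signed cert.
# Accepts both "subject=CN = host" and the older "subject= /CN=host" layout.
evaluate_cert_summary() {
    host="$1"
    summary="$2"
    cn=$(printf '%s\n' "$summary" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p')
    issuer=$(printf '%s\n' "$summary" | sed -n 's/^issuer=//p')
    expiry=$(printf '%s\n' "$summary" | sed -n 's/^notAfter=//p')
    if [ "$cn" != "$host" ]; then
        echo "certificate CN '$cn' does not match host '$host'" >&2
        return 1
    fi
    case "$issuer" in
        *"Let's Encrypt"*) ;;
        *) echo "unexpected issuer: $issuer" >&2; return 1 ;;
    esac
    echo "OK: $host, issued by $issuer, valid until $expiry"
    return 0
}

# check_served_cert HOST -> runs both steps against a live server
check_served_cert() {
    evaluate_cert_summary "$1" "$(fetch_cert_summary "$1")"
}

# Usage from your local machine (hostname is a placeholder):
#   ./check-mdm-cert.sh dub1.joshua-jung.com
if [ "$#" -eq 1 ]; then
    check_served_cert "$1"
fi
```

If this reports a self-signed issuer, the Server app has fallen back to its own certificate; revisit the Certificates section from step 4 and make sure the Let’s Encrypt certificate is selected for the services.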

Step 6: Enrollment 101 and preparing Profile Manager for enrollment

This is a quick one: Profile Manager is now running, but we need to tweak one or two settings to allow easy device enrollment, i.e. adding devices to our new MDM solution.

It’s important to know that there are many different ways to enroll devices in Profile Manager or any other MDM solution. They vary in prerequisites, effort and results, and in my opinion, there are only three that you should actually consider:

  1. By far the easiest, quickest and most secure way to enroll devices is to use Apple’s Device Enrollment Program (DEP). DEP enables you to enroll both iOS and macOS devices in your MDM automatically on activation, without the need to touch them even once. It’s an almost magical experience. However, it requires that you have purchased the devices you want to enroll via certain DEP-ready channels, such as the Business Teams found at Apple locations. I’m planning to discuss DEP in a later addendum to this tutorial, but for now, let me just point you at Apple’s own guide. All you need to know right now is that your Profile Manager setup is fully compatible with DEP.
  2. If you cannot use DEP (e.g. because the devices you want to enroll are already waiting on the table in front of you), I suggest triggering the enrollment via Apple Configurator, a configuration tool also to be found in the Mac App Store. Just like using DEP, this method also provides full access to the enrolled devices and is rather quick, but requires you to attach each device to be enrolled to a Mac first (yes, with a cable).
  3. Finally, if you are following a BYOD strategy and your co-workers are not comfortable with handing their phones over to you and letting you play around with them, they can also enroll their devices themselves by visiting the URL https://your-mdm-domain.com/mydevices on the device to be enrolled (after you have allowed them to do so in Profile Manager). However, be aware: this method of enrollment only provides superficial control over the enrolled devices and can also be reversed by the user at any time.

Most of us will not be able to use DEP right now, so we will aim at option 2 for the moment and prepare our Profile Manager for device enrollment via Apple Configurator. So open Profile Manager by clicking the Open in Safari button next to the Profile Manager label in your server console and sign in with your macOS administrator credentials.

Welcome to Profile Manager! You should feel right at home.

Luckily, all the settings we are looking for are right on the first page that shows up:

  • Allow access to My Devices Portal: Use this setting to activate or deactivate enrollment option 3 described above. I prefer switching this off, as I don’t want anybody to enroll devices to my MDM without me noticing.
  • Allow enrollment during Setup Assistant for devices configured using Device Enrollment Program: Use this setting to activate or deactivate enrollment option 1 described above. I suggest keeping it on for the moment.
  • Allow enrollment during Setup Assistant for devices using Apple Configurator: We now use this setting to enable enrollment option 2 above. Switch this on right now, or device enrollment will fail later on.

Done? Great! Don’t forget to save with the button in the lower right-hand corner.

Profile Manager after we changed the enrollment settings.

Step 7: Enrolling a sample device

We are now all set for the final and most exciting step of this tutorial: we are adding a device to our MDM, using option 2 described in step 6 above. We no longer need access to our server to do so and can instead switch to a local Mac that we can physically attach our sample iOS device to.

First, however, download Apple Configurator (version 2 is current) from the Mac App Store to this local Mac.

Apple Configurator in the Mac App Store. Download it to your local Mac that you will later attach your iOS device to.

In case your iOS device has been in use before, you also want to reset it to factory settings. Otherwise, Apple Configurator itself will do so later on and also upgrade it to the latest iOS version automatically.

Our sample iPad has been reset to factory settings and is now ready for enrollment.

Now attach your iOS device to the local Mac and start Apple Configurator. Hide the welcome screen by clicking the blue Get Started button.

Apple Configurator has started and identified the attached iPad.

Select your iPad in the Apple Configurator Window and click the Prepare button in the window toolbar. A wizard opens. I will only describe the non-trivial steps now.

We want to initiate a ‘manual’ enrollment and specify the MDM server ourselves.

In the first step, select Manual. This may seem odd at first, but it is the right choice for us, as we want to manually define the MDM server to enroll in. Don’t worry — enrollment will still be a very automated process.

The next three steps of the wizard ask you to define the MDM server you want the device to enroll in.

You will only have to take this step once: the server will be available for later enrollments.

When you are asked for the hostname of your server, make sure not to delete the suggested value from the text box. Instead, just replace the domain with your own server hostname.

Make sure to keep the predefined hostname and only replace the domain with your own. Erased it already? Just go back a step and then forward again.

After completing the server definition, you will be asked whether you want to supervise the devices to be enrolled. You definitely do: supervision enables advanced management features.

We really want to supervise the enrolled devices as it enables us to access all configuration options, even those very deep in the system.

If this is the first time you enroll a device, the wizard will ask you to create a so-called supervision identity, i.e. a rule set for supervision. Answer all questions as per your preferences.

This page enables us to deactivate individual steps of the iOS setup assistant.

As soon as you have completed the wizard, your device will automatically be prepared. This should not take longer than a few seconds.

Our sample device is enrolling.

As soon as the progress bar disappears, you can detach the device and hand it over to the future user. It’s now configured to automatically connect to your MDM solution during the iOS activation assistant and enroll itself after asking the user for their credentials. This should look similar to the following animation:

Our sample device being configured automatically during the iOS setup assistant.

Impressive, isn’t it? Let’s double check that our device has shown up in the Devices list of Profile Manager:

There it is.

Step 8: Exploring Profile Manager

Congratulations: you’re done! You have prepared your Mac server, set up Profile Manager, and enrolled a first device. You can now use all the features Profile Manager has in store for you, and for the moment, I will leave you to it. Just browse through all the pages of Profile Manager and discover — it’s really fun.

A small fraction of the (nearly) unlimited possibilities Profile Manager has in store for you.

Some things you may want to try:

  • Find the huge list of restrictions to apply to your device, e.g. to deactivate iCloud backups or the App Store.
  • Try single-app mode, restricting your device to run one app only.
  • Mark your device as lost and track it via GPS, without being signed in to Find my iPhone.
  • Display your iOS version, free capacity and SIM identifier.
  • Set a common wallpaper on all your devices and order your home screen icons.
  • Configure your e-mail account and WiFi via Profile Manager.
  • Blacklist or whitelist URLs.
  • Push a PDF to your devices.

While you do so, I will work on some extensions to this tutorial. If everything works out as planned, expect them to cover:

  • Signing up for Apple’s Device Enrollment Program (DEP) and connecting your MDM server to DEP.
  • Registering for Apple’s Volume Purchase Program (VPP) and using it to purchase apps in large quantities that you can later manage via Profile Manager.
  • Enrolling a Mac to your MDM.
  • And any additional topic you may find interesting. Please make sure to let me know in the comments.

Until then, happy managing!


Acknowledgements

Thanks a lot once again to MacStadium for providing the server this tutorial has been created on. I have been using Macminicolo/MacStadium for a while now to host my projects, and it has been a more than positive experience. If you are looking for a Mac Server, look no further.

Thank you also to JeffTheRocker, whose instructions for importing a Let’s Encrypt certificate to macOS were the keystone for step 3 of this tutorial.