10.9 Profile Manager Active Directory Advanced Options

Hey guys!
I've been working with Profile Manager in Mavericks Server and so far, I'm pretty excited with the improvements in functionality that have been made. I'm still using WGM and MCX settings for my 10.6 - 10.8 users but would like to move to Profiles for 10.9 and iOS 7. However I have a single road block in my way and it's in reference to this article:
http://support.apple.com/kb/HT5981
I am able to use the "Directory" payload to bind to AD cleanly and everything works. However, I need to access some of these Advanced Options referenced in the KB article.
The first set of instructions about creating the .mobileconfig, downloading it, and then editing it works perfectly. However, I would then have to manually distribute the .mobileconfig instead of being able to push it. If I eventually wanted to modify it (such as add an ADDomainAdminGroupList later on) I would again have to manually distribute the .mobileconfig.
The second set of instructions in the KB article reference (with a "by the way" attitude...) stating that these settings can be added in the Custom Settings Payload. I have been unable to get this to work in any fashion. I'm unsure if the Directory Payload still has to be configured, or if it needs a dedicated UUID, or if it needs the entire AD configuration, etc...
Anyone been able to successfully set this up? I can provide my mobileconfigs upon request if that will help.
Thanks!
Nick.

Hello Nick,
I wouldn't be as sure as GeneMCX about the custom settings section. I actually was able to create a payload for the Finder and then override some of the settings by uploading the following file under the custom settings section:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>ShowHardDrivesOnDesktop</key>
    <true/>
    <key>ShowExternalHardDrivesOnDesktop</key>
    <false/>
    <key>ShowRemovableMediaOnDesktop</key>
    <false/>
    <key>ShowMountedServersOnDesktop</key>
    <false/>
  </dict>
</plist>
Important: the file was named com.apple.finder.plist in order to populate the "Preference Domain" correctly (com.apple.finder in this case).
In this particular case, I let the client download the profile using the mydevice portal. Not sure if things would have worked properly if the configuration had been pushed to him.
Bottom line is: in at least one case, custom settings do allow you to tweak a payload configuration. But not always. I am still unable to do a similar thing with mail accounts. I have no idea whether Active Directory Advanced Options fall in the first category or in the second one.
You could probably make tests using a "simpler" service than AD... like Finder, for example. Just get used to all this. One useful command on the client side is "profiles". You can have a look here: http://krypted.com/tag/profile-manager/
I hope this helps. Good luck!
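
Added example (not part of the posts above, and not Apple's or Profile Manager's own code): a Python sketch that derives the preference domain from the uploaded file name as the reply describes, wraps the keys in a com.apple.ManagedClient.preferences payload, and reads a profile back so the forced keys can be reviewed before it is distributed. The identifier com.example.profile and the function names are hypothetical, and it is an assumption that the profile is unsigned XML and that Profile Manager emits this same layout.

```python
import plistlib
import uuid
from pathlib import PurePath

# Sample input: the Finder preference file quoted in the reply above.
FINDER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>ShowHardDrivesOnDesktop</key>
    <true/>
    <key>ShowExternalHardDrivesOnDesktop</key>
    <false/>
    <key>ShowRemovableMediaOnDesktop</key>
    <false/>
    <key>ShowMountedServersOnDesktop</key>
    <false/>
  </dict>
</plist>
"""

# Payload type used for managed-preference ("custom settings") payloads.
MCX_TYPE = "com.apple.ManagedClient.preferences"


def preference_domain(filename):
    """Derive the preference domain from the file name, e.g.
    com.apple.finder.plist -> com.apple.finder."""
    path = PurePath(filename)
    if path.suffix != ".plist" or not path.stem:
        raise ValueError(f"{filename!r} is not named <domain>.plist")
    return path.stem


def build_custom_settings_profile(filename, plist_bytes, identifier):
    """Wrap a preference plist in a configuration profile dictionary.
    `identifier` is a hypothetical reverse-DNS name chosen by the admin."""
    domain = preference_domain(filename)
    settings = plistlib.loads(plist_bytes)
    if not isinstance(settings, dict):
        raise ValueError("top-level plist object must be a dict")
    payload = {
        "PayloadType": MCX_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Custom settings: {domain}",
        # Managed preferences are keyed by domain, then by management state.
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": settings}]}
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Custom settings example",
        "PayloadContent": [payload],
    }


def forced_settings(profile_bytes):
    """Return {domain: {key: value}} for every forced managed preference
    in an unsigned .mobileconfig, for review before distribution."""
    profile = plistlib.loads(profile_bytes)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != MCX_TYPE:
            continue  # other payload types (e.g. a directory bind) are skipped
        for domain, states in payload.get("PayloadContent", {}).items():
            for entry in states.get("Forced", []):
                found.setdefault(domain, {}).update(
                    entry.get("mcx_preference_settings", {})
                )
    return found


if __name__ == "__main__":
    profile = build_custom_settings_profile(
        "com.apple.finder.plist", FINDER_PLIST, "com.example.profile"
    )
    serialized = plistlib.dumps(profile)
    for domain, keys in forced_settings(serialized).items():
        print(domain)
        for key, value in sorted(keys.items()):
            print(f"  {key} = {value}")
```

On the client, the output of the "profiles" command mentioned in the reply can be compared against this listing to confirm which domains a delivered profile actually manages.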

Similar Messages

  • SharePoint 2013 profile service account requirements when using "Use SharePoint Active Directory Import" option

    Hi All,
    I am trying to configure SharePoint Profile service. We would like a straightforward profile import from Active Directory.
    On the "Configure Synchronization Settings" page, we have chosen the option "Use SharePoint Active Directory Import" option.
    We have created a connection to the Active Directory using Configure Synchronization Connections page. We have specified the account that would be used for the import process.
    Question:
    I would like to confirm whether the account configured for the profile import need any special privileges when using "Use SharePoint Active Directory Import" option ?
    Thanks,
    Saurabh

    Grant Replicate Directory Changes permission on a domain
    To do this, please follow the procedure below:
    On the domain controller, click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    In Active Directory Users and Computers, right-click the domain, and then click Delegate Control.
    On the first page of the Delegation of Control Wizard, click Next.
    On the Users or Groups page, click Add.
    Type the name of the synchronization account, and then click OK.
    Click Next.
    On the Tasks to Delegate page, select Create a custom task to delegate, and then click Next.
    On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and then click Next.
    On the Permissions page, in the Permissions box, select Replicating Directory Changes (select Replicate Directory Changes on Windows Server 2003), and then click Next.
    Click Finish.
    Thanks & Regards
    ShivaPrasad Pola
    SharePoint Developer 

  • User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013

    User profiles from Active directory when loggedin then userdisplay, useredit shows blank white screen in SharePoint 2013 
    I can login with the these AD users and AD direct import is working just fine. We are not using UPS.
    With admin user when I click on the user it shows up proper data. But when I login with the same user it does not show me userdisplay/useredit and shows blank data. Also another strange thing is when I add new item in list with these AD users created by modified by is blank and its really strange. I checked user information list, tried to rerun user sync with direct AD import option but no success.
    MCTS Sharepoint 2010, MCAD dotnet, MCPDEA, SharePoint Lead

    Hi Amit,
    According to your description, my understanding is that the page is blank when the user accessed /_layouts/15/userdisp.aspx and the created by field was blank when the user created a new list item in SharePoint 2013.
    I tested the same scenario per your post, however I cannot reproduce your issue.
    For troubleshooting this issue, I recommend to verify the things below:
    Check the permission of the user in the corresponding site collection to see if he can access /_layouts/15/userdisp.aspx.
    Delete the user from AD and SharePoint, then re-add the user to AD and grant proper permission to the user in SharePoint to see if the issue still occurs.
    Did this issue occur with all the users? Add a new user in AD and test the same scenario.
    Best regards.
    Thanks
    Victoria Xia
    TechNet Community Support

  • How to manage Active directory and tools to manage Active Directory

    How to manage Active directory and which tools we use?

    You can use Microsoft Active Directory management tools:
    http://technet.microsoft.com/en-us/library/aa998508(EXCHG.65).aspx
    Overview of Server Message Block signing
    http://support.microsoft.com/kb/887429/en-us
    Remote Server Administration Tools for Windows 7:
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en
    AD Admin Center:
    http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx
    http://technet.microsoft.com/en-us/library/dd560652(WS.10).aspx
    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX http://blogs.sivarajan.com/ http://publications.sivarajan.com/ This posting is provided "AS IS" with no warranties, and confers no rights.

  • Migrate local OS X profile to Active Directory account

    I need to add our MACs to our Active Directory domain.
    How do I go about migrating their settings, preferences, and files to the new AD account?
    On my test system, when I signed on, it created a new profile and everything had to be reconfigured.
    How can I prevent this?

    Oh good! It's not just me....
    I raised this issue months ago when the version changed to 10.6.x and was told by Apple Lion would fix it...
    It didn't, in fact it made it work... the version of Snow Leopard on the mac mini worked perfectly!
    I have had mixed results so far... Initially binding to my 2008 mixed mode domain only worked if we specified a specific Domain Controller and that has worked with a number of machines, our initial fleet of 5 machines for instance
    A few weeks ago my lion client was rebooted and on power up it had lost its domain binding and nothing would work to get it back on. I'm now stuck using a mobile account version of my account...
    My new Lion Server just arrived and I'm following the same procedure and it doesn't work either giving me fairly generic error messages like the one you initially mentioned that leave me confused... In the middle of this project we upgraded to 2008 DCs but are still running in 2000 mode...
    We are looking at swapping to mac hardware for our client base and if this issue isn't resolved I cannot move forward; joining a domain is step 1 of a Windows Install usually...
    Thanks
    Andrew

  • Profile Manager Active Tasks

    Hey guys,
    Whenever we log into our Profile Manager, there's also a ton of active tasks running.  I just checked now, and there are 40 tasks currently active.  These are tasks we haven't initiated on our end, and for the majority, it's removing settings from our laptops.  Sometimes, we'll just watch the active tasks list for a few minutes and within that period more and more tasks will get added that neither myself nor the other Mac tech has initiated.
    Have you all heard anything like this before, and if there's a possible solution/reason?
    Thanks!
    Aaron Campbell
    Tech II | Putnam City Schools

    I found since profile manager is pulling over ad users I can search individual users and they are set by default to push settings does anyone know how to change this?

  • Profile Manager Active Tasks Status stays on Pending

    Hi, I have a Mavericks Server with Profile Manager, I have two device groups for iPads and iPhones. For some reason I can no longer apply any updates etc to devices, it hangs on pending under Active Tasks. Nothing has changed, I have the following ports open: TCP:2195,2196,1640,5223. Everything was working ok, I am struggling to work out why this has changed. I have even restarted the Server.
    Any pointers or ideas would be well appreciated.

    Hi dankgus, I was reading this article which explains how the mechanics of this work.
    http://www.justinrummel.com/how-apns-works-with-mdms-that-manage-osx-and-ios/
    I then thought about your firewall comment, when I configured my firewall to work with my Mac MDM I used this Apple KBA ------> http://support.apple.com/kb/ht5302 however I did not open TCP:443 for security reasons. I actually thought this was just for device enrollment and management however it looks like the iOS device might actually require it to function properly. I opened the port and ran a device update which worked. I think it worked ok initially because internally users can get to the MDM over TCP:443 through our split DNS and as soon as they took their iOS devices out of the reach of our corp WIFI it stopped working. I will observe the results and report back and of course I welcome comments.

  • Profile Manager - Activity Tasks - Unknown Target

    Hardware Details
    Product - Mac mini Server (Late 2012)
    Processor - 2.3 GHz Intel Core i7
    Memory - 4 GB 1600 MHz DDR3
    OS - OS X Yosemite 10.10.2 (14C1510)
    OS X Server Application Details
    Version - 4.0.3 (14S350)
    I am configuring the Profile Manager for Users. I have created Restrictions in the Settings tab for Users for one of the Users. After saving my Restrictions, the profile manager pushes it to devices and for some reason it will not push and the status is shown as Pending, because the device is Unknown.
    How do I retrieve the unknown device and remove it from my PM as it is causing hassle every time I try to push the settings to the User.
    [Attached image for clarification]

    Did you setup DNS correctly?
    Profilemanager relies heavily on a Fully Qualified Domain Name FQDN, so only using macserver.local might cause this issue.
    Is the computer who is @unknown getting its DNS information from the macserver as well or another DHCP server? And does that DHCP server point to the macserver? Enrollment needs a valid DNS setup to work properly.
    Is port forwarding enabled for profile manager? Can you tell us more about your setup?
    Good luck
    Jeffrey

  • Profile Manager Active Tasks never complete, are always pending

    I'm using OS X Server 3.2.2 on OS X 10.9.5. I'm attempting to push changes to a device or device group (iMacs in this case), but the task status is always pending and the task never completes. However, when I manually download the Enrollment Profile on a client machine, it will contact the server and grab the device and device group profiles during the initial enrollment. We're not blocking any ports and the server and client are both on the same VLAN and subnet. I'm stumped as to why I'm seemingly only able to communicate to the server from a client and not the other way around. I appreciate any help and suggestions. Thanks.


  • Active directory mobile accounts

    Hi,
    Just did a clean install of Lion, joined it to my active directory (Windows SBS 2003). No issues with this part...
    But when I log in as a domain user, I get:
    the home folder for user is not located in the usual place or cannot be accessed
    Strangely enough, if I turn off mobile account creation, it works, and /Users/domainuser is created. If I then turn back on mobile account creation I get the error again.
    Anybody else experience this? Any pointers on how to troubleshoot?

    WORKAROUND for "Error: The home folder for user "ActiveDirectoryUser" isn't located in the usual place or can't be accessed. The home or Users folder may have been moved or deleted. If the home...."
    I was able to "Fix" the Mobile Account issue above in Lion -for now. (Valid as of 8/18/11 on Lion 10.7.1)
    - In Directory Utility -> Active Directory -> Advanced Options, I unchecked "Create mobile account at login" and left "Force local home directory on startup disk" checked
    - Log out then back in as a networked user,  -A local home directory will be created under /Users but will not be accessible if network is offline (non-mobile)
    - Open Terminal
    --- Type: cd /System/Library/CoreServices/ManagedClient.app/Contents/Resources/
    --- Type: ./createmobileaccount -n username
    The username you specify with the createmobileaccount command will turn it from a standard account into a mobile account.
    This fixes Active Directory mobile accounts for the time being so now it's on to Open Directory which refuses to stay bound after a reboot.

  • User login report in Active Directory for specific date and time

    I want to get User login report in Active Directory for specific date and time e.g. user logged in at 15-01-2015 from 8:00am to 4:00pm
    Is any query, script or any tool available?
    Waiting for reply please

    You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
    If you would like to get back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can records from Security log in the event viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
    I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Ldap Sync: User is not able to create in Active Directory through OIM

    Hi ,
    I have enabled the ldap sync between OIM and Active Directory.
    Option 1: with password
    While creating the new user in OIM , I am getting the below error .
    80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Could not modify entry.[[
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
    remaining name 'cn=ADTESTLDAp10F ADTESTLDAp10LL,cn=Users,dc=cgtest,dc=adtest,dc=com'
      at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3140)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3013)
      at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
      at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1458)
      at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
      at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
      at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
      at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.modify(ConnectionHandle.java:301)
      at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.modify(BackendJNDI.java:781)
    [2013-08-04T17:06:58.840-07:00] [oim_server1] [ERROR] [OVD-60600] [oracle.ods.virtualization.engine.util.ADUtilities] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 80eeb34d89d5ed80:18bc05bb:1403be9d7e6:-8000-000000000008f710,0] [APP: oim#11.1.2.0.0] Cannot set password : LDAP Error 53 : [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0[[
    Looks like password is not able to set properly. But I am able to create the same user in AD using the same password.
    Option 1: without password
    Another testing, I have also tried to create user without password.  There is no error coming to log file. and I am able to see the below message in log file
    oracle.iam.ldapsync.impl.eventhandlers.user.UserCreateLDAPPreProcessHandler] [APP: oim#11.1.2.0.0] [SRC_METHOD: createUser] User created in LDAP with GUID 9dc8f6f4b8564216a5d75d86f7cad0a2
    But user is not created in AD . this is another issue.
    Thanks,
    Amit

    Thanks for your reply.
    I have seen sample xml and my target looks the same
    <wlserver dir="${weblogic.domain.dir}"
                             port="${weblogic.domain.admin.server.port}"
                             servername="${weblogic.domain.admin.server.name}"
                             username="${weblogic.domain.admin.user}"
                             domainname="${weblogic.domain.name}"
                             password="${weblogic.domain.admin.password}"
                             configFile="config.xml"
                             generateConfig="true"
                             action="start"
                             beahome="${env.BEA_HOME}"/>
    my requirement is to use ant task.. otherwise I am able to create through configuration wizard
    Thanks

  • Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)

    It worked for me!
    Frank Keunen
    IT-Pro Evangelist :: Microsoft IT Infrastructure Engineer
    Follow the procedure below to fix Microsoft Active Directory database problems (corrupted Active Directory due to e.g memory issues/disk problems):
    1. Reboot the server and press F8. Choose Directory Services Restore Mode from the Menu.
    2. Check the physical location of the Winnt\NTDS\ folder.
    3. Check the permissions on the \Winnt\NTDS folder. The default permissions are:
       Administrators – Full Control
       System – Full Control
    4. Check the Winnt\Sysvol\Sysvol folder to make sure it is shared.
    5. Check the permissions on the Winnt\Sysvol\Sysvol share. The default permissions are:
       Share Permissions:
         Administrators – Full Control
         Authenticated Users – Full Control
         Everyone – Read
       NTFS Permissions:
         Administrators – Full Control
         Authenticated Users – Read & Execute, List Folder Contents, Read
         Creator Owner – none
         Server Operators – Read & Execute, List Folder Contents, Read
         System – Full Control
       Note: You may not be able to change the permissions on these folders if the Active Directory database is unavailable because it is damaged, however it is best to know if the permissions are set correctly before you start the recovery process, as it may not be the database that is the problem.
    6. Make sure there is a folder in the Sysvol share labeled with the correct name for their domain.
    7. Open a command prompt and run NTDSUTIL to verify the paths for the NTDS.dit file. These should match the physical structure from Step 2. To check the file paths type the following commands:
       Start a command prompt
       NTDSUTIL
       Files
       Info
       The output should look similar to:
       Drive Information:
         C:\ NTFS (Fixed Drive) free (2.9 Gb) total (3.9 Gb)
         D:\ NTFS (Fixed Drive) free (3.6 Gb) total (3.9 Gb)
       DS Path Information:
         Database : C:\WINNT\NTDS\ntds.dit – 10.1 Mb
         Backup dir: C:\WINNT\NTDS\dsadata.bak
         Working dir: C:\WINNT\NTDS
         Log dir : C:\WINNT\NTDS – 30.0 Mb total
           res2.log – 10.0 Mb
           res1.log – 10.0 Mb
           edb.log – 10.0 Mb
       This information is pulled directly from the registry and mismatched paths will cause Active Directory not to start. Type Quit to end the NTDSUTIL session.
    8. Rename the edb.chk file and try to boot to Normal mode. If that fails, proceed with the next steps.
    9. Reboot into Directory Services Restore mode again. At the command prompt, use the ESENTUTL to check the integrity of the database. NOTE: You can use NTDSUTIL to check the Integrity, however esentutl is usually more reliable. Type the following command:
       ESENTUTL /g “\NTDS.dit” /!10240 /8 /v /x /o
       (Note: Type the path without the quotes). Note: The default path would be C:\Winnt\NTDS\ntds.dit; however it may be different in some cases. The output will tell you if the database is inconsistent and may produce a jet_error 1206 stating that the database is corrupt. If the database is inconsistent or corrupt it will need to be recovered or repaired. To recover the database type the following at the command prompt:
       NTDSUTIL
       Files
       Recover
       If this fails with an error, type quit until back at the command prompt and repair the database using ESENTUTL by typing the following:
       ESENTUTL /p “\NTDS.dit” /!10240 /8 /v /x /o
       (Note: Type the path without the quotes). Note: If you do not put the switches at the end of the command you will most likely get a Jet_error 1213 “Page size mismatch” error.
    10. Delete the log files in the NTDS directory, but do not delete or move the ntds.dit file.
    11. The NTDSUTIL tool needs to be run again to check the Integrity of the database and to perform a Semantic Database analysis. To check the integrity, at the command prompt type:
        NTDSUTIL
        Files
        Integrity
        The output should tell you that the integrity check completed successfully and prompt that you should perform a Semantic Database Analysis. Type quit. To perform the Semantic Database Analysis, type the following at the NTDSUTIL prompt:
        Semantic Database Analysis
        Go
        The output will tell you that the Analysis completed successfully. Type quit and close the command prompt. NOTE: If you get errors running the Analysis then type the following at the semantic checker prompt:
        semantic checker: go fix
        This puts the checker in Fixup mode, which should fix whatever errors there were.
    12. Reboot the server to Normal Mode. If any of these steps fail to recover the database the only alternative is to perform an Authoritative System State restore from backup in Directory Services Restore mode. For more information, please refer to the following articles:
        315136 HOW TO: Complete a Semantic Database Analysis for the Active Directory http://support.microsoft.com/?id=315136
        265706 DCDiag and NetDiag in Windows 2000 Facilitate Domain Join and DC Creation http://support.microsoft.com/?id=265706
        258007 Error Message: Lsass.exe – System Error : Security Accounts Manager http://support.microsoft.com/?id=258007
        265089 Event 1168: Windows 2000 DCs Unable to Boot into Active Directory http://support.microsoft.com/?id=265089
        315131 HOW TO: Use Ntdsutil to Manage Active Directory Files from the Command http://support.microsoft.com/?id=315131
    BR – Frank

    Frank: This procedure (with some variations required for my environment) worked perfectly. Thank you very much.
    To other readers: The procedure works, but it is a loaded gun. Be careful and methodical.
    The specifics of my situation, which I offer as additional information, are:
    Windows Server 2003 R2 Standard Edition SP2 with all updates.
    One server, 20 clients; of course the server is the domain controller.
    I suggest running the command prompt window at an elevated security level ("run as:", followed by unchecking the "restricted" box).
    I also suggest changing directories to C:\WINNT\NTDS or C:\WINDOWS\NTDS, as appropriate.
    Variations:
    The location of the NTDS folder is C:\WINDOWS\NTDS for an install that is not an upgrade from Server 2000.
    Step 9 -- the parameters for ESENTUTL are different. For the integrity check I used "ESENTUTL /g NTDS.DIT /8" as the other parameters are not available.
    Also in step 9 -- For the repair step that was required I used "ESENTUTL /p NTDS.DIT /8". There was a window warning of a possible data loss, which clicking OK cleared.
    Step 11 -- NTDSUTIL FILES INTEGRITY works properly without change. However, the Semantic Database Analysis check cannot be run in a single command. I used "NTDSUTIL SEMANTIC DATABASE ANALYSIS" followed by "GO" at the next prompt. The database analysis does not report a positive result, but if there is no warning the database passes the analysis. To be certain I ran the "GO FIX" step anyway, which gave identical output.
    After this procedure the system started perfectly. I recommend this procedure as the answer to the problem.
      -- E. R. Quinones

  • Active Directory Mobile Account not working

    Hello all. I've successfully joined a few macs to an Active Directory domain. However, I have a laptop that needs to be able to authenticate even when away from the network. The "Create Mobile Account" checkbox seems perfect for the job. From my reading, it seems that it is supposed to cache login authentication info from network login users. Then when the computer doesn't have a network connection, it uses the cached credentials. Upon 1st login it asks if I want to create a mobile account, and I say yes. However, it doesn't work accross a reboot.
    If I reboot the computer without an network connection, and then try to authenticate at the login screen with my network user, the password field "shakes" as if I got it wrong.
    However, I know it is sorta working because if I type >console into the user field, I get dumped to the console, where I can successfully login using the network user's credentials. Even without a network connection. But not from the gui login screen.
    Any ideas?
    Thanks!

    Abbas,
    You can find active directory synchronization option under PWA settings >> Operation Policies
    1. In Project Web App, click the Settings icon, and then click Project Web App Settings.
    2. On the Project Web App Server Settings page, in the Operational Policies section, click Active Directory Resource Pool Synchronization.
    3. On this page, you need to enter the Active directory Group which contains the users you want to sync and then click on save and synchronize.
    You can check the status of the Enterprise Resource Pool synchronization by returning to the Active Directory Enterprise Resource Pool Synchronization page and reviewing the information in the Synchronization Status section. It contains information such as when the last successful synchronization occurred. If last synchronization failed for any reason, it will also post a timestamp of when it occurred if you wanted to search for more information in the ULS logs.
    Let us know the results.
    You can find more information on AD sync at
    http://technet.microsoft.com/en-us/library/gg982985(v=office.15).aspx
    Thank you,
    Kiran K.

  • Mac Mini Profile Manager installing/updating ipad Apps - HELP!

    Hi,
    i am hoping someone might be able to help with the following.
    we have a mac mini server to remote manage 25 ipads using profile manager.
    this works well as we can lock, wipe and clear passcodes etc.and attach the policies without any trouble.
    However we are trying to push out an app (version 1.4) to the devices and this is sort of working but not fully.
    if the app is already installed with version 1.3 it doesnt update even though in profile manager, 'active tasks' it says successful.
    if you go into profile manager and select the device and select 'update info' this registers against the device but still shows as the old version.
    if we delete the app from our test ipad and push it out via profile manager it goes in active tasks as successful then the ipad has a pop up message box saying the xxxxxx.ourdomain.co.uk would like to install the app, once this has been ok'd it  installs on the ipad ok, but when you select the app it tries to open then goes back to the screen again and never opens the app.
    if you download the app direct from itunes it opens with out any trouble.
    here is the process i am using.
    on the mac mini server.
    download the app via itunes
    then in apps i drag the app on to the desktop, this creates the .ipa file
    in profile manager, select the device, edit apps and browse to the .ipa and upload
    select the uploaded app and 'add'
    when you save this, then go to active tasks it gets pushed out to the device and reports as successful
    then the app either doesnt update if old version is installed or installs if no app is installed but doesnt open
    any help welcome
    regards
    Gavin

    Gavin,
    We've run into the same issue that you mentioned. My understanding of the Push App functionality of Profile Manager is this:
    Pushing apps is designed to be used to deliver In-House developed apps over the air (OTA). Meaning, if your organization develops an app for use on its own devices, you can upload the .ipa to Profile Manager and push it out while bypassing any App Store interaction. The In-House .ipa would contain its own provisioning profile that would dictate who is allowed to run it.
    When you download an app from the App Store, the .ipa that you get actually contains the AppleID that was used to purchase/download the app in the .plist. If you then push that app to a device that has never been used with that AppleID, the app will fail to launch as it cannot verify that you actually own the app.
    Before we go any further: what I'm about to discuss isn't officially condoned or supported by Apple, which means it is inherently risky and could be patched over at any time.
    In order to bypass the issue, what has worked for us is to sign into the App Store on each iPad with the AppleID that is used to purchase the apps on your Mac Mini. You need to download at least one app to the iPad while logged in with that AppleID in order for the iPad to retain the AppleID after the iPad users log in again with their personal AppleID. After you have done that, users may once again log in with their own AppleID.
    At this point, you can push an app to any of those devices that have been paired with your Mac Mini's AppleID at least once. The apps won't (immediately) crash.
    Here's the catch: I'm told that the .ipa contains an "expiration date" of sorts. Once that date has elapsed, your iPad will attempt to extend the expiration date by connecting to the App Store to verify that the same AppleID that was used to download the app in the first place is still active on the device. If it is not, the app may once again crash when you attempt to run it. Now, this expiration date or timer is not disclosed, meaning, if this is really the case, you will have no idea when the apps will stop working. It could be weeks, or months, or years. A gamble, really. So, use that at your own risk.
    Currently, there is no official method for pushing App Store apps Over-the-air with Profile Manager or any other Mobile Device Management platform.
    Remember!: If you are even considering pushing apps in the manner mentioned above, you will still need to account for licensing. As an organization, you must have purchased the same number of copies of an app as you intend to install on your devices. This is a non-issue with free apps, but for auditing purposes, you'd best look into VPP or steer clear of pushing apps altogether.
    I hope some of that helped clear up your question.
    Good luck!
