Lion Profile Manager clear passcode ipad 2
Hi All,
First ever post to Apple forums:) I'll try to make it simple
Ok on Profile manager I enrolled the ipad all went good, with passcode setting.
Now the user has forgotten the passcode.
I go to profile manager, select the device and select clear passcode and Its stuck on sending, because the ipad cannot connect to the internet since it uses proxy with authentication.
So is there a workaround to this problem, I cant change the proxy settings on the ipad since it is locked.
So how can I clear the passcode
Thanks in advance
Hi
Is the Lion server directly on the internet, or is there a proxy server or fire wall? These will block the ports needed for the Lion server to send the push request to the Apple Cloud.
Is the Web browser you used, Safari or Firefox? Safari is more relaible to connect to the profile manager.
Similar Messages
-
Bandwidth for remote Lion Profile Manager server
Hi all,
Can anyone shed some light on what kind of upstream bandwidth you'd need to have for a remote Lion Profile Manager server to manage your Macs? I'm not thinking about accessing home directories over the Internet, just the configuration profiles.
Thanks in advance for any input,
ChrisHi
64kbps for sites with approx 3-5 users or using ADSL lines with 512kbps
Regards
Divya -
Profile Manager to reset iPad passcode
Is it possible to use Mac OS X Lion Server Profile Manager to reset the passcode on managed iPads? I see the option to set complexity, but not an option to clea the existing passcode. Thanks.
If you go to /mydevices and log in as the profile you installed on your devices, you will see all the devices that profile is installed on. It is important that you log in as that profile and not an admin profile. You want to login as the profile name you installed on your devices.
Find the device you are looking for and click on "clear passcode" -
Mac Mini Profile Manager installing/updating ipad Apps - HELP!
Hi,
i am hoping someone might be able to help with the following.
we have a mac mini server to remote manage 25 ipads using profile manager.
this works well as we can lock, wipe and clear passcodes etc.and attach the policies without any trouble.
However we are trying to push out an app (version 1.4) to the devices and this is sort of working but not fully.
if the app is already installed with version 1.3 it doesnt update even though in profile manager, 'active tasks' it says successful.
if you go go into profile manager and select the device and select 'update info' this registers against the device but still shows as the old version.
if we delete the app from our test ipad and push it out via profile manager it goes in active tasks as successful then the ipad has a pop up message box saying the xxxxxx.ourdomain.co.uk would like to install the app, once this has been ok'd it installs on the ipad ok, but when you select the app it tries to open then goes back to the screen again and never opens the app.
if you download the app direct from itunes it opens with out any trouble.
here is the process i am using.
on the mac mini server.
download the app via itunes
then in apps i drag the app on to the desktop, this creates the .ipa file
in profile manager, select the device, edit apps and browse to the .ipa and upload
select the uploaded app and 'add'
when you save this, then go to active tasks it gets pushed out to the device and reports as successful
then the app either doesnt update if old version is installed or installs if no app is installed but doesnt open
any help welcome
regards
GavinGavin,
We've run into the same issue that you mentioned. My understanding of the Push App functionality of Profile Manager is this:
Pushing apps is designed to be used to deliver In-House developed apps over the air (OTA). Meaning, if your organization develops an app for use on its own devices, you can upload the .ipa to Profile Manager and push it out while bypassing any App Store interaction. The In-House .ipa would contain its own provisioning profile that would dictate who is allowed to run it.
When you download an app from the App Store, the .ipa that you get actually contains the AppleID that was used to purchase/download the app in the .plist. If you then push that app to a device that has never been used with that AppleID, the app will fail to launch as it cannot verify that you actually own the app.
Before we go any further: what I'm about to discuss isn't officially condoned or supported by Apple, which means it is inheritly risky and could be patched over at any time.
In order to bypass the issue, what has worked for us is to sign into the App Store on each iPad with the AppleID that is used to purchase the apps on your Mac Mini. You need to download at least one app to the iPad while logged in with that AppleID in order for the iPad to retain the AppleID after the iPad users log in again with their personal AppleID. After you have done that, users may once again log in with their own AppleID.
At this point, you can push an app to any of those devices that have been paired with your Mac Mini's AppleID at least once. The apps won't (immediately) crash.
Here's the catch: I'm told that the .ipa contains an "expiration date" of sorts. Once that date has elapsed, your iPad will attempt to extend the expiration date by connecting to the App Store to verify that the same AppleID that was used to download the app in the first place is still active on the device. If it is not, the app may once again crash when you attempt to run it. Now, this expiration date or timer is not disclosed, meaning, if this is really the case, you will have no idea when the apps will stop working. It could be weeks, or months, or years. A gamble, really. So, use that at your own risk.
Currently, there is no official method for pushing App Store apps Over-the-air with Profile Manager or any other Mobile Device Management platform.
Remember!: If you are even considering pushing apps in the manner mentioned above, you will still need to account for licensing. As an organization, you must have purchased the same number of copies of an app as you intend to install on your devices. This is a non-issue with free apps, but for auditing purposes, you'd best look into VPP or steer clear of pushing apps altogether.
I hope some of that helped clear up your question.
Good luck! -
Problems setting up Profile Manager
Hi everyone,
I've got 35 iPads in one room and I'd like to be able to configure them to use Profile Manager. I am running OSX 10.7.3 and all the tools are up to date.
I cannot get Profile Manager to run on the iPads. Here's what I've done so far:
- Enabled Profile Manager on the server
- Created a Self-Signed Certificate using Server.app
- Able to login to Profile Manager via the browser
I am stuck on the next part which is enroling the devices to Profile Manager. When I login to profile manager on the iPad, I get the option the "Enrol" the iPad, when I click "Enrol" I get the following error message:
"Unverified Profile" - "The authticity of "Device Enrollment" cannot be vertified. Installing this profile will change settings on your iPad.". I select 'Install Now', enter my passcode and I get this error: "The server certificate for "https://servername.domain/devicemanagment/api/device/ota_service" is invalid. When I press OK, I go back to the "Install Profile" window.
Has anyone had this issue before or know what's causing it? I suspect it's to do with certificates but I have created a Self-Signed one - do I need to do something else?
Thanks is advance,
MorganI had a similar issue before. I had changed the cert so many times that my keychain started having issues; ended up reformating the drive and reinstalling server.
I set my server up with a public domain and bought a UCC certificate from go daddy. Spending the money on a cert does bypass installing the whole trust profile as TeenTitan said.
Here's how I did it:
Setting up w/ Signed CA:
Establish your host name (ex. server.domain.com)
Don't turn on Profile Manager before setting up certs
Open Server.app, click on your server under "Hardware"
Go to "Settings"
Click on "Edit" next to SSL Certificate
In the drop down screen click the gear wheel in the left corner, select "Manage Certificates"
Click the "+" in the window, Click "Create a Certificate Indentity"
In the Name field type in your servers host name (ex. server.example.com)
Click the check for "Let me override defaults"
Fill out the next two windows with your organization's info
Click through the next few windows leaving all the defaults until you get to the window labeled "Subject Alternate Name Extension"
In the "dNSName" field add the the following records: yourdomain.com; server.yourdomain.com; www.yourdomain.com; autodiscovery.yourdomain.com (you could add more if you plan on hosting mail, address book, etc..)
IMPORTANT- make sure you add those "dNSName" addresses as Alternate name extensions when you are creating your SSL cert from an Authorized CA issuer like GoDaddy for example.
Click continue and finish creating your self generated cert
When you are finished you will return back to the Manage Certificates window and see your newly self generated SSL cert.
Click on the gear wheel and select "Generate Certificate Signing Request (CSR)"
Copy the following text
Close the window
Next, you need to go to your CA issuer and generate your cert. Copy the text into the field for generating your own SSL cert. (Your milage may vary in this process; I only know how to do it in GoDaddy)
After creating your cert, download it from your CA issuer's website. You should have two files, one being your "gd_intermediate.crt" and the other "yourdomain.com.crt"
Go back to the Settings section in Server.app and select "Edit" in "SSL Certificate" section
click the gear wheel icon and select "Manage Certificates"
Highlight your self genereated ssl that you created in the last steps
click the gear wheel icon and select "Replaced Certificate With Signed Or Renewed Certificate"
drag the "gd_intermediate.crt" that you downloaded into the window
Allow the keychain to add the record
Close Server.app
Open "Keychain Access" in your App folder
Click the lock in the bottom left corner and authenticate
In the top left pane select, under Keychains, "System"
in the bottom left pan, under Category, select "Certificates"
Drag the "yourdomain.com.crt" file that you downloaded from you CA issuer
Close keychain
Go back to Server.app in the settings section
select your newly generated SSL cert as your primary cert
Next, Enable Apple Push Notifications
Go to Profile Manager
Configure your directory services (I created an Open Directory Master)
Click Sign configuration profiles and choose your new SSL cert
Finally, turn on Profile Manager and if all goes well, you should be able to add your devices.
Hopefully this is helfpful; these were the steps I took to get my server going with a public address.
Other Info:
iOS devices enrolled had iOS 5.0.1 or higher (Models 3GS, 4, 4S)
I had ports 1640 & 2195 open for Profile Manager on my router
OS X Lion 10.7.3
Lion clients enrolled were 10.7.2 and up -
How to rename registered devices on Profile Manager
When we use the Profile Manager for our iPad control, we can not select the each iPad to rename them . Is there any way we can rename the devices in Server side? Would you advise us how we can configure in Server side for allowing to rename them?
We use OS X:10.9.5/iOS:8.1/Server:3.2.2You can only rename supervised devices with the profile manager.
All other devices will not show the Rename option at the Devices section.
The users can rename the devices and the new name will be shown after executing "Update Info" at the profile manager. I don't know any other way, with the exception of using the Apple Configurator. -
Profile Manager cannot set ibooks as single app mode in iOS
Right now I had updated all my iPad to iOS 8.0.2, and the server is updated to the newest version,too.
Sadly, When I want to setup the iPad to single app mode with iBooks, I cannot find it in the list.
Is this means ibooks is no long support on the single app mode? Then why give us the new function about push ibooks?
I have try the assistant function on my iPhone (8.0.2) itself, it can be locked in iBooks.
Any one can tell me what is the problem?
Many many thanks!HI Hines,
I had the same problems after the 3.0.2 update: enrolling of devices not working, unable to push configurations from Profile Manager, etc.
The update was a simple 3.0.1 => 3.0.2 on already updated OSX Mavericks to 10.9.1 and it seemed that all was ok, not like this situation: https://discussions.apple.com/message/24450438
Services used:
-Web
-Profile Manager with 20 iPads/iPhones already enrolled and with some in-house app pushed
I followed a solution similar to what suggested from Hines, apart from point #6. I was unable to re-download Server.app from App Store, greyed-out button.
So I was very happy to have another mac to download a fresh copy of Server.app.
Then:
-Deleted and thrashed the old version
-Message "all services stopped"
-Reboot
-Copied fresh "Server.app" to /Applications
-Started "Server.app" that made some initial auto configuration
-Services restarted
I just had to restart the postgres service and seems that I didn't lost any data/config (I hope, I'm already checking!)
=begin RANT
I know that Apple is essentially an hardware manufacter manly for consumer target now but that a simple minor update broke an entire software meant to be solid, like a server must be, is just plain unacceptable.
I know that OSX Server is very cheap and we can't pretend too much....but F**K...i loosed my sleep tonight!
=end RANT -
Use Profile Manager to configure 802.1x authentication to Active Directory
I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
If I configure the profile to for WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password with explicit access on the RADIUS server, the machine can get on the 802.1x network
If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
Here's my problem:
I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
Any thoughts?
Thanks!!!!I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager. If I can't get this to work I'm going to try SCEP and certificate authentication.
-
I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
DVD>Disk Utility>Erase Disk [or Recovery Partition>Disk Utility>Erase Partition]
DVD>Install Lion
Reboot, hopefully Lion install kicks in
Update, update, update Lion (NOT Lion Server yet) until no more updates
System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
Terminal>$ sudo scutil --set HostName server.domain.com
App Store>Install Lion Server and run through the Setup
Download install Server Admin Tools, then update, update, update until no more updates
Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
A few DNS set-up steps and these most important steps:
A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
I. Test from web browser server.domain.com/mydevices: Lock Device to test
J. ??? Profit
12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
Firewall
Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
SSH
Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
client$ ssh-keygen -t rsa -b 2048 -C client_name
[Securely copy ~/.ssh/id_rsa.pub from client to server.]
server$ cat id_rsa.pub > ~/.ssh/known_hosts
I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
$ diff denyhosts.cfg-dist denyhosts.cfg
12c12
< SECURE_LOG = /var/log/secure
> #SECURE_LOG = /var/log/secure
22a23
> SECURE_LOG = /var/log/secure.log
34c35
< HOSTS_DENY = /etc/hosts.deny
> #HOSTS_DENY = /etc/hosts.deny
40a42,44
> #
> # Mac OS X Lion Server
> HOSTS_DENY = /private/etc/hosts.deny
195c199
< LOCK_FILE = /var/lock/subsys/denyhosts
> #LOCK_FILE = /var/lock/subsys/denyhosts
202a207,208
> LOCK_FILE = /var/denyhosts/denyhosts.pid
> #
219c225
< ADMIN_EMAIL =
> ADMIN_EMAIL = [email protected]
286c292
< #SYSLOG_REPORT=YES
> SYSLOG_REPORT=YES
Network Accounts
User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
Oh well.
Email
Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
root: myname
admin: myname
sysadmin: myname
certadmin: myname
webmaster: myname
my_alternate: myname
Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
cd /etc/postfix
sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
sudo serveradmin stop mail
sudo serveradmin start mail
Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
iCal Server
Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
Web
The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
$ diff httpd.conf.default httpd.conf
95c95
< #LoadModule ssl_module libexec/apache2/mod_ssl.so
> LoadModule ssl_module libexec/apache2/mod_ssl.so
111c111
< #LoadModule php5_module libexec/apache2/libphp5.so
> LoadModule php5_module libexec/apache2/libphp5.so
139,140c139,140
< #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
< #LoadModule encoding_module libexec/apache2/mod_encoding.so
> LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
> LoadModule encoding_module libexec/apache2/mod_encoding.so
146c146
< #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
> LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
177c177
< ServerAdmin [email protected]
> ServerAdmin [email protected]
186c186
< #ServerName www.example.com:80
> ServerName domain.com:443
677a678,680
> # Server-specific configuration
> # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
> Include /etc/apache2/mydomain/*.conf
I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
Alias /eyetv /Users/uname/Sites/EyeTV
<Directory "/Users/uname/Sites/EyeTV">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
<Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
AuthType Digest
AuthName "EyeTV"
AuthUserFile /Users/uname/.htdigest
AuthGroupFile /dev/null
Require user uname
Options Indexes MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
User-agent: *
Disallow: /
Misc
VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.Privacy Enhancing Filtering Proxy and SSH Tunnel
Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
$ ./ssht 8080:[email protected]:3128
$ ./ssht 8080:alice@:
$ ./ssht 8080:
$ ./ssht 8018::8123
$ ./ssht 5901::5900 [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
$ vi ./ssht
#!/bin/sh
# SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
USERNAME_DEFAULT=username
HOSTNAME_DEFAULT=domain.com
SSHPORT_DEFAULT=22
# SSH port forwarding specs, e.g. 8080:localhost:3128
LOCALHOSTPORT_DEFAULT=8080 # Default is http proxy 8080
REMOTEHOST_DEFAULT=localhost # Default is localhost
REMOTEPORT_DEFAULT=3128 # Default is Squid port
# Parse ssh port and tunnel details if specified
SSHPORT=$SSHPORT_DEFAULT
TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
while [ "$1" != "" ]
do
case $1
in
-p) shift; # -p option
SSHPORT=$1;
shift;;
*) TUNNEL_DETAILS=$1; # 1st argument option
shift;;
esac
done
# Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
shopt -s extglob # needed for +(pattern) syntax; man sh
LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
USERNAME=$USERNAME_DEFAULT
HOSTNAME=$HOSTNAME_DEFAULT
REMOTEHOST=$REMOTEHOST_DEFAULT
REMOTEPORT=$REMOTEPORT_DEFAULT
# LOCALHOSTPORT
CDR=${TUNNEL_DETAILS#+([0-9]):} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
LOCALHOSTPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEPORT
CDR=${TUNNEL_DETAILS%:+([0-9])} # delete shortest trailing :+([0-9])
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEPORT=$CAR
fi
TUNNEL_DETAILS=$CDR
# REMOTEHOST
CDR=${TUNNEL_DETAILS%:*} # delete shortest trailing :*
CAR=${TUNNEL_DETAILS##$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR#:} # delete :
if [ "$CAR" != "" ] # leading or trailing port specified
then
REMOTEHOST=$CAR
fi
TUNNEL_DETAILS=$CDR
# USERNAME
CDR=${TUNNEL_DETAILS#*@} # delete shortest leading +([0-9]):
CAR=${TUNNEL_DETAILS%%$CDR} # cut this string from TUNNEL_DETAILS
CAR=${CAR%@} # delete @
if [ "$CAR" != "" ] # leading or trailing port specified
then
USERNAME=$CAR
fi
TUNNEL_DETAILS=$CDR
# HOSTNAME
HOSTNAME=$TUNNEL_DETAILS
if [ "$HOSTNAME" == "" ] # no hostname given
then
HOSTNAME=$HOSTNAME_DEFAULT
fi
ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
&& echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
|| echo "SSH tunnel FAIL." -
Profile Manager - Remove icons in ipad and disable home button
Hello,
First of all sorry for my bad english.
Im working on a project, installed LION Server with Profile Manager configured, also Enrolled my iPad, i can also push the settings in to the ipad.
But now what i realy want, what the meaning of the project is; remove all of the icons and place only one icon (WEBCLIP) and what even will be beter is, when i boot my iPad the webclip popups by default. Is this possible guys?
Thank you!It's impossible to develop an iPad app that can't be closed until some actions are done. The iPad programmer cannot override what happens when the user presses the 'Home' button. The 'Home' button will always tell the front application to go to the background, and if that application doesn't cooperate within a reasonable time it will be terminated.
Bear in mind that an iPad is an overgrown iPhone. It's always possible that someone will phone you up when you're running an app, and the app must release control and let you answer that phonecall.
I suggest you discuss the design philosophy with whoever wants the application, remembering that computers are meant to help us do what we want to do, not boss us about. -
How to write .CSV file to import device placeholder into Lion Server Profile Manager?
I'm now using Mac Mini with Lion Server (10.7.4). I've already setup a server with Profile Manager to manage some iOS devices.
Now I need to add many devices into Profile Manager. From some articles, (for example http://my.safaribooksonline.com/book/-/9780132778879/chapter-4dot-managing-accou nts/ch04lev1sec3), I found that I can use .CSV file to import many device placeholders at a time. So I create a .CSV file "devices.csv" with the content as the following:
iPhone001,12345ABCD12,,,
Then I import this file to "Devices" in Profile Manager, but in vain. It says that the placeholder is invalid.
If there's any one could provide some exemples? Thanks a lot.Hi Nien-Yi Ho,
A little late, but perhaps someone else can benefit ...
The way I did this, is:
- create an empty Excel spreadsheet
- add 5 headers in the first row: DeviceName, SerialNumber, IMEI, MEID, UDID
- in the next rows add your devices and specs (for the iPhones and iPads I only added DeviceName, SerialNumber and IMEI specs)
- IMPORTANT: save the file as a Windows CSV file.
If you import the CSV file now, all should go well. -
Mountain Lion Server Profile Manager error
I recently setup a Mountain Lion server (10.8.2) to manage multiple ipads and Macs with Profile Manager in a PC oriented Active Directory environment.
I setup an SSL certificate and bound to the organization's active directory (with Directory Utility) and that all works fine.
We are now simply trying to assign the rights to individual users to use Profile Manager and running into trouble.
Using the Server app, we click on a user (or group) and then go to assign rights (with the gear menu).
The list of items to assign is supposed to come up.
Instead the list never comes up.
Can anyone shed any light on what we have to do?What are you trying to do
Assign what users can use the profile managers web interface
or restrict what users can and can't have devices registered to their name in profile manager -
Mountain Lion Server Profile Manager not accessible externally
What do I need to be checking if I can't access our Mountain Lion server's Profile Manager externally. From a test iPad on a carrier's 3G network, I get a "server not found" error when using http://fqdn/. I can bring up the server page if I use https://publicipaddress. but not https://publicipaddress/profilemanager. Apple tried accessing the server with the same findings. We're a state agency behind tight firewall and security and we're told that all Profile manager needed ports are open... Thanks.
Nelson -
Pretty much everything boiled down to DNS, firewalls and ports. Unfortunately, I was never able to acertain which of the three items were causing this problem because we have a separate group who manages the network and firewall (plus a separate security team). If I recall, once they focused on what it was I was trying to accomplish, most of the problems "magically" went away.
Is your reverse DNS working the way it's supposed to? Ex:
yourserver:~ login$ hostname
yourserver.yourdomainname
yourserver:~ login$ host yourserver.yourdomainname
yourserver.yourdomainname has address 10.x.x.x
yourserver:~ login$ host 10.x.x.x
3.34.2.10.in-addr.arpa domain name pointer yourserver.yourdomainname
yourserver:~ login$
Also be sure to follow "burton11234's" posts. https://discussions.apple.com/people/burton11234?view=overview -
Lion Server Profile Manager - Windows Enviroment
My company needs to be able to manage mobile devices, specifically iPhones and iPads, that connect to our corporate MS Exchange server. We are looking at mobile device management solutions to manage password policy, software restrictions, device registrations, etc., and I have come across the built in Profile Manager in Lion Server. Is it possible to introduce or integrate a Lion Server into our existing Active Directory environment for the purposes of mobile device management or are we better off on finding another third party solution?
taubmas wrote:
Not sure if its that as finally got Lion Server working on a VM setup so network shouldn't be an issue...
Had 1 OSX Lion Server VM and 1 OSX Lion Client VM and OSX Lion Server VM gets profile and enrolls device fine but again OSX client doesn't get enroll just sits again at installing..... even if set keychain to trust and make trust profile verified..
any other ideas? I think need to somehow get the server to trust trust profile by default instead of going to keychain all the time.
Shane
Did you get this to work in an ESXI envrionment? If so, which version are you running? -
1 iPad used by multiple people, configurator or profile manager?
We have one iPad that needs to be taken out by 3 or 4 people at various times, we have mountain lion server running Profile Manager.
I have just downloaded Apple Configurator to supervise the iPad to allow us to re-assign it to different people as needed.
My question is, should you set up the configuration profiles using Apple Configurator or use Profile Manager to handle this, or doesn't it make any difference?You can all have independent AppleIDs for iCloud or iMessage etc, but share the same one for iTunes Store / AppStore purchases.
Maybe you are looking for
-
I'm worried about what will happen if I delete my recent backup data from the phone I still own? Will I lose any progress in games that was saved in the backup? I have an iPhone 4S and I keep getting those irritating notifications that tell me I need
-
CAn two different skype account use the same skype...
If I buy a skype number thru my account , when someone calls, can it ring in my husband´s and my device or do I need a different skype number for each skype account?
-
How to configure array for UAG 2010 with topology Between a frontend firewall and a backend firewall
Hi, We want to publish exchange 2013 through UAG 2010. What is the best topology for UAG 2010? Can we configure UAG 2010 arrawy with topology "Between a frontend firewall and a backend firewall" ? Can we configure UAG 2010 array in workgroup? What is
-
User Entry variable - AND condition
Hi, The requirement is, if the user enters two materials A and B, the query should pull out all the transactions with BOTH materials in it. If the user entry variable with selection option is used, it pulls out the records even if one of the material
-
What is the best way to make a temporary change to my home page?
I plan to make a change to my home page that will last about a month. I will include information about a current exhibition I am having. Then I will revert back to my current page. My planned approach is to copy and save my current "domain" file, mak