Profile Management in XIr2

Similar Messages

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Unable to push user profiles to AD groups with Profile Manager since upgrade to Server v3

  Since upgrading our OS X Mac server from 10.8.5 to 10.9.1, and OS X Server app to v3 (now 3.0.2) I have been unable to push or modify user profiles to AD groups (or AD users) using Profile Manager. This was working fine on OS X 10.8.5. Pushing device profiles is still working OK after the upgrade.
  From what I can see from the logs on the client side and server side, it seems related to a problem with the mdm authtoken.
  In the client console I can see this entry:
  27/01/14 14:30:15.844 mdmclient[38557]: *** ERROR *** [Agent:636102071] Unable to proceed with connection to: https://ourserver.ourdomain/devicemanagement/api/device/mdm_connect (com.apple.mdmconfig.mdm) because don't have valid MDM AuthToken
  On the server, in the php.log I can see the corresponding attempt to authenticate:
  1::Jan 27 14:29:50.930 [158] <192.168.28.171> {require_once (mdm_checkin.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_checkin
  0::Jan 27 14:29:50.931 [158] <192.168.28.171> checkin: 'UserAuthenticate'
  1::Jan 27 14:29:50.936 [158] <192.168.28.171> {Target_for_incoming_request (target.php:209)} Found target NETWORK LS: <User[156]@ourclientmachine>
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> {LabSession_validate_auth_token (mdm_checkin.php:22)} Failed auth for target NETWORK LS: <User[156]@Device[1697]>, incoming_request={
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'MessageType'=>'UserAuthenticate',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UDID'=>'17aff5c5a40f51acbbd78023d0028c80',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UserID'=>'A5EA25B7-7CCD-4EF4-B240-F23DED275EEC'
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> }
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Sent Final Output (407 bytes)
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_checkin
  0::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Completed in 34ms | 200 OK [https://ourserver.ourdomain/devicemanagement/api/device/mdm_checkin]
  So I can see there is a failure to authenticate, but don't really know how to troubleshoot this further. Or maybe this is just a bug in the new server app?
  I have tried to remove and re-enroll clients in Profile Manager but no joy there.
  In the client's Keychain I can see an MDM user AuthToken linked to the correct user account.
  Thanks in advance for any help or suggestions

  I just wanted to update my post, as this issue for me is resolved.
  I uninstalled and reinstalled the Server.app on our Mac server, since then I've been able to push profiles to AD Users and Groups. I guess that in my case the Server app got into a bit of a mess when it was upgraded to v3.
  Now the next headache I have is that my AD Groups which are displayed in Profile Manager are not syncing any recent changes. I think I'm probably seeing the same issue as described in this post
  https://discussions.apple.com/message/25420919#25420919

• VPP Distribution issues with OSX Server Profile Manager

  Hi, I have a new issue with my OSX 10.9.5 Server. I use VPP to distribute apps to users devices, when I would add a new user I would send them an invitation message through /profilemanager . All was working well until recenetly , the message still arrives in the users mailbox however when you click the "sign in" link on the "receive apps and books from xxxxx" email instead of opening through the Mac App store app it now opens Safari and connects to the profile manager server , any ideas ? it never has done this before and although I thought it was a new feature or method I can not seem to resolve the issue.

  Hi if when you are redirected back to your Mac Server you enter the user name and password of the user you are trying to receive VPP apps for i.e the Open Directory credentials it will then open the App Store providing the credentials are correctly entered so it looks like an additional layer of security. The process is click on the link in the VPP invite email, this takes you to your Mac Server profile manager, log on with your OD account, App store then opens on your Mac like it used to.

• Profile manager won't clear previous settings

  While messing around with profile manager it do a couple basic things. Start FaceTime at login and map some network drives. This worked fine but when i went back in later to turn those off they continue to go through. When I log on to a different computer the settings are correct, however. Is there someone I can do a clean refresh of the machine to wipe it of all previous profile manager settings. I've even tried deleting and re adding the machine to Profile manager but this still doesn't work.

  You'll need to cleanup DNS on the domain controller not client systems.
  Give me some information on how this server is integrated into your environment.
  Is it bound to Active Directory?  If so, what happens when you launch terminal?  Does the hostname match the name under Sharing in sys prefs on your server?  If not, you've probably got some stale DNS screwing things up.
  To see if this is the case, log in to your primary DC (or whichever server hosts DNS records in your environment) and check your forward and reverse lookup zones.  In my case, I saw more records than we have machines!  Problem with Macs is those records stick around even after you remove a machine.  Macs aren't always automagical unfortunately.
  Another way to see if you have DNS problems is simply take a freshly imaged server (BEFORE it's bound to AD) and fire up profile manager.  If it launches easy breezy (aka not getting DNS from the potentially messy server) then it's safe to assume you'll need to scavenge out those records.  But that another story for a Win 2008 R2 board.

• How do I use multiple VPP accounts in a school system with 1 Profile manager server?

  I have 40 schools with their own money they want to spend on apps. I need these accounts to be seperate. We are registered in the Device enrollment program and are using Apple's profile manager to distribute VPP apps. In the DEP website you can add existing vpp admins. I had hoped when these accounts purchased apps, the apps would show up in Profile Manager which uses the master Apple ID, but this didn't happen. Anyone know what the correct process is for doing this?

  If you haven't found the answer: You have to install the correct token for each account.  Apple Servers, as far as I know, do not support using multiple tokens at once.  As a result, you will have to swap out each of the 40 tokens anytime anyone wants to buy something then assign it to a user then push the app.
  Or just buy it with a redemption code and give that code to your users.

• How do I use the Profile Manager to run multiple PHP sessions?

  I have a website that tracks the session and state of users as they traverse through the site. Several users can "work together" simultaneously. To test this cooperative functionality, I ran multiple Firefox profiles simultaneously on my computer, using Firefox's Profile Manager. After logging in as two users (one on each separate running Firefox instance), one of my Firefox instances still works, while the other one does not seem to track the session.
  How do I create and run multiple Firefox instances to allow me to test the functionality of such sites? I believe this worked a few months ago. Perhaps this is a new bug?
  I even tried running normal Firefox and Firefox Extended Support Release simultaneously, but I ran into the same error.

  Disregard the question. The solution has nothing to do with any "Firefox bug". Turns out that my session wasn't being managed properly. Or rather, I was accidentally deleting other users' information when new users logged in. So if I had user 1 and user 2, and user 2 logged in after user 1, some of user 1's information would be deleted, resulting in the errors.
  Oops; sorry about the false alarm. :)
  (Was hoping to retract the question, but it looks like others have a similar problem.)

• Why will firefox not start on my laptop? can't uninstall or open the profile manager either. it simply does not run. it used to work fine until i had to restore my system.

  had firefox 4.0 & have been a user of firefox for a few years now. never had any problems. had to do a system restore after my computer detected a virus of some sort & i couldn't do anything. the virus kept popping up a bogus add for me to buy an antivirus program. had to restart laptop in safemode to initiate the restore. ever since then firefox has not opened. can't even uninstall it or open the profile manager. anything that has to do with firefox will simply not run/open at all. i'm stumped.

  System restore can cause problems as well as solve them, it has probably completely mucked up your Firefox installation.
  Try deleting your Firefox installation directory, the default location on 32 bit Windows is C:\Program Files\Mozilla Firefox\
  Now re-install Firefox, it should pick up your current profile folder so you should not lose your bookmarks, passwords etc.

• Cry for help: a decent network profile manager

  Am I the only one that finds the default arch linux network profile management a bit.. lacking? Maybe I just don't have it set up right, but it only works for my ethernet connection and connecting to non-encrypted wireless networks. Problem is, I run WPA2-AES networks at home and at work. I finally got wpa_supplicant properly set up (I'm on wireless right now), but I can't just select the network profile from the menu and be on my way.
  Here is what I have to do to get connected right now:
  [root@cdl-magnesium chris]# wpa_supplicant -dw -c/etc/wpa_supplicant.conf -Dmadwifi -iath0
  [root@cdl-magnesium chris]# dhcpcd ath0
  and I'm connected, everything working great. That's fairly simple, right? I'm thinking my network profile has a lot more in it than necessary.
  # Network Profile
  DESCRIPTION="57 May"
  # Network Settings
  INTERFACE=ath0
  #HOSTNAME=myhost
  # Interface Settings (use IFOPTS="dhcp" for DHCP)
  IFOPTS="dhcp"
  #GATEWAY=192.168.0.1
  # DNS Settings (optional)
  #DOMAIN=localdomain
  #DNS1=192.168.0.1
  #DNS2=
  # Wireless Settings (optional)
  ESSID="Galactica"
  #KEY=
  #IWOPTS="mode managed essid $ESSID channel 6 key restricted $KEY"
  WIFI_INTERFACE=wifi0 # use this if you have a special wireless interface
  # that is linked to the real $INTERFACE
  WIFI_WAIT=5 # seconds to wait for the wireless card to
  # associate before bringing the interface up
  USEWPA="yes" # start wpa_supplicant with the profile
  WPAOPTS="-D madwifi" # use "" for normal operation or specify additional
  # options (eg, "-D ipw")
  # see /etc/wpa_supplicant.conf for configuration
  #AUTOWPA="yes" # automatically configure WPA
  If I do a /etc/rc.d/network restart and select the profile from the menu, I get all sorts of errors about not being able to connect to wpa_supplicant (because for some reason it isn't running.. was I supposed to do something about that?).
  I'm a bit tired right now so pardon any incomprehensible sentences or questions
  ps: while we're on the subject, is there a way to re-sort the items in the network profile list? It always wants to connect to this broken wpa2 profile first, as I think it just goes in alphabetic order or somethin. I guess I should just turn off the timeout so it always waits for me to choose.

  i'm working on one.
  http://wiki.archlinux.org/index.php/Network_Scripts
  James

• My firefox isn't starting and I've tried changing the profile manager but that wouldn't open either even when I closed it out on the task manager

  I've followed all the steps in the "Firefox will not start" and it is still not working :(

  I'm also having this problem. The firefox.exe ins't even shown in my processes, but the profile manager still won't open. Neither will firefox internet. So far I've been going in circles trying to figure it out and nothing is working. I don't want to start deleting things (the profile, extentions), but I don't know what else to do.

• Firefox doesn't open, but is open in Processes in Task Manager, not even profile manager opens up for Firefox opens up. Please help

  I'm using Vista, 32 bit - not even downloading the beta version of Firefox 4 helps; it downloads (just like the regular version of Firefox, 3.4) and I can install it, but trying to run it gives me nothing - no warning, no text; it just doesn't open up, but is still visible in my start menu, programs folder and in task manager. And not even profile manager opens up.

  Make sure that you do not remove your personal data when you uninstall Firefox. Then you won't lose personal data stored in a different location in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Firefox Profile Folder].
  See also http://kb.mozillazine.org/Profile_backup and [[Backing up your information]]
  A possible cause is security software (firewall) that blocks Firefox.<br />
  Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox.<br />
  See [[Server not found]] and [[Firewalls]] and http://kb.mozillazine.org/Firewalls
  See also http://kb.mozillazine.org/Browser_will_not_start_up
  Do a malware check with a few malware scan programs.<br />
  You need to use all programs because each detects different malware.<br />
  Make sure that you update each program to get the latest version of the database.<br />
  *http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
  *http://www.superantispyware.com/ - SuperAntispyware
  *http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
  *http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
  *http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
  See also "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked and [[Searches are redirected to another site]]

• Firefox won't open, error msg = can't find profile; deleted all app.data to rid new Win 7 Total Security virus - tried both v 4.0 & v 3.6 (now no error msg either). Can't open profile manager, can't open safe mode. pls help

  My mother's computer was infected with the new "Win 7 Total Security" virus (apparently a fake antivirus program) - corrupted real av. To remove, we followed online advice to delete everything in AppData, for all programs, plus some other stuff. We moved it all to a flashdrive for safety, but after successfully removing virus, likewise cleaned & reformatted flashdrive. This apparently deleted Firefox profile(s), and after uninstalling & reinstalling, Firefox still won't open - I can't create a new profile. With v 4.0, I get an error message about not being able to find the profile. Found advice on how to open profile manager, but it won't open. Found reference to version 4 dispensing with profile manager, so tried installing version 3.6 again; still won't open, still can't open profile manager, but now no error message at all.

  THANX for the reply cor-el. I've never had a problem using just "firefox -p", but i did use the full path like you advised after i read the profile manager article here before i posted my question. Unfortunately it didn't work. I've backed up all 3 profiles from the "%appdata% profile" file, and also from my remaining main profile that i'm on right now. I decided i'm going to uninstall ff3.6.28 & upgrade to "firefox 11" this weekend and hopefully create the other 2 profiles along with my main one. I do like in the newer versions of FF the tabs on top like googles chrome because it gives you more room on the page. I also like some other features too, but the main reason i kept my old version both times is because the newer versions didn't seem to load pages any faster than version 3.6.28. I'm not going to worry about some themes/personas not being compatible with ff11. I'll find some new ones. I think when i tried "ff9" awhile back along with my current version, i just deleted the shortcut that the article said to create on the desktop and still had all 3 profiles & no problems like i have now. In case your curious, the article on how to create more than one version of firefox at the same time was on the site "Dottech.org>[How To] Tip: Install multiple versions of Firefox to test before upgrading to latest release". It works but i obviously did something different this time that caused this problem. THANX again for your time/help, i do appreciate it.

• Dns problems setting up profile manager

  i have been experimenting setting up OS X Server (10.8) on a new Mac mini on a network with Time Capsule.   server's host name is "server.me.private" at IP address 192.168.1.100 , Time Machine DHCP server address is 192.168.1.1 .
  Open Directory and Profile Manger are on in Server.app.  (Profile Management: Enabled, Signing config profiles using the Apple Certified Push Certificate, w/ Apple push notifications on in Server settings.)
  I can not, however, get Profile Manager to open and connect in a browser using "server.me.private/profilemanager" from either the mini itself or from another mac on the nework.  i can get a brower to connect to Profile Manager using "192.168.1.100/profilemanager" but after successfully logging in, the browser is redirected to a "server.me.private/..."  address and shows connection failure. 
  i HAVE gotten a browser to connect and function properly by changing the DNS Server in the the Network System Preferences on that specific Mac from "192.168.1.1" to "192.168.1.100".  (DNS in Server.app, for the record is also on in this instance, forwarding server to 192.168.1.1 )  this, howerver, is a pain and also doesn't work trying to connect an iOS device.
  i'm definitely missing something here.  it seems to me that the Time Capsule should remain the DNS Server for the network and forward "server.me.private" to "192.168.1.100".  it is not doing this, and there are no options for setting this with Airport Utility.
  some light on this subject would be greatly appreciated.  Thanks very much!

  thanks very much for your thoughts and reply, Thomas.
  if i were to change the Time Capsule to use the Mini as the primary DNS server, is this where i'd do it in Airport Utility?
  but it won't let me change the DNS Servers fields here.  and if i can change the DNS Serever to my Mini's 192.168.1.100, what address should i keep for the second DNS Server?
  Thanks again!

• Please help - Firefox will not open. library - applications - and no firefox is listed to get to my profile manager. . What's next?

  firefox has been running slower. When this happens I'll reboot my computer and this speeds up firefox. When I restarted the computer firefox would not open. Just the spinning wheel with no access to the tools.
  After I force quit - it says ignore or notify/report to apple. I tried sending a report, and it ques up the box with details, system config, etc... but when I click on send - it will not let me send one - I've never been unable to send a report before.
  I uninstalled, then reinstalled. Upon opening I get the spinning wheel and nothing happens - I need to force quit. I see on this mozilla help site that I need to update my profile manager. I followed these instructions - Finding your profile without opening Firefox Open Finder and go to your home folder. Note: your home folder is usually the name of your Mac user account From your home folder open /Library/, then /Application Support/, then /Firefox/, then /Profiles/. Your​ prof​ile ​fold​er is with​in this​ fold​er. but when I got to library - application support - there is no firefox listed.

  You can do a disk check with the chkdsk.exe program.
  If you run the chkdsk.exe program from a cmd.exe Command window then you can read the response from the chkdsk.exe program.
  Open a cmd.exe window:<br />
  Start &gt; Run: cmd.exe &lt;press Enter&gt;
  At the command prompt (>) type or Copy&Paste: chkdsk.exe /f /r &lt;press Enter&gt; (put a space before /f and /r)
  If you get something like: Would you like to schedule this volume to be checked the next time the system restarts? y/n then answer the question with "Y" and close all programs and reboot the computer.
  A possible cause is security software (firewall) that blocks or restricts Firefox without informing you about that, possibly after detecting changes (update) to the Firefox program.
  Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process.
  See:
  * [[Server not found]]
  * [[Firewalls]]
  * http://kb.mozillazine.org/Browser_will_not_start_up

• Why is the Profile Manager web portal inaccessible after update to 3.2.1 ?

  We run the Profile Manager in OS X as an MDM. We also use the Device Enrollment Program.
  After updating to 3.2.1, the web portal for Profile Manager became inaccessible, and DEP checkbox in Profile Manager became unchecked.
  I've attempted to re-enroll in the DEP, but it always rejects the Token I give.
  I don't know if the two problems are related or not.
  Does anyone have a solution?
  This is the log from the Profile Manager Service Log when I attempt to log in to the Profile Manager portal.
  [641] [2014/09/18 12:54:16.249] I: Processing MagicController#admin_will_load (for 10.31.101.183 at 2014-09-18 12:54:16) [POST]
  [641] [2014/09/18 12:54:16.250] I: auth_token doesn't exist
  [641] [2014/09/18 12:54:16.251] I: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
  [641] [2014/09/18 12:54:16.251] I: Completed in 2ms (View: 0, DB: 1) | 403 Forbidden [http://appleserver0001.ccps.us/magic/admin_will_load]
  [633] [2014/09/18 12:54:20.392] I: Processing MagicController#do_magic (for 10.31.101.183 at 2014-09-18 12:54:20) [POST]
  [633] [2014/09/18 12:54:20.393] I: auth_token doesn't exist
  [633] [2014/09/18 12:54:20.394] I: Filter chain halted as [:verify_auth_token] rendered_or_redirected.
  [633] [2014/09/18 12:54:20.394] I: Completed in 2ms (View: 0, DB: 1) | 403 Forbidden [http://appleserver0001.ccps.us/magic/do_magic]
  [636] [2014/09/18 12:54:35.028] I: Processing AuthenticationController#callback (for 10.31.101.183 at 2014-09-18 12:54:35) [GET]
  [636] [2014/09/18 12:54:35.359] F: ActiveRecord::StatementInvalid (PG::Error: ERROR:  relation "view_all_user_groups_users_flat" does not exist
      LINE 2:         FROM   view_all_user_groups_users_flat AS j
                             ^
      :         SELECT COUNT(j.*)
              FROM   view_all_user_groups_users_flat AS j
              WHERE  j.user_id       = 27
                AND  j.user_group_id = 3
              LIMIT  1
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract_adapter.rb:227:in `rescue in log'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract_adapter.rb:204:in `log'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/postgresql_adapter.rb:520:in `execute'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/postgresql_adapter.rb:1002:in `select_raw'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/postgresql_adapter.rb:989:in `select'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/database_statements.rb:7:in `select_all'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/query_cache.rb:60:in `block in select_all_with_query_cache'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/query_cache.rb:81:in `cache_sql'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/query_cache.rb:60:in `select_all_with_query_cache'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/database_statements.rb:13:in `select_one'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/database_statements.rb:19:in `select_value'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/base.rb:920:in `count_by_sql'
        app/models/user_group.rb:371:in `user_is_member_of_group'
        app/models/user.rb:293:in `user_is_admin?'
        app/controllers/application_controller.rb:258:in `verify_admin_logged_in'
        vendor/ruby/1.9.1/gems/activesupport-2.3.18/lib/active_support/callbacks.rb:178 :in `evaluate_method'
        vendor/ruby/1.9.1/gems/activesupport-2.3.18/lib/active_support/callbacks.rb:166 :in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/filters.rb:225:i n `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/filters.rb:629:i n `run_before_filters'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/filters.rb:615:i n `call_filters'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/filters.rb:610:i n `perform_action_with_filters'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/benchmarking.rb: 68:in `block in perform_action_with_benchmark'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/benchmarking.rb: 68:in `perform_action_with_benchmark'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/rescue.rb:160:in `perform_action_with_rescue'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/flash.rb:151:in `perform_action_with_flash'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/base.rb:532:in `process'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/filters.rb:606:i n `process_with_filters'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/base.rb:391:in `process'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/base.rb:386:in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/routing/route_se t.rb:438:in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/dispatcher.rb:87 :in `dispatch'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/dispatcher.rb:12 1:in `_call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/dispatcher.rb:13 0:in `block in build_middleware_stack'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/string_coercion. rb:25:in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/string_coercion. rb:25:in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/params_parser.rb :15:in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/session/abstract _store.rb:177:in `call'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/query_cache.rb:29: in `block in call'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/query_cache.rb:34:in `cache'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/query_cache.rb:9:i n `cache'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/query_cache.rb:28: in `call'
        vendor/ruby/1.9.1/gems/activerecord-2.3.18/lib/active_record/connection_adapter s/abstract/connection_pool.rb:361:in `call'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/failsafe.rb:26:i n `call'
        <internal:prelude>:10:in `synchronize'
        vendor/ruby/1.9.1/gems/actionpack-2.3.18/lib/action_controller/dispatcher.rb:10 6:in `call'
        vendor/ruby/1.9.1/gems/rails-2.3.18/lib/rails/rack/static.rb:31:in `call'
        vendor/ruby/1.9.1/gems/rails-2.3.18/lib/rails/rack/log_tailer.rb:17:in `call'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:81:in `block in pre_process'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `catch'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:79:in `pre_process'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:54:in `process'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/connection.rb:39:in `receive_data'
        vendor/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:187:in `run_machine'
        vendor/ruby/1.9.1/gems/eventmachine-1.0.3/lib/eventmachine.rb:187:in `run'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/backends/base.rb:63:in `start'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/server.rb:159:in `start'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/controllers/controller.rb:86:in `start'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/runner.rb:187:in `run_command'
        vendor/ruby/1.9.1/gems/thin-1.5.1/lib/thin/runner.rb:152:in `run!'
        thin:11:in `<main>'
  [636] [2014/09/18 12:54:35.360] I: Rendering /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/public /500.html (500 Internal Server Error)

  There are several of us having issues.  A couple of threads so far:
  Server 3.2.1 update fail
  After Server 3.2.1 Upgrade profile manager stopped working
  You can read my reply in the first one, but you should add your voice and call Apple Support about this.  They need to understand this is an issue and will probably capture some data so that they are able to (hopefully) release or post a fix.