Profile management meta tables list

Similar Messages

• Server 2.2 and AD Profile Manager issues

  The Server 2.2 update lets you use AD users inside of AD groups (YAY!)  My problm is after the update the web interface in Profile Manager will not list groups or users anymore, it slows down to a crawl and errors out.  I also can't add "network users" to local groups in OD anymore.  Is this a permissions error or is it just overloading my new mac mini server?
  We and a few hundred users and in logs I can see the users importing from AD and it is peaking out the CPU resources on the mini. 
  any ideas?

  Dec 10 10:12:46 iosconfig.server.com ProfileManager[236]: hide_user_record?: ignoring invalid record <ODRecord 0x7f93ee61c040 [attributes {'dsAttrTypeStandard:GeneratedUID': '6A7C291C-2149-4D04-9654-041FE990A2DC', 'dsAttrTypeStandard:RecordName': 'user', 'dsAttrTypeStandard:UniqueID': '1786521884', 'dsAttrTypeStandard:RealName': 'LAST, FIRST', 'dsAttrTypeStandard:AppleMetaRecordName': 'CN=USER,OU=OU,OU=Employees,DC=DOMAIN,DC=COM', 'dsAttrTypeStandard:AppleMetaNodeLocation': '/Active Directory/domain/server.com', 'dsAttrTypeStandard:RecordType': 'dsRecTypeStandard:Users'}]> (stack level too deep)
  it is importing each user in the System Log like this(edited for privacy)

• Profile Manager Login Item Apps

  Where does Profile Manager get the list of apps that you can select from for the applications to load at login in the "Login Items" payload?
  I have several apps that I've added on the server, but they do not show up in the list of applications?!?  Weird.

  I would reccomend the use of a Login banner if you have that much content.
  http://support.apple.com/kb/HT4788

• Profile Manager Calendar Subscription

  Is it possible to deploy calendar subscriptions to OSX Users with Profile Manager?  Its listed as an option for iOS users, but not OSX.  Perhaps a custom payload?

  hi there. did you find a way to solve this?
  I am getting many (non-stop every minute) of "10/8/12 4:24:48.966 PM com.apple.launchd[1]: (com.apple.collabcored4) Throttling respawn: Will start in 7 seconds" errors. And my wiki is now unstable with error page once every few clicks.
  Thanks in advance for any suggestion you might have.
  Edward

• Please help - Firefox will not open. library - applications - and no firefox is listed to get to my profile manager. . What's next?

  firefox has been running slower. When this happens I'll reboot my computer and this speeds up firefox. When I restarted the computer firefox would not open. Just the spinning wheel with no access to the tools.
  After I force quit - it says ignore or notify/report to apple. I tried sending a report, and it ques up the box with details, system config, etc... but when I click on send - it will not let me send one - I've never been unable to send a report before.
  I uninstalled, then reinstalled. Upon opening I get the spinning wheel and nothing happens - I need to force quit. I see on this mozilla help site that I need to update my profile manager. I followed these instructions - Finding your profile without opening Firefox Open Finder and go to your home folder. Note: your home folder is usually the name of your Mac user account From your home folder open /Library/, then /Application Support/, then /Firefox/, then /Profiles/. Your​ prof​ile ​fold​er is with​in this​ fold​er. but when I got to library - application support - there is no firefox listed.

  You can do a disk check with the chkdsk.exe program.
  If you run the chkdsk.exe program from a cmd.exe Command window then you can read the response from the chkdsk.exe program.
  Open a cmd.exe window:<br />
  Start &gt; Run: cmd.exe &lt;press Enter&gt;
  At the command prompt (>) type or Copy&Paste: chkdsk.exe /f /r &lt;press Enter&gt; (put a space before /f and /r)
  If you get something like: Would you like to schedule this volume to be checked the next time the system restarts? y/n then answer the question with "Y" and close all programs and reboot the computer.
  A possible cause is security software (firewall) that blocks or restricts Firefox without informing you about that, possibly after detecting changes (update) to the Firefox program.
  Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox and the plugin-container process.
  See:
  * [[Server not found]]
  * [[Firewalls]]
  * http://kb.mozillazine.org/Browser_will_not_start_up

• Firefox won't start, profile manager won't start, but firefox.exe shows in processes list (task manager)

  Firefox will not start, even though it is listed in my processes in task manager. Can't get profile manager to start either.
  I have tried the following to no avail:
  - try to start FF in Safe Mode, doesn't load
  - started Windows Vista in Safe Mode, FF still does not load
  - turned off Kaspersky AV, FF still does not load
  - uninstalled FF, cleaned out user/####/AppData/Mozilla/Firefox folder, as well as ProgramFiles/Mozilla/Firefox folder, and cleaned our Registry manually from all references to Firefox. Downloaded FF 3.6.3, installed. still does not load
  - whatever i seem to do, does not fix the problem. When I try to start Firefox, no window appears. I can see the process starting in my task manager. I can "end process" and try to start the program again by double-clicking program icon. Process starts in task manager, but no app window appears.
  I am frustrated and have just wasted 2+hours of my night trying to get this to work. Downloaded Google Chrome, unless there is a fix for FF (which I would prefer to use), i will have to switch to Chrome.
  I can't pinpoint when this trouble started, but may have been after a recent Windows Update. I already did a System Restore to a restore point about 5 days ago (the oldest one available to me, and I believe that was before the FF trouble started). This has not helped either.
  I have run a full virus scan with Kaspersky and a Full scan with Windows Defender. Nothing came up.
  Anyone else been able to find a solution to this?
  == This happened ==
  Every time Firefox opened
  == Less than a week ago ==
  == User Agent ==
  Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.86 Safari/533.4

  I found a way to make it work somehow but not really fixing the error... one day when I got really pissed off because FF just won't open, I clicked the icon and killed the enter button, then multiple FF windows appeared. I tried to open it with just a single hit of the enter or double clicking but it won't work anymore, but repeatedly clicking the enter button (mine works with just 3 hits, sometimes 6) seem to open it. And until now, I have no technical explanation for this.

• Complete list of settings in Profile Manager

  Hi!
  I'm looking for a complete list of the settings available in the Profile Manager for iOS devices.
  Restrictions
  Push Apps
  Push books and PDF's
  Passcode policy
  etc. etc.
  So, is there a list out there with all the settings and features of Profile Manager with iOS?
  Thanks!

  Apple has a good developer page on most of the payloads:
  https://developer.apple.com/library/ios/featuredarticles/iphoneconfigurationprof ileref/introduction/introduction.html
  Sadly, Apple does not provide many examples nor a clear explanation of the management levels.  But this is a great reference and now it includes OS X payloads, despite the URL name.  Sadly, not all profiles are listed yet but Apple seems to be revising the document.
  Reid
  Apple Consultants Network
  Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
  Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
  Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

• Workflows table is not showing up in Data Manager drop down table list

  Hi,
  I am able to see Workflows table in Console but not able to see it Data Manager drop down table list in record mode for selection.
  Even not allowed to create another workflow table.
  Thanks for any tips/clue
  -reo

  Reo,
  You will not be able to create another workflow table. There is only a single workflow table that will hold all the workflows you create through the Data Manager.
  As Vito mentioned, please make sure to load the corresponding MDMWorkflow component on the client machines running the Data Manager that you wish to create and view workflows from.
  Once the workflow component is installed you should see it as a new tab in the Data Manager. You will need Visio to create workflows.
  Thanks,
  Tim

• (null) users listed in Profile Manager

  While configuring Lion Server, I created and reset Open Directory several times as I experimented with different configurations.  As you can see from the attached image, it appears that this action has created (null) users in the profile manager user list.  These users do not show up in Open Directory when viewed via Workgroup Manager.  Does anyone know how to get rid of them?  Thanks in advance.

  Hi Mike,
  And my problems have gotten worse because I ran the WipeDB tool and I have destroyed the Open Directory several times in an attempt to remove the null users, but now when I rebuild everything and start from "scratch" the Profile Manager page crashes regularly.
  I even went so far as to rename the host name on the machine to see if the new Open Directory that it created would emerge in a new structure, but no luck.
  The "Null" users no longer say "null null", now their entries just say "loading..." and they never load, probably because there is nothing TO load, just old dead record pointers somewhere in the Profile Manager.
  I've hunted through the file system in command line trying to figure out where any of this data might be stored, but I haven't found anything I feel comfortable deleting yet. I'm facing a reformat of the disks and a re-installatoin of the OS if I can't figure out how to fix this.
  How can I clean this up? Anyone have any idea?
  Thanks,
  Ralph

• Firefox does not open, profile manager does not open, not listed in task manager

  firefox worked fine about two days back. Our norton expired so I downloaded Kaspersky Anti-Virus 12.0.0.374. I don't know if that has any connection to firefox not working.
  I click on the icon, nothing happens. The task is not mentioned in the task manager.
  I try to run it in safe mode, nothing happens. I try to open the profile manager, nothing happens! What can I do to fix this?

  Thank you fmdeveloper! I did some more research after I posted the question and it turns out Kaspersky was not the issue. I had done a system restore two days back and it says online that after a system restore, you have to uninstall and reinstall firefox. So I uninstalled it (kept my settings and data) and reinstalled it and voila, it works!
  I did switch from Kaspersky to Avira too for Anti-vifus, don't know if that's a sane decision or not, but it's good to know that Kaspersky was not the culprit!

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Cry for help: a decent network profile manager

  Am I the only one that finds the default arch linux network profile management a bit.. lacking? Maybe I just don't have it set up right, but it only works for my ethernet connection and connecting to non-encrypted wireless networks. Problem is, I run WPA2-AES networks at home and at work. I finally got wpa_supplicant properly set up (I'm on wireless right now), but I can't just select the network profile from the menu and be on my way.
  Here is what I have to do to get connected right now:
  [root@cdl-magnesium chris]# wpa_supplicant -dw -c/etc/wpa_supplicant.conf -Dmadwifi -iath0
  [root@cdl-magnesium chris]# dhcpcd ath0
  and I'm connected, everything working great. That's fairly simple, right? I'm thinking my network profile has a lot more in it than necessary.
  # Network Profile
  DESCRIPTION="57 May"
  # Network Settings
  INTERFACE=ath0
  #HOSTNAME=myhost
  # Interface Settings (use IFOPTS="dhcp" for DHCP)
  IFOPTS="dhcp"
  #GATEWAY=192.168.0.1
  # DNS Settings (optional)
  #DOMAIN=localdomain
  #DNS1=192.168.0.1
  #DNS2=
  # Wireless Settings (optional)
  ESSID="Galactica"
  #KEY=
  #IWOPTS="mode managed essid $ESSID channel 6 key restricted $KEY"
  WIFI_INTERFACE=wifi0 # use this if you have a special wireless interface
  # that is linked to the real $INTERFACE
  WIFI_WAIT=5 # seconds to wait for the wireless card to
  # associate before bringing the interface up
  USEWPA="yes" # start wpa_supplicant with the profile
  WPAOPTS="-D madwifi" # use "" for normal operation or specify additional
  # options (eg, "-D ipw")
  # see /etc/wpa_supplicant.conf for configuration
  #AUTOWPA="yes" # automatically configure WPA
  If I do a /etc/rc.d/network restart and select the profile from the menu, I get all sorts of errors about not being able to connect to wpa_supplicant (because for some reason it isn't running.. was I supposed to do something about that?).
  I'm a bit tired right now so pardon any incomprehensible sentences or questions
  ps: while we're on the subject, is there a way to re-sort the items in the network profile list? It always wants to connect to this broken wpa2 profile first, as I think it just goes in alphabetic order or somethin. I guess I should just turn off the timeout so it always waits for me to choose.

  i'm working on one.
  http://wiki.archlinux.org/index.php/Network_Scripts
  James

• Firefox doesn't open, but is open in Processes in Task Manager, not even profile manager opens up for Firefox opens up. Please help

  I'm using Vista, 32 bit - not even downloading the beta version of Firefox 4 helps; it downloads (just like the regular version of Firefox, 3.4) and I can install it, but trying to run it gives me nothing - no warning, no text; it just doesn't open up, but is still visible in my start menu, programs folder and in task manager. And not even profile manager opens up.

  Make sure that you do not remove your personal data when you uninstall Firefox. Then you won't lose personal data stored in a different location in the [http://kb.mozillazine.org/Profile_folder_-_Firefox Firefox Profile Folder].
  See also http://kb.mozillazine.org/Profile_backup and [[Backing up your information]]
  A possible cause is security software (firewall) that blocks Firefox.<br />
  Remove all rules for Firefox from the permissions list in the firewall and let your firewall ask again for permission to get full unrestricted access to internet for Firefox.<br />
  See [[Server not found]] and [[Firewalls]] and http://kb.mozillazine.org/Firewalls
  See also http://kb.mozillazine.org/Browser_will_not_start_up
  Do a malware check with a few malware scan programs.<br />
  You need to use all programs because each detects different malware.<br />
  Make sure that you update each program to get the latest version of the database.<br />
  *http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
  *http://www.superantispyware.com/ - SuperAntispyware
  *http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
  *http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
  *http://www.microsoft.com/windows/products/winfamily/defender/default.mspx - Windows Defender: Home Page
  See also "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked and [[Searches are redirected to another site]]

• Firefox won't open and neither will Profile Manager.

  I running Windows 7 Professional. So about two weeks ago I had suddenly was unable to open Firefox and since then have been trying to solve it myself to no avail. the Firefox process opens in the task-manager, however, the browser window does not appear. When trying to open Firefox again, another process opens and the same thing happens. Processes just keep opening and that's it. I have tried the Profile manager but it only opened once and I have been unable to get it to open again. Every once in a while Firefox actually opens when I launch it, but when I close it to see if it works again it does not. Firefox does open in Safe-mode with Networking with no problems consecutively. While it was in safe-mode I ran a full system scan with Nortan Antivirus and cleared about thirty threats but after the restart Firefox still won't open, only processes. I have tried deleting Mozilla from the x86 path and cleared My local and roaming Mozilla appdata, then re installed with 34.0.5. I have tried opening Firefox in safe mode but it won't open at all, only the process again.

  ''cor-el [[#answer-668399|said]]''
  <blockquote>
  It is possible that your security software (firewall, anti-virus) blocks or restricts Firefox or the plugin-container process without informing you, possibly after detecting changes (update) to the Firefox program.
  Remove all rules for Firefox and the plugin-container from the permissions list in the firewall and let your firewall ask again for permission to get full, unrestricted, access to install for Firefox and the plugin-container process and the updater process.
  See:
  *https://support.mozilla.org/kb/Server+not+found
  *https://support.mozilla.org/kb/Firewalls
  *https://support.mozilla.org/kb/fix-problems-connecting-websites-after-updating
  Do a malware check with several malware scanning programs on the Windows computer.
  Please scan with all programs because each program detects different malware.
  All these programs have free versions.
  Make sure that you update each program to get the latest version of their databases before doing a scan.
  *Malwarebytes' Anti-Malware:<br>http://www.malwarebytes.org/mbam.php
  *AdwCleaner:<br>http://www.bleepingcomputer.com/download/adwcleaner/<br>http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
  *SuperAntispyware:<br>http://www.superantispyware.com/
  *Microsoft Safety Scanner:<br>http://www.microsoft.com/security/scanner/en-us/default.aspx
  *Windows Defender:<br>http://windows.microsoft.com/en-us/windows/using-defender
  *Spybot Search & Destroy:<br>http://www.safer-networking.org/en/index.html
  *Kasperky Free Security Scan:<br>http://www.kaspersky.com/security-scan
  You can also do a check for a rootkit infection with TDSSKiller.
  *Anti-rootkit utility TDSSKiller:<br>http://support.kaspersky.com/5350?el=88446
  See also:
  *"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
  *https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware
  </blockquote>
  My firewall has been off for ages. And I did a check with Nortan. It didn't help.
  EDIT: Turns out I was just being lazy I guess. I had read this post before on another user and it didn't work for him so I didn't try it. AWD did clean a lot of stuff but didn't work, Malwarebytes however cleaned more things and suddenly Firefox opens each time I try. Not sure if it is permanent yet.

• Profile Manager - Why create Enrollment Profiles?

  So a similar question was asked previously:
  Why use an enrollment profile?
  I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
  First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
  The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment.and Remote Management Profiles.
  I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
  - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
  - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost elusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
  IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
  - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
  Having outlined that, the simplest steps to enrollment...:
  When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
  Doing so will prompt you to install the "Remote Management" profile.
  Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
  So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
  So why use an Enrollment Profile?
  Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05 676EB7, the answer is pretty straightforward:
  "The user does not need to authenticate or log in to Profile Manager’s user portal"
  This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
  However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
  However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
  All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
  So, now the questions:
  So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
  What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
  The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
  I can go ahead and create several Enrollment Profiles such as:
  iPads
  Lab Systems
  Main Office Systems
  High Security Systems
  And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
  Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
  Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
  We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
  Thoughts?

  So a similar question was asked previously:
  Why use an enrollment profile?
  I've read through it and I don't think the answers provided tell the whole story, so I'd like to ask again adding some of my own thought and clarifications on the previous thread.  This may be considered a "primer" by some - though I am certainly not the expert on Profile Manager.  I'm laying it out there to explain my understanding and off of that, ask a question.  If you are an expert, and understand how all this works, please just skip to my question below!
  First, my experience and understanding.  (I urge others to correct/clarify where they see fit):
  The previous thread attempted to make a distinction between the 3 different types of profiles:  Trust, Enrollment.and Remote Management Profiles.
  I believe the proper 3 distinctions should be: Trust, Remote Management/Enrollment, and Configuration Profiles.
  - The Trust Profile is basically a Profile (.mobileconfig file) that contains the Server Certificate that needs to be present to validate other signed Profiles.  It's a fancy way of packaging up the Root certificates.
  - The Remote Management/Enrollment Profile is a Profile (.mobileconfig file) that delivers the Remote Management "connection".  It registers the device with the Profile Manager server and facilitates the ability to use PM/APNS to push various Configuration Profiles as well as commands (wipe/lock/etc).  It is *only* called an Enrollment Profile when you explicitly create one (more on that below).  Because an Enrollment Profile does not need to exist to enroll (or rather it will use the implicit "unseen" enrollment), this is the most confusing of the 3 Profile types.  It is further confusing because the term "Profile" is used almost elusively on the device and not within Profile Manager.  In fact the "Enrollment Profile" is the only one explicitly called a "Profile" within the management interface!
  IOW: While it is not shown anywhere in Profile Manager, I believe that "Remote Management" (called a Profile on the device) is basically the *default* Enrollment Profile that is only inferred and seen when you use the Enroll function on MyDevices.  This means you don't need to create any Enrollment Profile to enroll your devices interactively via the MyDevices page.
  - The Configuration Profile is a Profile (.mobileconfig file) that delivers specific settings.  These Profiles are applied to either Users, Groups, Devices, or Device Groups.  They can be automatically pushed to an enrolled device, or they can be manually downloaded from the MyDevices page (seems to apply to User configuration only) for devices even if they are not enrolled (this would allow the end user the 'choice' to pull down settings).
  Having outlined that, the simplest steps to enrollment...:
  When you setup Profile Manager, you can go right to the MyDevices page on your device, login, and choose "Enroll." (sample device is let's say an iPad)
  Doing so will prompt you to install the "Remote Management" profile.
  Note that when enrolling in this way it does not appear necessary to install the "Trust Profile" for your server, even when using a Self-signed Cert.  It would appear that this "Remote Management" profile contains not only the SCEP Enrollment Request and the Device Management payload, but also the Certificates that would be installed with the "Trust profile"
  So we have seen here that one can enroll a device without explicitly creating any "Enrollment Profile."
  So why use an Enrollment Profile?
  Well according to https://help.apple.com/profilemanager/mac/3.1/#apd6DD5E89E-2466-4D3C-987E-A4FF05 676EB7, the answer is pretty straightforward:
  "The user does not need to authenticate or log in to Profile Manager’s user portal"
  This is a great feature.  For one, you can create an Enrollment Profile and send it via e-mail and the user doesn't need to visit a web page and login to enroll a device.  In fact, based on my experience Enrollment Profiles can't even be accessed via the MyDevices page unless you are a Server Admin.
  However, when distributing an Enrollment Profile you seemingly *must* install the Trust Profile prior to this, or you will get an error about communicating with the server.  Several docs/tutorials you can google explain how to set up your deployment systems (specifically OSX machines) to deploy systems with both the Trust and Enrollment profiles to facilitate automatic enrollment when a new system is deployed so it can instantly be managed.
  However, since a device that is already deployed will/may not have the Trust Profile installed, one would have to visit the MyDevices page to install that prior to being able to import a delivered Enrollment Profile.  Because of that it seems that from a distribution approach (as opposed to a deployment scenario) there is not much advantage of using an explicit Enrollment Profile anyway since we already need to visit the MyDevices page to get the Trust Profile, we might as well just use the standard MyDevices implicit Enrollment.
  All devices that have enrolled themselves via a defined/explicit Enrollment Profile will be listed under that Profile in Profile Manager.  Devices that have enrolled via MyDevices will not be listed under any Profile, but rather just under Devices (where *all* devices will be shown regardless of how they enrolled).
  So, now the questions:
  So, the idea of an Enrollment Profile makes perfect sense - it is basically the only way to create an exportable profile that can be distributed and configured to automatically enroll a device without interactive enrollment via the MyDevices page.
  What I don't get is WHY is there the ability to create multiple Enrollment Profiles rather than simply providing a default exportable profile?
  The reason it makes no sense to me is there is absolutely no correlation (that I can deduce) between an Enrollment Profile and the devices that used it to enroll.  While I can see a (non-exportable) list of each device enrolled via each Enrollment Profile, it ends there.  I can't, for instance, create Configuration Settings that I link to an Enrollment Profile.  Or dynamically populate a Device Group with all devices enrolled from a specific Enrollment Profile.  If I could do these things, it might make sense to me and I have spent much time looking at the interface and scouring documentation to see where the connection is.  I have simply determined that there isn't one.
  I can go ahead and create several Enrollment Profiles such as:
  iPads
  Lab Systems
  Main Office Systems
  High Security Systems
  And I can deploy these Profiles (either via mail/file or via initial deployment) to the respective devices.  I can then see under each Profile which devices enrolled.  But, since I can't actually do anything to correlate those systems to a configuration, why would I want to do this segregation?  Sure it gives me a listing of iPads apart from OSX machines, but I can't do anything with this listing!
  Now, of course, I can still pre-stage devices and add them into particular device groups so that as soon as they are enrolled (via any Enrollment Profile) they will get the Configuration Profile(s) attached to them.  This makes the inclusion of multiple Enrollment Profiles even more suspect.
  Am I missing something?  Can someone enlighten me as to what the purpose of creating more than one Enrollment Profile would be?
  We can easily say "Well it's not hurting having them there" but, in terms of complexity and confusion I believe it is.  Had they simply provided a single Enrollment Profile ("Remote Management") that was downloadable/exportable it would have been sufficient.
  Thoughts?