Profile Manager Calendar Subscription

Similar Messages

• Deploying Calendars via Profile Manager

  I recently needed to start sharing calendars between staff here at school. I have successfully created and shared calendars between two test accounts, setting them up manually via the "Mail, Contacts & Calendars" section of system preferences for each user.
  I then shared then opened up the calendar app and shared each test accounts calendar with each other via the right click menu>Sharing Settings.
  Everything is working exactly as I want but I want to automate this setup for our staff and so I turned to profile manager thinking that we could at least skip the step that was covered through "Mail, Contacts and Calendar".
  I could not.
  It seems that Profile Manager settings requires a password which is terrible and that would have all staff subscribe to one calendar account rather than having their own.
  Is there a way around this or am I destined to set up each user individually?

  Thank you both so very much for using these forums. Today I was having the issue of the profile not pushing when there were Calendar settings in the profile. Then I ran across this discussion. I was able to confirm your findings Henry. Indeed when I set it to manual, downloaded the profile and installed, it worked like a charm. (sad this is still an issue in Yosemite) Anyway, it gave me an idea. All I did was add a description to the General section of the profile, changed it back to automatic push, no password installed and using SSL, and it worked. I have no idea, but just placing a comment in the field did the trick. Thought it should be shared. Thanks for your discussion, help, and feedback. Have a great day!

• Update 3.1.1 external calendar issues (and profile manager)

  So I did the 3.1.1 update and now I am of course regretting it. I am having the non functional profile manager issue but, more importantly my calendar server is not communicating to any of the devices outside the network. I have a firewall in place so the question is did apple add a port to this update? I ran wireshark and couldn't find anything new.
  Help!

  How long between syncing?
  This link provides the data included with the backup.
  http://support.apple.com/kb/HT1766
  If you received or placed a call, the same for SMS/MMS, used Safari, made any changes to contact info and calendar events, there were changes to the data included with your iPhone's backup. If there were no changes to any of the data included with your iPhone's backup since the last sync, your iPhone's backup wouldn't be updated.
  Does your iPhone's Camera Roll include a number of photos that haven't been imported by your computer followed by being deleted from the Camera Roll, or have been imported but not removed from the Camera Roll after the import process is complete?
  2. The other symptom I've noticed (that commenced with the prior OS version) is that the phone is hesitating sometimes and won't respond for up to a minute to screen inputs-- seems to be preoccupied with some task it wasn't doing before.
  Any change after powering your iPhone off and on and/or after doing an iPhone reset when this occurs?

• Reset calendars and contacts and profile manager, reset calendars and contacts and profile manager

  HI,
  I have succesfully re setup postgres with this set of instructions...
  Wki's now work, just need to re initialise calendars and contacts and maybe profile manager...
  serveradmin stop postgres_server
  serveradmin stop postgres
  mv /Library/Server/PostgreSQL\ For\ Server\ Services/Data{,-old}
  mv /Library/Server/PostgreSQL/Data{,-old}
  /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/Promotio nExtras/58_postgres_setup.rb
  /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB. sh
  serveradmin start wiki
  /Applications/Server.app/Contents/ServerRoot/usr/bin/psql -U _postgres -h "/Library/Server/PostgreSQL For Server Services/Socket" -l
  /Applications/Server.app/Contents/ServerRoot/usr/bin/psql -U _postgres -h "/Library/Server/PostgreSQL For Server Services/Socket" postgres -c "\dg"
  bash-3.2# serveradmin stop postgres_server
  postgres_server:state = "STOPPED"
  bash-3.2# serveradmin stop postgres
  postgres:state = "STOPPED"
  bash-3.2# mv /Library/Server/PostgreSQL\ For\ Server\ Services/Data{,-old}
  bash-3.2# mv /Library/Server/PostgreSQL/Data{,-old}
  bash-3.2# /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/Promoti onExtras/58_postgres_setup.rb
  WARNING: enabling "trust" authentication for local connections
  You can change this by editing pg_hba.conf or using the option -A, or
  --auth-local and --auth-host, the next time you run initdb.
  WARNING: enabling "trust" authentication for local connections
  You can change this by editing pg_hba.conf or using the option -A, or
  --auth-local and --auth-host, the next time you run initdb.
  bash-3.2# /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB .sh
  devicemgr:state = "STOPPED"
  postgres_server:state = "RUNNING"
  (in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend)
  (in /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend)
  devicemgr:state = "STARTING"
  bash-3.2# serveradmin start wiki
  wiki:state = "RUNNING"
  bash-3.2# /Applications/Server.app/Contents/ServerRoot/usr/bin/psql -U _postgres -h "/Library/Server/PostgreSQL For Server Services/Socket" -l
                                          List of databases
         Name        |   Owner    | Encoding |   Collate   |    Ctype    |    Access privileges   
  -------------------+------------+----------+-------------+-------------+-------- -----------------
  caldav            | caldav     | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
  collab            | collab     | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
  device_management | _devicemgr | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
  postgres          | _postgres  | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
  template0         | _postgres  | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =c/_postgres           +
                     |            |          |             |             | _postgres=CTc/_postgres
  template1         | _postgres  | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 | =c/_postgres           +
                     |            |          |             |             | _postgres=CTc/_postgres
  webauth           | webauth    | UTF8     | en_GB.UTF-8 | en_GB.UTF-8 |
  (7 rows)
  bash-3.2#

  qwince wrote:
  Yes but my point is that the device may not be able to connect to the internet for a period of time.  Thus all devices will have different data on them.
  So you are constantly (multiple times per hour/day) changing contacts/calendars on different devices with no internet around?
  The data gets sync'd only when it changes.
  So you are out in the field with no internet.
  You make a change on your iPhone. It doens't get sync'd to your computer.
  Who cares,? Yo have the data on your phone and you don't have your computer.
  Now you drive back to town. When you get a data connection, everything sync's up.
  why remove the functionality to sync everything else at the same time, should the user choose or need to do so.
  The Sync Services functionality was removed from the OS, so there is nothing for iTunes to use.
  It still works in Windows.

• Disallow app access to Calendar and Contacts by app in Profile Manager

  Is there a method to disallow app access to Calendar and Contacts by app within a profile and push that out via Profile Manager?
  I'm aware that you can do this on the device itself but I'd like to enforce policy.
  I'm guessing I'd need a custom profile.
  Thanks
  Tim

  Create a profile that contains an Restrictions profile and add thoase apps to the list of app you want to restrict.

• Calendar and Profile Manager Services - Service Unavailable

  Not sure what has changed in my environment, because I have not made any manual changes lately.  However I can't seem to access either iCal or Profile Manager from the web.  Nor does the iCal seem to be propagating any informtion across the same account to different devices.  I've read through many, many of the listings in these forums to no avail.  That said, I haven't really been able to find one that displays the same error logs as I'm experiencing.
  When trying to access from the web, I always get a the below...
  Service Temporarily Unavailable
  The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
  Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/0.9.8r DAV/2 PHP/5.3.8 with Suhosin-Patch Server at jared-hill.com Port 443
  I've monitored my logs and here's the output I'm given....
  Apr 27 16:15:24 jared-hill servermgrd[88]: servermgr_devicemgr: response statusCode: 0
  Apr 27 16:15:24 jared-hill servermgrd[88]: servermgr_devicemgr: waiting for devicemgr to respond
  Apr 27 16:15:24 jared-hill com.apple.launchd[1] (com.apple.collabcored4[2877]): Tried to setup shared memory more than once
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]: /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileuti ls.rb:1217:in `chmod': Operation not permitted - /var/log/collabd/coreclient.log (Errno::EPERM)
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileuti ls.rb:1217:in `chmod'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileuti ls.rb:870:in `chmod'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileuti ls.rb:869:in `each'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/fileuti ls.rb:869:in `chmod'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /usr/share/collabd/coreclient/config/application.rb:83
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rubygem s/custom_require.rb:31:in `gem_original_require'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rubygem s/custom_require.rb:31:in `require'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /usr/share/collabd/coreclient/config/environment.rb:11
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rubygem s/custom_require.rb:31:in `gem_original_require'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/rubygem s/custom_require.rb:31:in `require'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /usr/share/collabd/coreclient/config.ru:13
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /Library/Ruby/Gems/1.8/gems/rack-1.2.1/lib/rack/builder.rb:46:in `instance_eval'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /Library/Ruby/Gems/1.8/gems/rack-1.2.1/lib/rack/builder.rb:46:in `initialize'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /usr/share/collabd/coreclient/config.ru:1:in `new'
  Apr 27 16:15:25 jared-hill com.apple.collabcored4[2877]:     from /usr/share/collabd/coreclient/config.ru:1
  Apr 27 16:15:25 jared-hill com.apple.launchd[1] (com.apple.collabcored4[2877]): Exited with code: 1
  Apr 27 16:15:25 jared-hill com.apple.launchd[1] (com.apple.collabcored4): Throttling respawn: Will start in 9 seconds
  Any help would be greatly appreciated!!!!

  hi there. did you find a way to solve this?
  I am getting many (non-stop every minute) of "10/8/12 4:24:48.966 PM com.apple.launchd[1]: (com.apple.collabcored4) Throttling respawn: Will start in 7 seconds" errors. And my wiki is now unstable with error page once every few clicks.
  Thanks in advance for any suggestion you might have.
  Edward

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Change the display name of the Profile Manager Portal?

  Hello.
  Does anyone know if it's possible to change the name that's displayed on the Profile Manager User Portal? It's using my server name and I'd rather it be something a little more generic? Is this possible?
  Thanks,
  Kristin.

  Hello,
  Currently, the Power View report doesn't support the drillthrough feature like "Go to URL".
  Personally, I recommend you that submit a suggestion at
  https://connect.microsoft.com/SQLServer/. Your feedback is valuable for us to improve our products and increase the level of service provided.
  For more information about the features supported in Power View, please see
  Power View (SSRS).
  Regards,
  Fanny Liu
  TechNet
  Subscriber Support
  If you are TechNet
  Subscription user and have any feedback on our support quality, please send your feedback
  here.
  Fanny Liu
  TechNet Community Support

• Delete list of past subscriptions in the iTunes' "Managing Past Subscriptions."

  There is a bunch of list of subscription that I have cancelled in the iTunes' "Managing Past Subscriptions".
  I would like to remove this list out permanently other than just stop/cancel the subscription. However, I were not able to find any "Delete".
  Please help me on how to delete thsi list or delete some of the past subscription from this list.
  Thank you.

  I added a calendar subscription and cannot delete it because the subscription does not appear in the list.
  My other subscriptions (Birthdays, US Holidays) are listed.
  I want to delete it because somehow it was added to both my icloud/home and my Exchange/Calendar so the events are listed twice as I view both icloud and exchange together. 
  I can delete the subscription from either the icloud or the exchange calendar but neither gives it in the list. 

• Can I use OS X Server 4.0 Profile Manager to distribute iOS apps with iOS Developer Enterprise Program (iDEP)?

  We are developing an iOS and complementary Mac OS X app for in house use by about 1500 users. I need to manage the devices and distribute the in-house app to these users.
  We have an iOS Developer Enterprise Program (iDEP) licence.
  Can I combine OSX Server and iDEP to distribute and manage the app? Or do I nee dot move to something like Air Watch?

  You should not have to do anything the user/group import should be automatic and you should not have to manually create any accounts and it does onging syncs automatically but I do not know how often.
  Once you are install and connect to profile manager all the accounts should show up just by clinking on users or the groups icons and they will work with that. You should not need to mess with them in the actual server application Although I would assume the other services all ink into the OD directory I don't know exactly how services like email, file sharing or VPN work as we have other more full featured better scaling services for that like MS Exchange for email/calendar and Cisco VPN.
  We are only using OD, Profile Manager and Software Update.
  Just a note I am using Server 3.2 on OS 10.9.5 if you are using Server 4.X your mileage will probably vary slightly as I am not sure what the areas of major change are.

• CalDAV and Profile Manager question

  I am attempting to set up CalDAV in Profile Manager for our mobile devices. I am applying these settings to a group. I can't complete configuring the CalDAV payload because Profile Manager tells me that a CalDAV username is required. Again, this profile is for a group, so each user should be entering his own username to connect to his personal calendar. I've included a screenshot below to illustrate what's happening.
  Is there something I'm misunderstanding about how CalDAV needs to be configured, or is this a bug?

  Hi Adams,
  You can use variables keys in Profile Manager to push groups settings
  (I don't know if this list is exhaustive or not)
  User keys:
        email
        full_name
        guid
        short_name
        first_name
        last_name
        job_title
        mobile_phone
        uid
  Device keys:
        udid
        device_type
        guid
        scep_uuid
        scep_challenge
        reg_cert
        reg_cert_uuid
        reg_challenge
        mdm_cert
        mdm_cert_uuid
        mdm_challenge
        user_id
        pending_user_id
        token
        unlock_token
        push_magic
        last_checkin_time
        Version
        Serial
        Product
        ProductName
        PhoneNumber
        DeviceName
        OSVersion
        BuildVersion
        ModelName
        Model
        SerialNumber
        DeviceCapacity
        AvailableDeviceCapacity
        IMEI
        MEID
        JailbreakDetected
        ModemFirmwareVersion
        Query
        ICCID
        BluetoothMAC
        WiFiMAC
        CurrentCarrierNetwork
        SIMCarrierNetwork
        CarrierSettingsVersion

• Profile Manager hint for restart

  After applying (yesterday) the 2.2.2 Server-Update to my 10.8 server, I got stuck with "Profile Manager cannot read settings... error"... Hmm, everyhting seems to work fine, just profile manger would not accept switch on or off, tried anything to get it startet, but I found an easy way.
  In this order I switched every service I had running off. (I did not switch all off at once, just the first, then waited, til it was done and Server.app not writing anything, than the second and so on...
  1. Caching
  2. Sharing
  3. Calendar
  4. Contacts
  5. Softwareupdate
  6. Time Machine
  7. VPN
  8. Wiki
  9. Websites
  10. Open Directory
  11. DHCP
  12. DNS
  After switching off the services in this 1-10 order, I made a restart and switched all the services on again in reverse order (starting with DNS). I also waited til DNS was started, Server.app did not write anything, and went on to DHCP, again wating this service to the finish.
  And voalà, after this procedure, Profile Manager switched on (after Open Directory) and it works again like it did before the update.
  Maybe that helps someone here. ;-)

  WOW!  Nice find Rob Rocket.  I just went in to use profile manager and was hit with the error.  Followed your directions and back to normal. 

• Yosemite Server Signed Certificate vs OD and Profile Manager

  Hello Again,
  For more info on my setup follow the thread exchange Yosemite Server forward zone vs SSL types
  I've purchased a Comodo Positive SSL that covers www.example.com and example.com
  I asked OS X Server to use it and it went on to set up this Comodo signed Certificates up for Calendar, Mail (Pop and iMAP), Mail (SMTP), Messages and Websites.....
  ... But not for Open Directory which uses the xyz.example.com OD Intermediate CA.
  In Profile Manager, Configuration Profile Sections, I have checked "Sign Configuration Profile" and the only choice if I click the "edit" button is the "xyz.example.com OD Intermediate CA".
  1- Should OD use the Comodo Certificate like all other services?
  2- Will the Comodo certificate appear in the Profile Manager If I tell OD to use it?
  Francois

  Sorry Here,
  Hope I understand this correctly.
  The Comodo Positive SSL is a Web certificate. Although I ask OD to use it, it didn't.
  Then Profile Manager expects a "code signing" certificate which is why all it saw was Open Directory's one.
  Francois

• Unable to push user profiles to AD groups with Profile Manager since upgrade to Server v3

  Since upgrading our OS X Mac server from 10.8.5 to 10.9.1, and OS X Server app to v3 (now 3.0.2) I have been unable to push or modify user profiles to AD groups (or AD users) using Profile Manager. This was working fine on OS X 10.8.5. Pushing device profiles is still working OK after the upgrade.
  From what I can see from the logs on the client side and server side, it seems related to a problem with the mdm authtoken.
  In the client console I can see this entry:
  27/01/14 14:30:15.844 mdmclient[38557]: *** ERROR *** [Agent:636102071] Unable to proceed with connection to: https://ourserver.ourdomain/devicemanagement/api/device/mdm_connect (com.apple.mdmconfig.mdm) because don't have valid MDM AuthToken
  On the server, in the php.log I can see the corresponding attempt to authenticate:
  1::Jan 27 14:29:50.930 [158] <192.168.28.171> {require_once (mdm_checkin.php:11)} vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv - PUT mdm_checkin
  0::Jan 27 14:29:50.931 [158] <192.168.28.171> checkin: 'UserAuthenticate'
  1::Jan 27 14:29:50.936 [158] <192.168.28.171> {Target_for_incoming_request (target.php:209)} Found target NETWORK LS: <User[156]@ourclientmachine>
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> {LabSession_validate_auth_token (mdm_checkin.php:22)} Failed auth for target NETWORK LS: <User[156]@Device[1697]>, incoming_request={
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'MessageType'=>'UserAuthenticate',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UDID'=>'17aff5c5a40f51acbbd78023d0028c80',
  0::Jan 27 14:29:50.937 [158] <192.168.28.171>   'UserID'=>'A5EA25B7-7CCD-4EF4-B240-F23DED275EEC'
  0::Jan 27 14:29:50.937 [158] <192.168.28.171> }
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Sent Final Output (407 bytes)
  1::Jan 27 14:29:50.965 [158] <192.168.28.171> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - /devicemanagement/mdm/mdm_checkin
  0::Jan 27 14:29:50.965 [158] <192.168.28.171> {SendFinalOutput (mdm_checkin.php:145)} Completed in 34ms | 200 OK [https://ourserver.ourdomain/devicemanagement/api/device/mdm_checkin]
  So I can see there is a failure to authenticate, but don't really know how to troubleshoot this further. Or maybe this is just a bug in the new server app?
  I have tried to remove and re-enroll clients in Profile Manager but no joy there.
  In the client's Keychain I can see an MDM user AuthToken linked to the correct user account.
  Thanks in advance for any help or suggestions

  I just wanted to update my post, as this issue for me is resolved.
  I uninstalled and reinstalled the Server.app on our Mac server, since then I've been able to push profiles to AD Users and Groups. I guess that in my case the Server app got into a bit of a mess when it was upgraded to v3.
  Now the next headache I have is that my AD Groups which are displayed in Profile Manager are not syncing any recent changes. I think I'm probably seeing the same issue as described in this post
  https://discussions.apple.com/message/25420919#25420919

• VPP Distribution issues with OSX Server Profile Manager

  Hi, I have a new issue with my OSX 10.9.5 Server. I use VPP to distribute apps to users devices, when I would add a new user I would send them an invitation message through /profilemanager . All was working well until recenetly , the message still arrives in the users mailbox however when you click the "sign in" link on the "receive apps and books from xxxxx" email instead of opening through the Mac App store app it now opens Safari and connects to the profile manager server , any ideas ? it never has done this before and although I thought it was a new feature or method I can not seem to resolve the issue.

  Hi if when you are redirected back to your Mac Server you enter the user name and password of the user you are trying to receive VPP apps for i.e the Open Directory credentials it will then open the App Store providing the credentials are correctly entered so it looks like an additional layer of security. The process is click on the link in the VPP invite email, this takes you to your Mac Server profile manager, log on with your OD account, App store then opens on your Mac like it used to.