Profile manager trust on os x clients

Similar Messages

• Can't enroll new clients in Profile Manager 3.0.3

  I just upgraded a server from 10.8.5 to 10.9.2 and updated the Server app to v3.0.3. Almost everything seems to have gone smoothly, except that I can no longer enroll clients in Profile Manager, and the user under which all devices were originally enrolled disappeared.
  I manually re-added the user through the Server app, and used the same short name and password for the account.
  All of the old clients (OS X systems running 10.8.5) are still there. I can search within the device list, create profiles, edit profiles, and remove profiles. But none of them show up when I log into the My Devices web page with the re-created user.
  This user does not have admin privileges, but even when I try to enroll a device using an admin account I still get a "500 Internal Server Error".
  I can't seem to find any other threads covering this exact problem, although there seem to have been others with various PostgreSQL database migration issues during the upgrade. For examples, see this thread: Managed Settings missing in Profile Manager after upgrade to Server 3
  Looking for some ideas...

  Well, that is one idea that I've already had, Linc, but I'm reluctant to use the "nuclear option" for obvious reasons. I'm actually wondering now if the Secure Cert / OD problem is affecting Profile Manager. See this thread: https://discussions.apple.com/message/23686348#23686348

• App-V: A Configuration Template for Deploying to Stateless RDS Clients on Citrix Published Desktops with Citrix UPM for Profile Management

  Please Vote if you find this to be helpful!
  App-V:  A Configuration Template for Deploying to Stateless RDS Clients on Citrix Published Desktops with Citrix UPM for Profile Management
  Just posted this to the wiki:
  http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx

  I would not recommend this and keep the package cache and the client on the same non-persistent drive and enable the Shared Content Store. If you separate the cache and the App-V client they could get out of sync and strange behaviour can occur. 
  You can use a temporary local profile with Citrix UPM or UE-V and specify what to roam/save.
  You can use the Shared Content Store so packages will stream over the network. When the user logs on there is a publishing phase where shortcuts etc are created for the user, this will take some time.
  Are you using the App-V full infrastructure?
  Are you using a boot disk, partition or PXE in combination with PVS?

• Profile Manager 3.1.2 home sync setting being ignored on client

  Hey,
  We currently have all of our Mac clients successfully home syncing with Server 2.2.2 and WGM but we would like to upgrade to the latest version and finally move over to Profile Manager.
  I am currently trying to test Server 3.1.2 on a closed network with a couple of test clients.
  Everything seems to be working as expected and all deployment settings are being correctly set on each client.
  However the one thing that refuses to work on the client is the Home Sync settings that have been deployed.
  I have Home Sync set to sync at logout and manually only.
  On the client i can clearly see that the variable "syncBackgroundSetAtLogout" is set to "sync" within the com.apple.homeSync.plist file. However when I logout on either client I get no sync happening at all.
  Manually syncing works fine but I need this logout sync setting to work as I do not wish to have to go to each client on our network and manually set the settings from the "mobile settings" pane in preferences.
  Has anyone else come across this with 3.1.2 and maybe overcome it?
  Thanks, Justin

  Figured it out. I think it's just my interpretation of the sync settings that was the problem. For some reason you have to manage settings that you don't want managed and specify not to manage them. (?!)

• Updated! App-V: A Configuration Template for Deploying to Stateless RDS Clients on Citrix Published Desktops with Citrix UPM for Profile Management

  I've updated my App-V Startup script that I use.  The new version includes Event Logging as well as detailed logging, and its in PowerShell finally)
  Check out the wiki!
  http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx

  I've updated my App-V Startup script that I use.  The new version includes Event Logging as well as detailed logging, and its in PowerShell finally)
  Check out the wiki!
  http://social.technet.microsoft.com/wiki/contents/articles/25318.app-v-a-configuration-template-for-deploying-to-stateless-rds-clients-on-citrix-published-desktops-with-citrix-upm-for-profile-management.aspx

• Profile Manager – disable clients' Finder sidebars?

  Is it poss to get Profile Manager to disable or hide the sidebar in clients' Finder windows?

  As it turned out, I just needed to change the name of my server to the same domain name I was using externally. I did also have to change the certificate it was using, as it crated a new one once I changed the server name. Now it works fine.

• Clients can only reach profile manager via ip address

  I have been going through the process of setting up an OS X Mountain Lion Server. When trying to access the profile manger via http://servername.domain.private/mydevices within the internal network this can not be found. If I use the ipnumber i can reach the profile manager.
  I'm sure this is something to do with DNS and DHCP is being provided by a Netgear router.
  Any help would be much appreciated!

  All working now...
  Primary DNS router entry as the server. Then tested external access to the internet with:
  Only a Google DNS entry configured as sencondary on the router
  Then only with the Google DNS entries configured as additional DNS servers in the forwarders section on the server itself.
  Both times clients and devices could access the internet as well as internal addresses provided by the server. Moving forward to ensure redundancy if server is not available I have left both of the external DNS configurations above applied.
  Great support on here... thanks!

• Can I restrict OS version upgrades for client MacBook Airs through Profile Manager?

  Hello everyone,
  We have all our employees MacBook Airs (all on 10.9.3+) enrolled on Profile Manager as a group. When Mavericks first came out early adopters caused us no end of problems trying to work between 10.9 and those still on 10.8.
  We now have the Server App (3.1.2) running on our server (a Mac Mini running on OS X 10.9.4). Is it possible to restrict a group from installing the next OS X  release (I can't mention its name or Apple takes the question down as it's not released yet) through Profile Manager? We can restrict access to the App Store but this is too general for us as people still need to be able to update Apps just not OS version updates.
  Thanks,

  If your users are plain users, they can't install anything without Admin access.
  If your Users have Admin access, they can bypass anything, including whatever you THINK you gave them as restrictions with Profile Manager.

• Server 4.0 Profile Manager Supported Clients

  I'm not ready to pull the trigger on upgrading to Server 4.0 given the bug history, but I'm starting to look at it.
  When server 3.0 came out, Profile Manager abandoned support for 10.7.x and caught a few of us off guard.
  Does anyone know if Server 4.0 has dropped Profile Manager support for older devices e.g. 10.8.x or iOS 7?  I still have some production devices I've not upgraded yet.

  After I upgraded my desktop to OSX 10.10 Yosemite I had to upgrade Server to 4.0
  Unable to manage the server running 10.9 Server 3.X so I upgraded the server to 10.10 with Server 4.0
  Still unable to connect to server on LAN. Its not an IP or authorization issue since I can connect to the server via finder and manage the server via screen sharing...

• How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

  I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
  Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
  Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Soemday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
  Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
  DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
  DVD>Install Lion
  Reboot, hopefully Lion install kicks in
  Update, update, update Lion (NOT Lion Server yet) until no more updates
  System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standbye)
  Terminal>$ sudo scutil --set HostName server.domain.com
  App Store>Install Lion Server and run through the Setup
  Download install Server Admin Tools, then update, update, update until no more updates
  Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
  System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
  A few DNS set-up steps and these most important steps:
  A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
  B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
  C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
  D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
  E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
  F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
  G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed an an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
  H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.
  I. Test from web browser server.domain.com/mydevices: Lock Device to test
  J. ??? Profit
  12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
  You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
  Firewall
  Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is most a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
  SSH
  Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
  PermitRootLogin no
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  I'm note sure if toggling the Allow remote logins will load this config file or, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
  Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
  client$ ssh-keygen -t rsa -b 2048 -C client_name
  [Securely copy ~/.ssh/id_rsa.pub from client to server.]
  server$ cat id_rsa.pub > ~/.ssh/known_hosts
  I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
  $ diff denyhosts.cfg-dist denyhosts.cfg
  12c12
  < SECURE_LOG = /var/log/secure
  > #SECURE_LOG = /var/log/secure
  22a23
  > SECURE_LOG = /var/log/secure.log
  34c35
  < HOSTS_DENY = /etc/hosts.deny
  > #HOSTS_DENY = /etc/hosts.deny
  40a42,44
  > #
  > # Mac OS X Lion Server
  > HOSTS_DENY = /private/etc/hosts.deny
  195c199
  < LOCK_FILE = /var/lock/subsys/denyhosts
  > #LOCK_FILE = /var/lock/subsys/denyhosts
  202a207,208
  > LOCK_FILE = /var/denyhosts/denyhosts.pid
  > #
  219c225
  < ADMIN_EMAIL =
  > ADMIN_EMAIL = [email protected]
  286c292
  < #SYSLOG_REPORT=YES
  > SYSLOG_REPORT=YES
  Network Accounts
  User Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
  2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
       User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
  Oh well.
  Email
  Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
  root:           myname
  admin:          myname
  sysadmin:       myname
  certadmin:      myname
  webmaster:      myname
  my_alternate:   myname
  Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
  cd /etc/postfix
  sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
  sudo echo 'smtp_sasl_security_options = noanonymous' >> ./main.cf
  sudo serveradmin stop mail
  sudo serveradmin start mail
  Finally, make sure that you're running a blacklisting srevice yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Finally, set up mail to use strong Kerberos/MD5 settings under on Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
  If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
  iCal Server
  Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
  Web
  The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
  $ diff httpd.conf.default httpd.conf
  95c95
  < #LoadModule ssl_module libexec/apache2/mod_ssl.so
  > LoadModule ssl_module libexec/apache2/mod_ssl.so
  111c111
  < #LoadModule php5_module libexec/apache2/libphp5.so
  > LoadModule php5_module libexec/apache2/libphp5.so
  139,140c139,140
  < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  < #LoadModule encoding_module libexec/apache2/mod_encoding.so
  > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
  > LoadModule encoding_module libexec/apache2/mod_encoding.so
  146c146
  < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
  177c177
  < ServerAdmin [email protected]
  > ServerAdmin [email protected]
  186c186
  < #ServerName www.example.com:80
  > ServerName domain.com:443
  677a678,680
  > # Server-specific configuration
  > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
  > Include /etc/apache2/mydomain/*.conf
  I did "sudo mkdir /etc/apache2/mydomain" and add specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
  Alias /eyetv /Users/uname/Sites/EyeTV
  <Directory "/Users/uname/Sites/EyeTV">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
  <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
      AuthType Digest
      AuthName "EyeTV"
      AuthUserFile /Users/uname/.htdigest
      AuthGroupFile /dev/null
      Require user uname
      Options Indexes MultiViews
      AllowOverride All
      Order allow,deny
      Allow from all
  </Directory>
  I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
  Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
  One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
  Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
  User-agent: *
  Disallow: /
  Misc
  VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

  Privacy Enhancing Filtering Proxy and SSH Tunnel
  Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
  If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
  $ ./ssht 8080:[email protected]:3128
  $ ./ssht 8080:alice@:
  $ ./ssht 8080:
  $ ./ssht 8018::8123
  $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
  $ vi ./ssht
  #!/bin/sh
  # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
  USERNAME_DEFAULT=username
  HOSTNAME_DEFAULT=domain.com
  SSHPORT_DEFAULT=22
  # SSH port forwarding specs, e.g. 8080:localhost:3128
  LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
  REMOTEHOST_DEFAULT=localhost    # Default is localhost
  REMOTEPORT_DEFAULT=3128         # Default is Squid port
  # Parse ssh port and tunnel details if specified
  SSHPORT=$SSHPORT_DEFAULT
  TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOT EHOST_DEFAULT:$REMOTEPORT_DEFAULT
  while [ "$1" != "" ]
  do
    case $1
    in
      -p) shift;                  # -p option
          SSHPORT=$1;
          shift;;
       *) TUNNEL_DETAILS=$1;      # 1st argument option
          shift;;
    esac
  done
  # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
  shopt -s extglob                        # needed for +(pattern) syntax; man sh
  LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
  USERNAME=$USERNAME_DEFAULT
  HOSTNAME=$HOSTNAME_DEFAULT
  REMOTEHOST=$REMOTEHOST_DEFAULT
  REMOTEPORT=$REMOTEPORT_DEFAULT
  # LOCALHOSTPORT
  CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      LOCALHOSTPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEPORT
  CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEPORT=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # REMOTEHOST
  CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
  CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR#:}                            # delete :
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      REMOTEHOST=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # USERNAME
  CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading +([0-9]):
  CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
  CAR=${CAR%@}                            # delete @
  if [ "$CAR" != "" ]                     # leading or trailing port specified
  then
      USERNAME=$CAR
  fi
  TUNNEL_DETAILS=$CDR
  # HOSTNAME
  HOSTNAME=$TUNNEL_DETAILS
  if [ "$HOSTNAME" == "" ]                # no hostname given
  then
      HOSTNAME=$HOSTNAME_DEFAULT
  fi
  ssh -p $SSHPORT -L $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT -l $USERNAME $HOSTNAME -f -C -q -N \
      && echo "SSH tunnel established via $LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT\n\tto $USERNAME@$HOSTNAME:$SSHPORT." \
      || echo "SSH tunnel FAIL."

• Lion Server Profile Manager Configuration

  Hi Guys,
  Currently have been testing Lion Server and Profile Manager Configuration.
  So Far Have setup
  Lion with Server App and Server Admin Tools
  Configured Open Directory Master and enabled SSL on LDAP
  Once Configured OD has created a CA Certificate can use for Profile Manager
  Have Enabled in Server.app Web and Profile manager
  In SSL Certificate Configuration have set CA Certificate for Web and Enabled Apple push notifications with my apple ID
  In Profile Manager Enabled Device Management and Enabled Sign configuration profiles and selected CA Open Directory Certificate Created when setting up OD Master.
  On Server Originally could install Trust Profile OK and Enroll Server OK with no issues, but on any other 10.7 Devices could install Trust Profile OK but would always say unsigned and Enroll would never work or just hang.
  Now Since Played around with settings on 10.7 Server can no longer enroll but trust OK.
  Questions have is
  For SSL and Profile Manager to work properly as well as Certificates do you require to purchase a proper SSL Certificate or can we use the OD Master Certificate that gets created. All we are testing is on the Local LAN so don't want to get a SSL certificate from the internet.
  Also why cannot 10.7 clients trust profile and enroll Devices Properly? How do I get this working properly?
  Any ideas?
  Regards,
  Shane

  taubmas wrote:
  Not sure if its that as finally got Lion Server working on a VM setup so network shouldn't be an issue...
  Had 1 OSX Lion Server VM and 1 OSX Lion Client VM and OSX Lion Server VM gets profile and enrolls device fine but again OSX client doesn't get enroll just sits again at installing..... even if set keychain to trust and make trust profile verified..
  any other ideas? I think need to somehow get the server to trust trust profile by default instead of going to keychain all the time.
  Shane
  Did you get this to work in an ESXI envrionment? If so, which version are you running?

• Argh! Profile Manager and Code-Signing of profiles

  I am setting up Profile Manager in Mavericks with Server.app 3.0.1.
  I have DNS correctly setup, I have created an OD Master for Profile Manager, Profile Manager is running and network users can login and I can setup profiles. I also have the https site working properly for clients although that needed some help.
  We have a self-signed root CA and off that we have two intermediate CAs, one for signing server SSL certificates, and one for signing codesigning certificates. On my server I have installed the rootCA, and the intermediate CAs and of course the server SSL certificate itself. As mentioned initially I had a problem with the https site on the server and what was happening was that the server was not sending the intermediate certificate along with the server certificate to clients. (The clients already have our rootCA certificate installed and trusted.)
  As a result the chain was incomplete and clients did not trust the http site. I tracked this down to the files in /etc/certificates it turned out that of the four files for the server certificate i.e. .key.pem, .chain.pem, .concat.pem and .cert.pem that the .chain.pem did not contain the intermediate CA. I replaced it with the intermediate CA pem file and restarted Apache and clients now get the full chain and can therefore trust the https site.
  My problem now is with the codesigning certificate, this also has been selfsigned this time by the intermediate codesigningCA. It is accepted by Profile Manager and it does sign the profiles. However when I download the Trust profile and try installing it, it comes back unverified. (If it was unsigned it would say unsigned instead.) This trust profile contains a copy of the server certificate and the rootCA certificate but does not contain the intermediate codesigningCA certificate.
  I tried the same trick of swapping out the codesigning .chain.pem file in /etc/certificates but this did not help. I am currently stuck, any suggestions from any one?
  Thanks.

  I would really appreciate being walked through these steps. I just upgraded to Yosemite and Server.app 4 and am dealing with all the brokenness.
  Profile Manager does not show a code signing certificate when I ask it to sign configuration profiles.
  I DO NOT have the Code Signing Certificate in my keychain created when OD was created.
  I DO have the four code signing certificate files:
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.cert.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.chain.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.concat.pem
  /etc/certificates/host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem
  Furthermore, when I search my System keychain passwords, for <UUID hash>, I see that have the password that decrypts these pem's, e.g. via the openssl command
  openssl rsa -outform der -in 'host.domain.tld.Code Signing Certificate.<UUID hash>.key.pem' -out 'host.domain.tld.Code Signing Certificate.<UUID hash>.key'
  What's the specific step-by-step to convert these four files into something that Profile Manager can use to sign configuration profiles?
  I am stuck.

• IOS 8.1.1 devices "pending" after enrollment in Profile Manager

  Setup:
  OS X Yosemite with server 4.0
  After installing the trust certificate and enrolling an iOS 8.1.1 client, I can see the specific device in Profile Manager. However the status of the device stays "Pending". It seems that the enrollment proces can't proceed.
  When I enroll a device with iOS 7.1.1 there are no issues. Everything works fine!
  Any suggestions?
  Thx

  The devices had been running ios 8.1 for a number of days.
  We've had two more do this since my last post.  In each occasion, the devices are running iOS 8.1, have been turned off and turned back on again to boot to the Apple logo and remain there indefinitely.
  Hard resets don't solve the issue, the only remedy is a full restore via iTunes resulting in complete data loss.
  Surely others are seeing this issue if we've had 6-7 devices in the past few days?
  iOS 8.1 + reboot = brick?

• Enrolled devices don't show up in profile manager

  Hi,
  I am trying to setup profile manager up so I can manage 100+ iPads. Have never touched a mac server before this
  I have successfully got it running with a self signed cert, I can open https://servername/mydevices on the iPads. Install the trust cert then enrol the device.
  The iPad successfully installs the remote management profile.
  After this no devices show up in the profile manager or on the mydevices site.
  To be able to view the mydevices page I had to set up a VPN connection on the mac server and connect to the VPN on the iPads, although I am not sure why as the mac server is on the same network as the iPads.
  This is being used in a school and we can't change the router settings or make the mac server have a public address. Is this a problem?
  Hopefully I have simply missed a step in the process.
  Any ideas?

  This is what the system log reports after I try enrol an iPad. Replaced the actual ip address with INTERNALIP
  Jun  4 08:40:53 mini sandboxd[760] ([778]): applepushservice(778) deny network-outbound INTERNALIP:8080
  Jun  4 08:40:53 mini sandboxd[760] ([778]): applepushservice(778) deny network-outbound INTERNALIP:8080
  Jun  4 08:40:53 mini applepushserviced[778]: Got connection error Error Domain=NSPOSIXErrorDomain Code=1 "The operation couldn\u2019t be completed. Operation not permitted" UserInfo=0x7fa483b1a340 {NSErrorFailingURLStringKey=https://albert.apple.com/WebObjects/ALUnbrick.woa/wa/deviceActivation?device=Mac OS, NSErrorFailingURLKey=https://albert.apple.com/WebObjects/ALUnbrick.woa/wa/deviceActivation?device=Mac OS}
  Jun  4 08:40:53 mini applepushserviced[778]: Failed to get client cert on attempt 2, will retry in 15 seconds
  The server is pehind a proxy, but the address reported in the first two lines is an internal ip that I can ping from the lion server.

• Problems setting up Profile Manager

  Hi everyone,
  I've got 35 iPads in one room and I'd like to be able to configure them to use Profile Manager. I am running OSX 10.7.3 and all the tools are up to date.
  I cannot get Profile Manager to run on the iPads. Here's what I've done so far:
  - Enabled Profile Manager on the server
  - Created a Self-Signed Certificate using Server.app
  - Able to login to Profile Manager via the browser
  I am stuck on the next part which is enroling the devices to Profile Manager. When I login to profile manager on the iPad, I get the option the "Enrol" the iPad, when I click "Enrol" I get the following error message:
  "Unverified Profile" - "The authticity of "Device Enrollment" cannot be vertified. Installing this profile will change settings on your iPad.". I select 'Install Now', enter my passcode and I get this error: "The server certificate for "https://servername.domain/devicemanagment/api/device/ota_service" is invalid. When I press OK, I go back to the "Install Profile" window.
  Has anyone had this issue before or know what's causing it? I suspect it's to do with certificates but I have created a Self-Signed one - do I need to do something else?
  Thanks is advance,
  Morgan

  I had a similar issue before.  I had changed the cert so many times that my keychain started having issues; ended up reformating the drive and reinstalling server.
  I set my server up with a public domain and bought a UCC certificate from go daddy.  Spending the money on a cert does bypass installing the whole trust profile as TeenTitan said.
  Here's how I did it:
  Setting up w/ Signed CA:
  Establish your host name (ex. server.domain.com)
  Don't turn on Profile Manager before setting up certs
  Open Server.app, click on your server under "Hardware"
  Go to "Settings"
  Click on "Edit" next to SSL Certificate
  In the drop down screen click the gear wheel in the left corner, select "Manage Certificates"
  Click the "+" in the window, Click "Create a Certificate Indentity"
  In the Name field type in your servers host name (ex. server.example.com)
  Click the check for "Let me override defaults"
  Fill out the next two windows with your organization's info
  Click through the next few windows leaving all the defaults until you get to the window labeled "Subject Alternate Name Extension"
  In the "dNSName" field add the the following records: yourdomain.com; server.yourdomain.com; www.yourdomain.com; autodiscovery.yourdomain.com (you could add more if you plan on hosting mail, address book, etc..)
  IMPORTANT- make sure you add those "dNSName"  addresses as Alternate name extensions when you are creating your SSL cert from an Authorized CA issuer like GoDaddy for example.
  Click continue and finish creating your self generated cert
  When you are finished you will return back to the Manage Certificates window and see your newly self generated SSL cert. 
  Click on the gear wheel and select "Generate Certificate Signing Request (CSR)"
  Copy the following text
  Close the window
  Next, you need to go to your CA issuer and generate your cert.  Copy the text into the field for generating your own SSL cert.  (Your milage may vary in this process; I only know how to do it in GoDaddy)
  After creating your cert, download it from your CA issuer's website.  You should have two files, one being your "gd_intermediate.crt" and the other "yourdomain.com.crt"
  Go back to the Settings section in Server.app and select "Edit" in "SSL Certificate" section
  click the gear wheel icon and select "Manage Certificates"
  Highlight your self genereated ssl that you created in the last steps
  click the gear wheel icon and select "Replaced Certificate With Signed Or Renewed Certificate"
  drag the "gd_intermediate.crt" that you downloaded into the window
  Allow the keychain to add the record
  Close Server.app
  Open "Keychain Access" in your App folder
  Click the lock in the bottom left corner and authenticate
  In the top left pane select, under Keychains, "System"
  in the bottom left pan, under Category, select "Certificates"
  Drag the "yourdomain.com.crt" file that you downloaded from you CA issuer
  Close keychain
  Go back to Server.app in the settings section
  select your newly generated SSL cert as your primary cert
  Next, Enable Apple Push Notifications
  Go to Profile Manager
  Configure your directory services  (I created an Open Directory Master)
  Click Sign configuration profiles and choose your new SSL cert
  Finally, turn on Profile Manager and if all goes well, you should be able to add your devices. 
  Hopefully this is helfpful; these were the steps I took to get my server going with a public address. 
  Other Info:
  iOS devices enrolled had iOS 5.0.1 or higher (Models 3GS, 4, 4S)
  I had ports 1640 & 2195 open for Profile Manager on my router
  OS X Lion 10.7.3
  Lion clients enrolled were 10.7.2 and up