Newsroom Update
Beginning in May, a special Today at Apple series titled “Made for Business” will offer small business owners and entrepreneurs free opportunities to learn how Apple products and services can support their growth and success. Learn more >
Beginning in May, a special Today at Apple series titled “Made for Business” will offer small business owners and entrepreneurs free opportunities to learn how Apple products and services can support their growth and success. Learn more >
Hi everybody,
i just set up an Mac OS X Server with Profile Manager to manage and enroll devices.
Everything works so far.
My only concern is, that every user on that mac and in my Active Directory can login into the myserver/mydevices section.
So they can enroll devices.
I would like to use a group to restrict that access.
Is that posible?
kind regards,
Andi
iMac, OS X Mountain Lion (10.8.1)
Add the AD groups you like into the Groups section of the Server app.
presuming your osx server has your AD users and groups
in server admin click on your server name, look for access
choose profile manager add either the users or group who you whish to be able to access PM
Hi,
thanks for your reply. This didn't work for me.
The problem is, that everybody has access. I don't know how adding a group will limit that access.
There is a access section called "Profile Manager", but i dont want them to access Profile Manager.
Only a view users schould ble able to enroll Devices, not all.
Thanks for your help.
MadFill wrote:
Hi,
thanks for your reply. This didn't work for me.
The problem is, that everybody has access. I don't know how adding a group will limit that access.
There is a access section called "Profile Manager", but i dont want them to access Profile Manager.
Only a view users schould ble able to enroll Devices, not all.
Thanks for your help.
The initial behavior of Server.app is that everyone (in this all users rather than a group called everyone) has access to all services. If however you select a group (under Groups) in Server.app and then set the service access permissions for that group it will automatically stop everyone having access.
I've been working with Profile Manager for a while, trying to get it into producetion. So far I've not found a way to limit access to the enrolement process, at least with the existing Apple setup. Maybe I'm doing it wrong but so far using AD groups, Local Network Groups of AD users or evern local groups is not limiting access. I've set these groups to only be able to use Profile Manager but any user in our AD enviroment can login and enrole their device. It hasn't created problems yet but I'm sure it will.
limit access to /mydevices for AD Groups
