
Why use an enrollment profile?

What is the intent of an enrollment profile vs. a trust profile combined with remote mgmt. and any specific configuration profiles for a type/group/subset of devices? I was/am able to enroll and manage my MacOS & iOS devices via Profile Mgr. on my Mtn. Lion server without ever creating an enrollment profile.

MacBook, Mac OS X (10.6.8)

Posted on Apr 8, 2013 2:27 PM


4 replies
Question marked as Best reply

Apr 9, 2013 3:24 AM in response to Bob Gore

A trust profile tells the client that if software is received from a particular server, that software is legit. A client computer can 'trust' any number of servers. The trust profile does not tell the client computer that it should check with a server for changes at any particular time, simply that if software is received from that server at some unspecified time in the future, it's trustworthy.


An enrollment profile tells the client computer that it must accept commands from a particular server about what to do. The enrollment profile will tell the client computer that it should (handwave for complexity) periodically check with that server to see if there's anything new. A client computer should be enrolled with a maximum of one server, else it might get conflicting commands. If a server sends an enrollment profile to a client, it also puts that client onto the list of enrolled clients it knows about, so its user can see what machines they control.


Both types of certificate can be removed by anyone with admin privileges on the client machine, or by the server the client is enrolled with.

Apr 9, 2013 10:03 AM in response to Simon Slavin

But it appears that my server (or Profile Mgr. on it) shows all the (MacOS/iOS) devices I've enrolled via the user portal without ever having established a separate, dedicated enrollment profile to begin with. And after installing the requisite trust profile, any configuration profile which is installed seems to carry with it the prerequisite "remote management" profile that seems to be analogous to "binding" a computer (or other device) MCX-style that we've previously employed pre-10.7.


What I notice after creating an 'official' enrollment profile in Profile Mgr., downloading and installing it produces the same results that occurred when I just performed the actions I describe in the first paragraph (and OP).


[btw, Simon...thanks for your participation here and on the 'deprecated' OSX-Server list over the years. I look forward to reading your contributions in these fora].


Bob

Apr 10, 2013 2:25 AM in response to Bob Gore

Sorry, I should probably have explained this better in my earlier post. I believe there are actually three types of profile in use:


  1. The first is a trust profile, and it works as I described above. It tells a client that any software sent to it from a particular server is trustworthy. Any client can trust any number of servers, whether or not it is going to enroll with them.
  2. The second is an enrollment profile. This is not what I described above. Instead it's a command to the client that it should contact a particular server and enslave itself to it. The enrollment profile is used only to make the enrollment process happen. Once the enrollment process is complete, the enrollment profile can be deleted, and in fact should be automatically deleted.
  3. The third is the 'remote management' profile that I was calling 'enrollment' above. This tells the client that it should accept commands from the server about what new stuff to install, whether it should let its screen be controlled, whether to lock itself or wipe itself, and other stuff like that.


You can use the Profile inspector in the System Preferences panel to look at a remote management profile and find out exactly what it allows to be done.


Putting these three together you see that the enrollment process goes like this: first an enrollment certificate is sent to the client. As a human tells the client to accept this (or it's automatically set up to accept it) the client contacts the server and says "I am such-and-such a device, enroll me." If set up that way, the server makes some notes about this new device, sends it two other kinds of cert: a trust cert, and a remote management cert. And the client can then delete the enrollment cert because the enrollment process is done.


Note: the above is only my understanding. I do not work for Apple, I've just played around with this for a bit.
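Simon's two replies above draw the line between a trust profile (certificates only, no commands) and a remote management profile (an MDM payload the device polls for commands), and suggest opening a remote management profile in the Profiles pane to see exactly what it permits. The script below is an added example, written for this page and not part of the original thread or of Apple's Profile Manager, that does the same inspection from the command line: it parses a .mobileconfig plist, classifies it by the payload types it carries, and decodes the AccessRights bitmask of a com.apple.mdm payload using the bit values Apple publishes in its MDM protocol reference (including the documented rule that the install/remove rights require the matching inspection rights). The server name, identifiers and certificate bytes in the sample profiles are constructed placeholders, and the payload-type classification is a heuristic, not an Apple definition.

```python
"""Tell an Apple trust profile from a remote-management (MDM) profile and decode what the
MDM payload lets the server do. Added example; the sample profiles are constructed."""
import plistlib

# AccessRights bit values for the com.apple.mdm payload (Apple MDM protocol reference).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install and remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase (remote wipe)",
    16: "query device information (capacity, serial number)",
    32: "query network information (phone/SIM numbers, MAC addresses)",
    64: "inspect installed provisioning profiles",
    128: "install and remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
ALL_RIGHTS = sum(ACCESS_RIGHTS)  # 8191: every documented right

# Payload types that only anchor certificates: a "trust profile" in the thread's terms.
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pem",
                      "com.apple.security.pkcs1", "com.apple.security.pkcs12"}
MDM_PAYLOAD_TYPE = "com.apple.mdm"

def decode_access_rights(mask: int) -> list:
    """Expand an AccessRights bitmask into the rights it grants."""
    rights = [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    if mask & ~ALL_RIGHTS:
        rights.append("undocumented bits 0x%x" % (mask & ~ALL_RIGHTS))
    return rights

def access_rights_warnings(mask: int) -> list:
    """Flag high-impact rights and the dependency rules Apple documents for the mask."""
    warnings = []
    if mask & 2 and not mask & 1:
        warnings.append("profile install/remove (2) set without profile inspection (1)")
    if mask & 128 and not mask & 64:
        warnings.append("provisioning install/remove (128) set without inspection (64)")
    if mask & 8:
        warnings.append("server may erase the device")
    if mask & 4:
        warnings.append("server may lock the device and clear its passcode")
    return warnings

def classify_profile(profile: dict) -> str:
    # Heuristic: an MDM payload means the device polls a server for commands; a
    # certificate-only profile just says whom to trust and carries no commands.
    types = {p.get("PayloadType") for p in profile.get("PayloadContent", [])}
    if MDM_PAYLOAD_TYPE in types:
        return "remote management"
    if types and types <= CERT_PAYLOAD_TYPES:
        return "trust"
    return "configuration"

def inspect_profile(data: bytes) -> dict:
    """Parse a .mobileconfig (XML or binary plist) and report what installing it commits to."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    report = {"name": profile.get("PayloadDisplayName"),
              "kind": classify_profile(profile),
              "payload_types": sorted(p.get("PayloadType", "") for p in payloads),
              # an admin can remove the profile unless the server sets this key
              "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
              "mdm": None}
    for p in payloads:
        if p.get("PayloadType") == MDM_PAYLOAD_TYPE:
            mask = int(p.get("AccessRights", 0))
            report["mdm"] = {"server_url": p.get("ServerURL"), "access_rights": mask,
                             "rights": decode_access_rights(mask),
                             "warnings": access_rights_warnings(mask)}
    return report

# Constructed samples (hypothetical server and identifiers), serialized to XML plist so
# inspect_profile() takes the same path as a profile downloaded from the user portal.
def _profile(name: str, ident: str, payloads: list) -> bytes:
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadDisplayName": name, "PayloadIdentifier": ident,
                           "PayloadUUID": ident, "PayloadContent": payloads})

TRUST_PROFILE = _profile("Trust Profile for server.example.com", "com.example.trust", [
    {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.trust.ca", "PayloadUUID": "com.example.trust.ca",
     "PayloadContent": b"placeholder DER certificate bytes"}])

REMOTE_MANAGEMENT_PROFILE = _profile("Remote Management", "com.example.mdm", [
    {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.mdm.scep", "PayloadUUID": "com.example.mdm.scep",
     "PayloadContent": {"URL": "https://server.example.com/scep"}},
    {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.mdm.mdm", "PayloadUUID": "com.example.mdm.mdm",
     "ServerURL": "https://server.example.com/mdm", "Topic": "com.apple.mgmt.example",
     "IdentityCertificateUUID": "com.example.mdm.scep", "AccessRights": ALL_RIGHTS}])

if __name__ == "__main__":
    for blob in (TRUST_PROFILE, REMOTE_MANAGEMENT_PROFILE):
        r = inspect_profile(blob)
        print(f"{r['name']}: {r['kind']} profile; payloads {r['payload_types']}")
        for w in (r["mdm"] or {}).get("warnings", []):
            print("  WARNING:", w)
```

To check a real download, pass the file's bytes to inspect_profile(). If the server signed the profile, the file is a DER-encoded CMS blob rather than a bare plist, so extract the plist first (for example with openssl smime -verify -noverify -inform der) before parsing; the AccessRights decode is the part to read before accepting a remote management profile, since bits 4 and 8 are the lock and wipe rights Simon mentions.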
