
Applying Profile Manager settings for AD users / groups

Hi there. Novice needs basic questions answered.


I have an iMac running OS 10.9.4 and Server 3.1.2. It is bound to an AD. I can see AD users and groups in both Server app and Profile Manager.


Whilst testing, I managed to apply some settings to an AD group, and see those settings reflected when the appropriate AD user logs in to a client machine. When trying to Enroll client machines via MyDevices, I found there was buggy behaviour, so reset the Profile Manager database (http://support.apple.com/kb/HT5349) (I am not sure how I managed to get any devices enrolled at all, because I am not using a trusted certificate). Since then, it has not been possible to apply settings to AD users or groups.


I have a lot of questions about this:


1) When hitting Save at the lower right corner of Profile Manager, and no settings have been applied to Devices or Device groups, the settings are pushed out to the AD server, right?


2) Is there any way of finding out whether they actually got there, and if they can be successfully used? Is there some way of monitoring this from the AD side? With Device settings, there is an activity tab where you can view the progress of these settings being pushed out to the devices. It would be nice to have something like this for AD settings too!


3) Do I need a certificate provided by the AD in order to successfully push out settings?


4) I read somewhere that Profile Manager contains an OD master. If this is the case, and no other services are to be provided by the Mavericks Server machine other than configuring AD users and groups, can the OD section be switched off?


5) What is the process when an AD user logs in? Their user name and password is authenticated at the AD server that the client machine is bound to. Then are the settings (Dock, etc) pulled from AD server? Or should the client machine be bound to the Mavericks Server as well, so that their record can be looked up in Profile Manager?


Apologies for these basic questions, it's just I have been reading thread upon thread, and am getting nowhere in understanding these basic fundamentals.


Many thanks in advance. Any answers would be hugely appreciated.

Simon

iMac, OS X Mavericks (10.9.4)

Posted on Jul 22, 2014 4:25 AM

5 replies

Jul 22, 2014 5:00 AM in response to simioliolio

There could be others who may help you further and possibly with some of the detail you need but in brief:


1. Wrong. See 3.

2. Yes. On a client Mac that's been enrolled the profile will appear in a preference pane (if you like, the Mac equivalent of a Windows control panel) in System Preferences. You can't monitor this from the AD side as it has nothing to do with AD. You can however access Profile Manager's portal on any PC (Mac or otherwise) with pretty much any browser. For example you could do this on your DC using IE if you wish?

3. Not really. What you do need is to allow access from and to your internal network for Apple's Push Notification Service (APNS), otherwise the profiles won't reach your target machines:


OS X Server: Ports used by Profile Manager


Hampering access to these ports may explain why enrolment is hit and miss and why profiles are not reaching your target machines? APNS does involve the use of trusted certificates but these can be self-signed. Seeing as they come from your trusted servers in your trusted network all you have to do is trust them.

4. You can't start the Profile Manager service without starting Open Directory. One gives 'birth' to the other so to speak. Open Directory is Apple's equivalent of Active Directory. Both directory systems are based around LDAP. Microsoft's less so than Apple's. Profile Manager is loosely equivalent to AD's GPO Management Console. Don't make the mistake that they are exactly the same because they're not.

5. Macs are bound to AD and enrolled in Profile Manager (no need to bind Macs to OD any more - more on this later). User in AD presents their credentials to a Mac workstation's login screen. These credentials are checked against AD and if they are in good order and if the user's home folder is correctly defined and if ACLs giving access to that folder are also correctly defined, login will be successful. Any profiles containing the Mac equivalent of GPOs will be applied either to the machine itself (persistent settings independent of login) or to the user and/or Group that user is part of as login occurs.


The 'more' for 5 is you can still use Apple's Legacy GPO application - WorkGroup Manager - up to a point even though the application was deprecated two OSes ago. WorkGroup Manager is not web-based and applies management settings using a different mechanism to Profile Manager. To use WorkGroup Manager you do have to 'bind' Mac workstations to your Mac Server configured as an Open Directory Master - the equivalent to a Windows DC. In this integration scenario you would have Mac workstations (picture it as the apex of a triangle) bound and authenticated to AD (the bottom left hand corner of the same triangle) and joined to OD for their GPOs (the other corner). Hence the 'Magic Triangle' although in my mind it's not a triangle at all.
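The reply above says the two things to verify are (a) that APNS and the Profile Manager ports are reachable from the network and (b) what profiles and binding the client Mac actually has. The script below is an added example (not from the thread or from Apple) that runs those checks from an enrolled client: a TCP reachability test for each port, followed by the AD binding and the installed profiles. Assumptions: the server host name is passed as the first argument, `nc` is available (it ships with OS X), and the port numbers are taken from memory of the Apple "Ports used by Profile Manager" article linked in the reply; check them against that article before relying on the list.

```shell
#!/bin/sh
# Added example: client-side checks for a Mac enrolled in Profile Manager.
# Not from the original thread. Host names, ports and the argument layout
# are assumptions; verify the ports against Apple's "OS X Server: Ports used
# by Profile Manager" article.

# APNS endpoints on Apple's side. Format: host port description.
# 2195/2196 are used by OS X Server itself, so run this on the server too.
apns_targets() {
    cat <<'EOF'
courier.push.apple.com 5223 APNS from managed clients to Apple
gateway.push.apple.com 2195 APNS from OS X Server to Apple (run on the server)
feedback.push.apple.com 2196 APNS feedback from OS X Server to Apple (run on the server)
EOF
}

# Ports the client must reach on the OS X Server host given as $1.
server_targets() {
    cat <<EOF
$1 443 Profile Manager web UI and /mydevices over HTTPS
$1 1640 SCEP certificate enrolment during device enrolment
EOF
}

# Number of targets in the combined list; handy as a sanity check of the list.
count_targets() {
    { apns_targets; server_targets "$1"; } | wc -l | tr -d ' '
}

# TCP connect test with a 5 second timeout. Prints one line per target and
# returns 0 when the port accepted the connection, 1 otherwise.
check_port() {
    if nc -z -w 5 "$1" "$2" >/dev/null 2>&1; then
        echo "open   $1:$2  $3"
        return 0
    else
        echo "CLOSED $1:$2  $3"
        return 1
    fi
}

# Walk the combined list. A here-document (rather than a pipe) keeps the
# loop in the current shell so the 'failed' flag survives the loop.
run_checks() {
    server="$1"
    failed=0
    while read -r host port desc; do
        [ -n "$host" ] || continue
        check_port "$host" "$port" "$desc" || failed=1
    done <<EOF
$(apns_targets; server_targets "$server")
EOF
    return $failed
}

# What the client actually has: the AD binding the reply describes in 5,
# the device (system) profiles, and the profiles for the logged-in user.
show_client_state() {
    echo "--- Active Directory binding (dsconfigad -show) ---"
    dsconfigad -show
    echo "--- Device profiles (all users; needs root) ---"
    sudo profiles -P
    echo "--- Profiles for the current user ---"
    profiles -L
}

# Usage: sh pm_check.sh server.example.local
if [ -n "${1:-}" ]; then
    run_checks "$1" || echo "One or more ports are blocked; see CLOSED lines above."
    show_client_state
fi
```

A CLOSED line for 5223 on the client, or for 2195/2196 on the server, matches the "hit and miss" enrolment the reply describes; an AD-bound Mac with no entries under `profiles -P` has simply not been enrolled, whatever Profile Manager's device list says.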

Jul 22, 2014 8:21 AM in response to simioliolio

Hang on, you don't need a trusted certificate just to enroll an iMac on a local network, right?


On the client iMac, I go to https://<server host name>/mydevices, and I only get the option to install a Trust Profile, which I have done, and still that's the only option.


In the Profile Manager tab of Server app, Device Management is disabled, and will not enable, despite choosing a certificate and clicking Finish. Is this certificate-related?


Sorry for all the ramblings...


Simon
