
How to update client profile manually (without APNs)

Currently implementing an OS X Server with a specific goal of device management using the Profile Manager. I have a thorough understanding of APNs' role in this, where communication is sent to APNs, which then gives the client a notification to "check in" with the server for updates. So the actual data exchange is only between the server and client. (Like the diagram below...)


[Image from the original post: diagram of the check-in flow described above, with the server signalling APNs, APNs notifying the client, and the profile data exchanged directly between server and client.]

However, for security reasons I want to be able to accomplish the client-server MDM check-in manually without APNs if I want to. In theory, this should be possible because the client obviously runs code to search for the server, communicate, and apply any changes to its configuration profile. Based on the OS X Server documentation for this, it does this over SSL to the server for an mdm_checkin. The client also automatically checks the server on each startup, so restarting the machine does in fact tell it to check the server and get any profile changes that are holding as tasks. (Obviously, it's not ideal to restart every time I want a change...)


Again, for security and troubleshooting purposes, I want to avoid APNs and do this communication manually. I'd also like to avoid downloading from the myDevices portal, or transferring a profile to be double-clicked/opened, etc. However, for the life of me I can't find any other documentation or code that may direct me how to do this! It seems like there should be something to run or a few terminal commands to accomplish this...


Has anyone else attempted this or had success telling a client manually to talk to its MDM server? (Or even using mdmclient?)


Thanks!

Mac Pro, OS X Server

Posted on Feb 25, 2015 9:00 AM


3 replies
Question marked as Best reply

Feb 26, 2015 2:18 AM in response to jjcarstens

Enrolling a device to an MDM, e.g. Apple's Profile Manager, does not require APNs; it merely requires 'installing' the enrolment profile and optionally a trust profile. However, normally if you make a change to a profile this would be 'pushed' to client devices by sending an APN message to tell the client to 'phone home' to download the new profile.


I install the trust and enrolment profiles during a DeployStudio imaging workflow and at the moment use APNs to send notifications for updates; however, for another, different network I am looking at the following instead of APNs.


The latest Munki software now supports installing profiles directly; before, it used to be necessary to wrap the profiles inside Apple installer packages.


Note: Profiles can be distributed 'over the air' via APNs, hosted as files to be manually downloaded from a web server, or emailed to users/devices as a file attachment, and, as mentioned above, wrapped inside an Apple Installer package which would run a post-install script to install the profile.


Therefore you could generate the updated profile and use Munki 2.2 to manage distributing and installing the updated versions. Of course an important limitation is that Munki is for Macs only and does not cover iOS devices. Munki does not use APNs. The Munki client needs to be able to talk to your Munki server, which ideally should only be contactable on your LAN; a VPN connection would work.


Note: It is probably not worth looking at Casper Suite even though it supports iOS as it uses APNs.

Feb 27, 2015 11:35 AM in response to John Lockwood

Thanks John.


Coincidentally, I have actually solved this (mostly). Because the machine would get the settings from the MDM on reboot, I was sure it actually knew how to call the OS X Server (or any MDM) on its own to get the changes. And since startup = daemons & agents, I went looking there. Turns out there is a com.apple.mdmclient.daemon.plist! Restarting that causes the client to call out to the OS X Server looking for updated profile configurations. I can script, cron, or flat out manually assign that task whenever I need to avoid using APNs, which is especially helpful for troubleshooting. (And I'm currently in the process of building an in-house solution to bypass APNs by scripting this... so far, so good!)


To restart that daemon and have the client request profile configuration updates, use these two commands:

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist

sudo launchctl load /System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist
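As an added example, not code from the thread or from Apple, here is a small POSIX shell wrapper around the two launchctl commands above, so the forced check-in can be run from a script or a cron job rather than typed by hand. It checks that the daemon plist is present, refuses to touch a system LaunchDaemon unless it is running as root, and prints a timestamped line that can be matched against the server's logs when troubleshooting why a client did or did not pick up a profile change. The function name mdm_force_checkin, the optional plist argument and the LAUNCHCTL override (set it to echo to dry-run and only print the commands) are my own assumptions; the plist path is the one given in the post.

```sh
#!/bin/sh
# Added example, not code from the thread: wraps the two launchctl commands
# posted above so a manual MDM check-in can be scripted or run from cron.
# Assumptions (mine, not the poster's): the function name mdm_force_checkin,
# the LAUNCHCTL override (LAUNCHCTL=echo dry-runs and only prints the
# commands) and the optional plist argument. The plist path is from the post.

MDM_DAEMON_PLIST="/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist"

# Unload and reload the mdmclient daemon so the client checks in with its MDM
# server without waiting for an APNs push.
# Return codes: 2 plist missing, 3 not root, 4 unload failed, 5 load failed.
mdm_force_checkin() {
    plist="${1:-$MDM_DAEMON_PLIST}"
    lc="${LAUNCHCTL:-launchctl}"

    # Fail early if the daemon plist is not where this OS X release keeps it.
    if [ ! -f "$plist" ]; then
        echo "mdm_force_checkin: $plist not found" >&2
        return 2
    fi

    # System LaunchDaemons can only be unloaded/loaded by root; enforce this
    # only when really invoking launchctl, not in dry-run mode.
    if [ "$lc" = "launchctl" ] && [ "$(id -u)" -ne 0 ]; then
        echo "mdm_force_checkin: must run as root (use sudo)" >&2
        return 3
    fi

    "$lc" unload "$plist" || { echo "mdm_force_checkin: unload failed" >&2; return 4; }
    "$lc" load "$plist"   || { echo "mdm_force_checkin: load failed" >&2; return 5; }

    # Timestamped record so the forced check-in can be correlated with the
    # server side when troubleshooting.
    echo "$(date '+%Y-%m-%dT%H:%M:%S') mdmclient daemon reloaded; check-in requested ($plist)"
}

# Run the check-in only when executed as a script named mdm_checkin.sh,
# so the file can also be sourced to reuse the function.
case "${0##*/}" in
    mdm_checkin.sh) mdm_force_checkin ;;
esac
```

Save it as mdm_checkin.sh and run `sudo sh mdm_checkin.sh`; a cron entry calling it at whatever interval suits the network stands in for the APNs push. `LAUNCHCTL=echo sh mdm_checkin.sh` shows the commands it would run without reloading the daemon, which is useful for confirming the path before putting it in cron.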

