
Restricting network accounts in OS X Server

I need to restrict network users' access to specific applications.

I thought that profile manager could handle this, but I'm not having the desired result.

Using profile manager, I'm configuring the restrictions for the group the user is in, but when the user logs in over the network the restrictions do not seem to apply.


Am I missing something here? Do the settings from the profile manager need to be downloaded for each user?


Any assistance with this would be great.


Thanks!

Mac mini, OS X Yosemite (10.10.2)

Posted on Apr 18, 2015 8:55 AM


Apr 18, 2015 6:20 PM in response to miked01

Are the devices enrolled into Profile Manager? You state that you are setting group policy, but if Profile Manager is not aware of the device it cannot apply policy automatically. You can download the policies and distribute manually, but that negates the purpose of push and auto configure.


From a workstation, visit https://your.server.address/mydevices/. From that page, log in as the user and enroll the device into Profile Manager. This will get the base MDM policies. To manage at the user level, bind the device to your OD or AD domain.

Reid

Apple Consultants Network

Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store


Apr 18, 2015 7:32 PM in response to Strontium90

I have the devices bound to the OD, but I do not have the separate devices enrolled in Profile Manager.

I did notice that once I log in using the OD account, I can access the web interface of Profile Manager and download the profile for that user.

So having each device enrolled in Profile Manager, when an OD user logs in, the profile for that user will automatically be downloaded?


Thanks for the help.

Apr 20, 2015 9:09 AM in response to miked01

Generally speaking, yes. The process to provide management at a group and user level is to (1) bind to the domain, (2) enroll into Profile Manager (requires enabling device enrollment in Server.app), (3) manage by setting policy to users (not very efficient), groups, devices, or device groups. Then, make sure you have added a push certificate to the server, which will allow your policies to be pushed to the devices automatically. (You must allow push notification on your network.) If you don't use push, you can press the Download button and distribute manually. But that does not scale well.


The idea here is that many of the services are designed to work independently, but they enhance each other as you integrate them. For example, OD can be used without Profile Manager if you are looking to centralize your users, groups, and password policy. Profile Manager can be used without OD if you are looking to manage devices but not user accounts (BYOD, Apple ID-centric deployments, etc.). Likewise, Profile Manager is really three services in one. It is the management of devices, VPP, and DEP. Each can be used in any combination depending on your needs.


Reid
