
Yosemite Profile Manager

Hello,


I have heard from two Apple experts that Profile Manager in Yosemite is the solution for us (we manage about 800+ machines and about 3000+ users) with no technical details on why it's not the solution for us except for that the tools have changed a lot and it's harder to manage. Is it just that, or are there limitations and glitches? We are on a limited budget and we know that there are other alternatives to do the job but it will cost a lot more. If Profile Manager in Yosemite is not the solution, are there other open source alternatives? Can anyone who used it provide us with more details about its issues and glitches?


Thanks,

Mac Pro, OS X Yosemite (10.10)

Posted on May 20, 2015 5:17 AM


May 21, 2015 1:23 AM in response to The Plaid Rat

Thank you for your reply. Yes, what I'm looking for is simple management, but I have already heard from two people (one of them is an Apple service provider) that I should not continue with Profile Manager, but they didn't give me any further details. That's why I'm asking the experts community here if any had major issues or glitches in using it before we make the decision. Is Apple phasing away any enterprise solutions and only focusing on Home or personal solutions?


Thanks

May 21, 2015 5:17 AM in response to mona139

800+ machines is way out of the scope of Profile Manager. You need to use a product that can scale to that level. Apple includes Profile Manager as a reference implementation of the configuration profile management framework. It was never intended to be used for such quantities of devices. I am successful using it with up to 30 devices (small businesses). 50 if I push my luck.


Now, is there a technical reason why you can't use the built in Profile Manager? Not really. It supports all the features including DEP and VPP. It often gets new payloads before the third parties have had a chance to implement. It generally works well and without much trouble. I believe Apple put a soft cap at 1000 devices (can't find my document on that so I am pulling that from memory). Using Profile Manager gets you OS X Server which also gets Caching Server. But server is worth the price for Caching Server alone. However...


But the challenge is what hardware do you run it on that you have confidence in and what will happen when the next upgrade or update comes out? Server.app runs on Apple hardware only and there is no "server." Sure, any device can be a server but unless you have an old Mac Pro or old Mac mini Server, you don't have a device that can support drive level redundancy. Apple provides no simple backup mechanism and the Postgres implementation has not been without error. Likewise, even if you figure out how to back it up, there is no obvious way to restore. And trust me, even with 20 devices, the last thing you want to do is track them all down to re-enroll because the database ate itself. The tools (Server.app and the portal) are not designed to handle large data sets. You have limited sorting and filtering options. Apple still does not implement variables correctly (well, maybe they are correct but they are not intuitive).


At 800+ devices you really are a candidate for JAMF. However, if you are looking only for Profile Management and not patch and deployment solutions, you might look at Bushel, AirWatch, MobileIron, or other basic MDM solutions. Cisco/Meraki has an MDM built in. Many can be off-prem hosting eliminating the need to manage a server onsite.


with no technical details on why it's not the solution for us except for that the tools have changed a lot and it's harder to manage


I disagree. Yes Mac management has changed. MCX is deprecated and Profile Manager is now the king. Yes, it took Apple about three OS releases to make the transition and if you really want you can continue to (mostly) use MCX on Yosemite. But Profile Manager is by far easier to implement and in general requires less infrastructure, more flexibility, and greater reach.


Reid

Apple Consultants Network

Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

May 21, 2015 6:05 AM in response to Strontium90

Thank you so much for your time and detailed reply. I do have a couple of questions, though:


1. When you say "800+ machines is way out of the scope of Profile Manager" you mean it won't do the job for this number of machines in Yosemite only? We have been managing this number of machines in 10.6.8 with no issues at all; will Yosemite continue to do the same even if it's managed differently (via command line, not the GUI)?


2. If we are not planning on using it for deployment, only pushing preferences and configurations to both machines & users, can Yosemite server do this for this number of users & machines (3000 users & 800+ machines)?


3. We use a simple backup & restore solution (CCC) and it has been working fine for us so far; can we continue doing the same?


I know I'm maybe repeating myself in my question but this is very important to us as we are planning our next year's budget.


Thanks,

May 21, 2015 6:17 AM in response to Strontium90

I think that a big weakness in PM is that, unless I've missed something, it doesn't seem to be designed to make replication/failover straightforward so one has to have a contingency plan. Apart from that I am getting to prefer profiles to MCX.


Strontium90 says:

800+ machines is way out of the scope of Profile Manager. You need to use a product that can scale to that level.


Apple says:

Profile Manager 2 running on a Mac mini (mid 2011) with 8GB RAM and Mountain Lion can support up to 5,000 devices and computers on a single server. Profile Manager 2 manages the number of tasks processed in parallel to ensure outstanding profile updates are processed as quickly as possible. On average, each device or computer will take less than 800 milliseconds from the time it is scheduled to receive and process a signed profile update, up to the tested limit of 5000 clients.


Reference: Profile Manager 2: Scalability - Apple Support


Personally, I normally deploy as packages via DeployStudio during re-imaging or with ARD and try to exploit multicasting when possible so don't know whether PM handles this part okay. Deploying gigabytes to hundreds of clients in a short space of time takes a certain amount of care regardless of how you do it.


C.

May 21, 2015 10:05 AM in response to mona139

Profile Manager should handle 800 devices without too much trouble in general, but it will depend somewhat on how you group your devices and apply your settings. If you have all 800 devices in a single device group and try to push a profile to all of them at the same time, it will take a significant amount of time for that to complete. Profile Manager can only service about 100 device requests simultaneously, and can only have about 300 requests active on the server at a time. I would expect pushing a profile to 800 devices to take roughly 15-20 minutes to complete with Profile Manager. Trying to push a large enterprise app to all 800 devices at one time may disappoint you, but VPP apps should be just fine at this scale.


cdhw is correct in that there is no failover capability with Profile Manager, but for recovery options I HIGHLY recommend running OS X Server as a virtual machine. Using a product like VMware Fusion or Parallels Desktop gives you snapshots and their inherent near-instant rollback capabilities, plus a much easier backup mechanism. (Just copy the virtual machine file instead of worrying about bugs in Time Machine or having to take down the server to make whole disk image copies. Time Machine backups of VM files tend to be far more reliable than Time Machine backups of boot volumes.) I run numerous Profile Manager servers, all of them as VMs, and personally would never even consider a production deployment on "bare metal." But that's just me. 😉


Running a VM does add a bit more cost (about $70 for Fusion/Parallels) and is a bit more complicated to set up, but not much and in the long run will save you countless hours.

May 22, 2015 4:42 AM in response to mona139

Thank you cdhw for looking up the real specs. I was trying to pull from memory and clearly, it was not accurate.


1. When you say "800+ machines is way out of the scope of Profile Manager" you mean it won't do the job for this number of machines in Yosemite only? We have been managing this number of machines in 10.6.8 with no issues at all; will Yosemite continue to do the same even if it's managed differently (via command line, not the GUI)?


10.6 was a different animal. As much as Workgroup Manager was maligned, it was rather capable of handling thousands of records and providing clear details on each record. Server.app does not do as good a job. Once again, you can do it, but the suggestions of mscott_mdm are valid and reflect my concerns regarding hardware choice. In the 10.6 days we had server class hardware to run server class tools. Today we have consumer grade equipment to run reference utilities that are excellent for small deployments. Can OD still support thousands of users? Sure. Do you want to manage them in Server.app when you need to add 100 to a group? Ouch. Also, consider the support issue. When Server.app breaks, you come to a discussion forum and hope you collide with someone who had the same problem and can solve it. With a 3rd party tool you have vendor support. This is not to say I don't recommend Server.app. Clearly I am a fan. However, I pick my battles.


2. If we are not planning on using it for deployment, only pushing preferences and configurations to both machines & users, can Yosemite server do this for this number of users & machines (3000 users & 800+ machines)?


As noted by cdhw, Apple says yes. (Are you a school?) You are in range. If you are a school and you are performing annual resets, then Server.app may work for you. Deploy in September and lock down until June. Then reevaluate each summer.


3. We use a simple backup & restore solution (CCC) and it has been working fine for us so far; can we continue doing the same?


Trust but verify. Profile Manager is backed by a database. Make sure whichever tool you are using to back up can back up the database files. Simulate a failure and attempt a restore. Always validate your backup solutions by performing periodic restores.


The bottom line is that your barrier to experimentation is low. Server.app costs $20 and Yosemite is free. Find a spare device and begin the experimentation process. You know your environment best. Test out the tools. Create 1000 placeholder records in Profile Manager and explore the interface. See if it is a fit.

Jun 29, 2015 6:12 AM in response to mscott_mdm

Wondering how the VM is working out and if any issues, whether performance or otherwise? I've had my share of Profile Manager and Open Directory issues over the years.


Can you detail a bit the best way to set this up in Fusion or Parallels if I already have a working clean bare metal server? I'm just using OD, VPN and Profile Manager. How is it working out, as far as backups (snapshots) if the services are not shut off first?


Thanks,

TM

Jun 29, 2015 6:24 AM in response to mona139

One word of caution if you go the Profile Manager route, as I learned this past week!


If you enroll your 800+ devices and have any payloads you will lose them all if you turn off the toggle for Open Directory (OD) BEFORE you turn off the Profile Manager toggle. Meaning your enrollment for all 800 computers will be broken and payloads will be deleted! At least in 10.10 Server Apple displays a warning if the toggle in OD is turned off that you will lose all configs. You don't see that warning in 10.9 Server. No way to get that back at that point even if you have a backup as the enrollments are broken at the device level.


That's really poorly written code. No way should that do that. Restarting a server won't cause a break so that is fine. Apple engineering should put in a "feature" that if you or someone else who is managing accidentally turns off OD it should check first if Profile Manager is on, then turn that off and then turn off OD. Or something like that. Or better yet never break the enrollment just due to turning off OD.


TM
