by Strontium90 (Level 5, 4,077 points), ★Helpful, Jun 25, 2015 7:40 PM, in response to LRSFC CSD Helpdesk:
Basically, you need to sign up. Once you sign up, make sure you communicate to your Apple Education Sales rep that all new purchases are to be assigned to the DEP. Keep in mind that if you are using Mavericks or newer (officially, but I've really only had success under Yosemite) on existing machines, you may be able to backdate existing devices into the program (you may be able to go back to 2011; see Device Enrollment Program Frequently Asked Questions (FAQ) - Apple Support). This is really dependent on purchase history and the ability to track and prove ownership of the devices.
Basically, you complete enrollment to the program, download the token, add it to your MDM server, and then define the server in the Apple portal. Once defined, you can assign serial numbers to the MDM.
As for ports, the Kbase article says it all. Profile Manager is really 443. The larger challenge I've faced is environments with proxies. This prevents push notifications from working.
Congrats and embrace this with open arms. DEP is a great program for institutions.
Reid
Apple Consultants Network
Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store
by LRSFC CSD Helpdesk, Jun 26, 2015 2:43 AM, in response to Strontium90:
Thanks for that, that's quite informative.
Following on from what you've said, I've got a few more questions. You mention port 443 - so does this mean our Profile Manager server needs to be available over the internet on port 443 as well? If that's the case, presumably it will also need an externally valid SSL certificate rather than a self-signed one - does it need to be a particular type of certificate, or is it just a standard web server style SSL certificate? Also, how do we generate the CSR in order to obtain such a certificate?
With regard to OS version, we're currently on a mix of 10.8 and 10.9, but we are planning to go to 10.10 across the board this summer.
by Richard Cartledge, Jun 26, 2015 5:15 AM, in response to LRSFC CSD Helpdesk:
I gave up signing up - be prepared to spend days jumping through hoops and messing about.
by Strontium90 (Level 5, 4,077 points), ★Helpful, Jun 26, 2015 5:16 AM, in response to LRSFC CSD Helpdesk:
Regarding the port, it all depends on where the devices will go and how you want to manage them. For example, if you have a fleet of iMacs that never leave the lab, opening Profile Manager for external access is unnecessary. Likewise, if you have carts of iPads that do not leave the building, then external management is not required. However, if you are a one to one environment with mobile devices that leave the environment, then you will need to open the port to allow external access. If you do not, then you will not be able to manage the devices when they are offsite. Remember, your MDM contains the configuration payloads. When assigned to a device, Apple's push services are notified to tell the device to go get the payload. The payload does not go direct. It is a push to pull process.
Regarding certificates: I am a fan of valid 3rd party certificates. This just removes the confusion and extra steps needed to support a self-signed cert. A 3 year cert from a trusted vendor should be less than $60 a year. You can generate the CSR in three ways. You can use Server.app, Keychain Access, or the openssl command. I generally use the openssl command because it gives me direct access to both the CSR and the private key.
sudo openssl req -new -newkey rsa:2048 -nodes -keyout your.domain.key -out your.domain.csr
Upload the CSR to the certificate authority and they will create your public certificate. These can be imported into Server.app.
When using Apple's tools these pieces are buried deep in the system. And you guessed it. DNS plays an important role here. The address on the outside (WAN) and address on inside (LAN) must match. And this ties into the certificate as the cert needs to match the fully qualified host name.
Reid
Apple Consultants Network
Author "Yosemite Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store
Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store
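An added example, not code from Reid's post: a POSIX shell wrapper around the openssl command above that generates the key and CSR for a given FQDN (server.example.edu is a constructed placeholder), keeps the private key readable only by its owner, and checks that the CSR's CN matches the host name the certificate must cover. It assumes OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.

# gen_csr FQDN KEYFILE CSRFILE
# Writes an unencrypted 2048-bit RSA key and a CSR whose CN and SAN are FQDN.
gen_csr() {
    fqdn="$1"; key="$2"; csr="$3"
    # subshell so the restrictive umask only applies while the key is written
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$key" -out "$csr" \
            -subj "/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    )
}

# csr_cn CSRFILE: print the CN embedded in a CSR
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=CN=//p'
}

# csr_matches CSRFILE FQDN: succeeds only if the CN equals the expected host name
csr_matches() {
    [ "$(csr_cn "$1")" = "$2" ]
}

# key_is_private KEYFILE: succeeds only if the key is mode 600 (Linux or macOS stat)
key_is_private() {
    [ "$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")" = "600" ]
}

# demonstration with a constructed host name
tmp=$(mktemp -d)
gen_csr server.example.edu "$tmp/server.key" "$tmp/server.csr"
csr_matches "$tmp/server.csr" server.example.edu && echo "CN matches the FQDN"
key_is_private "$tmp/server.key" && echo "private key is owner-only"
```

The FQDN passed to gen_csr must be the same name the devices resolve from both the LAN and the WAN, as the post describes.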
by LRSFC CSD Helpdesk, Jun 26, 2015 5:22 AM, in response to Strontium90:
Well, it's less about machines that never leave the campus and more about machines that do leave the campus (either accidentally or deliberately) when they are not supposed to. I have been led to believe that having DEP would mean that even if such machines were formatted and reinstalled with OS X, they would automatically re-enroll themselves on our chosen MDM system (in this case Profile Manager, though we are reviewing third party alternatives for the longer term). However, to do this I am assuming that said MDM system would need to be available from the internet for this to happen - is that a safe assumption?
EDIT: also regarding the openssl command you mention, what do you do with the private key it generates? Is there somewhere in Server.app to import that as well?
by Strontium90 (Level 5, 4,077 points), Jun 26, 2015 5:21 AM, in response to Richard Cartledge:
Don't give up. Yes, it can take a week. But remember that this program is all about chain of ownership. Apple needs to make sure you and your organization are real and proper. Devices are attached to a corporate entity and making and breaking that attachment must be proper. My first customer took over 3 weeks to get approved. Now we are below a week. Education seems to be easier (as they are limited to Apple Education sales). Customers that buy direct are next easiest. Customers that buy through us (reseller) take the longest, but that is because we also need to involve distribution channels.
In the end, if you are an organization that provides institutionally owned devices to individuals as a one to one deployment model and you have an MDM to automate deployment and management, this is (in my opinion) an absolute no brainer. Sign up for the program no matter the pain and suffering. Also works with one to many.
by LRSFC CSD Helpdesk, Jun 26, 2015 5:23 AM, in response to Strontium90:
We're one to many, but we have experienced some device losses over the past few years, so anything that helps us crack down on that is something we are very interested in right now.
by Strontium90 (Level 5, 4,077 points), Jun 26, 2015 5:25 AM, in response to LRSFC CSD Helpdesk:
100% correct. Once a device is assigned to MDM, the device will seek the MDM even if a drive is replaced. The user will be forced to enroll in order to get past the setup assistant. If you are investigating alternatives, look at Bushel (pure MDM + DEP + VPP) or JAMF (everything you can imagine if you have a lot of OS X).
by LRSFC CSD Helpdesk, Jun 26, 2015 5:51 AM, in response to Strontium90:
JAMF Software is already one of the options we are investigating. Thanks for the suggestion about Bushel; however, it looks like they don't yet do educational pricing, so it might not be the right fit for us at this time.
EDIT: the other ports mentioned on the Profile Manager ports page (OS X Server: Ports used by Profile Manager - Apple Support): do they need to be open outbound only, inbound only, or both?