Is Golden or Magic Triangle Still Used

Hey All,


First, a little background. I am the primary Mac support for my organization. We are a large company with around 35,000 to 40,000 Windows 7 and Windows 10 computers. We have a large and mature AD environment running on Server 2008 R2 (as far as I know; could be 2012 also). We have between 300 and 400 Mac computers spread across the enterprise.


I have worked with Macs and have about 10 years of experience supporting end users and their Mac computers, so I know my way around OS X and Terminal/Bash fairly well. When I got to my company there were 300 Macs with absolutely no management at all. The build process was broken, certificate chains were all in the wrong places, etc. I have repaired the build processes and gotten all needed software working on the Macs, so the user environment is stable. Now on to my question.


I have set up a test OS X Server on a spare Mac mini in our test lab. I chose OS X Server because, even though we have between 300 and 400 Macs, we have a $0 budget to manage them, so things like Casper, Centrify, AirWatch, etc. are out. What I need to be able to do is enroll the Macs, have them join AD and install 2 certificates (got that working as a device profile via a Device Group). Then I want to take one of our AD groups and get it to pull the user certificates and lock the Macs down depending on what group the user is in.


The issue is that although the device settings push fine, the user settings are not pushing at all. When a domain user logs in they are authenticated against AD without issue, but OS X Server never pushes a profile. I have scoured all the logs and it's just not triggering anything, even though the device shows as being managed and linked to the user in question in OS X Profile Manager.


In looking into this I saw something called the golden triangle. Is this used anymore? I was concerned that it had gone out of style since Profile Manager was introduced. Can anyone provide guidance on this and on what might be causing the managed device not to even try to reach out for a user profile on logon?


Thanks,

Ed

OS X El Capitan (10.11.6)

Posted on Sep 15, 2016 3:32 PM

5 replies

Sep 15, 2016 4:41 PM in response to Ludeth

AFAIK, Magic Triangle setups still work but Profiles are 'the future' and provide most of what's needed for many people.


For a happy life, don't fight with Profile Manager. Some bits of it work great first time; use them. Other things you'd think ought to work don't; file a bug report and devise a workaround.


I had a similar sort of problem to yours. My solution was to use PM to install a login script. With one of these you're back in the driving seat again. Such a script runs with admin privileges and gives you environment variables containing the user and group of the person who just logged in. Keep such scripts simple so they execute quickly: there is some time limit (a few seconds, IIRC) after which they get killed. If you have complicated requirements, get the script to start an autolaunch process.


C.
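
The login-script approach in the reply above, worked through as an added example. This is not code from the thread, from Apple or from Profile Manager itself; the group names mac-locked-down and mac-admins, the paths under /var/db and /usr/local, and the convention that the login name arrives in $1 (falling back to $USER) are all assumptions made for illustration. It shows the two things the reply stresses: a fast path that returns within the kill deadline, and a detached slow path for anything that may block. Because the script runs as root, it also validates the login name before using it in a path and refuses to execute a per-tier hook that is writable by anyone other than the invoking user.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: a login-time policy
# script of the kind a PM-installed login script would be. Assumptions (all
# hypothetical): it runs as root with the login name in $1 (or $USER), the AD
# groups mac-locked-down and mac-admins exist, and the paths below are where
# per-user state and per-tier hook scripts live.

LOGIN_POLICY_LOG="${LOGIN_POLICY_LOG:-/var/log/login-policy.log}"
LOGIN_POLICY_DIR="${LOGIN_POLICY_DIR:-/var/db/login-policy}"
LOGIN_POLICY_HOOKS="${LOGIN_POLICY_HOOKS:-/usr/local/login-policy/hooks}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >>"$LOGIN_POLICY_LOG" 2>/dev/null || :
}

# The script runs as root, so never splice an unvalidated login name into a
# path or command line. Allow only the characters a directory account uses
# and reject names starting with a dot (".." would escape the state dir).
valid_username() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# On a Mac bound to AD, id -Gn resolves the user's AD groups through the
# directory search path; it behaves the same on any other Unix host.
user_groups() { id -Gn "$1" 2>/dev/null; }

# Map a space-separated group list to a policy tier. The most restrictive
# match wins, so a user who is in both groups gets the locked-down tier.
select_policy() {
    gl=" $1 "
    case "$gl" in
        *" mac-locked-down "*) echo restricted ;;
        *" mac-admins "*)      echo admin ;;
        *)                     echo standard ;;
    esac
}

# Fast path: record the tier where other tooling (a LaunchAgent, a script in
# the user session) can read it. This must finish well inside the few
# seconds the login script is allowed before it is killed.
apply_policy() {   # $1 user, $2 tier
    mkdir -p "$LOGIN_POLICY_DIR" && printf '%s\n' "$2" >"$LOGIN_POLICY_DIR/$1.policy"
}

# Run a per-tier hook only if it is owned by the invoking user (root at
# login) and not group/world writable; otherwise a writable hook directory
# would let any local user run code as root at the next login.
run_hook() {   # $1 hook path, $2 user, $3 tier; returns 1 if missing or unsafe
    hook=$1; u=$2; t=$3
    [ -f "$hook" ] || return 1
    set -- $(ls -ld "$hook")          # $1 = mode string, $3 = owner
    case "$1" in -????-??-?*) ;; *) return 1 ;; esac
    [ "$3" = "$(id -un)" ] || return 1
    sh "$hook" "$u" "$t"
}

# Slow path: anything that may block (network, certificate enrolment) goes
# here, detached from the login script so the deadline does not apply.
deferred_tasks() {   # $1 user, $2 tier
    log "deferred tasks start user=$1 tier=$2"
    if run_hook "$LOGIN_POLICY_HOOKS/$2.sh" "$1" "$2"; then
        log "hook $2.sh finished for $1"
    else
        log "no usable hook for tier $2"
    fi
}

main() {
    user="${1:-${USER:-}}"
    if ! valid_username "$user"; then
        log "rejected login name '$user'"
        return 1
    fi
    tier=$(select_policy "$(user_groups "$user")")
    apply_policy "$user" "$tier"
    log "user=$user tier=$tier"
    # Detach the slow work so the login script itself returns immediately.
    ( deferred_tasks "$user" "$tier" ) >/dev/null 2>&1 </dev/null &
}

# Run only when invoked with a login name (a login hook passes it as $1).
if [ -n "${1:-}" ]; then main "$1"; fi
```

The hooks directory is the part to get right operationally: it should be root-owned and mode 755 or tighter, and each hook 700, or the ownership/permission check in run_hook will (correctly) skip it. On a bound Mac you can confirm what select_policy will see for a given account with `id -Gn <user>` before deploying the script.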

Sep 16, 2016 1:11 PM in response to Ludeth

Your AD infrastructure may even have older variants of Windows Server still working. Strange as it may seem, I would not be surprised if there was still the odd NT server in there somewhere. I too support a smallish Mac estate in a very large and mature AD environment. Although policies from on high may mean how you approach managing your Mac estate is different to mine, it's possible I've been down the same route and therefore my experience may help.


My approach depended on whether the users were static or roaming. They were all static, with some being local admins. Local admin users are omitted from my solution/support as there's no chance of managing them. For the others I modified the user template so that they all get some management from the outset when they create their account on first login. Additional scripts were also applied that enhance and 'control' their experience in some way. It's worked like this for 3 years and continues to do so. I had to take this approach as pushing profiles would not have worked: the network is heavily policed and access to APNS is restricted.


Historically the Magic or Golden Triangle described a Mac client at the apex with AD and OD at the other two corners: authentication, identification, authorisation and user homes from AD, and policies from OD. With PM and APNS I suppose you could still see this as a triangle of some sort. IMO it never seemed like a triangle to me, as this 'classic' view of using it had many variations and in many cases was not used.


You still have to bind workstations to AD, but you don't need to (never had to, really) do the same with Server. You could simply enroll via whatever deployment solution you use; even ARD will do the job. In this scenario you manage at workstation/device level, which is probably the 'best' way, or the way Apple prefers/recommends. In my experience it does seem more reliable.


With roaming profiles and free access to APNS, PM does work well at AD group level. Incidentally, Workgroup Manager still works, albeit after a fashion. You were never able to apply policies at AD user level with WGM, and with PM it continues to be the same in my experience. With WGM, expect random crashes and oddities if you plan on using it. One caveat: don't overlap policies between PM and WGM. For example, don't have some of the Finder policies in PM and others in WGM; stick with one or the other. Don't have PM and WGM open at the same time, and always, always quit WGM when you're done.


Perhaps there'll be others with a different experience who may post?


My 2p

Sep 16, 2016 1:14 PM in response to Antonio Rocco

Hey Antonio,


I think my big thing is that I really need to get user profiles via AD groups working. Everything else seems fine. I cannot use just a device profile because I need to pull a user certificate from AD, and if I use the device profile to try, it uses the machine name and thus the request is rejected. If I use a user profile, however, I think it should work. At least it works with a manual profile install, so I want to get it going with an automated push. Right now I can push and edit device profiles all day long, but no luck with either single-user or group-user pushes. Nothing happens: no error, nothing. Thoughts?


Thanks,

Ed

Sep 18, 2016 3:03 PM in response to Ludeth

Hi Ed. Difficult to advise further without being there. But - if I've understood correctly - this support article may help?


OS X Server: Installing profiles that require user interaction - Apple Support


Are your users roaming or static? If they're static, install the user-specific certificate post-deployment, either with whatever you're using for deployment or with ARD. Should work? If they're roaming then I think you may be looking at an impossible task. The management settings profiles are applied for users as they log into whichever workstation they decide to use. The profile stays with the workstation; if that user moves to another workstation the same thing has to happen again. It makes more sense to install a certificate based on machine authentication, which is the norm in all of the AD environments I've worked in. Is there no way this can change? Quick questions, and only if you think it's OK to answer them: what is the certificate for? What does it do exactly, and why does it have to be a user certificate?


Tony

Sep 19, 2016 7:04 AM in response to Ludeth

I am sure some would disagree, but it seems the majority would say that you should use Mac solutions to manage Macs and Windows solutions to manage Windows. This does not mean you cannot have some integration between the two.


Moving on…


The following strongly implies you can link Apple's Profile Manager to Active Directory to authenticate users. See OS X Server: Using the Profile Manager or Wiki service with Active Directory or third-party LDAP services - Apple Suppor…


I would suggest that you need the Profile Manager server set up as the Profile Manager server, which, whether you like it or not, means you get a local Open Directory server as well. You should then bind the Profile Manager server to the Active Directory network just like a normal Mac. Then you might need to use Directory Utility to adjust the search order so that Active Directory gets priority over the local Open Directory system.


The following is old but may help. See http://krypted.com/mac-security/integrating-mac-os-x-lion-servers-profile-manager-with-active-directory/ ; again, this implies that what you want to do should be possible.


Note: Apple do not support Workgroup Manager any more, but it is possible to still use it even in El Capitan. Its installer will not run, but you can either copy an already-installed copy of Workgroup Manager 9 from an older Mac or use Pacifist.


There are also Mobile Device Management (MDM) solutions available to run on Windows systems, and these can manage iOS devices just like Apple's Profile Manager. Some of them can similarly manage Macs but not all.


You could consider using JAMF Casper Suite instead of Profile Manager, but it will cost a lot more. It does not require a Mac server.
