Preference Management with Profiles links

Here are links to some of the tools and resources I mention today in my MacSysAdmin 2015 presentation, Preference Management with Profiles:

mcxToProfile: https://github.com/timsutton/mcxToProfile

make-profile-pkg: https://github.com/timsutton/make-profile-pkg

Profile Manager (Server 4): https://help.apple.com/serverapp/mac/4.0/index.html?localePath=en.lproj#apd0E2214C6-50F0-48C9-A482-74CEA1D77A9F

Profile Manager (Server 5): https://help.apple.com/serverapp/mac/5.0/index.html?localePath=en.lproj#apd0E2214C6-50F0-48C9-A482-74CEA1D77A9F

Configuration Profile reference: https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html


3 thoughts on “Preference Management with Profiles links”

  1. Hi Greg! Thanks again for a great presentation at MacSysAdmin.

    In cooking up some profiles to experiment with I came up with something interesting that I’d like to ask about. TL;DR — Is there a better tool to manually create .mobileconfig files for Macs than firing up Profile Manager? Bonus question would be I’d like to make sure I can sign them before distribution, if possible. A red ‘Unverified’ is better than a red ‘Unsigned’ at this point…

    Background: I’m currently running Bushel (www.bushel.com) as an MDM, but its password policy is a bit too bare-bones, as you might guess. Basically ‘passcode=yes’ with (currently) no settings for complexity, ageing or reuse. I have set up Profile Manager in El Cap server, and downloaded Apple Configurator 2.

    What I need: a password policy that restricts iCloud passwords from being used, defines minimum length, is alphanumeric and age set in X number of days, and disallows the previous 3 passwords from being reused. Kind of basic.

    What I did: Set up Profile Manager and Open Directory (so I could sign the profiles… seems like OD is needed for that) and created a manually downloadable profile for password policies with the granular settings as outlined above. I also created a separate iCloud restriction profile that prevents users from using the iCloud passwords for their workstations. I signed the password policy but didn’t sign the iCloud restriction, as I wanted to edit out all the junk settings you pointed out in your presentation and as far as I know, signing prevents editing. I opened the iCloud restriction profile in TextWrangler (after using plutil to convert it to binary and back to xml, again as you suggested) and removed all the stuff not related to the payload I wanted. Then opened in Apple Configurator 2 to sign it. I was able to sign the custom profile and install on my test machine.

    What I’m curious about: Profile Manager has great settings for Macs (as well as iOS devices, but I’m just doing Macs for this exercise) but its restrictions config does add a crap-ton of stuff that’s not needed in the payload. If I want custom-made config profiles without all that, are my only options PM, then command line conversion, then text editing the xml, then adding to Configurator for the signing? Seems like someone could make a Configuration Profile Cooker-Upper, that Allows Signing with Certificates and has a restrictions reference…

    Thanks again for a great presentation!

  2. Signing: you can sign profiles at the command line; no need for a trip through Configurator 2.
    https://osxdominion.wordpress.com/2015/04/21/signing-mobileconfig-profiles-with-keychain-certificates/
    I didn’t cover this in the presentation because it’s a bit complex and would have taken too much time. (and is not _necessary_ for internal use of config profiles)

    As for “someone” making a nice GUI tool to replace Profile Manager as a GUI config profile generator — Server.app costs $20. Hard to think of someone willing to write and maintain something that will replace it at that price point. But if you are looking for a project you can contribute to the Mac community, you may have found one…

    1. Thanks, Greg. Good points about PM being an inexpensive way to grind out config profiles and about the (un)necessity of signing for internal config files. Mayhap I got too focused on that. Didn’t know about the command line signing, so I’ll look at that if it becomes a thing. Cheers.
