OS X Server Lion Profile Manager

Working on one of the projects that I am on, we have an iOS app that needed to be distributed via enterprise distribution. Finding information about this was very difficult, though, as Apple doesn’t have any information on the enterprise accounts without signing up first.

It is also hard to get any information on how to distribute these apps effectively across multiple devices while allowing app updates as well.

There is good news though. You don’t have to pay for an MDM (mobile device management) server, unlike what Apple requests. If you buy OS X Lion Server in the App Store, there is an MDM server built into it. The cost is $49.99.

So here is what the software looks like.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/server_lion.png

Honestly if you ask me OS X Lion Server is a waste of $50 if you do not need this MDM server. Everything it includes is either built into the OS or is already available free on the web. Apple just rolled it into one application.

So what is the MDM server?

The MDM server is also known as the Profile Manager. It is a Ruby application for managing iOS devices. If you have bought the application, it can be found in /usr/share/devicemgr/. It has two parts: backend/ and frontend/. backend/ is the Ruby application, whereas frontend/ is just a static HTML/JavaScript page that calls the backend code to pull data.

I will go more in depth into these later. For now let’s see what it actually looks like. After browsing to your Mac’s address via HTTPS on a URL like “https://localmacaddr/profilemanager” you will be redirected to a login screen. This login is the same as the login for Users under the OS X Lion Server software.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/Mgink.png

As you can see, Apple didn’t leave out their eye candy designs in this application. One of the things you will learn about Apple from this is that appearance is everything. Usability is second place. A good example of this is that you can only upload iOS applications with Safari.

Once you are authenticated, there really aren’t many options in the Profile Manager, although you don’t really need many. In the left-hand menu you see Devices, Device Groups, Users, Groups, Active Tasks, and Completed Tasks.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/device_list.png

Devices are the Apple hardware connected to your MDM service. As you can see in the picture above the current type of devices we have are the iPod/iPhones and iPads. There is also support for OS X computers as well. The devices are shown with their name given to them by iTunes along with the user that they were enrolled under. For example Volunteer Enrollment is the user that enrolled Guru’s iPad.

By having a device enrolled in your Profile Manager you can set up passcodes on the device, network information, VPN information, manage certificates, and restrict what the device can use, such as the camera, app purchasing, applications like Safari, media ratings, and many more options. This is mostly for iPhone/iPad/iPod restrictions. There are different restrictions for OS X.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/app_restrictions.png

You can also get basic information about the device such as the installed apps (with their versions), Device UDIDs, serial numbers, MAC addresses, total space available, space remaining, battery life, and software version.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/device_info.png

There are also features which allow you to remote wipe an app, clear the passcode, and lock the device.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/device_options.png

Locking the device is basically the same as pressing the lock button on the top. If you have a passcode set, locking the device requires you to re-enter the passcode.

Clear passcode removes the passcode that prevents the device from being unlocked.

Wiping the device takes the device back to its out-of-the-box state.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/device_groups.png

The Profile Manager also allows you to set up device groups, which let you push the same settings, restrictions, and apps to multiple devices at once instead of to each individual device. In the picture above you can see we have 3 groups for our alpha, beta, and production versions of the app.

There is also the same functionality for devices that a specific user enrolled. You can also set up user groups to allow for devices enrolled by multiple users.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/user_enrollment.png

These users and user groups are the same as the ones managed by OS X Server Lion.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/os_x_lion_users.png

If you go to a device, device group, user, or user group page, at the bottom you see a cog for options. The bottom option says “edit apps”.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/options.png

This is where probably the most useful feature of this app takes place in terms of enterprise development.

If you click on edit apps you see a dialog pop down which shows a list of apps uploaded to the profile manager.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/apps.png

As you can see, we have two apps in our MDM server. The apps are distinguished by their bundle identifier. They also have a version.

You can upload apps which just asks you to select the .ipa file from your computer.

If you upload an app that has the same bundle identifier it will only overwrite the existing app if its version is higher than the one in the profile manager. Otherwise it will ignore the upload. You cannot have any spaces in the name of the .ipa that is uploaded to the server.

Clicking remove will instantly delete the app and the app’s data from the device/device group/user’s devices/user group’s devices.

If you click add it will add the app to the device/device group/user’s devices/user group’s devices. Note: when an app is added or updated, the device prompts its user to confirm whether they wish to install it. Unlike removal, installation doesn’t happen automatically.

Lastly, probably the most major downside is that this MDM application doesn’t allow you to update one specific device with a specific version. If you update the app, it updates all the devices that use that app, not just the specific device you are viewing. Apps are unique only by their bundle identifier, not by their version as well.

That being said, this application is just a simple Ruby application. If you wish to change something about it you can easily do so. By default the application can be found in /usr/share/devicemgr/.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/mdm_app.png

There are two main sections of the app: the backend and the frontend. The backend is the Rails application, whereas the frontend is a JavaScript/HTML interface that queries the backend for information.

The application is served via Apache and uses a Postgres database.

http://www.gurutechnologies.net/uploads/martyj/profile_manager/httpconf.png

If any web routes match {HOST}/profilemanager by default the frontend code is used.

If any web routes match {HOST}/devicemanagement/ the backend is used.

The backend can be reached at URLs of the form {HOST}/devicemanagement/api/{controller}/{action}

There is an Apache rewrite rule that rewrites {HOST}/mydevices to {HOST}/devicemanagement/api/device/start_ota
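The routes above are enough to audit, from the Apache access log, which clients reach which part of Profile Manager. The following is an added example, not code from Profile Manager or from the original post: it classifies logged requests by component and counts enrollment starts per client, treating /mydevices and the start_ota API URL as the same endpoint. The log lines, the access-log layout, and the examplectl/exampleact names are constructed placeholders.

```ruby
# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = <<~LOG
  10.0.0.21 - - [12/Mar/2012:09:14:02 -0600] "GET /profilemanager/ HTTP/1.1" 200 5120
  10.0.0.21 - - [12/Mar/2012:09:14:05 -0600] "POST /devicemanagement/api/examplectl/exampleact HTTP/1.1" 200 812
  10.0.0.34 - - [12/Mar/2012:09:20:11 -0600] "GET /mydevices HTTP/1.1" 200 2210
  203.0.113.9 - - [12/Mar/2012:10:02:40 -0600] "GET /devicemanagement/api/device/start_ota?x=1 HTTP/1.1" 200 2210
  203.0.113.9 - - [12/Mar/2012:10:02:41 -0600] "GET /favicon.ico HTTP/1.1" 404 209
LOG

# client address, then the request path inside the quoted request line
REQUEST_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3}/

# Map a request path to the component that serves it.
# Returns [component, endpoint]; endpoint is "controller/action" for API calls.
def classify(path)
  path = path.split('?', 2).first.to_s   # ignore the query string
  case path
  when %r{\A/mydevices/?\z}
    # Apache rewrites this to the backend's device/start_ota action
    [:backend_api, 'device/start_ota']
  when %r{\A/devicemanagement/api/([^/]+)/([^/]+)/?\z}
    [:backend_api, "#{$1}/#{$2}"]
  when %r{\A/devicemanagement(?:/|\z)}
    [:backend, nil]
  when %r{\A/profilemanager(?:/|\z)}
    [:frontend, nil]
  else
    [:other, nil]
  end
end

# Count requests per client, keyed by API endpoint or by component name.
def summarize(log)
  report = Hash.new { |h, ip| h[ip] = Hash.new(0) }
  log.each_line do |line|
    m = REQUEST_RE.match(line)
    next unless m                         # skip lines that are not requests
    ip, path = m.captures
    component, endpoint = classify(path)
    report[ip][endpoint || component.to_s] += 1
  end
  report
end

# Clients that started an over-the-air enrollment, by either URL.
def enrollment_starts(report)
  report.select { |_ip, hits| hits['device/start_ota'] > 0 }
        .transform_values { |hits| hits['device/start_ota'] }
end

puts enrollment_starts(summarize(SAMPLE_LOG)).inspect
```

Because the short /mydevices URL and the full API URL reach the same action, a filter that watches only one of them misses enrollment starts made through the other.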

If you wish to make any database changes, you can connect to the Postgres database from the command line with this command:

sudo -u _devicemgr psql device_management

If you know Ruby on Rails and PSQL changing the profile manager should be easy.


6 Responses to OS X Server Lion Profile Manager

  1. click says:

    Just to let you know your website appears a little bit different in Firefox on my pc using Linux .

  2. Show says:

    Any chance that you might be able to implement actual Bluetooth HID (so it emulates a real Bluetooth keyboard & mouse) anytime soon? I bought it this afternoon thinking it could do HID, and planned to use my (Android) phone as a fake Bluetooth keyboard+mouse for my (Android) tablet. Unfortunately I just realized a little while ago that it apparently can’t do that (it’s really not obvious from the description in Android Market that the Bluetooth version still needs a server app running at the other end). If you can make this successfully emulate a real Bluetooth keyboard & mouse, you’ll have the ultimate killer app for anybody who owns a tablet and an Android phone, and could easily charge $5-10 for it (at least, until someone else wrote a similar program). One idea: in the free version, add a menu item that brings up 3 buttons: one that sends a string like Bluetooth Test as though it were typed on the keyboard, one that acts like a phantom mouse pointer wiggling back and forth until it gets pressed again, and one that acts like a phantom scroll wheel rolling back and forth. That way, somebody who’s not sure whether the Bluetooth version can do what he wants can verify first that it actually works without risking that they’ll be able to crack it and make it work for free (the real code wouldn’t be compiled into the free version at all, just the code to send a string and/or wiggle the mouse/wheel to prove it works).

  3. I personally was basically searching for recommendations for my web site and uncovered your
    blog, “OS X Server Lion Profile Manger | Guru Technologies”,
    do you really care in the event that I actually apply some of ur concepts?
    Appreciate it ,Donald

  4. Vik says:

    Thanks! I have downloaded the lion server app instead on my mac. I have the same backend and frontend files but I have a server.app , so I can run profile manager. Do you know any way I can debug through the code ? I am not able to make much of the ROR scripts
