Help! Profile Manager Skullduggery!

[panjandrum]

TLDR; Does anyone know where Profiles pushed by Profile Manager (or other MDMs one would imagine) are stored locally on client macs? I would like to try manually copying a profile from one mac to another mac as a temporary solution because PM has decided to begin un-enrolling devices; I have permanently taken it off-line, and won't be coming back!

Longer: So Monday, in the middle of Covid-19 school-at-home initiatives, our Profile Manager decided to go out and begin de-configuring devices. I'm not kidding. Not a thing done or changed on our end; one day the PM is working as it should, the next day every device that successfully connects to it magically becomes nigh-unto useless. Nothing out of date - I had checked all our certificate expirations, push certificates, etc as soon as the stay-at-home order came down just to be sure everything was in good shape. Luckily I caught it very quickly and shut the machine permanently down before it could destroy every single piece of equipment as it came online, so we still have many configured devices; more than enough to hand out through the rest of the school-year to those families in need, and we are already slated to move to JAMF or Meraki or something else this summer (was supposed to happen last summer since Apple's "server" software has deteriorated into nothing but complete s h i t e, but then other things took precedence). The last time this happened it turned out to be a corrupt profile being pushed to iPads. This time it was wholesale slaughter, and any device we had used Apple's Profile Manager to push out configuration profiles to was seeing those profiles deleted, settings reverting to defaults, apps removed in the case of iPads, etc. Lovely! Looking very, very briefly at the PM webadmin completed tasks it appears as if the PM was unenrolling devices and attempting to re-enroll them, completely unbidden by me, and failing to re-enroll. Lovely! And, frankly, zero surprise to me. I expect nothing better out of Apple anymore.

At this point I can either manually clone in-full a still functional machine using CCC as an emergency measure if I really need to, but it would be nice to be able to just send someone a copy of the appropriate profile and have them manually install it if it someone opens laptop and finds it suddenly un-configured. So if anyone knows where those profiles live, I'll give manually copying one a try. I realize I could save those directly from Profile Manager itself, but I can't possibly risk bringing it back online even for a few minutes, and I'm fairly sure the way Server resolves the Profile Manager webadmin, if I disconnect completely from the internet I will be unable to access the interface. I seem to remember trying various localhost methods of access that webadmin interface in the past with zero luck.

 

[minik]

They should be living in the /var/db/ConfigurationProfiles/ directory. You may take a look of the profiles man page in Terminal.

 

[hobowankenobi]

All I can say is...get an MDM you can trust.

Profile Manager is not one of them...for an environment where you can't lay hands on every device (like a school lab).

I have used Munki, Jamf, and Meraki, but there are tons of others. Fleetsmith, AirWatch, FileWave, Hexnode, etc.

 

[minik]

I agree even Apple doesn't recommend Profile Manger for anything bigger than 20 devices or so. It's just like a 'template' for third parties MDM. I know it's bundled with the Server app and free.

 

[panjandrum]

Yeah, I know. It was very much planned for last summer, but then physical changes to the building required my hours elsewhere - I'm responsible for 100% of tech work for the school (it's a 1-building K-8 non-profit), so the summer went to VESA mounting TVs, routing cables, you name it and Profile Manager was actually doing an OK job. Not great, but OK, so migrating had to be put off.

Any advice as to which MDM to look for? Ultimately I would love one that's as "Mac Like" as possible, although I realize that's a term that doesn't mean very much anymore. But a good UI goes a long way towards usability. I've already investigated Jamf and Meraki to some extent, but both look like they may be major overkill for what we need. On the other hand, one thing we really do need, is the ability to push settings that Apple's Profile Manager can't easily do or do at all (create accounts with specific preferences, such as default search engines, bookmarks, complete control over every System Preferences settings etc.) I'm looking at Twocanoes MDS software for a totally new deployment this summer, possibly, as it looks like that may be a solution that will do what I want prior to binding to whatever MDM we choose. Still, wouldn't be bad to find an MDM that could simply push all that stuff itself, rather than having to rely on a multi-step process.

 

[hobowankenobi]

Jamf is great, but not cheap, if you factor in the cost to get Jamf certified (which, last I heard, was required.)

Munki is free, and you can run it on just about any hardware, or a VM. More setup time, and perhaps not the most "Mac-like" to get setup. You can keep it pretty simple though, to just push out Profiles, apps, and updates.

Meraki used to give up to 100 devices for free, not sure what they offer these days. Pretty slick web interface. Again, you don't have to use every feature, so you can ignore what is not required, or roll out as needed, with very little to configure.

It has been over a decade since I have seen FileWave. They have been around about as long as Jamf, might be worth checking out. Used to be very Mac-like".

Oh, and you might like Profile Creator. Pretty slick, hope it sticks around and development continues.

 

[chrfr]

Jamf is great, but not cheap, if you factor in the cost to get Jamf certified (which, last I heard, was required.)

Munki is free, and you can run it hust abour any hardware, or even a VM. More setup time, and perhaps not the most "Mac-like" to get setup. You can keep it pretty simple though, to just push out Profiles, apps, and updates.

Meraki used to give up to 100 devices for free, not sure what they offer these days. Pretty slick web interface. Again, you don't have to use every feature, so you can ingnore what is not requried, or roll out as needed, with very little to configure.

It has been over a decade since I have seen FileWave. They have been around about as long as Jamf, might be worth checking out. Used to be very Mac-like".

Oh, and you might like Profile Creator. Pretty slick, hope it sticks around and development continues.

Munki, while exceedingly useful, is not an MDM. Having an MDM is critical for management of modern Mac systems.

 

[hobowankenobi]

Munki, while exceedingly useful, is not an MDM. Having an MDM is critical for management of modern Mac systems.

Fair enough. But some feature/function overlap.

Anybody use MicroMDM, Mosyle Manager, or SimpleMDM?

 

[DJLC]

Anybody use MicroMDM, Mosyle Manager, or SimpleMDM?

Any advice as to which MDM to look for?

Vote for Mosyle Manager here. I used it in my previous life as an IT director for a K-8 charter school. Awesome MDM platform, awesome support, and awesome feature set. They have a free tier (one OS only) and a very reasonable fee structure. Its integration with Apple School Manager is slick and easy to use. AND it gives teachers some management power over the devices in their classrooms.

We started with the free tier for iOS only and very quickly upgraded to a paid plan to manage our Macs, iPads, and Apple TVs. Perhaps the coolest thing it can do is leverage Google Suite as the directory for macOS user authentication. Thanks to Mosyle, I was well on the way to dumping AD entirely before I moved on to a new job.

 

[hobowankenobi]

Vote for Mosyle Manager here. I used it in my previous life as an IT director for a K-8 charter school. Awesome MDM platform, awesome support, and awesome feature set. They have a free tier (one OS only) and a very reasonable fee structure. Its integration with Apple School Manager is slick and easy to use. AND it gives teachers some management power over the devices in their classrooms.

We started with the free tier for iOS only and very quickly upgraded to a paid plan to manage our Macs, iPads, and Apple TVs. Perhaps the coolest thing it can do is leverage Google Suite as the directory for macOS user authentication. Thanks to Mosyle, I was well on the way to dumping AD entirely before I moved on to a new job.

Thanks for the input. Sounds pretty great, especially using Google directory.

------

For anybody else that has AD running...and no plans to retire it...NoMAD and NoMAD Login are great free tools (there is a more advanced paid version called Jamf Connect) that lets you use AD to authenticate users on Macs, without having to bind. A few handy features in the menu bar icon too. While Jamf bought the company, they committed to keeping the basic tools free and open source.

 

[panjandrum]

Thanks again for the tips and recommendations. We are in the process of moving to Mosyle and so far I'm very happy with the feature set. Overall the webadmin and feature set looks quite good, although I have to admit that the organizational structure is sooooooo far removed from Apple's Profile Manager that there will be a fair learning curve when it comes to what should be the relatively simple task of "how do I construct my cascading groups of iPads properly" and that kind of thing.

For an update on what borked our Profile Manager in the first few weeks of the COVID school closings; when on the phone with Apple support migrating our old VPP account to ASM in preparation I mentioned the issue and the rep knew exactly what had happened: at that time Apple pushed out a new restriction to Profile Manager that caused all self-signed security certificates (note, this was a fully support feature prior to this) to stop working. So basically the kind of semi-routine de-enroll and re-enroll process that Profile Manager would do (I don't know why) automatically would only succeed in de-enrolling. When trying to re-enroll it would encounter the self-signed security certificates and fail to re-enroll the clients. And Apple employees who implemented this didn't think to themselves "gosh golly gee whiz, maybe we shouldn't randomly disable this critical currently supported feature this right now, when people might be relying on our software." I can't tell you how much better the process has been working with Mosyle so far than *anything* has been with Apple over the past 5 years or so.

Will be deploying iPads using Apple Configurator 2 as usual, and Macs using Twocanoes MDS software, so I'll try and remember to stop back and report on how that entire process has gone. (We don't use ASM/DEP to enroll/deploy our equipment as only about half of it even qualifies under Apple's guidelines, and I would rather use a single consistent process for equipment that two different process).

Oh, and due to Covid I get to build my very first actual wireless bridge soon, to a public building across the street, this is something I'm really looking forward to.

 

[chrfr]

(We don't use ASM/DEP to enroll/deploy our equipment as only about half of it even qualifies under Apple's guidelines, and I would rather use a single consistent process for equipment that two different process).

I’d reconsider this decision and use DEP where you can and phase it in on the non-DEP devices as you replace them.

 

[panjandrum]

I’d reconsider this decision and use DEP where you can and phase it in on the non-DEP devices as you replace them.

Maybe we will eventually move to DEP (or maybe we will be forced to), once all of our hardware actually qualifies for it. At this point that is years out as much of our hardware should serve our students well for many years to come. For now I would much rather have a single method to enroll iPads and a single method to enroll Macs. Unfortunately in both cases we have a lot of equipment that won't qualify for DEP according to Apple's guidelines, and that basically just ends up giving me 4 ways to roll out hardware instead of 2 ways. Our hardware fleet is so limited that it's just not worth my time trying to "streamline" anything using DEP. I could easily enroll every iPad and Mac in a single day myself if I wanted to. We also populate the school with very, very little new equipment each year. The entire advantage that DEP system offers really doesn't mean much (or anything) to me. Plus we like to micro-manage certain aspects anyway, so the reality is going to be a hands-on deployment of devices, at least until someone provides the tools to do what we really need without having to touch the machines (Learning ProfileCreator currently, very impressed. That's going to be a real time-saver this year.)

 

[TriBruin]

Maybe we will eventually move to DEP (or maybe we will be forced to), once all of our hardware actually qualifies for it. At this point that is years out as much of our hardware should serve our students well for many years to come. For now I would much rather have a single method to enroll iPads and a single method to enroll Macs. Unfortunately in both cases we have a lot of equipment that won't qualify for DEP according to Apple's guidelines, and that basically just ends up giving me 4 ways to roll out hardware instead of 2 ways. Our hardware fleet is so limited that it's just not worth my time trying to "streamline" anything using DEP. I could easily enroll every iPad and Mac myself in a single day myself if I wanted to. We also populate the school with very, very little new equipment each year. The entire advantage that DEP system really doesn't mean much to me. Plus we like to micro-manage certain aspects anyway, so the reality is going to be a hands-on deployment of devices, at least until someone provides the tools to do what we really need without having to touch the machines (Learning ProfileCreator currently, very impressed. That's going to be a real time-saver this year.)

Not sure if you are aware, but you can manually enroll any iOS device in to DEP using Apple Configurator. Apple is effecting shouting from the mountain at this point, if you don't use Automated Device Enrollment (ADE/DEP), you will not be able to fully manage your iOS devices. I think we are less than a couple years away from a binary choice, Automated Enrollment (and full management) and User Enrollment (and minimal management.) If you are enrolling your iPads using AC2, there is very little reason to not click the checkbox and get them in your ABM/ASM environment.

Ironically, with macOS, the situation is essentially reversed. Apple still does not provide any retroactive ADE enrollment. instead they are moving back a little bit and, in macOS 11.0, making user enrollment nearly equal to ADE enrollment by allowing user enrolled devices to be Supervised.

 

[panjandrum]

Not sure if you are aware, but you can manually enroll any iOS device in to DEP using Apple Configurator. Apple is effecting shouting from the mountain at this point, if you don't use Automated Device Enrollment (ADE/DEP), you will not be able to fully manage your iOS devices. I think we are less than a couple years away from a binary choice, Automated Enrollment (and full management) and User Enrollment (and minimal management.) If you are enrolling your iPads using AC2, there is very little reason to not click the checkbox and get them in your ABM/ASM environment.

Ironically, with macOS, the situation is essentially reversed. Apple still does not provide any retroactive ADE enrollment. instead they are moving back a little bit and, in macOS 11.0, making user enrollment nearly equal to ADE enrollment by allowing user enrolled devices to be Supervised.

Unfortunately, according to Apple's documentation our iPads are too old to qualify for that method (we thought about it while going through our initial on-boarding session with Mosyle). Well, except for one of them (1). Apple's docs specify the device must be on iOS 11 or newer, ours are old enough that 10.x.x is the latest version of iOS that they can run. Of course that might just be a BS limitation and maybe it would actually work, I guess I could give it a try.

 

[hobowankenobi]

Just try to remember to DEP all your new hardware purchases moving forward...

 

[Noel Rivera]

All I can say is...get an MDM you can trust.

Profile Manager is not one of them...for an environment where you can't lay hands on every device (like a school lab).

I have used Munki, Jamf, and Meraki, but there are tons of others. Fleetsmith, AirWatch, FileWave, Hexnode, etc.

 

[panjandrum]

Once again, thanks for the pointing me to these MDMs. I ended up with Mosyle for a variety of reasons and reasonably happy with it. Like anything else there are things I wish it would do better, but overall it's been solid, not overly complicated, and does what we need well. Most of my complaints are actually related to Apple not providing the underlying functionality anyway, which isn't something Mosyle can do anything about (i.e. ability to specify a fixed set of printers to iThings the same way I can to Macs - see question below).

Combined with ProfileCreator and the Mosyle ability to create and push custom .pkg files I'm also able to rely quite a bit less on ARD, which is good news since ARD continues to become less and less reliable. Pushing small packages we host on our website so they can go to remote learners, and large packages on SMB. Great stuff and world apart from the terrible Profile Manager from Apple that we struggled with for far too long.

My question: Anyone know a way to completely manage the printer list available to iOS devices? (OLD iOS devices, iOS 10.x.x) We use Printopia (nice product BTW) to manage a series of printers for a variety of purposes and to enable easy printing to PDF on network volumes. I can easily limit the student Macs to only seeing the Printopia printers I specify, but iThings automatically detect all AirPrint printers. According to Mosyle this is a function Apple does not provide, so the only thing I can do is push a setting to completely disable AirPrint (no). Any ideas?

Off Topic: Ubiquiti NanoBeam wireless bridge: Nice. Really, really nice and dirt cheap. Setup was cake and performance is excellent. On any given day we might have up to 40 pieces of equipment on the other side of this bridge (we rented space in a public building across the street for 3 additional classrooms so we could socially distance students) and there are zero performance issues. This is the first wireless bridge I've built out of hardware actually designed for the purpose. Previous bridges I've cobbled together out of regular WAPs; functional but far less than ideal.

 

[hobowankenobi]

Thanks for the update and info. Always good to hear what works...and what doesn't.

Good to hear specifics about UBNT NanoBeam. No first-hand experience with that much traffic/number of devices. Impressive.

As for printing...I don't have any quick fix. I would agree that generally, it does seem to be the route folks take: manage the printers.

Print servers seem to be the way to go, so direct access in including AirPrint is off, and devices find printers broadcast and controlled by the print server, or if needed, a print release station. PaperCut is mature, and keeps adding features to manage printer access, plus allow billing or setting limits. Here is what an iOS user would see and do to print. But that would likely be a bigger project, with a new system to learn, license and maintain.

Does Printopia Pro offer anything similar?

 

[DJLC]

My question: Anyone know a way to completely manage the printer list available to iOS devices? (OLD iOS devices, iOS 10.x.x) We use Printopia (nice product BTW) to manage a series of printers for a variety of purposes and to enable easy printing to PDF on network volumes. I can easily limit the student Macs to only seeing the Printopia printers I specify, but iThings automatically detect all AirPrint printers. According to Mosyle this is a function Apple does not provide, so the only thing I can do is push a setting to completely disable AirPrint (no). Any ideas?

Disclaimer: I got a new job, and I'm not working in a school anymore. BUT: my only thought here would involve disabling the AirPrint on everything that isn't Printopia (assuming Printopia itself doesn't rely on it). That'll help some; won't really solve it all though.

Also interesting to hear your experience with the NanoBeam. I considered that as an option at my last job, but we (thankfully) ended up with some leased 1Gbit fiber between our locations.

PaperCut is mature, and keeps adding features to manage printer access, plus allow billing or setting limits. Here is what an iOS user would see and do to print. But that would likely be a bigger project, with a new system to learn, license and maintain.

+1 to PaperCut. That's what we used and exactly what I did. Disable AirPrint on everybody, then use PaperCut and print sharing on our 2009 Xserve to advertise it out to Macs, iOS, and even Chromebooks. Everybody hated me and my PaperCut allowances, but it reduced operating costs AND made it easier to manage our printers and copiers. That said, I still had some extra duplicate devices — used to tell people "if you don't pick the printers ending in '@Xserve,' you're gonna have a bad time."

 

[panjandrum]

Thanks, I'll check out Papercut. Maybe going with two products will be the solution in the end (Printopia does everything we want - but it insists on turning every single printer it creates into an Airprint capable device, meaning any iThing on your network is going to automatically find any printer managed by Printopia).

The NanoBeam has been fine, at our range we are getting a theoretical 650Mbps performance, although real-world is of course less. Importantly it seems to have high reliability and low latency and I believe it's bridge is built with 8x MIMO device to device? (Don't quote me on that). That's more important to us than actual maximum throughput. We wanted to go with the UniFi Building to Building Bridge as that integrates better with our UniFi Controller software and has about double the performance, but they have been unavailable for months on end.

 

[hobowankenobi]

PaperCut:

Last I checked, PaperCut would let you setup and manage a limited number of printers for free...so you can test the heck out of it. If you like it, and decide to proceed, you can keep your setup and apply a license, which is nice. No need to start over.

There are 2 main vesions: NG and MG. NG is lower cost, and does not support 3D printers and multifunction copiers. We have NG at work for both lasers and shared photo ink jets.

There is a bit to wrap your head around, but once set up it is pretty slick. I have run it for years, first on an Xserve, and now on a Mini. May look at running it as a VM, as the server can be on Mac OS, Windows, or Linux.