To use Profile Manager as a mobile device management (MDM) service, your Mac with OS X Server should have a static Internet address and a fully qualified domain name, and it can’t be on a closed network. Apple devices communicate with the server over the network to obtain configuration profiles.
After a device is enrolled with the service, it’s called a “managed device,” and you can update its configuration and query its status using Profile Manager. Additionally, you can lock and wipe devices. You can also clear the passcode on iOS devices if the owner has forgotten it.
Follow the steps below to enable device management.
Open the Server app, click Profile Manager, then click the Configure button next to Device Management.
A setup assistant appears. You may be notified that a network directory, called “Open Directory,” will be enabled. Users and groups can be created in either the local directory or the newly created network directory. Both of these directories reside on the server, and the decision about where to create users and groups depends on how they’ll be managed outside of Profile Manager.
Select your SSL certificate for communicating between Profile Manager and users’ devices.
A default certificate may appear, based on the name of your server. If you already configured your server with another certificate, you can select it now. If you have not configured your server with a certificate and all of the intermediates necessary to establish its trust, you must select the default certificate to continue.
Obtain an Apple Push Notification service certificate.
Enter an Apple ID to automatically download and install the certificates that permit Profile Manager to use Apple Push Notification service. This is how your server notifies devices to contact the Profile Manager service for configuration information. These certificates will appear in the system keychain on the server.
Note: Review the Certificates section of this page if you plan to use trusted certificates.
Click Done.
You can now do one of several tasks:
Associate devices with your MDM service to begin managing them.
Associate users with devices for increased management capabilities.
Assign and push apps and books to users and groups.
Push profiles you create to users and devices.
Direct users to download profiles you create with the user portal. The URL is similar to https://server.example.com/mydevices/.
Certificates
Devices must be able to establish a trusted, secure connection to the Profile Manager service. If your server’s SSL certificate isn’t issued by a trusted CA known to devices, those devices must install the necessary root certificate to verify your server’s certificate. They do so by downloading the trust profile from the user portal.
Profile Manager can sign configuration profiles so devices can verify that the profiles haven’t been modified prior to installation on the device. This requires a code-signing certificate, which Profile Manager can generate for you.
Alternatively, you can use a signing certificate with an established chain of trust. In the Profile Manager pane of the Server app, enable profile signing and select your installed code-signing certificate from the system keychain. Tell your users to download the trust profile from the user portal to install the intermediate certificates that verify signed profiles.