Overview of Lion Server’s Profile Manager
Profile Manager is one of the most useful new features introduced with Lion Server. It’s an automated way to configure account settings on Macs running Lion, as well as iPad, iPhone, and iPod touch devices.
Profile Manager sets up the client devices for services running on Lion Server, adding configuration information about e-mail and virtual private networks (VPN), as well as other services, including non-Apple technologies, such as Microsoft Exchange Server. You can create profiles for all users, as well as for specific users, for groups, or for certain devices.
Lion Server provides three places where this happens:
The Server app, where you turn on Profile Manager service. The Server app automatically pulls together basic user configuration information for client access to the services.
The Profile Manager web app, where you edit the default configuration profile and create others for specific users, groups, or devices. The Profile Manager web app also pushes settings and enrollment invitations to users. The web interface is automatically created by Lion Server’s web and wiki services.
The My Devices user web portal, a unique web interface for each user with accounts in the shared directory. Users do two things with the web portal:
Download settings profiles to their Lion Macs and iOS devices.
Enroll devices in the Profile Manager service. Once devices are enrolled, configurations and changes to configuration will be automatically pushed to the devices. Users get another benefit as well: From the web portal, a user can remotely lock or even wipe the data from a lost Mac, iPhone, iPad, or iPod touch.
There are a few prerequisites. You need to have users’ accounts in a shared directory, such as Open Directory, and you need web and wiki services turned on. It’s also best to have services configured before running Profile Manager so that it can gather the data from the services.
A configuration profile is a small XML file that Profile Manager sends to Lion clients and iOS devices. When a Lion client or an iPad, iPhone, or iPod touch receives a configuration profile, software on the device recognizes the configuration profile file and imports the settings. There are dozens of settings that a configuration profile can create in a client device. Here are a few:
Basic account info in a directory service (Open Directory, Active Directory, or LDAP)
E-mail, calendar, contacts, and chat. The profile installs user addresses, passwords, and server info, such as POP and SMTP servers.
Microsoft Exchange Server settings for connecting to Windows servers
VPN and network settings
Printing preferences and restrictions
Enforcement of password policies, which you can set in the Server app
Restrictions, such as preventing Mac and iOS applications from launching, blocking users from making changes to System Preferences, blocking Macs from accessing external storage devices or optical discs, preventing iOS users from watching YouTube, parental controls, and much more
Certificates (a configuration profile can install security certificates in a device)
Custom preferences for other applications
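
Because a configuration profile is an XML property list, you can inspect one before it is installed on a device. The following is an added example, not part of the original article or of Profile Manager itself: it parses a profile and flags payloads that change what the device trusts or who manages it. The sample profile and its com.example names are constructed for illustration, and the set of payload types treated as high impact is this example's own choice.

```python
import plistlib

# Constructed sample profile (not from a real deployment); all names are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadDisplayName</key><string>Example Settings</string>
  <key>PayloadContent</key><array>
    <dict><key>PayloadType</key><string>com.apple.mail.managed</string>
          <key>PayloadDisplayName</key><string>Mail</string></dict>
    <dict><key>PayloadType</key><string>com.apple.vpn.managed</string>
          <key>PayloadDisplayName</key><string>VPN</string></dict>
    <dict><key>PayloadType</key><string>com.apple.security.root</string>
          <key>PayloadDisplayName</key><string>Example CA</string></dict>
  </array>
</dict></plist>"""

# Payload types that change what the device trusts or who manages it
# (a selection made for this example, not an exhaustive list).
HIGH_IMPACT = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.mdm": "enrolls the device in remote management",
}

def audit_profile(data: bytes) -> dict:
    """Parse a configuration profile and summarise its payloads."""
    if not data.lstrip().startswith(b"<?xml"):
        # Signed profiles are wrapped in a CMS envelope and must be unwrapped first.
        raise ValueError("not a plain XML profile")
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not 'Configuration'")
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "<missing>") for p in payloads]
    findings = [f"{p.get('PayloadDisplayName', '?')}: {HIGH_IMPACT[t]}"
                for p, t in zip(payloads, types) if t in HIGH_IMPACT]
    return {"identifier": profile.get("PayloadIdentifier"),
            "types": types, "findings": findings}

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE)
    print(report["identifier"], report["types"])
    for line in report["findings"]:
        print("REVIEW:", line)
```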