Apple Server and Configurator 2 pitfalls
MDM solutions for Apple products are simply a pain in the ass. After setting up two servers over the last month I decided to share the pitfalls I have encountered.
The goal is that you might recognize one of these as you inevitably encounter frustration working with these products.
We will start with the Apple Server program.
Pitfall 1 — SSL Cert
On the Apple Server program you will need some sort of SSL encryption or nothing will work. Apple helps you out a little and provisions the Apple Server program out of the box with a self signed certificate. This will work but you will have to deal with annoyance as most browsers will complain.
The solution is to have a real SSL cert for the domain you will eventually be serving profile manager under. Of course you have to pay for this and setting up the public and private keys to become an .pfx file is worthy of its own article.
If you are have to purchase an SSL cert I recommend springing for the wildcard such as *.<mydomain>.com so that you can reuse elsewhere or move your profile manger service to different subdomains.
Pitfall 2 — Static IP and Router mapping
Apple should simply turn the Apple Server product into a docker image in my opinion. Until then let’s hope you are a router expert or you read this. Your computer running the server behind your router should be wired in over ethernet and you should use the router software to fix the ip address of your server.
Finally, once you have a fixed ip you need to map the ports perfectly according to this documentation
Pitfall 3 — Server host name mapping
Once you have your SSL Cert, fixed IP, and ports mapped hopefully you find your routers external facing IP. Once you have that you can make an ‘A’ record on your DNS Service under the domain or sub domain of your choice. Just make sure you have the correct SSL cert installed back from pitfall 1.
After (and only after) you have everything mapped correctly can you use the host name tool on the Apple Server program.
The pitfall here is that you will most likely be using the WIFI served by the router your Apple Server is behind. If you try and enroll a device locally and visit your nice new domain or subdomain things will go haywire. Something with routing on the local network that I don’t understand. All I know is that the Apple Server product has a tool to fix this and it only works if you made it past the first two pitfalls.
On the Apple Server product click the server then click the “Edit Host Name…” button. Select the bottom option
Go through the motions. Now you can successfully enroll a device on your local network with out barfing up error codes and Objective C code snippets.
Moving on to Apple Configurator 2. It is possible to do a touchless enrollment and supervision using this program.
Pitfall 4 — WIFI Payload
When enrolling a device using Apple Configurator you need to provide a WIFI profile so that the device can reach out over the internet during different stages. This will go horribly wrong if you did not pay attention to the first three pitfalls and you are enrolling on the WIFI served by the router the server is mapped to. It will only go wrong if you are on a different WIFI.
Fear not. Follow these guidelines.
- Make the name of the WIFI payload short and with no spaces
- Only add one WIFI to the profile
If you don’t do this the WIFI will not work and you will not have any idea why.
Pitfall 5 — Organization Import
Generating a valid Organization file that can be imported into any Apple Configurator 2 is hard and probably deserves its own Article. The real pitfall here is not knowing where the documentation is.
The documentation for this process only lives in the “Help” documents that ship with Apple Server.
To find the relevant section open up Apple Server and click Profile Manager. Then click the “Configure…” button below the Apple Business Manager section.
You will get this dialogue.
Click the “?” in the bottom left and follow the detailed instructions to export a .organization file. Then you have to import it into Apple Configurator by navigating to Preferences -> Organizations -> and then find the “Import Organization…” action on the Settings symbol.
Pitfall 6 — Server URL
Finally. You need to stay in Preferences in Apple Configurator and click on the Server option.
Replace the “Local” piece with your actual domain. Name the server anything you want. The pitfall here is actually handled… gracefully? The rest of the path that autofills in is not correct. Lucky some smart dev wrote code to change it for you when you hit next. If you inspect the Server after creation you will notice that the path changed
FROM: devicemanagement/mdm/dep_mdm_enroll
TO: devicemanagement/api/device/dep_mdm_enroll
I still don’t know where the official documentation on this is or if you would actually be able to input something else.
Conclusion
As an actual Apple developer I found the experience of setting this up humbling and very bad for my imposter syndrome. Regardless, once set up you have a reliable and cheep way to do MDM. Other services like JAMF coast 5$ a device for supervised mode and come with their own problems.
Good luck and please add, comment, or ridicule anything I said in the comments.
