Apple Server and Configurator 2 pitfalls


MDM solutions for Apple products are simply a pain in the ass. After setting up two servers over the last month I decided to share the pitfalls I have encountered.

The goal is that you might recognize one of these as you inevitably encounter frustration working with these products.

We will start with the Apple Server program.

On the Apple Server program you will need some sort of SSL encryption or nothing will work. Apple helps you out a little and provisions the Apple Server program out of the box with a self-signed certificate. This will work, but most browsers will complain about it, which is an annoyance you will have to deal with.

The solution is to have a real SSL cert for the domain you will eventually be serving Profile Manager under. Of course you have to pay for this, and turning the public and private keys into a .pfx file is worthy of its own article.

If you have to purchase an SSL cert I recommend springing for a wildcard such as *.<mydomain>.com so that you can reuse it elsewhere or move your Profile Manager service to a different subdomain.

Apple should simply turn the Apple Server product into a docker image in my opinion. Until then let’s hope you are a router expert or you read this. Your computer running the server behind your router should be wired in over ethernet, and you should use the router software to fix the IP address of your server.

Finally, once you have a fixed IP you need to map the ports exactly according to this documentation.

Once you have your SSL cert, fixed IP, and ports mapped, find your router’s external-facing IP. Once you have that you can make an ‘A’ record on your DNS service under the domain or subdomain of your choice. Just make sure you have the correct SSL cert installed from pitfall 1.

After (and only after) you have everything mapped correctly can you use the host name tool on the Apple Server program.
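A preflight check for the steps above, written as an added example (it is not from the original post and not an Apple tool): it asks the resolver what the ‘A’ record for your Profile Manager host points at, compares that with the external IP you expect, and probes the mapped ports on that address. Run it from outside your own network, because from the LAN behind the router the result is misleading (that is the next pitfall). The hostname, expected IP and port list are assumptions you supply; the port list must come from the Apple documentation the post refers to.

```python
"""Preflight check for a self-hosted Profile Manager host (added example, not part of the post)."""
import socket
from dataclasses import dataclass, field


@dataclass
class HostCheck:
    hostname: str
    expected_ip: str
    resolved_ips: list = field(default_factory=list)
    open_ports: list = field(default_factory=list)
    closed_ports: list = field(default_factory=list)

    @property
    def dns_ok(self) -> bool:
        # The A record must resolve to the router's external-facing IP.
        return self.expected_ip in self.resolved_ips

    @property
    def ok(self) -> bool:
        return self.dns_ok and not self.closed_ports


def resolve_a_records(hostname: str) -> list:
    """Return the IPv4 addresses the local resolver returns for hostname (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_open(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname: str, expected_ip: str, ports: list, timeout: float = 2.0) -> HostCheck:
    """Resolve the host, then probe each mapped port on the expected external IP."""
    result = HostCheck(hostname, expected_ip)
    result.resolved_ips = resolve_a_records(hostname)
    for port in ports:
        bucket = result.open_ports if port_open(expected_ip, port, timeout) else result.closed_ports
        bucket.append(port)
    return result


def report(check: HostCheck) -> list:
    """Human-readable findings, one per line."""
    lines = []
    if check.dns_ok:
        lines.append(f"DNS ok: {check.hostname} -> {check.expected_ip}")
    else:
        lines.append(f"DNS mismatch: {check.hostname} resolves to {check.resolved_ips or 'nothing'}, "
                     f"expected {check.expected_ip}")
    for port in check.open_ports:
        lines.append(f"port {port}/tcp reachable")
    for port in check.closed_ports:
        lines.append(f"port {port}/tcp NOT reachable: check the router's port mapping")
    return lines


if __name__ == "__main__":
    # Placeholder values; replace with your domain, your external IP and Apple's documented port list.
    result = preflight("mdm.example.com", "203.0.113.10", [443, 1640])
    print("\n".join(report(result)))
```

Every port in `closed_ports` is a mapping you still have to fix before the host name tool in the next step will do you any good; a DNS mismatch means the ‘A’ record is pointing somewhere other than the router.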

The pitfall here is that you will most likely be using the WIFI served by the router your Apple Server is behind. If you try and enroll a device locally and visit your nice new domain or subdomain things will go haywire. Something with routing on the local network that I don’t understand. All I know is that the Apple Server product has a tool to fix this and it only works if you made it past the first two pitfalls.

On the Apple Server product click the server, then click the “Edit Host Name…” button. Select the bottom option.


Go through the motions. Now you can successfully enroll a device on your local network without it barfing up error codes and Objective-C code snippets.

Moving on to Apple Configurator 2. It is possible to do a touchless enrollment and supervision using this program.

When enrolling a device using Apple Configurator you need to provide a WIFI profile so that the device can reach out over the internet during the different stages. This will go horribly wrong if you did not pay attention to the first three pitfalls and you are enrolling on the WIFI served by the router the server is mapped to. It will only go wrong if you are on a different WIFI.

Fear not. Follow these guidelines.

  1. Make the name of the WIFI payload short and with no spaces
  2. Only add one WIFI to the profile

If you don’t do this the WIFI will not work and you will not have any idea why.
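The two guidelines above can be checked before you hand the profile to Apple Configurator. The following is an added example, not code from the post or from Apple: it builds a minimal configuration profile with one Wi-Fi payload using the standard payload keys (`com.apple.wifi.managed`, `SSID_STR`, `EncryptionType`, `Password`) and then lints any profile for exactly one Wi-Fi payload whose display name has no spaces. The post does not say how short is short, so the 32-character limit is an assumption; the SSIDs and passwords are constructed sample values.

```python
"""Build and lint the Wi-Fi payload of a configuration profile (added example, not from the post)."""
import plistlib
import uuid

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"


def wifi_payload(name: str, ssid: str, password: str) -> dict:
    """One WPA2 Wi-Fi payload; `name` is the PayloadDisplayName the post says to keep short."""
    return {
        "PayloadType": WIFI_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.wifi.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": password,
    }


def build_profile(profile_name: str, payloads: list) -> bytes:
    """Wrap payloads in a top-level Configuration profile and return .mobileconfig bytes (XML plist)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.enrollment-wifi",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": profile_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def lint_wifi_profile(data: bytes, max_name_len: int = 32) -> list:
    """Return a list of problems against the post's two rules; empty means the profile passes."""
    profile = plistlib.loads(data)
    wifi = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == WIFI_PAYLOAD_TYPE]
    problems = []
    if not wifi:
        problems.append("no Wi-Fi payload: the device cannot reach the internet during enrollment")
    if len(wifi) > 1:
        problems.append(f"{len(wifi)} Wi-Fi payloads: only add one Wi-Fi network to the profile")
    for payload in wifi:
        name = payload.get("PayloadDisplayName", "")
        if not name:
            problems.append("Wi-Fi payload has no display name")
        elif " " in name:
            problems.append(f"Wi-Fi payload name {name!r} contains a space")
        if len(name) > max_name_len:  # assumed limit; the post only says "short"
            problems.append(f"Wi-Fi payload name {name!r} is longer than {max_name_len} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample: one short, space-free payload, as the post recommends.
    good = build_profile("Enrollment", [wifi_payload("mdmwifi", "CorpNet", "sample-passphrase")])
    print(lint_wifi_profile(good))
```

Feed it the `.mobileconfig` you are about to import (`lint_wifi_profile(open(path, "rb").read())`); a non-empty list is the warning you would otherwise not get from Configurator when the WIFI silently fails.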

Generating a valid Organization file that can be imported into any Apple Configurator 2 is hard and probably deserves its own article. The real pitfall here is not knowing where the documentation is.

The documentation for this process only lives in the “Help” documents that ship with Apple Server.

To find the relevant section open up Apple Server and click Profile Manager. Then click the “Configure…” button below the Apple Business Manager section.

You will get this dialogue.


Click the “?” in the bottom left and follow the detailed instructions to export a .organization file. Then you have to import it into Apple Configurator by navigating to Preferences -> Organizations -> and then find the “Import Organization…” action on the Settings symbol.

Finally, you need to stay in Preferences in Apple Configurator and click on the Server option.


Replace the “Local” piece with your actual domain. Name the server anything you want. The pitfall here is actually handled… gracefully? The rest of the path that autofills is not correct. Luckily some smart dev wrote code to change it for you when you hit Next. If you inspect the server after creation you will notice that the path changed:

FROM: devicemanagement/mdm/dep_mdm_enroll

TO: devicemanagement/api/device/dep_mdm_enroll

I still don’t know where the official documentation on this is or if you would actually be able to input something else.

As an actual Apple developer I found the experience of setting this up humbling and very bad for my imposter syndrome. Regardless, once set up you have a reliable and cheap way to do MDM. Other services like JAMF cost $5 a device for supervised mode and come with their own problems.

Good luck and please add, comment, or ridicule anything I said in the comments.

Written by

I contribute to the start-up grind in Seattle as an iOS Engineer. I also used to fly airplanes.
