On the cusp of releasing 3000-ish MacBooks to our students for the 2012-13 school year, and just discovered a major bug with 10.7.4 mobile users with Managed client settings via the "golden triangle".
I was going to wait till next year to implement Profiles, but now I'm frantically trying to figure them out as an alternative to OD MCX settings... however, I'm finding several things frustrating about trying to understand how these things work. Hoping I can find help with some questions here.
Without further rambling, here are my questions:
1) With MCX I can nest settings in multiple inherited workgroups - i.e., I have a workgroup for base MCX settings that all users receive - this group contains both Staff and Student groups which inherit the base settings, and custom settings. The student group then nests down to a series of student Dock settings groups (labs have different settings than 1 to 1 laptops for example), and then school specific settings (some custom things for printers and whatnot). Can I do this kind of nesting with Profiles?
2) With MCX I manage a mix of Once, Often and Always settings. I.e., for student Safari, for example, I always restrict Private browsing due to a mandate from higher up, but I also set the default home page, downloads folders, etc. Once. I know by default profiles are Always, but from dabbling with Tim Sutton's mcxtoprofile tool I see that you can set the whole thing as Once, Often or Always. Does anyone know if you can have mixed sets? Another example is our student dock, which we add apps to Always (but allow the user to add extra apps), but set default hide, magnify etc. settings Once that users can change.
3) The real core question for me - distribution and troubleshooting. With MCX I know pretty well how it gets deployed and can troubleshoot. This is especially important with updates to settings - i.e., during testing when I'm tweaking settings, or if something needs to be changed. With MCX a logoff / logon, or a custom script I wrote using the mcxrefresh tool would allow me to update settings on the fly. In my testing with Casper though, once I push a profile, I'm seeing very intermittent results if I make a tweak to the profile.
4) Application of restrictions - when do restricted settings actually get applied? For example, if I push App limits, I see the Profile appear on my test client computer, but I can still run all apps... at least till a logout or something. Any way to script this? Or refresh MCX from profiles?
I'm looking for any kind of documentation on the processes behind Profiles, but to be honest I'm finding it kind of scarce. Especially with Apple's push servers involved it's all kind of a black box, and I just don't trust that when I update a Profile, that my 3-5000 computers will actually GET the updates. Doesn't exactly instill confidence.
Anyone know the answers to my questions above? Or have a link to some detailed documentation on Profiles so I can dig in?
Thanks in advance for any help offered.
Jeff