JSS API information: add and scope new mobiledeviceconfigurationprofiles

pzingg
New Contributor

I wanted to provision a unique email configuration profile ("Exchange ActiveSync") for each of 200 iPads, so they all get distinct email addresses in my Gmail domain at configuration time. Using the JSS API seems like a nice way to automate this, creating the .mobileconfig profiles uploading them to the JSS server and scoping them to individual iPads.

It took me two hours to get past the cryptic explanation for the apiExplorer information for the mobiledeviceconfiguration POST API. If you have tried this technique, maybe this discussion can help you get past 400 Bad Request errors. Here's what the documentation says:

"Note that payloads must be specified as xml. You can use Apple's iPhone Configuration Utility to create a .mobileconfig file that can be listed, in its entirety, as the value of the payloads element."

I finally got things to work like this:

  1. Export the .mobileconfig file from IPCU (or make one yourself--it's a plist file).

  2. Wrap it inside an XML document with a <configuration_profile> root, that contains a <general> element, inside of which are a <name> and a <payloads> element:

<?xml version="1.0" encoding="UTF-8"?>
<configuration_profile>
<general>
<name>New Profile Name</name>
<payloads>
&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;
&lt;plist version="1.0"&gt;
&lt;dict&gt; &lt;key&gt;PayloadContent&lt;/key&gt; &lt;array&gt; &lt;dict&gt; &lt;key&gt;EmailAddress&lt;/key&gt;
... rest of escaped .mobileconfig file goes here ...
</payloads>
</general>
</configuration_profile>

  1. POST it using curl or another method: curl -k -v -u username:password -T "test.xml" -X POST https://myjss:8443/JSSResource/mobiledeviceconfigurationprofiles/name/New+Profile+Name

Finally got a 201 Created response after lots of failed experiments. Now I will have to see about adding the <mobile_device> information in the <scope> section to scope the profile to a specific device.

5 REPLIES 5

pzingg
New Contributor

I got scoping to a single device by name to work just by including it in the <configuration_profile> XML document. Replace "ipad-name" below with the name of the device in the JSS database--hopefully you have unique names for all your ipads!). Otherwise obtain the device's <id> from a JSS GET query and use it. Now to script up 330 configuration profiles and scope them!

<?xml version="1.0" encoding="UTF-8"?>
<configuration_profile>
<general>
... see original post -- profile name and .mobileconfig contents go here ...
</general>
<scope> <all_mobile_devices>false</all_mobile_devices> <mobile_device_groups> <size>0</size> </mobile_device_groups> <mobile_devices> <size>1</size> <mobile_device> <name>ipad-name</name> </mobile_device> </mobile_devices> <departments> <size>0</size> </departments> <buildings> <size>0</size> </buildings> <limit_to_users> <user_groups> <size>0</size> </user_groups> </limit_to_users> <network_limitations> <any_ip_address>true</any_ip_address> <network_segments> <size>0</size> </network_segments> </network_limitations>
</scope>
</configuration_profile>

bbergstein
New Contributor III

Do you have the email addresses assigned in the devices' inventory in the JSS? If so, you can create one configuration profile in the JSS using the variables $USERNAME, $EMAIL, etc to assign the email and username to the device. You would have to specify the password on the device, unless its the same for every account.

pzingg
New Contributor

I guess I can assign the email addresses using the API first, then apply the generic profile with the $ macros. Thanks for the tip. I was able to mass assign departments and buildings to the devices using the API, so I suppose email address is another field I can update using the API.

Frustrated because I was sure I had the profile updating working through the API two days ago; now I'm getting "500 Internal Server Error - String index out of range: -1". Something I'm trying to do is bollocksing up the Java code in JSS.

I will try your technique of one email profile with $USERNAME and $EMAIL fields. I think I tried something like this before and it didn't take--I had to enter the username and password manually on each iPad...

drenwick
New Contributor

Guys - thanks for sharing this information. Great post.

I was able to use the information in here to create a scope that assigned my profile to a known Static Group - here..

<scope> <all_mobile_devices>false</all_mobile_devices> <mobile_device_groups> <size>1</size> <mobile_device_group> <name>Known-Static-Group</name> </mobile_device_group> </mobile_device_groups> <mobile_devices> <size>0</size> </mobile_devices> <departments> <size>0</size> </departments> <buildings> <size>0</size> </buildings> <limit_to_users> <user_groups> <size>0</size> </user_groups> </limit_to_users> <network_limitations> <any_ip_address>true</any_ip_address> <network_segments> <size>0</size> </network_segments> </network_limitations>
</scope>

However, it occurred to me that I might want to assign directly to an individual device using just the device ID. Is that possible? I can't find any documentation on the scope XML? Wondering if that instead of <name>xxx</name>
I can use;
<id>xx</id>

Any clues?

Thanks again.

dave

drenwick
New Contributor

Was able to test this myself this morning.
<id>xx</id> works just fine