Applies to: Centrify DirectControl 5.2.0 and higher on Mac OS X 10.7 and higher.
Some configuration profiles (mobileconfig files) can be exported from the iPhone Configuration Utility or Profile Manager in OS X Server and used on OS X systems. These are very useful for deploying settings which are not yet available via GP, such as some wireless and VPN configurations.
Can these mobileconfig profiles be deployed using Centrify group policies?
- Profile Manager:
- iPhone Configuration Utility:
(All external links are provided as a courtesy)
For Centrify User Suite 2014.1 (Mac agent version 5.2.0) and higher:
Deployment of Apple mobileconfig files is now natively supported via the following group policies:
- Computer Configuration / Centrify Settings / Mac OS X Settings / Custom Settings / "Install MobileConfig Profiles"
- User Configuration / Centrify Settings / Mac OS X Settings / Custom Settings / "Install MobileConfig Profiles"
- The Computer Configuration GP will install profiles at the Device Level and is supported for OS X 10.7 and higher.
- The User Configuration GP will install profiles at the User Level and is supported for OS X 10.9 and higher.
- Make sure to check the Explain tabs in both GPs for correct usage and deployment.
For systems with Mac agent versions lower than 5.2.0:
For systems that have not yet been updated to 5.2.0, it may be possible to install the profiles via a login script using the steps below:
- The following scripting hints are provided as a proof-of-concept ONLY.
- Centrify Support does not cover custom-scripting - please contact Centrify Professional Services for further assistance with any scripting.
Example steps for configuring and deploying Wi-Fi mobileconfig settings via GP:
- Using the iPhone Configuration Utility, create a new Configuration Profile and enter the wireless settings under the section:
Configuration Profiles > Wi-Fi
- In the General section, enter a unique identifier name in the "Identifier" box and make a note of this for later:
Configuration Profile > General
- Export the profile settings and when asked, select "None" for the Security option.
- Download the attached login script and open it with a UNIX-capable text editor.
(Notepad++ is recommended on Windows systems, do not use notepad.exe)
- Find and edit the following lines to match the exported mobileconfig file:
- (The identifier name from Step 2.)
- (The filename of the exported mobileconfig file)
- Copy the mobileconfig profile to the AD server in the folder:
\\<domain>\SYSVOL\<domain>\
- Copy the install_mobile_config.sh script to the folder:
\\<domain>\SYSVOL\<domain>\scripts\
- Set up the "Copy file" GP at:
Computer Configuration / Centrify Settings / Common UNIX Settings / "Copy files"
- In the GP, click Add, then Browse and select the mobileconfig file.
- Destination: /var/db/ConfigurationProfiles/
- Do not copy as binary file
- Set up the Login Script GP at:
User Configuration / Centrify Settings / Mac OS X Settings / Scripts / "Specify login script"
- Enter the filename of the script only: install_mobile_config.sh
- Run with root user privileges: Enabled
- To allow the GP to take effect immediately, go to the Mac as the AD user, open Terminal and run the command:
- The wireless profile should take effect immediately and, if within range, the Mac will connect automatically.
- The attached example script will install the mobileconfig as a 'Device Profile'.
- To install the mobileconfig as a 'User Profile', open the script and change the instructions starting with:
sudo /usr/bin/profiles ...
(There are three instances).
- Once the sudo commands have been edited, place the script in the "Specify multiple login scripts" GP instead of the "Specify login script" GP.
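
A profile exported with the Security option set to "None" is an unsigned XML plist, so any Wi-Fi passphrase in it is stored in clear text in the file that is copied to SYSVOL and to /var/db/ConfigurationProfiles/. The following check is an added example, not part of the attached Centrify script: it confirms that the exported file carries the identifier noted in the General section and lists the payload keys that hold a clear-text secret. The function names, the identifier com.example.wifi.corp and the sample profile are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Payload keys that carry a secret in clear text when the profile is not
# encrypted: "Password" (Wi-Fi payload) and "SharedSecret" (VPN IPSec dict).
SECRET_KEYS = {"Password", "SharedSecret"}

def _find_secrets(node, payload_type, out):
    """Walk nested payload dicts/lists and record (PayloadType, key) hits."""
    if isinstance(node, dict):
        payload_type = node.get("PayloadType", payload_type)
        for key, value in node.items():
            if key in SECRET_KEYS:
                out.append((payload_type, key))
            else:
                _find_secrets(value, payload_type, out)
    elif isinstance(node, list):
        for item in node:
            _find_secrets(item, payload_type, out)

def audit_mobileconfig(data, expected_identifier):
    """Check exported profile bytes before copying them to SYSVOL."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError):
        # Not a bare plist, e.g. a signed profile in a CMS (DER) envelope.
        return {"plain_plist": False, "encrypted": None,
                "identifier_ok": None, "cleartext_secrets": []}
    secrets = []
    _find_secrets(profile.get("PayloadContent", []), None, secrets)
    return {
        "plain_plist": True,
        "encrypted": "EncryptedPayloadContent" in profile,
        "identifier_ok": profile.get("PayloadIdentifier") == expected_identifier,
        "cleartext_secrets": secrets,
    }

# Constructed sample: a Wi-Fi profile as exported with Security set to "None".
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi.corp",
    "PayloadContent": [{
        "PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi.corp.wifi1",
        "SSID_STR": "ExampleCorp", "EncryptionType": "WPA",
        "Password": "constructed-passphrase",
    }],
})

if __name__ == "__main__":
    print(audit_mobileconfig(SAMPLE, "com.example.wifi.corp"))
```

To check a real export, pass the file's bytes (read in binary mode) and the identifier entered in the "Identifier" box.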