Using Apple's Profile Manager for Mobile Device Management Overview & Best Practices

How does a school manage a few hundred iOS devices for only a few hundred dollars? During the MacIT Conference, Derick Okihara demonstrated the pros and cons of using Apple's Profile Manager from his experience managing the Mid-Pacific Institute school. You can download the presentation slides here.


Why Use Apple's Profile Manager
  1. It's dirt cheap. Profile Manager is included in Lion Server, which is $50-$80 flat, in contrast to other MDM providers that charge an annual fee.
  2. It does MOST of what you want in an MDM solution.
  3. It's a First Party solution. You can call Apple for support.
Why NOT Use Apple's Profile Manager
  1. Large installs of devices - thousands of devices will require a more robust MDM solution.
  2. A required MDM element isn't available - see below and the complete comparison of MDM solutions.
How does Apple’s Profile Manager Measure Up?
  • App installs - You can push free Apps (getting conflicting reports on this) or in-house developed Apps to users. You can NOT push paid or volume purchased Apps to users.
  • Policy setting - Yes.
  • Security - Restrictions, VPN profiles, remote wipes.
  • Asset Tracking - Lion server will track the device.
  • Remote Control - Nope.
  • Backup - Nope. The only Apple way of doing backup is through iTunes right now.
  • Firmware / OS updates Control - Nope.
What Do You Need to Run Apple's Profile Manager?
  • Lion Server running on a Mac with Core 2 Duo or later, 2GB+ of RAM. A Mac mini for less than 1,000 devices is a very affordable solution.
  • Internet connection with certain ports open. You may need to troubleshoot push notifications.
  • Working DNS - Not just an IP address.
  • Open Directory Master - Server that holds user accounts.
  • Certificates - You'll need the following certificates: SSL/TLS Certificate (purchased from a registrar; StartCom offers the only free certificate for iOS devices), Apple Push Notification Service Certificate (free from Apple with an Apple ID), Code Signing Certificate (you can use the Lion server, but a best practice is to purchase one from one of these authorities for around $300).
Lion Server Profile Manager Setup Tips and Best Practices
  • Change your Administrator account name to something besides the default of "diradmin" because someone could guess it.
  • Don't use a comma in your organization name; it'll cause the install to fail.
  • Don't use your personal Apple ID because your certificate will be tied to it. Create a new one for the institution. If the person whose Apple ID it is leaves, you won't be able to manage it anymore.
  • If you disable the App Store, your users won't be able to sync Apps via iTunes either.
  • If you use content restrictions, all Apps that allow web browsing are rated 17+.
  • You can run Profile Manager on an iPad because it's a web app.
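
The two restriction side effects noted above (disabling the App Store also blocks iTunes app sync, and a content rating limit hides every app that allows web browsing) can be checked in an exported profile before it is pushed. The following is an added example, not code from the presentation: it assumes an unsigned .mobileconfig export and the `allowAppInstallation` and `ratingApps` keys of Apple's Restrictions payload (`com.apple.applicationaccess`), and the sample profile and its identifier are constructed.

```python
import plistlib

# Constructed sample profile (not from the talk): a Restrictions payload
# that disables the App Store and caps app ratings at 12+.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>edu.example.school.restrictions</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowAppInstallation</key><false/>
    <key>ratingApps</key><integer>300</integer>
  </dict></array>
</dict></plist>"""

RATING_17_PLUS = 600  # ratingApps scale: 1000 = all apps, 600 = 17+, 300 = 12+


def audit_profile(raw: bytes) -> list[str]:
    """Return warnings for side effects of the Restrictions payload."""
    if raw[:1] == b"\x30":
        # 0x30 is a DER SEQUENCE: a signed profile is CMS-wrapped, not a bare plist.
        raise ValueError("signed (CMS) profile; audit the unsigned export instead")
    profile = plistlib.loads(raw)
    warnings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue  # only the Restrictions payload is audited here
        if payload.get("allowAppInstallation", True) is False:
            warnings.append("App Store disabled: users also cannot sync apps via iTunes")
        rating = payload.get("ratingApps", 1000)
        if rating < RATING_17_PLUS:
            warnings.append(
                f"ratingApps={rating}: apps that allow web browsing (rated 17+) are blocked"
            )
    return warnings


if __name__ == "__main__":
    for warning in audit_profile(SAMPLE_PROFILE):
        print("WARN:", warning)
```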

Share your ideas

bluicedragos's picture


Joined: Apr 11, 2012

confused about app push


I am seriously confused about app push with Lion Server Profile Manager. When you watch this video,
you see the Pages app, which is a paid application, in the app list in the video. I would greatly appreciate it if someone answered the questions below:
1) Is it possible to push paid apps through Lion Server's Profile Manager?
2) Is it possible to push free and in-house apps?
3) Is it possible to push in-house apps' updates?

Mehmet Akif Acar
MDM Admin and iOS Developer

