
panjandrum
Original poster (joined Sep 22, 2009)
Getting way better advice on this forum than from Apple, that's for sure:

TL;DR: We really need a way to begin micro-managing basic settings again across a network of Macs. Back in the day, before MDMs (such as Profile Manager) and the like, pretty much everything was easy as pie. Create an image or two and then restore that image to every system using CCC or another piece of cloning software. Every system got every setting without issue. Extremely important settings include things like "disabling" Do Not Disturb (which distracts students to no end), trackpad and mouse settings, and the Safari Home Page and Search engine. Used to be absolute cake.

More details:

Fast forward to today, and Apple (along with all the other big players in the industry) really, with a palpable desperation, wants every user to have their own device. Many important preferences are now "by host", meaning that even a full clone no longer properly retains these settings (why, Apple? Why?!!!). Also, along come tools like Profile Manager, and while they work well for large groups of devices where basic management is all that is needed, they don't allow micro-managing of every little setting like proper cloning used to do. Add to that the problem with cloning systems pre-bound to Profile Manager (where PM will incorrectly believe all systems are the same system because it is relying on something other than the serial number to differentiate bound machines (again, why, Apple? Why?!!!)).

So I'm trying to find a solution that will let us regain control; pushing ALL critical settings to all systems, preferably in a way which can be refreshed without physical access to each machine, but heck even a way to *properly* image systems again post-binding to Profile Manager (or another MDM) would work. We only have about 80 Macs to manage, I can re-image them, in-person, physically, with a bunch of USB drives, without any issue in a single weekend (I've done so many times!).

Those of you managing small networks - what are you using to manage them? Do any of the tools you use provide for true micro-level-setting management? Thanks!
 
We haven't been 1:1 MacBook for some time (we switched to iPads, and now I'm transitioning 6th-8th grades from iPad to Chromebooks), but we do still have carts of MacBooks kicking around. The way I've managed this most recently is as follows:
  1. Configure a master MacBook with all the settings that are NOT pushed out by our MDM. Sounds like you probably want to modify the default user template for some of these; hopefully you're familiar with that. Do not enroll it with MDM yet. (Mosyle Manager; check it out if you need a cloud MDM! There's a free tier that allows management of one OS -- macOS or iOS. You need Premium for both.)
  2. Make an image of it (I use DeployStudio on an Xserve running Yosemite).
  3. In DeployStudio, you can actually set an automatic post-image script to enroll the device with the MDM after cloning. This avoids identity issues in the MDM.
  4. After the post-deployment scripts run, you've got a MacBook with your non-MDM settings locked in AND your MDM profiles.
Looking forward, I'm planning to stop messing with settings that can't be managed by the MDM. With Custom Commands and Custom Profiles in Mosyle Manager, I'm usually able to control any plist-based setting even if it isn't a default option. I suspect my next imaging job will be vanilla OEM images of Mojave, and the MDM can handle the rest for me.

You might also look into Munki — I use this to push out software updates like Flash. It allows students/staff to install these approved updates on their own without admin credentials.
 
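The post-image enrollment step described above, as an added example that is not code from this thread, from DeployStudio or from any MDM vendor. It stages a first-boot LaunchDaemon on a freshly cloned volume so the Mac enrolls itself after it boots, which is what avoids every clone inheriting the same enrollment identity. Assumptions: the imaging workflow has already copied the MDM enrollment profile to /private/var/enroll/enroll.mobileconfig on the target; the label org.example.firstboot-enroll and the script path are made up; `profiles install -path` and `profiles status -type enrollment` are the 10.13.4+ syntax of Apple's `profiles` tool.

```shell
#!/bin/sh
# Added example, not code from this thread, from DeployStudio or from any MDM.
# Stages a first-boot LaunchDaemon on a freshly cloned volume so that the Mac
# enrolls itself in the MDM after it boots, instead of carrying an enrollment
# (and the identity that goes with it) inside the image.
# Assumptions: the enrollment profile is already at $PROFILE on the target;
# LABEL and SCRIPT_PATH are made up; `profiles install -path` and
# `profiles status -type enrollment` are the 10.13.4+ syntax.
# Run as root with the mounted target volume(s) as arguments.
set -eu

LABEL="org.example.firstboot-enroll"
SCRIPT_PATH="/usr/local/bin/firstboot-enroll.sh"
PROFILE="/private/var/enroll/enroll.mobileconfig"
PLIST="/Library/LaunchDaemons/$LABEL.plist"

# The script launchd runs on first boot. Unescaped $VARS are filled in now;
# \$VARS are left for the script to evaluate at boot time.
enroll_script() {
  cat <<EOF
#!/bin/sh
set -u
LOG=/var/log/firstboot-enroll.log
[ -f "$PROFILE" ] || { echo "no profile to install" >> "\$LOG"; exit 0; }
# Wait up to 5 minutes for a default route; the MDM is unreachable before then.
i=0
until netstat -rn | grep -q '^default'; do
  i=\$((i + 1))
  [ "\$i" -lt 60 ] || { echo "gave up waiting for network" >> "\$LOG"; exit 1; }
  sleep 5
done
/usr/bin/profiles install -path "$PROFILE" >> "\$LOG" 2>&1
# Clean up only once enrollment is confirmed; otherwise the daemon runs again
# on the next boot and retries.
if /usr/bin/profiles status -type enrollment | grep -q 'MDM enrollment: Yes'; then
  echo "enrolled \$(date)" >> "\$LOG"
  rm -f "$PROFILE" "$SCRIPT_PATH" "$PLIST"
  /bin/launchctl remove "$LABEL"
fi
EOF
}

# The LaunchDaemon definition: run the script once at every boot until it
# removes itself.
launchd_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>$LABEL</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>$SCRIPT_PATH</string></array>
  <key>RunAtLoad</key><true/>
  <key>StandardErrorPath</key><string>/var/log/firstboot-enroll.err</string>
</dict>
</plist>
EOF
}

# Write both files under the target volume root. launchd ignores a daemon
# plist that is not owned by root or is group/world writable, hence the
# chown/chmod (chown only when actually running as root).
stage_firstboot() {
  local vol="${1:-/}"
  mkdir -p "$vol/Library/LaunchDaemons" "$vol$(dirname "$SCRIPT_PATH")"
  launchd_plist > "$vol$PLIST"
  enroll_script > "$vol$SCRIPT_PATH"
  chmod 644 "$vol$PLIST"
  chmod 755 "$vol$SCRIPT_PATH"
  if [ "$(id -u)" -eq 0 ]; then chown 0:0 "$vol$PLIST" "$vol$SCRIPT_PATH"; fi
}

# Usage: sudo ./stage-enroll.sh "/Volumes/Macintosh HD"
for vol in "$@"; do
  stage_firstboot "$vol"
done
```

One caveat a practitioner should keep in mind: from 10.13.4 on, an MDM profile installed from the command line like this is not "User Approved", so payloads that require user-approved MDM (kernel extension policy, PPPC) will not apply; DEP/Automated Enrollment is the route that gets you that status without someone clicking through on each machine.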
If you are even considering imaging at this time, please stop considering. As far as Apple is concerned, "Imaging is Dead." You should be looking at DEP/MDM workflows exclusively at this point. (If there is any question about imaging's life, take a look at the T2-based MacBook Pros and iMac. They cannot be imaged at this point, no NetBoot at all.)

There are a number of good MDMs out there, some cheap (microMDM, SimpleMDM) and some not (AirWatch, JAMF Pro.) I used JAMF Pro, but it can get expensive. The biggest problem is that, other than JAMF Pro, most MDMs only give lip service to Mac management as compared to iOS management. If you go with another MDM, you will probably want to look at Munki to manage Applications and Packages.

With each revision, Apple is opening more and more options to profiles. But, for those settings that are not available, you can usually find the correct PLIST to modify and, with some simple bash scripting, make these setting changes as well.
 
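The "find the right plist and fix it with a bit of bash" approach from the post above, as an added example that is not code from this thread. It pushes a list of per-user settings with `defaults` to the local accounts named on the command line, so one script run from ARD or an MDM custom command replaces the settings a clone used to carry. The point it demonstrates is the "by host" problem raised earlier in the thread: ByHost domains are keyed to the hardware UUID, which is why a cloned home folder does not carry them, and they must be written with `defaults -currentHost` on the machine itself. The settings list is constructed and illustrative, the key names are the ones commonly documented for 10.13/10.14 (an assumption to check on your own build), and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from this thread. Pushes per-user preferences with
# `defaults` to the local accounts named on the command line; run it as root
# from ARD or as an MDM custom command instead of re-imaging.
# ByHost domains are keyed to the hardware UUID, which is why a plain clone
# does not carry them: they must be written with `defaults -currentHost` on
# the machine itself. The setting list is illustrative; the key names are as
# commonly documented for 10.13/10.14 (assumption: check them on your build).
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Constructed list: "scope domain key type value", one per line.
# scope "host" = ByHost domain, scope "user" = ordinary per-user domain.
SETTINGS='
host com.apple.notificationcenterui doNotDisturb -bool true
host com.apple.notificationcenterui dndStart -float 0
host com.apple.notificationcenterui dndEnd -float 1440
user com.apple.AppleMultitouchTrackpad TrackpadThreeFingerDrag -bool false
user com.apple.AppleMultitouchTrackpad TrackpadTwoFingerDoubleTapGesture -bool false
user com.apple.AppleMultitouchTrackpad TrackpadRightClick -bool true
host com.apple.driver.AppleBluetoothMultitouch.trackpad TrackpadThreeFingerDrag -bool false
user com.apple.Safari HomePage -string https://www.example.org/
'

# Run a command as the given local user, or print it when DRY_RUN=1.
run_as() {
  local user="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    printf 'sudo -u %s %s\n' "$user" "$*"
  else
    sudo -u "$user" "$@"
  fi
}

# Write one key for one user; ByHost domains need -currentHost.
write_pref() {
  local user="$1" scope="$2" domain="$3" key="$4" type="$5" value="$6"
  if [ "$scope" = "host" ]; then
    run_as "$user" defaults -currentHost write "$domain" "$key" "$type" "$value"
  else
    run_as "$user" defaults write "$domain" "$key" "$type" "$value"
  fi
}

# Apply every setting to one user, then restart that user's cfprefsd so the
# new values are read rather than the cached ones (a logged-in session may
# still need a logout before the UI picks them up).
push_to_user() {
  local user="$1"
  printf '%s\n' "$SETTINGS" | while read -r scope domain key type value; do
    [ -n "$scope" ] || continue
    write_pref "$user" "$scope" "$domain" "$key" "$type" "$value"
  done
  run_as "$user" killall cfprefsd
}

# Usage: sudo DRY_RUN=1 ./push-prefs.sh student1 student2
for u in "$@"; do
  push_to_user "$u"
done
```

Two things to verify before trusting this on a cart: the Do Not Disturb keys (dndStart/dndEnd in minutes, 0 to 1440 for all day) are the ones that worked on 10.13/10.14 and may not survive later releases, and on newer macOS versions Safari keeps its preferences inside its sandbox container, where a script without Full Disk Access cannot write them, so that particular setting is better done with a profile.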
  1. Sounds like you probably want to modify the default user template for some of these; hopefully you're familiar with that. Do not enroll it with MDM yet. (Mosyle Manager; check it out if you need a cloud MDM! There's a free tier that allows management of one OS -- macOS or iOS. You need Premium for both.)
  2. Make an image of it (I use DeployStudio on an Xserve running Yosemite).
  3. You might also look into Munki — I use this to push out software updates like Flash. It allows students/staff to install these approved updates on their own without admin credentials.
Thanks! I had not heard of Mosyle Manager yet, and have already gotten in contact with them as they seem very iOS & Mac OS focused. They claim to be able to push essentially all of the settings I need to, so I'm going to keep my fingers crossed that they know what they are talking about and give it a try later this year when I have time to really dig into it, at first trying their free tier for Mac OS only. And no, I admit that I really don't know how to modify default user templates: the last time I looked into it was about 2 years ago when a huge equipment donation meant we were finally able to move to a recent version of the Mac OS. At that time the information I could find seemed to indicate that it was unsupported by Apple and likely to cause problems, especially with SIP. Also, a number of the tools were either extremely out-of-date or no longer available. Speaking of which, I have looked at DeployStudio and it also looks really out-of-date, so I discounted it (checked again yesterday after you recommended it, and their main documentation hasn't been updated since 2012 and their Quick Start Guide is a corrupt file... so... Would love to give it a try in my spare time, but those aren't good signs!)

But you've given great advice in the past and if you know a good, currently supported tool, that has actual documentation, I would absolutely look into modifying default user templates again. I recently found this guide here: http://www.grivet-tools.com/blog/2015/customizing-default-user-template-os-x/ but was too-unsure about the whole process to try and use it, since other sources indicate it's a bad idea.

I've looked into Munki and will definitely do so again. At the time I really didn't see much advantage as I have a caching server and can just use ARD's built-in "softwareupdate -i -a" command to do updates on my schedule, instead of Apple's schedule, and thus avoid bothering staff (or students). Most other updates I can push easily just by copying the app (Firefox) or installing a package (Flash Player - UGH! Thank goodness the world is almost rid of that albatross!), and ARD, while nowhere close to as reliable as it once was, is still nominally functional enough for my continued use (for now).

I think one place I routinely run into issues getting things done the way we want to comes right back to the current "everyone needs their own device" mentality coming out of the big tech firms. This school will never, ever, work that way. It's not something we want, period, ever, full stop. We don't want staff or students to have to manage things like updates on their own, or even see notifications that such updates are available. Our students are too young (K-8) and our staff need to be focused on those aspects of teaching that really matter, not being nagged by technology that should be there to support their needs, not the other way around. It's a philosophy that Apple certainly no longer seems to understand at any level.
If you are even considering imaging at this time, please stop considering. As far as Apple is concerned, "Imaging is Dead." You should be looking at DEP/MDM workflows exclusively at this point. (If there is any question about imaging's life, take a look at the T2-based MacBook Pros and iMac. They cannot be imaged at this point, no NetBoot at all.)

There are a number of good MDMs out there, some cheap (microMDM, SimpleMDM) and some not (AirWatch, JAMF Pro.) I used JAMF Pro, but it can get expensive.

Yeah, I'm going to look at JAMF Pro also, but cost is a real concern in Education. Our current systems are not actually imaged, they are wiped and the Mac OS cleanly installed - the last time I was able to easily push all the settings we really do need pushed was back when imaging worked properly. You would have to see the students trying to use the systems to understand it, but so many settings that I absolutely *should* be able to enforce on a network-wide basis can't be, and that's a real problem. Trackpad defaults, for example, are utterly befuddling to most of our students. The younger students are always getting confused, and even by the time they get to 7th/8th grade many of them still have issues. So I really do need to turn off every dang special function with the exception of the right-click. Don't even get me started with the whole Notification Center debacle - it will sometimes even overlay "full screen" testing apps with crap like "take a tour!" while students are in the middle of incredibly important state-wide testing. Think I can push a 4:00am - 3:59am Do Not Disturb setting? Nope! (And why, why, Apple, don't you just have a system-wide function to turn the Notification Center off - it has zero use in an educational environment!) So the short of it is that I've moved away from imaging, but have yet to find any other solution that actually produces results anywhere close to as reliably and consistently as imaging used to do...
 
I work in an AASP and we've just started a managed services solution, using Jamf Pro. It's amazing versus the competition and, frankly, there's no comparison for Mac. They also bought the company behind NoMAD, which is going to be a great asset for B2B support.

Thanks again for the input. I've put it back on my list of things to consider this year. Realistically it may come down to cost. Some companies don't understand the realities of the Education environment, and some do (dnsfilter, for example, costs us only $1 per year per student/staff member. Now that's educational pricing done right!)
Somewhat off-topic Profile Manager question:

Any of you know where Profile Manager in Mac OS Server version 5.3.1 (Sierra) stores downloaded app files (i.e. those purchased through VPP?)

I just noticed that some of ours are reporting a size of "--" and will fail every time I try to push them to clients - probably the "--" indicates a size of "0" and thus corrupt files. Unfortunately, now that I think about it, I believe this probably happened a couple of weeks back and I failed to notice, but I've changed a ton of settings and bound a number of machines since that time. I don't relish the idea of a restore of any kind. I would *hope* that being able to locate those downloaded files would allow me to delete them and simply allow PM to download them again. No luck finding them on my end, however, and posts to Apple's Server Support forums have gone unanswered.
 
Good stuff all around.

To reiterate, try to do all preferences via Profiles. I still do a few manually, but we all have to move away from that.

Munki is worth the time to push out apps and updates. Very good, and good reporting. And not just software installers....anything you can build into packages can be pushed out: installers, profiles, printers, preferences, user accounts, etc. And it can uninstall stuff too...which is worth the price of admission.

If you want to run your own SUS to save time and bandwidth, JAMF has a free open source NetSUS that works great to push out Apple updates. You can even run it as a VM on a Synology NAS.

NetSUS + Munki = no more manual updates.

DockMaster is a great, easy way to build Dock profiles

NoMAD and NoMAD login let you use AD credentials, without having to bind to AD.
 
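The "do all preferences via profiles" advice above, and the "Custom Profiles" route mentioned earlier in the thread, both come down to the same payload type, so here is an added example (not code from this thread, from Profile Manager or from any MDM vendor) that builds a custom .mobileconfig which forces arbitrary plist keys through the com.apple.ManagedClient.preferences payload. "Forced" is the array that makes a key managed, so the user cannot change it; "Set-Once" would only seed a default. Assumptions: the org.example identifier prefix is made up; one call produces one payload for one preference domain; string values are XML-escaped but not otherwise validated.

```shell
#!/bin/sh
# Added example, not code from this thread or from any MDM vendor. Generates
# a custom configuration profile that forces plist keys via the
# com.apple.ManagedClient.preferences payload (the same mechanism MDM
# "custom settings" features emit). One preference domain per profile.
# Assumptions: org.example identifiers are made up; values are escaped for
# XML but not validated against what the target application accepts.
set -eu

# Emit one plist value element from "type value". Supported types are the
# ones a trackpad/Safari/Notification Center setting would need.
plist_value() {
  local type="$1" value="$2"
  case "$type" in
    bool)    if [ "$value" = "true" ]; then echo '<true/>'; else echo '<false/>'; fi ;;
    integer) echo "<integer>$value</integer>" ;;
    real)    echo "<real>$value</real>" ;;
    string)  printf '<string>%s</string>\n' "$(printf '%s' "$value" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')" ;;
    *)       echo "unknown type: $type" >&2; return 1 ;;
  esac
}

# Every payload needs its own UUID; fall back to the kernel's generator where
# uuidgen is absent.
new_uuid() {
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

# Turn "key type value" lines into <key>..</key><value/> pairs.
mcx_settings() {
  printf '%s\n' "$1" | while read -r key type value; do
    [ -n "$key" ] || continue
    printf '                <key>%s</key>%s\n' "$key" "$(plist_value "$type" "$value")"
  done
}

# make_profile <display name> <identifier> <preference domain> <settings lines>
# PayloadScope System makes the keys managed for every user on the machine.
make_profile() {
  local name="$1" id="$2" domain="$3" settings="$4"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>$name</string>
  <key>PayloadIdentifier</key><string>$id</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key><string>$id.mcx</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>$domain</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
$(mcx_settings "$settings")
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Usage: settings come in on stdin, one "key type value" per line:
#   printf 'TrackpadThreeFingerDrag bool false\nTrackpadRightClick bool true\n' \
#     | ./make-profile.sh Trackpad org.example.trackpad com.apple.AppleMultitouchTrackpad \
#     > trackpad.mobileconfig
if [ "$#" -eq 3 ]; then
  make_profile "$1" "$2" "$3" "$(cat)"
fi
```

Run the output through `plutil -lint` before uploading it, and remember that a forced key shows up as managed in the target app's preferences and cannot be changed by the user, which is exactly what you want for the trackpad gestures but not necessarily for everything.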
I work in a school district that uses JAMF. Like some have said, "Imaging" is dead as of 10.13. Jamf has the capability to install software, as well as run scripts that remove some software. Unfortunately, the management details are above my personal job description, so I don't know too much about it. Worst comes to worst, I sometimes wipe the computer, clean install macOS & the Jamf client. Jamf installs many of the settings & software after that.
 
Thanks again for the feedback. As usual I get much better info here than I do on most forums, and I do appreciate the time you've taken to respond.

I've made contact with the makers of Mosyle Manager and JAMF and both of them claim to offer the level of setting-granularity I'm trying to achieve. I'll be digging into both options at some point for hopeful rollout next summer.
 
Jamf is super solid. All comes down to budgets, and what control and automation is worth.

Easily replaces a full time tech, and probably several, depending on the number of machines managed. And that's before you try and factor in the value of stuff working, happy users, easy property audits, etc. Typically the "soft" advantages are under valued by those with the purse strings.
 
Cheap and proper alternative would be your Profile Manager on OS X Server.
Together with Munki (works nearly same as Jamf) it makes a great combo.
I'm using this to manage 1500+ devices.

For normal patches I use reposado to sync the store
 
Cheap and proper alternative would be your Profile Manager on OS X Server.
Together with Munki (works nearly same as Jamf) it makes a great combo.
I'm using this to manage 1500+ devices.

For normal patches I use reposado to sync the store
Using Profile Manager at that scale is very brave.
 
Using Profile Manager at that scale is very brave.
This is like the third time I get such a response.. Why is it? Up till now it's going very (VERY) well.
I use a hexacore Mac Pro on a 10Gb core network, it's really fast though.

And by the way, I actually use it the other way around. Munki enrolls the device to Profile Manager, which pushes the settings as desired. (On the local network, as I'm not allowed to do port forwarding or tunneling to manage the devices in home offices over the public internet.)
 
This is like the third time I get such a response.. Why is it? Up till now it's going very (VERY) well.
I use a hexacore Mac Pro on a 10Gb core network, it's really fast though.

Last time I tried Profile Manager, it choked on 330 iPads and pushed next to nothing out. Constant problems. Very annoying. I don't have nearly as many issues with Mosyle Manager in the cloud. Several years ago, I heard multiple Apple Education reps saying Profile Manager was really just a proof of concept / wasn't meant to be used at scale; they steered me to Mosyle instead.
 
Last time I tried Profile Manager, it choked on 330 iPads and pushed next to nothing out. Constant problems. Very annoying. I don't have nearly as many issues with Mosyle Manager in the cloud. Several years ago, I heard multiple Apple Education reps saying Profile Manager was really just a proof of concept / wasn't meant to be used at scale; they steered me to Mosyle instead.
Hi, good morning to you, thanks for your reply. I'm fulfilling complete IT tasks from infra to software development and 1st, 2nd, 3rd line support on a big DC. That you couldn't manage more than 300 devices seems like a network issue to me. I did research before and the test lab showed a few thousand devices. Like I said, I mainly manage iMacs and MacBooks on the LAN, and we have a redundant 10Gb network core.

It's working very well for me up till now.
Still waiting for ~100-200 Macs to enroll but these might be somewhere underneath a pile of dust or not used in the last 6 months :'-D
Can't be bothered to walk around to each and every one; they will enroll one day when they come online. If not, they will complain it's not working due to my new PKI infrastructure.
 
This is like the third time I get such a response.. Why is it? Up till now it's going very (VERY) well.
I use a hexacore Mac Pro on a 10Gb core network, it's really fast though.

And by the way, I actually use it the other way around. Munki enrolls the device to Profile Manager, which pushes the settings as desired. (On the local network, as I'm not allowed to do port forwarding or tunneling to manage the devices in home offices over the public internet.)
Some problems are:
  • it's a single point of failure with no way to provide any sort of redundancy.
  • Profile Manager sometimes decides to stop working for no obvious reason.
  • Backup/restore of Profile Manager is a poorly documented and unreliable process.
  • Profile Manager isn't a fully functional MDM.
 
Some problems are:
  • it's a single point of failure with no way to provide any sort of redundancy.
  • Profile Manager sometimes decides to stop working for no obvious reason.
  • Backup/restore of Profile Manager is a poorly documented and unreliable process.
  • Profile Manager isn't a fully functional MDM.

Agreed. Profile Manager is borked. Like just about everything network-management-related coming out of Apple these days, it is exceedingly unreliable, fails to function for no apparent reason, and then requires seemingly random actions to get it to begin functioning properly again (for example, the need to renew your APN certificate, even though it has not expired, in order to get PM to begin pushing to clients again when it randomly fails). And note that I'm big on clean installs; these reliability issues show up just about immediately, even on completely clean installs. Install from scratch, get everything configured, prove that everything is indeed functioning reliably and properly, change absolutely nothing about the server, and then just wait for the problems to begin. Might be weeks. Might be days. Might be hours. I'm actually going to split our server functions and migrate our PM to a VM when I get time so I can reboot it without also taking down other functions (like Caching, File Sharing, and Time Machine).

Other tools such as Apple Remote Desktop, once rock-solid, are also unreliable at even the most basic functions (such as bothering to show which systems are currently online without needing to restart ARD; I've taken to quitting the app and re-launching it every time I use the app.) Again, completely clean installs make ZERO difference; the unreliability is built-in!

Part of the reason I stuck with Apple's software up through this point is, admittedly, the stubborn belief that Apple should continue to provide the same quality of product they historically did. I very much dislike being forced into third-party products simply to replace functionality that Apple is either unwilling, or unable, to continue to provide.

*Soapbox* Seriously, take the time machine back just a few years to when Apple actually knew what they were doing and things worked extremely, almost unbelievably well in their small-business / education ecosystem. Email, Open Directory, Web Server, Wikis, Address Book Server. You name it; you could set it up easily and once it was working you could leave it, for years, and barring hardware failure it just worked. That's what Apple is supposed to be. And though I'm far from the only person to say it, I would agree that the beginning of the end came just after Snow Leopard, with Lion (that's when we started seeing significant issues with things that historically worked well - such as the ever-deleting Address Book bug). I think I had to delve into unix-land a single time pre-Lion: to set our web server to properly display iFrame content, which it didn't by default. It's been a downward spiral from then onward. *Soapbox off*
 
Agreed. Profile Manager is Borked....

Absolutely agreed. It was around the time Lion came out that I realized macOS Server was no longer a viable option for us. We already had our email and stuff in G Suite, and I transitioned us from Open Directory to Active Directory. I think the final straw was the day I came in to find our Open Directory master had decided to corrupt itself for no reason; thankfully I had backups and was able to restore. AD doesn't do that — at least not in my experience.

Similar experience with ARD too. I hardly touch it anymore. I think Apple is doing fine from an end-user perspective, but the enterprise side of things has been a mess for a while. I do have to give them credit on Apple School Manager and Apple Classroom though — great tools to enhance the usefulness of iPads in the classroom.
 
Update & Bump:

Jamf bought Nomad, but have pledged to keep the basic version freely available. Kudos to them for that.

Munki continues to get refined, and is well worth the time of anybody savvy enough to leverage it...and automate things.

I would also recommend Synology NAS gear for those keeping servers/services on site, and not going all in with cloud. Overall, very good compatibility with Macs for file sharing. I find ours less fiddly about user permissions than I ever did with OS X Server. Lots of other handy features that are more enterprise, or enterprise-adjacent, compared to other options in the price range. Most importantly, fewer technical skills required to set up, manage and monitor than many other server platforms I have seen or used. Goes a long way to retire or move away from both legacy Mac servers, and Win servers too. There may be other good options too such as QNAP, but I can't speak to those.

Other tools

Even if Jamf PRO MDM is off the table, their package builder tool Composer is great to easily build your own .pkg or .dmg installers. One time purchase...worth it!

Need to take a .pkg apart easily? Check out unpkg.

ProfileCreator is a handy, really great tool to, well, create your own profiles. This is better than Profile Manager in many ways.

FileWave (Jamf competitor for MDM) has—or had—a slick tool for creating and simply cloning Thunderbolt Macs: Lightning.

Similar free tool actively under development is AutoDMG.
 