We still have an old macOS server with profile manager running, with a domain wildcard SSL certificate. After renewing the certificate, I checked that https: was working, and also that management profiles could be downloaded. Great! However, when setting up a new device, the device says that the certificate is invalid, and will not install the profile. Reverting back to the (soon to be expiring) old certificate, everything works fine. So, I'm at a loss for why this is happening. As far as I can tell, the root for both certs is the same. In fact, the CA which was provided by Digicert/Geotrust looks to be the same as last year's. I've exhausted my basic knowledge of "openssl" commands trying to spot any differences, to no avail. In testing, I see the same behavior in iOS16, iOS17, iOS18, macOS14, and macOS15. When using the expiring certificate, new devices can download the profile, but when using the newer certificate, errors occur. Also, with the newer certificate, all of the above devices are able to install profiles (manually, from the /mydevices URL). One interesting note, is that yesterday the error was "invalid certificate"; however, today, it just says "canceled" (iOS16). I read that ABM was having issues overnight, so this may be related. But, my trouble with new devices and the new certificate started over a week ago. PS - I'm not using profile manager because _I_ want to. But, feel free to add more reasons why it's a bad idea (as long as you try to help solve the original problem).

Currently, we're implementing 802.1X authentication in the company, but having some trouble with getting an IP address when using some Macs (MacBook Pro). I created a profile through Profiler Manager of macOS Server. After the profile installed, I was able to get an IP address by manually clicking "Connect". **PS: We are using the EAP-TLS.** But I have to manually click "Connect" to get an IP address, every time I disconnected the Mac from the LAN cable or reboot the Mac. Q: Is there any way to trigger the 802.1X authentication to get an IP address automatically or is there is any way to click (without interaction or silently in the background, maybe command line or plist files?) the "Connect" button automatically once a user logs in? Any ideas would be appreciated.

I recently had my work MacBook Pro's admin software removed (by IT, the same department that initially set them up) and the macOS freshly installed, with the old profiles removed. I had a Time Machine backup of the computer and (maybe stupidly) restored the laptop's settings from this backup. The old profiles that were managed by IT have been removed, but there are still some "login items" that remain. My guess is that I "restored" these login items when restoring from the time machine backup. The login items say that "this setting has been configured by a profile" but when I look at "Profiles" in system settings I don't see any profiles. Assuming that I somehow reinstalled these items, how would I go about removing them?

I am the admin user on the Mac. My sister was logged into her account (it has a password that idk) and I ended up using it while it was logged into her account. I stepped away from the computer and it locked me out and now I can’t get back into her profile. Im currently in the middle of planning a surprise for her and I had left all my tabs open. Whenever I log into the Mac it always brings up whatever tabs and applications I had open. **Is there any way at all I can close her tabs out from my end so it doesn’t open when she logs in?** I obviously don’t want to reset her password as that will tip her off.

I want to enable DNS over TLS for my MacOS using custom DNS server. I am building my custom DNS infrastructure and I have set up an Unbound DNS server on a local network. For now DNS resolution flow looks like this: - Mac sends DNS request over port 53 to local Unbound server in plaintext. - Unbound server forwards this request over port 853 using DoT. As you can see, between my MacOS and Unbound server traffic is transferred as a plaintext, and I want to prevent. From what I have found, if you want to enable DoT for your Mac you need to download and install profile. For example, [this is how Quad9 does this](https://support.quad9.net/hc/en-us/articles/4814293189773-Setup-MacOS-and-DNS-over-HTTPS-or-DNS-over-TLS) . Also, I have found [this page](https://simpledns.plus/apple-dot-doh) , where you can generate this profile, but I doubt that this is going to work because I doesn't set certificate here. So, I need to generate this profile, using Apple Configurator, I guess, but it's still a little confusing. If someone has ever done this before, has step-by-step instruction and can share one or can clarify if I'm wrong somewhere, I would be grateful. Thanks in advance!

I have added a global password policy which enforces password rotation for every 90 days. But there are two types of accounts: 1. User Accounts - Enable Password rotation for 90 days 2. Admin Accounts - No Password rotation I don't want to enable password rotation for Admin Accounts but should enable for User Accounts. Please suggest a clean approach to achieve this. **Similar Problem:** https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines (Global Policy = All Users except "admin")

I created Open Directory and ProfileManager with self-signed certificate. Now I try to replace the self-signed certificate with the already Signed Certificated currently use on our Active Directory 2008. I do an Export .pfx cert from this link: http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm When I try "Import a Certificate Identity" from Certificate Menu on Left Sidebar of Server.app the application hangs. I also use the keychain to import .pfx by follow this link http://www.digicert.com/ssl-support/p12-import-export-mac-server.htm but it also not available in Server.app Certificate. Is there any command line that could help or a better way to add a private key + cert to Server.app?

Initially hi everyone, im having trouble with deleting profiles. I've searched but I couldn’t find anything. I got so many profiles installed on my mac and when i try to delete them the minus button is not active therefore i can't change my screen saver options etc like as; as you can see i can't change my screen saver timer System info: macOS Monterey Version 12.0.1 MacBook Pro 2016 15" 2.6 GHz Quad-Core Intel Core i7 processor 16 GB 2133 MHz LPDDR3 memory Intel HD Graphics 530 AMD Radeon pro 450

I remember adding a DNS service (NextDNS) via a profile some time ago. Unfortunately I cannot remove it from the Network list in System Preferences because the minus button is grayed out. Surprisingly the profile has disappeared, and there is no Profile icon in System Preferences. This is weird since another profile is installed and works well (a Wifi profile) but is not accessible anymore. I tried several solutions listed in other StackExchange questions such as:

$ networksetup -listallnetworkservices

Which returns:

Wi-Fi
Bluetooth PAN
Thunderbolt Bridge

So the DNS service is not listed. I then try to edit /Library/Preferences/SystemConfiguration/preferences.plist but the DNS service is not listed here neither, there is only the 3 services mentioned above. I also tried to list the profiles manually using profile list but it says there are no installed profiles. I wonder if I'm even editing the right preferences.plist file. I did a search for a file with the same name system wide but did not find useful results.

Good evening, someone know the best practice for deploy printer on a mac with Profile Manager? I have add to my Server on System->Printer the printer with AirPrint and it is recognised, with model and position. I use payload "Print", but the printer is deployed on mac only with "generic driver". I have tried to install first the driver and after push the payload, but doesn't work. Always "generic driver". The problem is, generic driver some function are unavailable... Some ideas? Thanks

Good morning, I have an old Apple server with macOS 10.12 and Server.app version 5.3 Now I need export the information about devices with DeviceName, SerialNumber and ICCID (for iPad) I found some thread with command for read information with PostgreSQL, but no one with ICCID information. Someone know the correct select command? I found this: 1 - connect to the database sudo psql - U _devicemgr d devicemgr_v2m0 h/Library/Server/ProfileManager/Config/var/PostgreSQL 2 - If you want the names and serial numbers, use Select "DeviceName", "SerialNumber" of devices; I try to use: Select * from devices; And I see the title of the DB columns listed, but none traceable to ICCID... Any help? Thanks

I have enabled the guest account for all of the iMacs and Macbooks in my school. I would now like to use Profile Manager to trim down the dock for the Guest user, set a custom homepage for Safari and configure Safari to launch new windows with the homepage. I am struggling to find a tutorial for accomplishing this. Any tips?

I install OS X Server for MDM profile manager on iMac with High Sierra. Then used Apple Configurator 2.5 to enroll 16 iPad Air 2 on iOS11 to the MDM and added wifi Profile. All iPads are showing up as supervised devices on AC2. Now on each iPad, I see the Remote Management screen, hit the NEXT on the top right corner to attempt to install the remote management, and they all came back saying failed timed out. The same profile worked fine on iMac.

How can I create a terminal command to open another user's profile in Chrome? It takes me a long time to switch between them because I have a lot of users in Chrome.

I have an Mac Pro running Lion, my wife has a Macbook Air also running Lion. We have the same apps installed. I want to steal my wife's Macbook while I'm out of town on business. To do so, I'll have to bribe her, but I'll also need to give her a seamless experience using the Mac Pro for the week. How can I easily copy her profile, including all settings, mail, and documents, over to my Mac Pro so she can use it, and then send it all back to her Macbook when I get back? I know there's a migration wizard, but neither of these is a new machine, and I only want to copy one profile (hers).

We are looking for a way on a Mac to measure the time in milliseconds from after a shell script issues a command until that command actually begins execution on the cpu. This time would represent the time to fork, exec the command, run the exec syscall, page in the first page or so of the process and start it running.

I've been tweaking the command profiles quite sometime now but the -password parameter doesn't work. I've wanted to enroll machines using an MDM profile but it will require the user to input credentials via prompt which defeats our automation. Additional: I can install Trust profiles from macOS server via terminal by simply executing `profiles -I -F but not the MDM.

We have a few Macs in the office and a server running macOS Mojave 10.14.6 + Server 5.8. Profile Manager is set up and working, and company-owned Macs are enrolled. Mostly we use it for volume app distribution at this time. Right now, people in the office have a few locations set as Favorites in Finder's Go > Connect to Server… and some of them have taken the subsequent step of dragging one or more network folders into their sidebar. I am in the process of reorganizing how documents are share and stored. In Windows, I would probably use Group Policy to add or adjust drive mappings. Is there a way to accomplish any/all of the following: - Add or adjust favorites in Finder's Connect to Server… - Add or adjust shortcuts in Finder's sidebar? Using Profile Manager payloads or via some bash script that I could distribute via Profile Manager?

I see a lot of talk about mobileconfig files for standing up new boxes. It seems as if they're a configuration file for Profiles. Is there a spec or standard from which they're generated, or can be parsed? Is there any where this is documented?

I need to deploy the Microsoft Office 2019 suite to a bunch of MacBooks. I only use Profile Manager (part of MacOS Server) and am struggling to figure out how to do this successfully. I've experimented with mdmctl to create a .plist file and have applied it by uploading it under Custom Settings but nothing happens on the Mac. I've not been able to find any guides on how to use Custom Settings to deploy these plist files.