PREREQUISITES: This document is a detailed guide to managing remote devices and creating device groups. If administrators already perform mobile device management, they can skip Device Group creation and the distribution of Trust Profiles across devices and move directly to adding the appropriate payload to the profile.
Server
There are a number of tools for managing Mac users remotely, with JAMF Pro and macOS Server being the most popular in this category.
NOTE: JAMF Pro is only available for 50+ devices.
macOS Server
macOS Server is an official tool provided by Apple for managing multiple devices and distributing settings across them remotely. macOS Server can be installed on every Apple device running Mojave and Catalina and doesn’t need to be in the same network as the target devices.
Profile Manager
Right after the macOS Server installation has been completed, it’s necessary to enable Profile Manager (it’s disabled by default). For details on how to start Profile Manager, refer to Apple documentation.
If the Profile Manager has already been activated, devices and profiles can be configured. Profile Manager can be accessed via any web browser. For the purpose of this example we are using Google Chrome.
Device Group
Once Profile Manager has been activated, the system administrator can create a new Device Group to handle multiple devices at once.
Next, a special profile can be created; it will be distributed to every device within the Device Group.
Custom Settings are available for forced installation; access Your Device Group > Settings > Edit.
NOTE: It’s necessary to add a profile payload with a property domain, especially for Google Chrome.
Here is an example of what it should look like. It’s necessary to create this property exactly as shown in the example below, with the proper Type and item:
Preference Domain | com.google.Chrome |
Key | ExtensionInstallForcelist |
Type | Array |
Value | Leave blank |
Button should change to “Add Item” after clicking the first key. | |
Child Type | String |
Value | bpgnbhpmapjejjgieobojikijibkabnl;https://<customerURL>/api/public/admin/extensions/player/updates.xml |
NOTE: It can be used to install more than one extension, if necessary. In order to do that, add another item under “ExtensionInstallForcelist”.
Trust profile
To add a new device to the Device Group, download and install the Trust Profile on the target device. Go to Blue Brick > Download Trust Profile.
It is a standard profile file and can be launched on the target device with a double click.
NOTE: The installation process requires administrator permissions.
Remote Profile Management
To manage remote devices automatically, install an “Enrollment profile” on every device. At the bottom left corner of the macOS Server Profile Manager, click the Plus button to create a new enrollment.
NOTE: The “Restrict use to devices with placeholders” option should be unchecked.
It should be saved, downloaded and installed in the same manner as the Trust Profile. Installed profiles on target devices should look as follows:
Now the administrator should be able to view the new remote device and add it to the Device Group.
Automatic Enrollment
After saving the Device Group settings, every profile should be distributed automatically across connected devices. This can be checked in the profile settings:
NOTE: Replace the above custom settings highlighted with red with the value below:
bpgnbhpmapjejjgieobojikijibkabnl;<customerURL>/api/public/admin/extensions/player/updates.xml
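An added example (not part of the original guide or of any vendor tooling): a Python check of the ExtensionInstallForcelist items described above before they are saved to the Device Group, plus an audit of an exported com.google.Chrome plist. The host mdm.example.com stands in for <customerURL>, and requiring an absolute https:// update URL on every item is this example's assumption.

```python
import plistlib
import re
from urllib.parse import urlsplit

KEY = "ExtensionInstallForcelist"      # key name used in the custom settings
EXT_ID = re.compile(r"[a-p]{32}")      # Chrome extension IDs: 32 chars, a-p only

def check_entry(entry):
    """Return the problems found in one '<extension id>;<update URL>' item."""
    problems = []
    ext_id, sep, url = entry.partition(";")
    if not EXT_ID.fullmatch(ext_id):
        problems.append("extension ID is not 32 characters in a-p")
    if not sep or not url:
        problems.append("missing ';<update URL>' part")
        return problems
    if any(c.isspace() for c in url):
        problems.append("whitespace inside update URL")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        problems.append("update URL must be an absolute https:// URL")
    return problems

def build_plist(entries):
    """Serialize the preference plist; refuse to emit malformed items."""
    bad = {e: p for e in entries if (p := check_entry(e))}
    if bad:
        raise ValueError(f"malformed forcelist entries: {bad}")
    return plistlib.dumps({KEY: list(entries)})

def audit_plist(data):
    """Map each malformed item in a com.google.Chrome plist to its problems."""
    value = plistlib.loads(data).get(KEY, [])
    if not isinstance(value, list):
        return {KEY: ["value must be an Array of String items"]}
    report = {}
    for item in value:
        if not isinstance(item, str):
            report[repr(item)] = ["item must be a String"]
        elif (p := check_entry(item)):
            report[item] = p
    return report

# Constructed sample values; mdm.example.com is a placeholder for <customerURL>.
EXT = "bpgnbhpmapjejjgieobojikijibkabnl"
PATH = "/api/public/admin/extensions/player/updates.xml"
GOOD = f"{EXT};https://mdm.example.com{PATH}"
NO_SCHEME = f"{EXT};mdm.example.com{PATH}"
BROKEN = f"{EXT};https://mdm.example.com/api/public/admin/exten sions/player/updates.xml"

if __name__ == "__main__":
    print(audit_plist(plistlib.dumps({KEY: [GOOD, NO_SCHEME, BROKEN]})))
```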
Summary
The new extension will be force-installed on the next Google Chrome start. A user without administrative privileges won’t be able to uninstall it or even disable it. To change the extension or add another one, just edit the Device Group settings and save them; the change will be rolled out automatically across devices.