Tag Archives: profile manager

Hacking Profile Manager on Mavericks

Dear Fellow OS X Server Geeks,

Just a heads up that I have updated my earlier posts about gaining access to Apple’s Profile Manager PostgreSQL database. The commands therein now work on Mavericks.

If you’ve upgraded from OS X Server 2.0 on Mountain Lion, you’ll have to open up remote access from scratch. Data is retained (flawlessly in my case), but the PostgreSQL instance has been moved and a new database (with a new name) created beside the old one.

Virtual hugs,

Me

Under the hood: OS X Server’s Profile Manager

Updated on 6-Nov-13 for OS X Server 3.0 on Mavericks

Let’s say you’re running the MDM software Apple ship with OS X Server, Profile Manager. (You’ve chosen this because you don’t really need the fancy features of Casper and friends.)

Let’s say you’re also running other services that would benefit from live access to Profile Manager’s device metadata, e.g. a Squid proxy that implements MAC-based iOS authentication (because proper proxy authentication has been broken on iOS since forever). “An external_acl_type that could check enrolled device MAC addresses be super-awesome!” you say to yourself.

Where to start?

Turns out, Profile Manager data lives in an embedded PostgreSQL database, and opening it up for remote access is relatively straightforward.

First, you’ll need to modify /Library/Server/ProfileManager/Config/PostgreSQL_config.plist (note: this path has changed in Server 3.0) to enable access over TCP/IP (by default, postgres only listens on a UNIX socket). Edit the existing listen_addresses= entry, and add the last two lines:

<string>-c</string>
<string>listen_addresses=OSX_SERVER_LAN_IP</string>
<string>-c</string>
<string>port=5432</string>

Note: Server 3.0 creates multiple instances of PostgreSQL, one for each service that depends on it, all on different UNIX sockets. Just in case another instance opens PostgreSQL for TCP connections on localhost, I recommend binding the Profile Manager instance to a LAN-facing IP. Alternatively, you could use a non-standard port.

Then tell postgres that any host on your network is allowed to connect with an encrypted password, by adding a line like this to /Library/Server/ProfileManager/Data/PostgreSQL/pg_hba.conf (note: changed in Server 3.0):

host all all 192.168.0.0/16 md5

Almost done! Now you just need to set up a postgres user to connect as. Start by opening a psql session:

sudo -u _devicemgr psql -h /Library/Server/ProfileManager/Config/var/PostgreSQL devicemgr_v2m0

(This entire command has changed in Server 3.0; note particularly the new database name.)

Then you’ll probably want to run a couple of commands like:

CREATE USER squid WITH PASSWORD 'XXXX';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO squid;

If you want to create a more privileged user:

CREATE USER dbadmin WITH PASSWORD 'XXXX';
GRANT ALL ON ALL TABLES IN SCHEMA public TO dbadmin;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO dbadmin;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO dbadmin;

Reboot the server and test with pgAdmin or some other PostgreSQL admin tool.

Oh, and don’t blame me if you break your Profile Manager, or Open Directory, or your entire OS X Server.