Using OS X Lion Server as a Home Server (Part 8 – Profile Manager and Apple Macs)

Next, to enroll a device, access Profile Manager on a browser running on the device you wish to enroll (using the web address You should see the page below:

If you’re using a self-signed certificate, the first thing to do is to convince your Mac to trust the profiles pushed out by the server. To do so, click the Profiles tab and you should see a Trust Profile for your server (the organisation name is shown).

Click Install, and you should be fine to continue with the enrollment.

For those using an externally authorised SSL certificate (and for everyone else once the Trust Profile is installed), click the Enroll button in the Devices tab to proceed with the enrollment. A file called ota_profile.mobileconfig will be downloaded to the Mac from the server. Double-click the downloaded file to continue.


To read the rest of this chapter, check out the Using Apple OS X Lion Server at Home eBook (Details below).

Download the Using Apple OS X Lion Server at Home eBook Now

If you’ve been enjoying our Using Apple OS X Lion Server as a Home Server series, then make sure you pick up a copy of the accompanying eBook. You’ll find additional chapters and information on using OS X Lion Server to power your digital home that won’t be available here on the site, and with all of our walkthroughs available in one convenient document (ePub or PDF), it’s far easier to install and configure your server without having to click backward and forwards to the website.

Buy Using OS X Lion Server at Home – £14.99



  1. Have you managed to get the mobile accounts profile working with Profile Manager? I always get a "task failed" when it tries to update the devices.

    1. Yes, I have – but I found that if the mobile accounts have already been created, any subsequent mobility configuration that still includes a "create mobile account" action will fail.

    1. Yep, ports are forwarded. I get the following: "The profile is either missing some required information, or contains information in an invalid format."

      Can't seem to figure out a workaround?

  2. Great stuff as usual Terry! My experience is parallel with the series and I can't wait for the next installment. I have no problem waiting as long as it takes because having a walk-through as beautiful as those you provide make the process "cake". Thanks again!

  3. Such a nice feature but can't get past this certification issue… seems to be an ongoing problem…

    1. Hi Mark

      Try running "tail -F /var/log/system.log" in a Terminal window, then recreate the error – you should see some more detailed error information pop up in the terminal window which may help you troubleshoot.


      1. Seems to be a root issue

        Sep 8 12:54:29 xxxxxxxxxxx ProfileManager[366]: Could not retrieve root certificate from open directory server.
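Following on from the tail -F tip above, here is an added example (not from the original post or its commenters): a small Python script that parses BSD syslog lines of the kind /var/log/system.log contains and tallies the messages logged by the ProfileManager process, folding in syslogd's "last message repeated N times" markers so the count reflects how often an error actually fired while you recreated it. The sample log is constructed; the hostname, pids and the servermgrd line are made up.

```python
import re
import sys
from collections import Counter

# BSD syslog layout used by /var/log/system.log on OS X Lion, e.g.
#   "Sep  8 12:54:29 hostname ProfileManager[366]: message text"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# syslogd collapses duplicates into a marker line that must be
# credited to the message logged just before it.
REPEAT_RE = re.compile(r"--- last message repeated (\d+) times? ---\s*$")

def parse_line(line):
    """Split one syslog line into its fields; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(lines, process="ProfileManager"):
    """Count each distinct message emitted by `process`, expanding the
    'last message repeated N times' markers that follow it."""
    counts = Counter()
    last = None  # (proc, msg) of the most recent real log line
    for line in lines:
        rep = REPEAT_RE.search(line)
        if rep:
            if last is not None and last[0] == process:
                counts[last[1]] += int(rep.group(1))
            continue
        rec = parse_line(line)
        if rec is None:
            continue  # continuation or non-syslog output, skip it
        last = (rec["proc"], rec["msg"])
        if rec["proc"] == process:
            counts[rec["msg"]] += 1
    return counts

# Constructed sample: hostname, pids and the servermgrd line are made up;
# the first ProfileManager message is the one reported in the comment above.
SAMPLE_LOG = """\
Sep  8 12:54:27 homeserver servermgrd[95]: constructed sample line from another daemon
Sep  8 12:54:29 homeserver ProfileManager[366]: Could not retrieve root certificate from open directory server.
Sep  8 12:54:30 homeserver --- last message repeated 2 times ---
Sep  8 12:54:31 homeserver ProfileManager[366]: constructed second sample message
"""

if __name__ == "__main__":
    # Usage: tail -n 500 /var/log/system.log | python3 pm_log_summary.py
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for msg, n in summarize(src).most_common():
        print(f"{n:4d}  {msg}")
```

Run without piped input it summarises the embedded sample, so you can see the repeat marker being folded in before pointing it at your own log.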

  4. Thanks for such a great article on Lion Server. This is by far the best piece of information I have found on the subject.

  5. Hi Terry, amazing article!

    Hoping you’re going to go so far as to show how you can access your media and files remotely (via browser) like you can with WHS….pretty please 😉


    1. Hi John

      Yes, that's the plan, but it'll take a little investigation – I'm covering the core services first, then we'll dip into remote access, media sharing streaming and so on.


  6. Hi Terry, thanks for this series. I have a problem with my email since running Server. I can receive but no longer send emails through my ISP (I can still send .me mails). I get a very quickly flashed message when I try to send (too quick to read) and then I cannot close the message I am trying to send. I have to exit Mail, and when I restart the app, the mail message I failed to send has moved to Drafts, from where I have to delete it. I have the email configuration on Server switched off, by the way. Thanks for your help. Simon

    1. Are you using the same domain for your Mac server as you use for your ISP mail? That may cause some setup problems. If there's an issue with the account setup in Mail, you should see an exclamation mark next to your inbox – double click and you should be able to see the error.

      1. Hi Terry. No, I have email on the server switched off, and there's no exclamation mark by my inbox. I received mail ok from my ISP, but can't send it. I'm also running .me mail and have no problems sending that. Hope you can help as my business is suffering….. Thanks. Simon

  7. Hi Terry,

    Will you also be doing virtual hosts and how to run two or more websites from the Lion Server?

  8. Superb walkthrough, which I posted a link to on the Mac Rumors forum:

    I’m really looking forward to having a go at this myself.

    One request for the ‘remote access’ section. It would be great to cover the built-in VPN service such that users can log into a VPN remotely and send all traffic via it, to ‘browse out’ – very useful when you are faced with an internet connection (hotspots, hotels etc.) that may not be secure.

    Thanks again – excellent series.

    1. Hi Dunstan

      Thanks very much for the link – very kind. Yes, Remote Access will definitely include the VPN service, as it's the primary built-in access method for file sharing.


  9. Hi Terry, really enjoying this series.
    I'm interested in getting my first server and also am keen to have a Mac in the house.
    But I need to know how it works with PCs as all of my clients would be PCs (initially at least).

    Will you cover this?

    1. Hi Matt

      With regard to PC support, you'll certainly be able to easily share and stream files hosted on the Mac Server to your PCs, but there's no backup support (Time Machine), Profile Manager support or user account support, all of which are Mac only.

      My advice, if you're a predominantly Windows-based home at this point, is to go for Windows Home Server as the backbone, and then over time, if you end up swapping PCs for Macs, there'll be a tipping point where a Mac Server makes more sense.

      Going forward, if Windows 8 allows PC backup to network devices through History Vault, and the feature itself is decent (e.g. image-based, incremental backup and restore), then I may revise this advice – we should find out more this week.


      1. Thanks Terry,

        Really impressed by the way you monitor and reply (in depth) to so many of the comments.
        Thank you.

        I only came across 'We Got Served' a few weeks ago, but I'm a regular reader now and I can tell that this site is going to be a helpful resource as I go about choosing (and using!) my setup.

        Thanks for all your hard work, really appreciated.

  10. Hi John

    The domain should work (in terms of pointing to your home network if it's been previously set up with WHS), but I'm not sure how you'd manage the certificates… have a go and let us know how you get on.


  11. Hi Terry, this is a very helpful walkthrough, thank you.
    I've made my iMac i7 into a server and now I'm attempting to get my MacBooks etc. set up as clients. I've followed every step I believe, registered a domain with GoDaddy and got an SSL cert etc., so far so good. I didn't do the port forwarding because I'm using a Time Capsule, and I checked in the AirPort Utility and everything seems to have registered. The users and groups have been set up and I can access Profile Manager on the server, but the trouble I have is when I come to log in to my server via web browser on my client to enrol, I get "Safari can't connect to the server". I am wondering if I set up the domain correctly on GoDaddy; I pointed the DNS manager to my IP address. I didn't register for hosting at GoDaddy, is this required?

    Any ideas?


  12. Hi,

    This is really great work!

    I had this all fine until yesterday. Had a bunch of devices enrolled and last night Profile Manager stopped working. It's running in the Server app and looks to be OK, but I am not able to log in to the webpage. At the moment I am getting page not found. My router etc. is set up correctly, I have double-checked (and it was working before anyhow).
    Hope someone can help with this. I am about to do a full system rebuild to get this to work…


  13. Quick question: I’ve followed all of your instructions up to this point, and set up an SSL certificate through GoDaddy, which is verified on the server. But when I enroll my devices, the profile shows up as “unsigned”, not “verified” as in your screenshot. Any idea what I’m doing wrong?

  14. Terry,

    I would like first to thank you for all your help through the configuration of my Mac mini Server. 

    Everything looks exactly like you describe it up to the point of enrolling client computers. I do have the TrustProfile in place and verified, but I keep getting the following error message at the end of the enroll process with the ota_profile.mobileconfig file:

    “The profile “Remote Management (…………….com.mdm)” could not be installed due to an unexpected error.”

    What is your idea about this error?


    1. Not sure what’s happening here, but looks like others have had a similar issue:

      My hunch is that there may be a bug lurking around the certification process during enrollment. From memory (this was a good few weeks back) I was hitting a similar problem, but had to do a server reinstall anyway, which ultimately cleared the issue….

  15. Terry, I’m getting the “unexpected error” message when I try to enroll both the server and an additional device. AFAIK I have forwarded the two TCP ports you set out. Any thoughts? Thanks again for the excellent article, and for taking the time to troubleshoot everyone else’s projects!

  16. Great walkthrough,
    But I run into problems when I want to open Profile Manager…
    I get:
    Service Temporarily Unavailable

    The server is temporarily unable to service your
    request due to maintenance downtime or capacity
    problems. Please try again later.

    Apache/2.2.20 (Unix) mod_ssl/2.2.20 OpenSSL/0.9.8r DAV/2 Server at imacgerritjan.local Port 80

    I’ve looked around at posts, but cannot find a solution or a hint as to what might cause this problem? I’ve tried to disable the certificates, and to enable them? The webserver itself seems to work; http://imacgerritjan.local gives me the welcome screen.

      1. I’ve received very helpful support from Apple by phone. I will try to summarize the causes and the improvement, but I’ve not yet managed to get Profile Manager to work…
        The root cause, according to Apple, for my error message is that the Profile Manager services rely on DNS to execute correctly (might be true also for other more complicated services).
        The reason DNS was not working on my iMac is that it used to be just a client, relying on my ISP for DNS. My iMac receives its IP configuration from the DHCP services of an AirPort Extreme, which just forwards DNS requests to the DNS services at my ISP. When I configured the host name and followed Terry’s walkthrough I chose, in contrast to Terry, not to make my server (and family domain) visible from the internet, so I skipped the part where Terry configures DNS at GoDaddy to contain the server name (hostname) of the home server.
        Apple advised me to configure DNS on the home server by downloading the server tools (10.7.2) and using Server Admin to configure DNS.
        Terry, it would be very helpful if you could add a little about the optimal DNS configuration of a home server; I was struggling with naming conventions, and frequently the tool generated names by extending the domain name behind the hostname. According to Apple the root cause for this is that I did not start with a fully qualified domain name (I chose koekkoekfamily.local). But after changing my hostname (also tricky) and trying to update my certificate at GoDaddy with the new hostname I managed to get DNS working.
        Apple advised me to test DNS with the terminal command
        dig @###.###.#.## imacgerritjan.koekkoekfamily.local
        where you put the IP address of the home server after the @ symbol (it will then ignore other possibly running DNS services and should respond with the same IP address of the home server; note the fully qualified hostname).
        After all this I at least no longer get the error about ‘temporarily unavailable’, but I might be in an even more problematic condition:
        I now get “Profile manager is not running”, clearly a message from Server because it’s a nicely grey formatted message from Apple, and not from Apache. The green dot of Profile Manager is showing; the app thinks Profile Manager is RUNNING.
        I think this is due to renaming the hostname and domain name; in the logfile I see a lot of Ruby messages that do not look good…

  17. Hi, I’m running Lion Server 10.7.2 on a Mac Mini and I have a problem that the login screen does not open when I hit the Open Profile Manager link. The Safari window is blank. Any ideas?

  18. Hi, great stuff, I like your how-to setup very much. After hours of very demanding setup experiences I found your how-to extremely helpful and I am considering buying your publication.

    Small question I have for you: I opened both ports 1640 and 2195. Portscan shows only 1640 open; port 2195 remains closed whatever I do (restart, new start, reconfiguring and so on). Consequently, at the end of the enroll process I am running into an unexpected failure. Any idea?

    Found out that ports for Web Services (80 and 443) must be open as well to get the expected web page displayed. Maybe this helps someone a little.

    Thanks for your attention


  19. I have turned on Profile Manager on the Server app but when i go to access it on the web browser, it says it is off. Also when I go to the /mydevices page I get a “Not Found” error. This happens on the server computer, another network computer, and an iPhone on a 3G network. FWIW, file sharing (the only other service I’ve set up so far) works on the local network.

    Any ideas on what the issue could be?

  20. Can you PLEASE add your ebook to iTunes… It would be a GREAT help to those like me to whom gift cards are the next best thing since the dollars and CENTS.

    1. Thanks for the feedback – Apple has a really convoluted acceptance process for iTunes (requiring, believe it or not, a US Tax Number (I’m not a US Citizen, BTW)) to get a supplier account. Will definitely try to sort this out though – watch this space. 

  21. Hi Terry
    Thanks for this guide. But after changing the ports on router my DNS on Lion Server stopped and I can’t start it anymore. Any clues? Thanks

  22. After I sign in to Profile manager (for the first time); Safari brings up “Safari can not connect…” 404 error.  I am using a Self Signed Cert, but that should not make a difference.  Thoughts? I am a very novice user with OS X and OS X Server.

  23. I’ve purchased the book and find it very helpful. After some struggles I was able to obtain an SSL certificate and get it properly installed. Now when I go to Profile Manager and try to import my SSL certificate it asks for my public and private keys. I dragged my SSL certificate into the box, but where do I get my public and private keys?

  24. Hi Terry, I have my trust profile installed using a self-signed certificate. When I try to enrol my server and download ota_profile.mobileconfig for mydevices and install it, I get this error:

        Profile installation failed.
        The certificate for this server is invalid. You might be connecting to a server that is pretending to be “gtiserver.local” which could put your confidential information at risk.

    Any ideas what I have done wrong?

  25. What about making the port forwarding simpler?
    My problem: at some point in the process, I was no longer able to connect to the server from another Mac on the same network. After spending hours trying to find the issue, I realised that it was coming from the port mapping of my Fritzbox router (by switching off the firewall). Internal connections are, astonishingly, going through the firewall of my router. I guess that it happened when I made the server accessible from the Internet and gave as host name something like “my”.
    My first attempt: I started to enter manually tens of port mappings. Painful.
    My fast and efficient solution: I forwarded all ports from my Fritzbox router to the Mac mini server (DMZ or exposed PC), but only for the server, not the other Mac. I activated the firewall of the Mac mini server with one click. It worked within 10s.
    What do you think?

  26. It’s not working for me and this is my 7th day on the product.

    (With and without proxy being defined)
    Still having the same issue deploying the Auto-Join Devices Enrollment:

    transaction with the server at
    has failed with the status of “401”.

    But as soon as I add the iPad as a placeholder in Profile Manager with its serial number, it’s more than happy to accept the auto-join profile with or without proxy creds.



  27. Hi Terry, when you say “Important: Before proceeding with enrollment, make sure you have the following ports forwarded to your server via your router – Port 1640 and Port 2195. Without these forwarded, you’ll receive an “unexpected error” when you try to enroll a device other than the server itself”, does the forward need to point at or just ? Thanks, Chris
