How to add a device to macOS Server?

I've just purchased macOS Server and am trying to add devices to its management. I've tried going to the "My Devices" page,

enter image description here

and downloading a configuration profile for MDM enrollment:

enter image description here

The configuration profile has the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>CAFingerprint</key>
                <data>
                Q0MzMkNBMzNGMjFGRTgyNUJFOTI5RTU3Qjc1NUIyMTU4
                MDlFQTE1REZBQ0FCODkwQjc3ODJBRkVEQkRFMUJGRA==
                </data>
                <key>Challenge</key>
                <string>eN23VUrSBk1GJWa5/y4ViIUGGkdr3gPqYwEU/l8VQAo=</string>
                <key>Key Type</key>
                <string>RSA</string>
                <key>Key Usage</key>
                <integer>0</integer>
                <key>Keysize</key>
                <integer>2048</integer>
                <key>Name</key>
                <string>Profile Manager Device Identity CA</string>
                <key>Subject</key>
                <array>
                    <array>
                        <array>
                            <string>CN</string>
                            <string>MDM Identity Certificate:728ad81d-a72f-467b-a9bb-ae74bff37fd4</string>
                        </array>
                    </array>
                </array>
                <key>URL</key>
                <string>http://Kurts-MacBook-Pro-13:80/mdm/scep</string>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures SCEP</string>
            <key>PayloadDisplayName</key>
            <string>Device Credential Request</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdmconfig.SCEP</string>
            <key>PayloadOrganization</key>
            <string>Kurt Peek</string>
            <key>PayloadType</key>
            <string>com.apple.security.scep</string>
            <key>PayloadUUID</key>
            <string>AECB99D7-9F26-4460-853B-C6D7DF366354</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>AccessRights</key>
            <integer>8191</integer>
            <key>CheckInURL</key>
            <string>https://Kurts-MacBook-Pro-13/devicemanagement/api/device/mdm_checkin</string>
            <key>CheckOutWhenRemoved</key>
            <true/>
            <key>IdentityCertificateUUID</key>
            <string>AECB99D7-9F26-4460-853B-C6D7DF366354</string>
            <key>PayloadDescription</key>
            <string>Configures Mobile Device Management</string>
            <key>PayloadDisplayName</key>
            <string>Device Management</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.mdmconfig.mdm</string>
            <key>PayloadOrganization</key>
            <string>Kurt Peek</string>
            <key>PayloadType</key>
            <string>com.apple.mdm</string>
            <key>PayloadUUID</key>
            <string>2AE2D020-2473-47DB-A773-EC00E76C1C66</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ServerCapabilities</key>
            <array>
                <string>com.apple.mdm.per-user-connections</string>
            </array>
            <key>ServerURL</key>
            <string>https://Kurts-MacBook-Pro-13/devicemanagement/api/device/mdm_connect</string>
            <key>Topic</key>
            <string>com.apple.mgmt.XServer.49f0f7d5-260f-49b5-b723-d40953cc7376</string>
        </dict>
        <dict>
            <key>PayloadContent</key>
            <data>
            MIIDfTCCAmUCCBZNzg5s/HalMA0GCSqGSIb3DQEBCwUAMIGAMQsw
            CQYDVQQGEwJVUzEdMBsGA1UECgwUS3VydHMtTWFjQm9vay1Qcm8t
            MTMxKzApBgNVBAMMIlByb2ZpbGUgTWFuYWdlciBEZXZpY2UgSWRl
            bnRpdHkgQ0ExJTAjBgkqhkiG9w0BCQEWFmhvc3RtYXN0ZXJAZXhh
            bXBsZS5jb20wHhcNMTkxMjI5MTM0ODI2WhcNMjExMjI4MTM0ODI2
            WjCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoMFEt1cnRzLU1hY0Jv
            b2stUHJvLTEzMSswKQYDVQQDDCJQcm9maWxlIE1hbmFnZXIgRGV2
            aWNlIElkZW50aXR5IENBMSUwIwYJKoZIhvcNAQkBFhZob3N0bWFz
            dGVyQGV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
            MIIBCgKCAQEAvZHvIUgimKNdg14uOMCew0xILjUE8iTWxz+Aau8I
            cLrgWpZaNl6oCQ6l7J+C7J0ZyRpXu4Eb7KxNyQX5MO/yd8a/TtoY
            WcjhyUbx3c3ANEcW6vV0BtN9NGsv7oH7woeywNzRZ72VroUlZMMG
            8GzF9gICj8crnm/qWuiewpbgPiXoRRTfuLUyuQXKei0hpFyFKmht
            qn2z0BrrPCTe/L2vApUg4IPowDylVU31efFXYuGWzCX+lGWggEQU
            WxQKyBZnslUmC7O+JdFSyqk7vbJsjKS2LziKhIQp9rCJElyy83sK
            kbJ6c9j4yQtwRp09uJWx1MDOUHWe0MN+aEKlNFhEnQIDAQABMA0G
            CSqGSIb3DQEBCwUAA4IBAQBiGEylUhMfxJkTPsaS3vwC5AKEqtCJ
            xzoMttIaHxRl5Cs38s9B0gaUN0tw/1yGs15Py3Gl2eR1rxQ7YOPJ
            9Py720cNNmYzxFx4LoxqBF7PTMwI23cNlbkoOkKbGLhEH7hTRN3b
            JEYp1Z8615FifAMiBALT10nUY3fQlNH1gcHNbz4cna7Owm73DiKu
            32hyyV9Qu8h6PAvHCdiVPtplay0RxgSrPrPe8QDAvjz13i9FUvZn
            CkL/lhwZ4TxQ/FO7XmFZyftBcQYcvnXdLvOnqNOz976P1r5/uxoZ
            bgw1t0twm7lBZFp8QJ7MM4PV4L+wRbcFHO+XWqfV8GLJ4JQo3isS
            </data>
            <key>PayloadDescription</key>
            <string>Configures your device to trust the Profile Manager server Kurt Peek.</string>
            <key>PayloadDisplayName</key>
            <string>Trust Profile for Kurt Peek</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.scep.certificate</string>
            <key>PayloadOrganization</key>
            <string>Kurt Peek</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>52AA91DB-7A74-4BE4-B712-1F0791DA5FE9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadContent</key>
            <data>
            MIIDhzCCAm+gAwIBAgIEbt1oJTANBgkqhkiG9w0BAQsFADBzMTkw
            NwYDVQQDDDBLdXJ0IFBlZWsgU2VydmVyIENlcnRpZmljYXRpb24g
            QXV0aG9yaXR5IFJvb3QgQ0ExEjAQBgNVBAoMCUt1cnQgUGVlazEi
            MCAGCSqGSIb3DQEJARYTa3VydC5wZWVrQGdtYWlsLmNvbTAeFw0x
            OTEyMjkxMzU0MjlaFw0yNDEyMjcxMzU0MjlaMHMxOTA3BgNVBAMM
            MEt1cnQgUGVlayBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
            dHkgUm9vdCBDQTESMBAGA1UECgwJS3VydCBQZWVrMSIwIAYJKoZI
            hvcNAQkBFhNrdXJ0LnBlZWtAZ21haWwuY29tMIIBIjANBgkqhkiG
            9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqnEL8Ybh5Nj1uDs6OwMvK/Xr
            VQ+X8Of/8CeTxGoKjWTQdTLoWd9R5JqMVEZcSSmQL6h36MWvkquL
            O3Dt9jflhn+sx94ONj8j8bnGMDiWUrc0OIv2phfSNRRdxWjPQ8TL
            O5Ye/NVoM8lWRY5RtAkh4qvh8icW8f4/IbAllWptpcOIs7854YuW
            o4uHcADb6ChTAKswQGn+wof2r0qtSCG0M1ZuA4QUHf1owwpq6yQ8
            i0i0OYV7Xi9y1/JAg4E3M4AdZYjpMLQCvp8EgyN2pbqXe+PnD0pm
            ZKeEJOcV+ew6xUnbG8QmnYOenTWlsDG8pOcu4GJW9z956Z7V6ITB
            nIu1HQIDAQABoyMwITAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB
            /wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAMSDPJDVMzyKkRpdd
            2yVVn6+S1Cy88FPO7LVJo5vdpOX8G/3QIKECSsMrPkjJtXoUcUeA
            9W5JZWeco5hsX0zFUt2O/spCa7HkG8H4luQWupueT479R7ww5ogC
            LvqMZXokq4yZc+e5Lu9XsS09IUtfa/Aa0x3ugtV6xeiHsD1YrL/V
            hjXZfkiQ3fUmUXrY0ndHpEqa7uEEPIOFfdVuZ7NYd8OuK6aDR+hs
            865ZaDPmSuNvraKgxccwFJEYrOkLjkOsapkYweBdGTARbvMFapYN
            +SuTLOdzNzHXRs50Ds+csS0H8VRIKTg7+GmQNcfcly5Di4NrdVLM
            WDcr9JYJq8MjEA==
            </data>
            <key>PayloadDescription</key>
            <string>Configures your device to trust the Profile Manager server Kurt Peek.</string>
            <key>PayloadDisplayName</key>
            <string>Trust Profile for Kurt Peek</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.root.certificate</string>
            <key>PayloadOrganization</key>
            <string>Kurt Peek</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>B0716D15-5A7D-48D1-912C-E8BB7412DD9B</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Allows the server to manage your device.</string>
    <key>PayloadDisplayName</key>
    <string>Remote Management</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.config.Kurts-MacBook-Pro-13.mdm</string>
    <key>PayloadOrganization</key>
    <string>Kurt Peek</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D4562B5A-1B37-45D8-84FF-BE27611A8893</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

However, if I Airdrop this mdm_profile.mobileconfig to another device and try to open it, I get an error message "Unable to contact the SCEP server":

enter image description here

Am I supposed to install macOS Server on every device I want to manage? (I would have thought that it sufficed to install it on one 'admin' device).


Solution 1:

You’ll want to get ready for some setup and reading of the docs: https://support.apple.com/guide/profile-manager/intro-to-profile-manager-pm9cz84lqi/mac

Your first hurdle is your DNS on the enrolling device can’t find the dns name of the server - Kurts-macbook-pro-13. If you set up the IP address or make a dns name that resolves, you will be able to complete enrollment on the second device. Or add .local like you did in the web browser if you are only managing local devices.

You can find the local DNS name of any Mac by going to System Preferences > Sharing. And right at the top under the field with "Computer Name" it will give you the local network DNS name of that computer. It is likely that if you add a ".local" to the end of the server's name when you set up the enrollment profile, other Macs on your local network should be able to find it. EG: kurts-macbook-pro-13.local

You are correct, you have one server that manages all the devices. Server can be installed on several Macs to manage the main device, but as long as all Macs to be enrolled are on the same network that should be unnecessary..