In-Depth with Mac OS X Lion Server
by Andrew Cunningham on August 2, 2011 8:00 AM ESTIf you’ve played around with iOS management at all, you might be familiar with the iPhone Configuration Utility that Apple has been maintaining for awhile now. Basically, it creates XML files with .mobileconfig extensions that can be downloaded to iOS devices and used to configure most of the device’s settings, from email to VPN to password requirements.
Lion Server and the Profile Manager build on this, giving administrators a centralized interface with which to create and deploy .mobileconfig files (which now support Lion as well). To turn on the Profile Manager, open up Server.app and flip the switch.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, while is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Cick Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and login as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, while is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Cick Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and login as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
Device Management
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
Open Directory: Creating Users and Groups and using Workgroup Manager
Address Book, iCal, iChat, and Mail
Facebook
Twitter
RSS
77 Comments
View All Comments
ltcommanderdata - Tuesday, August 2, 2011 - link
Given the shift in corporate policy from being Blackberry focused to adopting other smartphone platforms including iOS, I think most CTOs would take a look at OS X Server if only for the easier iOS device management features. I don't really see it replacing existing Windows servers though, particularly since Apple doesn't sell dedicated server class hardware anymore.quakerotis - Tuesday, August 2, 2011 - link
This is simply not true. OS X Server has been for us a very good performer, both in stability and ease of use. B3an, you must be speaking anecdotally because I am not a fanboy. There are many server technologies to choose from. this is one of the better ones.diskrete - Tuesday, August 2, 2011 - link
As an IT manager for a small company, I would definitely use Lion Server to manage Macs and iPhones.It in no way replaces existing Windows/Linux infrastructure. But recycling a Mac mini to use for managing Apple devices? Absolutely. It’s worth it just for the ability to create machine-based 802.1X profiles.
IT today is not about standardizing on one platform, it’s about using the right tool for the job.
sligett - Thursday, August 4, 2011 - link
Unix isn't a server platform anyone in their right mind would use?There are thousands upon thousands of small and medium businesses as well as schools that are hostage to expensive windows "experts" that have put a Windows server in their business. The client can't do a thing with the server without the expensive help of the expert. You don't see that as a viable market?
So many people speak out on the Internet as though "I can't use this" is equivalent to "no one can use this".
erple2 - Thursday, August 4, 2011 - link
To be fair, any infrastructure that's put in place by an "expert" tends to continue to have to be maintained by another expensive expert. Non-techies have problems with Macs just as much as non-techies have problems with Linux, or Windows machines.BTW, I've found that the mac "experts" that have put a mac server in their business are also very expensive to hire back for help.
There are some very very nice manageability features that OSX Server buys you that aren't all that simple to implement by relative novices in other environments...
cwatt - Monday, September 26, 2011 - link
Ha ha, you are really ignorant! I am currently rolling this out to a big organization and this article is a really big help.. BTW ... those inferior products are actually extremely good quality and very easily managed and a lot more secure than other platforms... You should not let your opinion get in the way of your judgment, you should make the best decision based on the environment not because you are a fanboy or you randomly hate really good products!blueeyesm - Tuesday, August 2, 2011 - link
I have to agree that managing iOS devices using OS X Server is probably their only ace in the hole. The rest of what this offering serves can be replicated/managed better under Linux. That being said, if Apple wanted to be really smart, they'd help their community devise methods in which to enhance a shopping experience, or other interacive experiences with an iOS or tablet device.That is, until cloud computing becomes the de facto standard and Apple ceases to offer a server or client to download, you just are expected to do everything via iTunes/iLife Cloud edition.
badjohny - Tuesday, August 2, 2011 - link
With its drop in price, and ability to install on any mac, I would love to see apple take OSX server and shape it into a WHS for mac. It looks like all or many of those things are available in OSX server, but the ease and convenience of using a WHS is unreal. Push the Home server aspect of OSX server and really make a use for it in a standard home. itunes server edition, Apple TV media server, IOS update manager, Shared home calendars, email, and family based websites come to mind. These are all things that It can currently do, but they all need some "apple magic" to make them very powerful and at the same time very easy for anyone to setup. Apple could easy include a option in the setup of a mac to have it search your network for a server. If it finds one have it ask if you want to enable the features. They could even leverage the icloud system and have it linked by your itunes account. They all the data could sync through the icloud service. enter your apple ID and your client is setup to use your server instantly.They could even make a personal iCloud options. Every picture/video you take have it saved over to the server also.
I understand that OSX server is a niche item in big business. Apple should admit defeat in enterprise setups and push server to a more person level. Have it compete with windows SBS and WHS but make it have the apple easy of use. They have a real product here, but like most home server options it seems to be more of a niche item.
Ratman6161 - Tuesday, August 2, 2011 - link
Basically Apple does not make or sell server grade hardware. Sure, if you look on their online store you will find a version of the Mac Pro that calls itself a server and comes with OSX Server installed. But there are a variety of things about it that make it not enterprise ready and more suited to small business or home servers. If Apple really wanted to be in the enterprise market then what they would absolutely have to do is to allow it to run as a virtual machine on all the major virtualization platforms. For example where I work we are a VMWare shop and no server software is coming in our door that will not run on VMWare Esx server.Its my theory thought hat they have no intention or desire to compete in the enterprise server market. If they did, there would be no reason for a price drop as most businesses in that market place would not have blinked at the $499 price or even the $999 price - both are a drop in the bucket compared to all the other costs associated with a data center. No, the price drop to me definitely signals that its their intent to be in the small business and home server market.
HMTK - Wednesday, August 3, 2011 - link
You're right, Apple does not have anything that could even remotely be called server hardware.There have been rumors that Mac OS can run as a vm on vSphere 5 (if you're ok with the licensing). If true you could run it on real servers and real SANs and use nice features like high availability. The only show stopper is probably licensing but I would think that is VMware were taking the trouble of making OS X run on their hypervisor they would have a deal with Apple.
AFAIC Max OS X Server would be interesting only for managing iOS devices.