If you’ve played around with iOS management at all, you might be familiar with the iPhone Configuration Utility that Apple has been maintaining for a while now. Basically, it creates XML files with .mobileconfig extensions that can be downloaded to iOS devices and used to configure most of the device’s settings, from email to VPN to password requirements.

Lion Server and the Profile Manager build on this, giving administrators a centralized interface with which to create and deploy .mobileconfig files (which now support Lion as well). To turn on the Profile Manager, open up Server.app and flip the switch.

Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.

Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser) and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.

By default, every user on your directory who goes to <yourserveraddress>/profilemanager and logs in will be able to download and install the “Settings for Everyone” profile connecting them to your hosted services. That’s certainly not everything you can do, though - click a user or a group’s profile to bring up the profile editor.

This window shows you all of the configurable options for your devices - some apply to iOS, some apply to OS X, and many apply to both. Aside from connecting your clients to your hosted services, you can also control just about every major setting in either OS: password requirements, how the Dock looks and acts, whether iOS users can install apps to their devices, and more. Profile Manager refers to each configurable subsection as a “payload.”

Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, which is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Click Save to make your changes permanent, or Revert to discard.

Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and log in as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.

 


Note that any profile installed this way will need to be refreshed manually in the event of updates.

Device Management


For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.


You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.

Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.

If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.

Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.


Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.

Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.

77 Comments


  • HMTK - Wednesday, August 3, 2011

    OK so you can definitely run a Mac OS X vm on vSphere 5 but only on Apple hardware. What a joke! Probably Apple idiocy rather than a technical limitation.
  • Spazweasel - Wednesday, August 3, 2011

    Apple is a hardware company. OS/X and iOS exist to make hardware sales possible (thus the cost of development is included in the pricing for Apple hardware, something the Apple haters conveniently overlook). Allowing the running of OS/X on non-Apple hardware reduces Apple hardware sales, so they don't do it.

    "Idiocy"? Yeah, sure, whatever.
  • HMTK - Wednesday, August 3, 2011

    Not allowing Mac OS to run under a hypervisor on non-Apple branded hardware won't help them either. Or do you think a halfway decent IT-department would put a desktop machine or a hard disk posing as a server in a data center? They'd rather pay a few 100 € more for a license if they could run it on ESXi/XenServer/Hyper-V and reliable hardware.
  • Spazweasel - Wednesday, August 3, 2011

    Apple makes its money on the desktop, not the server room. I doubt it's worth the effort. OS/X in the server room is a niche product, and Apple know it; it's much more suited as a workgroup/small office server, and those environments do not have ESX or Xen installations.

    Apple has no incentive to support OS/X in a VM, and plenty of reasons not to. Really, I don't see why this is a surprise.
  • HMTK - Thursday, August 4, 2011

    I'm not saying it's a big surprise, I'm saying it's stupid. Why not make good management tools for their iOS available in a way that companies can integrate better in their infrastructure?

    You might be surprised as to how many small shops are going the virtualization route. Even if you have only a single server it makes sense in the long run when the time comes to replace the hardware. Just import the VM on the hypervisor on the new hardware and you're done.
  • GotThumbs - Tuesday, August 2, 2011

    This is an interesting article and I enjoyed the depth of detail. As a builder of my own systems for years, does the use of this software bind you to using only a ready built Apple system? It seems Apple is slowly trying to create a closed proprietary system where you have to use Apple hardware and Apple software. I know there are hackintosh systems but it seems it's still going to be quite a bit of effort and so far seems to be a waste of time for me. As the article mentions, there are lots of alternatives available. Apple's MO seems to be offering zero options for using outside sources. Apple consumers are being channeled to iTunes and the Mac App Store for all purchases. I'm personally not a fan of that trend and have no intentions of bowing down to that kind of control. I can see where the general consumer who has very little technical knowledge is quite accepting of Apple's controls as it's a very simple and somewhat brainless system packaged in a slick looking package.
  • GrizzledYoungMan - Tuesday, August 2, 2011

    Or is it still something we're all going to pretend works, when it very clearly doesn't out in the real world (If it worked, why would DAVE exist)? I'm referring here to the myriad of permissions issues and oodles of useless garbage sidecar files that pop up after a few days of operation in a mixed environment.

    Haven't read the article. Probably won't. Sorry. Apple is a joke at designing anything that doesn't fit in your pocket/surrogate vagina of choice.

    I get this feeling, deep in my angry muscle, every time some imbecile waves around his iThing, raving about Apple's genius, while I'm thinking about all the time that has been wasted trying to get OS X desktop clients to do things that have worked out in the real world for years now.
  • blueeyesm - Tuesday, August 2, 2011

    Not in Lion, as Samba moved to GPL3 licensing.

    http://www.appleinsider.com/articles/11/03/23/insi...
  • GrizzledYoungMan - Tuesday, August 2, 2011

    You know what's wild? I should actually be excited they're moving to a new standard - the NAS' I often recommend to clients support SMB2, and see useful performance gains from it.

    But then I read "Windows networking software developed by Apple" and my heart sinks. Realistically, what are the odds this is going to work?

    Honestly, I don't really blame the design teams over there so much as a closed corporate culture that both ignores the feedback of their customers and denies any complaints exist.

    They're really missing out on the sorts of improvements that most big software developers make using the information gathered during large, open betas and the like.
  • repoman27 - Tuesday, August 2, 2011

    As the article you linked to points out, since version 10.2 Mac OS X has shipped with Samba, an open-source, reverse engineered version of SMB 1.0. With Lion, Apple dropped Samba and added native support for SMB2 while maintaining the ability to connect with SMB 1.0 machines as long as they use UNICODE and extended security. This means Mac OS X 10.7 can no longer connect out of the box with some SMB 1.0 or Samba machines (which it had done for the last 9 years), but it does have full support for SMB2.

    As for GrizzledYoungMan's "oodles of useless garbage sidecar files," it's not like Mac users have any use for a thumbs.db file either. Just hide the metadata files, or don't allow write permissions on the folder if you don't want to see that kind of stuff, but these types of files are most likely only going to become more prevalent as time goes by.
