If you’ve played around with iOS management at all, you might be familiar with the iPhone Configuration Utility that Apple has been maintaining for a while now. Basically, it creates XML files with .mobileconfig extensions that can be downloaded to iOS devices and used to configure most of the device’s settings, from email to VPN to password requirements.

Lion Server and the Profile Manager build on this, giving administrators a centralized interface with which to create and deploy .mobileconfig files (which now support Lion as well). To turn on the Profile Manager, open up Server.app and flip the switch.

Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.

Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser) and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.

By default, every user on your directory who goes to <yourserveraddress>/profilemanager and logs in will be able to download and install the “Settings for Everyone” profile connecting them to your hosted services. That’s certainly not everything you can do, though - click a user or a group’s profile to bring up the profile editor.

This window shows you all of the configurable options for your devices - some apply to iOS, some apply to OS X, and many apply to both. Aside from connecting your clients to your hosted services, you can also control just about every major setting in either OS: password requirements, how the Dock looks and acts, whether iOS users can install apps to their devices, and more. Profile Manager refers to each configurable subsection as a “payload.”

Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, which is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Click Save to make your changes permanent, or Revert to discard.

Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and log in as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.

 


Note that any profile installed this way will need to be refreshed manually in the event of updates.
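Because a downloaded .mobileconfig is an XML property list, it can be inspected before it is installed. The sketch below is an added example, not part of the original article or Apple's tooling: it lists a profile's payload types and checks the Passcode payload against a minimum policy. It assumes an unsigned profile (a signed one must be unwrapped from its signature first); the sample profile, its identifiers and the six-character threshold are constructed for illustration.

```python
import plistlib

# Constructed sample: an unsigned profile carrying one Passcode payload.
# Identifiers and UUIDs are placeholders, not values from a real server.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Settings for Workgroup</string>
  <key>PayloadIdentifier</key><string>com.example.profile.workgroup</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>com.example.profile.workgroup.passcode</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
    </dict>
  </array>
</dict>
</plist>"""

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"

def audit_profile(data, min_length=6):
    """Return (payload_types, findings) for an unsigned .mobileconfig."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType", "<missing>") for p in payloads]
    findings = []
    policies = [p for p in payloads if p.get("PayloadType") == PASSCODE_TYPE]
    if not policies:
        findings.append("no passcode payload")
    for p in policies:
        # Absent keys are treated as the weakest setting.
        if not p.get("forcePIN", False):
            findings.append("passcode not required (forcePIN)")
        if p.get("allowSimple", True):
            findings.append("simple passcodes allowed (allowSimple)")
        if p.get("minLength", 0) < min_length:
            findings.append("minLength below %d" % min_length)
    return types, findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```
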

Device Management


For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.


You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.

Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.

If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.

Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.


Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.

Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.

77 Comments


  • GrizzledYoungMan - Tuesday, August 2, 2011 - link

    I probably should have toned down my sarcasm a bit, but my point is that while yes, Apple said they support SMB since 10.2, it just plain old doesn't work right.

    Google Thursby DAVE to see what I mean.
  • repoman27 - Tuesday, August 2, 2011 - link

    I'm familiar with DAVE, and you're right that obviously much is to be desired with Apple's SMB implementation if there is still an aftermarket product that costs more than the OS itself just to fix this particular issue.

    I kinda feel like more of the problem has to do with Mac OS X's lack of native support for NTFS though, rather than SMB actually malfunctioning.

    I chuckle that while you're thinking about "all the time that has been wasted trying to get OS X desktop clients to do things that have worked out in the real world for years now," I'm thinking about how much time I've wasted trying to get Windows Home versions to do things that Microsoft has artificially prevented them from doing so that they could sell customers an "upgrade". For instance, try setting up file sharing with user-level passwords and NTFS permissions on a network with Windows XP Home and Windows 7 Home Premium machines...
  • GrizzledYoungMan - Tuesday, August 2, 2011 - link

    You'll get no argument from me that Windows' tiered pricing is a bummer. Up-selling is sleazy.

    But overall, I'd say that Windows actually represents a better value if you make the right upgrade choices (ie, XP straight to 7). For the price of a few of Apple's annual updates, you get something that lasts a few years longer, does a lot more, and puts you through the OS-version-transition rumpus less frequently.

    While I can understand why the press loves the frequency of OS X revisions, I don't see it as a good thing for the user (and certainly not my own personal experience). Upgrading your OS is a pain, and to do it every year - lest you suffer the consequences of running a two year old, unsupported version of OS X - is a burden. And as I mentioned, the end result of this accelerated schedule is that the end users become the beta testers.

    No wonder they're getting out of the desktop business. They can't handle anything much more complicated than a mobile phone OS.
  • repoman27 - Tuesday, August 2, 2011 - link

    Since version 10.3, Mac OS X has been on a major revision update schedule that is much closer to once every 2 years (Leopard actually came 2.5 years after Tiger). In the early days of Mac OS X there were some teething issues that resulted in a more rapid release cycle, but I also seem to recall Microsoft releasing Windows 98, 98SE, ME, and 2000 in rather quick succession.

    Mac users are also free to skip every other version. Not to mention that upgrade pricing for Mac OS is way cheaper than Windows when you realize that you're getting the full-feature client version with a far more liberal license scheme and no activation based copy protection for $30. How much would it cost to legitimately upgrade every machine that you own or control from Windows Vista Home Basic 32-bit OEM to Windows 7 Ultimate 64-bit?

    Apple released updates for Tiger for more than 3 years after it was discontinued. I guess if they had a stubborn enough install base they would be forced to continue support for a 9 year-old version of their OS as well.

    What does a client version of Windows itself do that Mac OS does not, aside from allowing playback of Blu-ray discs?

    If you've ever bought a retail Windows machine, you probably know that out of the box, under normal usage, the thing will be all but unusable in less than 18 months time, forcing you to buy another cheap POS Windows machine, or to perform a clean install of your OS. I love sacrificing 16% of a new system's performance to anti-virus software right off the bat, too.
  • RubberJ - Tuesday, August 2, 2011 - link

    My system has been running Win7 since RTM and hasn't slowed.

    And does Antivirus really take 16% of your system performance or are you just talking out your arse?

    http://www.tomshardware.com/reviews/anti-virus-vir...

    Just as I thought...mac fanboy alert...
  • repoman27 - Wednesday, August 3, 2011 - link

    Yeah, as soon as I posted that last comment I realized I had crossed the line into religious war territory.

    My point about crappy system performance and having to reinstall the OS was regarding the way retail PC's come preconfigured, and what the typical end-user then subjects them to, not your particular case. My personal Windows systems (I do actually use Windows on the daily) tend to work fine for years, but then again I also spend a lot of time building performance tuned system images. I also don't personally run antivirus software anymore, because I'm not a sucker.

    As for that, I tend to refer more to the testing done by AV comparatives, and my own personal testing, but I certainly wasn't talking out my arse. 16% may indeed be hyperbole when talking about a new Sandy Bridge based system running Windows 7, but not at all on legacy equipment running XP or when running in a virtualized environment.

    Anywho, my initial intent was merely to clarify various exaggerations or inaccuracies in this thread, but I guess I did end up painting myself as the fanboy with that previous rant.
  • Wizzdo - Wednesday, August 3, 2011 - link

    As a power user, developer, and servicer for Windows and OS X I can tell you quite simply that, relative to OS X, Windows is an expensive frustrating bag of hurt for a great many typical users. OS X comes with a fantastic suite of software tailored very well to work with the OS and the OS is in turn tuned very well to work with the Hardware. Updates (even Major ones) are painless and offer excellent value for the investment. They are generally highly looked forward to by most OS X users.

    Anyone who claims Windows and a generic PC will likely serve the average user better simply does not have a clue. There really is little comparison now and OS X Lion just pushes the experience that much further ahead.

    For much of my day I am forced to use Windows to develop SQL Server infrastructures. SQL Server is IMHO the best piece of software Microsoft has ever managed to make. However, my blood pressure drops considerably when I get to boot back into OS X where I can get some creative work done in a responsive pleasing modern environment that does not feel like a thinly veiled version of DOS.

    Apple gets it right and that is why they are the revered technology leader in the industry right now.

    Timemachine alone is worth the price of admission for anyone who values their work and wants effortless trustworthy backup and retrieval of it. Watch MS scramble to get this into their next OS just like so many other features. Apple didn't invent them all but knows how to make them work the way they should.
  • GrizzledYoungMan - Wednesday, August 3, 2011 - link

    I would just like to point out that Wizzdo lives in a universe in which Windows 7 is a thinly veiled version of DOS, and Timemachine is a novel, useful feature.

    Sigh. OS X users.
  • ex2bot - Friday, August 5, 2011 - link

    Actually, Time Machine IS a useful feature. Is it "novel"? It is novel in the sense that it is drop-dead simple. You plug in an external drive and click the 'Yes' button. Then as long as it is attached it makes complete + sequential backups. I use it on my Macs. I also clone periodically. Well, I don't clone. My drives do.

    The backup review interface works well, too. It's basically a specialized Finder window. I admit the star field is . . . interesting.

    GrizzledYoungMan, has Time Machine not been useful for you? What happened when you used it? It's worked for me on multiple machines. Backing up is useful because hard drives fail eventually. Even hard drives attached to Windows PCs.

    And Windows 7 *is* a thinly veiled version of DOS. See, Windows is just a shell that sits on DOS. . . Nahhh! I'm just kidding ya. I know it's son of NT (or grandson maybe).

    Ex2bot
    Positronic Mac Fanbot ("Cannot harm humans" is just a guideline, I believe.)
  • justinf79 - Friday, August 5, 2011 - link

    Way to show your ignorance there buddy...

    Windows, the security/virus nightmare where you're bombarded by OS security patches daily gets old fast. And quite frankly OS X is more powerful AND simpler. Windows has always been garbage.
