In-Depth with Mac OS X Lion Server
by Andrew Cunningham on August 2, 2011 8:00 AM ESTIf you’ve played around with iOS management at all, you might be familiar with the iPhone Configuration Utility that Apple has been maintaining for awhile now. Basically, it creates XML files with .mobileconfig extensions that can be downloaded to iOS devices and used to configure most of the device’s settings, from email to VPN to password requirements.
Lion Server and the Profile Manager build on this, giving administrators a centralized interface with which to create and deploy .mobileconfig files (which now support Lion as well). To turn on the Profile Manager, open up Server.app and flip the switch.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, while is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Cick Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and login as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, while is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Cick Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and login as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
Device Management
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
Open Directory: Creating Users and Groups and using Workgroup Manager
Address Book, iCal, iChat, and Mail
Facebook
Twitter
RSS
77 Comments
View All Comments
ex2bot - Friday, August 5, 2011 - link
Upgrading OS X is not much of a pain, as Repo says. Plus, it's practical to skip at least every other upgrade. So, upgrading every four years (2 + 2) at $60 isn't a big deal and the improvements are worth it.I especially appreciate Expose', Time Machine, Spotlight, and Quick Look and use them regularly And every Mac user has benefitted from Quartz GL (uses 3d graphics card to speed up screen draws).. There have been myriad "invisible" or subtle improvements as well. See Apple's "Mac OS X" section for details.
Four years between OS upgrades is not bad, as I said. Longhorn was supposed to come out about 4 or 5 years after XP. Microsoft just had eyes bigger than its stomach and it was delayed. But Windows 7 was worth the wait. Especially features like the display compositor + aesthetically pleasing UI + improved security (and no more yellow speech bubbles popping up all the time)
Ex2bot
Automated System Process
ex2bot - Friday, August 5, 2011 - link
BTW, Expose's successor is called "Mission Control."Sahrin - Tuesday, August 2, 2011 - link
a reduction in advertising, if you guys are going to do all these paid reviews for Apple.Johnmcl7 - Tuesday, August 2, 2011 - link
It's getting a bit of a joke these days that anything with the Apple badge will get a news article, preview, in depth review the moment it's out dwarfing everything else which barely seems to get a look-in. I get that Anand likes Apple stuff and if I don't I should go elsewhere but I like the non-Apple reviews when they do occasionally get published.John
ex2bot - Friday, August 5, 2011 - link
It's no joke. Check Anand's mailbox some time*.Ex2bot
*Crazies, please don't mess with his mailbox.
ex2bot - Friday, August 5, 2011 - link
I know for a fact that Apple employees stuff money into Anand's mailbox*. Lots and lots of money. They use $20s and $50s straight from Jobs' car, who burns them to light his cigs.Ex2bot
Currency Calculating Mac Fanbot
* Anand, I don't really believe this. I was kidding, as I'm sure you've figured out. Actually, I'm sure they are $100s, not $20s and $50s. After all, he's a Billionaire.
the_engineer - Tuesday, August 2, 2011 - link
Thanks for this great in-depth look at Lion Servers new & continued functionality, I learned a lot reading this. However, I'm still very confused at where XSAN fits into the picture. As a storage power-user I've used software Linux raid, semi-hardware windows raid (Intel, Highpoint), and I've lately dabbled into ZFS because it seems like it's really got everything I could ever want as far as straight storage capabilities are concerned (I'm running a raidz6 with 6 750GB drives currently running on Nexenta). I'd really like to put Lion Server on a mac and install a generic SATA card and add 6 3TB hard drives and do a great big raid5 in a mac pro, but am very confused as to whether or not this will work. I was very hopeful that Lion Server would integrate 'software' RAID5 or similar functionality, but it's not clear anywhere whether it does this or not. Simply put, Do I still need to buy a dedicated raid5 card to have a redundant array of inexpensive disks on a mac or am I missing something still?-Looking for a great user experience AND a ton of redundant storage
HMTK - Wednesday, August 3, 2011 - link
Why not set up a NAS with iSCSI or NFS ?the_engineer - Wednesday, August 3, 2011 - link
LONG story short, geting a deidciated NAS box means spending more money than ought to be necessary at this point (I have an i7 desktop and a core2 desktop, both capable of running Lion, Windows, FreeBSD, you name it... Just fine, as well as plenty of vanilla SATA ports & cards available). I'm Trying to weigh all purely software options available to me, with ZFS/BSD sitting on top of the heap for storage features but OSX sitting on top of the heap from a usability standpoint. The longer I look at it the more likely I am to end up running one huge 20-drive ZFS based NAS under FreeBSD but was trying to avoid getting to this point.HMTK - Wednesday, August 3, 2011 - link
If you put it on the network you can access it with all decent OS's. I've got a little HP mini proliant just for that.