In-Depth with Mac OS X Lion Server
by Andrew Cunningham on August 2, 2011 8:00 AM ESTIf you’ve played around with iOS management at all, you might be familiar with the iPhone Configuration Utility that Apple has been maintaining for awhile now. Basically, it creates XML files with .mobileconfig extensions that can be downloaded to iOS devices and used to configure most of the device’s settings, from email to VPN to password requirements.
Lion Server and the Profile Manager build on this, giving administrators a centralized interface with which to create and deploy .mobileconfig files (which now support Lion as well). To turn on the Profile Manager, open up Server.app and flip the switch.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, while is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Cick Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and login as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, while is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Cick Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and login as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
Device Management
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
Open Directory: Creating Users and Groups and using Workgroup Manager
Address Book, iCal, iChat, and Mail
Facebook
Twitter
RSS
77 Comments
View All Comments
Wizzdo - Wednesday, August 3, 2011 - link
Lion's web server IS Apache. LOL.jigglywiggly - Tuesday, August 2, 2011 - link
I am too much of an elitist fag to succumb to this.I just installed my Debian GUI-less server today to replace my o'll ubuntu 10.04 LTS GUI server, got everyhting setup, mysql, apache, php, samba settings, everything gud to go with only 100 megs of ram usage.
Sure it took much longer to setup, but I am an elitist fag
don_k - Wednesday, August 3, 2011 - link
Since when is netboot unique to OSX server? Last I checked all *nix variants have had that ability for decades.But really, organisations concerned about the sticker price on their server software are not going to go get an apple 'server' for $1k when they can download an iso in 5min and get going are they?
Not to mention the complete lack of necessary system tools (archiving, compiing especially) without installing macports or something.
Call it like it is - 1k to manage all those damn pads and phones everyone in the company demands they are able to access the company intranet.
johnbouy - Wednesday, August 3, 2011 - link
Time Machine took a big step backwards with Lion Server. In Snow Leopard Server you could allow time machine backups on individual share points. This allows you to partition a disk and set up individual partitions for specific Time Machine backups. I use this to control how much disk space is allocated for a backup. In Lion you get to nominate one share point/partition as the Time Machine backup storage point. Hence any client that backs up to the server uses the same disk space. A real step backwards!Another issue is that Server.app rewets .config files when started up so you potentially lose any changes you were forced to make due to the lousy Lion Web service interface.
digitalzombie - Wednesday, August 3, 2011 - link
I like the idea but still... I wouldn't do it. Apparently they got desperate enough to offer it for 50 bucks. Good job for noticing that no one give a damn since Linux is free and both Linux and Window is established already. I still wouldn't give em my money when they tried to charge in the past an arm and a leg. Who the hell do they think they're going fool? The platform isn't the most active for server development tools. Linux got cloud all up in there and it's actively evolving in many area especially server. Don't even try to bring out that pathetic iCloud. It's not open so nothing is going to back that crap other than Apple, openstack have 50 vendors, big companies, backing that project up compare to iCloud. Apple probably won't ever be able to compete in the server sector but they can leverage their UI and simplicity for their user base, such as the gui sys admin tools described in this articles. They should just stick with consumer base products, trying to compete in the server space market is going to kill em.matthi - Wednesday, August 3, 2011 - link
On page 4 of this review, it says ".. our next entries are Accounts and Stats under the Status heading". 'Accounts' should be replaced with 'Alerts'.slayernine - Wednesday, August 3, 2011 - link
If only this was a review of Windows Server it might be useful. I have never met a fellow tech person/geek who uses any version of Apple Server products. (aside from one customer about 3 years ago who was curious about them).It is just the simple facts that apple products are know for a lack of an ability to upgrade, locked to features that Apple thinks you should have and a lack of price efficiency. Windows and Linux offer far superior server products that will run on pretty much any hardware that suits your needs and the only reason I can see there being a point to review this product is due to Apple padding your pockets.
Schafdog - Wednesday, August 3, 2011 - link
I know that it seems like Apple (or Steve) has lost faith in the PC as a hub, but I would really love seeing a iTunes Server that multiple users can control using iOS devices playing on Airplay or iOS device itself.Some NAS is now getting this features, so I might drop the OS X Server for one of those instead.
sodi - Wednesday, August 3, 2011 - link
What kind of crazy organization would use a Lion Server? At works, standard is a necessity. A Lion Server is just oddball.Oscarcharliezulu - Thursday, August 4, 2011 - link
This seems a bit like OSX Server Lite and Easy rather than a true upgrade to Snow Leopard Server. I wasPthinking of converting an older 'mini to Lion Server (to serve a small business which has MBPs and iMacs, but now I think getting a copy of Snow Leopard Server would be better if I could somehow get it cheap (yet legal).