In-Depth with Mac OS X Lion Server
by Andrew Cunningham on August 2, 2011 8:00 AM EST
If you’ve played around with iOS management at all, you might be familiar with the iPhone Configuration Utility that Apple has been maintaining for a while now. Basically, it creates XML files with .mobileconfig extensions that can be downloaded to iOS devices and used to configure most of the device’s settings, from email to VPN to password requirements.
Lion Server and the Profile Manager build on this, giving administrators a centralized interface with which to create and deploy .mobileconfig files (which now support Lion as well). To turn on the Profile Manager, open up Server.app and flip the switch.
Since we’ve already configured our Open Directory, Profile Manager should start up without much fuss. Note that if you have other services running on your server that you’ve configured with Server.app (such as Mail, VPN, iCal, etc.), these will automatically be available to all of your users as a default configuration profile - that profile’s name and settings can easily be changed, and it can be turned off entirely if you want.
Now, open the Profile Manager (either by clicking the link in Server.app or typing <yourservername>/profilemanager into a browser) and log in as the Directory Administrator account you made earlier. As an administrator, you should see all the users and groups with which you’ve populated your directory.
By default, every user on your directory who goes to <yourserveraddress>/profilemanager and logs in will be able to download and install the “Settings for Everyone” profile connecting them to your hosted services. That’s certainly not everything you can do, though - click a user or a group’s profile to bring up the profile editor.
This window shows you all of the configurable options for your devices - some apply to iOS, some apply to OS X, and many apply to both. Aside from connecting your clients to your hosted services, you can also control just about every major setting in either OS: password requirements, how the Dock looks and acts, whether iOS users can install apps to their devices, and more. Profile Manager refers to each configurable subsection as a “payload.”
Go ahead and make a change or two - I want to make my iOS users use a passcode to lock their devices, which is available under Passcode - and when you’re done, click OK. You should now see an entry for every payload you configured under Settings. Click Save to make your changes permanent, or Revert to discard.
Now, on my iPhone (you can use a Mac for this step too, as long as there’s an applicable setting to manage), I’ll navigate to the Profile Manager and log in as a member of the group I just edited. Now, in addition to the Settings for Everyone option, the Settings for Workgroup profile is also ready to download and install.
Note that any profile installed this way will need to be refreshed manually in the event of updates.
Device Management
For those of you who are interested in more active management of devices, you’ll have to go back to Server.app and enable Device Management.
You’ll need an SSL certificate to enable secure communication between your devices and your server - this isn’t going to work without a signed SSL certificate, at least not that I saw (feel free to correct me if I’m wrong in the comments), but we can still go through Device Management’s basic implementation.
Next, you’ll have to install a separate Apple Push Notification certificate to enable Push Notifications for your server and its clients. The only place to get one is from Apple, and the only way to do it is to associate an Apple ID with your server, though it doesn't cost anything extra.
If everything checks out, you should be told that your server meets all the Profile Manager requirements. Now, go ahead and start the Profile Manager by clicking the link in the lower right-hand corner of the window.
Now, if I take my iPhone to the Profile Manager site, there’s a second tab available with a giant “Enroll” button visible.
Clicking Enroll will establish a link between your device and the server - this will allow your server admin to update settings on your device, send out notifications, and even remotely lock and/or wipe your device in the event of theft.
Keep in mind that all of this is true both for iOS devices and Macs running Lion. While some of the iOS elements in Lion feel awkward and grafted on, Profile Manager really shows the promise of merging the two operating systems: it’s not just about making them look and act the same, but it’s also about making their management similar enough that it reduces time and money spent wrangling different management tools to manage the different OSes.
77 Comments
Kristian Vättö - Tuesday, August 2, 2011
Your Twitter was right, this really is endless
CharonPDX - Tuesday, August 2, 2011
It was that pesky loop that started on page 23 that circled you back to page 8. By the time you'd read page 23, you'd forgotten what was on page 8, so you didn't notice you were in a loop until you were at what you thought was page 157...
B3an - Tuesday, August 2, 2011
Very in depth article... but I feel you've wasted time on this. No one in their right mind would use OSX as a server. Apart from Apple fanboys that choose an inferior product over better alternatives because it has an Apple logo, but I emphasize the words "right mind".
FATCamaro - Tuesday, August 2, 2011
For enterprise work, or a Windows-only network this is certainly true. For SMB, or even 500 mac/mixed users I think it could work if you can provide some glue to handle fail-over.
Windows server is better for Office for sure as is Linux for web & applications.
Spivonious - Wednesday, August 3, 2011
I can run a web server on the client version of Windows. It's just not installed by default.
mino - Saturday, August 6, 2011
Hint: for how many users/connections ....
If it was THAT simple there would be no Web Edition, mind you.
AlBanting - Friday, August 19, 2011
Same thing for client version of Mac OS X. I've done this for years.
KPOM - Tuesday, August 2, 2011
True, for an enterprise user. However, a small business or tech-savvy home user trying to manage multiple Windows PCs, Macs, and iOS devices might well be tempted by the $50 price tag.
It should be obvious by the price drop and the discontinuation of the XServe that Apple no longer intends to compete with Windows Server or Linux in the enterprise market. They are a consumer-oriented company, and released a server OS intended for a consumer market.
zorxd - Tuesday, August 2, 2011
Tech-savvy home user will run a free linux distro for a server. Plus it will work on any hardware, not only on a Mac. Many use older PCs as servers.
Also the Mac Pro is too expensive and the Mac Mini can't even have 3.5" drives which means that it is a bad solution for a file server.
richardr - Tuesday, August 2, 2011
Actually, I have a real use case, though it may be a bit specialised for your tastes... non-computing departments of universities are full of people with underused desktops running Word, but also have other people doing analyses that take ages to run on their machines. Making them all Macs (you'll never persuade them to use linux) and wiring them up with xgrid and OSX Server is a pretty pain-free way of running my analyses on their machines without too much disruption to their lives...