Mac IT Guy: Access Exchange from home

I use Mail.app at home for both my home and work e-mail (Mobile Me and Microsoft Exchange 2003 respectively). For a while, it worked great. Then all of a sudden I couldn't send messages from the work e-mail account—I could receive, but I couldn't send; the Mobile Me account continued to work just fine, in both directions. When I asked my IT department, I was told there had been a problem with one of the Exchange servers and that it had to be reset or replaced. But they also said that that should not have affected me. They suggested that I recheck the account from an iPhone. Of course, the iPhone worked perfectly. But that doesn't help Mail on my home Mac or my work laptop. One funny thing: When I bring the laptop to work and connect wirelessly there, I can send, without changing its settings. One other thing that might be helpful: To connect the iPhone to the Exchange server, we use a Webmail server. The IT department has given up at this point. Can you help?

The things you point out, like the fact that “it works from the internal WiFi”, tell me that your IT folks may not have made sure that SMTP is visible from the outside world. Using Outlook Web Access (OWA) on the iPhone is absolutely nothing like using SMTP from another mail client, so the fact that they can get to a Webmail page is of no use whatsoever in connecting to Exchange via SMTP from the outside world. Also, checking the SMTP settings with an iPhone will work only if the iPhone is using SMTP and not Exchange ActiveSync (EAS).

Without knowing how your iPhone is set up, there’s almost no way to tell if that’s really a valid test. However, there are a few things I’d check with your IT people:

  • Is SMTP actually turned on for your server? That’s not a default with Exchange, so they should double-check.
  • If SMTP is turned on for that server, can you use it from outside the firewall? If the IT guy is checking only via an internal WiFi network, he's not checking it in the way you need it to work.
  • If the iPhone is working with SMTP over 3G, can the IT people take some screenshots of the iPhone settings, including the advanced settings, and e-mail those to you? The SMTP settings for the iPhone are similar to those for Mail on Mac OS X, so those would be a big help.
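To make the "is SMTP actually reachable from outside the firewall" check concrete, here is an added example (my own script, not code from this column or from Apple or Microsoft). It connects the way Mail.app would, reads the EHLO reply, upgrades to TLS if the server offers STARTTLS, sends EHLO a second time (many servers only advertise AUTH once TLS is up), and then reports the problems a home client would hit. The host name `mail.example.com` and the port list are placeholders you replace with your own Exchange front end; the `parse_ehlo`, `assess` and `probe` names are mine. Run it from home, not from the office WiFi, or you are repeating the test that already passes.

```python
"""Check what an Exchange/SMTP server offers a mail client from outside.

Added example, not part of the original column. Host name and ports below
are assumptions: replace them with your own server.
"""
import smtplib
import ssl
from typing import Dict, List

MAIL_HOST = "mail.example.com"       # placeholder, not a real server
SUBMISSION_PORTS = (587, 25)         # submission port first, then classic SMTP


def parse_ehlo(reply: bytes) -> Dict[str, List[str]]:
    """Turn the multi-line EHLO reply smtplib returns into extension -> args.

    smtplib strips the numeric codes, so the first line is the server's
    greeting and every following line is one ESMTP extension."""
    caps: Dict[str, List[str]] = {}
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def assess(caps: Dict[str, List[str]], port: int) -> List[str]:
    """Issues a client such as Mail.app would run into, as short codes.

    Port 465 is implicit TLS, so STARTTLS is not expected there."""
    issues: List[str] = []
    implicit_tls = port == 465
    if not implicit_tls and "STARTTLS" not in caps:
        issues.append("NO_STARTTLS")
    if "AUTH" not in caps:
        # Without AUTH an outside client cannot prove who it is, so the
        # server refuses to relay: the "can receive but cannot send" symptom.
        issues.append("NO_AUTH")
    elif not implicit_tls and "STARTTLS" not in caps:
        # AUTH on a plaintext session: credentials would cross the Internet
        # in the clear.
        issues.append("AUTH_IN_CLEAR")
    return issues


def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Connect from wherever this runs and record what the server advertises
    before and after STARTTLS; a refused or timed-out connection usually means
    the port is simply not published through the firewall."""
    result: dict = {"host": host, "port": port, "reachable": False}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["reachable"] = True
            _, reply = smtp.ehlo()
            before = parse_ehlo(reply)
            result["before_tls"] = before
            after: Dict[str, List[str]] = {}
            if "STARTTLS" in before:
                smtp.starttls(context=ssl.create_default_context())
                _, reply = smtp.ehlo()
                after = parse_ehlo(reply)
                result["after_tls"] = after
            # STARTTLS is not re-advertised once TLS is up, so merge both views.
            result["issues"] = assess({**before, **after}, port)
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    for p in SUBMISSION_PORTS:
        print(probe(MAIL_HOST, p))
```

If the result says `reachable: False` from home but the same script succeeds on the office WiFi, the problem is the firewall, not the account settings; if it is reachable but lists `NO_AUTH`, the server is not letting outside clients authenticate, which is the relay refusal Mail.app shows as a send failure. `AUTH_IN_CLEAR` means the server would accept a password over an unencrypted session, which is worth raising with the IT department in its own right.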

-----

Our campus has switched almost completely to dual-boot Macs. We're looking for the best way to manage these machines in an Active Directory-based environment. Right now, we manage deployment and imaging with DeployStudio running on a late-model Xserve; we then manage the Macs via Apple Remote Desktop (ARD) or direct interaction (with directory binds via the Snow Leopard Active Directory plugin). I know we could use dual-directory Active Directory/Open Directory for management. But what are the pros and cons of other possibilities—Active Directory schema extension, Centrify, LANrev, JSS, and so on? We need a way to gather master images, deploy them to many machines, and then (ideally) apply policies to those machines throughout their service life.

Wow, that's a lot of questions in a small space, but the gist is: how do I integrate Macs into an Active Directory (AD) environment beyond basic authentication?

The most popular way to do that is (as you say) with dual directories, also known as “The Magic Triangle,” in which you use Mac OS X Server as an Open Directory (OD) server that is also bound to AD. Clients then bind to both AD and OD, and you use the Mac OS X Server to actually manage your Mac users and computers. That’s a good technique, but it does come at a cost—namely, the expense of a Mac and a copy of Mac OS X Server.

The second common method is called schema modification. All directories—whether AD, OD, Novell’s eDirectory, or OpenLDAP—define objects within their purview using schema. You can modify Active Directory schema in such a way that Workgroup Manager can manage Mac users and computers—no copy of Mac OS X Server required.

With early versions of AD (particularly 2000), this was a bit of a risk, because if such schema modifications broke something, there was no way to cleanly back out. In current versions of Active Directory, this problem has been solved, and schema modifications are now a solid way to integrate Macs into Active Directory environments—with some caveats:

  • Modifying AD is not something you should undertake lightly. You’re going to have to support those customizations and keep them current whenever upgrades and patches are applied to AD. While third-party modifications are available, many AD admins are leery of them if they don’t come with third-party support.
  • Such mods really only enable you to use Apple tools with Active Directory. They won't make your Macs suddenly able to fully use Group Policies and other tools. They’re still Macs, not Windows PCs.
  • Schema mods don’t actually help much with the deployment of images; they just allow you to use Apple tools to manage Macs in an AD environment.

In other words: Schema mods are a solid way to solve many of the problems of managing Macs in an AD environment, but they won't solve every problem, and they aren’t something you can just do and forget about.

The Centrify Suite for Mac OS approaches Mac integration with AD from the Windows point of view. It allows Windows administrators to integrate and manage Macs using standard Windows Active Directory management tools. For example, password policies are set via Group Policy Objects (GPOs) instead of by Apple’s Managed Client for Mac OS X (MCX) settings. Centrify also helps integrate Macs into environments where smart cards and two-factor authentication are required. Centrify is not free, nor is it cheap, but it does give you a lot of capability for the money, in a way that allows AD administrators to manage Macs without needing a Mac themselves. However, Centrify is not a deployment solution in and of itself; it works well alongside other deployment solutions, such as Apple Remote Desktop, LANrev, and Casper, but it does not replace them.

LANrev, Casper, and DeployStudio are all outstanding deployment/management systems, and they all work well with AD. But they won't do much to integrate your Macs into Active Directory.

This is where we hit the crux of the problem: No one package will do it all for you. What I would recommend is to deal with this as two separate but related issues:

First, AD integration: For your environment and budget, which of the three AD integration methods—dual-directory, schema modifications, or a third-party solution like Centrify—will work best? Unfortunately, that’s something you'll have to figure out with your AD administrators; any recommendation I make from here is going to be purely a guess. If your AD administrators aren’t opposed to using Macs to manage Macs, then dual-directory or schema mods are an option. If they insist on using Windows, and are willing to pay to do so, then Centrify is quite usable.

Second, deployment: Almost any of the products I listed above—Casper, LANrev, or DeployStudio—will do the job. Given the choice right now, I would probably go with Casper, because it's the only one with full iOS support, including Over-the-Air (OTA) and Simple Certificate Enrollment Protocol (SCEP) enrollment, wireless app distribution, and full Mobile Device Management (MDM) support for iOS devices. Casper's only problem is that it's really a Mac/iOS-only solution. But, again, there is no one uber-product that will do it all.

[Editor's Note: Got a Mac IT question? Coming to Macworld Expo? John C. Welch will be answering questions there live on the Macworld Live stage Friday, January 28th starting at 2:00 PM. Come on by and see if he can help.]
