Mac OS X Lion Server
At a Glance
Mac OS X Lion Server (10.7)
Amazon Shop buttons are programmatically attached to all reviews, regardless of products' final review scores. Our parent company, IDG, receives advertisement revenue for shopping activity generated by the links. Because the buttons are attached programmatically, they should not be interpreted as editorial endorsements.
The ninth major release of Apple’s server operating system is as big a change as the change from Mac OS X Server 1.0 to Mac OS X Server 10.0. (Readers with longish memories may remember that OS X Server had a pre-10.0 version, which was called version 1.0.) In many ways, Mac OS X Lion Server (version 10.7; Mac App Store link) succeeds, but it's hampered by UI annoyances and inconsistencies that will probably be fixed in future updates. But right now, using Lion Server is a tad more maddening than it should be.
Welcome Server.app; good-bye Server Admin—sort of
There’s a new kid in town for managing Lion Server, and it's called Server.app. I’m sure that this new server-management program will one day completely take over all the functions of the familiar Server Admin application, but right now it doesn’t, which results in a somewhat tedious bit of hopping back and forth between applications to get things done. For example, Server.app handles Address Book, File Sharing, iCal, iChat, Mail, and other service settings. Server Admin handles DHCP, DNS, NetBoot, Software Update, and others.
The impression is that Server Admin handles what Server.app doesn’t—but there are instances when you need to use both applications, such as for the Mail server and the Podcast server. Server Admin has access to more settings than Server.app does, so they complement each other. But when both applications manage the same settings, such as host name or SSH enabling, it’s really annoying.
Apple did a similar thing to the Workgroup Manager application, which was used for user/machine/group/ directory management. In Lion Server, Directory Utility now handles the directory-management tasks. If you want to edit the LDAP info for Open Directory in a more direct fashion than the regular UI lets you, you now do that in Directory Utility. Of course, you can also edit and create users in Server.app. That’s convenient.
Why have four applications doing the work of two? It’s a little like being nibbled to death by baby ducks. It’s certainly not some return-to-Unix idea where each application has a specific focus. Server.app is anything but that. The answer I think lies in Profile Manager, Apple’s new tool for managing Macs and iOS devices (more on that later). While you use Server.app to set up Profile Manager, most of the actual managing work is done via a Web interface. That’s not a bad idea; managing a server is something that, on the GUI level, can be handled quite well via a Web UI. (The UI mostly involves picking from a list, entering text, and selecting radio buttons, and checkboxes. Does it really matter if those controls are presented via Cocoa or HTML?)
However, the tools are very much a work in progress. Apple hasn’t even come close to a Web UI yet—if that is, in fact, the end goal for this. As a result, there are more tools than ever to manage Lion Server, and given the radical changes Apple has made to those tools (especially in Server.app), it actually makes managing Lion Server more work than Mac OS X 10.6 Server ( ).
Where did the controls go?
The other issue with Server.app is that, for the most part, there isn't a lot there. For example, unlike OS X 10.6 Server’s Server Admin utility, which lets you do a lot of the configuration tasks for the Web server, Lion Server’s Server.app really doesn’t let you do much more than add sites, specify the ports and the web root directory, and set up some basic access controls. Anything more than that, and you’re going to have to use and stay with the command line.
In and of itself, this is nothing new. Even though Apple provided a GUI for DNS, if you wanted to do anything other than the absolute basics, you had to learn the guts of DNS in the command line. For things like SNMP, all the GUI ever did was let you turn it on. All post-enablement SNMP configuration happens in text files and the command line. In some cases, especially with the Web server, this is a bit of a shock, because the differences in the GUI between versions 10.6 and 10.7 are rather huge. In the case of iChat server, the differences are rather minor.
The lack of a GUI is upsetting, but in light of what Apple thinks of as its main customer base, this makes some sense. For example, if you take the time to look at how Lion Server works and what it does with Apache and Web services, it’s obvious that Apple looks at Apache as a way to get things done. Apache provides the back end for the Web UI in things like Profile Manager; you need it for the Wiki service, file sharing for iOS devices, and other services. For Web publishing, it’s clear that Apple wants you to use the Wiki/Blog service built into Lion Server, rather than build sites the traditional way. Apple's point here seems to be, when it comes to things like pure Web hosting, there's not a lot of advantage to using OS X Server. It doesn’t provide you with any more capability than you’re going to get off of other platforms like Linux, BSD, or Windows. In fact, if you start talking about a lot of Web platforms, it’s obvious that the only reason OS X is mentioned is because it’s based on Unix, and so you can use Unix tools without a lot of work. But is there some advantage to OS X Server for generic services like Web hosting? Not really. It’s great that Lion Server provides this, but if you expect Apple to go after Linux’s market share as an enterprise Web hosting platform, you might be confusing Apple with some other company.
Another problem with Lion Server is that so little of this is documented. Apple’s server documentation for Lion Server is, to be charitable, thin. Apple moved some of the documentation to the Web, but you can’t get to all of it from the main documentation site. You have to be in Server.app to get to parts of the documentation, such as the Profile Manager—more specifically, you open Server.app and then click on the link to the Profile Manager Web UI (or go to https://serverdnsname/profilemanager), log in, and then, from the drop-down menu in the upper right, click on Help. That will take you to http://help.apple.com/profilemanager/mac/10.7/, which is an Apple webpage. If you go to http://help.apple.com, you’ll find that nothing about Lion Server exists as a direct link from that page.
This is the issue I have with Lion Server as a whole: even though Apple has made a lot of changes to OS X Server, the whole package is so obviously a work in progress. Take a simple task like file sharing: You go to the File Sharing section to enable sharing, and you can set some basic permissions, but if you want to set anything beyond read only, write only, or read-write, then you have to go to the hardware settings, then storage, and then you can set more-detailed ACLs. It’s a remarkably kludgy system; why not have all the file-sharing settings in one place, you know, under, maybe, the File Sharing section?
For Apple, the state of the server-management GUIs is bad, almost approaching appalling. Because of this, the pretty awesome new features in Lion Server aren’t as cool as they could be.
Prior to Lion Server, OS X used Samba, an excellent open-source project that allows non-Windows platforms to both access and serve files as a Windows server. Prior to Lion Server, Samba was how OS X Server handled Windows file- and print-serving tasks.
In July of 2007, the Samba group announced that it would be moving to version 3 of the Free Software Foundation’s General Public License. Some aspects of the GPL 3 created problems for Apple, so rather than continue with a dead version of Samba in OS X Server, Apple removed Samba and wrote its own SMB client and server for Lion Server. All the SMB support in OS X Server from that point on out has come from Apple.
Lion Server provides only basic file sharing. Windows NT Domain support is gone, but Vista works with NT domains only with some tweaking, and Windows 7 won’t work with NT domains at all, so this is not a huge problem. Microsoft has been running away from NT 4 domains since 2000.
What about print sharing?
Print sharing is still in Lion Server, but Apple no longer has any kind of custom GUI for it. Instead, you use the CUPS interface, which is a Web UI at http://localhost:631. You no longer need a special program to set up print sharing, which is an advantage. The downside is that while CUPS has thorough documentation, it’s not exactly geared toward novices, and without Samba, print sharing to Windows clients is a lot trickier.
If you have to do a lot of extensive print sharing, consider keeping your print server at version 10.6, and let Apple know you really need better print serving capabilities to upgrade fully to Lion Server.
MySQL is gone, replaced by PostgreSQL. Why? Apple isn’t telling. If I had to guess, I’d say it comes down to licensing. Oracle’s licensing for MySQL is a bit of a mess; the license you're issued depends on the way you use MySQL. PostgreSQL is under a BSD license, which is something Apple favors far more.
If you already have MySQL data or binaries, Lion Server doesn’t delete them, but Lion Server doesn’t provide even the rudimentary controls for MySQL that OS X 10.6 Server provided, and if you want to use PostgreSQL, any customization you want to do must be done via the command line or third-party tools.
Profile Manager is the one shining star in Lion Server. Profile Manager allows you to finally manage iOS devices from an Apple server OS (what a concept!), and it does so in a way that is really useful, well thought out, and rather friendly to both IT pros and users.
Going forward, Profile Manager is how Apple wants you to manage users, user groups, Macs, groups of Macs, iOS devices, and groups of iOS devices. It’s primarily a Web-based implementation with a focus on self-service. Users can go to a Web portal (https://serverdnsname/mydevices), log in with their directory credentials, and then add their Mac or iOS device into management. I haven’t had a chance to do a lot of work with the Mac side of things in Profile Manager, but the iOS side works really well.
The setup for managing Macs, iOS devices, or both is similar to the iPhone Configuration Utility that Apple used to use as its primary configuration tool for iOS devices. Configuration profiles are distributed as digitally signed XML .mobileconfig files via a number of methods, and it works really well.
With Profile Manager, Apple is taking the Mobile Device Management (MDM) concept it first applied for iOS devices and widening the scope to include things you used to do via Workgroup Manager and MCX. This is a boon to administrators, especially if you’re trying to manage iOS devices and you don’t want to write your own setup from scratch, or pay a lot of money to a third party just to manage Apple devices. Need to remote-wipe an iPad? You can do that from Profile Manager. Need to force complex passphrases on your iPhones? You can do that from Profile Manager. Even the documentation for Profile Manager, once you get to it, is solid.
Profile Manager is an example of just how well Apple can do things, which is maybe why the condition of the rest of Lion Server’s tools and documentation is so frustrating. When you see something done right, it lowers your tolerance for inferior quality, especially when it’s within the same package.
In Lion Server, Apple has reached farther than it has since version 10.0. With all the changes, every administrator using a previous version of OS X Server needs to think carefully before moving to Lion Server. I’ve migrated a couple of test servers, and while it wasn’t as smooth as, say, version 10.5 to 10.6, or even from 10.4 to 10.5, it’s not impossible. But you have to plan more carefully than you've had to plan for an Apple server version upgrade in the past. I’ve heard the cries for help from people who decided to upgrade on a whim, and they aren’t pretty.
Lion Server has some major bugs, like a problem with authentication against OpenLDAP directories, and a series of issues with Active Directory integration. Moving to Lion Server in these environments is not a great idea right now.
There is a lot to like about Lion Server, including its price, Profile Manager, and far better push support for things like Mail, iCal, and iOS devices. But the good is continuously overshadowed by the fact that you must bounce between multiple tools and that the documentation is skimpy, if not simply poor. And there's always bugs that happen with every major release of the OS and the server versions.
In time, Lion Server will be solid. However, as reviewed (version 10.7.1), Lion Server needs a lot of work, and I would think very, very carefully before upgrading.
Macworld’s buying advice
Unlike previous versions of Mac OS X Server, Lion Server is not a simple upgrade. Regardless of the price of this server package, the massive changes at every level of Lion Server—including the removal of some features customers rely on—make this upgrade one you’ll want to think hard about, regardless of price. The documentation and fit-and-finish issues will also help sway your decision on whether to upgrade or not.
[John C. Welch is the IT Director for The Zimmerman Agency, and is a longtime Mac IT pundit.]
[Editor's note: Updated 9/30/2011 at 11:45AM PT with new Server.app screenshot.]