- New Profile Manager
- support for iOS device management
- improvements to push services, Web Mail service
- full 64-bit support
- massive price drop from earlier versions
- Many bugs, some with major security implications
- inconsistent implementation of admin tools
- new tech may be problematic with legacy features
- documentation woefully skimpy
Unlike previous versions of Mac OS X Server, Lion Server is not a simple upgrade. Regardless of the price of this server package, the massive changes at every level of Lion Server – including the removal of some features customers rely on – make this upgrade one you’ll want to think hard about. The documentation and fit-and-finish issues will also help sway your decision on whether to upgrade or not.
There’s a new kid in town for managing Lion Server, and it’s called Server app. We’re sure that this new server-management program will one day completely take over all the functions of the familiar Server Admin application, but right now it doesn’t, which results in a somewhat tedious bit of hopping back and forth between applications to get things done. For example, Server app handles Address Book, File Sharing, iCal, iChat, Mail, and other service settings. Server Admin handles DHCP, DNS, NetBoot, Software Update, and others.
The impression is that Server Admin handles what Server app doesn’t – but there are instances when you need to use both applications, such as for the Mail server and the Podcast server. Server Admin has access to more settings than Server app does, so they complement each other. But when both applications manage the same settings, such as host name or SSH enabling, it’s really annoying.
Apple did a similar thing to the Workgroup Manager application, which was used for user/machine/group/directory management. In Lion Server, Directory Utility now handles the directory-management tasks. If you want to edit the LDAP info for Open Directory in a more direct fashion than the regular UI lets you, you now do that in Directory Utility. Of course, you can also edit and create users in Server app.
Why have four applications doing the work of two? It’s certainly not some return-to-Unix idea where each application has a specific focus. Server app is anything but that. The answer, we think, lies in Profile Manager, Apple’s new tool for managing Macs and iOS devices (more on that later). While you use Server app to set up Profile Manager, most of the actual managing work is done via a web interface.
Server app is the main application used to manage Lion Server, replacing the Server Admin program in previous OS X Servers
However, the tools are very much a work in progress. Apple hasn’t even come close to a Web UI yet – if that is, in fact, the end goal for this. As a result, there are more tools than ever to manage Lion Server, and given the radical changes Apple has made to those tools (especially in Server app), it actually makes managing Lion Server more work than Mac OS X 10.6 Server.
Where did the controls go?
The other issue with Server app is that, for the most part, there isn’t a lot there. For example, unlike OS X 10.6 Server’s Server Admin utility, which lets you do a lot of the configuration tasks for the web server, Lion Server’s Server app really doesn’t let you do much more than add sites, specify the ports and the web root directory, and set up some basic access controls. Anything more than that, and you’re going to have to use and stay with the command line.
In and of itself, this is nothing new. Even though Apple provided a GUI for DNS, if you wanted to do anything other than the absolute basics, you had to learn the guts of DNS in the command line. For things like SNMP, all the GUI ever did was let you turn it on. All post-enablement SNMP configuration happens in text files and the command line. In some cases, especially with the web server, this is a bit of a shock, because the differences in the GUI between versions 10.6 and 10.7 are rather huge. In the case of iChat server, the differences are rather minor.
The lack of a GUI is upsetting, but in light of what Apple thinks of as its main customer base, this makes some sense. For example, if you take the time to look at how Lion Server works and what it does with Apache and web services, it’s obvious that Apple looks at Apache as a way to get things done. Apache provides the back end for the web UI in things like Profile Manager; you need it for the Wiki service, file sharing for iOS devices, and other services. For web publishing, it’s clear that Apple wants you to use the Wiki/Blog service built into Lion Server, rather than build sites the traditional way. When it comes to things like pure web hosting, there’s not a lot of advantage to using OS X Server. It doesn’t provide you with any more capability than you’re going to get from other platforms like Linux, BSD, or Windows, with the exception that it’s based on Unix, and so you can use Unix tools without a lot of work.
Another problem with Lion Server is that so little of this is documented. Apple’s server documentation for Lion Server is thin. From within the Server app you get access to some parts of the documentation, but if you go to http://help.apple.com, you’ll find that nothing about Lion Server exists as a direct link from that page.
This is the issue we have with Lion Server as a whole: even though Apple has made a lot of changes to OS X Server, the whole package is obviously a work in progress. Take a simple task like file sharing: you go to the File Sharing section to enable sharing, and you can set some basic permissions, but if you want to set anything beyond read only, write only, or read-write, then you have to go to the hardware settings, then storage, and then you can set more-detailed ACLs. It’s a remarkably kludgy system; why not have all the file-sharing settings in one place, like the File Sharing section?
Prior to Lion Server, OS X Server handled Windows file- and print-serving tasks with Samba, an excellent open-source project that allows non-Windows platforms to both access and serve files as a Windows server.
In July of 2007, the Samba group announced that it would be moving to version 3 of the Free Software Foundation’s General Public License. Some aspects of the GPL 3 created problems for Apple, so rather than continue with a dead version of Samba in OS X Server, Apple removed Samba and wrote its own SMB client and server for Lion Server. All the SMB support in OS X Server from that point on has come from Apple.
Lion Server provides only basic file sharing. Windows NT Domain support is gone, but Vista works with NT domains only with some tweaking, and Windows 7 won’t work with NT domains at all, so this is not a huge problem. Microsoft has been running away from NT 4 domains since 2000.
Profile Manager is the one shining star in Lion Server. Profile Manager allows you to finally manage iOS devices from an Apple server OS. Profile Manager is how Apple wants you to manage users, user groups, Macs, groups of Macs, iOS devices, and groups of iOS devices. It’s primarily a web-based implementation with a focus on self-service. Users can go to a web portal (https://serverdnsname/mydevices), log in with their directory credentials, and then add their Mac or iOS device into management.
Used to manage users, user groups, Macs, groups of Macs, iOS devices, and groups of iOS devices, Profile Manager is the shining star in Lion Server
The setup for managing Macs, iOS devices, or both is similar to the iPhone Configuration Utility that Apple used to use as its primary configuration tool for iOS devices. Configuration profiles are distributed as digitally signed XML .mobileconfig files via a number of methods, and it works really well.
With Profile Manager, Apple is taking the Mobile Device Management (MDM) concept it first applied for iOS devices and widening the scope to include things you used to do via Workgroup Manager and MCX. This is a boon to administrators, especially if you’re trying to manage iOS devices and you don’t want to write your own setup from scratch, or pay a lot of money to a third party just to manage Apple devices. Need to remote-wipe an iPad? You can do that from Profile Manager. Need to force complex passphrases on your iPhones? You can do that from Profile Manager. Even the documentation for Profile Manager, once you get to it, is solid.
Profile Manager is an example of just how well Apple can do things, which is maybe why the condition of the rest of Lion Server’s tools and documentation is so frustrating.
In Lion Server, Apple has reached farther than it has since version 10.0. With all the changes, every administrator using a previous version of OS X Server needs to think carefully before moving to Lion Server. We’ve migrated a couple of test servers, and while it wasn’t as smooth as, say, version 10.5 to 10.6, or even from 10.4 to 10.5, it’s not impossible. But you have to plan more carefully than you’ve had to plan for an Apple server version upgrade in the past.
Lion Server has some major bugs, like a problem with authentication against OpenLDAP directories, and a series of issues with Active Directory integration. Moving to Lion Server in these environments is not a great idea right now.
There’s actually a lot to like about Lion Server, including its new, lower price, Profile Manager, and far better push support for things like Mail, iCal, and iOS devices. But the good is continuously overshadowed by the fact that you must bounce between multiple tools and that the documentation is skimpy, if not simply poor.
In time, Lion Server will be solid. However, as reviewed (version 10.7.1), Lion Server needs a lot of work, and we would think very, very carefully before upgrading.