The concept of a Mac server has changed quite extensively since the very first version of the software hit the scene in the late 1990s. In this chapter, we are going to explore the server capabilities that Apple has built into the macOS client operating system, the services that are added when installing the macOS Server application, how to determine if you need a dedicated Mac server, and how to configure and manage the server if you do.
A Brief History of macOS Server
The original Mac OS Server was code-named “Rhapsody,” and it was initially designed to be the first release of the next-generation Mac operating system that began development after Apple’s purchase of NeXT in 1996. Mac OS X is the client operating system that was eventually released in the early 2000s, and along with it, Apple began selling an OS X Server as an application that ran on top of the client OS to provide it with server-class capabilities. Over the years, the features of the Server application have been scaled back or migrated into the base feature set of macOS. Today, there are only a handful of services that still remain exclusive to macOS Server.
Services
When it first debuted, OS X Server provided a number of useful features for managing your Mac clients. Apple included its own Lightweight Directory Access Protocol (LDAP) directory service called Open Directory (OD), which was built to manage users and groups similar to Microsoft’s (more popular) Active Directory (AD). In addition to LDAP, it also included file sharing, printer sharing, and a web server based on Apache. As a popular solution for Mac system admins, OS X Server also included NetBoot and Workgroup Manager for managing fleets of Macs.
In addition to various management tools, OS X Server also provided CalDAV, instant messaging, a mail server, and a number of other productivity-related services. However, as more of these kinds of solutions began migrating to various cloud-hosted models, Apple moved most of them to iCloud or decided to sunset the service altogether.
As Apple started to move to more of a mobile-first administration principle with iOS devices, and then eventually Macs, they began to transform macOS Server into a tool for Mobile Device Management. Many of the core “server” services were moved into the base install of macOS. Today, macOS Server retains the Open Directory LDAP service, and Workgroup Manager has been dumped in favor of Profile Manager, which allows you to create and deploy Configuration Profiles to iOS and macOS clients.
Hardware
Apple server hardware has also changed dramatically over the years. Some of the original hardware that ran OS X Server included the Power Mac G3 and Power Mac G4 workstations. Apple briefly became very serious about dedicated server hardware and released the Xserve and Xserve RAID products for a time but eventually discontinued these models in favor of the Mac Pro workstation. As the need for a dedicated server OS was diminished, it no longer made sense for Apple to continue to develop and manufacture dedicated server hardware.
Introduction to macOS Server
In this chapter, we are going to explore the most common functions of a server operating system and how macOS or macOS Server can be configured for these purposes. Some of these features are going to be available in the standard install of the client operating system, and others will only be available after you purchase and install the macOS Server application.
Do I Need a Mac Server?
Before we begin building our Mac server, let’s start by considering the use cases and if a dedicated Mac server is really necessary. As Apple has removed many of the services provided by a Mac server, they have also worked to build more cross-platform tools into macOS that allow it to fully participate as a client in other common networks, namely, those built on Microsoft and Linux technologies. More than likely, your organization already has some kind of LDAP, printer sharing, and file sharing solution, and you can use those with your macOS clients quite easily.
If you have been a Mac system administrator for a while, you may be familiar with the term golden triangle. This is where you would use a Mac server running Open Directory to sync with a Windows server running Microsoft’s Active Directory to manage user accounts and then use Workgroup Manager to set Mac-specific permissions or settings. Today, you can bind your Macs directly to an Active Directory domain instead of even bothering with running a second LDAP specifically for your macOS endpoints. Configuration Profiles replace the Workgroup Manager component for restricting devices and locking down specific settings.
File sharing has also changed in recent releases. Apple used to utilize their AppleTalk File Protocol as the preferred file sharing technology for macOS clients. Today, Samba is the default file sharing protocol and works seamlessly with Windows and Linux clients. The point here is that if you are already running various Windows- or Linux-based servers, before you start building a Mac server to create redundant Mac-only versions of these existing file shares, consider how you might leverage these existing technologies with your macOS clients.
Beyond directory services or file/print sharing, there are a number of cloud-based solutions that may be a better fit for your organization. Web hosting is one that immediately comes to mind. Several years ago, using a Mac server for hosting your web site was very common, and in many ways it was a preferable solution over using Microsoft’s IIS. While Apache is still available as an additional service in macOS, you could just as easily host your web site in the cloud using any number of low-cost web hosting solutions out there.
File Sharing: Starting with macOS High Sierra, Apple has integrated the File Sharing Server into the standard install of the operating system. You can enable this through the Sharing System Preference. This service allows you to share files and folders over the network.
Printer Sharing: Starting with macOS High Sierra, Apple has integrated the Print Sharing Server into the standard install of the operating system. You can enable this through the Sharing System Preference. This service allows you to share printers over the network.
Apple Remote Desktop: You can install Apple Remote Desktop in full console mode or as a Remote Task Server as described in Chapter 6 of this book.
Content Caching: Starting with macOS High Sierra, Apple has integrated the Content Caching Server into the standard install of the operating system. You can enable this through the Sharing System Preference. This service caches copies of content from the App Store and other Apple-hosted services like Software Update to conserve bandwidth when installing updates or content on multiple devices.
Web Server: Apache is integrated into the standard install of the Mac operating system. You can enable this through the command line.
Open Directory: Included with the installation of the macOS Server application, Open Directory is an LDAP that allows you to configure network-based users and groups.
Profile Manager: A basic Mobile Device Management solution that allows for the creation and assignment of Configuration Profiles to iOS and macOS clients—included with the macOS Server application.
Xsan: Included with the installation of the macOS Server application that enables the creation and management of a Storage Area Network (SAN) solution.
DNS: Starting with macOS High Sierra, Apple has removed DNS from the installation of macOS Server. You can use various other solutions including BIND or Knot DNS.
DHCP: Starting with macOS High Sierra, Apple has integrated the DHCP Server into the standard install of the operating system. You can enable and manage this through the command line.
NetBoot/NetInstall: Apple has continued to demote this service through the use of the T2 Security chip and the removal of these features in the more recent releases of macOS Server. The core technology is still available in macOS versions older than Mojave. If you are planning to use this workflow, I would recommend looking at DeployStudio as a solution (www.deploystudio.com).
So do you need a Mac server? The answer is that it depends, but probably not. If you are a small business and you don’t have any existing directory services or need a local file/print server, then it might make sense to deploy a dedicated Mac server.
If you are a larger organization with a lot of preexisting server solutions, try to integrate your Macs into that ecosystem instead of building a separate Mac-only environment. It will be easier for you and better for your end users to be able to participate as a first-class citizen on an existing corporate network. Increasingly, the main reason you would want a Mac server is to run Profile Manager unless your organization already has an effective Mobile Device Management solution from a third-party vendor like JAMF, Mosyle, or Addigy.
Deploying a Mac Server
If you have determined that a dedicated Mac server would be useful in your environment, we can begin configuring a Mac to function as a server.
Hardware Considerations
Depending on how you plan to use your Mac server, you should select the right hardware for the job. Typically this involves deciding between a Mac Pro and a Mac mini. Apple sells a Mac mini for as low as $800 as of this writing, and it features enough raw horsepower for most server roles. The onboard storage is relatively anemic at 128 GB of SSD space, so if you plan to use it for extensive file sharing, you should plan to purchase some kind of external Thunderbolt storage solution.
For the highest level of performance, the new 2019 Mac Pro can be configured with an insane amount of RAM, internal disk space, and up to 28 processor cores! It can also cost upward of the same price as a new car, so be sure that you are matching your needs with the correct specification. Most organizations can get by with a Mac mini of some variety. Even if you opt for the build-to-order variety and boost that internal disk to a 2 TB SSD, it will be a fraction of the cost of a Mac Pro.
One thing that you should also consider, particularly if you are planning to use the Mac primarily as a Profile Manager server, is the cloud-hosted model. There are a couple of vendors out there that provide Mac servers in the cloud. The most popular is MacStadium, where you can get access to a bare metal Mac server for a low monthly fee. You can explore these options at www.macstadium.com.
Backup
As we discussed in Chapters 2 and 3, you can either opt for a cloud-based backup solution or use Time Machine to back up your Mac server to an attached external disk. The only caveat in choosing a backup solution for your server is that it must back up the entire disk and any attached storage. You should be backing up all of the user data, the configuration, and any applications running on your Mac server. For this reason, stay away from solutions like iCloud, OneDrive, or Dropbox as those will only synchronize the user’s home directory and not the entire disk.
If you are going to use a Time Machine drive or some other kind of attached storage for backing up your servers, be sure to implement some kind of regimen of rotating those drives to a secure off-premises storage facility. Many organizations have data recovery sites or third-party services that will store backup drives off-site in case of a fire or other natural disasters. You should do the same with your Time Machine drives on a regular basis.
Initial Configuration
At this point you should have selected a suitable solution for your Mac server, storage, and backup. The next thing we need to do is install a fresh copy of macOS Catalina on the server. So boot into Internet Recovery mode or use a bootable USB installer to boot your Mac, use Disk Utility to partition and/or format the drive, and then install a copy of macOS.
Why do we care what the wallpaper is on our server? I tend to remote control into my servers and run them headless (without a monitor) in my data center. When I’m using a Screen Sharing window, it is helpful to remind me which system I’m on and to remind me to sign out after the session.
Next, run Software Update and install all the patches and security updates available for your Mac. This will ensure we’re running the latest security and bug fixes.
Finally, open the Energy Saver System Preference and set the computer to never sleep, uncheck the box to put the hard disks to sleep whenever possible, and check the box to allow it to restart automatically after a power failure. These settings will ensure that your server performs optimally and can reduce the risk of having the server go offline after a power-related event.
Network Settings
The first thing we need to do is configure a name for our server and a static IP address. Using the Sharing System Preference, name your server. I’m going to call mine “MacServer.” If you have multiple existing servers, you may have a standardized server naming convention that you will want to use. This configuration assumes that you are simply sharing some data on the internal local area network.
Double-check the Local Hostname and the Unix hostname and ensure these are the same. As you can see in Figure 7-2, I have configured all three of my server names to match.
I have reserved the range of 192.168.1.2–192.168.1.9 for static IP addresses on my router. I’m going to use 192.168.1.9 as my static IP address for the MacServer.
If you are unsure of your DNS settings, you can also switch your Mac back to DHCP temporarily and see what information is automatically populated in the DNS tab and then replicate that into the static DNS entry after changing back to the Manual address option.
If your Mac is going to be participating in a larger network, for example, a Windows-based network, make sure your Windows system administrator or Network Administrator creates a DNS entry for your hostname and a reverse DNS entry for the IP address. Your clients should be able to use nslookup or the Lookup option in the Network Utility and return the hostname by IP and the IP by hostname.
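The forward and reverse lookups described above can be checked together from Terminal. This added example is not from the book; it uses dig rather than nslookup, and macserver.example.com is a placeholder name (192.168.1.9 is the static address used in this chapter).

```shell
#!/bin/sh
# Added example (not from the book): confirm that a server's forward (A) and
# reverse (PTR) DNS records agree.
# Usage on the Mac: sh dnscheck.sh --check macserver.example.com 192.168.1.9

# Filter: lower-case names and strip the trailing root dot that dig prints.
normalize() {
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# dns_verdict HOST IP A_ANSWERS PTR_ANSWERS
# A_ANSWERS and PTR_ANSWERS are the newline-separated outputs of
#   dig +short HOST A      and      dig +short -x IP
# Prints exactly one verdict word.
dns_verdict() {
    host=$(printf '%s\n' "$1" | normalize)
    ip=$2; a_answers=$3; ptr_answers=$4

    if [ -z "$a_answers" ]; then
        echo forward-missing; return 0
    fi
    # dig +short can list CNAME targets before the address, so match whole
    # lines literally; this also keeps 192.168.1.9 from matching 192.168.1.90.
    if ! printf '%s\n' "$a_answers" | grep -qxF "$ip"; then
        echo forward-mismatch; return 0
    fi
    if [ -z "$ptr_answers" ]; then
        echo reverse-missing; return 0
    fi
    # PTR data is case-insensitive and fully qualified, so normalize first.
    if ! printf '%s\n' "$ptr_answers" | normalize | grep -qxF "$host"; then
        echo reverse-mismatch; return 0
    fi
    echo ok
}

# Live check: only runs when called with --check HOST IP.
if [ "${1:-}" = "--check" ] && [ $# -eq 3 ]; then
    verdict=$(dns_verdict "$2" "$3" "$(dig +short "$2" A)" "$(dig +short -x "$3")")
    echo "$2 <-> $3: $verdict"
    [ "$verdict" = ok ] || exit 1
fi
```

Anything other than ok means one of the two records is absent or points somewhere else and should be corrected on the DNS server before clients rely on the name.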
Configuring Remote Access
Another useful service to enable for remote administration is Secure Socket Shell (SSH). The friendly name of that service in the Sharing System Preference is Remote Login. Enabling SSH can be useful for communicating with your Mac server via the command line interface.
Depending on the size and design of your network, your Network Administrator may have divided your network into various smaller subnets. In some cases, due to security reasons, servers are placed in a subnet that is separate from your client systems. If this is the case in your network, when you use the ARD scanner to search for a server, it may not find it. You may have to add the computer manually using the Add By Address option.
Server Security Considerations
When it comes to configuring a server, you really want to try to disable any services that are not going to be used. In this way, you are limiting the number of possible vulnerabilities that could exist and therefore be exploited. This is not an exhaustive list of things you must lock down to secure your server, but it gives you a starting point. Nothing is 100% safe from hackers or other security threats.
Disable the Guest User: Open the Users & Groups System Preference and click the Guest User from the list of users in the left-side pane. Make sure Allow guests to log in to this computer and Allow guest users to connect to shared folders are both unchecked.
Disable Power Controls on the Login Screen: While in the Users & Groups System Preference, click the Login Options button. Uncheck the box next to Show the Sleep, Restart, and Shut Down buttons.
Disable Automatic Login: While in the Login Options, make sure that Automatic login is set to Off.
Disable the List of Users: While in the Login Options, choose to Display login window as Name and password.
Enable Software Update for Security Patches Only: Open the Software Update System Preference and click the Advanced… button. It is up to you if you want to automatically install all updates or not, but at bare minimum, make sure that the Install system data files and security updates box is checked. That way it will automatically patch your Mac server with important security updates.
Enable a Screen Saver Password: Open the Security & Privacy System Preference. Click the General tab and check the box next to Require password after sleep or screen saver begins. Set the drop-down to immediately.
Enable FileVault: Click the FileVault tab and enable FileVault encryption.
Enable the Firewall: Click the Firewall tab. Turn on the Firewall and then use the Firewall options as detailed in Chapter 3 of this book to configure the level of security you want and any application exceptions.
Disable Location Services: Click the Privacy tab and then click Location Services on the left-side pane. Uncheck the box next to Enable Location Services.
Disable Analytics: While you are still on the Privacy tab, click the Analytics button on the left-side pane. Uncheck Share Mac Analytics and uncheck Share with App Developers.
Disable Bluetooth: Open the Bluetooth System Preference. Click the Turn Bluetooth Off button to disable it.
Turn Off Wi-Fi: Assuming you are using Ethernet to connect your server to the network, we should turn off the Wi-Fi radio. Open the Network System Preference and click the Wi-Fi button on the left-side pane. Click the Turn Wi-Fi Off button to disable it.
Log Out of iCloud: If you signed into iCloud during the Setup Assistant process, go to the iCloud System Preference and sign out of iCloud.
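Several items in the checklist above (guest access, login window options, automatic security updates, FileVault and the firewall) can be verified from the command line after they are set in System Preferences. This is an added example, not from the book; the preference domains and key names are assumed to be the ones Catalina-era macOS uses, and the sample snapshot is constructed.

```shell
#!/bin/sh
# Added example (not from the book): audit part of the hardening checklist.
# Preference keys are assumptions for Catalina-era macOS; confirm them on
# your release. Usage on the Mac: sudo sh audit.sh --audit  (or --demo)

LW=/Library/Preferences/com.apple.loginwindow
SU=/Library/Preferences/com.apple.SoftwareUpdate
SMB=/Library/Preferences/SystemConfiguration/com.apple.smb.server

# read_pref DOMAIN KEY: print the value, or "unset" when the key is absent.
read_pref() {
    defaults read "$1" "$2" 2>/dev/null || echo unset
}

# Print the current state as key=value lines (macOS only).
collect_snapshot() {
    echo "guest_login=$(read_pref "$LW" GuestEnabled)"
    echo "guest_smb_access=$(read_pref "$SMB" AllowGuestAccess)"
    echo "power_buttons_hidden=$(read_pref "$LW" PowerOffDisabled)"
    echo "auto_login_user=$(read_pref "$LW" autoLoginUser)"
    echo "name_and_password=$(read_pref "$LW" SHOWFULLNAME)"
    echo "security_updates=$(read_pref "$SU" CriticalUpdateInstall)"
    echo "system_data_files=$(read_pref "$SU" ConfigDataInstall)"
    echo "filevault=$(fdesetup status | head -n 1)"
    echo "firewall=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)"
}

# Constructed sample: guest login on, automatic login set, FileVault and
# firewall off, and one value missing from the collection.
sample_weak_snapshot() {
    cat <<'EOF'
guest_login=1
guest_smb_access=0
power_buttons_hidden=1
auto_login_user=administrator
name_and_password=1
security_updates=1
filevault=FileVault is Off.
firewall=Firewall is disabled. (State = 0)
EOF
}

# Read key=value lines on stdin and print one FAIL line per deviation.
audit_snapshot() {
    awk '
    BEGIN {
        want["guest_login"] = "0"
        want["guest_smb_access"] = "0"
        want["power_buttons_hidden"] = "1"
        want["auto_login_user"] = "unset"
        want["name_and_password"] = "1"
        want["security_updates"] = "1"
        want["system_data_files"] = "1"
        want["filevault"] = "FileVault is On."
        keys = "guest_login guest_smb_access power_buttons_hidden"
        keys = keys " auto_login_user name_and_password security_updates"
        keys = keys " system_data_files filevault firewall"
        n = split(keys, required, " ")
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1); seen[key] = 1
        if (key == "firewall") {
            # State 1 is on; State 2 is assumed to be block-all mode.
            if (val !~ /State = [12]/)
                print "FAIL firewall: expected State = 1 or 2, found " val
        } else if ((key in want) && val != want[key]) {
            print "FAIL " key ": expected " want[key] ", found " val
        }
    }
    END {
        # A value that was never collected is a finding, not a pass.
        for (i = 1; i <= n; i++)
            if (!(required[i] in seen))
                print "FAIL " required[i] ": value not collected"
    }'
}

if [ "${1:-}" = "--audit" ] || [ "${1:-}" = "--demo" ]; then
    if [ "$1" = "--demo" ]; then src=sample_weak_snapshot; else src=collect_snapshot; fi
    findings=$($src | audit_snapshot)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        exit 1
    fi
    echo "all audited settings match the checklist"
fi
```

A key reported as unset means the setting has never been written explicitly, so confirm it in System Preferences rather than assuming the default.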
Configuring Basic Server Services
Now that we have our Mac server ready to go, we can begin enabling some services. In this section, we are going to explore the server-class functions that are bundled with the core macOS client operating system. These are the most popular services found on Mac servers and include content caching, file services, print services, and web services.
Content Caching
One of the most popular features that was previously included in macOS Server but has been subsequently moved to the core macOS installation is content caching. This service runs on a device on your network and listens for clients that are downloading content from Apple or Apple-hosted services like the iBooks, App Store, Mac App Store, and so on. Then as that first client downloads the content, the computer running the content caching service downloads a copy and retains it. When the second, third, or any other device on the same subnet attempts to download that content, it gets copied from the cache server instead of being downloaded again over the Internet.
This solution has been extremely popular in businesses and schools that have multiple clients that share an Internet connection. I have used this with 1:1 iPad deployments and labs of Macs that need to download and install the same security updates or macOS releases, and it really speeds up the installation and saves on bandwidth utilization.
Because this can take a fair amount of space on your server’s hard disk, you can click the Options... button and choose how much disk space you want to devote to caching. Once the cache space is full, the service will make room for new content by deleting the oldest data first.
File Sharing
The next most common service that runs on Mac servers is file sharing. To enable local network file sharing, open the Sharing System Preference and click the checkbox next to File Sharing. By default, macOS shares files on the network using Samba. If for some reason you want to use the legacy AppleTalk protocol, you can click the Options… button and check the box next to Share files and folders using AFP. We will leave that unchecked as we do not want to use AppleTalk.
Adding shared folders is pretty simple and straightforward. Create a folder on the Desktop to use as a test. Typically you would want to create your folders inside of an attached volume like a Thunderbolt disk drive, but for our purposes in this example, we’ll just use the Desktop. Name the folder “Mac Shared File.”
This is the simplest form of file sharing because we are limiting access to the share based on the single user account on this particular Mac—Administrator. There is only one member of the Staff group, and that is the Administrator account. If we were to create additional users on this Mac, and if they were members of the Staff group, they would be able to read the contents of the file share but not write to it.
Printer Sharing
Web Server
You can also install PHP, MySQL, and other web technologies on your Mac web server if required. The configuration of those additional services is outside the scope of this book, but there are many good tutorials online that can step you through the process. If you are a web developer and want to use your Mac workstation as a web server for development and testing purposes, there are also tools like MAMP that can install a LAMP stack-style development environment on your Mac in a snap. You can find out more by visiting www.mamp.info/en/.
Configure macOS Server Services
In this section, we will configure services that are only available after you purchase and install the macOS Server application.
Installing macOS Server
Each time Apple releases a new version of their operating system, they release a new update to macOS Server. For this reason, the current version of macOS Server requires Catalina. If you attempt to install it on an older Mac that isn’t running Catalina, you can opt for a slightly older version of macOS Server. The primary differences in the last few releases have been additional Profile Manager payloads that are specific to the more recent releases of iOS and macOS.
We are going to install macOS Server on macOS 10.15 so we can take full advantage of all of the new payloads for iOS 13 and macOS Catalina. Once the application is finished downloading from the Mac App Store, browse to the /Applications folder and open the Server application to continue with the installation and configuration.
If your server’s Host Name is not a fully qualified domain name (FQDN), you may need to click the Edit Host Name button and step through the Assistant to configure it as such. If you plan to use this server with Profile Manager, you should take this opportunity to register a domain name that will be used on the Internet and reconfigure your server name accordingly.
Internet reachability is Apple’s term for which services (if any) can be reached on this server from the public Internet. This capability relies on your network configuration. I have an internal IP address configured on this server, but I also have configured my router to allow incoming connections to this server in my DMZ. If you plan to use this server as an MDM using Profile Manager, you will need to work with your Network Administrator to make the necessary changes to your network to allow this server to be reachable over the Internet. You can use Apple’s Internet reachability test to validate those network settings and identify which services are available via the Internet.
As you can see, we only have one user account, the local Administrator account. I could add additional users here or click the Groups section and add additional groups and populate members of those groups. These accounts only govern the resources on this specific computer. I cannot use accounts that I create here to access shared resources on another computer. This is why they are part of the Local domain.
If I want to create users and groups that govern access to resources on multiple machines, I need to create those accounts in a Network domain. Network accounts allow me to create a single user that can sign into other computers, access shared resources on this computer or other computers if they have the permission to those resources, and generally simplify the administration of user accounts and data security across my entire network. To use this Network domain, we must have a directory service available to contain these user accounts and groups.
Open Directory
Open Directory is Apple’s Network Directory domain service based on the LDAPv3 specification. Many large organizations will already have some kind of LDAP that contains all of their network user accounts and shared resources. One of the most common is Microsoft’s Active Directory. If you are already running Active Directory, you should plan to leverage that for your network account directory domain with your Mac clients instead of turning on the Open Directory service. We will cover Active Directory integration in greater detail in Chapter 11.
Windows Pro Tip: Microsoft system administrators will recognize this idea of a master and a replica from Active Directory. Earlier implementations of AD included a server that functioned as the Primary Domain Controller and additional servers that were called Backup Domain Controllers. Open Directory is similar as you have an Open Directory Master and then multiple Open Directory Replicas that synchronize any directory changes or share the load when responding to requests.
Pro Tip: When you create Network Accounts in Open Directory, it is important to note that their names should be distinct from those of the Local Accounts on the client or server system. When the login window attempts to authenticate the user, it first looks for a matching account on the Local Directory domain of that Mac; and then if it doesn’t find one, it goes up a level to the Network Directory domain and checks there. If you have an account in the Local domain that matches the account in the Network domain, it will always log in as the local account because it found a match in the Local domain and quit looking.
At this point, we have configured our Open Directory Master. From here, you could configure additional servers to act as Replicas. If you have multiple locations and multiple servers, you may want to configure Locales. These can be configured in the Open Directory service window, and you can specify which servers should respond to requests from clients of a particular subnet. That way clients can query the nearest OD server depending on which network they reside on.
Differ from account name
Contain at least 8 characters
Be reset every 3 months
We can see our three user accounts and a couple of groups, but did you know that there are many more users and groups than what we see here that have been placed in our directory by the OS? You can show or hide these System users and groups by right-clicking any user and choosing Show System Accounts or Hide System Accounts to toggle these groups on and off.
Now that we have created a few users and placed them into a group, we want to be able to log into a workstation with one of these accounts. To do this, we need to bind our macOS clients to the Open Directory domain. Binding a client to the domain allows it to search the list of Network Accounts in addition to the Local Accounts to find a match and allow a Network User to login to the computer. Any enabled user in the domain can sign into any computer bound to that domain.
Congratulations! You have successfully created an Open Directory domain, populated it with users, bound a client Mac to the domain, and signed in successfully with a Network user account.
A quick note about file sharing and Open Directory: Prior to macOS Mojave, you could share files and folders and set permissions for Open Directory Network accounts. If you have shared folders on an Open Directory Master or Replica, you won’t be able to map those shares even if you are using the local user account, because it will not authenticate. If you plan to create shares on a Mac and share them with other Macs, the host cannot be running the Open Directory service; and even if you bind that Mac to the Open Directory domain, you cannot authenticate to those shares using Network accounts. The reason for this is that the ACL groups are no longer created in the directory for file sharing access like they used to be in older versions of Server. There are unofficial fixes out there for this, but that is outside the scope of this book.
Certificates
When you completed the steps to bind your Mac client to Open Directory, you may have received a message stating This server does not provide a secure (SSL) connection. Do you want to continue? In that case, because we were setting up a test server, we chose to ignore this message and continue. However, in a production environment, you will want to use SSL to secure your client’s communication with the server to prevent man-in-the-middle attacks, among others. Even if you are not using Open Directory and you are only deploying your server for use with Profile Manager, you will need some basic understanding of certificates and how to change them in macOS Server.
Fallback SSL Certificate
The most basic certificate that Apple provides is the Fallback Certificate. It gets created when you install the Server application, and it is available but not often used. You can find this certificate by opening the Keychain Access utility on your Mac server and clicking the Certificates for the System keychain.
Self-Signed Certificates
In the case of Open Directory, Apple provides a self-signed certificate that you can use that is generated when the Open Directory service is installed. Self-signed certificates will prompt users to trust them and are not usually the best choice for production installation. We can adjust the certificate that is being used for Open Directory if we want to replace this with a trusted third-party certificate.
Managing Certificates
Now that the service has been disabled, click the Certificates button in the sidebar. You will probably have something similar to Figure 7-41 with some kind of mix of certificates and the Secure services using pop-up menu. Using this menu, we can select which services are using which certificates.
Go back to the Open Directory settings and restart the service by flipping the switch back to the on position. If you go back to your test Mac and unbind it from our domain and then join it again, you will be prompted to trust the new certificate.
To unbind a Mac from the domain, log in as a user with local administrative privileges and use the Users & Groups System Preference ➤ Login Options dialog and click the Edit button, similar to how you joined the domain but in reverse. In the sheet that slides out and displays the Open Directory server, highlight that server and click the – button to remove it.
Trusted Certificates
If you are planning to use a trusted certificate in a production environment, make sure that your server hostname is unique on your network or, in the case of web sites, the public Internet. For SSL to work properly, it is not recommended to have a server hostname that ends in .local. If you need to change your Host Name for any reason, do so within the Server application so that the associated services get updated with the new name. You should also restart any services or the server itself after changing the Host Name.
Profile Manager
The final service we will configure in macOS Server is really the main reason to have a Mac server these days—Profile Manager. Profile Manager is a Mobile Device Management (MDM) solution that integrates with Apple’s cloud services like Device Enrollment Program (DEP) and Volume Purchase Program (VPP) that we’ve touched on throughout this book so far. We will be using Profile Manager to create Configuration Profiles to provision and manage iOS devices and Mac clients over the air in Chapters 8 and 9.
Before we begin, there are a couple of prerequisites that you need to be aware of when using Profile Manager. First, the server must be accessible over the Internet. For my test server, I enabled Apache temporarily and made sure I could hit the “It works!” page from both inside and outside of my network. I also created a domain and made sure that I could get to the server on the public Internet by DNS name, not just the IP address. Once you have tested it, you can disable the Apache service again. Second, once you have a functional web server, it also needs to be SSL encrypted. So you’ll need to procure a signed certificate from a Certificate Authority of your choice.
I have used namecheap.com or godaddy.com as my SSL certificate vendors for a small fee. There are also alternatives such as letsencrypt.org that you can use to get free signed SSL certificates.
We are going to get started with configuring the Profile Manager service by clicking the Profile Manager button in the sidebar and then clicking the on/off switch to turn it on as shown in Figure 7-46.
The next step is to select the trusted certificate from a third-party Certificate Authority. If you are planning to use Profile Manager as an MDM, which we will be doing throughout the rest of this book, you must have a certificate that is signed by a Certificate Authority. If you use a self-signed Certificate, it will not work.
If you go back to the server’s main status screen by clicking the button in the sidebar with the server’s name, you should see a green dot under Internet reachability. You can also click the Reachability Details button and make sure that Profile Manager is showing as available over the Internet as shown in Figure 7-49. If you are not seeing that, you should contact your Network Administrator and have them check the router or firewall configuration.
At this point, we have enabled the Profile Manager service and confirmed that it is working both internally and externally. There are additional options that we can configure for integration with Apple School Manager, Device Enrollment Program, and Volume Purchase. I will cover those in the next chapter when we discuss these various services within the larger topic of MDM.
Summary
In this chapter, we discussed the need for a dedicated Mac server, the server-class solutions built right into the core macOS client operating system, and the advanced services provided by installing the macOS Server application. While every organization is going to have different needs, it is clear that Apple has promoted the use of existing industry standard directory and file sharing and print sharing technologies over proprietary Mac-only solutions whenever possible.
As you can see, macOS Server has primarily become a tool for enabling Mobile Device Management through the Profile Manager tool. The case can be made that unless you want to use Profile Manager, you may not need a Mac server at all. If you do need Profile Manager, it could be the only service you need to run on your server, and it is not dependent on Open Directory or any other service.
In the next chapter, we will explore MDM concepts including User Approved MDM, Device Enrollment Program, and Volume Purchase Program. These solutions form the foundation for developing a next-generation deployment and support model for Apple-branded devices.