© Drew Smith 2020
D. Smith, Apple macOS and iOS System Administration, https://doi.org/10.1007/978-1-4842-5820-0_7

7. macOS Server

Drew Smith, Cincinnati, OH, USA

The concept of a Mac server has changed quite extensively since the very first version of the software hit the scenes in the late 1990s. In this chapter, we are going to explore the server capabilities that Apple has built into the macOS client operating system, the services that are added when installing the macOS Server application, how to determine if you need a dedicated Mac server, and how to configure and manage the server if you do.

A Brief History of macOS Server

The original Mac OS X Server was code-named “Rhapsody,” and it was initially designed to be the first release of the next-generation Mac operating system that began development after Apple’s purchase of NeXT in 1996. Mac OS X, the client operating system, shipped in 2001, and for a decade Apple sold Mac OS X Server alongside it as a separate server edition of the OS. Beginning with OS X Lion in 2011, the server edition became an application that runs on top of the client OS to provide it with server-class capabilities. Over the years, the features of the Server application have been scaled back or migrated into the base feature set of macOS. Today, there are only a handful of services that still remain exclusive to macOS Server.

Services

When it first debuted, OS X Server provided a number of useful features for managing your Mac clients. Apple included its own LDAP-based directory service, Open Directory (OD), which was built to manage users and groups much like Microsoft’s (more popular) Active Directory (AD). In addition to directory services, it also included file sharing, printer sharing, and a web server based on Apache. As a popular solution for Mac system admins, OS X Server also included NetBoot and Workgroup Manager for managing fleets of Macs.

In addition to various management tools, OS X Server also provided CalDAV, instant messaging, a mail server, and a number of other productivity-related services. However, as more of these kinds of solutions began migrating to various cloud-hosted models, Apple moved most of them to iCloud or decided to sunset the service altogether.

As Apple started to move to more of a mobile-first administration principle with iOS devices, and then eventually Macs, they began to transform macOS Server into a tool for Mobile Device Management. Many of the core “server” services were moved into the base install of macOS. Today, macOS Server retains the Open Directory LDAP service, and Workgroup Manager has been dumped in favor of Profile Manager, which allows you to create and deploy Configuration Profiles to iOS and macOS clients.

Hardware

Apple server hardware has also changed dramatically over the years. Some of the original hardware that ran OS X Server included the Power Mac G3 and Power Mac G4 workstations. Apple briefly became very serious about dedicated server hardware and released the Xserve and Xserve RAID products for a time but eventually discontinued these models in favor of the Mac Pro workstation. As the need for a dedicated server OS was diminished, it no longer made sense for Apple to continue to develop and manufacture dedicated server hardware.

Introduction to macOS Server

In this chapter, we are going to explore the most common functions of a server operating system and how macOS or macOS Server can be configured for these purposes. Some of these features are going to be available in the standard install of the client operating system, and others will only be available after you purchase and install the macOS Server application.

Do I Need a Mac Server?

Before we begin building our Mac server, let’s start by considering the use cases and if a dedicated Mac server is really necessary. As Apple has removed many of the services provided by a Mac server, they have also worked to build more cross-platform tools into macOS that allow it to fully participate as a client in other common networks, namely, those built on Microsoft and Linux technologies. More than likely, your organization already has some kind of LDAP, printer sharing, and file sharing solution, and you can use those with your macOS clients quite easily.

If you have been a Mac system administrator for a while, you may be familiar with the term golden triangle. In that design, each Mac was bound to two directories at once: a Windows server running Microsoft’s Active Directory for user accounts and authentication, and a Mac server running Open Directory so that Workgroup Manager could apply Mac-specific permissions and settings. Today, you can bind your Macs directly to an Active Directory domain instead of running a second directory service specifically for your macOS endpoints. Configuration Profiles replace the Workgroup Manager component for restricting devices and locking down specific settings.

File sharing has also changed in recent releases. Apple used to favor its own Apple Filing Protocol (AFP) as the preferred file sharing technology for macOS clients. Today, SMB is the default file sharing protocol, and it works seamlessly with Windows and Linux clients. The point here is that if you are already running various Windows- or Linux-based servers, before you start building a Mac server to create redundant Mac-only versions of these existing file shares, consider how you might leverage these existing technologies with your macOS clients.

Beyond directory services or file/print sharing, there are a number of cloud-based solutions that may be a better fit for your organization. Web hosting is one that immediately comes to mind. Several years ago, using a Mac server for hosting your web site was very common, and in many ways it was a preferable solution over using Microsoft’s IIS. While Apache is still available as an additional service in macOS, you could just as easily host your web site in the cloud using any number of low-cost web hosting solutions out there.

Here are some of the more common services that you may want to run on a Mac server, if you choose to deploy one. We will cover many of these in greater detail throughout this chapter:
  • File Sharing: Starting with macOS High Sierra, Apple has integrated the File Sharing Server into the standard install of the operating system. You can enable this through the Sharing System Preference. This service allows you to share files and folders over the network.

  • Printer Sharing: Starting with macOS High Sierra, Apple has integrated the Print Sharing Server into the standard install of the operating system. You can enable this through the Sharing System Preference. This service allows you to share printers over the network.

  • Apple Remote Desktop: You can install Apple Remote Desktop in full console mode or as a Remote Task Server as described in Chapter 6 of this book.

  • Content Caching: Starting with macOS High Sierra, Apple has integrated the Content Caching Server into the standard install of the operating system. You can enable this through the Sharing System Preference. This service caches copies of content from the App Store and other Apple-hosted services like Software Update to conserve bandwidth when installing updates or content on multiple devices.

  • Web Server: Apache is integrated into the standard install of the Mac operating system. You can enable this through the command line.

  • Open Directory: Included with the installation of the macOS Server application, Open Directory is an LDAP-based directory service that allows you to configure network-based users and groups.

  • Profile Manager: A basic Mobile Device Management solution that allows for the creation and assignment of Configuration Profiles to iOS and macOS clients—included with the macOS Server application.

  • Xsan: Included with the installation of the macOS Server application; enables the creation and management of a Storage Area Network (SAN) solution.

  • DNS: Starting with macOS High Sierra, Apple has removed DNS from the installation of macOS Server. You can use various other solutions including BIND or Knot DNS.

  • DHCP: Starting with macOS High Sierra, Apple has integrated the DHCP Server into the standard install of the operating system. You can enable and manage this through the command line.

  • NetBoot/NetInstall: Apple has continued to demote this service through the use of the T2 Security chip and the removal of these features in the more recent releases of macOS Server. The core technology is still available in macOS versions older than Mojave. If you are planning to use this workflow, I would recommend looking at DeployStudio as a solution (www.deploystudio.com).

So do you need a Mac server? To answer this question, it depends, but probably not. If you are a small business and you don’t have any existing directory services or need a local file/print server, then it might make sense to deploy a dedicated Mac server.

If you are a larger organization with a lot of preexisting server solutions, try to integrate your Macs into that ecosystem instead of building a separate Mac-only environment. It will be easier for you and better for your end users to be able to participate as a first-class citizen on an existing corporate network. Increasingly, the main reason you would want a Mac server is to run Profile Manager unless your organization already has an effective Mobile Device Management solution from a third-party vendor like JAMF, Mosyle, or Addigy.

Deploying a Mac Server

If you have determined that a dedicated Mac server would be useful in your environment, we can begin configuring a Mac to function as a server.

Hardware Considerations

Depending on how you plan to use your Mac server, you should select the right hardware for the job. Typically this involves deciding between a Mac Pro and a Mac mini. Apple sells a Mac mini for as low as $800 as of this writing, and it has enough raw horsepower for most server roles. The onboard storage is relatively anemic at 128 GB of SSD space, so if you plan to use it for extensive file sharing, you should plan to purchase some kind of external Thunderbolt storage solution.

For the highest level of performance, the new 2019 Mac Pro can be configured with an insane amount of RAM, internal disk space, and up to 28 processor cores! It can also cost upward of the same price as a new car, so be sure that you are matching your needs with the correct specification. Most organizations can get by with a Mac mini of some variety. Even if you opt for the build-to-order variety and boost that internal disk to a 2 TB SSD, it will be a fraction of the cost of a Mac Pro.

One thing that you should also consider, particularly if you are planning to use the Mac primarily as a Profile Manager server, is the cloud-hosted model. There are a couple of vendors out there that provide Mac servers in the cloud. The most popular is MacStadium, where you can get access to a bare metal Mac server for a low monthly fee. You can explore these options at www.macstadium.com.

Backup

As we discussed in Chapters 2 and 3, you can either opt for a cloud-based backup solution or use Time Machine to back up your Mac server to an attached external disk. The one requirement for a server backup solution is that it back up the entire disk and any attached storage: all of the user data, the configuration, and any applications running on your Mac server. For this reason, stay away from solutions like iCloud, OneDrive, or Dropbox, as those only synchronize the user’s home directory and not the entire disk.

Pro Tip

If you are going to use a Time Machine drive or some other kind of attached storage for backing up your servers, be sure to implement some kind of regimen of rotating those drives to a secure off premises storage facility. Many organizations have data recovery sites or third-party services that will store backup drives off-site in case of a fire or other natural disasters. You should do the same with your Time Machine drives on a regular basis.

Initial Configuration

At this point you should have selected a suitable solution for your Mac server, storage, and backup. The next thing we need to do is install a fresh copy of macOS Catalina on the server. So boot into Internet Recovery mode or use a bootable USB installer to boot your Mac, use Disk Utility to partition and/or format the drive, and then install a copy of macOS.

Once it has finished installing the OS, step through the Setup Assistant. Create a local Administrator account on the machine and sign into that account. Once you have reached the local Administrator user’s Desktop, change the wallpaper to something that signifies that this is the server. I like to use some shade of gray, although some system administrators like to create a custom server wallpaper. Your server should look like mine does in Figure 7-1.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig1_HTML.jpg
Figure 7-1

macOS is installed on our server

Pro Tip

Why do we care what the wallpaper is on our server? I tend to remote control into my servers and run them headless (without a monitor) in my data center. When I’m using a Screen Sharing window, it is helpful to remind me which system I’m on and to remind me to sign out after the session.

Next, run Software Update and install all the available patches and security updates available for your Mac. This will ensure we’re running the latest security and bug fixes.

Finally, open the Energy Saver System Preference and set the computer to never sleep, uncheck the box to put the hard disks to sleep whenever possible, and check the box to allow it to restart automatically after a power failure. These settings will ensure that your server performs optimally and can reduce the risk of having the server go offline after a power-related event.

Network Settings

The first thing we need to do is configure a name for our server and a static IP address. Using the Sharing System Preference, name your server. I’m going to call mine “MacServer.” If you have multiple existing servers, you may have a standardized server naming convention that you will want to use. This configuration assumes that you are simply sharing some data on the internal local area network.

Pro Tip

Double-check that the Computer Name, the Local Hostname (the Bonjour name, which ends in .local), and the Unix hostname all agree. As you can see in Figure 7-2, I have configured all three of my server names to match.

../images/492151_1_En_7_Chapter/492151_1_En_7_Fig2_HTML.jpg
Figure 7-2

Use the Terminal to verify the hostnames

Next, we need to assign the static IP address to our server so that it remains consistent when we use services like file sharing. Open the Network System Preference, click the active network connection (Wi-Fi or Ethernet), and click the Advanced button and select the TCP/IP tab. We need to set a static IP address that isn’t going to conflict with other computers on our network. You will need to consult with your Network Administrator or check your DHCP or router settings to determine the correct IP address, subnet mask, and gateway/router for this step. Figure 7-3 shows my complete IP address settings.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig3_HTML.jpg
Figure 7-3

Set a static IP address for our server

Pro Tip

I have reserved the range of 192.168.1.2–192.168.1.9 for static IP addresses on my router. I’m going to use 192.168.1.9 as my static IP address for the MacServer.

In addition to configuring a static IP address, we also need to click the DNS tab and enter our DNS server information. In my network, my router is also my DNS server, so I’m entering 192.168.1.1 as my DNS server. You may also need to consult with your Network Administrator to determine the IP address for your DNS server. Figure 7-4 shows the static DNS server entry for my network.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig4_HTML.jpg
Figure 7-4

Add a static DNS server

Pro Tip

If you are unsure of your DNS settings, you can also switch your Mac back to DHCP temporarily and see what information is automatically populated in the DNS tab and then replicate that into the static DNS entry after changing back to the Manual address option.

Once you have set your DNS and static IP address information, open Safari and hit a web site like www.apple.com and make sure it resolves. You should see something similar to Figure 7-5 where you are able to successfully browse the Web. I would encourage you to use the Network Utility to ping various internal IP addresses and try to ping your server from another computer just to make sure everything is communicating properly on the local area network.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig5_HTML.jpg
Figure 7-5

Browse the Web to make sure your network settings are correct

Pro Tip

If your Mac is going to be participating in a larger network, for example, a Windows-based network, make sure your Windows system administrator or Network Administrator creates a DNS entry for your hostname and a reverse DNS entry for the IP address. Your clients should be able to use nslookup or the Lookup option in the Network Utility and return the hostname by IP and the IP by hostname.
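Figure 7-2 checks the names in the Terminal; the script below, an added example rather than anything from the book, does this whole section from the command line. It sets the Computer Name, Local Hostname, and Unix hostname with scutil, the static address and DNS server with networksetup, and then verifies that forward and reverse DNS agree, as the Pro Tip above recommends. The addresses are the ones used above; the network service name Ethernet, the subnet mask 255.255.255.0, and the domain example.com are assumptions to replace with your own. Run it on the server with the argument apply to make the changes; without that argument it only defines the functions.

```shell
#!/bin/sh
# Added example, not from the book. Sets the three server names, a static
# address and DNS server, then verifies that forward and reverse DNS agree.
# Assumptions: network service "Ethernet", mask 255.255.255.0, domain example.com.
set -eu

SERVICE="Ethernet"                 # see: networksetup -listallnetworkservices
COMPUTER_NAME="MacServer"
FQDN="macserver.example.com"       # placeholder domain
IP=192.168.1.9
MASK=255.255.255.0
GATEWAY=192.168.1.1
DNS=192.168.1.1

# expected_local_name NAME: the Bonjour (Local Hostname) form of a computer
# name; macOS replaces spaces with hyphens and drops everything except
# letters, digits and hyphens
expected_local_name() {
  printf '%s' "$1" | tr ' ' '-' | tr -cd 'A-Za-z0-9-'
}

# names_consistent COMPUTER LOCAL HOST: succeeds when the Local Hostname is the
# Bonjour form of the computer name and the first label of the Unix hostname
# matches it as well (compared case-insensitively, as DNS names are)
names_consistent() {
  want=$(expected_local_name "$1" | tr '[:upper:]' '[:lower:]')
  have_local=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  have_host=$(printf '%s' "${3%%.*}" | tr '[:upper:]' '[:lower:]')
  [ -n "$want" ] && [ "$want" = "$have_local" ] && [ "$want" = "$have_host" ]
}

set_names() {
  sudo scutil --set ComputerName "$COMPUTER_NAME"
  sudo scutil --set LocalHostName "$(expected_local_name "$COMPUTER_NAME")"
  sudo scutil --set HostName "$FQDN"
}

set_network() {
  sudo networksetup -setmanual "$SERVICE" "$IP" "$MASK" "$GATEWAY"
  sudo networksetup -setdnsservers "$SERVICE" "$DNS"
}

# verify_dns: the A record for the FQDN must be our address, and the PTR for
# our address must name the FQDN (what nslookup from a client should show)
verify_dns() {
  fwd=$(dig +short "$FQDN" A | head -n 1)
  rev=$(dig +short -x "$IP" | head -n 1 | sed 's/\.$//')
  [ "$fwd" = "$IP" ] && [ "$rev" = "$FQDN" ]
}

if [ "$(uname)" = Darwin ] && [ "${1:-}" = apply ]; then
  set_names
  set_network
  if names_consistent "$(scutil --get ComputerName)" "$(scutil --get LocalHostName)" "$(scutil --get HostName)"; then
    echo "names agree"
  else
    echo "names differ: compare scutil --get ComputerName, LocalHostName and HostName"
  fi
  verify_dns && echo "DNS forward and reverse agree" || echo "DNS mismatch for $FQDN / $IP"
fi
```

The name check is deliberately strict about the first DNS label only, so a Unix hostname that is a fully qualified domain name (which the Server app later asks for) still passes as long as it begins with the Bonjour name.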

Configuring Remote Access

As I mentioned earlier, I typically run my servers without an attached monitor, keyboard, or mouse. When I need to interact with the server, I will use Screen Sharing or remote control from my primary workstation. You can use a VNC client or another Mac using the Finder to remote control the server, or you can use Apple Remote Desktop (ARD). Figure 7-6 shows the two different configuration options, depending on whether you plan to use ARD or not. Using the Sharing System Preference, enable either the Screen Sharing option or the Remote Management option. Under Computer Settings…, leave VNC viewers may control screen with password unchecked unless you genuinely need a third-party VNC client; that option accepts a single shared password from any VNC client instead of your user accounts’ credentials.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig6_HTML.jpg
Figure 7-6

Enabling Screen Sharing on your Mac server

Pro Tip

Another useful service to enable for remote administration is Secure Shell (SSH). The friendly name of that service in the Sharing System Preference is Remote Login. Enabling SSH lets you administer your Mac server from the command line interface. If you turn it on, choose Only these users under Allow access for and limit it to the Administrators group rather than leaving it open to every account on the machine.

I am planning to use Apple Remote Desktop, so I will configure that service; and then using the ARD application on my primary Mac, I will add the MacServer computer to my server’s computer list using the same steps we followed in Chapter 6. If you are using ARD, you’ll see something similar to Figure 7-7 when you have finished adding the MacServer to your console.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig7_HTML.jpg
Figure 7-7

Adding my server to the ARD console on my Mac workstation

Pro Tip

Depending on the size and design of your network, your Network Administrator may have divided your network into various smaller subnets. In some cases, due to security reasons, servers are placed in a subnet that is separate from your client systems. If this is the case in your network, when you use the ARD scanner to search for a server, it may not find it. You may have to add the computer manually using the Add By Address option.

Server Security Considerations

When it comes to configuring a server, you really want to try to disable any services that are not going to be used. In this way, you are limiting the number of possible vulnerabilities that could exist and therefore be exploited. This is not an exhaustive list of things you must lock down to secure your server, but it gives you a starting point. Nothing is 100% safe from hackers or other security threats.

Here are some recommended changes to consider when you deploy a Mac server:
  • Disable the Guest User: Open the Users & Groups System Preference and click the Guest User from the list of users in the left-side pane. Make sure Allow guests to log in to this computer and Allow guest users to connect to shared folders are both unchecked.

  • Disable Power Controls on the Login Screen: While in the Users & Groups System Preference, click the Login Options button. Uncheck the box next to Show the Sleep, Restart, and Shut Down buttons.

  • Disable Automatic Login: While in the Login Options, make sure that Automatic login is set to Off.

  • Disable the List of Users: While in the Login Options, choose to Display login window as Name and password.

  • Enable Software Update for Security Patches Only: Open the Software Update System Preference and click the Advanced… button. It is up to you if you want to automatically install all updates or not, but at bare minimum, make sure that the Install system data files and security updates box is checked. That way it will automatically patch your Mac server with important security updates.

  • Enable a Screen Saver Password: Open the Security & Privacy System Preference. Click the General tab and check the box next to Require password after sleep or screen saver begins. Set the drop-down to immediately.

  • Enable FileVault: Click the FileVault tab and enable FileVault encryption.

  • Enable the Firewall: Click the Firewall tab. Turn on the Firewall and then use the Firewall options as detailed in Chapter 3 of this book to configure the level of security you want and any application exceptions.

  • Disable Location Services: Click the Privacy tab and then click Location Services on the left-side pane. Uncheck the box next to Enable Location Services.

  • Disable Analytics: While you are still on the Privacy tab, click the Analytics button on the left-side pane. Uncheck Share Mac Analytics and uncheck Share with App Developers.

  • Disable Bluetooth: Open the Bluetooth System Preference. Click the Turn Bluetooth Off button to disable it.

  • Turn Off Wi-Fi: Assuming you are using Ethernet to connect your server to the network, we should turn off the Wi-Fi radio. Open the Network System Preference and click the Wi-Fi button on the left-side pane. Click the Turn Wi-Fi Off button to disable it.

  • Log Out of iCloud: If you signed into iCloud during the Setup Assistant process, go to the iCloud System Preference and sign out of iCloud.
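The items above, along with the Energy Saver settings and Remote Login from earlier in the chapter, can also be applied and re-checked from the Terminal, which is useful when you build more than one server or want to confirm later that nothing has drifted. The script below is an added example, not code from the book. It assumes the Wi-Fi interface is en1 (check with networksetup -listallhardwareports) and leaves FileVault (sudo fdesetup enable, which prompts interactively), Location Services, Analytics, the screen saver password, and the iCloud sign-out to System Preferences. Run it with the argument apply to change settings; without it, it only reports drift.

```shell
#!/bin/sh
# Added example, not from the book: Terminal equivalents of the server
# security checklist plus Energy Saver and Remote Login, with a read-back audit.
# Assumptions: Wi-Fi interface en1; FileVault, Location Services, Analytics,
# screen saver password and iCloud sign-out are handled in System Preferences.
set -eu

LOGINWINDOW=/Library/Preferences/com.apple.loginwindow
SWUPDATE=/Library/Preferences/com.apple.SoftwareUpdate
SMB=/Library/Preferences/SystemConfiguration/com.apple.smb.server
BLUETOOTH=/Library/Preferences/com.apple.Bluetooth
SFW=/usr/libexec/ApplicationFirewall/socketfilterfw
WIFI_IF=en1   # assumption; see networksetup -listallhardwareports

harden() {
  sudo defaults write "$LOGINWINDOW" GuestEnabled -bool false           # Allow guests to log in: off
  sudo defaults write "$SMB" AllowGuestAccess -bool false                # guests on shared folders: off
  sudo defaults write "$LOGINWINDOW" PowerOffDisabled -bool true         # hide Sleep/Restart/Shut Down
  sudo defaults delete "$LOGINWINDOW" autoLoginUser 2>/dev/null || true  # Automatic login: Off
  sudo defaults write "$LOGINWINDOW" SHOWFULLNAME -bool true             # login window: Name and password
  sudo defaults write "$SWUPDATE" AutomaticCheckEnabled -bool true
  sudo defaults write "$SWUPDATE" ConfigDataInstall -bool true           # system data files and
  sudo defaults write "$SWUPDATE" CriticalUpdateInstall -bool true       # security updates
  sudo "$SFW" --setglobalstate on                                        # Firewall: on
  sudo "$SFW" --setstealthmode on
  sudo defaults write "$BLUETOOTH" ControllerPowerState -int 0           # Bluetooth: off
  sudo killall -HUP bluetoothd 2>/dev/null || true
  sudo networksetup -setairportpower "$WIFI_IF" off                      # Wi-Fi: off
  sudo systemsetup -setcomputersleep Never                               # Energy Saver
  sudo systemsetup -setharddisksleep Never
  sudo systemsetup -setrestartpowerfailure on
  sudo systemsetup -setremotelogin on                                    # Remote Login (SSH): on
  # Restrict SSH to administrators (the "Only these users" option in Sharing)
  sudo dseditgroup -o read com.apple.access_ssh >/dev/null 2>&1 \
    || sudo dseditgroup -o create com.apple.access_ssh
  sudo dseditgroup -o edit -a admin -t group com.apple.access_ssh
}

# to_bool VALUE: normalize what `defaults read` prints (1/0, true/false, YES/NO) to 1 or 0
to_bool() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|true|yes) echo 1 ;;
    *)          echo 0 ;;
  esac
}

# judge LABEL ACTUAL EXPECTED: print PASS or FAIL; returns 1 when the setting has drifted
judge() {
  if [ "$(to_bool "$2")" = "$3" ]; then
    echo "PASS $1"
  else
    echo "FAIL $1 (current value: $2)"
    return 1
  fi
}

# read_pref DOMAIN KEY: the stored value, or "missing" when the key is not set
read_pref() {
  defaults read "$1" "$2" 2>/dev/null || echo missing
}

audit() {
  rc=0
  judge "guest login disabled"             "$(read_pref "$LOGINWINDOW" GuestEnabled)"      0 || rc=1
  judge "SMB guest access disabled"        "$(read_pref "$SMB" AllowGuestAccess)"           0 || rc=1
  judge "power buttons hidden at login"    "$(read_pref "$LOGINWINDOW" PowerOffDisabled)"  1 || rc=1
  judge "login window asks name/password"  "$(read_pref "$LOGINWINDOW" SHOWFULLNAME)"      1 || rc=1
  auto=$(read_pref "$LOGINWINDOW" autoLoginUser)
  judge "automatic login off" "$([ "$auto" = missing ] && echo no || echo yes)" 0 || rc=1
  judge "security updates install automatically" "$(read_pref "$SWUPDATE" CriticalUpdateInstall)" 1 || rc=1
  judge "firewall on" "$(sudo "$SFW" --getglobalstate | grep -c enabled)" 1 || rc=1
  return $rc
}

if [ "$(uname)" = Darwin ]; then
  if [ "${1:-}" = apply ]; then harden; fi
  audit || echo "settings have drifted from the checklist; rerun with: apply"
fi
```

The audit reads the same preference domains the System Preference panes write to, so a FAIL line tells you which checkbox someone flipped back, and the script is safe to schedule as a periodic check.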

Configuring Basic Server Services

Now that we have our Mac server ready to go, we can begin enabling some services. In this section, we are going to explore the server-class functions that are bundled with the core macOS client operating system. These are the most popular services found on Mac servers and include content caching, file services, print services, and web services.

Content Caching

One of the most popular features that was previously included in macOS Server but has been subsequently moved to the core macOS installation is content caching. This service runs on a device on your network and listens for clients that are downloading content from Apple or Apple-hosted services like the iBooks, App Store, Mac App Store, and so on. Then as that first client downloads the content, the computer running the content caching service downloads a copy and retains it. When the second, third, or any other device on the same subnet attempts to download that content, it gets copied from the cache server instead of being downloaded again over the Internet.

This solution has been extremely popular in businesses and schools that have multiple clients that share an Internet connection. I have used this with 1:1 iPad deployments and labs of Macs that need to download and install the same security updates or macOS releases, and it really speeds up the installation and saves on bandwidth utilization.

To enable the content caching service, open the Sharing System Preference and enable the checkbox next to Content Caching as shown in Figure 7-8. You can select which content to cache, and I usually stick to the default All Content option. If you also want iOS devices connected to this Mac over USB (for example, through Apple Configurator) to use its connection and cache, check the box next to Internet Connection.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig8_HTML.jpg
Figure 7-8

Enabling content caching on our server

Because this can take a fair amount of space on your server’s hard disk, you can click the Options... button and choose how much disk space you want to devote to caching. Once the cache space is full, the service will make room for new content by deleting the oldest data first.

File Sharing

The next most common service that runs on Mac servers is file sharing. To enable local network file sharing, open the Sharing System Preference and click the checkbox next to File Sharing. By default, macOS shares files on the network using SMB. If for some reason you need the legacy Apple Filing Protocol (AFP), for example for very old Mac clients, you can click the Options… button and check the box next to Share files and folders using AFP. We will leave that unchecked as we do not need AFP. In the same Options pane, enabling an account under Windows File Sharing stores that user’s password in a less secure form (macOS warns you when you check the box), so turn it on only for accounts that actually need it.

Adding shared folders is pretty simple and straightforward. Create a folder on the Desktop to use as a test. Typically you would want to create your folders inside of an attached volume like a Thunderbolt disk drive, but for our purposes in this example, we’ll just use the Desktop. Name the folder “Mac Shared File.”

Back in the Sharing System Preference under File Sharing, click the + button and select the Mac Shared File folder. Set the permissions as shown in Figure 7-9. We are using very simple permissions with only one user account that is able to connect to the shared folder. The Administrator has Read & Write, the group Staff has Read Only, and Everyone else will not be able to access the file share.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig9_HTML.jpg
Figure 7-9

Enabling the file sharing service and configuring permissions

This is the simplest form of file sharing because we are limiting access to the share based on the single user account on this particular Mac—Administrator. There is only one member of the Staff group, and that is the Administrator account. If we were to create additional users on this Mac, and if they were members of the Staff group, they would be able to read the contents of the file share but not write to it.

Printer Sharing

Printer sharing is pretty simple and straightforward as well. The first step involves connecting a print queue to your Mac using the Printers & Scanners System Preference. As you can see in Figure 7-10, I have connected to an IP printer on my network, and now I want to share this printer queue with other Macs on my network.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig10_HTML.jpg
Figure 7-10

Add one or more print queues to the Printers & Scanners System Preference

To do this, open the Sharing System Preference and click the checkbox next to Printer Sharing to enable the service. You will see the list of print queues on my server in the next pane. Check the box next to the printer to share that queue and then set permissions with the rightmost pane. The default is Everyone Can Print as shown in Figure 7-11. You can also add additional users and groups and restrict access to these print queues by user or group.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig11_HTML.jpg
Figure 7-11

Sharing a printer and setting permissions

Web Server

While Apple has removed the UI for turning on the Apache web server that is built into macOS, you can still enable it via the command line. Open the Terminal and enter sudo apachectl start at the prompt to enable the built-in Apache web server as shown in Figure 7-12.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig12_HTML.jpg
Figure 7-12

The command to start the Apache service

Enter your Administrator password, and this will turn the Apache web server on. We can test to make sure it is running by going to http://localhost in the Safari browser as shown in Figure 7-13. It works!
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig13_HTML.jpg
Figure 7-13

Confirmation that the web server is up and running

The built-in HTML file that displays “It works!” can be found by browsing the Finder to /Library/WebServer/Documents/index.html. Any other HTML file you place in this directory is published by the web server. Try it by creating a simple HTML file in TextEdit (choose Format > Make Plain Text first so it is saved as HTML rather than rich text) and saving it to the same directory as index2.html. Next, browse to http://localhost/index2 as shown in Figure 7-14 (the stock configuration has MultiViews enabled, so the .html extension is optional). This confirms that the web server is up and running, and you are able to add new content to your web site.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig14_HTML.jpg
Figure 7-14

Confirmation that you can upload new content to the web site hosted on your Mac
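The configuration that apachectl start loads is /etc/apache2/httpd.conf, and as shipped it listens on every interface of the server and advertises the Apache version in its responses. Before you expose the site beyond localhost, it is worth auditing those settings. The script below is an added example, not anything from the book: it reads the last active value of a few directives, flags weak ones, prints recommended replacement lines (edit the existing Listen and Options lines rather than adding duplicates), and on the server shows what is actually listening on port 80. The only assumption is the stock configuration path.

```shell
#!/bin/sh
# Added example, not from the book: audit the built-in Apache configuration
# before exposing it. Assumes the stock config path /etc/apache2/httpd.conf.
set -eu

HTTPD_CONF=${HTTPD_CONF:-/etc/apache2/httpd.conf}

# directive FILE NAME: last active (uncommented) value of a directive, empty if unset
directive() {
  awk -v name="$2" 'tolower($1) == tolower(name) { v = $2 } END { print v }' "$1"
}

# audit_httpd_conf FILE: print one line per weak setting; returns the number found
audit_httpd_conf() {
  f=$1
  findings=0
  if [ "$(directive "$f" ServerTokens)" != "Prod" ]; then
    echo "FAIL ServerTokens is not Prod: the Server header reveals Apache and module versions"
    findings=$((findings + 1))
  fi
  if [ "$(directive "$f" ServerSignature)" != "Off" ]; then
    echo "FAIL ServerSignature is not Off: error pages carry a version footer"
    findings=$((findings + 1))
  fi
  # Any Options line that turns directory listings on (Indexes or +Indexes; -Indexes is fine)
  if awk 'tolower($1) == "options" { for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") found = 1 }
          END { exit !found }' "$f"; then
    echo "FAIL Options Indexes is enabled: directories without an index file are listed"
    findings=$((findings + 1))
  fi
  listen=$(directive "$f" Listen)
  case "$listen" in
    "")  ;;   # no Listen directive in this file (it may live in an Include)
    *:*) ;;   # bound to a specific address
    *)   echo "WARN Listen $listen binds every interface; use Listen 127.0.0.1:$listen while testing"
         findings=$((findings + 1)) ;;
  esac
  return "$findings"
}

# recommended_directives: replacement lines for a test server that should only
# answer locally; change the address once the site is meant to be reachable
recommended_directives() {
  cat <<'EOF'
Listen 127.0.0.1:80
ServerTokens Prod
ServerSignature Off
<Directory "/Library/WebServer/Documents">
    Options -Indexes FollowSymLinks
</Directory>
EOF
}

if [ "$(uname)" = Darwin ]; then
  if audit_httpd_conf "$HTTPD_CONF"; then
    echo "no findings in $HTTPD_CONF"
  else
    echo "$? weak setting(s) in $HTTPD_CONF; recommended directives:"
    recommended_directives
  fi
  sudo lsof -nP -iTCP:80 -sTCP:LISTEN || true   # who is actually listening on port 80
  # after editing the file: sudo apachectl configtest && sudo apachectl restart
fi
```

Run apachectl configtest after every edit; a typo in httpd.conf stops Apache from starting at all, which you would otherwise only notice when http://localhost stops answering.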

You can also install PHP, MySQL, and other web technologies on your Mac web server if required. The configuration of those additional services is outside the scope of this book, but there are many good tutorials online that can step you through the process. If you are a web developer and want to use your Mac workstation as a web server for development and testing purposes, there are also tools like MAMP that can install a LAMP stack-style development environment on your Mac in a snap. You can find out more by visiting www.mamp.info/en/.

Configure macOS Server Services

In this section, we will configure services that are only available after you purchase and install the macOS Server application.

Installing macOS Server

As you can probably guess, Apple makes the macOS Server application available for $19.99 on the Mac App Store, and the current version as of this writing is 5.9. Go ahead and purchase and download it as shown in Figure 7-15.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig15_HTML.jpg
Figure 7-15

Downloading the macOS Server application on the Mac App Store

Pro Tip

Each time Apple releases a new version of their operating system, they release a new update to macOS Server. For this reason, the current version of macOS Server requires Catalina. If you attempt to install it on an older Mac that isn’t running Catalina, you can opt for a slightly older version of macOS Server. The primary differences in the last few releases have been additional Profile Manager payloads that are specific to the more recent releases of iOS and macOS.

We are going to install macOS Server on macOS 10.15 so we can take full advantage of all of the new payloads for iOS 13 and macOS Catalina. Once the application is finished downloading from the Mac App Store, browse to the /Applications folder and open the Server application to continue with the installation and configuration.

Once you agree to the terms and conditions, the various services will be installed as shown in Figure 7-16.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig16_HTML.jpg
Figure 7-16

Configuring your Mac for the first run of the Server application

Once the Server application completes its configuration and installation, you will be presented with a window like the one shown in Figure 7-17. This is the main GUI for managing your server services including Profile Manager, Xsan, and Open Directory. There are also links to view the server logs, hardware statistics, and any alerts. You can see the Host Name, Computer Name, and if the server is reachable over the Internet.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig17_HTML.jpg
Figure 7-17

The details of our server including uptime, IP address, and Host Name

Pro Tip

If your server’s Host Name is not a fully qualified domain name (FQDN), you may need to click the Edit Host Name button and step through the Assistant to configure it as such. If you plan to use this server with Profile Manager, you should take this opportunity to register a domain name that will be used on the Internet and reconfigure your server name accordingly.

You can click the Settings tab and enable or disable remote access services. Note that you can enable SSH and Screen Sharing or Apple Remote Desktop here or in the Sharing System Preference. You can also allow access to the server using the Server app running on a remote Mac. That would allow you to install the Server app on the Mac in your office and then use it to control this server. The Access tab allows you to manage the users with permission to these remote access services and if they are reachable over the Internet or just on the local area network as shown in Figure 7-18.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig18_HTML.jpg
Figure 7-18

Configuring server access settings

Pro Tip

Internet reachability is Apple's term for which services (if any) on this server can be reached from the public Internet. This capability depends on your network configuration. I have an internal IP address configured on this server, but I have also configured my router to allow incoming connections to this server in my DMZ. If you plan to use this server as an MDM using Profile Manager, you will need to work with your Network Administrator to make the changes that allow this server to be reached over the Internet. Forward only the ports the published service actually needs rather than exposing every port on the host, and treat any service the reachability test lists that you did not intend to publish as a misconfiguration. You can use Apple's Internet reachability test to validate those network settings and identify which services are available via the Internet.

A Mac can have more than one directory domain. In the default installation, you will only have the Local Directory domain. This is where the users and groups we create on our Mac using the Users & Groups System Preference exist. Members of this domain can log in to the Mac workstation and can access network resources provided that they have the appropriate permissions to those resources; once the Server app is installed, they can be managed either in the Users & Groups System Preference or in the Server application under the Accounts section, as shown in Figure 7-19.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig19_HTML.jpg
Figure 7-19

The User Account window in macOS Server

As you can see, we only have one user account, the local Administrator account. I could add additional users here or click the Groups section and add additional groups and populate members of those groups. These accounts only govern the resources on this specific computer. I cannot use accounts that I create here to access shared resources on another computer. This is why they are part of the Local domain.

If I want to create users and groups that govern access to resources on multiple machines, I need to create those accounts in a Network domain. Network accounts allow me to create a single user that can sign into other computers, access shared resources on this computer or other computers if they have the permission to those resources, and generally simplify the administration of user accounts and data security across my entire network. To use this Network domain, we must have a directory service available to contain these user accounts and groups.

Open Directory

Open Directory is Apple's Network Directory domain service. It is built on OpenLDAP and speaks the LDAPv3 protocol, with a Kerberos KDC and Apple's Password Server handling authentication. Many large organizations will already have an LDAP directory that contains all of their network user accounts and shared resources; the most common is Microsoft's Active Directory. If you are already running Active Directory, you should plan to use it as the network account directory domain for your Mac clients instead of turning on the Open Directory service. We will cover Active Directory integration in greater detail in Chapter 11.

If your organization does not already have a Network Directory, Open Directory can be configured using the Server application. If you do not see Open Directory listed on the sidebar under the Advanced heading as shown in Figure 7-20, click the View menu and select Open Directory. This will add it to the sidebar.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig20_HTML.jpg
Figure 7-20

Adding Open Directory as an available service if it doesn’t already exist in the sidebar

Create an Open Directory Master
We are going to enable Open Directory on this server, so click the Open Directory button on the sidebar and then click the on/off switch in the top-right corner to enable the service. The Configure Network Users and Groups Setup Assistant will appear and prompt you to choose to create a new Open Directory domain, restore from an archive, or join an existing Open Directory domain as a replica. Select the option to Create a new Open Directory domain as shown in Figure 7-21 and click the Next button to continue.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig21_HTML.jpg
Figure 7-21

Choose to create a new Open Directory domain

Windows Pro Tip Microsoft system administrators will recognize the idea of a master and replicas. Windows NT domains, the predecessor of Active Directory, had a single Primary Domain Controller that accepted all changes and one or more Backup Domain Controllers that held read-only copies; Active Directory replaced that design with multi-master replication, although one domain controller still holds the PDC Emulator role. Open Directory follows the older single-master model: every directory change is written to the Open Directory Master, and Open Directory Replicas synchronize read-only copies from it and share the load of answering client requests.

The next step is to create an Administrator account for the new Open Directory domain. You can specify a username and password here or use the default Directory Administrator (diradmin) account. I am going to stick with the default for this example. Enter a strong password as shown in Figure 7-22 and click the Next button to continue. Use a different password than the one you use for the local Administrator account that logs in to the server: the directory administrator can change every network account's password, so a compromise of one account should not hand an attacker the other.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig22_HTML.jpg
Figure 7-22

Create a username and password for the admin account for Open Directory

Pro Tip When you create Network Accounts in Open Directory, their names must not collide with Local Account names on the client or server systems. When the login window authenticates a user, it first looks for a matching account in the Local Directory domain of that Mac; only if it finds none does it go up a level to the Network Directory domain. If an account in the Local domain has the same name as an account in the Network domain, the login will always use the local account, because the search stops at the first match.
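As an added check (example code written for this chapter, not the book's own material), the script below compares the account names in a Mac's Local domain with those in the Network domain and reports the collisions the tip warns about, which is worth running before you bind clients. The two listings are constructed to look like the output of `dscl . -list /Users` and `dscl /LDAPv3/127.0.0.1 -list /Users`; on a real system you would paste in the actual output of those commands. Which names count as system accounts (a leading underscore, plus root, daemon and nobody) is an assumption, and names are compared case-insensitively on purpose so that near-collisions are reported too.

```python
"""Find Local/Network account-name collisions before binding Macs to Open Directory.

Added example; not code from the book. Input is the one-name-per-line
listing produced by `dscl <node> -list /Users`, captured from the Local
Directory ('.') and from the Open Directory node ('/LDAPv3/127.0.0.1' on
the master). Both samples below are constructed.
"""
from typing import List, Optional

# Constructed sample: what `dscl . -list /Users` might print on the server.
LOCAL_USERS_OUTPUT = """\
_spotlight
_www
daemon
nobody
root
admin
User1
"""

# Constructed sample: what `dscl /LDAPv3/127.0.0.1 -list /Users` might print.
NETWORK_USERS_OUTPUT = """\
diradmin
User1
User2
User3
"""

# Assumption: accounts the OS created for itself. macOS names its service
# accounts with a leading underscore; the Server app's Hide System Accounts
# toggle hides these (and a few classic Unix accounts).
SYSTEM_NAMES = {"root", "daemon", "nobody"}


def parse_dscl_list(output: str, include_system: bool = False) -> List[str]:
    """Parse a `dscl ... -list /Users` listing into account names."""
    names = []
    for line in output.splitlines():
        name = line.strip()
        if not name:
            continue
        if not include_system and (name.startswith("_") or name in SYSTEM_NAMES):
            continue
        names.append(name)
    return names


def resolve_login(username: str, local: List[str], network: List[str]) -> Optional[str]:
    """Model the login window's search order: Local domain first, then Network.

    Names are compared case-insensitively; that is deliberately conservative,
    so names differing only in case are reported as a collision as well.
    Returns "local", "network", or None when no account matches.
    """
    wanted = username.lower()
    if any(n.lower() == wanted for n in local):
        return "local"          # found here, so the search stops
    if any(n.lower() == wanted for n in network):
        return "network"
    return None


def find_collisions(local: List[str], network: List[str]) -> List[str]:
    """Network accounts that are shadowed by a same-named Local account."""
    return [n for n in network if resolve_login(n, local, network) == "local"]


if __name__ == "__main__":
    local = parse_dscl_list(LOCAL_USERS_OUTPUT)
    network = parse_dscl_list(NETWORK_USERS_OUTPUT)
    for name in find_collisions(local, network):
        print(f"{name}: exists in both domains; the Network account is unreachable on this Mac")
    for name in network:
        print(f"{name} -> {resolve_login(name, local, network)}")
```

With the constructed listings, User1 is reported as a collision (it was created locally earlier in the chapter and again as a network user), while User2 and User3 resolve to the Network domain.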

Step through the rest of the Setup Assistant and click the Set Up button to finish the initial configuration of the Open Directory Master. When the Assistant completes, you will see the Open Directory service is on; and if you click the Users or Groups button, you’ll have a slightly modified interface that shows a drop-down menu for filtering your accounts and a column that designates the directory domain the account exists within as shown in Figure 7-23.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig23_HTML.jpg
Figure 7-23

After configuring Open Directory, we now have both a Local Directory and Network Directory

At this point, we have configured our Open Directory Master. From here, you could configure additional servers to act as Replicas. If you have multiple locations and multiple servers, you may want to configure Locales. These can be configured in the Open Directory service window, and you can specify which servers should respond to requests from clients of a particular subnet. That way clients can query the nearest OD server depending on which network they reside on.

You can also view all of your Open Directory servers in the Servers section as shown in Figure 7-24. This is where you can select a particular server and create an archive of the Open Directory Master so that you can restore it later if something were to happen to it. You can also promote one of your Replicas as a new Master if required.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig24_HTML.jpg
Figure 7-24

Additional options for Replicas, Locales, and backing up your Master directory to an archive

Create Network Users and Groups
Next, let’s start using this new directory by populating some Network users and groups. Click the Groups button in the sidebar and click the + button as shown in Figure 7-25. Create a group called “Executive Team.” Make sure that the Directory option is Local Network Directory and not Local Directory. It should look something like Figure 7-26.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig25_HTML.jpg
Figure 7-25

Adding a new Group

../images/492151_1_En_7_Chapter/492151_1_En_7_Fig26_HTML.jpg
Figure 7-26

Create the Executive Team Network Group

Once we have that group created, we need to put some users into the group. Click the Users button on the sidebar to switch to the Users tab. Click the + button and create a new user named “User1” and a password of your choosing. Make sure you add this as a Local Network Directory account. Once you have created the account, click the All Users pop-up menu as shown in Figure 7-27 and choose Local Network Users.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig27_HTML.jpg
Figure 7-27

Use the pop-up menu to filter out your local users

Next, click the gear pop-up menu as shown in Figure 7-28 and choose the Edit Password Policy… option. We can use this to set a minimum security policy for our end users' passwords. Go ahead and check the following boxes to set some basic requirements:
  • Differ from account name

  • Contain at least 8 characters

  • Be reset every 3 months

Click the OK button to continue. Treat these settings as a floor, not a target: 8 characters is the least a policy should accept, and current guidance (NIST SP 800-63B) advises against forced periodic resets in favor of longer passwords, a lockout after repeated failed logins, and resets only when a compromise is suspected, so adjust the expiration setting to your organization's policy.
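To confirm from the command line that the policy you just set is the one in effect, and to catch it being loosened later, here is an added example (not the book's own code) that audits the global policy. On the Open Directory master the policy is read with `pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -getglobalpolicy`; the samples below are constructed in the shape of that output, space-separated key=value pairs using the legacy Password Server policy keys. Mapping the three check boxes to the keys passwordCannotBeName, minChars and maxMinutesUntilChangePassword is my assumption, the `-setglobalpolicy` syntax the helper targets is assumed as well, and the lockout check goes beyond what the chapter configures.

```python
"""Audit the Open Directory global password policy against a required minimum.

Added example; not code from the book. Reads the key=value text that
`pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -getglobalpolicy` prints on the
Open Directory master (assumed format; samples below are constructed).
"""
from typing import Dict, List

MINUTES_PER_DAY = 24 * 60

# Constructed sample: the policy after ticking the three boxes in the Server app
# (90 days = 90 * 24 * 60 = 129600 minutes).
POLICY_AS_CONFIGURED = (
    "usingHistory=0 canModifyPasswordforSelf=1 usingExpirationDate=0 "
    "requiresAlpha=0 requiresNumeric=0 maxMinutesUntilChangePassword=129600 "
    "maxMinutesUntilDisabled=0 maxMinutesOfNonUse=0 maxFailedLoginAttempts=0 "
    "minChars=8 maxChars=0 passwordCannotBeName=1 requiresMixedCase=0 "
    "requiresSymbol=0 newPasswordRequired=0 minutesUntilFailedLoginReset=0"
)

# Constructed sample: a weakened policy (short passwords, name allowed, no expiry).
POLICY_WEAKENED = (
    "usingHistory=0 canModifyPasswordforSelf=1 maxMinutesUntilChangePassword=0 "
    "maxFailedLoginAttempts=0 minChars=4 passwordCannotBeName=0"
)


def parse_policy(text: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; values stay strings."""
    policy = {}
    for token in text.split():
        if "=" not in token:
            continue                      # tolerate stray words in the output
        key, _, value = token.partition("=")
        policy[key] = value
    return policy


def _int(policy: Dict[str, str], key: str) -> int:
    """Numeric policy value; 0 when absent or non-numeric (i.e. not enforced)."""
    try:
        return int(policy.get(key, "0"))
    except ValueError:
        return 0


def audit_policy(policy: Dict[str, str], min_chars: int = 8, max_age_days: int = 90) -> List[str]:
    """Return findings; an empty list means the policy meets the floor.

    max_age_days=0 disables the rotation check, which is what NIST SP 800-63B
    recommends unless a compromise is suspected. The lockout check is not one
    of the book's three boxes; it is the usual companion to a length minimum.
    """
    findings = []
    if _int(policy, "minChars") < min_chars:
        findings.append(f"minChars is {_int(policy, 'minChars')}; requires at least {min_chars}")
    if _int(policy, "passwordCannotBeName") != 1:
        findings.append("passwordCannotBeName is not set; the password may equal the account name")
    if max_age_days:
        age = _int(policy, "maxMinutesUntilChangePassword")
        limit = max_age_days * MINUTES_PER_DAY
        if age == 0 or age > limit:
            findings.append(f"maxMinutesUntilChangePassword is {age}; requires 1..{limit}")
    if _int(policy, "maxFailedLoginAttempts") == 0:
        findings.append("maxFailedLoginAttempts is 0; no lockout after repeated failures")
    return findings


def required_policy_string(min_chars: int = 8, max_age_days: int = 90,
                           lockout_attempts: int = 10) -> str:
    """The key=value string that enforces the floor, intended for
    pwpolicy -a diradmin -n /LDAPv3/127.0.0.1 -setglobalpolicy "<string>" (assumed syntax)."""
    return " ".join([
        f"minChars={min_chars}",
        "passwordCannotBeName=1",
        f"maxMinutesUntilChangePassword={max_age_days * MINUTES_PER_DAY}",
        f"maxFailedLoginAttempts={lockout_attempts}",
    ])


if __name__ == "__main__":
    for label, text in (("as configured", POLICY_AS_CONFIGURED), ("weakened", POLICY_WEAKENED)):
        print(label, audit_policy(parse_policy(text)) or ["no findings"])
    print("fix:", required_policy_string())
```

Run against the "as configured" sample, the only finding is the missing lockout, which is exactly the gap the three boxes leave open; the weakened sample trips every check.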
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig28_HTML.jpg
Figure 7-28

The gear pop-up menu provides access to configure the network users’ password policy

Our next step is to modify our User1 account. Right-click User1 in the Local Network Users screen and choose Edit Access to Services…. Uncheck SSH and Screen Sharing as shown in Figure 7-29 and then click OK.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig29_HTML.jpg
Figure 7-29

Disable this user’s access to SSH and Screen Sharing

Next, right-click the User1 account again and choose Edit User. In the Groups field, click the + button and start typing "Executive Team" into the field. This will add the user to the Executive Team group we created earlier. If User1 is a member of the Workgroup group, click the Workgroup group to highlight it and then click the – button to remove it. When completed, your User1 should look like Figure 7-30. Click the OK button.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig30_HTML.jpg
Figure 7-30

Configure the User1 account as shown

Pro Tip Instead of editing each user account individually, you can also restrict access to the server by going to the server’s Access tab and changing the default User Access to only some users and specifying specific users or groups as shown in Figure 7-31.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig31_HTML.jpg
Figure 7-31

Configuring Default User Access

Finally, now that we have our User1 configured with the correct group, we are going to create a template from this user and create a couple more just like it. To create a template, click User1 to highlight it and then choose Create Template from User… from the gear pop-up menu as shown in Figure 7-32. When prompted, change the Template Name to “Executive User Template” and then leave the other settings as default and click the Done button to save the template.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig32_HTML.jpg
Figure 7-32

Creating a template from the User1 account

Now we are going to create two more users based on the Executive User Template. To do this, click the + button on the Users window, and this time you will see a pop-up menu in the New User window that that will allow you to create a user from a template as shown in Figure 7-33. Select Executive User Template and create User2 and User3 accounts.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig33_HTML.jpg
Figure 7-33

Create a new user from the Executive User Template

Now that we have our three user accounts created, your Users window should look like the one in Figure 7-34. Don’t forget to restrict their access to SSH and Screen Sharing too.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig34_HTML.jpg
Figure 7-34

You should have three user accounts—User1, User2, and User3

Finally, let’s explore the advanced options for a user. Right-click User3 and choose Advanced Options… as shown in Figure 7-35. This will look familiar to you from the Users & Groups System Preference. Just like the local workstation, we can make adjustments like the home directory, login shell, and aliases. The option for configuring a Share Point URL is used for mapping a network drive at login, not to be confused with Microsoft SharePoint. We are not going to make any changes at this time, so click the Cancel button to continue.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig35_HTML.jpg
Figure 7-35

Advanced user settings for User3

Pro Tip

We can see our three user accounts and a couple of groups, but did you know that there are many more users and groups than what we see here that have been placed in our directory by the OS? You can show or hide these System users and groups by right-clicking any user and choosing Show System Accounts or Hide System Accounts to toggle these groups on and off.

Now that we have created a few users and placed them into a group, we want to be able to log in to a workstation with one of these accounts. To do this, we need to bind our macOS clients to the Open Directory domain. Binding a client to the domain lets it search the Network Accounts in addition to the Local Accounts to find a match and allow a Network User to log in to the computer. Any enabled user in the domain can sign in to any computer bound to that domain, so domain membership is not by itself an access control; use the per-user service access settings or the server's Access tab (Figure 7-31) to limit what each account can reach.

Binding macOS Clients to Open Directory
Switch over to one of your test Mac clients and sign in as a local user with administrative rights. Open the Users & Groups System Preference and authenticate to unlock the preference pane. Click the Login Options button as shown in Figure 7-36. Next, click the Join… button next to the Network Account Server prompt.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig36_HTML.jpg
Figure 7-36

Joining a Mac client to a Network Account Server

You will be prompted with a dialog box to select or enter a server. You can enter an IP address or a hostname. If your network is small and simple like mine is for this example, you can also click the drop-down arrow as shown in Figure 7-37, and it may list the server if it is advertising itself on the local network. Enter the server information and click the OK button to continue. If it prompts you to trust the Secure Socket Layer (SSL) certificate provided by the server, confirm that it is the certificate you expect from your server and then click the Trust button to continue.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig37_HTML.jpg
Figure 7-37

Enter the hostname or the server name in the field and click OK

You may receive a message that the server does not use Secure Socket Layer (SSL) authentication. You can click the Continue button past this message for now, since we are not concerned with encryption for this exercise; on anything other than an isolated test network you should fix the certificate first (see the Certificates section later in this chapter), because a client bound without SSL exchanges directory traffic in clear text and has no way to verify that it is talking to the real server. It will prompt you for your local administrator account credentials, and then after a few moments of configuration, you will see your Open Directory server listed next to Network Account Server with a green dot signifying that the connection is working. You may also want to make a couple of changes to the login window as shown in Figure 7-38.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig38_HTML.jpg
Figure 7-38

Our client is now bound to our Open Directory domain, and you may want to change some login window options as shown

Now that we have bound our Mac to the Open Directory, go ahead and log out and then sign in using the User1 account. If all goes well, you should be prompted with a couple of Setup Assistant questions on first login and then dropped into a clean /Users/User1/Desktop directory with all the default new user settings as a Network user. You can confirm this by going to the Users & Groups System Preference or browsing to /Users to see your home directory as shown in Figure 7-39.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig39_HTML.jpg
Figure 7-39

Home directory and Network user account type as shown in the Users & Groups System Preference

Congratulations! You have successfully created an Open Directory domain, populated it with users, bound a client Mac to the domain, and signed in successfully with a Network user account.

Pro Tip

A quick note about file sharing and Open Directory: Prior to macOS Mojave, you could share files and folders and set permissions for Open Directory Network accounts. If you have shared folders on an Open Directory Master or Replica, you will not be able to map those shares even with the local user account, because authentication fails. If you plan to create shares on a Mac and share them with other Macs, the host cannot be running the Open Directory service; and even if you bind that Mac to the Open Directory domain, you cannot authenticate to those shares using Network accounts. The reason is that the ACL groups used for file sharing access are no longer created in the directory as they were in older versions of Server. There are unofficial fixes for this, but they are outside the scope of this book.

Certificates

When you completed the steps to bind your Mac client to Open Directory, you may have received the message "This server does not provide a secure (SSL) connection. Do you want to continue?" Because we were setting up a test server, we chose to ignore this message and continue. In a production environment, however, you will want SSL (TLS, in current terminology) to secure your clients' communication with the server: without it, anyone on the network path can read directory traffic or impersonate the server in a man-in-the-middle attack. Even if you are not using Open Directory and are only deploying your server for use with Profile Manager, you will need a basic understanding of certificates and how to change them in macOS Server.

Fallback SSL Certificate

The most basic certificate that Apple provides is the Fallback Certificate. It is created when you install the Server application, and it is available but rarely used. You can find this certificate by opening the Keychain Access utility on your Mac server, selecting the System keychain, and choosing the Certificates category.

Self-Signed Certificates

In the case of Open Directory, Apple provides a self-signed certificate that is generated when the Open Directory service is set up. A self-signed certificate encrypts the connection, but nothing vouches for who issued it: clients are prompted to trust it, and a user who clicks Trust is making a trust-on-first-use decision with no way to tell the real server from an impostor presenting its own self-signed certificate. That makes self-signed certificates a poor choice for a production installation. We can change the certificate that Open Directory uses if we want to replace it with a trusted third-party certificate.

Managing Certificates

We can change out the certificates we are using for any service at any time. Before we do anything with these certificates, we need to stop the services that are using them. In this case, we need to temporarily turn off the Open Directory service by clicking the on/off toggle switch in the top-right corner of the Open Directory window as shown in Figure 7-40.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig40_HTML.jpg
Figure 7-40

Disable Open Directory before attempting to make any changes to certificates

Now that the service has been disabled, click the Certificates button in the sidebar. You will probably have something similar to Figure 7-41 with some kind of mix of certificates and the Secure services using pop-up menu. Using this menu, we can select which services are using which certificates.

Click the Secure services using pop-up menu and choose Custom. You will be presented with some services and their matching certificates. I have two certificates to choose from. Both of these were generated automatically for me by the server, but only one is valid. I’m going to select the MacServer certificate in the Certificate column and click OK to continue.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig41_HTML.jpg
Figure 7-41

Selecting the certificate you want to use for a particular service

Now you will see that I'm securing my Open Directory service using my MacServer certificate. The last step is to open the Keychain Access application and search for the OPENDIRECTORY_SSL_IDENTITY identity preference. Double-click it to open it and select a new Preferred Certificate as shown in Figure 7-42. Click the Save Changes button to close it. (The same identity preference can also be read and set from the command line with the security tool's get-identity-preference and set-identity-preference subcommands.)
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig42_HTML.jpg
Figure 7-42

Selecting the certificate for the SSL identity for the Open Directory service

Go back to the Open Directory settings and restart the service by flipping the switch back to the on position. If you go back to your test Mac and unbind it from our domain and then join it again, you will be prompted to trust the new certificate.

Pro Tip

To unbind a Mac from the domain, log in as a user with local administrative privileges, open the Users & Groups System Preference, choose Login Options, and click the Edit button, similar to how you joined the domain but in reverse. In the sheet that slides out and displays the Open Directory server, highlight that server and click the – button to remove it. Both the join and the removal can also be scripted with the dsconfigldap command-line tool.

Trusted Certificates

If you are hosting a web site or deploying a production server and need encryption, you will want to install a certificate from a known Certificate Authority. To do this, you generate a certificate signing request on the server, have the CA sign it, and add the signed certificate to your macOS Server Certificate list. Begin by clicking the + button on the Certificates window and choosing Get a Trusted Certificate… as shown in Figure 7-43.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig43_HTML.jpg
Figure 7-43

Starting the process to get a trusted certificate

This will open the Get a Trusted Certificate Assistant. Step through the prompts to provide your organization's information and click the Next button to continue. This will bring you to the Certificate Signing Request (CSR) window. The CSR is what you provide to your chosen signing authority, as shown in Figure 7-44, so they can generate the certificate for your server; it contains your server's public key and name, while the matching private key stays in the server's keychain and is never sent. Make sure the host name in the CSR is exactly the FQDN that clients will use. You can copy/paste this string, or you can click the Save button to save the .csr file. Since this is the end of the first step, you can click Finish to close the dialog box.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig44_HTML.jpg
Figure 7-44

The CSR string that you need to provide to your signing authority

Next, you will notice that it created a placeholder for this certificate while you contact the signing authority. Once you have completed the validation process and received your SSL certificate, double-click the placeholder certificate and drag and drop the signed certificate, together with any intermediate certificates the CA supplied (the chain or bundle), into the placeholder's Certificate Files section as shown in Figure 7-45. Without the intermediates, clients that do not already have them will report the certificate as untrusted even though it was issued by a public CA. Click OK to save it, and now you can use the third-party certificate with your server.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig45_HTML.jpg
Figure 7-45

Double-click the placeholder certificate once you receive the file(s) from the signing authority and drop it into the highlighted field

Pro Tip

If you are planning to use a trusted certificate in a production environment, make sure that your server hostname is unique on your network or, in the case of web sites, on the public Internet. Do not use a server hostname that ends in .local: that suffix is reserved for Bonjour/mDNS, and public Certificate Authorities will not issue a certificate for it, so clients can never validate the name. If you need to change your Host Name for any reason, do so within the Server application so that the associated services get updated with the new name, then restart any affected services or the server itself.
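The checks a client performs before it accepts a certificate, whether the one Open Directory presents during binding or the one Profile Manager serves, are easy to run yourself. The following is an added example, not the book's code: `describe_cert()` takes a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns and reports the conditions discussed in this section (self-signed, name mismatch, a .local or other non-public name, expiry). The two sample certificates are constructed in that shape; the hostnames and CA name in them are invented. Port 636 is the standard LDAPS port and is only an assumption about where your Open Directory server listens for SSL.

```python
"""Check a server certificate for the problems that make clients refuse it.

Added example; not code from the book. `describe_cert()` takes a certificate
in the dictionary form Python's ssl.SSLSocket.getpeercert() returns; both
samples are constructed in that shape. Against a live server you would do:

    ctx = ssl.create_default_context()          # verifies against the system CA store
    with socket.create_connection((host, 636)) as sock:      # 636 = LDAPS; 443 for Profile Manager
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            findings = describe_cert(tls.getpeercert(), host)

If that handshake raises ssl.SSLCertVerificationError, the system does not
trust the certificate at all, which is the same condition that makes the Mac
client ask you to Trust it when binding. (With verification turned off,
getpeercert() returns an empty dict; use getpeercert(binary_form=True) and
`openssl x509 -inform DER -text` to inspect such a certificate instead.)
"""
import ssl
import time
from typing import Dict, List, Optional

# Constructed: the kind of certificate Open Directory generates for itself.
SELF_SIGNED_LOCAL = {
    "subject": ((("commonName", "macserver.local"),),),
    "issuer": ((("commonName", "macserver.local"),),),
    "subjectAltName": (("DNS", "macserver.local"),),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jan  1 00:00:00 2021 GMT",
}

# Constructed: a certificate issued by a public CA for the server's FQDN.
CA_ISSUED = {
    "subject": ((("commonName", "macserver.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "macserver.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2020 GMT",
    "notAfter": "Jun  1 00:00:00 2021 GMT",
}

# Fixed "now" so the example gives the same answer every time it is run.
NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2020 GMT")


def _rdn_to_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def cert_names(cert: dict) -> List[str]:
    """DNS names the certificate claims: SAN entries, or the CN if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_to_dict(cert.get("subject", ())).get("commonName")
        if cn:
            names.append(cn)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Match the way TLS clients do: exact, or '*' standing for one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def describe_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the findings a client would object to; an empty list means clean."""
    now = time.time() if now is None else now
    findings = []
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    if subject == issuer:
        findings.append("self-signed: issuer equals subject, every client must trust it by hand")
    names = cert_names(cert)
    if not names:
        findings.append("no DNS name in subjectAltName or commonName")
    elif not any(name_matches(n, hostname) for n in names):
        findings.append(f"hostname mismatch: {hostname} is not covered by {names}")
    for n in names:
        bare = n[2:] if n.startswith("*.") else n
        if bare.endswith(".local") or "." not in bare:
            findings.append(f"{n} is not a public FQDN; a public CA will not issue for it")
    not_after = cert.get("notAfter")
    if not_after:
        expires = ssl.cert_time_to_seconds(not_after)   # stdlib parser for this date format
        if expires <= now:
            findings.append(f"expired on {not_after}")
        elif expires - now < 30 * 86400:
            findings.append(f"expires within 30 days ({not_after}); renew now")
    return findings


if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED_LOCAL), ("CA-issued", CA_ISSUED)):
        print(label, describe_cert(cert, "macserver.example.com", now=NOW) or ["no findings"])
```

Run as written, the self-signed sample produces three findings (self-signed, name mismatch against the FQDN, and a .local name) and the CA-issued one produces none; the wildcard test shows why `*.example.com` covers `www.example.com` but not a deeper name.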

Profile Manager

The final service we will configure in macOS Server is really the main reason to have a Mac server these days—Profile Manager. Profile Manager is a Mobile Device Management (MDM) solution that integrates with Apple’s cloud services like Device Enrollment Program (DEP) and Volume Purchase Program (VPP) that we’ve touched on throughout this book so far. We will be using Profile Manager to create Configuration Profiles to provision and manage iOS devices and Mac clients over the air in Chapters 8 and 9.

Before we begin, there are a couple of prerequisites that you need to be aware of when using Profile Manager. First, the server must be accessible over the Internet. For my test server, I enabled the Apache-based Websites service temporarily and made sure I could hit the "It works!" page from both inside and outside of my network. I also registered a domain and made sure that I could get to the server on the public Internet by DNS name, not just by IP address. Once you have tested it, you can disable the Websites service again. Second, once you have a functional web server, it also needs to be served over HTTPS, so you will need to procure a signed certificate from a Certificate Authority of your choice.

Pro Tip

I have used namecheap.com or godaddy.com as my SSL certificate vendors for a small fee. There are also alternatives such as letsencrypt.org that you can use to get signed SSL certificates for free.

We are going to get started with configuring the Profile Manager service by clicking the Profile Manager button in the sidebar and then clicking the on/off switch to turn it on as shown in Figure 7-46.

This will begin the Configure Device Management Assistant. Step through the first dialog box to enter your Name, Email Address, Phone Number, and Physical Address. This will be disclosed to your end users on their managed devices, much like when we created an Organization in Apple Configurator.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig46_HTML.jpg
Figure 7-46

Turn on the Profile Manager service to initiate the Configuration Assistant

The next step is to select the trusted certificate from a third-party Certificate Authority. If you are planning to use Profile Manager as an MDM, which we will be doing throughout the rest of this book, you must have a certificate that is signed by a Certificate Authority. If you use a self-signed Certificate, it will not work.

Next, you will need an Apple ID to use for the Apple Push Notification service (APNs). Do not use a personal Apple ID here; use one that you configured solely for business use. The push certificate Profile Manager obtains is tied to this Apple ID: it expires after a year and must be renewed with the same Apple ID, and if the account is lost you will have to re-enroll every managed device, so keep its credentials with your organization's other shared secrets. Enter that information in the fields and click Next as shown in Figure 7-47. Once you have entered your Apple ID, click the Finish button to enable Device Management on this server.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig47_HTML.jpg
Figure 7-47

Enter your institutional Apple ID for use with Push Notifications

At this point, the service is on, and you should be able to open the Profile Manager web site. We need to test this by browsing to the site in three different ways. First, launch a browser on the server and browse to https://localhost/profilemanager and make sure it brings you to the Profile Manager login screen. Next, open a browser on another computer on your internal network and make sure you can get to the server's internal IP address followed by /profilemanager; in my case it's https://192.168.1.9/profilemanager. Finally, hit the server from an external device via the name you registered on the Internet; in my case it's https://579testing.com/profilemanager. Use https:// explicitly so that the certificate is actually exercised. Expect the first two tests to warn about a name mismatch, because the certificate was issued for the FQDN and not for localhost or an IP address; they only confirm that the service is listening. The external test by FQDN is the one that must come up with no certificate errors, and you should see a login screen as shown in Figure 7-48.
../images/492151_1_En_7_Chapter/492151_1_En_7_Fig48_HTML.jpg
Figure 7-48

The Profile Manager login window via a web browser

Pro Tip

If you go back to the server’s main status screen by clicking the button in the sidebar with the server’s name, you should see a green dot under Internet reachability. You can also click the Reachability Details button and make sure that Profile Manager is showing as available over the Internet as shown in Figure 7-49. If you are not seeing that, you should contact your Network Administrator and have them check the router or firewall configuration.

../images/492151_1_En_7_Chapter/492151_1_En_7_Fig49_HTML.jpg
Figure 7-49

Use Apple’s reachability service to confirm that Profile Manager is available from the public Internet

At this point, we have enabled the Profile Manager service and confirmed that it is working both internally and externally. There are additional options that we can configure for integration with Apple School Manager, Device Enrollment Program, and Volume Purchase. I will cover those in the next chapter when we discuss these various services within the larger topic of MDM.

Summary

In this chapter, we discussed the need for a dedicated Mac server, the server-class solutions built right into the core macOS client operating system, and the advanced services provided by installing the macOS Server application. While every organization is going to have different needs, it is clear that Apple has promoted the use of existing industry-standard directory, file sharing, and print sharing technologies over proprietary Mac-only solutions whenever possible.

As you can see, macOS Server has primarily become a tool for enabling Mobile Device Management through the Profile Manager tool. The case can be made that unless you want to use Profile Manager, you may not need a Mac server at all. If you do need Profile Manager, it could be the only service you need to run on your server, and it is not dependent on Open Directory or any other service.

In the next chapter, we will explore MDM concepts including User Approved MDM, Device Enrollment Program, and Volume Purchase Program. These solutions form the foundation for developing a next-generation deployment and support model for Apple-branded devices.