Mac OS X 10.7 Lion Server adds innovative features and a new low price tag, but cuts in services and the elimination of advanced GUI administration tools may force some enterprise departments to think twice about the role of Mac servers on their networks.
Some of the new features will please managers in business and education: The Profile Manager, a slick new Web-front-end tool for providing automatic push configuration and group policy management for Mac Lion and iOS clients, is miles ahead of Mac OS X Snow Leopard Server's old Managed Preferences features. Then there's built-in support for Microsoft's distributed file system (DFS) and Apple's Xsan file system, the latter for accessing a storage area network (SAN) over Fibre Channel.
But once the initial excitement subsides and you start looking more deeply inside Lion Server, it's impossible to avoid the conclusion that Lion Server is not built for those of us in IT.
The £34.99 price tag is the first clue that Lion Server is trying to be a server for the consumer. Apple's slogan is "servers made easy." To that end, a new administration tool, called Server, is more logical and easier to use than the old Server Preferences that it replaced. And Server can do more than Server Preferences could.
But the ironic part for IT administrators is that Lion Server actually requires a greater degree of technical knowledge than its predecessors. Many routine tasks that were formerly a mouse click away now can be accomplished only via the Unix shell command line. Worse yet, some routine tasks are no longer possible at all.
Lion Server: A great big app that's tricky to install
For the enterprise, the first clue that something is amiss in Lion Server comes right at installation. Lion Server installs like a great big iPhone app. It's available only as a download from the Mac App Store and self-installs as soon as it's downloaded; all you can configure is the admin email address. Finally, it deletes the installer, though you can stop the install to make a copy before it's deleted. This app philosophy filters down through the software as well.
But Lion Server isn't Angry Birds. The installation process includes downloading the 4GB Lion OS client installer, plus hundreds of megabytes more of server components. Depending on the type of installation (such as upgrade or new), you may have to make a second trip to the App Store to get the server components. A problem for administrators is that there is no supported way to make your own bootable installation DVD. There is an unsupported hack to create one, but it can bring up other complications.
Worse, there's no clean install option from within the installer itself. To do any install, you need to boot the Mac with Mac OS X 10.6.8 Snow Leopard or Mac OS X 10.7 Lion from a volume (hard disk, partition, or USB flash drive) and run the installer from that boot drive. To do a clean install, you need two volumes: one to boot from, one to install onto.
Apple has streamlined the server configuration process from previous versions, with fewer screens asking questions and more done automatically. The installer is smarter as well. If you tell the setup assistant to create an Open Directory master, it will do that as well as set up DNS for the server's IP address if it doesn't find it on the network or the Internet.
That's pretty nice, particularly if you don't know what DNS is. Unfortunately, if you do know what DNS is, the Server application -- now the only management tool installed with Lion Server -- won't show you what the DNS configuration is. It provides no way to edit settings for DNS, DHCP, Open Directory, and other network services.
The old administration tools that can access these services -- Server Admin and Workgroup Manager -- are no longer part of Lion Server. Instead, they are available as a separate download -- but not from the Mac App Store, where you get the Lion Server app. You have to go to Apple's support site. Nothing I could find in the installation screens, the help files, or Apple's main Server website even mentions them. To quote Douglas Adams, the tools were "on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the leopard.'"
Lion Server's many missing services
Once you locate and download the Server Admin tool, experienced Mac OS X Server administrators will notice it's a much thinner tool than it used to be. Roughly half the services that used to be there are missing. Most user-based services, such as file sharing, calendaring, and Web services, have been moved to the simple Server application. Others, such as QuickTime Streaming Server, have been completely removed.
One of the more significant feature rollbacks comes in reduced support for Windows clients. For years, Mac OS X Server's LDAP-based Open Directory had the ability to function as a primary domain controller (PDC) to support Windows clients. The PDC provided Windows clients with single sign-on authentication, and for those who work on both platforms, it gave users access to the same accounts and server-based home folders from their Windows PCs as well as their Macs. In Lion Server, Windows clients still have access to file sharing, but are now second-class clients.
On the flip side, Lion Server retains Open Directory integration with Active Directory. Mac clients can still bind to Active Directory using the "golden triangle" configuration, where Mac OS X Server and Open Directory bind to Active Directory.
Another service that Apple deleted is the print server of previous Mac OS X Server builds. Lion Server contains only the same ability to share printers found in every copy of Mac OS X client for the past five years: the open source Common Unix Printing System (CUPS), which gives Macs the ability to host shared print queues and simple pools of printers but lacks the enterprise features that previous print servers had. For example, Lion Server's CUPS cannot prioritize printers in the pool or set quotas for individual users or printers. And you can't publish printers to Open Directory.
Lion Server: GUI, GUI, gone
Other services that appear to be missing in Lion Server are actually still there. NFS (the Unix-based file sharing protocol) is gone from Server Admin, but it is accessible via the command line. Podcast Producer, Mac OS X Server's podcast workflow system, still uses NFS, and you can create NFS-based home folders for users. But where before you could click check boxes to configure it, you now need to type Unix commands. Similarly, the FTP server isn't available in Server or Server Admin but is available through the command line.
If you're looking for the configuration for MySQL, you won't find it, either in the GUI or in the command line. That's because Apple has replaced it with PostgreSQL, another open source database. On one hand, this is an improvement, because PostgreSQL is considered to be more powerful than MySQL. But whereas Snow Leopard's Server Admin tool had GUI settings for MySQL, PostgreSQL is command line only in Lion Server.
With other services, GUI administration tools survived -- barely. Lion Server still has industrial-strength Apache Web services, but it has replaced several windows' worth of settings with little more than an on/off switch and a button to add another host website path and domain name. This makes it more difficult to host multiple websites as virtual hosts or at least more difficult to figure out why it isn't working.
The admin tools no longer provide a way to set URL aliases and redirects, which point to files or folders while keeping the location hidden from users. Also eliminated is the ability to set domain-name-level Web aliases. And the GUI tools provide no way to configure the execution of CGI scripts on a website. You can no longer set maximum simultaneous connections, connection timeouts, or persistent connections. These and other configurations were available in the Server Admin tool in previous incarnations of Mac OS X Server. Rather than simplify Web configuration, this puts many of Apache's features out of reach of those less adept at editing config files.
The same is true for VPN configuration, iChat (Jabber) service, and to a lesser degree the iCal calendaring service.
The exception to all this is email service, which still has the same level of configuration detail as in previous versions of Mac OS X Server, and with a better Web mail implementation.
Lion Server's Profile Manager: The sole bright spot
For business and education, Profile Manager is the shining spot in Lion Server. Once you turn on services and switch on Profile Manager, it automatically creates configuration profiles, which are XML files that can be pushed to Mac and iOS clients that automatically configure them to receive the service. You can send out an enrollment profile, which enables changes to be pushed out (when the user accepts it). You can have different sets of profiles that apply to groups of users, as well as to individual devices and groups of devices.
Profile Manager goes well beyond simply configuring clients for networking, VPN, and mail. You can set hundreds of group policies. For example, you can prevent iOS and Mac users from accessing the App Store, prevent Mac and iOS applications from launching, block users from making changes to system preferences, block Macs from accessing external storage devices or optical discs, prevent iOS users from watching YouTube, set parental controls, and much more. (Users can see the settings applied to their Mac in the new Profiles system preference, or in the familiar Settings app in iOS.)
The drawback to Profile Manager is that the Mac clients it supports must run Lion. Fortunately, the old Managed Preferences for older versions of Mac OS X clients is still available through Workgroup Manager.
Still, Profile Manager does more than Managed Preferences, and it does more automatically, and in a way that is easier and faster to set up, no command line necessary.
But even here, one item may rub IT managers the wrong way: The data stores for Profile Manager, Address Book Server, iCal Server, Webmail, and the built-in wiki are bundled in one database in a location that cannot be moved: on the server's boot disk. I suppose the thought is that consumers usually have only one hard disk.
So what does IT do now with Mac OS X Server?
Lion Server's debut poses a dilemma to many IT shops using Mac OS X Server. Of course, IT departments can keep running Snow Leopard Server to serve clients that include Mac OS X Lion, older Mac OS X versions, Windows, and Linux. Or you can use both the Lion and Snow Leopard Mac OS X Server versions. For example, if you want to keep the Windows PDC functionality but also want Profile Manager, you could run Snow Leopard Server as an Open Directory master (and PDC) and bind Lion Server to it. You could even run both servers in virtual machines on a single Mac.
But in the longer term, I won't be surprised to see some enterprise sites phase out Mac OS X Server and move to Windows Server -- even as they embrace more Mac clients. When you consider Lion Server's truncated capabilities along with the discontinuation of the Apple Xserve rack-mount hardware, the signal from Apple seems to be it's not that interested in keeping businesses on Mac OS X Server.