Lion server printer management.

Lion Server no longer has printer management and I believe CUPS has the ability to set quotas.  Has anyone found a way to do this for open directory users?  Possibly a terminal script can run at login that sets a quota for each user?

What's more important/relevant is the Page In/Out rates.
If these are low (or zero) then you have nothing to worry about - the server simply doesn't need more memory, and it's not swapping to disk.
Most background tasks take way less memory than foreground/GUI tasks, so it's not unreasonable to think this could run in 4GB.

Similar Messages

  • Lion Server Profile Manager Configuration

    Hi Guys,
    Currently have been testing Lion Server and Profile Manager Configuration.
    So Far Have setup
    Lion with Server App and Server Admin Tools
    Configured Open Directory Master and enabled SSL on LDAP
    Once Configured OD has created a CA Certificate can use for Profile Manager
    Have Enabled in Server.app Web and Profile manager
    In SSL Certificate Configuration have set CA Certificate for Web and Enabled Apple push notifications with my apple ID
    In Profile Manager Enabled Device Management and Enabled Sign configuration profiles and selected CA Open Directory Certificate Created when setting up OD Master.
    On Server Originally could install Trust Profile OK and Enroll Server OK with no issues, but on any other 10.7 Devices could install Trust Profile OK but would always say unsigned and Enroll would never work or just hang.
    Now Since Played around with settings on 10.7 Server can no longer enroll but trust OK.
    The questions I have are:
    For SSL and Profile Manager to work properly, as well as certificates, do you need to purchase a proper SSL certificate, or can we use the OD Master certificate that gets created? All we are testing is on the local LAN, so we don't want to get an SSL certificate from the internet.
    Also why cannot 10.7 clients trust profile and enroll Devices Properly? How do I get this working properly?
    Any ideas?
    Regards,
    Shane

    taubmas wrote:
    Not sure if it's that, as I finally got Lion Server working on a VM setup, so network shouldn't be an issue...
    Had 1 OSX Lion Server VM and 1 OSX Lion Client VM and OSX Lion Server VM gets profile and enrolls device fine but again OSX client doesn't get enroll just sits again at installing..... even if set keychain to trust and make trust profile verified..
    any other ideas? I think need to somehow get the server to trust trust profile by default instead of going to keychain all the time.
    Shane
    Did you get this to work in an ESXi environment? If so, which version are you running?

  • Mac OS X 10.7 Lion Server - Device Management?

    Hi,
    I would like to know in detail which devices Mac OS X Lion Server manages, and how the server manages devices such as iPhone and iPad.
    My company is currently using Apple Mac Mini Server. and would like to manage the devices.
    Many Thanks.
    Carson

    You could try booting from an external USB hard drive and using a data recovery utility like Data Rescue X.  Your mileage will vary depending on the circumstances.  I would only try recovering data files and not recover the whole system.  No sense fooling with an OS when it is trivial to reinstall and know it is working.  Make an image of a freshly configured OS to aid in recovery like this.
    Retrieve your documents & preferences if you are lucky.   The data may still be there, but file names and other metadata may not be recoverable.   If file names are not recoverable, then you will have tons of files to sort through trying to make sense of what is what.  They are sorted by type, but you will be surprised at the number of such files used by the system and in temp/cache files.  I recently had a case where someone deleted a bunch of files and then emptied the Trash.  I got the files back, but with no file names.  I was unable to find a way to retrieve the file names and even asked a forensic recovery expert for any reasonably priced software to do it.
    If this is your only Apple computer and you need to make a bootable  external drive, then make sure to install OSX on the external drive and not on the internal drive you are trying to recover.

  • Lion Server Profile Management error reading settings

    After starting up Lion Server the profile management pane showed an error. It is also not possible to log in via the browser to the profile manager. How can I fix this? Using the default httpd.conf file did not help.
    This is one of the many problems I have with Lion Server that does not work as expected. So if someone has a solution to remove all profile settings from my client MBP, then I can try to revert back to Lion on my server also.
    I hope this question is also read by someone at Apple, as this is not the quality I expected from Apple. It lacks decent documentation and the setup of Portable Home Users is not possible. I thought Apple products were self-explanatory and intuitive. This reminds me of the old Windows days: sitting for days to figure it out and using a lot of terminal commands.

    Did you ever find a resolution? If not then this might help Server: An error with code -1 occurred while setting up Device Management

  • How to write .CSV file to import device placeholder into Lion Server Profile Manager?

    I'm now using Mac Mini with Lion Server (10.7.4). I've already setup a server with Profile Manager to manage some iOS devices.
    Now I need to add many devices into Profile Manager. From some articles (for example http://my.safaribooksonline.com/book/-/9780132778879/chapter-4dot-managing-accounts/ch04lev1sec3), I found that I can use a .CSV file to import many device placeholders at a time. So I created a .CSV file "devices.csv" with the following content:
    iPhone001,12345ABCD12,,,
    Then I import this file to "Devices" in Profile Manager, but in vain. It says that the placeholder is invalid.
    Could anyone provide some examples? Thanks a lot.

    Hi Nien-Yi Ho,
    A little late, but perhaps someone else can benefit ...
    The way I did this, is:
    - create an empty Excel spreadsheet
    - add 5 headers in the first row: DeviceName, SerialNumber, IMEI, MEID, UDID
    - in the next rows add your devices and specs (for the iPhones and iPads I only added DeviceName, SerialNumber and IMEI specs)
    - IMPORTANT: save the file as a Windows CSV file.
    If you import the CSV file now, all should go well.
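    The import format described in the answer above, as an added example that is not code from the thread or from Apple: it writes a placeholder CSV with the five header columns and CRLF line endings, and a validator that explains why a header-less row like the one in the question is rejected. The header names and the Windows-CSV requirement come from the answer; the extra row checks (non-empty DeviceName, at least one identifier, plain ASCII cells) and the sample device values are this example's own assumptions.

```python
"""Build and validate a device-placeholder CSV for Profile Manager import.

Added example; not code from the original thread or from Apple. The column
names and the CRLF requirement are taken from the answer above; the row-level
checks and the sample device data below are constructed for illustration.
"""
import csv
import io
import re

HEADERS = ["DeviceName", "SerialNumber", "IMEI", "MEID", "UDID"]
_VALID_CELL = re.compile(r"^[A-Za-z0-9 ._-]*$")  # assumption: keep cells plain ASCII

# Constructed sample devices (not real serials/IMEIs); only the columns the
# poster filled in, the rest are left empty like the iPhone rows in the answer.
SAMPLE_DEVICES = [
    {"DeviceName": "iPhone001", "SerialNumber": "12345ABCD12", "IMEI": "350000000000001"},
    {"DeviceName": "iPad007", "SerialNumber": "ABCDE12345F", "IMEI": "350000000000002"},
]

# The content from the question: one data row, no header, Unix line ending.
QUESTION_CSV = "iPhone001,12345ABCD12,,,\n"


def write_placeholder_csv(devices):
    """Return CSV text for the device dicts: header row first, CRLF line endings.

    Missing optional columns (MEID, UDID, ...) are written as empty fields.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=HEADERS, lineterminator="\r\n",
                            extrasaction="raise", restval="")
    writer.writeheader()
    for dev in devices:
        writer.writerow(dev)
    return buf.getvalue()


def validate_placeholder_csv(text):
    """Return a list of problems; an empty list means the file looks importable."""
    problems = []
    if "\r\n" not in text:
        problems.append("line endings are not CRLF (save as Windows CSV)")
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != HEADERS:
        problems.append("first row is not the header row " + ",".join(HEADERS))
        return problems
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(HEADERS):
            problems.append(f"row {n}: expected {len(HEADERS)} fields, got {len(row)}")
            continue
        if not row[0]:
            problems.append(f"row {n}: DeviceName is empty")
        if not any(row[1:]):
            problems.append(f"row {n}: no identifier (SerialNumber, IMEI, MEID or UDID)")
        for col, cell in zip(HEADERS, row):
            if not _VALID_CELL.match(cell):
                problems.append(f"row {n}: unexpected characters in {col}")
    return problems


if __name__ == "__main__":
    print("question file:", validate_placeholder_csv(QUESTION_CSV))
    generated = write_placeholder_csv(SAMPLE_DEVICES)
    print("generated file:", validate_placeholder_csv(generated) or "OK")
```

    Write the returned text to devices.csv in binary or with newline="" so the CRLF endings survive; opening the file in text mode with the platform default can silently rewrite them.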

  • HT200088 Error Reading Settings in Lion Server Profile Manager

    Whenever I try to use Profile Manager in Lion Server, it says "Error Reading Settings". Can anybody help?

    I did a clean install of Lion/Lion Server, but I ran into the same problem too with "Error Reading Settings" for both the profile manager and the wiki.
    INVESTIGATION: I checked the postgres database (which I presumed was where the settings were being read from).
    # sudo serveradmin fullstatus postgres
    postgres:dataDirHasBeenInitialized = yes
    postgres:PG_VERSION = "9.0.4"
    postgres:dataDir = "/var/pgsql"
    postgres:postgresIsResponding = no     # !!! why isn't it responding???
    postgres:dataDirIsDirectory = yes
    postgres:PGserverVersion = 0
    postgres:dataDirExists = yes
    postgres:setStateVersion = 1
    postgres:state = "RUNNING"
    PROBLEM: The postgres service hadn't been started properly; I found this by doing the following:
    # sudo serveradmin stop postgres
    postgres:state = "STOPPED"
    # sudo serveradmin start postgres
    postgres:error = "CANNOT_START_SERVICE_TIMEOUT_ERR"
    FIX: The postgres service couldn't create the log file because it didn't have permission. I did this to fix it, then simply restarted it and all was well:
    # sudo chmod 777 /Library/Logs/
    # sudo serveradmin start postgres
    postgres:state = "RUNNING"
    I hope this helps someone.
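    The status output pasted above, read by a small parser as an added example (not code from the thread or from Apple): it turns `serveradmin fullstatus postgres` lines into typed values and flags the contradiction the poster spotted, a state of RUNNING alongside postgresIsResponding = no. The sample text is the poster's output; the diagnostic rules and the "healthy" variant are this example's own.

```python
"""Parse `serveradmin fullstatus <service>` output and flag inconsistent state.

Added example, not code from the thread or from Apple. SAMPLE_STATUS is the
output pasted in the answer above; HEALTHY_STATUS is a constructed variant.
The checks in diagnose_postgres() are this example's own assumptions about
what a healthy service looks like.
"""
import re

SAMPLE_STATUS = """\
postgres:dataDirHasBeenInitialized = yes
postgres:PG_VERSION = "9.0.4"
postgres:dataDir = "/var/pgsql"
postgres:postgresIsResponding = no     # !!! why isn't it responding???
postgres:dataDirIsDirectory = yes
postgres:PGserverVersion = 0
postgres:dataDirExists = yes
postgres:setStateVersion = 1
postgres:state = "RUNNING"
"""

# Constructed: same output after the service actually came up.
HEALTHY_STATUS = SAMPLE_STATUS.replace("postgresIsResponding = no",
                                       "postgresIsResponding = yes")

_LINE = re.compile(r"^(?P<svc>[^:\s]+):(?P<key>\S+)\s*=\s*(?P<val>.*)$")


def parse_fullstatus(text):
    """Return {service: {key: value}} from serveradmin key = value lines.

    Trailing '# comments' (like the one the poster added) are dropped, quoted
    strings lose their quotes, yes/no become booleans and integers become ints.
    """
    result = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        val = m.group("val").split("#", 1)[0].strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        elif val in ("yes", "no"):
            val = val == "yes"
        elif re.fullmatch(r"-?\d+", val):
            val = int(val)
        result.setdefault(m.group("svc"), {})[m.group("key")] = val
    return result


def diagnose_postgres(status):
    """Return human-readable findings for the postgres service; [] if healthy."""
    pg = status.get("postgres", {})
    findings = []
    if pg.get("state") == "RUNNING" and pg.get("postgresIsResponding") is False:
        findings.append("state is RUNNING but postgres is not responding: "
                        "the job was launched but the database never came up")
    if pg.get("dataDirExists") is False or pg.get("dataDirIsDirectory") is False:
        findings.append(f"data directory {pg.get('dataDir')} is missing or not a directory")
    if pg.get("dataDirHasBeenInitialized") is False:
        findings.append("data directory has not been initialised")
    if pg.get("state") == "STOPPED":
        findings.append("service is stopped")
    return findings


if __name__ == "__main__":
    for label, text in (("pasted", SAMPLE_STATUS), ("healthy", HEALTHY_STATUS)):
        print(label, diagnose_postgres(parse_fullstatus(text)) or ["OK"])
```

    On a live box, pipe `sudo serveradmin fullstatus postgres` into parse_fullstatus(). On the fix itself: chmod 777 on /Library/Logs makes the whole directory world-writable, which is wider than the problem needs; giving only the account that postgres runs as write access to that directory (or to its own log file) removes the same permission error.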

  • How to use Lion Server Profile Manager to require password after screensaver

    Our company is upgrading to Lion Server. One of our requirements for network security is to require a password to wake the computer from sleep or screensaver. In SL Server you would add a key to the com.apple.screensaver entry in Workgroup Manager.
    In Profile Manager in Lion server there is a custom setting section and I have tried adding a key there but it does not seem to work. Can anyone offer some help on how to put the require password to wake from sleep or screensaver in Profile Manager so the setting gets pushed out?

    Hi CodyCodes,
    Just discovered the same issue today as well.  Further complicating things, the screensaver timeout setting in Login Window doesn't apply to Profile Manager clients no matter what the setting.  This was reproduced and confirmed by the Apple Tech I was working with.  He's submitted the bug to their engineering staff.  I requested that he ask them why there is no setting for password on sleep or screensaver.  Hopefully this is resolved soon, as this feature is 99% of the reason we're implementing Profile Manager to begin with.
    Cheers

  • Mountain Lion Server Profile Manager wont erase

    I can't seem to get rid of these blank profiles in Mountain Lion Server.  Can anyone help?  I have not been able to find a solution in the forum.
    Thanks,
    Tom

  • Mountain Lion Server Profile Manager error

    I recently set up a Mountain Lion server (10.8.2) to manage multiple iPads and Macs with Profile Manager in a PC-oriented Active Directory environment.
    I setup an SSL certificate and bound to the organization's active directory (with Directory Utility) and that all works fine.
    We are now simply trying to assign the rights to individual users to use Profile Manager and running into trouble.
    Using the Server app, we click on a user (or group) and then go to assign rights (with the gear menu).
    The list of items to assign is supposed to come up.
    Instead the list never comes up.
    Can anyone shed any light on what we have to do?

    What are you trying to do?
    Assign which users can use the Profile Manager web interface,
    or restrict which users can and can't have devices registered to their name in Profile Manager?

  • Mountain Lion Server Profile Manager not accessible externally

    What do I need to be checking if I can't access our Mountain Lion server's Profile Manager externally?  From a test iPad on a carrier's 3G network, I get a "server not found" error when using http://fqdn/.  I can bring up the server page if I use https://publicipaddress, but not https://publicipaddress/profilemanager.  Apple tried accessing the server with the same findings.  We're a state agency behind tight firewall and security and we're told that all Profile Manager needed ports are open...  Thanks.

    Nelson -
    Pretty much everything boiled down to DNS, firewalls and ports.  Unfortunately, I was never able to ascertain which of the three items were causing this problem because we have a separate group who manages the network and firewall (plus a separate security team).  If I recall, once they focused on what it was I was trying to accomplish, most of the problems "magically" went away.
    Is your reverse DNS working the way it's supposed to?  Ex:
    yourserver:~ login$ hostname
    yourserver.yourdomainname
    yourserver:~ login$ host yourserver.yourdomainname
    yourserver.yourdomainname has address 10.x.x.x
    yourserver:~ login$ host 10.x.x.x
    3.34.2.10.in-addr.arpa domain name pointer yourserver.yourdomainname
    yourserver:~ login$
    Also be sure to follow "burton11234's" posts.  https://discussions.apple.com/people/burton11234?view=overview
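    The three-command check in the answer above (hostname, host name, host ip) as one function, added here as an example that is not code from the thread or from Apple. The live resolvers use Python's socket module; the dictionary-backed zone, including the 10.2.34.3 address that the answer's 3.34.2.10.in-addr.arpa PTR implies, is constructed so the check can be exercised offline, and the "bad" zone shows what a stale PTR looks like.

```python
"""Forward/reverse DNS consistency check for a server's own hostname.

Added example, not from the thread or from Apple. check_dns() reproduces the
answer's manual test: the name must resolve to an address, and that address
must reverse to the same name. GOOD_ZONE/BAD_ZONE are constructed records.
"""
import socket


def live_forward(name):
    """A-record lookup through the system resolver; [] if the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def live_reverse(ip):
    """PTR lookup through the system resolver; None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dns(hostname, forward, reverse):
    """Return (ok, findings). forward(name) -> [ip, ...]; reverse(ip) -> name or None."""
    findings = []
    if "." not in hostname.rstrip("."):
        findings.append(f"hostname '{hostname}' is not fully qualified")
    ips = forward(hostname)
    if not ips:
        findings.append(f"no A record for {hostname}")
        return False, findings
    for ip in ips:
        ptr = reverse(ip)
        if ptr is None:
            findings.append(f"{ip} has no PTR record")
        elif ptr.rstrip(".").lower() != hostname.rstrip(".").lower():
            findings.append(f"{ip} reverses to {ptr}, not {hostname}")
    return not findings, findings


# Constructed zones. 10.2.34.3 is the address behind the answer's
# "3.34.2.10.in-addr.arpa" PTR; the names are the answer's placeholders.
GOOD_ZONE = {"A": {"yourserver.yourdomainname": ["10.2.34.3"]},
             "PTR": {"10.2.34.3": "yourserver.yourdomainname"}}
BAD_ZONE = {"A": {"yourserver.yourdomainname": ["10.2.34.3"]},
            "PTR": {"10.2.34.3": "oldname.yourdomainname"}}   # stale reverse record


def zone_resolvers(zone):
    """Build (forward, reverse) functions backed by a constructed zone dict."""
    return (lambda name: zone["A"].get(name.rstrip("."), []),
            lambda ip: zone["PTR"].get(ip))


if __name__ == "__main__":
    me = socket.getfqdn()
    ok, notes = check_dns(me, live_forward, live_reverse)
    print(me, "OK" if ok else "\n".join(notes))
```

    Run it on the server itself, where the system resolver should be the server's own DNS (127.0.0.1) as the setup notes elsewhere on this page describe; a mismatch between the two zones above is exactly the kind of DNS problem the answer points to.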

  • Lion Server Profile Manager - Windows Environment

    My company needs to be able to manage mobile devices, specifically iPhones and iPads, that connect to our corporate MS Exchange server. We are looking at mobile device management solutions to manage password policy, software restrictions, device registrations, etc., and I have come across the built in Profile Manager in Lion Server. Is it possible to introduce or integrate a Lion Server into our existing Active Directory environment for the purposes of mobile device management or are we better off on finding another third party solution?

  • Mountain Lion Server- Profile Manager- No such file or directory

    When trying to start Profile Manager I receive this message:
    I have tried the following fix provided by Apple:
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh
    However, my problem seems to exist a step before this is even useful. I have been all over the Apple Support Community and web looking for an answer, but everyone seems to assume all problems exist at a point where you don't receive the following from the Console:
    ProfileManager[29045]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `initialize'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `new'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `SetupRails'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:158:in `Run'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:851
    com.apple.launchd[1]: (com.apple.devicemanager[29045]) Exited with code: 1
    com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    ProfileManager[29053]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    ProfileManager[29053]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `initialize'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `new'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `SetupRails'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:158:in `Run'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:851
    com.apple.launchd[1]: (com.apple.devicemanager[29053]) Exited with code: 1
    com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    ProfileManager[29061]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
    serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
    serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
    ProfileManager[29061]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `initialize'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `new'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `SetupRails'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:158:in `Run'
    /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:851
    com.apple.launchd[1]: (com.apple.devicemanager[29061]) Exited with code: 1
    com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
    serveradmin[28989]: posting dist not
    ProfileManager[29069]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
    I'm looking for a solution that doesn't involve reinstalling Mountain Lion if that is at all possible. It seems to me like it should, as that's not so much a solution as just starting over. If you need more from Console, just let me know. Also, I have tried all the threads that relate to restarting, rebooting, or reconfiguring Device Manager and none of them work; at the end I still get the message "No such file or directory."
    Thanks for the help!

    Finally figured the problem out on my own. Thank you to the apple support community for all your help. Full story, I installed OSX Server and then changed the Service Data location to an external hard drive. After that the Profile Manager immediately stopped working. Several reinstallations later and still not working. The problem was not even a little related to /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/wipeDB.sh, which is the answer everyone else on the internet was giving. The problem was that Profile Manager was no longer installed/installing for whatever reason. So, I went in and reinstalled just Profile Manager from the Server.app and now everything is working great. If things stop working I'll update this post. This is how:
    To begin, delete /private/var/devicemgr. This file is created during the install and if it already exists, the install won't work.
    Open terminal and copy sudo /Applications/Server.app/Contents/ServerRoot/System/Library/ServerSetup/CommonExtras/80-devicemgrcommon.sh
    That is all I had to do and Profile Manager works great for me now. Hope this helps someone.
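    The console excerpt in the question, triaged by a short script as an added example (not code from the thread or from Apple): it recognises the crash loop (non-zero exits followed by launchd throttling the respawn), collects every path devicemgrd reported as missing, and reduces them to the common parent, which here is the Service Data location the accepted answer ended up pointing at. The sample lines are trimmed from the poster's log; the regular expressions and the verdict thresholds are this example's own.

```python
"""Triage devicemgrd / launchd console lines for a Profile Manager crash loop.

Added example, not from the thread or from Apple. SAMPLE_LOG is a trimmed
copy of the console excerpt in the question above; the patterns below match
that excerpt's wording and are an assumption for any other log.
"""
import os
import re
from collections import Counter

SAMPLE_LOG = """\
ProfileManager[29045]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `initialize'
com.apple.launchd[1]: (com.apple.devicemanager[29045]) Exited with code: 1
com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
serveradmin[28989]: servermgr_devicemgr: response statusCode: 503
serveradmin[28989]: servermgr_devicemgr: waiting for devicemgr to respond
ProfileManager[29053]: Failed to delete '/var/devicemgr/ServiceData/Data/tmp'. No such file or directory - /var/devicemgr/ServiceData/Data/tmp
ProfileManager[29053]: devicemgrd: Terminating on unhandled exception No such file or directory - /var/devicemgr/ServiceData/Data/migration at /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/webserver/devicemgrd:238:in `initialize'
com.apple.launchd[1]: (com.apple.devicemanager[29053]) Exited with code: 1
com.apple.launchd[1]: (com.apple.devicemanager) Throttling respawn: Will start in 9 seconds
"""

_ENOENT = re.compile(r"No such file or directory - (\S+)")
_EXIT = re.compile(r"\(com\.apple\.devicemanager\[(\d+)\]\) Exited with code: (\d+)")
_THROTTLE = re.compile(r"Throttling respawn")
_STATUS = re.compile(r"response statusCode: (\d{3})")


def triage(lines):
    """Collect missing paths, exit codes, respawn throttles and HTTP status codes."""
    summary = {"missing_paths": Counter(), "exits": [], "respawns": 0,
               "status_codes": Counter()}
    for line in lines:
        m = _ENOENT.search(line)
        if m:
            summary["missing_paths"][m.group(1)] += 1
        m = _EXIT.search(line)
        if m:
            summary["exits"].append((int(m.group(1)), int(m.group(2))))
        if _THROTTLE.search(line):
            summary["respawns"] += 1
        m = _STATUS.search(line)
        if m:
            summary["status_codes"][m.group(1)] += 1
    return summary


def verdict(summary):
    """One-line diagnosis, or None when the lines do not look like a crash loop."""
    exits = summary["exits"]
    if summary["respawns"] >= 2 and exits and all(code != 0 for _, code in exits):
        paths = sorted(summary["missing_paths"])
        where = os.path.commonpath(paths) if paths else "(no path reported)"
        return (f"crash loop: devicemgrd exited {len(exits)} times and launchd is throttling; "
                f"missing files under {where}; serveradmin saw "
                f"{summary['status_codes']['503']} x 503")
    return None


if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG.splitlines())))
```

    The common parent of the missing paths is the fact worth checking first: if it no longer exists or points at a volume that is not mounted, no amount of restarting the service will help, which is what the accepted answer found.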

  • Lion Server: iOS 5 clients can't connect to Address Card Server

    I have set up shared accounts on the server for Calendar and Address Book (family) sharing. Although I can add and use the Address Book shared account on OS X Lion clients, I can't get this to work on iOS 5 clients (iPhone nor iPad). I keep on getting "CardDAV account verification failed".
    Calendar sharing works just fine on both OS X and iOS5 clients
    Let me briefly describe my setup and observations:
    Server:
    Running Lion Server 10.7.2 on Mac Mini (server)
    Using SSL connections with keys generated during set-up of the server
    Port forwarding in router (among others) for 8008 and 8843 (iCal and Address Book)
    Created  shared accounts on server for Calendar ("sharedcalendar") and Address Book ("sharedcontacts")
    In the DNS server I created services in my primary zone for "_caldavs._tcp." and "_carddavs._tcp." both on port 8443
    OS X Client (Calendar)
    Created additional CalDAV account in preferences (user "sharedcalendar")
    Left the server settings untouched (server path, port "auto" and using SSL but not Kerberos)
    Created in "sharedcalendar" different calendars and reminder lists for the family members which each can access from their OS X client
    This account is now set-up through Profile Manager (tried this with Address Book as well but didn't make any difference)
    iOS 5 Client (Calendar)
    Once tested on standalone and got this working I'm now using the Profile Manager to push the definition of the shared account to all clients
    Hostname with port 8443 (default)
    Left Principal URL blank since it was optional
    User "shared calendar" with the appropriate password
    Ticked "Use SSL"
    OS X client (Address Book)
    Created additional CardDAV account in preferences (user "sharedcontacts").
    Left the server settings untouched (port 443 using SSL)
    iOS 5 client (Address Book)
    In the settings add a CardDAV account (server, user "sharedcontacts", password, description).
    First error message "Cannot connect Using SSL. Do you want to try setting up the account without SSL?". When I press continue I get the error "CardDAV account verification failed"
    If I then save the account details still and edit the account I can access the "advanced settings". When I change to SSL I have tried port 0 (default value), 8443 (the one that's listed in the documentation) and 8843 (which is used by default if you try to set up the account in Profile Manager). All to no avail, including Profile Manager
    Observations:
    Lion Server app nicely lists both Calendar and Address Book Server as active (plus Profile Manager, File Server, Web server and Wiki server)
    When I access my server home page, Calendar is listed in addition to other services (Mail | Calendar | Change Password | Profile Manager) but not Address Book. Is this normal behaviour? i.e. can't Address Book entries be changed through a web interface?
    Address Book on OS X client uses 443 for SSL but does not require me to define port 8443 for secure iCal or Address Book server communications
    Lion Server Profile Manager specifies port 8843 as port for SSL communication. I only saw 8443 listed in documentation
    The response "can't connect .." or "account verification failed" happens very quick which make me think either the verification doesn't even leave the iPad or there is something wrong in the SSL connection
    Since iCal set-up works nicely using the same ports I am puzzled why it doesn't work for Address Book
    Your solutions or suggestions how to investigate are most welcome,
    Erik

    Thanks for joining the discussion.
    Although port 8443 is most often quoted as the correct port for CalDAV and CardDAV, port 8843 can be found both on Apple's website and in other places:
    see Technical Note 1649 to find port 8443 listed for iCal and port 8843 for Address Book
    Mac OS X Lion Server for Dummies (sic) lists port 8843 on pages 236 and 238 but port 8443 in many other places
    when you want to push iCal and Address Book information with Profile Manager, Profile Manager lists port 8443 for iCal but port 8843 for Address Book as default:
    So I hope you understand I'm somewhat puzzled.
    I did get the Address Book working for my Lion desktops with all the necessary certificates as far as I know, just not for the iOS devices (iPhone and iPad). iCal sharing from Lion Server works fine on both Lion and iOS devices.

  • Problem with lion server - profile, wiki , postgresql

    I have problem with lion server:
    - Profile Manager Error Reading Setting
    - Wiki Error Reading Setting
    org.postgresql.postgres[3163]: postgres_real cannot access the server configuration file "/var/pgsql/postgresql.conf": No such file or directory

  • How To Install A (Almost) Working Lion Server With Profile Management/SSL/OD/Mail/iCal/Address Book/VNC/Web/etc.

    I recently installed a fresh version of Lion Server after attempting to fix a broken upgrade. With some help from others, I've managed to get all the new features working and have kept notes, having found that many or most of the necessary installation steps for both the OS and its services are almost entirely undocumented. When you get them working, they work great, but the entire process is very fragile, with simple setup steps causing breaks or even malicious behaviors. In case this is useful to others, here are my notes.
    Start with an erased, virgin, single guid partitioned drive. Not an upgrade. Not simply a repartitioned drive. Erased. Clean. Anything else can and probably will break the Lion Server install, as I discovered myself more than once. Before erasing my drive, I already had Lion and made a Lion install DVD from instructions widely available on the web. I suppose you could also boot into the Lion recovery partition and use disk utility to erase the OS X partition then install a new partition, but I cut a DVD. The bottom line is to erase any old OS partitions. And of course to have multiple, independent backups: I use both Time Machine with a modified StdExclusions.plist and Carbon Copy Cloner.
    Also, if you will be running your own personal cloud, you will want to know your domain name ahead of time, as this will be propagated everywhere throughout server, and changing anything related to SSL on Lion Server is a nightmare that I haven't figured out. If you don't yet have a domain name, go drop ten dollars at namecheap.com or wherever and reserve one before you start. Someday someone will document how to change this stuff without breaking Lion Server, but we're not there yet. I'll assume the top-level domain name "domain.com" here.
    Given good backups, a Lion Install DVD (or Recovery Partition), and a domain name, here are the steps, apparently all of which must be more-or-less strictly followed in this order.
    DVD>Disk Utility>Erase Disk  [or Recovery Partition>Disk Utility>Erase Partition]
    DVD>Install Lion
    Reboot, hopefully Lion install kicks in
    Update, update, update Lion (NOT Lion Server yet) until no more updates
    System Preferences>Network>Static IP on the LAN (say 10.0.1.2) and Computer name ("server" is a good standby)
    Terminal>$ sudo scutil --set HostName server.domain.com
    App Store>Install Lion Server and run through the Setup
    Download install Server Admin Tools, then update, update, update until no more updates
    Server Admin>DNS>Zones [IF THIS WASN'T AUTOMAGICALLY CREATED (mine wasn't): Add zone domain.com with Nameserver "server.domain.com." (that's a FQDN terminated with a period) and a Mail Exchanger (MX record) "server.domain.com." with priority 10. Add Record>Add Machine (A record) server.domain.com pointing to the server's static IP. You can add fancier DNS aliases and a simpler MX record below after you get through the crucial steps.]
    System Prefs>Network>Advanced>Set your DNS server to 127.0.0.1
    A few DNS set-up steps and these most important steps:
    A. Check that the Unix command "hostname" returns the correct hostname and you can see this hostname in Server.app>Hardware>Network
    B. Check that DNS works: the unix commands "host server.domain.com" and "host 10.0.1.2" (assuming that that's your static IP) should point to each other. Do not proceed until DNS works.
    C. Get Apple Push Notification Services CA via Server.app>Hardware>Settings><Click toggle, Edit... get a new cert ...>
    D. Server.app>Profile Manager>Configure... [Magic script should create OD Master, signed SSL cert]
    E. Server.app>Hardware>Settings>SSL Certificate> [Check to make sure it's set to the one just created]
    F. Using Server.app, turn on the web, then Server.app>Profile Manager> [Click on hyperlink to get to web page, e.g. server.domain.com/profilemanager] Upper RHS pull-down, install Trust Profile
    G. Keychain Access>System>Certificates [Find the automatically generated cert "Domain", the one that is a "Root certificate authority", Highlight and Export as .cer, email to all iOS devices, and click on the authority on the device. It should be entered as a trusted CA on all iOS devices. While you're at it, highlight and Export... as a .cer the certificate "IntermediateCA_SERVER.DOMAIN.COM_1", which is listed as an "Intermediate CA" -- you will use this to establish secure SSL connections with remote browsers hitting your server.]
    H. iOS on LAN: browse to server.domain.com/mydevices> [click on LHS Install trust cert, then RHS Enroll device.]
    I. Test from web browser server.domain.com/mydevices: Lock Device to test
    J. ??? Profit
    12. Server Admin>DNS>Zones> Add convenient DNS alias records if necessary, e.g., mail.domain.com, smtp.domain.com, www.domain.com. If you want to refer to your box using the convenient shorthand "domain.com", you must enter the A record (NOT alias) "domain.com." FQDN pointing to the server's fixed IP. You can also enter the convenient short MX record "domain.com." with priority 11. This will all work on the LAN -- all these settings must be mirrored on the outside internet using the service from which you registered domain.com.
    You are now ready to begin turning on your services. Here are a few important details and gotchas setting up cloud services.
    Firewall
    Server Admin>Firewall>Services> Open up all ports needed by whichever services you want to run and set up your router (assuming that your server sits behind a router) to port forward these ports to your router's LAN IP. This is mostly a straightforward exercise in grepping for the correct ports on this page, but there are several jaw-droppingly undocumented omissions of crucial ports for Push Services and Device Enrollment. If you want to enroll your iOS devices, make sure port 1640 is open. If you want Push Notifications to work (you do), then ports 2195, 2196, 5218, and 5223 must be open. The Unix commands "lsof -i :5218" and "nmap -p 5218 server.domain.com" (nmap available from Macports after installing Xcode from the App Store) help show which ports are open.
    SSH
    Do this with strong security. Server.app to turn on remote logins (open port 22), but edit /etc/sshd_config to turn off root and password logins.
    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    I'm not sure whether toggling Allow remote logins will load this config file; if not, run "sudo launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist ; sudo launchctl load -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist" to restart the server's ssh daemon.
    Then use ssh-keygen on remote client to generate public/private keys that can be used to remotely login to the server.
    client$ ssh-keygen -t rsa -b 2048 -C client_name
    [Securely copy ~/.ssh/id_rsa.pub from client to server.]
    server$ cat id_rsa.pub >> ~/.ssh/authorized_keys    # append to authorized_keys (not known_hosts); ">" would overwrite keys already there
    server$ chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
    I also like DenyHosts, which emails detected ssh attacks to [email protected]. It's amazing how many ssh attacks there are on any open port 22. Not really an added security feature if you've turned off password logins, but good to monitor. Here's a Lion Server diff for the config file /usr/share/denyhosts:
    $ diff denyhosts.cfg-dist denyhosts.cfg
    12c12
    < SECURE_LOG = /var/log/secure
    > #SECURE_LOG = /var/log/secure
    22a23
    > SECURE_LOG = /var/log/secure.log
    34c35
    < HOSTS_DENY = /etc/hosts.deny
    > #HOSTS_DENY = /etc/hosts.deny
    40a42,44
    > #
    > # Mac OS X Lion Server
    > HOSTS_DENY = /private/etc/hosts.deny
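    Review bot: the HOSTS_DENY change in this hunk (40a42,44) is a no-op in effect: on OS X /etc is a symlink to /private/etc, so the commented-out /etc/hosts.deny and the new /private/etc/hosts.deny name the same file. Keeping the original line would have been equivalent; the "# Mac OS X Lion Server" comment suggests a platform fix where this path needs none.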
    195c199
    < LOCK_FILE = /var/lock/subsys/denyhosts
    > #LOCK_FILE = /var/lock/subsys/denyhosts
    202a207,208
    > LOCK_FILE = /var/denyhosts/denyhosts.pid
    > #
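    Review bot: LOCK_FILE = /var/denyhosts/denyhosts.pid (hunk 202a207,208) points into a directory that nothing in this diff or the surrounding steps creates; DenyHosts cannot write its pid file and will not start unless /var/denyhosts exists and is writable by the account it runs as. Add a mkdir step to the instructions, or use a path that already exists.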
    219c225
    < ADMIN_EMAIL =
    > ADMIN_EMAIL = [email protected]
    286c292
    < #SYSLOG_REPORT=YES
    > SYSLOG_REPORT=YES
    Network Accounts
    Use Server.app to create your network accounts; do not use Workgroup Manager. If you use Workgroup Manager, as I did, then your accounts will not have email addresses specified and iCal Server WILL NOT COMPLETELY WORK. Well, at least collaboration through network accounts will be handled clunkily through email, not automatically as they should. If you create a network account using Workgroup Manager, then edit that account using Server.app to specify the email to which iCal invitations may be sent. Server.app doesn't say anything about this, but that's one thing that email address entry is used for. This still isn't quite solid on Lion Server, as my Open Directory logs on a freshly installed Lion Server are filled with errors that read:
    2011-12-12 15:05:52.425 EST - Module: SystemCache - Misconfiguration detected in hash 'Kerberos':
         User 'uname' (/LDAPv3/127.0.0.1) - ID 1031 - UUID 98B4DF30-09CF-42F1-6C31-9D55FE4A0812 - SID S-0-8-83-8930552043-0845248631-7065481045-9092
    Oh well.
    Email
    Email aliases are handled with the file /private/etc/postfix/aliases. Do something like this
    root:           myname
    admin:          myname
    sysadmin:       myname
    certadmin:      myname
    webmaster:      myname
    my_alternate:   myname
    Then run "sudo newaliases". If your ISP is Comcast or some other large provider, you probably must proxy your outgoing mail through their SMTP servers to avoid being blocked as a spammer (a lot of SMTP servers will block email from Comcast/whatever IP addresses that isn't sent by Comcast). Use Server.app>Mail to enter your account information. Even then, the Lion Server default setup may fail using this proxy. I had to do this with the file /private/etc/postfix/main.cf:
    cd /etc/postfix
    sudo cp ./main.cf ./main.cf.no_smtp_sasl_security_options
    echo 'smtp_sasl_security_options = noanonymous' | sudo tee -a ./main.cf    # "sudo echo ... >> file" fails: the redirect runs as your user, not root
    sudo serveradmin stop mail
    sudo serveradmin start mail
    Finally, make sure that you're running a blacklisting service yourself! Server Admin>Mail>Filter> Use spamhaus.org as a blacklister. Also set up mail to use strong Kerberos/MD5 settings under Server Admin>Mail>Advanced. Turn off password and clear logins. The settings should be set to "Use" your SSL cert, NOT "Require". "Require" consistently breaks things for me.
    If you already installed the server's Trust Certificate as described above (and opened up the correct ports), email to your account should be pushed out to all clients.
    iCal Server
    Server.app>Calendar>Turn ON and Allow Email Invitations, Edit... . Whatever you do, do NOT enter your own email account information in this GUI. You must enter the account information for local user com.apple.calendarserver, and the password for this account, which is stored in the System keychain: Keychain Access>System> Item com.apple.servermgr_calendar. Double-click and Show Password, copy and paste into Server.app dialog. This is all described in depth here. If you enter your own account information here (DO NOT!), the iCal Server will delete all Emails in your Inbox just as soon as it reads them, exactly like it works for user com.apple.calendarserver. Believe me, you don't want to discover this "feature", which I expect will be more tightly controlled in some future update.
    Web
    The functionality of Server.app's Web management is pretty limited and awful, but a few changes to the file /etc/apache2/httpd.conf will give you a pretty capable and flexible web server, just one that you must manage by hand. Here's a diff for httpd.conf:
    $ diff httpd.conf.default httpd.conf
    95c95
    < #LoadModule ssl_module libexec/apache2/mod_ssl.so
    > LoadModule ssl_module libexec/apache2/mod_ssl.so
    111c111
    < #LoadModule php5_module libexec/apache2/libphp5.so
    > LoadModule php5_module libexec/apache2/libphp5.so
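    Review bot: enabling php5_module in hunk 111c111 turns on PHP for every site and alias this server hosts, while the only PHP page described is the EyeTV index.php behind digest auth. Unless more PHP is planned, scope the PHP handler to that one directory (an AddHandler inside its <Directory> block) rather than server-wide, so a .php file that lands anywhere else is served as text instead of executed.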
    139,140c139,140
    < #LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    < #LoadModule encoding_module libexec/apache2/mod_encoding.so
    > LoadModule auth_digest_apple_module libexec/apache2/mod_auth_digest_apple.so
    > LoadModule encoding_module libexec/apache2/mod_encoding.so
    146c146
    < #LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    > LoadModule xsendfile_module libexec/apache2/mod_xsendfile.so
    177c177
    < ServerAdmin [email protected]
    > ServerAdmin [email protected]
    186c186
    < #ServerName www.example.com:80
    > ServerName domain.com:443
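    Review bot: ServerName domain.com:443 (hunk 186c186) names a host the auto-generated certificate does not cover; as the post notes further down, that certificate is issued only for server.domain.com, so HTTPS clients reaching the box as domain.com or www.domain.com get a name-mismatch warning regardless of this setting. Set ServerName to server.domain.com, the name on the cert, until a certificate that lists domain.com in its Subject Alternative Name is in place.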
    677a678,680
    > # Server-specific configuration
    > # sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart
    > Include /etc/apache2/mydomain/*.conf
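    Review bot: Include /etc/apache2/mydomain/*.conf (hunk 677a678,680) requires that directory to exist, and httpd fails its config check when it does not; the comment above records only the restart command. Put the "sudo mkdir /etc/apache2/mydomain" step in that comment, or keep the Include commented out until the directory is created, so a fresh install does not fail when the Web service starts.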
    I did "sudo mkdir /etc/apache2/mydomain" and added specific config files for various web pages to host. For example, here's a config file that will host the entire contents of an EyeTV DVR, all password controlled with htdigest ("htdigest ~uname/.htdigest EyeTV uname"). Browsing to https://server.domain.com/eyetv points to /Users/uname/Sites/EyeTV, in which there's an index.php script that can read and display the EyeTV archive at https://server.domain.com/eyetv_archive. If you want Apache username accounts with twiddles as in https://server.domain.com/~uname, specify "UserDir Sites" in the configuration file.
    Alias /eyetv /Users/uname/Sites/EyeTV
    <Directory "/Users/uname/Sites/EyeTV">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    Alias /eyetv_archive "/Volumes/Macintosh HD2/Documents/EyeTV Archive"
    <Directory "/Volumes/Macintosh HD2/Documents/EyeTV Archive">
        AuthType Digest
        AuthName "EyeTV"
        AuthUserFile /Users/uname/.htdigest
        AuthGroupFile /dev/null
        Require user uname
        Options Indexes MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    I think you can turn Web off/on in Server.app to relaunch apached, or simply "sudo apachectl -D WEBSERVICE_ON -D MACOSXSERVER -k restart".
    Securely copy to all desired remote clients the file IntermediateCA_SERVER.DOMAIN.COM_1.cer, which you exported from System Keychain above. Add this certificate to your remote keychain and trust it, allowing secure connections between remote clients and your server. Also on remote clients: Firefox>Advanced>Encryption>View Certificates>Authorities>Import...> Import this certificate into your browser. Now there should be a secure connection to https://server.domain.com without any SSL warnings.
    One caveat is that there should be a nice way to establish secure SSL to https://domain.com and https://www.domain.com, but the automagically created SSL certificate only knows about server.domain.com. I attempted to follow this advice when I originally created the cert and add these additional domains (under "Subject Alternate Name Extension"), but the cert creation UI failed when I did this, so I just gave up. I hope that by the time these certs expire, someone posts some documentation on how to manage and change Lion Server SSL scripts AFTER the server has been promoted to an Open Directory Master. In the meantime, it would be much appreciated if anyone can post either how to add these additional domain names to the existing cert, or generate and/or sign a cert with a self-created Keychain Access root certificate authority. In my experience, any attempt to mess with the SSL certs automatically generated just breaks Lion Server.
    Finally, if you don't want a little Apple logo as your web page icon, create your own 16×16 PNG and copy it to the file /Library/Server/Web/Data/Sites/Default/favicon.ico. And request that all web-crawling robots go away with the file /Library/Server/Web/Data/Sites/Default/robots.txt:
    User-agent: *
    Disallow: /
    Misc
    VNC easily works with iOS devices -- use a good passphrase. Edit /System/Library/LaunchDaemons/org.postgresql.postgres.plist and set "listen_addresses=127.0.0.1" to allow PostgreSQL connections over localhost. I've also downloaded snort/base/swatch to build an intrusion detection system, and used Macports's squid+privoxy to build a privacy-enhanced ad-blocking proxy server.

    Privacy Enhancing Filtering Proxy and SSH Tunnel
    Lion Server comes with its own web proxy, but chaining Squid and Privoxy together provides a capable and effective web proxy that can block ads and malicious scripts, and conceal information used to track you around the web. I've posted a simple way to build and use a privacy enhancing web proxy here. While you're at it, configure your OS and browsers to block Adobe Flash cookies and block Flash access to your camera, microphone, and peer networks. Read this WSJ article series to understand how this impacts your privacy. If you configure it to allow use for anyone on your LAN, be sure to open up ports 3128, 8118, and 8123 on your firewall.
    If you've set up ssh and/or VPN as above, you can securely tunnel in to your proxy from anywhere. The syntax for ssh tunnels is a little obscure, so I wrote a little ssh tunnel script with a simpler flexible syntax. This script also allows secure tunnels to other services like VNC (port 5900). If you save this to a file ./ssht (and chmod a+x ./ssht), example syntax to establish an ssh tunnel through localhost:8080 (or, e.g., localhost:5901 for secure VNC Screen Sharing connects) looks like:
    $ ./ssht 8080:[email protected]:3128
    $ ./ssht 8080:alice@:
    $ ./ssht 8080:
    $ ./ssht 8018::8123
    $ ./ssht 5901::5900  [Use the address localhost:5901 for secure VNC connects using OS X's Screen Sharing or Chicken of the VNC (sudo port install cotvnc)]
    $ vi ./ssht
    #!/bin/bash
    # bash, not sh: the script relies on shopt and extglob patterns below
    # SSH tunnel to squid/whatever proxy: ssht [-p ssh_port] [localhost_port:][user_name@][ip_address][:remotehost][:remote_port]
    USERNAME_DEFAULT=username
    HOSTNAME_DEFAULT=domain.com
    SSHPORT_DEFAULT=22
    # SSH port forwarding specs, e.g. 8080:localhost:3128
    LOCALHOSTPORT_DEFAULT=8080      # Default is http proxy 8080
    REMOTEHOST_DEFAULT=localhost    # Default is localhost
    REMOTEPORT_DEFAULT=3128         # Default is Squid port
    # Parse ssh port and tunnel details if specified
    SSHPORT=$SSHPORT_DEFAULT
    TUNNEL_DETAILS=$LOCALHOSTPORT_DEFAULT:$USERNAME_DEFAULT@$HOSTNAME_DEFAULT:$REMOTEHOST_DEFAULT:$REMOTEPORT_DEFAULT
    while [ "$1" != "" ]
    do
      case $1
      in
        -p) shift;                  # -p option
            SSHPORT=$1;
            shift;;
         *) TUNNEL_DETAILS=$1;      # 1st argument option
            shift;;
      esac
    done
    # Get local and remote ports, username, and hostname from the command line argument: localhost_port:user_name@ip_address:remote_host:remote_port
    shopt -s extglob                        # needed for +(pattern) syntax; man bash
    LOCALHOSTPORT=$LOCALHOSTPORT_DEFAULT
    USERNAME=$USERNAME_DEFAULT
    HOSTNAME=$HOSTNAME_DEFAULT
    REMOTEHOST=$REMOTEHOST_DEFAULT
    REMOTEPORT=$REMOTEPORT_DEFAULT
    # LOCALHOSTPORT
    CDR=${TUNNEL_DETAILS#+([0-9]):}         # delete shortest leading +([0-9]):
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%:}                            # delete :
    if [ "$CAR" != "" ]                     # leading port specified
    then
        LOCALHOSTPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEPORT
    CDR=${TUNNEL_DETAILS%:+([0-9])}         # delete shortest trailing :+([0-9])
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # trailing port specified
    then
        REMOTEPORT=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # REMOTEHOST
    CDR=${TUNNEL_DETAILS%:*}                # delete shortest trailing :*
    CAR=${TUNNEL_DETAILS##$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR#:}                            # delete :
    if [ "$CAR" != "" ]                     # remote host specified
    then
        REMOTEHOST=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # USERNAME
    CDR=${TUNNEL_DETAILS#*@}                # delete shortest leading *@
    CAR=${TUNNEL_DETAILS%%$CDR}             # cut this string from TUNNEL_DETAILS
    CAR=${CAR%@}                            # delete @
    if [ "$CAR" != "" ]                     # user name specified
    then
        USERNAME=$CAR
    fi
    TUNNEL_DETAILS=$CDR
    # HOSTNAME
    HOSTNAME=$TUNNEL_DETAILS
    if [ "$HOSTNAME" = "" ]                 # no hostname given
    then
        HOSTNAME=$HOSTNAME_DEFAULT
    fi
    # -f: background after auth, -N: no remote command, -C: compress, -q: quiet
    ssh -p "$SSHPORT" -L "$LOCALHOSTPORT:$REMOTEHOST:$REMOTEPORT" -l "$USERNAME" "$HOSTNAME" -f -C -q -N \
        && printf 'SSH tunnel established via %s:%s:%s\n\tto %s@%s:%s.\n' "$LOCALHOSTPORT" "$REMOTEHOST" "$REMOTEPORT" "$USERNAME" "$HOSTNAME" "$SSHPORT" \
        || echo "SSH tunnel FAIL."
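
An added example, not from the post above: a small POSIX sh audit of the three sshd_config settings the SSH section sets, run against a constructed sample config. It shows the point a hand edit can miss: sshd uses the first occurrence of a keyword, so a hardening line appended below an earlier permissive one has no effect. The function names and the sample config are this example's own.

```shell
#!/bin/sh
# Constructed sample sshd_config. The second PasswordAuthentication line near
# the bottom is the trap: sshd honours the FIRST occurrence of a keyword, so
# hardening lines appended after a permissive default change nothing.
SAMPLE_SSHD_CONFIG='# sample sshd_config (constructed for this example)
Port 22
#PermitRootLogin yes
permitrootlogin no
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
'

# sshd_effective CONFIG_TEXT KEYWORD
# Prints the value sshd will use for KEYWORD in the global section: first
# occurrence wins, keywords are case-insensitive, "key value" and "key=value"
# are both accepted, comments and blank lines are skipped. Lines after the
# first Match block are conditional and are not considered. Prints "unset"
# when the keyword does not appear.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }        # comment or blank line
        { gsub(/=/, " "); $0 = $0; k = tolower($1) }
        k == "match" { exit }                  # end of the global section
        k == key && !found { found = 1; print tolower($2) }
        END { if (!found) print "unset" }'
}

# audit_sshd CONFIG_TEXT
# Checks the three settings hardened in the post and returns 0 only if all of
# them carry the value the post sets (no).
audit_sshd() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key = $got"
        else
            echo "WEAK  $key = $got (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Run on the sample; for a real server: audit_sshd "$(cat /etc/sshd_config)"
audit_sshd "$SAMPLE_SSHD_CONFIG" || echo "sshd hardening incomplete"
```

On the sample it reports ChallengeResponseAuthentication as WEAK and confirms that the trailing "PasswordAuthentication yes" is ignored because the earlier "no" wins.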
