Apple's latest version of Mac OS X, known as Leopard, has been big technology news for the past few weeks as Mac users eagerly awaited the next-generation operating system.
Although not as flashy as the client-side operating system for a general audience, Leopard Server packs its own serious updates for Mac users and systems administrators, multi-platform IT professionals and, if Apple has its way, for small businesses everywhere.
After years of positioning Mac OS X Server primarily with its Xserve high-end server hardware as an enterprise server application, Apple is trying to open Leopard Server to a wider audience. Apple's new focus is on small businesses and small workgroups within a larger corporate network.
As with previous releases, Leopard Server can run on a wide variety of hardware, on anything from a PowerPC Mac mini right through to the highest-end Xserve. This, combined with the platform's extensive support for Windows PC clients and Windows Server environments, may well mean a broader customer base for Leopard Server.
Leopard Server provides easy-setup servers for many small businesses, and includes a new simplified setup process and systems management interface. This new interface is available in two modes: standard - for single-server use in a small business environment - and workgroup - for use as a workgroup or departmental server in an enterprise infrastructure.
Both sets of tools offer an easy-to-use interface to several of Leopard Server's features and allow users with limited or no server experience to successfully deploy and manage Leopard Server. When used in workgroup mode, Leopard Server can take advantage of network user accounts already being used within the larger corporate network.
The entire range of Leopard Server features is not available in the new simplified setup modes (most likely Apple limited the features to those that it could successfully engineer for automatic configuration and simple management from within Server Admin).
Because of the complex nature of many Leopard Server features, Apple has included only those that could be successfully engineered for the simplified setup modes. Although this may sound limiting, the services included are among the most commonly used by small businesses or by individual departments within a large company or school.
These include file and printer sharing for both Macs and Windows PCs, email, access to Leopard's new collaborative tools, remote access using VPN, internal instant messaging via iChat Server, shared calendars (thanks to the new iCal Server), and the ability to establish server and client backups using Apple's new Time Machine.
For larger organisations that have more robust server needs and can employ a staff of experienced server administrators, Leopard Server continues to provide services for networks of virtually any size and complexity.
When used in advanced administration mode, Leopard Server remains a highly stable and scalable platform for supporting Mac, Windows and Unix/Linux clients, and fully interoperates with Windows Server and Microsoft's Active Directory. For these environments, Leopard Server represents a significant increase in scalability, increased multiplatform support, more flexible administration and new collaborative tools.
Here is a rundown of some of the biggest changes and new features.
One of the biggest features of Leopard Server is simplified setup and management. Apple has built two new administration modes into Leopard Server to make managing the platform as easy as managing local user accounts on a Mac or PC. This new setup asks a series of guided questions to configure a server and then involves a brand new, simplified administration tool called Server Preferences for user and service management.
Server Preferences is modelled after Mac OS X's client-side System Preferences in terms of look, feel and ease-of-use. In fact, Server Preferences' user account management is so similar to that found in the Accounts pane of System Preferences that it would be easy to confuse the two.
Although the initial setup requires some detailed knowledge about the network and Internet configuration of the new server, the actual setup process is deceptively simple. (For any small business that doesn't know its network or Internet information, a call to the Internet service provider should do the trick.)
Making things even easier is that Leopard clients can auto-discover Leopard Server during initial setup (or thereafter) and configure themselves when Leopard Server is implemented using the simplified setup modes. Workgroups or departments in a larger corporate or educational network - including Windows and Active Directory - can import existing network accounts into Leopard Server either during or after the setup process.
An invitation email can be sent to those imported users to allow their Macs to be auto-configured if they happen to be running the client version of Leopard. This allows individual workgroups or departments to deploy their own, easy-to-manage servers without having to assign all their staff members or students a second set of usernames and passwords.
It also frees the person managing the workgroup server from having to create user accounts or to manage password issues.
The new setup isn't entirely perfect. Pre-Leopard Macs and Windows computers cannot be auto-configured. And as described above, only a subset of Leopard Server services is available in the simplified setup modes, though they are among the most popular.
The remaining features are more complex and require advanced administration using Mac OS X Server's more traditional graphical and/or command-line administration tools.
Note that Time Machine for server backup is supported only in the new simplified setup modes. The most logical reason Apple made this choice is that Time Machine is not intended as a company backup application and doesn't offer the array of media choices and other options typical of commercial enterprise and server backup software.
Administrators already comfortable with Leopard Server's advanced options might feel very constrained and limited if they were forced to rely on such a simple, end-user-oriented application as Time Machine.
It may not be perfect for everyone, but Apple has delivered a server platform that is easier to configure and manage than many home Internet routers and low-budget network-attached storage devices.
New administration tools
For experienced administrators and other IT professionals who choose to use Leopard Server's advanced mode and larger tool set, Apple has redesigned its server administration tools - Server Admin, Workgroup Manager and System Image Utility. All have received major facelifts and each change seems to have been aimed at making administration simpler and more logical.
One of the most notable changes is that file-sharing administration, previously performed in Workgroup Manager, has been moved to Server Admin. Workgroup Manager is now exclusively used for user, group and computer account management and the administration of managed preferences.
This is a logical move that in some ways should have been done sooner because the management of network accounts - whether they are stored in Apple's Open Directory or another LDAP-based directory system - is not specific to a single server. Network account management typically requires connection to the master server for a directory domain.
Meanwhile, file-sharing administration must be done at the level of the server hosting individual share points.
One major change for account management in Workgroup Manager is that the concept of computer lists has been replaced with computer accounts and computer groups. Lists were used to manage preferences and to restrict access in previous versions of Mac OS X Server. Using accounts and groups instead allows individual computers to be managed with greater granularity. For instance, computer groups can be nested within each other for more flexible management options.
Server Admin has undergone a more dramatic redesign than Workgroup Manager. The new interface allows administrators to create groups of servers for easier administration. Categories can include so-called smart groups that are updated in real time and that display only servers meeting specific criteria, including the types of services that are running, a particular IP address and specific network throughput or CPU usage.
In larger environments, these features will greatly simplify server identification and management. Similarly, only the services currently enabled and/or running on a server are displayed in the server's list; services that are running at any given time are indicated by a green dot.
This is very handy for environments where only one or two services are used on each server. Server Admin now also supports tiered administration, so administrators can designate users or groups that are permitted to manage specific services.
Perhaps the administration tool that has experienced the biggest makeover is System Image Utility, used to create image sets - specially pre-configured disk images and supporting files - for Mac OS X Server's NetBoot and NetInstall. The new System Image Utility is completely rebuilt and much more automated than it was in previous versions. Basic image creation can now be done in two or three clicks and involves little more than selecting a source volume.
More advanced setups are created with OS X Automator-style workflows of available actions. Actions include tasks such as enabling automated installation, creating user accounts and partitioning a hard drive in preparation for Apple's Boot Camp.
Without a doubt, this is a huge improvement in ease of use, but the approach is so different from previous releases that it will take experienced Mac administrators some time to get used to. The difference, which is largely in interface and not actual functionality, is similar to that between the hassle of filling out an application form for a passport - with plenty of questions that must be answered in long form - and ordering from a menu where you simply check off what you want.
In Leopard Server, Apple has shipped its first shared calendar. Based on the open CalDAV standard, iCal Server integrates with Leopard's iCal and with any other CalDAV-compliant applications. Currently, this does not include Microsoft Outlook.
Like so many other services in Leopard Server, iCal Server is very easy to manage; users can be configured to access calendar information from one or more servers within a network. This allows load balancing of shared calendars among multiple servers and the distribution of iCal Servers across multiple locations separated by slow network links. It also allows for logical grouping of users attached to specific calendar servers based on department or other resource and access restrictions.
Note that iCal 3, included with the client version of Leopard, is required to access shared calendars on iCal Server. Alternate CalDAV-compliant tools, including OSAF's Chandler, can be used with earlier Mac OS X versions.
From a user perspective, iCal Server is a natural, almost seamless, progression of use from Apple's iCal. When used with iCal Server, users can schedule events with and view free and busy time for each other. Server-based calendars are displayed separately from non-shared calendars and users can choose whether or not to create events on their iCal Server.
Enhanced collaborative tools
In addition to iCal Server, Leopard Server includes Web-based collaborative tools and a new organisational information tool called Directory, explained in more detail below. New Web-based tools include an easy-to-configure wiki and blogs that can be created for any group. Group calendars offer a very slick and polished Web 2.0 interface that both looks and functions excellently, and the choice of several site templates. As with all versions of Mac OS X and Mac OS X Server, Web services are handled by Apache.
The new Directory application included with Leopard gives users access to a wide variety of organisational information about users, groups, office/school locations and other types of available resources. It maintains general user contact information, including address and phone number, as well as organisational information such as who reports to whom.
Location information can include maps, address and descriptions, and can be as granular as a person's desk location within an office. Resources can include anything from copiers to company cars. Resources and locations can even be scheduled, thanks to integration with iCal Server.
Directory offers an option for creating a single-source reference for employee, departmental and organisation-wide information. The option for employees to edit their own information - including photos of themselves - and the breadth of material that can be included are impressive.
If the system could be integrated with other business applications such as payroll or time and attendance systems, Directory could serve as a complete tool for maintaining employee information. Such integration might be able to be performed via LDAP queries, as the Directory information appears to reside mostly in Open Directory.
With the variety of commercial and home-grown tools for employee management, however, it would be impossible for Apple alone to develop this type of integration. Third parties may be able to do so independently or working with Apple.
The downside is that there is no comparable Windows setup, which will limit Directory's ultimate application for many larger organisations that are dealing with a variety of client systems and software.
New managed preferences
Apple has updated its managed preferences architecture to include new built-in preferences and expand several existing options. New preferences include Parental Controls, which mirror the Parental Controls found in Leopard client, and Time Machine, which allows an administrator to define a share point to be used for backing up workstations with Leopard's Time Machine. Options in Time Machine can also be set to define which volumes get backed up, whether system files are backed up and to limit the total storage space for backups.
Managed preferences that have received major updates include Applications, Login and Mobility. With the new Applications setup, administrators can restrict not only which applications may be launched but also restrict the launching of applications in specific folders. Additionally, administrators can define which Dashboard widgets may be run and whether access to Front Row, Apple's media centre, is allowed.
For its part, Login can now automatically set the computer name displayed in the log-in window to that of a Mac's computer record. This is helpful for NetBoot and NetInstall clients, which might otherwise all display the same name, and for ensuring naming consistency across a network.
Also new in Login is an option for external accounts whose home directory resides on an external hard drive that users can carry with them, and the option for a Guest account. A new Access tab allows administrators to restrict which users and groups can log into a computer or all computers in a computer group. The ability to limit access was previously available for computer lists rather than for individual computers.
Also on the Access tab are choices for how multiple managed group settings are applied.
Out of this group of managed preferences, Mobility - the preference that allows mobile accounts for computers that leave a network - has gained the most updates. Administrators can now choose more advanced options for how a user's local home folder on the mobile computer syncs with the user's network home folder. Home folders on mobile computers now support FileVault encryption, a tool for securing business data on mobile computers.
Administrators can also now define the location of the home folders on mobile computers or allow users to decide where their home folders will be stored - including external drives, allowing the aforementioned external accounts. Finally, mobile accounts can now be set for automatic deletion after a period of inactivity - again, a nice security touch.
Enhanced directory services
Open Directory, the native directory service in Mac OS X, has gotten several major updates in Leopard Server as well as some significant under-the-hood changes for Leopard clients. The first of these server updates is two-tiered replication. This replaces the hub-and-spoke system of replication used in previous releases - that's where a single Open Directory master issued updates to one or more replicas.
Note that the biggest under-the-bonnet change in Leopard is that Apple has retired the use of the outdated NetInfo technology as a mechanism for storing local user accounts and related information, and has replaced the NetInfo database with a series of property list (.plist) files. We'll have more coverage of this in upcoming stories.
Two-tiered or cascading replication now allows for a single Open Directory master server to have up to 32 replicas that can each have up to 32 replicas of their own. This allows for richer replication topologies and increases performance of the Open Directory master, and as a result, the entire infrastructure in networks with large numbers of replicas. It also means that existing networks with more than 32 replicas will need to be redesigned.
Another important point is that all Open Directory servers within a network will need to be upgraded at the same time because replication between Leopard Server and Tiger Server is not supported.
Open Directory now supports cross-domain authorisation. This allows an Open Directory master to be bound to another LDAP-based directory server, including Active Directory. The Open Directory master can then authorise access to services for users whose accounts reside in the directory system to which it is connected via Kerberos.
This feature allows for enhanced integration with other directory systems within a network, and allows Mac OS X Server to function as a middleman for directory services. This should permit simpler support for Mac OS X in a dual-platform network with Windows Server and Active Directory.
In fact, Active Directory support has been improved on both the client and server side of Leopard. Active Directory authentication now fully supports digital signing and all Windows 2003 Server security options. The process by which Mac OS X discovers Active Directory domain controllers has also been updated so that it behaves more like a Windows client when working with Active Directory site topologies.
The new Directory Utility provides the major client access features for directory services, replacing Directory Access in previous Mac OS X versions. (This is not to be confused with the Directory application mentioned earlier.) It also provides for better automatic configuration when binding computers to either Open Directory or Active Directory.
Directory Utility makes establishing more secure binding with Mac OS X Server simpler as well. When servers are configured in standard or workgroup mode, Directory Utility can automatically discover them and configure access for both Mac OS X and the appropriate applications - such as Mail and iCal - that are being provided by the server.
New network services
Answering a long-standing request, Apple has bundled RADIUS support into Leopard Server. The RADIUS server integrates with Open Directory and allows administrators to configure access to wireless networks based on Open Directory usernames and passwords.
This is a huge security and administrative advantage for any organisation needing secure wireless connectivity. It allows a wireless network to be secured but also permits granularity of access based on user accounts rather than on a single global password. Also, the use of existing usernames and passwords provides an easy-to-remember log-in for wireless network users.
Another new feature that seems buried in the DNS service settings is wide-area Bonjour. One of the limitations of Apple's Bonjour zero-configuration networking technology is that it can locate resources only on the same subnet. Wide-area Bonjour allows a server to register Bonjour services across multiple subnets and to identify those services to clients. The effect is similar to that of a WINS server.
Apple's Spotlight search tool is now on the server. Spotlight indexes file metadata for fast searching from the Mac OS X Finder. In Tiger, Spotlight was limited to searching local hard drives. Leopard Server now allows indexing of server volumes. When Leopard clients search with Spotlight, those searches will take advantage of the server-based indexes. But security is also taken care of; Spotlight Server is integrated with file permissions to prevent users from receiving search results for items to which they don't have access.
Podcasts made easy
Podcast Producer, working with the new Podcast Capture utility included with Leopard, leverages Leopard Server and Apple's Xgrid clustering technology to deliver a user-friendly and high-powered podcast creation system. Users can easily capture audio or video content using Podcast Capture, or they can select existing multimedia files. The content is off-loaded to Podcast Producer for processing.
Through a series of administrator-defined workflows, the content is automatically encoded into specified formats and packaged for distribution. Users can distribute their podcasts via a Web link, an RSS feed, as streaming media, in an email and through other modes. Additionally, special effects such as credits, watermarks and introductions can all be added via workflows. The result is a powerful processing application that is easy for administrators to configure and even easier for end users producing content.
The final word
While this article isn't intended as a review, it is hard not to take an overall position on Leopard Server. In initial testing, it appears to be a remarkable step forward. The usability of the administration tools is much improved for experienced users and the new simplified setup makes many of the basic services accessible to less technical users. We hope to bring you more coverage of specific features in the future, but for now it seems a sure thumbs up.