Monthly Archives: July 2012

cloud iPhone Mac OS X Mac OS X Server Mass Deployment MobileMe

iWork Public Beta Goes Bye-Bye Today :: Last Call

I’m sure you’ve heard by now. But just in case you hadn’t logged into iWork.com in awhile or let the to-do lapse, it’s just worth a reminder that iWork Public Beta, the site that you could upload Pages, Numbers and Keynotes to, is being deprecated. The end comes on today.

In other words, if you have documents up on the site, you should download them immediately or you won’t be able to come August. Apple has even provided a document explaining how.

The service that was being provided by the iWork public beta is replaced by iCloud. Using iCloud, you can sync your documents between all of your devices. When you configure iCloud in System Preferences, you are prompted to sync contacts, calendars and bookmarks, but iCloud also gets configured for file synchronization as well at that time. While iCloud doesn’t allow you to edit documents online, you can access them through the iCloud web portal and download them from any computer you like. The new iCloud integration also allows for seeing all your documents in each supported app, when first opened:

Mac OS X Mac OS X Server Mac Security Mass Deployment Network Infrastructure

Installing the Mountain Lion Server VPN Server

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible.

Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in Mountain Lion Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to setup and even simpler to manage.

Setting Up The VPN Service In Mountain Lion

To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has two options available in the “Configure VPN for” field, which has two options:

  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol

The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:

  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPN 
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over.
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).

Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629.

Using The Command Line

I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required:

sudo serveradmin start vpn

And to stop the service:

sudo serveradmin stop vpn

And to list the available options:

sudo serveradmin settings vpn

To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no

To configure how long a client can be idle prior to being disconnected:

sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10

By default, each protocol has a maximum of 128 sessions, configureable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions:

sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200

To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option:

sudo serveradmin fullstatus vpn

Which returns output similar to the following:

vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:startedTime = "2012-07-31 02:05:38 +0000"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.pptp:pid = 97849
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:startedTime = "2012-07-31 02:05:39 +0000"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:pid = 97852
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "RUNNING"
vpn:setStateVersion = 1

Security folk will be stoked to see that the shared secret is shown in the clear using:

vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind"

Configuring Users For VPN Access

Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar.

At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services.

At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user.

Setting Up Client Computers

As you can see, configuring the VPN service in Mountain Lion Server is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service.

At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create.

At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings.

At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection.

Conclusion

Setting Up the VPN service in OS X Mountain Lion Server is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into Mountain Lion at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

Mac OS X Mac OS X Server Mac Security

Setting Up The Mail Service in Mountain Lion Server

Mail is one of the hardest services to manage. Actually, mail is pretty simple in and of itself: there’s protocols people use to access their mail (such as IMAP and POP), protocols used to communicate between mail servers and send mail (SMTP, SMTPS)  and then there’s a database of mail and user information. In Mount Lion Server, all of these are represented by a single ON button, so it really couldn’t be easier. But then there’s the ecoysystem and the evil spammers.

As a systems administrator of a large number of mail servers, I firmly believe that there is a special kind of hell where only spam is served at every meal for spammers. Here, the evil spammers must also read every piece of spam ever sent for eternity. By the end (aka Ragnarok), they should be fairly well hung, have chemically induced stamina of a 16 year old with the latest Sports Illustrated Swimsuit issue, enough pills of other types to not be able to use that stamina, plenty of African princes looking to donate large sums of money if only they can be helped out of their country (which should cost about 100,000 compared to a 5,000,000 payout, not a bad ROI, right?!?!?), have their conflicting stamina situation at the top of the search engines and of course, have lost all of the money made from their African princes due to getting their credit card hijacked by about 9,000 phishing scams. All in all, a special kind of hell…

But back to the point of the article, setting up mail… The things that mail administrators need to focus on to keep that mail server flowing mail to and from everyone else in the world:

  • Static IP address. The WAN (and LAN probably) address should be static.
  • Port Forwards. Port forwards need to be configured on the gateway for the SMTP port at a minimum and more than likely other ports used to access mail on client devices (25, 143, etc)
  • DNS records. An MX record and some kind of mail.domain.com type of record should definitely be configured for the DNS servers that are authoritative for the domain. There should also be reverse records for the address of the server, usually created by the Internet Services Provider, or ISP, that match that record.
  • Check the RBLs. If you have a new IP address you’ll be putting a DNS server on, check all the major Realtime BlackLists to make sure that some evil spammer hasn’t squatted on the IP before you got to it. This is true whether you’re in a colo, hosted on an IP you own or moving into space formerly occupied by a very standup company. A lot of IP addresses are blocked, as are blocks of IPs, so before moving mail to an IP, check it.
  • Mail filtration (message hygiene). OS X Server has a number of mail filters built in, including clam for viruses, the ability to leverage RBLs, block specific addresses and of course RBL checking. However, this is often not enough. Third party services such as MXLogic help to keep mail from coming into your network. You also end up with an external IP to send mail that can cache mail in the event the server is down and keep mail off your network in the event that it’s spam.
  • Backup. I am firmly of the belief that I’d rather not have data than not have that data backed up…

Once all of that is taken care of (I’ll add more as I think about it) then it’s time to enable the mail service. Actually, first let’s setup our SSL certificates. To do so, open the Server app and click on the name of the server in the HARDWARE section of the sidebar. Then click on the Settings tab and then the Edit button beside the SSL Certificate entry. Here, use the Certificate drop-down list for each protocol to select the appropriate certificate to be used for the service.

Click OK when they’re all configure. Now let’s enable the mail service (or outsource mail). To do so, open the Server app and click on Mail in the SERVICES list in the sidebar.

At the configuration screen is a sparse number of settings:

  • Provide mail for: Configures all of the domains the mail server will listen for mail for. Each account on the server has a short name and each domain name will be available for each short name. For example, an account with a shortname of charles will be available for email addresses of charles@pretendco.com and charles@krypted.com per the Domain Name listing below.
  • Authentication: Click Edit for a list of sources that accounts can authenticate against (e.g. Active Directory, Open Directory, Custom, Local, etc) and in some cases the specific password algorithms used for mail.
  • Relay outgoing mail through ISP: Provide a server that all mail will get routed through from the server. For example, this might be an account with your Internet Services Provider (ISP), an account on an appliance that you own (such as a Barracuda) or with an external filtering service (such as MXLogic).
  • Limit mail to: Configure the total amount of mail a user can have in the mail store, in Megabytes.
  • Edit Filtering Settings: Configure antivirus, spam assassin and junk mail filters. The “Enable virus filtering” checkbox enables clam. The “Enable blacklist filtering” checks the RBL (or RBLs) of your choice to check whether a given server is a “known” spammer and the “Enable junk mail filtering” option enables spam assassin on the host, configuring it to block based on a score as selected using the slider.

Once you’ve configured the settings for the Mail service, click on the ON slider to enable the service. At this point, you should be able to telnet into port 25 of the host to verify that SMTP is listening, preferably from another mail server:

telnet mail.krypted.com 25

You can also check that the mail services are running using the serveradmin command along with the fullstatus option for the mail service:

sudo serveradmin fullstatus mail

Which returns with some pretty verbose information about the service, including state, connections, running protocols and the rest of the following:

mail:setStateVersion = 1
mail:readWriteSettingsVersion = 1
mail:connectionCount = 0
mail:servicePortsRestrictionInfo = _empty_array
mail:protocolsArray:_array_index:0:status = "ON"
mail:protocolsArray:_array_index:0:kind = "INCOMING"
mail:protocolsArray:_array_index:0:protocol = "IMAP"
mail:protocolsArray:_array_index:0:state = "RUNNING"
mail:protocolsArray:_array_index:0:error = ""
mail:protocolsArray:_array_index:1:status = "ON"
mail:protocolsArray:_array_index:1:kind = "INCOMING"
mail:protocolsArray:_array_index:1:protocol = "POP3"
mail:protocolsArray:_array_index:1:state = "RUNNING"
mail:protocolsArray:_array_index:1:error = ""
mail:protocolsArray:_array_index:2:status = "ON"
mail:protocolsArray:_array_index:2:kind = "INCOMING"
mail:protocolsArray:_array_index:2:protocol = "SMTP"
mail:protocolsArray:_array_index:2:state = "RUNNING"
mail:protocolsArray:_array_index:2:error = ""
mail:protocolsArray:_array_index:3:status = "ON"
mail:protocolsArray:_array_index:3:kind = "OUTGOING"
mail:protocolsArray:_array_index:3:protocol = "SMTP"
mail:protocolsArray:_array_index:3:state = "RUNNING"
mail:protocolsArray:_array_index:3:error = ""
mail:protocolsArray:_array_index:4:status = "ON"
mail:protocolsArray:_array_index:4:kind = "INCOMING"
mail:protocolsArray:_array_index:4:protocol = "Junk_mail_filter"
mail:protocolsArray:_array_index:4:state = "STOPPED"
mail:protocolsArray:_array_index:4:error = ""
mail:protocolsArray:_array_index:5:status = "ON"
mail:protocolsArray:_array_index:5:kind = "INCOMING"
mail:protocolsArray:_array_index:5:protocol = "Virus_scanner"
mail:protocolsArray:_array_index:5:state = "STOPPED"
mail:protocolsArray:_array_index:5:error = ""
mail:startedTime = "2012-07-30 18:14:26 +0000"
mail:logPaths:IMAP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:Server Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:POP Log = "/Library/Logs/Mail/mailaccess.log"
mail:logPaths:SMTP Log = "/var/log/mail.log"
mail:logPaths:Migration Log = "/Library/Logs/MailMigration.log"
mail:logPaths:Virus Log = "/Library/Logs/Mail/clamav.log"
mail:logPaths:Amavisd Log = "/Library/Logs/Mail/amavis.log"
mail:logPaths:Virus DB Log = "/Library/Logs/Mail/freshclam.log"
mail:imapStartedTime = "2012-07-30 18:14:26 +0000"
mail:servicePortsAreRestricted = "NO"
mail:state = "RUNNING"
mail:postfixStartedTime = "2012-07-30 18:14:49 +0000"

To stop the service:

sudo serveradmin stop mail

And to start it back up:

sudo serveradmin start mail

To configure some of the settings no longer in the GUI from previous versions, let’s look at the full list of options:

sudo serveradmin settings mail

One that is commonly changed is the subject line added to messages that are marked as spam by spam assassin. This is stored in mail:postfix:spam_subject_tag, so changing would be:

sudo serveradmin settings mail:postfix:spam_subject_tag = "***DIEEVILSPAMMERSDIE*** "

A number of admins also choose to disable greylisting, done using the mail:postfix:greylist_disable option:

sudo serveradmin settings mail:postfix:greylist_disable = no

To configure an email address for quarantined mail to go, use mail:postfix:virus_quarantine:

sudo serveradmin settings mail:postfix:virus_quarantine = "diespammersdie@krypted.com"

The administrator, by default, doesn’t get an email when an email containing a file infected with a virus is sent through the server. To enable this option:

sudo serveradmin settings mail:postfix:virus_notify_admin = yes

I also find a lot of Mac environments want to accept email of pretty much any size. By default, message size limits are enabled. To disable:

sudo serveradmin settings mail:postfix:message_size_limit_enabled = yes

Or even better, just set new limit:

sudo serveradmin settings mail:postfix:message_size_limit = 10485760

And to configure the percentage of someone’s quota that kicks an alert (soft quota):

sudo serveradmin settings mail:imap:quotawarn = 75

Additionally, the following arrays are pretty helpful, which used to have GUI options:

  • mail:postfix:mynetworks:_array_index:0 = “127.0.0.0/8″ – Add entries to this one to add “local” clients
  • mail:postfix:host_whitelist = _empty_array – Add whitelisted hosts
  • mail:postfix:blacklist_from = _empty_array – Add blacklisted hosts
  • mail:postfix:black_hole_domains:_array_index:0 = “zen.spamhaus.org” – Add additional RBL Servers

The client side of the mail service is straight forward enough. If you are wondering where in this article we discuss using webmail, er, that’s not installed by default any longer. But the open source project previously used, roundcube, is still available for download and easily installed (the pre-reqs are all there, already). Check out the roundcube wiki installation page here for more info on that. Also, mail groups. I hope to have a post about that soon enough. Unless, of course, I get sidetracked with having a life. Which is arguably not very likely…

Articles and Books Mac OS X Mac OS X Server Mac Security public speaking

Macworld Call for Speakers Now Open

I won’t be able to make it to Macworld this year for a number of reasons, most notably that the scheduling gods (unrelated to the Norse pantheon, but similar to that of the Greeks) have me booked on a job that week. However, it’s an event that I wholeheartedly believe in. I think the more of these types of conferences there are, the better off we, as a community, are. My absence is not without my desire to be there, that is for sure.

For those who haven’t been involved in the community of Mac Engineers, but who have a compelling narrative to tell, I’d recommend submitting a presentation. As such, the Call for Speakers is now open. If you’ve never spoken at this event, or attended then going as a speaker would be a really great experience. Nothing against the people who go and speak on an annual basis, but I think every community needs infusions of new blood on an annual basis (visions of Keith Richards with a MacBook are dancing through my head right now). I think it is healthy and keeps the heterogenous nature of the community at a maximum. I am sure that the people who pick the speakers would love to take some presentations from people they’ve maybe never met and don’t know – and even possibly help develop the proposed sessions into a more flushed out experience for the audience. Maybe you just did a large deployment that you can talk about, or even a small deployment that’s very unique. Maybe you wrote a script or just found a new workflow that requires fewer manual steps to achieve a common goal. To me, the goal is to be excited about something new with regards to technology and communicate both the excitement and the technology in a way that others can understand. I’ve not always been the best at this, as such a skill for most people is a work in progress. But you can’t get to working on it until you actually propose something!

Good luck and please feel free to ask me if you need any help working out the kinks of one of these. I’ve been a speaker a number of times in the past few years and would love to help in any way I can!

And of course, for those who still don’t want to speak at Macworld, I’d still strongly recommend going. I’ve learned so much over my years attending, I can’t imagine not having done so. From the nights at Dave’s to the mornings at some random diner in I’m still not sure what part of San Francisco (or that one time at the diner in Sacramento the next morning). I’ve shared many great times there and look forward to doing so next year. Hopefully you’ll be an old vet by then, if not already!

Mac OS X Mac OS X Server Microsoft Exchange Server

Configuring Calendar Server in Mountain Lion Server

Configuring Calendar Server in Mountain Lion Server is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in Mountain Lion Server, open the Server application and click on Calendar in the SERVICES section of the sidebar.

Enabling the Calendar Server in Mountain Lion Server

Enabling the Calendar Server in Mountain Lion Server

Once open, click on Edit to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button.

Mountain Lion Server :: Configuring Email Notifications in Calendar Server

Mountain Lion Server :: Configuring Email Notifications in Calendar Server

At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button.

Mountain Lion Calendar Server :: Configuring IMAP

Mountain Lion Calendar Server :: Configuring IMAP

At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button.

Mountain Lion Calendar Server :: Verify Settings

Mountain Lion Calendar Server :: Verify Settings

At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field.

Creating Locations in the Calendar Service of Mountain Lion Server

Creating Locations in the Calendar Service of Mountain Lion Server

There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command:

sudo serveradmin settings calendar

One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP:

sudo serveradmin settings calendar:HTTPPort = 8008

For HTTPS:

sudo serveradmin settings calendar:SSLPort = 8443

You can then start the service using the start option:

sudo serveradmin start calendar

Or to stop it:

sudo serveradmin stop calendar

Or to get the status:

sudo serveradmin fullstatus calendar

Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Preferences. From the Preferences screen, click on Accounts to bring up a list of accounts. Here, click on the plus sign (“+”) to bring up the “Add an Account” screen.

Adding An Account In Mountain Lion's Calendar App

Adding An Account In Mountain Lion’s Calendar App

At the “Add an Account” screen, select CalDAV from the Account Type menu and then enter the User Name and password configured on the server, as well as the address of the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server.

Account Settings In Mountain Lion's Calendar App

Account Settings In Mountain Lion’s Calendar App

Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar…

Sharing a CalDAV Calendar

Sharing a CalDAV Calendar

At the Share Calendar screen, provide the name the calendar should appear as to others and click on the plus sign (“+”) and enter any accounts to delegate administration to.

Mountain Lion Calendar Settings

Mountain Lion Calendar Settings

Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers.

Mountain Lion Calendar Address Screen

Mountain Lion Calendar Address Screen

Click on the Delegation tab to view any accounts you’ve been given access to.

Account Delegation In Mountain Lion's Calendar Server

Account Delegation In Mountain Lion’s Calendar Server

Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions.

Overall, the Calendar service in Mountain Lion Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

certifications iPhone

iOS Development Test Now Available

I’ve been involved with Brainbench for some time. There is now a new iOS development test available at http://www.brainbench.com/xml/bb/common/testcenter/taketest.xml?testId=2973.

Also, we’re currently working on a Mountain Lion test and could use some reviewers if anyone is interested.  Let me know if you’d like to be involved with that.

Mac OS X

Showing iTunes Track & Song Titles In The Dock

When I’m writing, I like to listen to music in the background. When writing, I also like to have everything minimized so I can quickly grab a screenshot of the desktop where needed. This means that when I run into a track that doesn’t work with whatever I’m writing that I would need to unminimize iTunes, click the next button and then re-minimize iTunes. Awhile back I found a better way but can’t remember where for attribution. So, part of my default user template and imaging framework now includes setting the iTunes Dock icon to show the track that I’m playing so I can easily go to the next song, filing away the current song to remove from whatever playlist at a later date in case I’ve forgotten who the artist was. By default the iTunes Dock icon doesn’t show the current playing track. To tell it to:

defaults write com.apple.dock itunes-notifications -bool TRUE

Then killall Dock:

killall Dock

Now when you click on iTunes in the dock and hold the mouse down, you’ll see the following:

If you later decide you don’t like this:

defaults write com.apple.dock itunes-notifications -bool FALSE

And then killall Dock:

killall Dock

iPhone Mac OS X Mac OS X Server Mac Security

What Happens When An iPhone Overheats

I know I’ve mentioned before that when the temperature drops below -10 the heat from my hands is sometimes not enough to keep my phone working and that it can stop running. Officially, the iPhone needs to run between -4º to 113º F. I learned this the hard way (I tend to learn most things the hard way, I like to think of it as a trait, or something like that) when I left my phone sitting in my car. Not only does it get cold as all getout in Minneapolis, but it can get pretty hot as well. And as with any location in mid-summer, if you leave your car with windows up and sitting in the sun, it can get really hot.

So recently, when I remembered I needed to go grab my phone to jump on a conference call, I was greeted with this:

iPhone Overheating Message

iPhone Overheating Message

So ya, if I missed a conference call with you in the past week, that’s my excuse. I am now going to put this post on repeat/autopilot for the remainder of the summer so I can sleep in from time to time… If you would like more information as to why I’m not on calls, please see Apple’s KB regarding the subject.

Mac OS X Mac OS X Server Mac Security Mass Deployment

Upgrading to Mountain Lion Server

Now that we’ve looked at what you get and what you don’t get in Mountain Lion Server, let’s take a little while to look at what the upgrade path itself looks like. Before we start, let’s just say that upgrading to Mountain Lion Server is probably one of the fastest, easiest and most boring upgrades you’ll ever get to do. And I say this more to the credit of the engineers that made the process so simple. Apparently there are bonuses to your Server just being an app. There is a catch, some of the services are gone. Another catch, you’re gonna’ need to have a system that meets the following specs:

  • Capable of booting a 64-bit kernel, means a 64-bit Intel Core 2 Duo or better
  • The graphics just keep getting better, so you’ll need an Advanced GPU chipset
  • The more memory the better, although 2GB is the bare minimum
  • The more CPU the better, although 8GB of space is required
  • An Internet connection, or a cached Install Mac OS X Mountain Lion, Server app and Server package – much easier to just have a connection to the Internet…
  • You should plan on using an Apple ID, although if you don’t supply it at install time, the server can still run
  • The source computer needs 10.6.8 or 10.7.x

Apple’s official specs are here, outlining the models that Mountain Lion can run on. If Mountain Lion can run, OS X Server can run on it. Next, make a clone of your computer. I use Carbon Copy Cloner, like most sane people, but YMMV with other tools that you may be in love with. Once your clone is done, I personally like to do both an archive and an export of user accounts from Workgroup Manager as a final safety net. You should also have a book. Preferably one of mine, although given that the merging of two such boring topics can create a black hole of boringness (which is similar to turning a bag of holding inside out, btw), you might choose to bring something a bit livelier than either of the two, like some Dostoyevsky or the Chem 111 textbook I used in college.

Next, let’s go to the App Store. Search for Mountain Lion or OS X and then click the Install button for the Mountain Lion app. The button will then say Downloading, as follows:

Buy OS X Mountain Lion from the App Store

Buy OS X Mountain Lion from the App Store

Once downloaded, make sure your users won’t chase after you with pitchforks for being down for a couple of hours and then run the installer, following the defaults until the download begins and the system reboots. The installation will take a little while. From the time you start the download to the time that the files are unpacked and replaced on the system can be about an hour or two. This is a good time to grab that book, a bag of Doritos and a Dr. Pepper. Once the Doritos are gone, wash your hands and check the progress of the installation. Read some more. Once that’s done, check the progress again. If you think about a second bag of Doritos, stop – it’s not worth it… A second Dr. Pepper is fine though, I hear it helps you write articles about upgrading to Mountain Lion Server in a way that makes optimal sense.

Once the system reboots again, you should be ready to open Server app. Except for the fact that it isn’t there, which is obvious by the fact that it’s got a big annoying white circle over it in the Dock. Remove the Server app (and Workgroup Manager or Server Admin if they’re in there) and then it’s time to install Server itself.

Go back to the App Store and search for & buy Mountain Lion Server (or install these from Purchases if you’ve already purchased them). Once installed, Server appears in the Dock. Use the following command to verify that the IP address and hostname match:

sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/changeip -checkhostname

Provided that the name of the server checks out clean, click on the Server app in the Dock to be guided through the installation process.

Set Up Your Server Screen When Installing Mountain Lion Server

Set Up Your Server Screen When Installing Mountain Lion Server

At the Setup Your Server screen, click on Continue.

Agree to the Mountain Lion Server Licensing Agreement

Agree to the Mountain Lion Server Licensing Agreement

Agree to the licensing terms (assuming you do agree) by clicking on the Agree button.

Provide Administrative Credentials When Installing Mountain Lion Server

Provide Administrative Credentials When Installing Mountain Lion Server

Provide the administrative username and password to give Server and services permission upon installation and then click on the Allow button.

Configure The AppleID for Push Notifications

Configure The AppleID for Push Notifications

At the Apple Push Notifications screen, provide the Apple ID and password for a valid Apple ID and then click on the Continue button.

Congrats, You're A SysAdmin!

Congrats, You’re A SysAdmin!

After a time, you should see a Congratulations screen. Click on Finish and the Server app should automatically open (or the process fails but Server opens anyway, just without some of the stuff working out of the gate).

At this point, you should see the services that were running prior to the upgrade running. Check the logs to verify that there’s nothing out of the ordinary. If you were running a firewall then the rules will be migrated and continue running. To disable if you’re going to move your rules to pf, then use the following command to disable the rules and reboot:

sudo mv /etc/ipfilter /etc/ipfilter.OLD

You don’t need to disable these immediately, although a lack of control over them might cause you to want to… Next, install Workgroup Manager, available at http://support.apple.com/kb/DL1567. You’ve now got a functional server, provided that the entire process went smoothly. In my experience so far (there hasn’t been a ton of this at this point), the service migration is far smoother than from within the Lion Server point releases (e.g. 10.7.2 to 10.7.3, etc). Profile Manager, for example, worked like a charm on upgrade, as did Calendar and Contacts services, which had been a bit persnickety at times previously.

Now, you can get back to that book and instead of a 3rd Dr. Pepper, switch to Jägermeister!

Articles and Books Mac OS X Mac OS X Server Mac Security sites

More Visitors Than Ever

The past 3 days have netted between 15,000 and 20,000 unique visitors per day, with each day seeing a bit more traffic than the previous. Given that most of my readers are at work (according to the stats at least), I’m guessing that will slow down as usual come Saturday. But that’s still 2 of the 3 top days ever for krypted.com, so thanks for caring and I hope you’re enjoying the articles! Bandwidth overages for krypted.com are one of those things I find myself always happy to pay! :)