Tiny Deathstars of Foulness

One of the great new features of Snow Leopard Server is the new Mobile Access feature, which is a reverse proxy server. When you enable the Mobile Access service, you enable access for all users of the server. However, in many environments, not all users will be allowed to access collaborative services remotely. You can therefore use the Access option to limit who is able to log into the server over each service, provided that you have configured the Mobile Access server to leverage your directory server. This Access option is similar to a Service Access Control List (SACL). However, rather than being configured in the SACL option for the server, these access controls are configured in the service.

To configure Access controls, open Server Admin and click on Mobile Access for your Mobile Access server. Here, click on the Access icon in the Server Admin toolbar. By default, the "Allow access to Address Book, iCal, Mail and Web proxies for everyone" option will be selected, meaning that all users with accounts on the server will be able to access all of the services proxied using Mobile Access. Click on "Allow access to the selected proxies for these users and groups" to limit which users will be able to authenticate to these services. At this point, no users will be able to access the services.

Next, click on the plus sign and drag in a user to whom you would like to grant access. Once you have dragged a user into the list, check the box for each of the services that the selected user will have access to. Drag each user into the list and check the appropriate boxes per user. Then click on Save to commit your changes and test that the authentication is allowed as intended.

November 30th, 2009

Posted In: Mac OS X Server, Mac Security

  • This is cool. I recently implemented Mobile Access server where I work and wrote a blog entry about my configurations. It was tough to get set up initially; however, it's way better than a VPN solution.

  • I’ll tend to make a group that goes into the SACL, for instance “iCal Access”. Then I can manage SACLs from Workgroup Manager, rather than Server Admin. Of course I also put the admin group in the SACL directly, so that a slipup doesn’t lock out an admin.