Bushel Ships Same Day Support For El Capitan

For the second time this month, Apple has released a major new operating system. Today, OS X 10.11 El Capitan became available in the Mac App Store. We are pleased to announce that, even with the significant changes in the operating system, Bushel extends full compatibility to Macs running this latest release. That means that all of your managed Macs within Bushel can be upgraded to OS X 10.11 and new Macs can be enrolled as well. In other words, your users should take advantage of this free software update! Read More About Bushel’s Same Day Support for OS X El Capitan On The Bushel Blog

Promote an OS X Server 5 Open Directory Replica To An Open Directory Master

You’ve got Open Directory running and humming beautifully in OS X Server 5 (running on OS X Yosemite or OS X El Capitan). You show up to work and the hard drive has died on that perfectly configured Open Directory Master. Luckily, you have a replica and you have an archive of your Master. You can restore or you can promote your Replica to a Master. What to do? Well, I can’t tell you what you should do, but I can tell you that Apple has planned for this. Here, we’re going to look at promoting that Replica to a Master. Because after all, hard drives fail. Let’s look at what all this looks like.

Create An Open Directory Archive
In order to properly restore an Open Directory Master or promote a Replica to a Master, you’ll need the SSL keys. You should also just keep archives of your Open Directory environment around (albeit in a secure location) because you really never know. To create an Open Directory Archive, which has the keys in it as well as data needed to restore a Master, first open the Server app. From within the Server app, click on the Open Directory service.
Screen Shot 2015-09-24 at 10.28.01 PM
Towards the bottom of the screen, click on the cog wheel icon.
Screen Shot 2015-09-24 at 10.28.22 PM
At the menu, click Archive Open Directory Master…
Screen Shot 2015-09-24 at 10.28.49 PM
When prompted, provide the username and password to the Open Directory environment shown in the Server field and then click on the Connect button. At the Archive Open Directory Master screen, choose a location to create your archive. Also, provide a password for the archive. Click the Archive button when you’re ready to proceed. At the Confirm Settings screen, click Archive. The archive is then created. Keep this safe as it has all your base are belong to us in it. You have to do this proactively. Once the hard drive in that Open Directory Master craps out, you’ll need the Archive to put the pieces of Humpty Dumpty back together again.

Promote A Replica To A Master Provided you have a Replica and an Archive, promoting a Replica to a Master couldn’t be easier in OS X Server. To do so, open the Server app from the Replica and then use the cog wheel icon to bring up the menu.
Screen Shot 2015-09-24 at 10.29.40 PM
Here, click Promote Replica to Master.
Screen Shot 2015-09-24 at 10.29.19 PM
At the “Promote Open Directory replica to master” screen, provide an Open Directory username and password (e.g. diradmin with the appropriate password). Also, choose the archive you created previously. Then click Next. The Replica will become an archive. Once finished, remove any other replicas and repromote them.

Stop Open Directory
Another option is to stop Open Directory on the replicas until you can get your Master back up and running. To stop Open Directory, open the Server app and click on the Open Directory service. Click on the OFF button. You’ll then be prompted to verify that you really want to stop directory services on the server. Click OK (which should probably read a bit more ominous, like “OMG, OK”. The server is then stopped. To completely remove Open Directory from the old server, run the slapconfig command, followed by -destroyldapserver:

slapconfig -destroyldapserver

Also, don’t forget to go to the Master and remove any servers from there as well, once they’ve been fully demoted. View the logs using cat for any other weirdness:

cat /Library/Logs/slapconfig.log

Configure the Calendar Server In El Capitan Server

Configuring Calendar Server in OS X Server 5 (running on El Capitan or Yosemite) is a fairly simple and straight forward process. The Calendar Server is a CalDAV Server, leveraging HTTP and HTTPS, running on ports 8008 and 8443 respectively. To enable the Calendar service in OS X Server (Server 5), open the Server application and click on Calendar in the SERVICES section of the sidebar. Screen Shot 2015-09-10 at 8.46.34 AM Once open, click on Enable invitations by email to enable email notifications of invitations in the Calendar Server. Provide the email address and then click on the Next button. Screen Shot 2015-09-10 at 8.47.49 AM At the Configure Server Email Address screen, provide the type of incoming mail service in use, provide the address of the mail server and then the port number used, if not a standard port for HTTPS-based IMAP (or POP if you’d prefer), the user name and the valid password for the account. Then click on the Next button. Screen Shot 2015-09-10 at 8.48.19 AM At the outgoing mail server screen, provide the Outgoing Mail Server address, the port, whether or not SSL is in use (it should be if possible), the password protocol, the user name and the password. Then click on the Next button. Screen Shot 2015-09-10 at 8.48.58 AM At the Mail Account Summary screen, review the settings and if correct, click Finish. Back at the service configuration screen, click on the plus sign (“+”) and provide a type of location, an address, a delegate, a name for the location, whether or not invitations to the resource are accepted and then enter the account name for any accounts that can manage the location’s calendar (they will auto-complete, so there’s no need to remember users and groups exactly). Click Done to complete the setup. Use the Resource setting in type to configure a resource instead of a location. The two are the same, except the Type field. Screen Shot 2015-09-10 at 8.50.07 AM There are a number of settings that can also be configured. But those are exposed only at the command line. To configure them, open the command line and then review the list of Calendar service settings using the list option of the serveradmin command: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar There are a number of settings for the Calendar service, including the following: calendar:DefaultLogLevel = “info” calendar:EnableAPNS = yes calendar:EnableSSL = yes calendar:DirectoryAddressBook:params:queryUserRecords = yes calendar:DirectoryAddressBook:params:queryPeopleRecords = yes calendar:EnableSearchAddressBook = yes calendar:HTTPPort = 80 calendar:AccountingCategories:HTTP = no calendar:AccountingCategories:Implicit Errors = no calendar:AccountingCategories:iTIP = no calendar:AccountingCategories:migration = no calendar:AccountingCategories:AutoScheduling = no calendar:AccountingCategories:iSchedule = no calendar:AccountingCategories:iTIP-VFREEBUSY = no calendar:Authentication:Digest:Enabled = yes calendar:Authentication:Digest:AllowedOverWireUnencrypted = yes calendar:Authentication:Kerberos:Enabled = yes calendar:Authentication:Kerberos:AllowedOverWireUnencrypted = yes calendar:Authentication:Wiki:Enabled = yes calendar:Authentication:Basic:Enabled = yes calendar:Authentication:Basic:AllowedOverWireUnencrypted = no calendar:EnableCardDAV = no calendar:Scheduling:iMIP:Sending:UseSSL = yes calendar:Scheduling:iMIP:Sending:Server = “osxserver.krypted.com” calendar:Scheduling:iMIP:Sending:Address = “com.apple.calendarserver@osxserver.krypted.com” calendar:Scheduling:iMIP:Sending:Username = “com.apple.calendarserver” calendar:Scheduling:iMIP:Sending:Password = “79PreYsZSFfZZC6v” calendar:Scheduling:iMIP:Sending:Port = 587 calendar:Scheduling:iMIP:Enabled = yes calendar:Scheduling:iMIP:Receiving:UseSSL = yes calendar:Scheduling:iMIP:Receiving:Server = “osxserver.krypted.com” calendar:Scheduling:iMIP:Receiving:Type = “imap” calendar:Scheduling:iMIP:Receiving:Username = “com.apple.calendarserver” calendar:Scheduling:iMIP:Receiving:Password = “79PreYsZSFfZZC6v” calendar:Scheduling:iMIP:Receiving:Port = 993 calendar:SSLPrivateKey = “” calendar:LogLevels = _empty_dictionary calendar:DataRoot = “/Library/Server/Calendar and Contacts/Data” calendar:ServerRoot = “/Library/Server/Calendar and Contacts” calendar:SSLCertificate = “” calendar:EnableCalDAV = no calendar:Notifications:Services:APNS:Enabled = yes calendar:SSLPort = 443 calendar:RedirectHTTPToHTTPS = yes calendar:SSLAuthorityChain = “” calendar:ServerHostName = “osxserver.krypted.com” One of the more common settings to configure is the port number that CalDAV runs on. To configure HTTP: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:HTTPPort = 8008 For HTTPS: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin settings calendar:SSLPort = 8443 You can then start the service using the start option: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start calendar Or to stop it: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop calendar Or to get the status: sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin fullstatus calendar Full status indicates that the three services are running: calendar:readWriteSettingsVersion = 1
calendar:setStateVersion = 1
calendar:state = "RUNNING"
calendar:contactsState = "RUNNING"
calendar:calendarState = "RUNNING" Once the Calendar server is configured, use the Calendar application to communicate with the server. Open the Calendar application and click on the Calendar menu and select Add Account. From the Add Account screen, click on Add CalDAV Account radio button and click Continue. Screen Shot 2015-09-10 at 10.47.30 AM CalDAV from the Account Type menu and then enter the User Name and password configured on the server, and add the address of the server if you don’t have any service records pointing to the server. The User Name is usually the name provided in Server app, followed by @ and then the address of the server. Screen Shot 2015-09-10 at 10.50.48 AM Once the server is configured it appears in the list of accounts in the sidebar of the Calendar app. Create calendars in the account and then to share a calendar, right-click on the calendar and click on Share Calendar… Screen Shot 2015-09-10 at 10.58.02 AM At the Share Calendar screen, provide the name the calendar should appear as to others and anyone with whom you’d like to share your calendar with. Screen Shot 2015-09-10 at 10.59.05 AM Back at the Calendar Settings screen, use the settings to configure Availability and refresh rate of calendars, as seen above. Click on Server Settings to assign custom port numbers. Screen Shot 2015-09-10 at 11.00.46 AM Click on the Delegation tab to view any accounts you’ve been given access to. Screen Shot 2015-09-10 at 11.01.10 AM Use the Edit button to configure who has delegated access to calendars, as opposed to configuring subscriptions. Overall, the Calendar service in El Capitan Server is one of the easiest to configure. Most of the work goes into settings configured on client systems. This, as with Exchange, dedistributes administration, often making administration more complicated than with many other tools. But that’s a good thing; no one wants to access other peoples accounts, for calendars or mail for that matter, without those users knowing that it was done, as will happen when resetting passwords…

Upgrade the OS X Server App To OS X Server 5

OS X Server 5 is now available to be installed. To do so, first backup your server. Then, backup your server again, making sure you have a functional, bootable clone. Once you’re sure you have a solid backup of your server, open the App Store and search for Server. When you find the Server app, click on it. Screen Shot 2015-09-23 at 10.23.26 PM At the OS X Server screen, click on Install. Screen Shot 2015-09-23 at 10.25.51 PM The download will begin. Once complete, you’ll see a notice that the “Server app replacement detected.” Click OK. Then, open the Server app. Screen Shot 2015-09-23 at 10.54.24 PM When the Server app opens, you’ll be prompted to update the server. Click Continue. Screen Shot 2015-09-23 at 10.58.30 PM At the Licensing Agreement screen, click Agree. Screen Shot 2015-09-23 at 10.59.08 PM At the screen to confirm your administrative access, provide a name and password for an account with administrative access and then click on Allow. Screen Shot 2015-09-23 at 11.00.26 PM Services are then upgraded. Once complete, the Server app will open and should have settings consistent with the settings prior to the upgrade. Screen Shot 2015-09-23 at 11.01.04 PM

Manage File Services In OS X Server 5

File Services are perhaps the most important aspect of any server because file servers are often the first server an organization purchases. This has been changing over the past few years, with many a file being hosted by cloud solutions, such as Box, Dropbox, Google Drive, and of course, iCloud. But many still need a terrestrial server and for predominantly Apple environments, a Server app running on OS X El Capitan isn’t exactly a bad idea. There are a number of protocols built into OS X Server dedicated to serving files, including AFP, SMB and WebDAV. These services, combined comprise the File Sharing service in OS X Server running El Capitan or Yosemite. Note: I’ve got another article looking into FTP a little further but those are basically the services that I’ll stick to here. File servers have shares. In OS X Server, Server app 5 (for Yosemite and El Capitan), we refer to these as Share Points. The first step to setting up a file share is to create all of your users and groups (or at least the ones that will get permissions to the shares). This is done in Server app using the Users and Groups entries in the List Pane. Once users and groups are created, open the Server app and then click on the File Sharing service in the SERVICES list in the List Pane. Here, you will see a list of the shares on the server. Screen Shot 2015-09-07 at 10.22.02 PM If you’re just getting started, let’s go ahead and disable any built-in shares by clicking on the share and then clicking on the minus button (-) while the share is highlighted. When prompted to remove the share, click on the Remove button. Screen Shot 2015-09-07 at 10.23.01 PM As mentioned, shares can be shared out using different protocols. Next, we’re going to disable SMB for Public, simply as an example. To do so, double-click on Public and then uncheck the SMB protocol checkbox for the share. Screen Shot 2015-09-07 at 10.24.10 PM When you’ve disabled SMB for the last share, you’ve effectively disabled SMB. Click on the Done button to save the changes to the server. Editing shares is really that easy. Next, we’re going to create a new share for iPads to be able to put their work, above and beyond the WebDAV instance automatically used by the Wiki service. To create the share, first we’re going to create a directory for the share to live in on the computer, in this case in the /Shared Items/iPads directory. Screen Shot 2015-09-07 at 10.37.40 PM Then from the File Sharing pane in Server app, click on the plus sign (“+”). Screen Shot 2015-09-07 at 10.38.28 PM At the browse dialog, browse to the location of your iPad directory and then click on the Choose button. Screen Shot 2015-09-07 at 10.40.16 PM At the File Sharing pane, double-click on the new iPads share. Note that there’s a new checkbox here called “Allow only encrypt connections”. If you check this, you cannot use AFP and WebDAV. Screen Shot 2015-09-07 at 10.40.38 PM At the screen for the iPads share, feel free to edit the name of the share (how it appears to users) as it by default uses the name of the directory for the name of the share. Then, it’s time to configure who has access to what on the share. Here, use the plus sign (“+”) in the Access section of the pane to add groups that should be able to have permission to access the share. Also, change the groups in the list that should have access by double-clicking on the name of the group and providing a new group name or clicking on the plus sign to add a user or group. Screen Shot 2015-09-07 at 10.41.27 PM The permissions available in this screen for users that are added are Read & Write, Read Only/Read and Write. POSIX permissions (the bottom three entries) also have the option for No Access, but ACLs (the top entries comprise an Access Control List) don’t need such an option as if there is no ACE (Access Control Entry) for the object then No Access is assumed. If more granular permissions are required then click on the name of the server in the Server app (the top item in the List Pane) and click on the Storage tab. Here, browse to the directory and click on Edit Permissions. Screen Shot 2015-09-07 at 10.42.14 PM As can be seen, there are a number of other options that more granularly allow you to control permissions to files and directories in this view. If you make a share a home folder, you can use that share to store a home folder for a user account provided the server uses Open Directory. Once a share has been made an option for home folders it appears in both Workgroup Manager and the Server app as an available Home Folder location for users in that directory service. Once you have created all the appropriate shares, deleted all the shares you no longer need and configured the appropriate permissions for the share, click on the ON button to start the File Sharing service. Screen Shot 2015-09-07 at 10.42.41 PM To connect to a share, use the Connect to Server dialog, available by clicking Connect to Server in the Go menu. A change that happened back in Mavericks is that when you enter an address, the client connects over SMB by default (which is even better now that those connections can be encrypted). If you’d like to connect via AFP ‘cause you’re all old school, enter afp:// in front of the address and then click Connect. The File Sharing service can also be controlled from the command line. Mac OS X Server provides the sharing command. You can create, delete and augment information for share points using sharing. To create a share point for AFP you can use the following command: sharing -a <path> -A <share name> So let’s say you have a directory at /Shares/Public and you want to create a share point called PUBLIC. You can use the following command: sharing -a /Shares/Public -A PUBLIC Now, the -a here will create the share for AFP but what if you want to create a share for other protocols? Well, -F does FTP and -S does SMB. Once created you can disable the share using the following command: sharing -r PUBLIC To then get a listing of shares you can use the following command: sharing -l You can also use the serveradmin command to manage file shares as well as the sharing service. To see settings for file shares, use the serveradmin command along with the settings option and then define the sharing service: sudo serveradmin settings sharing Sharing settings include the following: sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeStandard\:GeneratedUID = “54428C28-793F-4F5B-B070-31630FE045AD” sharing:sharePointList:_array_id:/Shared Items/iPads:smbName = “iPads” sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVName = “iPads” sharing:sharePointList:_array_id:/Shared Items/iPads:smbDirectoryMask = “0755” sharing:sharePointList:_array_id:/Shared Items/iPads:afpName = “iPads” sharing:sharePointList:_array_id:/Shared Items/iPads:smbCreateMask = “0644” sharing:sharePointList:_array_id:/Shared Items/iPads:nfsExportRecord = _empty_array sharing:sharePointList:_array_id:/Shared Items/iPads:path = “/Shared Items/iPads” sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseStrictLocking = yes sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shared Items/iPads:name = “iPads” sharing:sharePointList:_array_id:/Shared Items/iPads:smbInheritPermissions = yes sharing:sharePointList:_array_id:/Shared Items/iPads:ftpName = “iPads” sharing:sharePointList:_array_id:/Shared Items/iPads:serverDocsIsShared = yes sharing:sharePointList:_array_id:/Shared Items/iPads:smbIsShared = yes sharing:sharePointList:_array_id:/Shared Items/iPads:afpIsShared = yes sharing:sharePointList:_array_id:/Shared Items/iPads:smbUseOplocks = yes sharing:sharePointList:_array_id:/Shared Items/iPads:webDAVIsShared = yes sharing:sharePointList:_array_id:/Shared Items/iPads:dsAttrTypeNative\:sharepoint_group_id = “3A1C9DAD-806C-4917-A39F-9317B6F85CCD” sharing:sharePointList:_array_id:/Shared Items/iPads:mountedOnPath = “/” sharing:sharePointList:_array_id:/Shared Items/iPads:isIndexingEnabled = yes sharing:sharePointList:_array_id:/Shares/Public:ftpIsShared = yes sharing:sharePointList:_array_id:/Shares/Public:smbName = “Public-1” sharing:sharePointList:_array_id:/Shares/Public:nfsExportRecord = _empty_array sharing:sharePointList:_array_id:/Shares/Public:afpIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shares/Public:isIndexingEnabled = no sharing:sharePointList:_array_id:/Shares/Public:dsAttrTypeStandard\:GeneratedUID = “80197252-1BC6-4391-AB00-C00EE64FD4F2” sharing:sharePointList:_array_id:/Shares/Public:path = “/Shares/Public” sharing:sharePointList:_array_id:/Shares/Public:smbIsShared = yes sharing:sharePointList:_array_id:/Shares/Public:afpUseParentOwner = no sharing:sharePointList:_array_id:/Shares/Public:afpName = “Public-1” sharing:sharePointList:_array_id:/Shares/Public:smbIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shares/Public:ftpIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Shares/Public:afpUseParentPrivs = no sharing:sharePointList:_array_id:/Shares/Public:afpIsShared = yes sharing:sharePointList:_array_id:/Shares/Public:name = “Public-1” sharing:sharePointList:_array_id:/Shares/Public:ftpName = “Public-1” sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeStandard\:GeneratedUID = “0D6AF0D1-BA70-4DD4-9256-AC1B51A2761F” sharing:sharePointList:_array_id:/Users/krypted/Public:smbName = “Public” sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Users/krypted/Public:webDAVName = “Public” sharing:sharePointList:_array_id:/Users/krypted/Public:smbDirectoryMask = “0755” sharing:sharePointList:_array_id:/Users/krypted/Public:afpName = “Public” sharing:sharePointList:_array_id:/Users/krypted/Public:smbCreateMask = “0644” sharing:sharePointList:_array_id:/Users/krypted/Public:nfsExportRecord = _empty_array sharing:sharePointList:_array_id:/Users/krypted/Public:path = “/Users/krypted/Public” sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseStrictLocking = yes sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsGuestAccessEnabled = no sharing:sharePointList:_array_id:/Users/krypted/Public:name = “Public” sharing:sharePointList:_array_id:/Users/krypted/Public:smbInheritPermissions = yes sharing:sharePointList:_array_id:/Users/krypted/Public:ftpName = “Public” sharing:sharePointList:_array_id:/Users/krypted/Public:serverDocsIsShared = yes sharing:sharePointList:_array_id:/Users/krypted/Public:smbIsShared = no sharing:sharePointList:_array_id:/Users/krypted/Public:afpIsShared = yes sharing:sharePointList:_array_id:/Users/krypted/Public:smbUseOplocks = yes sharing:sharePointList:_array_id:/Users/krypted/Public:dsAttrTypeNative\:sharepoint_group_id = “FF1970EF-0789-49C7-80B5-E9FCABDDBB49” sharing:sharePointList:_array_id:/Users/krypted/Public:isIndexingEnabled = yes sharing:sharePointList:_array_id:/Users/krypted/Public:mountedOnPath = “/” To see settings for the services use the serveradmin command with the settings option followed by the services: afp and smb: sudo serveradmin settings afp AFP settings include: afp:maxConnections = -1 afp:kerberosPrincipal = “afpserver/LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4@LKDC:SHA1.66D68615726DE922C1D1760BD2DD45B37E73ADD4” afp:fullServerMode = yes afp:allowSendMessage = yes afp:maxGuests = -1 afp:activityLog = yes

Xsan Command Line Options

Let’s start out with what’s actually available in the Server Admin CLI: serveradmin. The serveradmin command, followed by settings, followed by san shows a few pieces of information: bash-3.2# serveradmin settings san
san:computers = _empty_array
san:primaryController = "95C99FB1-80F2-5016-B9C3-BE3916E6E5DC"
san:ownerEmail = "krypted@me.com"
san:sanName = "krypted"
san:desiredSearchPolicy:_array_index:0 = ""
san:serialNumbers = _empty_array
san:dsType = 0
san:ownerName = "Charles Edge"
san:managePrivateNetwork = yes
san:metadataNetwork = "10.0.0.0/24"
san:numberOfFibreChannelPorts = 2
san:role = "CONTROLLER" Here, we see the metadata network, the GUID of the primary (active) MDC, the name of the SAN, an array of serial numbers (if applicable – in a purely Mountain Lion/Mavericks SAN they aren’t), the owner info plugged in earlier and the metadata network interface being used. Next, we’ll take a peak at the fsm process for each volume: bash-3.2# ps aux | grep fsm
root 7030 0.7 0.7 2694708 62468 ?? Ss 10:18AM 0:03.08 /System/Library/Filesystems/acfs.fs/Contents/bin/fsm BettyWhite mdm.pretendco.lan 0
root 6834 0.1 0.0 2478548 2940 ?? S 10:10AM 0:01.37 fsmpm -- -- /var/run/fsmpm-sync.6800 1800 Next, we can look at the version rev, which shows that the Server Revision is the same as in Mavericks, but the build number has incremented by 19 commits: bash-3.2# cvversions File System Server: Server Revision 5 Branch Head Created on Tue Sep 13 09:59:14 PDT 2015 Built in /SourceCache/XsanFS/XsanFS-527/buildinfo Host OS Version: Darwin 14.0.0 Darwin Kernel Version 14.0.0: Sat Sep 24 01:15:10 PDT 2015; root:xnu-2738.0.0.0.5~1/RELEASE_X86_64 x86_64 Next, we’ll check out the contents of /Library/Preferences/Xsan. First the volume configuration file: bash-3.2# cat BettyWhite.cfg
# Globals
AllocationStrategy Round
FileLocks Yes
BufferCacheSize 32M
Debug 0x0
CaseInsensitive Yes
EnableSpotlight Yes
EnforceACLs Yes
SpotlightSearchLevel ReadWrite
FsBlockSize 16K
GlobalSuperUser Yes
InodeCacheSize 8K
InodeExpandMin 0
InodeExpandInc 0
InodeExpandMax 0
InodeDeleteMax 0
InodeStripeWidth 0
JournalSize 16M
MaxConnections 139
MaxLogSize 10M
MaxLogs 4
NamedStreams Yes
Quotas Yes
QuotaHistoryDays 7
ThreadPoolSize 256
UnixIdFabricationOnWindows Yes
UnixNobodyUidOnWindows -2
UnixNobodyGidOnWindows -2
WindowsSecurity Yes
# Disk Types
[DiskType LUN2Type]
Sectors 488355807
SectorSize 512
# Disks
[Disk LUN2]
Type LUN2Type
Status UP
# Stripe Groups
[StripeGroup All]
Status Up
StripeBreadth 16
Metadata Yes
Journal Yes
Exclusive No
Read Enabled
Write Enabled
Rtmb 0
Rtios 0
RtmbReserve 0
RtiosReserve 0
RtTokenTimeout 0
MultiPathMethod Rotate
Node LUN2 0
Affinity All The above is not the XML I was thinking we’d see, but the same format and variables previously available. The configuration for the SAN itself is XML though: bash-3.2# cat config.plist


 

computers

desiredSearchPolicy



dsType
0
managePrivateNetwork metadataNetwork
10.0.0.0/24
ownerEmail
krypted@me.com
ownerName
Charles Edge
primaryController
95C99FB1-80F2-5016-B9C3-BE3916E6E5DC
role
CONTROLLER
sanName
krypted
serialNumbers


 The automount file is a plist as well: bash-3.2# cat automount.plist


 

BettyWhite

AutoMount
rw
MountOptions

atimedelay
no
dircachesize
10485760
threads
12



 The aux-data is also a plist: bash-3.2# cat BettyWhite-auxdata.plist


 

Config

ClientDelayAccessTimeUpdates
0
ClientDirCacheSize
10485760
ClientThreadCount
12
StoragePoolIdealLUNCount
4
StoragePoolStripeBreadth
16

FailoverPriorities


controllerUUID
95C99FB1-80F2-5016-B9C3-BE3916E6E5DC
enabled
1



  Next, cvadmin remains basically unchanged, with the addition of restartd/startd/stopd (managing the fem and the removal of : Xsanadmin (BettyWhite) > help
Command summary:
activate, debug, dirquotas, disks, down, fail, filelocks, fsmlist, help, latency-test, multipath, paths, proxy, qos, quit, quotas, quotacheck, quotareset, ras, repfl, repquota, repof, resetrpl, rollrj, select, show, start, stat, stop, up, who, ? activate [ | ] Activate a File System . This command may cause an FSM to activate. If the FSM is already active, no action is taken. debug [ [+/-] ] Get or Set (with ) the FSS Debug Flags. Enter debug with no value to get current setting and bit meanings. Value should be a valid number. Use 0x to indicate hexadecimal. If the ‘+’ or ‘-’ argument is used, only specified flags will be modified. ‘+’ will set and ‘-’ will disable the given flags. dirquotas <create|mark|destroy> The ‘create’ command turns the given directory into the root of a Directory Quota namespace. The command will not return until the current size value of the directory is tallied up. The ‘mark’ command also turns the given directory into the root of a Directory Quota namespace, but the current size value is left uninitialized.  The command ‘quotacheck’ should be run later to initialize it. The ‘destroy’ command destroys the namespace associated with the given directory.  The directory’s contents are left unchanged. disks [refresh] Display the acfs Disk volumes visible to this machine. If the optional “refresh” is used, the volumes will. be re-scanned by the fsmpm. disks [refresh] fsm Display the acfs meta-data Disk volumes in use by the fsm. If the optional “refresh” is used, additional paths to these volumes may be added by the fsm. down Bring down stripe group . fail [ | ] Failover a File System . This command may cause a stand by FSM to activate. If the FSM is already active, the FSM will shut down. A stand-by FSM will take over or the FSM will be re-launched if it is stand-alone. fsmlist [] [on ] Display the state of FSM processes, running or not. Optionally specify a single to display. Optionally specify the host name or IP address of the system to list the FSM process(es) on. help (?)  This message. latency-test [ | all] [] Run an I/O latency test between the FSM process and one client or all clients.  The default test duration is 2 seconds. multipath < balance | cycle | rotate | static | sticky > Change the Multi Path method for stripe group to “balance”, “cycle”, “rotate”, “static”, or “sticky”. paths Display the acfs Disk volumes visible to this machine grouped according to the “controller” identity. proxy [ long ] proxy who Display Disk Proxy Servers, and optionally the disks they serve, for this filesystem The “who” option displays all proxy connections for the specified host. qos       Display per-stripe group QOS statistics. quit      Exit filelocks Query cluster-wide file/record lock enforcement. Enter filelocks with no value to get current setting. Currently Cluster flocks are automatically used on Unix. Windows file/record locks are optional. quotas Get the current state of the quota system quotas get <user|group|dir|dirfiles> Get quota parameters for user, group, or directory . quotas set <user|group|dir|dirfiles> Set current quota parameters for user, group, or directory . can be the name of a user or group or the path to a directory. For users and groups, it can also be an integer interpreted as a uid or gid.  Setting the hardlim, softlim, and timelim to 0 disables quota enforcement for that user, group, or directory. The values for hardlim and softlim are expressed in bytes when setting user, group, or dir values.  When setting dirfiles values, they are numbers of regular file inodes. The value for timelim is expressed in minutes. quotacheck Recalculate the amount of space consumed (the current size field of the quota record) by all users, groups, and directory namespaces in the file system. This command can be run on an active file system although file updates (writes, truncates, etc.) will be delayed until quotacheck has completed. quotareset Like quotacheck, but deletes the quota database before performing the check. All limits and directory namespaces will be lost. Use with extreme caution. ras enq “detail string” Generate an SNFS RAS event.  For internal use only. ras enq “detail string” Generate a generic RAS event.  For internal use only. repquota Generate quota reports for all users, groups, and directory namespaces in the file system. Three files are generated: 1. quota_report.txt – a “pretty” text file report. 2. quota_report.csv – a comma delimited report suitable for Excel spreadsheets. 3. quota_regen.in – a list of cvadmin commands that can be used to set up an identical quota database on another Xsan. repfl Generate a report of currently held locks on all connected acfs clients. repof Generate a report of currently open files on all connected acfs clients. resetrpl [clear] Repopulate Reverse Path Lookup (RPL) information. The optional “clear” argument causes existing RPL data to be cleared before starting repopulation. Note: “resetrpl” is only available when cvadmin is invoked with the -x option.  Running resetrpl may significantly delay FSM activation.  This command is not intended for general use.  Only run “resetrpl” when recommended by Technical Support. restartd [once] Stop and start the process. For internal use only. rollrj Force the FSM to start a new restore journal. This command is only used on a managed file system select [ | | none] Select the active File System . Typing “select none” will de-select the current FSS. If the FSM is inactive (standing by) it cannot be selected. Using this command with no argument shows all active FSSs. show [ ] [ long ] Show all stripe groups or a specific stripe group . Adding the modifier “long” shows more verbose information. start [on] [] Start the File System Service for . When running on an HA MDC, the local service is started and then an attempt is made to start the service on the peer MDC. Optionally specify the hostname or IP address to start the FSM on that MDC only. startd [once] Start the process. For internal use only. stat      Display the general status of the file system. stats [clear] Display read/write statistics for the file system. If clear, zero the stats after printing. stop [on] [] | Stop the File System Services for or . Stopping by name without specifying a hostname will stop all instances of the service, and will cancel any pending restart of the service on the local system. Stopping by name on a particular system will stop or cancel a restart of the service on that system.  Stopping by number only stops the service associated with the index. Indexes are displayed on the left side as “nn>” when. using the “select” command. stopd Stop the process. For internal use only. up Bring up stripe group . If there are no stripe groups that have exclusively numeric names, the stripe group index number shown in the “show” command may be used in place of . who [] [long] List clients attached to file system. In the short form, “who” returns the following information: - acfs I.D.       – Client License Identifier - Type            – Type of client connection FSM              – File System Manager (FSM) connection ADM              – Administrative (cvadmin) connection CLI              – File system client connection. May be followed by a CLI type character: S – Disk Proxy Server C – Disk Proxy Client H – Disk Proxy Hybrid Client - Location        – Client’s hostname or IP address - Up Time         – Total time client has been connected to FSM - License Expires – Date client’s license will expire In the long form, “who” returns network path, build, latency and reconnect information, if available. Administrative and FSM clients return a limited set of information. Xsanadmin (BettyWhite) > select List FSS File System Services (* indicates service is in control of FS): 1>*BettyWhite[0]        located on 10.0.0.1:57724 (pid 7030)

Manage the VPN Service in Mac OS X Server 5

OS X Server has long had a VPN service that can be run. The server is capable of running the two most commonly used VPN protocols: PPTP and L2TP. The L2TP protocol is always in use, but the server can run both concurrently. You should use L2TP when at all possible. Sure, “All the great themes have been used up and turned into theme parks.” But security is a theme that it never hurts to keep in the forefront of your mind. If you were thinking of exposing the other services in OS X Server to the Internet without having users connect to a VPN service then you should think again, because the VPN service is simple to setup and even simpler to manage. Setting Up The VPN Service In OS X Server To setup the VPN service, open the Server app and click on VPN in the Server app sidebar. The VPN Settings  screen has two options available in the “Configure VPN for” field, which has two options:
  • L2TP: Enables only the L2TP protocol
  • L2TP and PPTP: Enables both the L2TP protocol and the PPTP protocol
Screen Shot 2015-09-22 at 10.23.05 PM The VPN Host Name field is used by administrators leveraging profiles. The setting used becomes the address for the VPN service in the Everyone profile. L2TP requires a shared secret or an SSL certificate. In this example, we’ll configure a shared secret by providing a password in the Shared Secret field. Additionally, there are three fields, each with an Edit button that allows for configuration:
  • Client Addresses: The dynamic pool of addresses provided when clients connect to the VPNScreen Shot 2015-09-22 at 10.24.23 PM
  • DNS Settings: The name servers used once a VPN client has connected to the server. As well as the Search Domains configuration.Screen Shot 2015-09-22 at 10.25.11 PM
  • Routes: Select which interface (VPN or default interface of the client system) that a client connects to each IP address and subnet mask over. Screen Shot 2015-09-22 at 10.25.50 PM
  • Save Configuration Profile: Use this button to export configuration profiles to a file, which can then be distributed to client systems (OS X using the profiles command, iOS using Apple Configurator or both using Profile Manager).
Once configured, open incoming ports on the router/firewall. PPTP runs over port 1723. L2TP is a bit more complicated (with keys bigger than a baby’s arm), running over 1701, but also the IP-ESP protocol (IP Protocol 50). Both are configured automatically when using Apple AirPorts as gateway devices. Officially, the ports to forward are listed at http://support.apple.com/kb/TS1629. Using The Command Line I know, I’ve described ways to manage these services from the command line before. But, “tonight we have number twelve of one hundred things to do with your body when you’re all alone.” The serveradmin command can be used to manage the service as well as the Server app. The serveradmin command can start the service, using the default settings, with no further configuration being required: sudo serveradmin start vpn And to stop the service: sudo serveradmin stop vpn And to list the available options: sudo serveradmin settings vpn The output of which shows all of the VPN settings available via serveradmin (which is many more than what you see in the Server app: vpn:vpnHost = "elcapserver.krypted.lan"
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:_array_index:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.240"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.254"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains = _empty_array
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:_array_index:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:_array_index:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:_array_index:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = <>
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:0 = "192.168.210.224"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:_array_index:1 = "192.168.210.239"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes = _empty_array
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks = _empty_array
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "yaright" To disable L2TP, set vpn:Servers:com.apple.ppp.l2tp:enabled to no: sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:enabled = no To configure how long a client can be idle prior to being disconnected: sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 10 By default, each protocol has a maximum of 128 sessions, configureable using vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions: sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 200 To see the state of the service, the pid, the time the service was configured, the path to the log files, the number of clients and other information, use the fullstatus option: sudo serveradmin fullstatus vpn Which returns output similar to the following: vpn:servicePortsAreRestricted = "NO"
vpn:readWriteSettingsVersion = 1
vpn:servers:com.apple.ppp.pptp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.pptp:CurrentConnections = 0
vpn:servers:com.apple.ppp.pptp:enabled = yes
vpn:servers:com.apple.ppp.pptp:MPPEKeySize = "MPPEKeySize128"
vpn:servers:com.apple.ppp.pptp:Type = "PPP"
vpn:servers:com.apple.ppp.pptp:SubType = "PPTP"
vpn:servers:com.apple.ppp.pptp:AuthenticatorPlugins = "DSAuth"
vpn:servers:com.apple.ppp.l2tp:AuthenticationProtocol = "MSCHAP2"
vpn:servers:com.apple.ppp.l2tp:Type = "PPP"
vpn:servers:com.apple.ppp.l2tp:enabled = yes
vpn:servers:com.apple.ppp.l2tp:CurrentConnections = 0
vpn:servers:com.apple.ppp.l2tp:SubType = "L2TP"
vpn:servers:com.apple.ppp.l2tp:AuthenticatorPlugins = "DSAuth"
vpn:servicePortsRestrictionInfo = _empty_array
vpn:health = _empty_dictionary
vpn:logPaths:vpnLog = "/var/log/ppp/vpnd.log"
vpn:configured = yes
vpn:state = "STOPPED"
vpn:setStateVersion = 1 Security folk will be stoked to see that the shared secret is shown in the clear using: vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "a dirty thought in a nice clean mind" Configuring Users For VPN Access Each account that accesses the VPN server needs a valid account to do so. To configure existing users to use the service, click on Users in the Server app sidebar. Screen Shot 2015-09-22 at 10.28.10 PM At the list of users, click on a user and then click on the cog wheel icon, selecting Edit Access to Services. Screen Shot 2015-09-22 at 10.28.30 PM At the Service Access screen will be a list of services that could be hosted on the server; verify the checkbox for VPN is highlighted for the user. If not, click Manage Service Access, click Manage and then check the VPN box. Screen Shot 2015-09-22 at 10.29.07 PM Setting Up Client Computers As you can see, configuring the VPN service in OS X Server 5 (running on El Capitan and Yosemite) is a simple and straight-forward process – much easier than eating your cereal with a fork and doing your homework in the dark.. Configuring clients is as simple as importing the profile generated by the service. However, you can also configure clients manually. To do so in OS X, open the Network System Preference pane. From here, click on the plus sign (“+”) to add a new network service. Screen Shot 2015-09-22 at 10.30.27 PM At the prompt, select VPN in the Interface field and then either PPTP or L2TP over IPSec in the VPN Type. Then provide a name for the connection in the Service Name field and click on Create. Screen Shot 2015-09-22 at 10.31.01 PM At the list of network interfaces in the Network System Preference pane, provide the hostname or address of the server in the Server Address field and the username that will be connecting to the VPN service in the Account Name field. If using L2TP, click on Authentication Settings. Screen Shot 2015-09-22 at 10.31.35 PM At the prompt, provide the password entered into the Shared Secret field earlier in this article in the Machine Authentication Shared Secret field and the user’s password in the User Authentication Password field. When you’re done, click OK and then provided you’re outside the network and routeable to the server, click on Connect to test the connection. Conclusion Setting Up the VPN service in OS X Server 5 (for Yosemite or El Capitan) is as simple as clicking the ON button. But much more information about using a VPN can be required. The natd binary is still built into OS X at /usr/sbin/natd and can be managed in a number of ways. But it’s likely that the days of using an OS X Server as a gateway device are over, if they ever started. Sure “feeling screwed up at a screwed up time in a screwed up place does not necessarily make you screwed up” but using an OS X Server for NAT when it isn’t even supported any more probably does. So rather than try to use the server as both, use a 3rd party firewall like most everyone else and then use the server as a VPN appliance. Hopefully it can do much more than just that to help justify the cost. And if you’re using an Apple AirPort as a router (hopefully in a very small environment) then the whole process of setting this thing up should be super-simple.

Using the serverinfo Command in OS X Server 5

OS X Server 5 (for El Capitan and Yosemite)  comes with the /usr/sbin/serverinfo command (introduced in Mountain Lion Server). The serverinfo command is useful when programmatically obtaining information about the very basic state of an Apple Server. The first option indicates whether the Server app has been downloaded from the app store, which is the –software option: serverinfo --software When used, this option reports the following if the Server.app can be found:
This system has server software installed.
Or if the software cannot be found, the following is indicated:
This system does NOT have server software installed.
The –productname option determines the name of the software app: serverinfo --productname If you change the name of the app from Server then the server info command won’t work any longer, so the output should always be the following: Server The –shortversion command returns the version of the Server app being used: serverinfo --shortversion The output will not indicate a build number, but instead the version of the app on the computer the command is run on:
5.0.1
To see the build number (which should iterate with each update to the Server app from the Mac App Store, use the –buildversion option: serverinfo --buildversion The output shows the build of server, which doesn’t necessarily match the OS X build number:
15S2235
Just because the Server app has been downloaded doesn’t mean the Server setup assistant has been run. To see if it has, use the –configured option: serverinfo --configured The output indicates whether the system is running as a server or just has the app installed (e.g. if you’re using it to connect to another server:
This system has server software configured.
You can also output all of the information into a single, easy to script against property list using the –plist option: serverinfo --plist The output is a list of each of the other options used: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”> <plist version=”1.0″> <dict> <key>IsOSXServerVolume</key> <true/> <key>IsOSXServerVolumeConfigured</key> <true/> <key>IsServerHardware</key> <false/> <key>LocalizedServerProductName</key> <string>Server</string> <key>MinimumServerVersionAllowed</key> <string>5.0.1</string> <key>ServerBuildVersion</key> <string>15S2235</string> <key>ServerPerformanceModeEnabled</key> <false/> <key>ServerVersion</key> <string>5.0.1</string> </dict> </plist> The Server Root can reside in a number of places. To see the path (useful when scripting commands that are relative to the ServerRoot: serverinfo –prefix By default, the output is as follows, which is basically like a dirname of the ServerRoot:
/Applications/Server.app/Contents/ServerRoot
You can also see whether the system is running on actual hardware desgnated by Apple for servers using the –hardware option: serverinfo --hardware The output simply indicates if the hardware shipped with OS X Server on it from Apple:
This system is NOT running on server hardware.
The –perfmode option indicates whether or not the performance mode has been enabled, dedicating resources to binaries within the Server app: serverinfo --perfmode If the performance mode has not been enabled then the output will be as such:
Server performance mode is NOT enabled.
To enable performance mode, you can also use serverinfo. This is the only task that the command does that can make any changes to the system and as such is the only time you need to elevate privileges: sudo serverinfo —setperfmode 1 Or set the boolean value back to 0 to disable. sudo serverinfo —setperfmode 0

Casper 9.8 and Bushel Now Support El Capitan

JAMF Software has long had 0 day support for new Apple releases. The latest version of Bushel allows you to enroll El Capitan devices. Casper 9.8 also allows you to enroll devices. There are certainly going to be subsequent updates that allow us to do even more. This was a tricky one, as the jamf binary had to be moved and there were some new enrollment policies, to keep your Apple devices as secure as possible! Bushel is SaaS, so it’s available today. Casper should be updated. You can access our installers using your My Assets page on JAMF Nation. Happy updating!