OSX Server Help

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
Hi, I apologize if this question has been answered and I could not find it.
I would love it for somebody to even just point me into the right direction, give me a link or anything else of that sort.

I am a teacher and department head and I have a Mac Lab that has 24 iMacs and 1 MacPro (trash can) as a teacher computer (hopefully soon to be server). The iMacs and the MacPro have all been updated to latest Mojave iteration. The Mac Pro has OSX server installed.

Here is what I want to do:
Have the iMacs get a configuration from the MacPro at boot, come to a login screen. I would like to have users configured in the server, so that the students can login from any of the iMacs. I have a 4 TB external HD connected to the MacPro, with the intention of creating HD quotas for the users, so that they can save their work on to the MacPro server.
The computers are of course all networked and connected mostly to 1 switch and 3 to a different switch.
The school network they are connected to is running DHCP, so all computers get IP and so on from the school DHCP server (the rest of the school is on PCs).

I can't find any info online and can't figure it out if my life depended on it.
I am by no means a newbie, I have used Macs since 1995 and I am a certified Cisco instructor, but have absolutely no experience with the server.
Thank you,
Giovanni
 

hobowankenobi

macrumors 65816
Aug 27, 2015
1,038
298
on the land line mr. smith.
Sadly, Apple does not really provide simple tools these days to do what you want. Apple moved away from that model years ago. The video above is a good overview of Profile Manager, which is about the only tool left. While it is adequate for creating and pushing out profiles (think of them as managed global preferences), you still need to setup and configure Open Directory as a place to create, house, serve and maintain user accounts.

Apple's push is a full-featured service. While impressive, it is a long way from any sort of homebrew, build-your-own, low cost solution.

You said the rest of the school is on PCs. Is there already an Active Directory server running? If so, you can bind the Macs to AD, just like the PCs do, to cover the user accounts. Same for the Mac Server. That way the students use their existing account credentials. You don't have to create, maintain, serve, backup, troubleshoot any accounts.

Beyond controlling user accounts, what else do you want the server to accomplish? Again....Apple has moved away from a traditional server/client model. There are new options to replace the old model, but they are involved, and not really helpful for a small organization or school. Profile Manager is about all there is to configurations, settings, or preferences that Apple still gives us. Most bigger shops have moved to a third party MDM platform....like Jamf and FileWave.

I hear good things about Mosyle, but I have not used it. Looks to be all cloud-based at a reasonable cost.

Besides Server/Profile Manager, there are a handful of free/open-source tools to manage Macs, but you have to know where to dig.

Munki is a great tool to push out new installs, updates, profiles, etc, but is big and fairly complex to setup. Built for managing thousands of Macs (think Google or Disney), not a couple of dozen.

Profile Creator is a bit more simple (and free) stand-alone tool compared to Server/Profile Manager. In its simplest form, one could use this tool to create Profiles to manage Macs, and install them manually. No server required.

NoMAD lets you connect your Macs to AD servers without being bound. NoMAD Login automates local account creation using AD credentials....so a student walks up to a Mac who has never used it before, and uses their current AD credentials, to log in, and a local account is created on that Mac.

Though I don't know the current status, Cisco Meraki MDM used to be free for up to 100 devices. Outside of managing user accounts, it had some nice features nice reporting and other MDM features.


...Is there any chance the school has or might be moving towards a cross-platform MDM? If they picked something like FileWave that is cross platform....that would be a big win.
 
Last edited:

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
Thank you to both of you, sorry for disappearing, I am very busy with this and other stuff.
I will have a look at the video and, hobowankenobi, thank you so much for all those links and suggestions.

To answer your question, our school has 2.2k students and we have 7 PC labs (all @ 24 + teacher cpu, with library one being 30 cpus), plus we have the Mac Lab. While all the stuff is board supplied and driven, the Mac Lab is our pet project and we have been putting money in it to build it and update the iMacs as we go. The board does provide some support, however, they don't like coming here for that and they don't really know what they're doing, to the point that we have "massaged" the iMacs to not be board dependent and we work on them ourselves. Too many restrictions and too long wait time otherwise. To give you an idea, I just redid all the network setup, from running the wires to changing the toy switches they had installed to a cisco managed switch (which is however just running with no particular setup).
I think I need to delve into the Mac OS Server a bit more at this point, but I will look into them allowing these iMacs to bind to their active directory. I tried to fiddle with it, but it is asking for the admin username and password, so I'll have to ask for that.
Thanks again.
 

hobowankenobi

macrumors 65816
Aug 27, 2015
1,038
298
on the land line mr. smith.
Understandable. The old guard did not want anything but Windows on the domain. But it is not the bad old days anymore...hopefully they get the memo.

You might suggest they give you a limited admin account so you can bind Macs.

If that is not possible, you can run your own LDAP/OD server on any Mac, or even another box, like Linux.

The day is coming that we will be able to use a cloud directory, either from Apple or Google.

Oh, and for a room full of Macs, for a part-time tech, ARD is worth the cost ($80) to manage simple tasks on a few rooms full of Macs. Covers most stuff beyond a network account. Less automated or sophisticated than MDM solutions....but you can get a lot done in days...not weeks. A short learning curve, good bang for the buck for the basics. If you are willing to dive into some scripting, it gets very powerful.
 
Last edited:

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
> Understandable. The old guard did not want anything but Windows on the domain. But it is not the bad old days anymore...hopefully they get the memo.
>
> You might suggest they give you a limited admin account so you can bind Macs.
>
> If that is not possible, you can run your own LDAP/OD server on any Mac, or even another box, like Linux.
>
> The day is coming that we will be able to use a cloud directory, either from Apple or Google.
>
> Oh, and for a room full of Macs, for a part-time tech, ARD is worth the cost ($80) to manage simple tasks on a few rooms full of Macs. Covers most stuff beyond a network account. Less automated or sophisticated than MDM solutions....but you can get a lot done in days...not weeks. A short learning curve, good bang for the buck for the basics. If you are willing to dive into some scripting, it gets very powerful.
Thank you again. I put some of your suggestions to use and I have got to the point where I was able to peruse the profile configuration, create a profile and push it to a computer (to be precise, I created a devices group and included the guinea pig iMac in that group, did all the work to register the device and so on). The iMac has come up and it does have the restrictions set to the profile. So, that is 1 down.

I am now trying -after creating one student user to learn the process- to be able to login to that iMac with the student username/password. But I am being unsuccessful. I will read up some more stuff tomorrow, but if anyone has an idea, I'm all ears.
Basically, the iMac does see the changes to the login window, it allows logging in with the locally registered accounts, but if I type the student username and password, it shakes and that is it.
I configured the login to accept network users, but I can't seem to get this part to work.
Thank you in advance.
 

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
> Did you use the Directory Utility on the iMac? How is it configured?
Hi, I ended up figuring out why I was having a problem. When I started, I had not created the group account as a local network account, but rather as a local account.

Once I re-did that, all worked out.

So, I am tweaking the setup now, but I am fine with the group and all that.
It is actually pretty easy and straight forward if you know where the crap is and so on.
It is mesmerizing to see that there isn't a tutorial for it out there, like a step-by-step type of thing.
- - Post merged: - -

Next problem to resolve: if I want to limit access to applications, I am only given the option of allowing stuff to run. This is a huge problem because I need to use Xcode with my class and if I enable apps restrictions, there is a bunch of little apps/services that need to run in order for Xcode to run, which won't be allowed to start, hence not making it possible for Xcode to actually come on.
I believe that the server once gave the option to configure what should not run, as opposed to what was allowed to run.
I'll keep searching...
 

hobowankenobi

macrumors 65816
Aug 27, 2015
1,038
298
on the land line mr. smith.
Don't have a quick answer for you. Generally....I have not limited any apps from running for years, for the reason you state: tons of helper apps and services that run in the background.

I have put a few third-party apps in a folder (in the Utilities folder) and locked that folder down via permissions so that students could not open the folder...they could not even see what was in it.
 
Last edited:
  • Like
Reactions: giocar64

Flint Ironstag

macrumors 65816
Dec 1, 2013
1,072
577
Houston, TX USA
I'm late, but search for "magic triangle" and "golden triangle". The essence of it is this:

- configure OD on your mac server
- bind the mac server to AD for authentication
- bind the mac clients to the mac server for management via your preferred mac friendly tool

The basic functionality of binding and authentication has been pretty solid in my experience, as long as your AD schema doesn't have elaborate extensions.

If you have budget and staff (sounds like those are limited), there's always JAMF.
 
  • Like
Reactions: hobowankenobi

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
> I'm late, but search for "magic triangle" and "golden triangle". The essence of it is this:
>
> - configure OD on your mac server
> - bind the mac server to AD for authentication
> - bind the mac clients to the mac server for management via your preferred mac friendly tool
>
> The basic functionality of binding and authentication has been pretty solid in my experience, as long as your AD schema doesn't have elaborate extensions.
>
> If you have budget and staff (sounds like those are limited), there's always JAMF.
Thank you for the suggestion, very appreciated.
I've actually run into another problem in the meantime, there is a problem with the certificates and thus a problem for the clients to come up with the network configuration setup at the server.
I'm starting to get discouraged and frustrated.

And sorry for the likely stupid question (I'm tired and I've been in that lab all afternoon), but OD is Open Directory and AD Active Directory?

I will do those searches and thank you again.
 
  • Like
Reactions: Flint Ironstag

Flint Ironstag

macrumors 65816
Dec 1, 2013
1,072
577
Houston, TX USA
> Thank you for the suggestion, very appreciated.
> I've actually run into another problem in the meantime, there is a problem with the certificates and thus a problem for the clients to come up with the network configuration setup at the server.
> I'm starting to get discouraged and frustrated.
Kerberos tickets? 1st thing to check is that the time on all machines is within 5 minutes of the OD server.

Magic triangle at its most basic has been very robust for me integrating up to ~5k MacBooks and a few dozen Xserves into AD. But yes, it can be fiddly if you have to troubleshoot. You'll probably need to get familiar with the Kerberos ticket inspection tool that used to be in system/library/core services.

Good Luck! Probably some good threads on the old afp548.com forum.
 
  • Like
Reactions: flygbuss
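The five-minute rule Flint Ironstag gives is the default Kerberos clock-skew tolerance (300 seconds): a client whose clock drifts further than that from the KDC cannot get tickets, and the login window just shakes. The script below is an added example, not code from the thread: it compares each client's clock with the server's and flags the ones Kerberos would reject. The hostnames and epoch timestamps are constructed; on a real lab you would gather each value with something like `date +%s` run locally and over `ssh` on the server.

```shell
#!/bin/sh
# Added example (not from the thread): flag lab Macs whose clock is outside the
# Kerberos skew tolerance relative to the directory server. All times are epoch
# seconds, e.g. from `date +%s` (locally) and `ssh admin@server date +%s`.

KRB_MAX_SKEW=300   # Kerberos default clockskew: 5 minutes

# abs_diff A B -> prints |A - B|
abs_diff() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# skew_ok SERVER_EPOCH CLIENT_EPOCH -> exit 0 when within tolerance, 1 otherwise
skew_ok() {
    [ "$(abs_diff "$1" "$2")" -le "$KRB_MAX_SKEW" ]
}

# report SERVER_EPOCH CLIENT_EPOCH NAME -> prints one OK/FAIL line per client
report() {
    d=$(abs_diff "$1" "$2")
    if skew_ok "$1" "$2"; then
        echo "OK   $3 skew=${d}s"
    else
        echo "FAIL $3 skew=${d}s (over ${KRB_MAX_SKEW}s; Kerberos logins will fail, fix NTP)"
    fi
}

# Constructed sample: the OD server's clock and three client clocks.
SERVER_TIME=1548000000
report "$SERVER_TIME" 1548000012 imac-01   # 12s off: fine
report "$SERVER_TIME" 1547999700 imac-02   # exactly 300s behind: still within tolerance
report "$SERVER_TIME" 1548000420 imac-03   # 7 minutes ahead: rejected
```

Pointing every machine at the same NTP source (the school's or the server's) removes the problem at the root; the script only tells you which machines to look at first.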

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
> Kerberos tickets? 1st thing to check is that the time on all machines is within 5 minutes of the OD server.
>
> Magic triangle at its most basic has been very robust for me integrating up to ~5k MacBooks and a few dozen Xserves into AD. But yes, it can be fiddly if you have to troubleshoot. You'll probably need to get familiar with the Kerberos ticket inspection tool that used to be in system/library/core services.
>
> Good Luck! Probably some good threads on the old afp548.com forum.
Thank you again, I am home, so I haven't been able to do anything after Friday. As far as binding to AD, I would have to ask IT to come in and "let me in". I'd rather avoid that for a number of reasons.
But if it is necessary, then, I guess we'll do.

I was able at one point to have my iMac guinea pig respond to the changes made through users/users groups/devices/devices groups accounts.
But when I tried other iMacs, they would see the server but not allow login from a network user account (they just would not show the login screen with the changes implemented in the device group setup), or they would not join the server, whether I supplied the server's IP or name.

I'll start again tomorrow.
 

chrfr

macrumors G3
Jul 11, 2009
8,492
2,689
> Thank you again, I am home, so I haven't been able to do anything after Friday. As far as binding to AD, I would have to ask IT to come in and "let me in". I'd rather avoid that for a number of reasons.
> But if it is necessary, then, I guess we'll do.
>
> I was able at one point to have my iMac guinea pig respond to the changes made through users/users groups/devices/devices groups accounts.
> But when I tried other iMacs, they would see the server but not allow login from a network user account (they just would not show the login screen with the changes implemented in the device group setup), or they would not join the server, whether I supplied the server's IP or name.
>
> I'll start again tomorrow.
As someone who once ran a full Open Directory environment and labs that authenticated through it, I would strongly recommend you abandon Open Directory altogether and use the existing Active Directory environment. It’s more stable and much more reliable, and you don’t have to worry about Apple killing it off.
 

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
> As someone who once ran a full Open Directory environment and labs that authenticated through it, I would strongly recommend you abandon Open Directory altogether and use the existing Active Directory environment. It’s more stable and much more reliable, and you don’t have to worry about Apple killing it off.
Thank you for the suggestion, if I go that route, I have a couple of questions:
1) What is needed to do that? Does IT have to set that up for each and every iMac, or whatever else needs to be done?
2) Would Active directory setup screen, permissions and all that for the iMacs?

Thank you and sorry for the many questions.
 

chrfr

macrumors G3
Jul 11, 2009
8,492
2,689
> Thank you for the suggestion, if I go that route, I have a couple of questions:
> 1) What is needed to do that? Does IT have to set that up for each and every iMac, or whatever else needs to be done?
> 2) Would Active directory setup screen, permissions and all that for the iMacs?
>
> Thank you and sorry for the many questions.
To answer question #1: Yes, each client station needs to connect to Active Directory. That can be accomplished in several ways.
I'm not sure I understand question 2, but Active Directory does not configure the Macs. It just provides user access to the computer; any configuration you want to do to the computer needs to be done with a separate tool. Post 3 in this thread provides a good overview.
 

hobowankenobi

macrumors 65816
Aug 27, 2015
1,038
298
on the land line mr. smith.
My experience is that once you bind the iMac to AD, everybody (with an AD account) logs in. You, as the local Mac admin for the room, can bind the machines to AD, so you should not need IT to do anything, other than give your account the ability to bind the client machines.

Or, if they preferred, they could give you a second, separate account to bind with.

If they will not allow you to bind clients (with your existing account or a second one)....then yes, they would have to come bind each iMac. Should take a couple minutes per Mac.

Third option would be to set up the magic triangle, and then you/they would only have to bind one machine: The OD server.

If possible, I would shoot for binding the iMacs to AD. Less for you to do, maintain, troubleshoot.
 

giocar64

macrumors newbie
Original poster
Jan 16, 2019
13
4
Hamilton, Ontario
I'm back...
So, while I was waiting for IT to come in and do the binding of the MacPro, I managed to get this running without doing that.
I don't know if this is going to be a problem, but it seems to be running reliably so far. I edited the Open Directory panel in the login settings in the iMacs and created a service (I forget if that is the correct name at the moment) using the Mac Pro IP address and it all seems to work. I am able to login different users at different iMacs and all configuration profiles created are working.

Now, of course this would be great (at least until one of you guys tells me otherwise, or until I start having problems), but all the users' directories are stored in the Macintosh HD on my Mac Pro "trash can" which has a puny HD and I can't seem to find a way to move them elsewhere. I have an external drive attached to it, however, I have no idea how to do that.

Any feedback is always much appreciated and -once again- thank you for all the support.
 

jayducharme

macrumors 68040
Jun 22, 2006
3,417
2,974
The thick of it
Just my 2¢:

I've been running a suite of Mac labs at our college for nearly two decades. We ran 2008 Mac Pros most of the time. I used a second internal drive as a "projects" drive that the students could write to. The system drive was locked with Deep Freeze. Each semester I would create a master image on a computer, then push it to the computers (usually with Deploy Studio) and lock them down. I never had a problem.

Then our IT decided they had to use Active Directory. I've been jumping through hoops ever since. Pushing preferences to each student account is complicated, but doable in my experience. With Catalina, all bets are off; the Server app doesn't even work.

If you want them, I have detailed instructions on pushing preferences (about four pages) with Active Directory enabled on Mojave.
 
  • Like
Reactions: Flint Ironstag

satcomer

macrumors 603
Feb 19, 2008
6,430
980
The Finger Lakes Region
I found in my work that once the radio station owner decided to Windows 10 Server we should all use this Active Server accounts! A couple of years later and all machines went to Linux (To save Cost) Server and we started using that (and a new Smart NAS! He actually has all the Satellites connections, the master radio server! The on Air mini Linux Machines serve both stations!

The best solution is dump Microsoft (cost for subscriptions) and learn Linux Server because of shrinking budgets will kill (along with many past server functions) and many smaller businesses are using Linux for simple long term costs! Microsoft subscription server is killing their once dominance!
 
Last edited:

Flint Ironstag

macrumors 65816
Dec 1, 2013
1,072
577
Houston, TX USA
> If you want them, I have detailed instructions on pushing preferences (about four pages) with Active Directory enabled on Mojave.
Jayducharme, I wouldn't mind seeing how you tackled this on Mojave.
> The best solution is dump Microsoft (cost for subscriptions) and learn Linux Server because of shrinking budgets will kill (along with many past server functions) and many smaller businesses are using Linux for simple long term costs! Microsoft subscription server is killing their once dominance!
Another alternative is to keep MacOS, and use the free replacements for the stuff Apple removed from server. They have been robust in my experience, usually free or nominal cost, and have a nice GUI for those who don't want to learn Linux.
 

chrfr

macrumors G3
Jul 11, 2009
8,492
2,689
It's really time to stop trying to use master images or disabling SIP to manage Macs. The infrastructure to manage and configure Macs should have nothing to do with the directory system your environment uses. It's really essential to have a functional MDM in place now, and that system will allow you to configure users, your directory, and all the settings you'd need to configure. Profile Manager will do some of this but it's really not something that should be used as a large scale production tool.
 

hobowankenobi

macrumors 65816
Aug 27, 2015
1,038
298
on the land line mr. smith.
> It's really time to stop trying to use master images or disabling SIP to manage Macs. The infrastructure to manage and configure Macs should have nothing to do with the directory system your environment uses. It's really essential to have a functional MDM in place now, and that system will allow you to configure users, your directory, and all the settings you'd need to configure. Profile Manager will do some of this but it's really not something that should be used as a large scale production tool.

Agreed overall.

But based on the OP's description, this is not a large scale production environment; it is a single classroom...so Profile Manager and other low cost/free tools seem to be worth considering.

Less than ideal, yes. But with little to no budget, and it sounds like little to no support from the enterprise folks, it sounds like he needs to roll his own.
- - Post merged: - -

> I found in my work that once the radio station owner decided to Windows 10 Server we should all use this Active Server accounts! A couple of years later and all machines went to Linux (To save Cost) Server and we started using that (and a new Smart NAS! He actually has all the Satellites connections, the master radio server! The on Air mini Linux Machines serve both stations!
>
> The best solution is dump Microsoft (cost for subscriptions) and learn Linux Server because of shrinking budgets will kill (along with many past server functions) and many smaller businesses are using Linux for simple long term costs! Microsoft subscription server is killing their once dominance!

If the entire org's tech budget is at stake for strategic planning, I would agree.

But in OP's case, it sounds like the school/district is committed to MS/AD...so little chance of that changing. If AD is there and already paid for, I think it makes sense to utilize it, at least for the single sign-on/account management aspect.

Learning Linux server is a steep learning curve for a teacher that is trying to do a bit of part-time tech to manage one classroom as well, no?
- - Post merged: - -

> Here you go.
Nice write up, especially for setting specialized defaults via the Default User Template.

Been doing the same for years. Sadly, Apple is removing the ability to do this...without really supplying an elegant replacement.

WARNING TO ALL: Modifying the User Template is more tricky in 10.14, and is likely even worse (harder....perhaps impossible) with 10.15. Netboot/Netinstall seems to be going away too. DeployStudio is essentially dead as Apple has blocked a path forward.

As others have stated, Mac Admins should be moving away from imaging Macs, and towards an MDM to push out profiles and software/updates, etc.
 
Last edited:
  • Like
Reactions: Flint Ironstag