How to create groups and assign users in Lion Server

Takeaway: The basic steps of creating groups in Mac Lion Server and assigning users based on the groups.

Once user accounts are created in Mac OS X Lion Server, administration is simplified by assigning users to groups. Using groups, permissions and rights can be granted to entire collections of users, such as by department, instead of to individual user accounts.

How to create a group

Mac administrators can create groups by following these steps:

1. Open the Server app.
2. Click Groups.
3. Click the + icon. The New Group window will appear.
4. Provide the group name in the Full Name field.
5. Enter the Account Name.
6. Click the Done button.

Once groups are created, they appear within the Groups window. Groups can be deleted by highlighting the respective group and clicking the - icon.

How to assign a user to a group

With a group or groups created, Mac administrators can follow these steps to assign users to a group:

1. Open the Server app.
2. Click Groups.
3. Double-click a group.
4. Click the + icon.
5. Enter the user name you wish to add to the group.
6. Click the + icon to add additional users.
7. Repeat the process until all appropriate users have been added to the group.
8. Click the Done button.

Another method of adding users to a group is to enter the group selections from the user account. Mac administrators can add individual users to groups by following these steps:

1. Open the Server app.
2. Click Users.
3. Double-click the user account for which group permissions are to be assigned.
4. Click the + icon.
5. Within the Groups window enter the name of the group to which you wish to assign the user.
6. Click the + icon and enter another group name if multiple group selections are required, repeating until done.
7. Click the Done button.

Make a group a member of another group

When necessary, groups can be made members of other groups. For example, maybe separate permissions need to be provided to select executive members of an HR group. To assign a group to another group:

1. Open the Server app.
2. Click Groups.
3. Double-click the group you wish to assign permissions for another group.
4. Click the + icon.
5. Enter the name of the group to which you wish to provide the current group membership.
6. Click the + icon and repeat the process if additional group memberships apply.
7. Click the Done button.

How to create users in Mac OS X Lion Server

 Takeaway: Steps to create user accounts in Mac Lion Server, using both the Server app and Workgroup Manager.

You won’t find the Active Directory Users and Groups console in Mac OS X Lion Server. Instead, Mac administrators typically use the simplified Server app to create and administer user accounts on Lion servers.

For the purposes of this tutorial, I will review creating local user accounts. On Lion systems, local accounts enable a user to log in to the local system to access files, shares, services and other resources present on that system; local accounts cannot be used to log in to another computer upon which the same local user account isn’t already present. However, Lion users can log in to other systems using those systems’ local accounts and leverage local accounts configured on the server to access that server’s resources.

Create user accounts using the new Server app

Within Lion’s Server app, highlight Users in the left-hand console, then click the + icon within the Users window. The New User window will appear. Enter the user’s full name (usually the user’s complete first and last names using proper capitalization and spacing), account name (an abbreviated name), email address and password (which must be entered twice). Check the Allow user to administer this server box only if you wish for the new user account to possess administration privileges, otherwise leave it unchecked.

Because the Account Name is difficult to change, review it carefully before creating the user account. The Account Name is a shortened name that is usually composed of letters, numbers and/or an underscore, hyphen and/or period. Note that, in Mac OS X Lion, users can authenticate or log in using the values supplied either in the Full Name or Account Name fields within the New User window.

Lion administrators can access a user’s additional settings by right-clicking the new user account and selecting Advanced Options. The user account’s User ID, group memberships, Account Name, aliases and login shell and home directory appear. Settings can be modified but errors can prevent users from even logging in, so be sure to administer edits carefully.

Create new user accounts using Workgroup Manager

Lion administrators can also create new users using Workgroup Manager. To do so, open Launchpad, select the Server folder and choose Workgroup Manager. Enter the host name and administrator username and password within the resulting Workgroup Manager Connect window, then click Connect.

Next, click OK to close the directory node message. Then click the Accounts icon, followed by the New User toolbar icon. Click OK to acknowledge that users may not receive services access if service access control lists are in use, in which case services must later be individually configured for users.

Proceed by entering the new user information, leaving other default settings per Apple’s recommendations. Ensure you don’t provide the new user with administrator privileges unless you intend to do so, then click Save.

Note that, when creating new users within Workgroup Manager, new user accounts aren’t automatically added to the Workgroup group. User accounts created using the Server app, however, are automatically added to the Workgroup group.

Securing Mac OS X Lion using Firewall and FileVault 2

Securing Mac OS X Lion using Firewall and FileVault 2

Takeaway: Mac Lion has the features to protect even the most sensitive systems but users should be aware of unintended side effects of both Firewall and FireVault before enabling either.

Apple Mac Lion FileVault

I’d like to show you how to protect your Lion-installed Mac even further via Lion’s Firewall and FileVault software, and explain when it is best to institute these features.

Your users love to feel secure and often times enable features, not knowing what side effects may come of their actions. While their intentions are coming from a good place, doing so can leave a user permanently removed from their files and prevent them from accessing important data on the web. It’s good practice to share these concepts with your users and it will help to prevent future headaches for you, the beloved IT professional.

Lion’s Firewall

Firewalls help prevent unwanted traffic from flowing in and out or your computer systems. The more services you have blocked, the more difficult it is for someone or something to compromise your computer from the outside world. In the workplace, I rarely, if ever, find it necessary to enable the software-based Firewall that Apple ships with its OS. A properly managed network should handle these duties by filtering data at the router level rather than the individual machine. Enabling the Firewall can sometimes have unintended consequences, however, ranging from file-sharing issues, iChat communications not working as expected, not being able to see other machines on the network, and even unexpected disconnects from the Internet are sometimes but not always the result of the Firewall being enabled.

So when is it a good time to use the software-based Firewall? Mobile workers with laptops who frequently attach to remote networks  are the prime candidates. Any machine that can come and go on a managed network is a liability. Portables have a much greater potential to be compromised when away from the mothership and connecting to other public or private networks than they do within the confines of a well-maintained internal network.

FileVault

FileVault is a completely different beast from the Firewall and it’s important to truly appreciate what it is and what it does. Not taking the time to fully understand FileVault before enabling its use can cause a Mac to become unresponsive, prevent users from being able to log into their accounts, even permanently damage and/or lose users’ data. So with that being said, I’ll lay the ground work here for you to consider it’s usefulness, but be sure to further research FileVault fore the particular needs of your environment.

In Lion, Apple has made some significant changes in FileVault 2. Most notably, Apple has changed the policy from encrypting individual users folders to now encrypting the whole drive, removing the standard OS X login and replacing with the EFI login, which is a lower level way of accessing your hardware when logging in, and granting FileVault access rights to a machine on a per user basis. All of this adds up to a faster, more secure way to protect a user’s data using FileVault.

Unlike the Firewall, which has modest repercussions if you enable it, implementing FileVault requires more caution. As discussed before, just enabling FileVault can prevent a user from ever being able to access his data again. Here are a couple of simple questions to determine if FileVault is necessary for users in your organization.

• Is the data on your Mac so sensitive that it must be protected at any cost?
• Is the Mac that you’re considering for FireVault used often for mobile workers?

If your answer is no to either of these questions it’s safe to say that you and FileVault needn’t ever cross paths.

If you answered yes to question one, FileVault should be considered to prevent any from being compromised, especially if there is risk associated with insider threats or physical security in the office is not at the highest level.

Finally, if you answered yes to question two, this is one of the rare times I would consider enabling FileVault even if the answer to question one is no. I say this because it is much more likely for laptops to be compromised, either through loss or theft. In either case, FileVault encryption is there to prevent someone from scouring the data on your machine, and it also makes it very difficult to use and reinstall the OS.

10 things you should know about Mac OS X Lion

10 things you should know about Mac OS X Lion

Mac OS X Lion

Takeaway: Mac OS X Lion has hit the streets, which includes some outstanding enhancements. Here’s a quick rundown of what’s changed and what’s improved.

Apple’s new Mac OS X Lion operating system is much more than just an upgrade to the popular Mac OS X Snow Lion OS. The new server and client operating system boasts hundreds of refinements and improvements. Here are 10 key things to know about Mac OS X Lion.

1: System requirements

Following release, Mac OS X Lion is included on new Macs. The $29.99 ($49.99 for server) Mac OS X Lion upgrade runs on a wide variety of older Macs, too. To run Lion, one of the following processors is required: an Intel Core 2 Duo, Core i3, Core i5, Core i7, or Xeon. A Mac being upgraded to Lion must also have Snow Leopard patched to Software Update version 10.6.8.

2: Mac App Store

The Mac App Store is included by default within Mac OS X Lion. Apple’s iPhone and iPad have changed the way users research, purchase, download, install, and maintain applications. Now, the integration of the application store directly within the OS marks a paradigm shift that will only grow in importance as IT departments are increasingly removed from the application purchase and deployment process.

3: Mail improvements

Mac OS X Lion introduces a new widescreen two-column email display. Messages are positioned to the left (with the addition of a new compact preview), and a message’s contents are displayed in a right-hand pane. A new toolbar that mimics a browser’s makes it easier to directly access mail folders while reducing onscreen clutter. And for the first time, Mac Mail features Conversations, which helps collect numerous messages within the same thread using a chronological listing that hides redundant text to make messages easier to process.

4: Electronic distribution

Organizations will find Lion an easier OS to install when upgrading older OSes. Because Lion is distributed through the Mac App Store, users can download it on all authorized Mac computers. There’s no need to travel to a retail store for a CD or wait for installation media to arrive via snail mail. Users can leverage their existing iTunes accounts to acquire, purchase, and install the OS.

5: New Server App

The new Mac OS X Lion Server App simplifies server administration and makes it easier even for nontechnical users to deploy and maintain an Apple server-powered network. The Server App includes a Setup Assistant that helps in configuring a server and an easy-to-use interface for administering everything from users and groups to file sharing and VPN connectivity. The Server App also provides enhanced server performance monitoring features and email alerts when errors or issues arise.

6: Integrated Xsan technology

Xsan, Apple’s cluster file system technology that lets systems share specially configured storage volumes to power high availability, is now integrated within Mac OS X Lion. Because the Xsan Admin application is also included, Xsan administrators can configure Xsan operation from within Lion. With support for a variety of Fibre Channel RAID storage arrays, Lion’s Xsan integration enables even midsize and large organizations to leverage Lion servers to power demanding storage area networks.

7: Mission Control

The iPad’s full-screen app operation is introduced to Macs with Lion. In past Mac OS X releases, Dashboard, Expose, and Spaces provided different ways users could configure their Macs to operate and interact with applications. Lion goes a step further with the introduction of Mission Control, a new feature that consolidates applications, Dashboard, Expose, and Spaces within a single console that includes support for a dedicated three-finger swipe gesture. Viewing all active windows and apps and accessing specific windows has never been easier.

When Mission Control is activated, the Dashboard view appears at the screen’s top, followed by icons representing full-screen apps in the screen’s center, followed by Desktop and standard-size Windows displayed on the screen’s bottom. Adding new work areas is as easy as clicking the + icon that appears in the top-right corner of the Mission Control view.

8: Launchpad

With Mac OS X Lion, users no longer need to scour their hard drives seeking a specific application. Instead, the Launchpad feature, reached by swiping two fingers horizontally across the trackpad, calls a new display window that mimics the menu interface millions of users have become accustomed to on iPhones and iPads. Applications downloaded from the Mac App Store automatically appear within the Launchpad, making it even easier for users to track installed software.

9: AirDrop

AirDrop enables simple file sharing between Macs. Notably, no Wi-Fi network is required. When a user clicks the Finder’s AirDrop icon, Mac OS X Lion automatically locates other AirDrop users located within 30 feet or so (by creating an ad hoc Wi-Fi connection). A user can transfer a file to a colleague’s machine by dragging the file to that colleague’s system (which appears within Finder after clicking the AirDrop icon). Note that the recipient must approve the file transfer before the file is downloaded to his/her Downloads folder.

10: Versions

A new Versions feature makes it easier for Lion users to track historic changes to documents and other files. With Versions, users no longer have to review Time Machine backups to track changes made as part of a development or revision process. Archive snapshot information is now saved within a file itself, enabling users to revert to previous versions by reviewing a file’s own historic timeline from within the file itself. Version changes can be compared and files can be reverted to earlier drafts; yet when a copy is shared with another user, only the current copy is provided