In the corporate world most organizations have a pretty clear definition of what devices are allowed to communicate directly to their Exchange servers. Usually this is limited entirely to devices that the company provides. From a support perspective this makes life easy, but is clearly unpopular. In Church IT, as in Small Business, this is very unlikely to be the case. Most mobile devices are owned by individuals, even if they are required to do one’s job.
Solerant has recommended for years that its customers limit mobile devices to those that can access over ActiveSync or use Blackberry devices with a Blackberry Enterprise Server so that users can have full syncing capability. While some organizations chose to use Blackberry or other devices without a BES, those devices were capable of obtaining their mail through OWA. We intentionally avoided enabling/opening POP3 due to negative experiences with supporting POP3 as well as the security uncertainty it brings. While we did enable and open IMAP in organizations with Mac users, we did not often use this for mobile devices.
This policy of support was received well by the majority of our customers because, in general, most people had no desire to carry a device around with their email on it. When the original iPhone launched we had a sudden increase in users that wanted to be connected. As organizations requested it we set up IMAP w/SSL and alternative SMTP submit ports for them to use with their new gadgets. While this created some severe support headaches for a while from users that expected full wireless sync comparable to the Blackberry or Treo they just tossed aside, it waned pretty much immediately as users really only needed to send/receive email to be happy.
With the upcoming release of the iPhone Firmware 2.0 as well as the iPhone 3G, full ActiveSync is being brought to the table. Many organizations may be faced with implementing ActiveSync for the first time to support their users, while many others may have to prepare for a sudden onslaught of requests to switch to iPhones instead of their aging Windows Mobile, Palm, or Blackberry devices. This may be significantly compounded by the more affordable pricing of the 3G iPhone.
How will this affect your individual churches? I have some examples below and I would love to hear some feedback from others on this topic.
- User/executive demand to implement Microsoft Exchange or an alternative that supports ActiveSync in organizations that have otherwise not had it to date.
- Pressure to standardize on the iPhone 3G as a mobile device of choice.
- Increased mobile device support demands on IT Staff due to the influx of personal iPhones into the organization from people who would have never otherwise needed/wanted mobile email.
Thoughts?
Right out of the gates in the lab this week we had a significant issue trying to access data on our file server. I bound the Mac to AD using the Directory Utility and logged in as a user. When accessing shares on the AD Controller I was fine, but when hitting the file server I ran into some snags. While the AD controller could be mounted by the system name alone I found that to mount the file server share I had to use the Fully Qualified Domain Name. After mounting the share through the FQDN I was unable to write any data to the share and received an Access Denied error when I tried. This morning after updating to 10.5.3 on the test machine I was able to open the share and have been reading/writing data without any further issues. I still have to use the FQDN to hit the shares, but I have a feeling that may be a configuration issue with the DNS search prefixes not working. I’ll deal with that problem separately.
What Apple Says About It
In Apple’s release notes for 10.5.3 they have very little to say about the fix/issue. In fact, they sum it up with a single sentence: “Improves Active Directory binding and login.” If anyone has any further details on what has been fixed in 10.5.3 in relation to this please forward it over!
UPDATE – I was able to fix the FQDN issue by setting the machine to static IP. Apparently the Mac ignores the domain suffix search list if you are on DHCP, even if you manually enter one.
May was a heavy travel month for me which kept me away from the office and took away my will to blog for a bit so I wanted to give a bit of an update.
At the beginning of May we made the decision to move forward on building our Mac testing lab in order to build out our standards and best practices for Mac integration into the Church IT environment, particularly in working with Active Directory. To accomplish this we purchased a small stable of Mac Minis and several copies of OSX Server 10-user edition. Additionally, I made the decision to convert to running on a Mac full-time and purchased a MacBook Pro. (That will be the subject of a future blog; I’ll focus on the lab for now.)
What will we be testing?
Since our church client base can vary drastically in size we want to address configurations that will be applicable to all of them. The following scenarios will be built in the lab to document the strengths and weaknesses of each.
- Stand-alone configuration
  - Most Mac users operate this way already
- Native OSX Active Directory Binding
- Native OSX Binding with Apple Schema Extensions
- Active Directory/Open Directory Integration
- Third-Party integration solutions
Lab Configuration
The current lab configuration consists of 4 Mac Minis and a PowerEdge SC1420. Two of the Minis have been upgraded to 2GB RAM and are running OSX Server 10-User edition to act as our test server environment. The remaining Minis will be used to test client operations both in and out of the office. The SC1420 currently runs VMware Server on top of CentOS 5.1 x64 and hosts two virtual machines, the Lab DC and the Lab File Server. Additional virtual servers will be brought online as needed during the third-party tools portion of the lab.
Goals
The end result of this experience is to define solid best practices and a comprehensive solution for the integration of Macs into existing Windows IT infrastructure, specifically in the church environment.