Lesson 22. Manage Network Services


Goals

• Describe how macOS accesses shared network services

• Configure built-in macOS network applications

• Browse and access network file services using the Finder

• Troubleshoot network shared service issues


Current operating systems provide a wide range of network and Internet service options, but all of them share the basic network architecture of client software, which accesses network services, and server software, which provides network services. macOS includes support for many popular network protocols, allowing you to connect and access a wide variety of shared network services.

This lesson first discusses the architecture of network services, in a general sense. Then you will be introduced to the key network service applications built into macOS. You will then learn how macOS can access popular file-sharing services. Finally, this lesson covers techniques for troubleshooting network services when problems arise.

Reference 22.1 About Network Services

From an architectural standpoint, shared network services are defined by client software (designed to access the service) and server software (designed to provide the service). The network service communication between the client and server software is facilitated by commonly known network protocols and standards.

By adhering to such standards, software developers can create unique yet compatible network client and server software. This allows you to choose the software tool that best fits your needs. For instance, you can use the built-in macOS Mail client created by Apple to access mail services provided by Apple, Google, Yahoo, or Microsoft.

About Network Services Software

Some client software takes the form of dedicated applications, as is the case with many Internet services, like email and web browsing. Other client software is integrated into the operating system—file and print services, for example. In either case, when you establish a network service connection, settings for that service are saved on the local computer to preference files. These client preferences often include resource locations and authentication information.

On the other side of this relationship is the server software, which is responsible for providing access to the shared resource. Properly setting up server software is usually a much more complicated affair. Server administrators may spend weeks designing, configuring, and administering the software that provides network services. Server-side settings include configuration options, protocol settings, and account information.

About Network Services Communication

Network clients and servers, often from different vendors, communicate using commonly known network protocols or network standards. A protocol becomes a standard once it is widely adopted and ratified by a standards body. Part of what defines a specific network protocol is which Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports it uses for communication.

A primary feature of both the TCP and UDP transport mechanisms is the ability to handle multiple simultaneous connections and service protocols. This is accomplished by assigning each communication service to a specific port number or port range. Both TCP and UDP connection ports are defined between 0 and 65,535.

For instance, the standard TCP port for web traffic is port 80. When troubleshooting a network service, you must know the port numbers or ranges for that service. Apple maintains a list of commonly used network services and their associated TCP or UDP ports at Apple Support article HT202944, “TCP and UDP ports used by Apple software products.”


Note

This guide assumes the default port numbers and port ranges for each network service. Network administrators may choose a different port than the default for testing, to “hide” a service, or to bypass router restrictions. A nondefault port does not conceal a service from anyone who scans the host; it only changes the port you must specify when you connect or troubleshoot.
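When a connection to a service fails, the most useful first fact is how the port answers: a reset means the host is reachable but nothing listens on that port (the service is stopped, or it has been moved to a nondefault port), while silence means a firewall or routing problem. The following Python is an added example, not code from the guide; it probes a TCP port and classifies the result, and its demo uses a throwaway listener on the loopback interface so it runs without a real server. The DEFAULT_PORTS table holds the guide's defaults plus a few well-known ones and is an illustrative subset of Apple's port list.

```python
import socket

# Added example (not from the guide): classify how a TCP service port answers so a
# troubleshooting session can tell "wrong port / service not running" from "blocked".
# Illustrative subset of default ports; check Apple's list (HT202944) for others.
DEFAULT_PORTS = {
    "http": 80, "https": 443, "smb": 445, "afp": 548,
    "vnc": 5900, "imaps": 993, "pop3s": 995, "submission": 587,
}


def check_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port.

    'closed'   - the host answered with a reset: reachable, but nothing listens there
                 (service stopped, or it runs on a nondefault port).
    'filtered' - no answer before the timeout, or no route: usually a firewall,
                 a routing problem, or the wrong address.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:          # must precede OSError: it is a subclass
        return "closed"
    except (socket.timeout, OSError):       # timeout, unreachable network, DNS failure
        return "filtered"
    finally:
        sock.close()


def check_service(host, service, timeout=2.0):
    """Look up the default port for a named service and probe it."""
    return check_tcp_port(host, DEFAULT_PORTS[service], timeout)


def loopback_listener():
    """Start a throwaway listener on 127.0.0.1 so the demo runs without a real server.

    Returns (socket, port); close the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))              # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = loopback_listener()
    print(port, check_tcp_port("127.0.0.1", port))    # open
    srv.close()
    print(port, check_tcp_port("127.0.0.1", port))    # closed: nothing listens any more
    print("https", check_service("www.apple.com", "https"))   # needs Internet access
```

A 'filtered' result against a host that otherwise answers (for example, it replies to ping or on another port) points at a firewall between you and the service, which is the case to raise with the network administrator rather than the service administrator.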


About Network Service Identification

At a minimum, accessing a network service requires knowledge of the service’s local network or Internet location. Some network services feature dynamic service discovery, which allows you to easily locate a network service by simply browsing a list of available services. In other cases, you must manually identify the service’s location with a specific network host address or name. Examples of both methods are detailed later in this lesson.

Finally, some network services are so popular that macOS includes built-in mechanisms for automatically locating the appropriate network service resources. Services in this last category are mainly configured via the Internet Accounts preferences, also covered later in this lesson.

Once you have located and connected to a network service, you often need to prove your identity to that service provider. This process is called authentication. Successful authentication to a network service is usually the last step in establishing a connection to that service. Once a connection is established, security technologies are normally in place to ensure that you’re allowed to access only certain resources. This process is called authorization. Both of these fundamental network service concepts, authentication and authorization, will be covered throughout this lesson and the next, Lesson 23, “Manage Host Sharing and Personal Firewall.”

About Dynamic Service Discovery

Requiring users to manually enter network addresses to access a network service isn’t very user friendly. What if you join a new network without knowing the exact names of all its available resources? Or what if the shared resource you need is hosted from another client computer that doesn’t have a DNS host name or the same IP address every time? To address these issues, macOS supports dynamic network service discovery protocols.

Dynamic network service discovery protocols allow you to browse local area and wide area network resources without knowing specific service addresses. In a nutshell, network devices providing services advertise the availability of their services on the network. As available network resources change, or as you move your client to different networks, the service discovery protocols dynamically update the list of available services.

macOS makes ample use of dynamic network service discovery throughout. For example, dynamic network service discovery allows you to browse for available network file shares with the Finder or to locate new network printers from the Printers & Scanners preferences. Other network applications built into macOS use service discovery to locate a variety of shared resources, including Messages, Image Capture, Photos, iTunes, Safari, and the macOS Server application. Third-party network applications also take advantage of dynamic network service discovery.

It is important to remember that the discovery protocol is used only to help you and the system locate available services. Once the discovery protocol provides your computer with a list of available services, its job is done. When you connect to a discovered service, the Mac establishes a connection to the service using the service’s protocol. For example, the Bonjour service discovery protocol can provide the Mac with a list of available screen-sharing systems, but when you select a Mac server from this list, the Mac establishes a screen-sharing connection to the server using the Virtual Network Computing (VNC) protocol.


Note

Mac OS X Snow Leopard 10.6 and later are no longer compatible with the AppleTalk network browsing or service connections.


Bonjour

Bonjour is the Apple implementation of Zero Configuration Networking, or Zeroconf, a collection of IETF standards that provide automatic local network configuration, naming, and service discovery. Bonjour discovers services with multicast DNS (mDNS, RFC 6762) and DNS Service Discovery (DNS-SD, RFC 6763): queries and answers are sent to the multicast group 224.0.0.251 (ff02::fb over IPv6) on UDP port 5353. Because any host on the link can answer an mDNS query, a discovered entry only tells you that something claims to offer a service; you still authenticate to the service itself when you connect.


More Info

You can find out more about Bonjour at www.apple.com/support/bonjour/.


Bonjour is the primary set of dynamic network service discovery protocols used by macOS native services and applications. Bonjour is preferred because it is based on TCP/IP standards, so it integrates well with other TCP/IP-based network services. macOS also includes support for Wide-Area Bonjour, allowing you to browse WAN resources as well as LAN resources.

Whereas local Bonjour requires no configuration, Wide-Area Bonjour requires that your Mac be configured to use a DNS server and search domain that supports the protocol. Configuring DNS is covered in Lesson 19, “Manage Basic Network Settings,” and Lesson 20, “Manage Advanced Network Settings.”


More Info

macOS also supports network identification via the Back to My Mac feature in iCloud. However, a Back to My Mac system can be located only by the iCloud user who set it up. In other words, it doesn’t help other users locate your system. You can find out more about Back to My Mac from Apple Support article HT204618, “Set up and use Back to My Mac.”


Server Message Block

Originally designed by Microsoft, Server Message Block (SMB) has become the most common network service for sharing files and printers. SMB itself runs on TCP port 445 (or TCP port 139 when carried over NetBIOS); its traditional discovery mechanism, NetBIOS over TCP/IP, uses UDP ports 137 (name service) and 138 (datagram service). Most current operating systems that support SMB sharing also support this form of dynamic discovery.

Despite the preferred status of SMB as the default file-sharing protocol in OS X Yosemite 10.10 and later, the network discovery portion of SMB is still not preferred over Bonjour. However, macOS does support browsing through the legacy NetBIOS and WINS protocols. Details on configuration of NetBIOS and WINS are covered in Lesson 20, “Manage Advanced Network Settings.”

About Network Host Addressing

At a minimum, all network hosts can be reached by their IP address. For most people, though, IP addresses are hard to remember, so other technologies have been created to give network hosts human-friendly network names.

Network host identification methods include:

• IP address(es)—The primary network identifier for your Mac, an IP address, can always be used to establish a network connection.

• DNS host name—Every Mac has a host name, set by one of two methods. Traditionally the name is a record maintained by the administrator of a DNS server, and the Mac learns it by performing a reverse DNS lookup on its primary IP address. Because creating and updating client DNS entries is administrative overhead, many clients have no such record; when the reverse lookup fails, the Mac uses its Bonjour name instead.

• Computer name—This name is used by other Apple systems to identify your Mac. The computer name is part of the Apple Bonjour implementation and is set in the Sharing preferences. The computer name is also used by AirDrop peer-to-peer file sharing.

• Bonjour name—As covered previously, Bonjour is the primary dynamic network discovery protocol in macOS; in addition, Bonjour provides a convenient naming system for use on a local network. The Bonjour name is usually derived from the computer name, but it conforms to DNS naming rules (for example, “John’s MacBook Pro” becomes Johns-MacBook-Pro) and ends with .local. This allows the Bonjour name to be resolved by more network devices than the computer name, which is generally recognized only by Apple systems. This name is also set in the Sharing preferences.

• NetBIOS/WINS name—This name is used by the legacy Windows dynamic network discovery protocols as part of the SMB service. This name is set in either the Sharing or Network preferences.


Reference 22.2 Configure Network Service Applications

Because of the widespread adoption of TCP/IP for nearly all LAN, WAN, and Internet communications, there really isn’t any difference between how you access a “standard network service” and an “Internet service.” With few exceptions, nearly all network services work the same way across a LAN as they do across the Internet. The primary difference between the two is the scope of service. Services like email and instant messaging can certainly work on a local level, but these services are also designed to communicate across separate networks and between servers. macOS includes a range of client applications designed to access different network services.


Tip

Although this guide focuses on the network client software built into macOS, many excellent third-party network clients are available for the Mac. In fact, when troubleshooting a network access problem, using an alternative network client is an excellent way to determine whether the issue is specific to your primary client software.


Use Safari Web Browser

macOS Sierra includes the updated Safari web browser. Safari is an efficient and robust browser that supports most websites. By far the most popular and ubiquitous network service, the Hypertext Transfer Protocol (HTTP) handles web communication using TCP port 80. Secure web communication, HTTPS, carries HTTP inside a Transport Layer Security (TLS) connection (TLS replaced the now-deprecated Secure Sockets Layer, SSL) and by default uses TCP port 443.

Generally, little additional network configuration is required to use web services. You only need to provide the web browser with the Uniform Resource Locator (URL) or web address of the resource to which you want to connect. Over HTTPS, Safari negotiates the strongest TLS version and cipher suite that both it and the server support. If you type an address without a scheme, however, Safari tries plain HTTP first and ends up on HTTPS only if the site redirects it there or has previously sent Safari an HTTP Strict Transport Security (HSTS) header, so type https:// explicitly for any service that handles credentials. The only case that requires extra configuration is web proxies, as described in Lesson 20, “Manage Advanced Network Settings.”


More Info

You can find out more about Safari from the Apple website at www.apple.com/safari.


About Internet Accounts Preferences

A feature clearly influenced by iOS, the Internet Accounts preferences provides a single unified interface for configuring network service accounts. Formerly known as Mail, Contacts & Calendars preferences, the Internet Accounts preferences is used to configure a variety of macOS applications and services. In other words, entering a single network service account in the Internet Accounts preferences configures all appropriate network service applications built into macOS.


Through the Internet Accounts preferences, macOS can be configured to use network service accounts for Apple iCloud, Microsoft Exchange, Google, Twitter, Facebook, LinkedIn, Yahoo, AOL, Vimeo, Flickr, and other common network service protocols, including those hosted from a system running macOS Server.


Note

macOS requires Microsoft Exchange Server 2007 Service Pack 1 Update Rollup 4 or later, with Exchange Web Services enabled. The Mail application also supports the various Microsoft-hosted Exchange services.



Note

The Internet Accounts preferences also includes support for services popular in non-English-speaking countries. These services appear automatically when the appropriate region is selected in the Language & Region preferences.


Each different service type includes varying levels of support for built-in macOS applications and services. For example, signing in with a Twitter account configures the system so that you can tweet from Notification Center or any supported application—whereas signing in to a service that provides multiple features, like Google or Yahoo, in turn configures multiple applications, including Mail, Notes, Calendar, Reminders, Contacts, and Messages. Apple iCloud includes support for even more features, including iCloud Drive, Photos, Safari, iCloud Keychain, Back to My Mac, Find My Mac, and FaceTime.

Configure Network Service Accounts

The best method for configuring network service accounts in macOS is the Internet Accounts preferences. Click a listed service provider to start the sign-in process. This reveals a sign-in dialog; each service provides its own authentication dialog.


Tip

If you don’t see the Internet Accounts list of services, simply click the small Add (+) button at the lower-right corner of the preferences pane.


If you are signing in to a service with multiple features, after you successfully authenticate, you will be allowed to enable any available options for the service. You can also return to the Internet Accounts preferences at any point to enable or disable a service feature. Additionally, from there you can verify or reenter account information by clicking the Details button.


If you need to configure an Internet service that’s not listed in the Internet Accounts preferences, or you need to configure a local service provided by your organization, click Add Other Account at the bottom of the services list. This reveals a dialog allowing you to manually configure services for Mail, Notes, Calendar, Reminders, Contacts, and Messages. In many cases, if you add a service this way you will likely have to define additional configuration information. This information should be provided to you by an administrator of the service.


If you choose “Server account,” the following dialog searches the local network for an OS X Server 10.7 or later system that provides compatible services.


You can select your server from the list or enter the host name of a server that’s not on your local network. Because macOS can automatically detect macOS Server services, you’ll only need to enter network account authentication to complete the setup.

macOS can also accept a configuration profile for automatic configuration of network service account settings. A network administrator provides a configuration profile containing all the settings needed to configure the macOS network applications for a specific network service account. These settings can be deployed by double-clicking a local copy of the configuration profile or by having the Mac managed by a mobile device management (MDM) solution. Because a profile can set the server addresses and account details these applications trust, install only profiles that come from your organization’s administrator, and prefer signed profiles, which the Profiles preferences shows as verified.


More Info

macOS Server can provide MDM services through Profile Manager. You can find out more about Profile Manager in macOS Server at www.apple.com/macos/server/.


Configure Mail

macOS includes the Mail application for handling email communications. Mail supports all standard email protocols and their encrypted counterparts, along with a variety of authentication standards. Mail also includes support for Exchange-based services.

With this many service options, properly configuring mail service settings can be quite daunting. Ideally, Mail is configured automatically via the Internet Accounts preferences or via a configuration profile. In fact, in the Mail application, selecting the menu option Mail > Accounts will redirect you to the Internet Accounts preferences.

Mail also includes its own account setup assistant that will walk you through the process of configuring mail account settings. This assistant starts automatically if no account has been set when Mail is opened, but you can start it at any time by selecting Mail > Add Account. The assistant first presents an interface similar to that found in the Internet Accounts preferences.


When you select one of these default mail account types, the assistant attempts to automatically determine the appropriate mail protocol, security, and authentication settings. This includes support for the Autodiscover service of Microsoft Exchange Server. Further, when you set up a mail account here, the system automatically attempts to configure Notes, Calendar, Reminders, and Contacts as well.

If you need to configure Mail for an account type not listed in the defaults, select the Other Mail Account option. After entering basic mail account information, the assistant attempts to automatically determine the appropriate mail settings. If your mail service uses a nonstandard configuration or is unreachable, you may have to manually enter the mail service settings here. This means you may need to work with the service administrator to obtain the appropriate configuration settings.


Note

If you need to further tweak mail service settings, you’ll find advanced options in the Mail Accounts preferences, accessed by selecting Mail > Preferences. When the Mail preferences window opens, click the Accounts button in the toolbar to view and manage all Mail accounts.


In summary, macOS Mail supports the following email services:

• Standard mailbox access protocols—The standard protocol used between mail clients and mail servers for receiving mail is either Post Office Protocol (POP) on TCP port 110 or Internet Message Access Protocol (IMAP) on TCP port 143. On those ports the session starts in plaintext and can be upgraded to TLS with the STARTTLS command; alternatively the whole connection is wrapped in TLS from the first byte, by default on TCP port 995 for POP and TCP port 993 for IMAP (the option Mail still labels “Use SSL”). iCloud defaults to IMAP over TLS.

• Standard mail-sending protocols—The standard protocol used for sending mail from clients to servers and from server to server is Simple Mail Transfer Protocol (SMTP) on TCP port 25. SMTP can likewise be protected with TLS on port 25, 465 (TLS from the first byte), or 587 (the message submission port, upgraded with STARTTLS). The port used for secure SMTP varies by mail server function and administrator preference; many ISPs block outbound port 25 from client networks, which is why submission on port 587 is the usual client choice. iCloud defaults to SMTP over TLS.

• Exchange-based mail service—Although popular, these services do not use the standard mail protocols for client communication. Instead, Mail communicates using Exchange Web Services (EWS), which runs over HTTP: TCP port 80 for unencrypted transport and TCP port 443 for HTTPS.
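The distinction the list above draws between a port that is TLS from the first byte and a port that starts in plaintext and upgrades with STARTTLS is what a mail client has to get right, because a STARTTLS session that silently continues in plaintext sends the password in the clear. The Python below is an added example, not code from the guide or from Apple's Mail; it maps the default ports listed above onto those two behaviours, builds a client TLS context that verifies the server certificate, and opens IMAP and SMTP sessions that refuse to log in unless the connection is encrypted. The port policy is an assumption for the defaults only; a server on a nonstandard port needs the administrator's answer, which is why plan_connection() raises rather than guessing. The open_* functions make real network connections and are not exercised offline.

```python
import imaplib
import smtplib
import ssl

# Added example (not from the guide): what Mail's "Use SSL" setting actually means on
# the wire, and a client that refuses to fall back to plaintext. Port numbers are the
# defaults listed in the guide; host names passed to the open_* functions are yours.
IMPLICIT_TLS = {"imap": 993, "pop": 995, "smtp": 465}   # TLS from the first byte
STARTTLS = {"imap": 143, "pop": 110, "smtp": 587}       # plaintext greeting, then upgrade


def plan_connection(protocol, port):
    """Return 'implicit' or 'starttls' for a protocol/port pair, or raise if none applies."""
    protocol = protocol.lower()
    if protocol not in IMPLICIT_TLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    if port == IMPLICIT_TLS[protocol]:
        return "implicit"
    if port == STARTTLS[protocol] or (protocol == "smtp" and port == 25):
        return "starttls"
    raise ValueError(f"no default TLS policy for {protocol} on port {port}; ask the administrator")


def make_context():
    """TLS client context: system trust roots, hostname check, certificate required, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def open_imap(host, port, ctx=None):
    """IMAP session that is encrypted before any credential is sent (network call)."""
    ctx = ctx or make_context()
    if plan_connection("imap", port) == "implicit":
        return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    conn = imaplib.IMAP4(host, port)
    if "STARTTLS" not in conn.capabilities:   # server misconfigured, or a downgrade attempt
        conn.logout()
        raise RuntimeError("server offers no STARTTLS; refusing to log in over plaintext")
    conn.starttls(ssl_context=ctx)
    return conn


def open_smtp(host, port, ctx=None):
    """Same policy for sending mail (network call)."""
    ctx = ctx or make_context()
    if plan_connection("smtp", port) == "implicit":
        return smtplib.SMTP_SSL(host, port, context=ctx)
    conn = smtplib.SMTP(host, port)
    conn.ehlo()
    if not conn.has_extn("starttls"):
        conn.quit()
        raise RuntimeError("server offers no STARTTLS; refusing to send over plaintext")
    conn.starttls(context=ctx)
    conn.ehlo()                                # extensions must be re-read after the upgrade
    return conn


if __name__ == "__main__":
    for proto, port in [("imap", 993), ("imap", 143), ("smtp", 587), ("smtp", 25)]:
        print(proto, port, plan_connection(proto, port))
```

The check for STARTTLS in the server's capabilities is the part that matters for security: an attacker who can tamper with the plaintext greeting can strip that capability, and a client that then proceeds to LOGIN has been downgraded without any certificate warning.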

Configure Notes

Notes in OS X El Capitan 10.11 or later goes well beyond simple text notes by allowing you to include nearly any media in a note, including photos, video, map coordinates, and freehand drawn scribbles. As a default, Notes will save to the local system, but you can also have all your notes available on multiple devices when the Notes application is configured with a compatible service account.

The ability for Notes to contain media beyond simple text also required a significant change to how notes are saved via a network service. Notes in macOS Sierra defaults to saving via iCloud. This change was necessary to support the rich media that the new Notes application allows.

The legacy network service method for Notes is still available but only supports simple text notes. This legacy method utilizes EWS (Exchange Web Services) or IMAP mail services as the mechanism for saving the notes. In this case, the Notes application creates a special Notes mailbox on your mail service and automatically manages this mailbox; thus, the Mail application ignores this mailbox. However, you may notice this mailbox when using older versions of Mail or third-party mail clients.


Tip

You can also share individual notes to others via alternative network services, like iMessage or Facebook, by clicking the Share button (up-pointing arrow inside a box) in the Notes toolbar.


Upgrade a Legacy Notes Account

Users with a Notes account who have upgraded from OS X Yosemite 10.10 or earlier are automatically prompted to upgrade to the new Notes sharing service.


Accepting this one-way upgrade moves your existing notes to iCloud, which enables all the features in Notes for OS X El Capitan 10.11 or later. The upgrade requires that the user be signed in to iCloud. It also means that your upgraded notes are compatible only with the Notes application on iOS 9 or later, so if you still use Notes on devices with earlier systems, you may not wish to upgrade immediately. If you wait, you can upgrade at any later time by clicking the Upgrade button at the top of the notes list.


Tip

Apple devices running previous systems, or any non-Apple devices, can also access upgraded notes from the iCloud website.



More Info

You can find out more about the Notes upgrade process from Apple Support article HT204987, “Upgrade your Notes app.”


Configure a New Notes Account

Ideally, Notes will have been configured automatically along with other services via the iCloud or Internet Accounts preferences. In fact, in the Notes application, selecting the menu option Notes > Accounts will redirect you to the Internet Accounts preferences. As an option, the Internet Accounts preferences allow you to configure Notes without also configuring iCloud or the Mail application. However, without access to an iCloud account, Notes will use the legacy network service method that requires use of an EWS or IMAP mail service from a network service provider.

Configure Calendar and Reminders

macOS includes a scheduling application, Calendar, previously known as iCal. Although Calendar can certainly work on its own for managing your calendar information on your local Mac, it also integrates with a variety of network calendar services based on the EWS or CalDAV protocols. CalDAV, or Calendaring Extensions to WebDAV, as its name states, extends WebDAV (Web Distributed Authoring and Versioning), which is itself an extension of HTTP.

Ideally, Calendar will already have been configured automatically along with Mail via the Internet Accounts preferences or a configuration profile. In fact, in the Calendar application, selecting the menu option Calendar > Accounts redirects you to the Internet Accounts preferences.

Calendar also includes its own account setup assistant, which will walk you through the process of configuring calendar account settings. This assistant doesn’t start automatically when the Calendar application is opened, but you can start it at any time by selecting Calendar > Add Account.


When you select one of these default calendar account types, the assistant attempts to automatically determine the appropriate calendar service security and authentication settings. This includes support for the Autodiscover service of Microsoft Exchange Server. Further, when you set up a calendar account here, the system automatically attempts to configure Mail, Notes, Reminders, and Contacts as well.

If you need to configure Calendar for an account type not listed in the defaults, select the option Other CalDAV Account. After you enter the user’s email address and account password, the assistant attempts to automatically determine the appropriate CalDAV settings. If your calendar service uses a nonstandard configuration or is unreachable, you may have to manually enter the CalDAV service settings here. This means you may need to work with the service administrator to obtain the appropriate configuration settings.


Note

If you need to further tweak calendar service settings, you’ll find advanced options in the Calendar Accounts preferences, accessed by selecting Calendar > Preferences. When the Calendar preferences window opens, select the Accounts button in the toolbar to view and manage all calendar service accounts.


Closely related to Calendar is the Reminders application, which allows you to maintain a personal to-do list. Reminders can keep to-do lists on the local system, but you can also have them available on multiple devices when the Reminders application is configured for access to calendar services. This is because Reminders uses EWS or CalDAV network calendar services as the mechanism for saving to-do items: it creates to-do (VTODO) calendar entries and manages them automatically, so the Calendar application ignores them. Many third-party calendar applications do display to-do entries, as did earlier versions of iCal in OS X.

Ideally, Reminders will have been configured automatically along with other services via the Internet Accounts preferences or via a configuration profile. In fact, in the Reminders application, selecting the menu option Reminders > Accounts redirects you to the Internet Accounts preferences. As an option, the Internet Accounts preferences allow you to configure Reminders without also configuring Calendar. However, the Reminders application still requires use of an EWS or CalDAV calendar service from a network service provider.

Also like the Calendar application, Reminders includes its own account setup assistant, which will walk you through the process of configuring reminders account settings. This assistant doesn’t start automatically when the Reminders application is opened, but you can start it at any time by selecting Reminders > Add Account. The assistant presents an interface similar to the Calendar setup assistant because, again, Reminders connects only to EWS or CalDAV services. As of this writing, Reminders doesn’t support Facebook or Google calendar services.


In summary, Calendar and Reminders support the following network calendar services:

• CalDAV collaborative calendaring—Calendar supports a network calendar standard known as CalDAV. This standard uses WebDAV as a transport mechanism, so it runs over HTTP or HTTPS, and adds the administrative processes required to facilitate calendar and scheduling collaboration. The macOS Server Calendar service is based on CalDAV and listens on TCP port 8008, or 8443 for encrypted communication; those ports are Apple’s choice rather than an assigned standard, and other CalDAV servers commonly use 80 and 443. Furthermore, CalDAV is an open standard (RFC 4791), so any vendor can create software that provides or connects to CalDAV services.

• Internet-based calendar services—Calendar and Reminders can use a variety of Internet-based calendar services, including iCloud, Yahoo, and Google calendar services. All three of these services are based on CalDAV and use the encrypted HTTPS protocol over TCP port 443.

• Exchange-based calendaring service—Calendar includes support for this popular calendar service. Again, the macOS Exchange integration relies on EWS, which uses TCP port 80 for unencrypted transport and TCP port 443 for HTTPS.

• Calendar web publishing and subscription—Calendar allows you to share your calendar information by publishing iCalendar files to WebDAV-enabled web servers. Because, as mentioned, WebDAV is an extension to the HTTP protocol, it runs over TCP port 80, or TCP port 443 if encrypted. You can also subscribe to iCalendar files, identified by the filename extension .ics, hosted on WebDAV servers. Configuration is fairly easy: accessing a shared calendar is identical to accessing a webpage. Simply provide the Calendar application with the URL of the iCalendar file, and prefer an https:// URL, because Calendar refetches the file periodically and a plain-HTTP feed can be altered in transit. Although calendar publishing enables you to easily share calendars one way over the web, it doesn’t provide a true collaborative calendaring environment.


More Info

Apple hosts dozens of compatible calendars at www.apple.com/downloads/macosx/calendars.


• Calendar email invitation—Calendar, again using iCalendar files, is integrated with Mail to automatically send and receive calendar invitations as email attachments. In this case the transport mechanism is whatever your primary mail account is configured to use. Although this method isn’t a calendaring standard, most popular mail and calendar clients can use this method.

Configure Contacts

macOS includes a contact management application, Contacts, previously known as Address Book. Like the other macOS network applications, Contacts can work on its own for managing nonshared contact information on your Mac, but it also integrates with a variety of network contact services based on EWS, CardDAV (vCard Extensions to WebDAV), or LDAP (Lightweight Directory Access Protocol).

Again, ideally Contacts is configured automatically via Internet Accounts preferences or a configuration profile. However, Contacts also features an easy-to-use setup assistant for configuring specific contact or directory network service accounts. You can start it at any time by selecting Contacts > Add Account. The assistant first presents an interface similar to that found in the Internet Accounts preferences.


When you select one of these default contacts account types, the assistant attempts to automatically determine the appropriate account settings. This includes support for the Autodiscover service of Microsoft Exchange Server. Further, when you set up a contacts account here, the system automatically attempts to configure Mail, Notes, Calendar, and Reminders as well.

If you need to configure Contacts for an account type not listed in the defaults, select the last option, Other Contacts Account. The only two other account types supported by the Contacts application are CardDAV and LDAP. Select the account type from the pop-up menu, and then provide the server and authentication information. You may need to work with the service administrator to obtain the appropriate configuration settings.

Image

Note

If you need to further tweak contact service settings, you’ll find advanced options in the Contacts Accounts preferences, accessed by selecting Contacts > Preferences. When the Contacts preferences window opens, click the Accounts button in the toolbar to view and manage all contact service accounts.


In summary, Contacts supports the following network contact services:

Image CardDAV contacts service—Contacts supports the network contacts standard known as CardDAV. As the name implies, CardDAV uses WebDAV as its transport. The macOS Server Contacts service is based on CardDAV and listens on TCP port 8800, or TCP port 8843 for encrypted communication. CardDAV is an open standard (RFC 6352), so any vendor can create software that provides or connects to CardDAV services.


Note

The Apple selection of TCP ports 8800 and 8843 for CardDAV is not based on any assigned standard. Many other CardDAV implementations use the standard HTTP and HTTPS ports instead: TCP port 80, or TCP port 443 for encrypted communication.


Image Internet-based contact services—Contacts can use a variety of Internet-based contact services, including iCloud, Google, Facebook, LinkedIn, and Yahoo contact services. All of these services are reached over the encrypted HTTPS protocol on TCP port 443; the iCloud, Google, and Yahoo contact services are standard CardDAV.

Image Exchange-based contact service—Contacts includes support for this popular contact sharing service. Again, the macOS Exchange integration relies on EWS, which uses TCP port 80 for standard transport and TCP port 443 for secure transport.

Image Directory service contacts—Contacts can search contact databases via LDAP, the standard for network directory services, which uses TCP port 389 for standard transport (optionally upgraded to an encrypted session with StartTLS) and TCP port 636 for LDAPS, the secure transport. A simple bind over port 389 without StartTLS sends the directory password in the clear, so prefer one of the encrypted options whenever the account must authenticate rather than search anonymously. Contacts can be configured for LDAP services either directly from its account setup assistant or via integration with the macOS systemwide directory service, as configured in the Users & Groups preferences.

Configure Messages

Instant messaging has grown well beyond text chatting with Messages, the application formerly known as iChat, included with macOS. Messages supports peer-to-peer file sharing, remote screen sharing, and high-resolution Messages Theater for sharing video from supported applications. Finally, Messages also includes support for the push-based messaging service iMessage, which allows you to communicate with iOS devices as well.


Note

Messages in macOS Sierra supports audio and video communications through FaceTime. Configuring FaceTime is detailed later in this lesson.


Again, ideally Messages will have been configured automatically when you signed in to iCloud or via a configuration profile. However, Messages also includes its own account setup assistant that will walk you through the process of configuring messaging account settings. This assistant starts automatically if no account has been set when Messages is opened, but you can start it at any time by selecting Messages > Add Account.

Image

You can enter any valid Apple ID to configure iMessage. After authentication, you may be prompted to choose additional iMessage identifiers that can be used to reach you, like other email addresses or mobile numbers. If you choose to skip configuration of iMessage, the Messages Setup Assistant then presents an interface similar to that found in the Internet Accounts preferences.

Image

When you select one of these default messaging account types, the assistant attempts to automatically determine the appropriate account settings. If you need to configure Messages for an account type not listed in the defaults, select the last option, Other Messages Account. The only other account type supported by Messages is a manually configured Jabber (XMPP) service, although the same pop-up menu also lets you configure the three default account types by hand.

Select the account type from the pop-up menu and then provide the server and authentication information. You may need to work with the service administrator to obtain the appropriate configuration settings.

Image

Note

If you need to further tweak message service settings, you’ll find advanced options in the Messages Accounts preferences, accessed by selecting Messages > Preferences. When the Messages preferences window opens, click the Accounts button in the toolbar to view and manage all message service accounts.


In summary, Messages supports the following categories of chat services:

Image Internet messaging services—Messages supports AOL Instant Messenger (AIM), Google Talk, and Yahoo chat accounts. Assuming you have already registered for an account through one of these service providers, configuring Messages simply entails entering your account name and password.

Image iMessage—The iMessage service is unique to Apple and can also be configured via Internet Accounts preferences or iCloud preferences. The iMessage protocol is carried by the Apple Push Notification service (APNs), which uses TCP port 5223 and, on Wi-Fi only, falls back to TCP port 443. APNs is highly efficient for devices that rely on battery power and may occasionally lose network connectivity. This makes the iMessage service ideal for messaging with mobile Mac computers and iOS devices. However, Messages is limited to a single iMessage account per computer user account.

Image Short Message Service (SMS)—If you are signed in to the iMessage service using the same Apple ID on both your Mac and an iPhone running iOS 8 or later, you can send and receive SMS messages via the iMessage protocol through an iPhone cellular connection. You must manually enable this feature on your iPhone in Settings > Messages before SMS messaging will be available to your Mac. For more information, see Apple Support article HT204681, “Use Continuity to connect your Mac, iPhone, iPad, iPod touch, and Apple Watch.”

Image Privately hosted messaging services—Messages works with open source Jabber servers, including the OS X Server Messages service. Jabber servers are based on the Extensible Messaging and Presence Protocol (XMPP), whose client connections use TCP port 5222 (encrypted by negotiating STARTTLS after connecting) or the legacy TCP port 5223 for connections wrapped in SSL/TLS from the start.

Image Ad hoc messaging—Messages can use the Bonjour network discovery protocol to automatically find other Messages or iChat users. No configuration is necessary to access Bonjour messaging. Bonjour details are covered in Lesson 23, “Manage Host Sharing and Personal Firewall.”

Messages is compatible with a wide variety of messaging features and instant messaging protocols, which means it uses far too many TCP and UDP ports to list here. However, if you are having trouble with the iMessage service specifically, you should verify availability of APNs via Apple Support article HT202078, “If you use FaceTime and iMessage behind a firewall.”

Configure FaceTime

FaceTime provides macOS Sierra with audio and video conferencing abilities, including the ability to answer or place calls to standard phone numbers via a compatible iPhone. Similar to the iMessage service, FaceTime is unique to Apple and leverages APNs to initiate audio or video communications.

To use FaceTime your Mac must also be connected to a compatible camera and microphone. All macOS Sierra–compatible iMac and MacBook computers feature built-in cameras and microphones that are FaceTime compatible.

Again, ideally FaceTime will have been configured automatically when you signed in to iCloud. However, FaceTime also includes its own account setup assistant that walks you through signing in with an Apple ID. This assistant starts automatically if no account has been set when FaceTime is opened.

Image

You can enter any valid Apple ID to configure FaceTime. After authentication, you may be prompted to choose additional FaceTime identifiers that can be used to reach you, like other email accounts or, if you have FaceTime on your iPhone, other mobile numbers. Unlike other network service client applications, you must sign in to use FaceTime and you can only sign in to one account per local user account.

To handle phone calls on your Mac via FaceTime, you will need to be signed in to FaceTime on both your Mac and iPhone with iOS 8 or later. You will have to sign in to FaceTime on your iPhone first to enable FaceTime cellular phone calls. You should also check to ensure your iPhone cellular number is enabled in the FaceTime preferences on your Mac, which you can access by selecting the menu option FaceTime > Preferences.

Once signed in to FaceTime, the service is always ready to send and receive FaceTime calls, even when you quit the FaceTime application. If you wish to turn off FaceTime calls, you can do so from within the FaceTime application by selecting the menu option FaceTime > Turn FaceTime Off or by using the Command-K keyboard shortcut. To start receiving FaceTime calls again, use the same keyboard shortcut or choose Turn FaceTime On from the same menu. Finally, you can permanently halt all calls to your Mac by signing out of your account from the FaceTime preferences.

FaceTime uses a variety of standard and non-reserved TCP and UDP ports to facilitate calls. Specifically, you should verify availability of the ports in Apple Support article HT202078, “If you use FaceTime and iMessage behind a firewall.”

Reference 22.3 Connect to File-Sharing Services

The Finder provides two methods for connecting to a network file system: automatically discovering shared resources by browsing them in the Finder Network folder or manually connecting by entering the address of the server providing the file service.

About File-Sharing Services

Many protocols exist for transferring files across networks and the Internet, but the most efficient are those designed specifically to share file systems. Network file servers can make entire file systems available to your client computer across the network.

Client software built into the macOS Finder can mount a network file service much as it would mount a locally connected storage volume. Once a network file service is mounted to the Mac, you can read, write, and manipulate files and folders as if you were accessing a local file system.

Additionally, access privileges to network file services are defined by the same ownership and permissions architecture used by local file systems. Details on file systems, ownership, and permissions are covered in Lesson 11, “Manage Permissions and Sharing.”

macOS provides built-in support for these network file service protocols:

Image Server Message Block version 3 (SMB 3) on TCP port 445 (TCP port 139 is used only for legacy NetBIOS-over-TCP sessions)—This is the default (and preferred) file-sharing protocol for OS X Yosemite 10.10 and later. Historically, the SMB protocol was mainly used by Windows systems, but many other platforms have adopted support for some version of this protocol. The SMB 3 implementation in macOS works with advanced SMB features such as end-to-end encryption (if enabled on the server), per-packet signing and validation, Distributed File System (DFS) namespaces, request compounding, large maximum transmission unit (MTU) support, and aggressive performance caching. Finally, macOS maintains backward compatibility with older SMB standards, which also means that a server offering only SMB 1 negotiates a connection without SMB 3 encryption.

Image Apple Filing Protocol (AFP) version 3 on TCP port 548 or encrypted over Secure Shell (SSH) on TCP port 22—This is the traditional Apple native network file service. The current version of AFP is compatible with all the features of the Apple native file system, Mac OS Extended. Further, AFP is still the default for backup systems that are based on Time Machine.

Image Network File System (NFS) version 4 on TCP port 2049 (NFS version 3 servers additionally need the rpcbind/portmapper service on port 111 plus dynamically assigned ports for mountd and the lock manager)—Used primarily by UNIX systems, NFS supports many advanced file-system features used by macOS.

Image WebDAV on TCP port 80 (HTTP) or encrypted on TCP port 443 (HTTPS)—As mentioned earlier, this protocol is an extension to the common HTTP service and provides basic read/write file services.

Image File Transfer Protocol (FTP) on TCP ports 20 and 21 or encrypted on TCP ports 989 and 990 (FTPS)—This protocol is in many ways the lowest common denominator of file-sharing protocols. FTP is supported by nearly every computing platform, but it provides only the most basic file-system functionality, and plain FTP sends user names, passwords, and file contents in the clear. Further, the Finder supports only read capability for FTP or FTPS shares.


Note

Don’t confuse FTPS (FTP-SSL) with another, similar protocol, SFTP (SSH File Transfer Protocol). The distinction is that FTPS wraps FTP in SSL/TLS encryption on TCP port 990, whereas SFTP is a different file-transfer protocol carried inside an SSH session on TCP port 22. The Finder does not support SFTP. However, both are supported in Terminal.


Browse File-Sharing Services

You can browse for dynamically discovered file services from two locations in the Finder. The first location is the Shared list located in the Finder sidebar or within the Open dialog of any application. If it’s enabled in Finder preferences, the Shared list is ideal for quickly discovering computers providing file services on a small network. The Shared list shows only the first eight discovered computers providing services. If additional servers are discovered, the last item in the Shared list, All, is a link to the Finder Network folder.

Image

Tip

The Finder Shared list shows servers that you are currently connected to, even if they didn’t originally appear in the Shared list.


The Finder Network folder is a special place in macOS. The Network folder is not a standard folder at all; it’s an amalgamation of all dynamically discovered network file services and all currently mounted file systems, including manually mounted ones. The Network folder changes constantly based on information gathered from the two dynamic network service discovery protocols supported by macOS, Bonjour and SMB/NetBIOS/WINS, so you can browse only SMB or AFP file services from the Network folder.


Tip

The Finder also lets you browse to screen-sharing (VNC) hosts via Bonjour, as covered in Lesson 23, “Manage Host Sharing and Personal Firewall.”


Smaller networks may have only one level of network services. Conversely, if you have a larger network that features multiple service discovery domains, they appear as subfolders inside the Network folder. Each subfolder is named by the domain it represents. Items inside the domain subfolders represent shared resources configured for that specific network area.

To browse and connect to an SMB or AFP file service from the Finder sidebar, select the computer you want to connect to from the Shared list, or select a computer from the Finder Network folder. In the Finder, the quickest route to the Network folder is either to choose Go > Network from the menu bar or to press Shift-Command-K. Selecting a computer from either the Shared list or the Network folder yields similar results.


Note

When browsing in the Finder, if you select a server that supports both SMB and AFP, OS X Yosemite 10.10 and later default to using the SMB protocol. Further, it will always use the most secure version of the SMB protocol supported by the sharing service.


About Automatic File-Sharing Service Authentication

The moment you select a computer providing services, the Mac attempts to automatically authenticate using one of three methods:

Image If you are using Kerberos single sign-on authentication, the Mac attempts to authenticate to the selected computer using your Kerberos credentials.

Image If you are using non-Kerberos authentication but you have connected to the selected computer before and chosen to save the authentication information to your keychain, the Mac attempts to use the saved information.

Image The Mac attempts to authenticate as a guest user. Keep in mind that guest access is a file service option that many administrators disable.

If the Mac succeeds in authenticating to the selected computer, the Finder shows you the account name it connected with and also lists the shared volumes available to this account. Selecting a shared volume connects and mounts its file system.

Image

About Manual File-Sharing Service Authentication

If the Mac was unable to automatically connect to the selected computer, or if you need to authenticate with a different account, click the Connect As button to open an authentication dialog.

Image

You can authenticate to a sharing service using one of three methods:

Image Selecting the Guest radio button, if available, indicates that you wish to connect anonymously to the file service.

Image Selecting the Registered User radio button enables you to authenticate using a local or network account known by the computer providing the shared items. Optionally, you can select the checkbox that saves this authentication information to your login keychain.

Image Selecting the “Using an Apple ID” radio button enables you to authenticate to an SMB or AFP share using an Apple ID. For this option to appear, both the local Mac and the computer hosting the share must be running macOS. Further, the local accounts on both systems must be tied to an Apple ID, as covered in Lesson 5, “Manage User Accounts.”

Image

Click the Connect button, and the Mac authenticates and shows you a new list of shared volumes available to the account. Each available share appears as a folder. Click once on a shared item to connect and mount its file system.

Image

Manually Connect to File-Sharing Services

To manually connect to a file service, you must specify a network identifier (URL) for the file server providing the service. You may also have to enter authentication information and choose or enter the name of a specific shared resource path. When connecting to an SMB or AFP service, you can authenticate first and then choose a shared item, or optionally provide a path. Conversely, when connecting to an NFS, WebDAV (HTTP), or FTP service, you may have to specify the shared items or full path as part of the server address and then authenticate if required.

Manually Connect to SMB or AFP

To manually connect to an SMB or AFP file service from the Finder, choose Go > Connect to Server, or press Command-K, to open the Finder “Connect to Server” dialog. In the Server Address field, enter smb:// or afp://, followed by the server’s IP address, DNS host name, computer name, or Bonjour name.

Image

If you don’t specify a protocol prefix, the “Connect to Server” dialog will attempt to pick the appropriate file-sharing protocol. Again, the preferred default file-sharing protocol for OS X Yosemite 10.10 and later is SMB 3. Optionally, after the server address, you can enter another slash and then the name of a specific shared item. This bypasses the dialog for selecting a specific file share.


Tip

Clicking Browse in the “Connect to Server” dialog brings you to the Finder Network folder, allowing you to browse for a server, as covered previously in this lesson.


If automatic file service authentication is available, as covered earlier in this lesson, you do not have to enter authentication information. If it isn’t available, a dialog appears requiring you to enter authentication information. Likewise, this authentication dialog is identical to the one covered earlier in this lesson.

Once you have authenticated to the file service, you are presented with the list of shared volumes that your account is allowed to access. Select the shared item you want to mount. Optionally, you can hold down the Command key to select multiple shared items from the list.

Image
Manually Connect to NFS, WebDAV, or FTP

To manually connect to an NFS, WebDAV, or FTP file service from the Finder, choose Go > Connect to Server, or press Command-K, to open the Finder “Connect to Server” dialog.

In the Server Address field, enter one of the following:

Image nfs://, followed by the server address, another slash, and then the absolute file path of the shared items.

Image http:// for WebDAV (or https:// for WebDAV encrypted via SSL), followed by the server address. Each WebDAV site has only one mountable share, but you can optionally enter another slash and then specify a folder inside the WebDAV share.

Image ftp:// (or ftps:// for FTP encrypted via SSL), followed by the server address. FTP servers also have only one mountable root share, but you can optionally enter another slash and then specify a folder inside the FTP share.

Depending on the protocol settings, you may be presented with an authentication dialog. NFS connections never display an authentication dialog. With the default AUTH_SYS security flavor, the NFS client simply sends the numeric user and group IDs of the local account you are already logged in as, and the server trusts those values for authorization; an export that accepts AUTH_SYS therefore performs no real authentication and should be limited to trusted client addresses. Where access control matters, the server should require Kerberos single sign-on (the krb5 security flavors), which the macOS NFS client also supports.

If you are presented with an authentication dialog, enter the appropriate authentication information there. Optionally, you can select the checkbox that saves this authentication information to your login keychain. When connecting to NFS, WebDAV, or FTP file services, the share mounts immediately after authentication.
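To make the address rules in this section concrete, the following is an added Python example, not Apple code and not part of the original lesson. It classifies a “Connect to Server” address the way the Finder treats it: it fills in the default port from this lesson’s protocol list when the address carries none, separates the share from the path according to whether the protocol authenticates first and then offers shares (SMB, AFP) or needs the export or folder in the address itself (NFS, WebDAV, FTP), and lists the risks a practitioner should notice before clicking Connect, such as a plaintext protocol, a password typed into the address, or the NFS AUTH_SYS trust model. The server names, shares, and user names in the sample input are constructed.

```python
"""Classify a Finder "Connect to Server" address.

Added example, not Apple code. DEFAULT_PORTS follows the protocol list in
this lesson; the share/path rules follow the text above.
"""
from urllib.parse import urlsplit, unquote

# Default TCP ports from this lesson's protocol list; used only when the
# address does not carry an explicit host:port.
DEFAULT_PORTS = {
    "smb": 445, "cifs": 445, "afp": 548, "nfs": 2049,
    "http": 80, "https": 443, "ftp": 21, "ftps": 990,
}
# Schemes that send credentials and data in the clear.
PLAINTEXT = {"ftp", "http"}
# SMB and AFP authenticate first and then offer a list of shares; NFS,
# WebDAV and FTP need the export or folder in the address itself.
AUTH_THEN_BROWSE = {"smb", "cifs", "afp"}


def classify_server_address(address):
    """Return protocol, host, port, share, path and a list of warnings.

    Raises ValueError for an address the dialog would reject.
    """
    if "://" not in address:
        # No prefix: the dialog picks a protocol itself, SMB by default.
        address = "smb://" + address
    parts = urlsplit(address)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported protocol: " + scheme)
    if not parts.hostname:
        raise ValueError("missing server address")
    segments = [unquote(s) for s in parts.path.split("/") if s]

    warnings = []
    if scheme in PLAINTEXT:
        warnings.append("plaintext protocol: credentials and data are not encrypted")
    if parts.password is not None:
        warnings.append("password embedded in the address; use the "
                        "authentication dialog and keychain instead")
    if scheme == "nfs":
        warnings.append("NFS AUTH_SYS: the server trusts the UID/GID this "
                        "client asserts unless Kerberos is required")

    if scheme in AUTH_THEN_BROWSE:
        # smb://server            -> authenticate, then choose a share
        # smb://server/share/dir  -> share chosen in the address, dir inside it
        share = segments[0] if segments else None
        path = "/".join(segments[1:])
    elif scheme == "nfs":
        if not segments:
            raise ValueError("nfs:// needs the absolute path of the export")
        share = "/" + "/".join(segments)
        path = ""
    else:
        # WebDAV and FTP expose one root share; anything after the host is
        # a folder inside it.
        share = "/"
        path = "/".join(segments)

    return {
        "protocol": scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[scheme],
        "user": parts.username,
        "share": share,
        "path": path,
        "auth_before_share": scheme in AUTH_THEN_BROWSE,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample addresses; none of these hosts exist.
    for addr in ("smb://fileserver.example.com/Projects/Q3",
                 "afp://bkent@fileserver.example.com",
                 "nfs://nfs.example.com/exports/home",
                 "https://dav.example.com/dav/reports",
                 "ftp://anonymous:guest@ftp.example.com/pub",
                 "fileserver.example.com"):
        info = classify_server_address(addr)
        print(addr, "->", info["protocol"], info["host"], info["port"],
              "share=%r path=%r" % (info["share"], info["path"]))
        for w in info["warnings"]:
            print("   warning:", w)
```

An `sftp://` address raises an error here for the same reason the Finder rejects it: SFTP is not one of the Finder’s file-sharing protocols, so it must be used from Terminal.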

About Mounted Shares

Once the Mac has mounted the network file share, that share can appear in several locations from the Finder or any application’s Open dialog, including the Computer location, the desktop, and the sidebar’s Shared list, depending on configuration. However, mounted network volumes always appear at the Computer location in the Finder, accessible by choosing Go > Computer or by pressing Shift-Command-C. By default, connected network volumes do not show up on the desktop. You can change this behavior from the General tab of the Finder Preferences dialog.

Image

Tip

Remember that the sidebar also appears in any application’s Open dialog with exactly the same items that are available from the Finder.


Manually entering server information every time you connect to a server is a hassle. Two features in the “Connect to Server” dialog make this process efficient for your users. The dialog maintains a history of your past server connections. You can access this history by clicking the small clock icon to the right of the Server Address field. Also, you can create a list of favorite servers by clicking the Add (+) button to the right of the Server Address field.

Image

Disconnect Mounted Shares

It is important to recognize that the Mac treats mounted network volumes similarly to locally attached volumes, so you must remember to always properly unmount and eject network volumes when you’re done with them. Mounted network volumes are unmounted and ejected from the Finder using the same techniques you would use on a locally connected volume. Unmounting and ejecting volumes is covered in Lesson 9, “Manage File Systems and Storage.” One difference in working with mounted volumes is that the Eject button appears multiple times in the Finder, wherever the server name or the shared items appear.

Image

In practice, though, it’s difficult for users to remember they have network shares mounted, since there is no locally attached hardware device to remind them. Further, laptop users often roam out of wireless network range without even thinking about what network shares they may have mounted.

If a network change or problem disconnects the Mac from a mounted network share, the Mac spends several minutes attempting to reconnect to the server hosting the shared items. If after several minutes the Mac cannot reconnect to the server, the system will fully disconnect from the share.

Automatically Connect to File Shares

On a positive note, because the Finder treats mounted network shares as similar to other file-system items, you can save time and make life easier for yourself and your users by creating automatic connections to network shared items. One method is to have a network share mount automatically when a user logs in by adding the network share to the user’s login items. Managing login items is covered in Lesson 5, “Manage User Accounts.”

Image

Alternatively, you can create easy-to-use shortcuts to often-used network shares. One method involves creating Dock shortcuts by dragging network shares or their enclosed items to the right side of the Dock. You can also create aliases on the user’s desktop that link to often-used network shares or even specific items inside a network share. (Creating aliases is covered in Lesson 12, “Use Hidden Items, Shortcuts, and File Archives.”) Either method you use automatically connects to the network share when the item is selected.

Image

Tip

You cannot drag items from the Finder sidebar or the Network browser to the login items list. Instead, select the network share from the desktop or the Computer location in the Finder. You can access the Computer location in the Finder by choosing Go > Computer.



Tip

Remember that by using Kerberos single sign-on authentication or by saving authentication information to the keychain, you can bypass authentication dialogs as well.


Reference 22.4 Troubleshoot Network Services

To effectively troubleshoot a network issue, you must isolate the issue into one of three categories: local, network, or service. Most issues involving failure to access network services probably fall under the service category. This means that you should probably focus most of your efforts on troubleshooting the specific service you’re having issues with.

However, before digging too deep into troubleshooting the specific network service, quickly check for general network issues. First, check to see whether other network services are working. Opening a web browser and navigating to a few different local and Internet websites is always a good general network connectivity test.

To be thorough, also test other network services, or test from other computers on the same network. If you’re experiencing problems connecting to a file server but you can connect to web servers, chances are your TCP/IP configuration is fine, and you should concentrate on the specifics of the file server. If you’re only experiencing problems with one particular service, you probably don’t have local or network issues, and you should focus your efforts on troubleshooting just that service.

If other network clients or services aren’t working either, your issue is likely related to local or network issues. Double-check local network settings to ensure proper configuration from both the Network preferences and Network Utility. If you find that other computers aren’t working, you might have a widespread network issue that goes beyond troubleshooting the client computers. For more information on general network troubleshooting, see Lesson 21, “Troubleshoot Network Issues.”


Tip

If you’re experiencing problems with a service provided by Apple, you can check real-time Apple service status at this website: www.apple.com/support/systemstatus/.


Use Network Utility: Port Scan

Once you decide to focus on troubleshooting a problematic network service, one of your most important diagnostic tools is the network Port Scan utility. Part of the Network Utility application, Port Scan scans for any open network service ports on the specified network address.


Tip

The quickest way to open Network Utility is via the Spotlight search menu. Usually searching simply for “net” will list Network Utility in the search results.


As covered earlier in this lesson, network service protocols are tied to specific TCP and UDP network ports. Network devices providing a service must leave the appropriate network ports open to accept incoming connections from other network clients. Port Scan reveals whether the required ports are indeed reachable from your Mac. If the ports aren’t open, that device either is not providing the expected service, is configured to provide it on a nonstandard port, or sits behind a firewall that drops your connection attempts. Any of these indicates that the issue lies with the device providing the service or with the network path to it, not with your Mac.

To verify network service availability, start by opening Network Utility and clicking the Ping tab at the top. Before scanning the ports, check for basic network connectivity by attempting to ping the device that is supposed to be providing the service. Enter the device’s network address or host name and click the Ping button.

If the ping is successful, it returns with the amount of time it took for the ping to travel to the network device and then return. Assuming you have network connectivity to the other device, continue with the port scan.

Image

To scan for a network service, start by clicking the Port Scan tab. Again, enter the network address or host name of the device that is supposed to be providing the service. If you’re only troubleshooting a specific service, limit the scan to just that service’s default ports by selecting the appropriate checkbox and entering a beginning and ending port range.

Image

There are 65,535 usable TCP ports and as many UDP ports, so scanning all of them is unnecessary and overly time intensive. Even if you don’t know the specific port, most common services use the well-known port range, 0 through 1023. Further, network administrators view repeated network pings and broad port scans as a threat, and many organizations prohibit them without prior authorization. Thus, some network devices are configured not to respond even when working properly, and an unexpected scan may get your Mac blocked or reported. In general, you should avoid excessive network pinging and scanning an unnecessarily broad range of ports when testing others’ servers.

Once you have defined the port range, you’re ready to click the Scan button to initiate the scan process. Depending on the scan range you choose, it may take several minutes to complete the scan. Any open ports discovered are listed along with the associated network protocol, if known.


Note

There are some inaccuracies with the protocol reporting of the Port Scan feature. For example, port 106 (listed as 3com-tsmux) is actually the macOS Server password service, and port 625 (listed as dec_dlm) is actually the directory service proxy. This is because these ports are registered by the Internet Assigned Numbers Authority (www.iana.org) for the reported protocols. However, Apple is using these numbers for its own purposes.
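The Python script below is an added example, not Apple’s Network Utility and not part of the original lesson. It performs the check Port Scan performs, restricted to the default ports of a single service as the text advises: a TCP connect to each port, reported as open, closed, or filtered. The three-way result is the point of the example, because it changes where you look next: closed means a host answered with a reset (reachable, but nothing listening on that port), while filtered means nothing answered before the timeout, which usually points at a firewall somewhere on the path rather than at a stopped service. The service-to-port table is assumed from the port numbers given throughout this lesson, and the listener the demo probes is started locally as a constructed fixture so the example runs offline.

```python
"""Probe the default TCP ports of one network service.

Added example, not Apple's Network Utility. SERVICE_PORTS is assumed from
the port numbers listed in this lesson.
"""
import errno
import socket

# Default TCP ports per service as listed in this lesson (plain and
# encrypted variants where the lesson gives both).
SERVICE_PORTS = {
    "smb": [445, 139],
    "afp": [548],
    "nfs": [2049],
    "webdav": [80, 443],
    "ftp": [21, 990],
    "ldap": [389, 636],
    "xmpp": [5222, 5223],
    "apns": [5223, 443],
    "carddav (macOS Server)": [8800, 8843],
}

# connect() results that mean "no answer" rather than "refused".
FILTERED_ERRNOS = {errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK,
                   errno.EINPROGRESS, errno.EHOSTUNREACH, errno.ENETUNREACH}


def probe_tcp_port(host, port, timeout=2.0):
    """Return "open", "closed" or "filtered" for one TCP port.

    "closed": the host answered with a reset, so it is reachable but not
    listening. "filtered": nothing answered before the timeout, which
    usually means a firewall is dropping packets on the path.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        code = sock.connect_ex((host, port))   # errno instead of raising
    except socket.timeout:
        return "filtered"
    finally:
        sock.close()
    if code == 0:
        return "open"
    if code == errno.ECONNREFUSED:
        return "closed"
    if code in FILTERED_ERRNOS:
        return "filtered"
    return "closed"


def check_ports(host, ports, timeout=2.0):
    """Probe a list of ports; returns {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


def check_service(host, service, timeout=2.0):
    """Probe only the default ports of one service, as the lesson advises,
    instead of scanning a broad range."""
    return check_ports(host, SERVICE_PORTS[service], timeout)


def start_local_listener():
    """Constructed fixture: a throwaway listener on 127.0.0.1 with a random
    port, so the demo runs offline. Close the socket to stop listening."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("listening on %d -> %s" % (port, probe_tcp_port("127.0.0.1", port)))
    srv.close()
    print("after close    -> %s" % probe_tcp_port("127.0.0.1", port))
    # Against a real server you would run, for example:
    #   check_service("fileserver.example.com", "smb")
```

Name-resolution failures are deliberately not folded into “filtered”: a `socket.gaierror` propagates, because an unresolvable name is a DNS problem to chase under Lesson 21, not a service problem.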


Troubleshoot Network Applications

Aside from general network service troubleshooting, you can try a few application-specific troubleshooting techniques. First, double-check any application-specific configuration and preference settings. It takes only a few moments, and you may find that users have inadvertently caused the problem by changing a setting they shouldn’t have.

Be aware of these specifics when troubleshooting network applications:

Image Safari—Safari is a good web browser, but webpages aren’t always perfect. You may find that some websites do not render properly or work correctly with Safari. To provide the most secure web experience, Safari may disable third-party plug-ins. You can verify the status of third-party plug-ins from the Security tab of the Safari preferences. You might also want to try a third-party web browser. Several are available for the Mac, including Google Chrome, Firefox, OmniWeb, and Opera. Alternatively, for deeper inspection of problematic webpages you can enable the Safari Develop menu from the Advanced tab of Safari preferences. With this menu enabled, you can dig into the details of a webpage or try advanced troubleshooting methods, including emptying Safari’s caches and requesting the website with a different user agent.

Image

Image Mail—Improper mail account configuration settings are the most common cause of Mail application issues. Fortunately, the Mail application includes a built-in account diagnostic tool, Mail Connection Doctor, that attempts to establish a connection with all configured incoming and outgoing mail servers. To open Mail Connection Doctor, choose Window > Connection Doctor within the Mail application. If a problem is found, a suggested resolution is offered, but for a more detailed diagnostic view, click the Show Detail button to reveal the progress log, and then click the Check Again button to rerun the tests.

Tip

Apple also provides an online Mail Setup Assistant database that may help you identify mail client configuration issues: www.apple.com/support/mail-settings-lookup/.


Troubleshoot File-Sharing Services

There are a few known macOS file-service issues you should be aware of. They aren’t software bugs in the sense that something is broken and requires a fix. Rather, these issues represent compatibility and design choices that are intentional but may still cause you problems.

AppleDouble Issues

As covered in Lesson 14, “Use Metadata, Spotlight, and Siri,” macOS uses separate metadata stores. The NFS and WebDAV file-sharing protocols do not support metadata of this type. Thus, when files are written to a mounted NFS or WebDAV volume, macOS automatically splits these files into two separate files.

With this practice, commonly known as AppleDouble, the data retains the original name, but the metadata is saved with a period and underscore before the original name. The Finder recognizes these split files and shows only a single file to the user. However, users on other operating systems see two separate files and may have trouble accessing the appropriate one.
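The following script, added here as an illustration and not part of the lesson, shows both halves of the AppleDouble behavior described above: how a raw NFS or WebDAV listing pairs each “._” metadata file with its data file (and exposes orphaned ones), and what the “._” file itself contains (a big-endian header of magic number, version, filler, and entry table). The directory listing and the sample “._” blob are constructed inline for the example; the Finder info and resource fork contents are placeholders.

```python
"""Inspect AppleDouble "._" companion files as they appear to non-Apple
clients of an NFS or WebDAV volume. Added example; the listing and the
sample blob below are constructed here, not taken from a real volume."""
import struct

APPLEDOUBLE_MAGIC = 0x00051607          # AppleSingle would be 0x00051600
ENTRY_NAMES = {2: "resource fork", 9: "Finder info"}   # entry IDs used here
HEADER_FMT = ">II16sH"                   # magic, version, filler, entry count
ENTRY_FMT = ">III"                       # entry ID, offset, length


def pair_appledouble(names):
    """Group a raw listing into {data file: "._" file}, the way the Finder
    hides the split, and return any "._" files with no matching data file."""
    names = set(names)
    pairs, orphans = {}, []
    for n in names:
        if n.startswith("._"):
            data = n[2:]
            if data in names:
                pairs[data] = n
            else:
                orphans.append(n)
    return pairs, sorted(orphans)


def parse_appledouble(blob):
    """Parse an AppleDouble v2 header and return (version, {entry: bytes})."""
    magic, version, _filler, count = struct.unpack(HEADER_FMT, blob[:26])
    if magic != APPLEDOUBLE_MAGIC:
        raise ValueError("not an AppleDouble file: magic 0x%08x" % magic)
    entries = {}
    for i in range(count):
        start = 26 + 12 * i
        eid, off, length = struct.unpack(ENTRY_FMT, blob[start:start + 12])
        entries[ENTRY_NAMES.get(eid, "entry %d" % eid)] = blob[off:off + length]
    return version, entries


def build_sample(finder_info, rsrc):
    """Construct a minimal two-entry AppleDouble blob (test data only)."""
    header_len = 26 + 12 * 2
    body = struct.pack(HEADER_FMT, APPLEDOUBLE_MAGIC, 0x00020000, b"\0" * 16, 2)
    body += struct.pack(ENTRY_FMT, 9, header_len, len(finder_info))
    body += struct.pack(ENTRY_FMT, 2, header_len + len(finder_info), len(rsrc))
    return body + finder_info + rsrc


if __name__ == "__main__":
    # Constructed listing as a Linux NFS client would show it.
    listing = ["report.txt", "._report.txt", "._stale.txt", "notes.txt"]
    print(pair_appledouble(listing))
    # Constructed "._report.txt": 32-byte Finder info (type/creator first)
    # followed by a placeholder resource fork.
    sample = build_sample(b"TEXTttxt" + b"\0" * 24, b"RSRC-PLACEHOLDER")
    print(parse_appledouble(sample))
```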

Microsoft’s Services for Macintosh Issues

You may encounter another issue when trying to access an AFP network volume from a Windows file server. Windows servers prior to 2008 include Services for Macintosh (SFM), which provides only the legacy AFP 2 file service. macOS is still compatible with AFP 2 but is optimized for AFP 3.1.

Many known performance issues exist with AFP 2, so you should avoid it at all costs. Ideally, you should use a system running macOS Server to provide AFP services for your network. However, if you must keep the Windows file server, you can add AFP 3.1 support by installing Acronis Access Connect (formerly ExtremeZ-IP) (www.acronis.com). Also remember that macOS clients include a robust SMB client that natively connects to your Windows server with a high degree of reliability and performance.


More Info

macOS works with legacy AFP only if you follow the steps in Apple Support article HT200160, “Connecting to legacy AFP services.” If you have problems with some SMB services you may also want to try the steps in Apple Support article HT204021, “If you can use AFP but not SMB to mount a file server.”


Exercise 22.1 Configure a Network Service Account


Prerequisites

You must have created the Chris Johnson account (Exercise 5.1, “Create a Standard User Account”).

You must be performing these exercises in a class or have set up your own server configured as in the Mainserver Setup Instructions.


The client applications built into macOS can use a wide variety of network services, and the Internet Accounts pane in System Preferences makes setting up suites of services easy. You have already set up iCloud-based services on your computer. In this exercise, you will also configure your computer to use services provided by a macOS server.

View Your Existing Network Accounts

1 If necessary, log in as Chris Johnson.

2 Open the Contacts application.

3 Open Contacts preferences by choosing Contacts menu > Preferences (Command-Comma).

4 Click the Accounts button to see the accounts your Contacts application is configured to use.

If you have configured iCloud services for the Chris Johnson account, you will see the iCloud account listed here.

You could use this pane of Contacts preferences to view and add network accounts for Contacts, but often you have accounts that are used for groups of related services.

5 Close the Contacts preferences window, and quit Contacts.

6 Open System Preferences, and select the Internet Accounts pane.

If you are signed in to iCloud, your iCloud account information is listed on the left side of the window. You can manage iCloud settings here, as well as in iCloud preferences. You may also see a Game Center account listed.

7 If your iCloud account is listed on the left, select it, and then deselect the Mail service on the right.

Not having iCloud mail mixed with the new account will simplify testing later in the exercise.

Set Up a New Network Account

1 If a list of account types is not shown on the right, click the Add (+) button under the account list.

2 Scroll to the bottom of the list, and click Add Other Account.

More account types appear at the bottom of the list.

3 Click “Server account.”

Mainserver is available in the server list.

Note that the server’s domain name (shown on the right) might be either Mainserver.local or mainserver.pretendco.com.

4 Select Mainserver, and click Next.

You are prompted for the server account you want to use. If you are performing these exercises in a class, your account name will include your student number or seat number. If you are performing these exercises on your own, use 1 as your student number.

5 Enter the following for your account information:

User Name: studentn (where n is your student number)

Password: student

6 Click “Sign in.” If you receive an error message, check the settings and try again.

A dialog may appear indicating that Internet Accounts can’t verify the identity of the server; if it does not, you have already configured your computer to trust the server, and you can skip to step 10.

Again, the server’s domain name may be listed as either “mainserver.local” or “mainserver.pretendco.com.”

This appears because Internet Accounts is attempting to make a secure connection using SSL but the SSL certificate the server presents has not been signed by a trusted certificate authority (CA). The host name listed in the certificate may also not match the host name Internet Accounts is using to connect to the server. Thus, Internet Accounts cannot tell whether the server is the one you intend to connect to or an impostor.

This problem can occur because the server is not properly configured but also might indicate that you have reached a malicious fake. Unfortunately, there is often no reliable way to tell whether or not there is a real problem. In this case, it is occurring because Mainserver is not run by the legitimate owner of pretendco.com; it is a fake, but it is a harmless fake.

7 Click Show Certificate.

The dialog expands and displays more details about the server’s SSL certificate.

8 Select “Always trust,” and then click Continue.

This adds the certificate to your keychain and creates a trust policy so that this server certificate will automatically be trusted in the future. Note that if you had been connected to an external server on the Internet (especially one that handles sensitive information, such as your bank’s web server), it would have been safer to cancel the connection.

9 Authenticate as Chris Johnson to confirm the new trust policy.

10 In the “Select the apps...” dialog, deselect VPN, and click Done.

Setting up the VPN service would make changes to the Mac computer’s network configuration, which would require administrator authentication. Also, you may have already configured the VPN service using a configuration profile in Exercise 20.3, “Configure VPN Settings.”

11 When the account setup finishes, quit System Preferences.

Test Your New Account

1 Open the Contacts application.

2 Open Contacts preferences (choose Contacts menu > Preferences, or press Command-Comma).

3 Click the Accounts button, and select the Server account.

Since this account is being managed by Internet Accounts preferences, not many configuration options appear here.

4 Close the Contacts preferences window, and quit Contacts.

5 Open the Mail application.

6 If a warning appears indicating that Mail can’t verify the identity of the server, repeat the process of showing the certificate and marking it as always trusted.

Mail checks for new messages in your macOS Server account. You should have a welcome message from the server team.

If you also had iCloud messages, you may have missed the step to turn off iCloud mail; return to Internet Accounts preferences, select your iCloud account, and turn off its mail service.

7 Open Mail preferences (choose Mail menu > Preferences, or press Command-Comma).

8 Click the Accounts button.

9 Select the macOS Server account.

10 Close the Mail preferences window, and quit Mail.

Scan the Server

To prepare for Exercise 22.3, “Troubleshoot Network Services,” you will record a baseline of what services Mainserver provides when everything is working normally.

1 Open Network Utility (remember that you can press Command–Space bar and use Spotlight to find it).

2 Click the Port Scan tab.

The port scan tool scans a server or other IP address to see what network ports are accepting connections. This is explored in more detail in Exercise 22.3, “Troubleshoot Network Services.”

3 Enter the server address mainserver.local in the IP address field.

4 Select the “Only test ports between” option, and set the range to 1 through 1024.

5 Click Scan.

6 Wait for it to finish scanning, and then expand the Network Utility window until all the results are visible.

Your results may not exactly match those shown here. To record your results, you will take a screenshot of the Network Utility window. For more about taking screenshots in macOS, see Exercise 6.1, “Restore a Deleted User Account.”

7 Press Command-Shift-4; then release those keys, and press the Space bar.

The cursor changes to a camera icon, and the region of the screen it is over is highlighted in blue.

8 Move the pointer over the Network Utility window, and then click to record its contents.

The image is saved to your desktop with the name “Screen Shot” followed by the date and time it was taken.

9 Quit Network Utility.

Exercise 22.2 Use File-Sharing Services


Prerequisites

You must have created the Chris Johnson account (Exercise 5.1, “Create a Standard User Account”).

You must be performing these exercises in a class or have set up your own server configured as in the Mainserver Setup Instructions.


Many protocols can be used to transfer files across networks and over the Internet, but some of the most efficient are designed specifically to share file systems, such as AFP and SMB. In this exercise, you will use a Finder window and the “Connect to Server” command from the Finder Go menu to connect to shared AFP and SMB volumes on another computer, copy a file from the server to your desktop, and copy the file back to the server.

Browse to an SMB Share

These steps will lead you through the process of using the sidebar to mount an SMB volume on the desktop.

1 If necessary, log in as Chris Johnson.

2 In the Finder window, select Mainserver in the Shared section of the sidebar.

If Mainserver is not shown, click All in the sidebar, and then double-click Mainserver in the network view.

Your Mac contacts Mainserver and logs in automatically as a guest.

3 Click the Connect As button.

4 When prompted to authenticate, select Registered User, enter the name student and the password student, select “Remember this password in my keychain,” and click Connect.

You are now connected to Mainserver with the “student” account. The Finder window shows that you now have access to more shared folders than you did as a guest. The SMB Shared folder is available only over the SMB protocol, so its appearance here indicates that this is the protocol being used to connect to Mainserver.

Now you will take a look at what you can see in the Public folder on the server.

5 Open Finder preferences (choose Finder menu > Preferences, or press Command-Comma), click General, and select “Connected servers,” if it is not already selected.

This shows mounted server volumes on the desktop. Since you have not mounted any shared folders yet, nothing new appears on the desktop at this point.

6 Close the Finder Preferences window.

7 Open the shared folder named Public.

The folder displays in the Finder, and a new network volume icon appears on the desktop.

In the Public folder you see a file (copy.rtf), along with the StudentMaterials folder.

Copy Files to a Network Share

You will use the Finder to copy files to a shared folder mounted over SMB.

1 Drag copy.rtf to your desktop. Since you are dragging from one volume to another, this copies the file rather than moving it.

2 Rename your copy of copy.rtf to Student n.rtf (where n is your student number if you are in a class or 1 if you are performing these exercises on your own).

You can rename a file by selecting it and pressing Return or by clicking the filename and waiting a moment.

3 Select Mainserver in the Finder sidebar. This returns you to the view of available shared folders.

4 Open the SMB Shared folder. Its icon will appear on your desktop.

5 Drag the renamed file from your desktop onto the SMB Shared folder.

Automatically Mount a Network Share

macOS provides several ways to memorize a share point to allow easy access to it. In this section, you will configure your user preferences to automatically mount a share point whenever you log in.

1 Open System Preferences, and select the Users & Groups preferences.

2 With Chris Johnson selected in the user list, click the Login Items tab.

Note that you do not need to authenticate as an administrator to access your login items; they are a personal preference, so standard users can manage their own login items.

3 Drag the SMB Shared icon from your desktop to the login items list.

Anything in your login items list will be automatically opened every time you log in. It can include applications, documents, folders, and so on. By adding a shared folder, you have configured it to mount every time you log in. Since you also memorized the server account name and password when you connected, the connection should be fully automatic.

4 Quit System Preferences.

5 Disconnect from Mainserver by clicking the Eject button next to Mainserver in the Finder sidebar.

Disconnecting from the server automatically unmounts both the Public and SMB Shared folders. You can also unmount them individually if you prefer.

6 Log out and back in as Chris Johnson.

7 If a connect dialog appears, click Connect to confirm. Note that the password will be filled automatically from your keychain.

The SMB Shared folder is remounted and opened in the Finder. Note that if you are connecting via Wi-Fi, it may take a minute or so to reconnect.

8 Reopen the Users & Groups preferences.

9 Click Login Items.

10 Remove SMB Shared from the login items list by selecting it and then clicking the Delete (–) button under the list.

11 Quit System Preferences.

12 Disconnect from Mainserver again.

Manually Connect to an AFP Share

These steps will lead you through the process of using “Connect to Server” (in the Finder) to mount an AFP volume on the desktop.

1 In the Finder, choose Go menu > Connect to Server (Command-K).

2 In the Server Address field, enter afp://mainserver.local to connect using the AFP protocol.

3 Before you click Connect, click the Add (+) button to the right of the Server Address field.

This adds the server URL to your Favorite Servers list. This is another way to allow easy access to a shared folder.

4 Click Connect.

5 Use the same credentials you used when connecting over SMB, and select “Remember this password in my keychain.” Click Connect.

Note that although you have already memorized the SMB password for the server, this is a different file service, and you must also memorize its password.

Since you entered a connection URL that did not specify a shared folder to mount, you will be asked which folders you want to mount. Note that this time you do not see the SMB Shared folder, but you do see the AFP Shared folder.

6 Select the Public and AFP Shared folders, and click OK.

The volumes mount, and you see the same files in Public that you saw when connecting using SMB. You have connected to the same folder on the server, so this is not surprising.

7 Drag the Student n.rtf file from your desktop to the AFP Shared folder.

8 Disconnect from the server, either by dragging the volume icons to the Trash or by clicking the Eject button in the Finder sidebar.

Exercise 22.3 Troubleshoot Network Services


Prerequisites

You must have created the Chris Johnson account (Exercise 5.1, “Create a Standard User Account”).

You must be performing these exercises in a class or have set up your own server configured as in the Mainserver Setup Instructions.

You must have performed Exercise 22.1, “Configure a Network Service Account.”


In this exercise, the mail service will fail, and you will use several network service troubleshooting tools to investigate the problem.

Turn Off the Mail Service or Wait for the Instructor to Do So

If you are performing these exercises in class, notify the instructor that you are ready for the mail service to be turned off, and wait for the instructor to tell you to proceed; then skip to “Troubleshoot with the Mail.app Connection Doctor.”

If you are performing these exercises on your own, follow these steps on your server computer to turn off the mail service:

1 On your server computer, log in as Local Admin.

2 Open the Server application.

3 Select Mail from the sidebar.

4 Turn the service off.

5 Quit the Server application, and return to your regular exercise computer.

Troubleshoot with the Mail.app Connection Doctor

1 If necessary, log in as Chris Johnson.

2 Open the Mail application.

Mail displays an Account Error alert.

3 Click the Account Error alert.

A dialog appears with more information about the problem.

Note that depending on your network setup, the error you see may refer to “mainserver.local” instead of “mainserver.pretendco.com.”

The Mail application has a built-in Connection Doctor that can do basic service diagnostics.

4 Click Open Connection Doctor in the dialog.

The Connection Doctor opens and runs a series of tests to see which parts of your mail service are working. In this case, it detects that your Internet connection is working (the green Connection Status indicator at the top) but that neither the mail sending service (SMTP) nor the receiving service (IMAP) is working because it cannot connect to either service.

Note that an iCloud IMAP service may be listed. The Connection Doctor may test it even though the service is turned off.

If this were a minor glitch, the Mail Connection Doctor might be able to point you to a solution. In this case, it indicates that it “Could not connect...” to the macOS Server over either the SMTP or the IMAP protocol. Because the server appears to be completely unreachable, you will now turn to Network Utility for further troubleshooting.

5 Close the Mail Connection Doctor window.

6 Quit Mail.

Troubleshoot with Network Utility

1 Open Network Utility. Remember that you can use Spotlight to find it.

Since Mail is unable to reach the server, you should first test to make sure the network connections between your computer and the server are working.

2 Click the Ping tab.

3 In the “Enter the network address to ping” field, enter mainserver.local.

4 Click Ping.

The ping probes are able to reach the server. This tells you that the network connection between your computer and the server is working, so you need to move on to the services you are trying to use.

5 Click the Port Scan tab.

The port scan tool can scan a server to see what TCP port numbers it has services running on; usually, you can tell what services are available based on the port numbers.


Note

Many malicious network attacks start with or employ port scans, so this type of troubleshooting might be interpreted as an attack. Before you scan ports on a target computer, request permission from its owner or a network or server administrator, if possible. As a general rule, only scan ports on computers you have responsibility for. Many environments employ automatic countermeasures. Simply scanning a server may get your computer or IP address blacklisted, preventing you from knowing whether you have resolved the problem you are troubleshooting.


6 If necessary, enter the server address mainserver.local in the IP address field.

7 If necessary, select the “Only test ports between” option, and set the range to 1 through 1024.

8 Click Scan.

9 Watch the scan as it identifies the open ports.

The port scan lists the open ports it finds, along with the names of the services usually associated with them. For example, port 80 is the standard (or “well-known”) port for web services (the HTTP protocol), and port 548 is the standard port for the Apple Filing Protocol (“afpovertcp”). These well-known ports are commonly used in the industry and facilitate interoperability across different vendors’ implementations of the same protocols. To test whether a computer has an HTTP (web) server, you would run a port scan on it and test whether TCP port 80 is open. HTTPS (an SSL-secured web service) normally uses TCP port 443, so if HTTPS requests are not working, port 443 might be blocked or inactive.

For a listing of many ports used by Apple products, see Apple Support article HT202944, “TCP and UDP ports used by Apple software products.”

10 Open the screenshot you took in Exercise 22.1, “Configure a Network Service Account,” showing which ports were open when the services were working, and compare it with the current scan.

In this case, you are trying to troubleshoot the mail service, which normally involves TCP ports 25 (SMTP), 110 (POP3), 143 (IMAP), 587 (message submission), 993 (IMAPS), and 995 (POP3S). Note that mail servers that use proprietary protocols such as Exchange provide access to those protocols over other port numbers.

All of those ports are listed in the earlier scan but not in the current scan. This indicates either that the server does not offer mail service (which is true here since the service is switched off) or that a firewall is blocking access to the service.

This is as far as you can resolve this problem from the client side; further troubleshooting would mean looking in detail at the server and network firewalls, which is beyond the scope of this exercise.

11 Quit all open applications.
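The baseline-versus-current comparison in steps 9 and 10 can be automated for a scan saved as text rather than as a screenshot. The script below is an added example, not part of the lesson: it parses two blocks of text shaped like Network Utility’s Port Scan output (both constructed here to mimic Mainserver before and after the mail service is switched off), lists the ports that closed or opened, and reports whether the standard mail ports from the exercise are among the closures. The port 106 and 625 labels follow the earlier note that Apple uses those IANA-registered numbers for its own services.

```python
"""Diff a baseline port scan against a current one to see which services
disappeared. Added example; both scan texts below are constructed to look
like Network Utility's Port Scan output, not real captures."""
import re

# Standard mail ports named in the exercise (TCP).
MAIL_PORTS = {25: "smtp", 110: "pop3", 143: "imap",
              587: "submission", 993: "imaps", 995: "pop3s"}
# Ports Network Utility labels with their IANA names but Apple uses otherwise.
APPLE_LABELS = {106: "macOS Server password service",
                625: "directory service proxy"}
PORT_LINE = re.compile(r"Open TCP Port:\s+(\d+)\s+(\S+)")

# Constructed baseline: mail running (the screenshot from Exercise 22.1).
BASELINE = """Port Scan has started...
Port Scanning host: 10.0.0.1
     Open TCP Port:    25     smtp
     Open TCP Port:    80     http
     Open TCP Port:    106    3com-tsmux
     Open TCP Port:    110    pop3
     Open TCP Port:    143    imap
     Open TCP Port:    443    https
     Open TCP Port:    548    afpovertcp
     Open TCP Port:    587    submission
     Open TCP Port:    993    imaps
     Open TCP Port:    995    pop3s
Port Scan has completed...
"""
# Constructed current scan: same host after the mail service is turned off.
CURRENT = """Port Scan has started...
Port Scanning host: 10.0.0.1
     Open TCP Port:    80     http
     Open TCP Port:    106    3com-tsmux
     Open TCP Port:    443    https
     Open TCP Port:    548    afpovertcp
Port Scan has completed...
"""


def parse_scan(text):
    """Return {port: service label} for every open-port line in the text."""
    return {int(m.group(1)): m.group(2) for m in PORT_LINE.finditer(text)}


def label(port, iana_name):
    """Prefer Apple's real use of a port over the IANA name where known."""
    return APPLE_LABELS.get(port, iana_name)


def diff_scans(baseline, current):
    """Return (closed, opened): ports present only in baseline / only now."""
    b, c = parse_scan(baseline), parse_scan(current)
    closed = {p: label(p, b[p]) for p in b if p not in c}
    opened = {p: label(p, c[p]) for p in c if p not in b}
    return closed, opened


def diagnose_mail(baseline, current):
    """Report mail ports that closed since baseline, those still open, and
    a one-line verdict in the spirit of step 10 of the exercise."""
    closed, _ = diff_scans(baseline, current)
    now_open = parse_scan(current)
    missing = sorted(p for p in MAIL_PORTS if p in closed)
    still_open = sorted(p for p in MAIL_PORTS if p in now_open)
    if missing and not still_open:
        verdict = "all mail ports closed since baseline: service off or firewalled"
    elif missing:
        verdict = "some mail ports closed: check which protocol the client uses"
    elif still_open:
        verdict = "mail ports still open: look above the transport layer"
    else:
        verdict = "no mail ports open in either scan: not a mail host?"
    return missing, still_open, verdict


if __name__ == "__main__":
    print(diff_scans(BASELINE, CURRENT))
    print(diagnose_mail(BASELINE, CURRENT))
```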
