Messaging and Groupware

  • Charles S. Edge Jr.
  • William Smith


Groupware is one of the most important communication vehicles in the modern enterprise. Tracking what people are doing in shared calendars, and whom your organization does business with in shared contacts, and communicating with them all via e-mail are requirements today for any large organization. In fact, it goes a step further in that you need to extend the same functionality you have at the desktop onto mobile devices, including, of course, the iPad, iPhone, and iPod Touch.



For the purpose of this chapter, we will include messaging solutions as part of the overall groupware ecosystem. We do so because every conversation about shared contacts and calendars includes e-mail. Some even include instant messaging frameworks. Over the course of this chapter, we will cover the various solutions that have become common on the OS X platform, starting with Microsoft Exchange.

There are a number of groupware platforms, each with varying degrees of compatibility with the Mac. Microsoft Exchange is clearly the most prevalent, so we’ll spend more time in this chapter covering Exchange than any other solution. However, Exchange isn’t the only solution. Lotus Notes, GroupWise, and a few others have become fairly common in enterprise organizations, so these are included as well.

But what if you want to be in a purely OS X environment? Well, you can. We’re not going to say that this will come with the same level of scalability, application functionality, cross-pollination among applications, and maturity that some of the other solutions (especially Microsoft Exchange) can provide, because it can’t. The pure-Mac solution is just not there yet. However, OS X has some groupware features that certainly bring a first-party solution much closer to reality. Moreover, the Mac solution is worth exploring on a service-by-service basis, considering that licensing and complexity can cause many of the other solutions to come in at a much higher total cost of ownership for Mac clients than for their Windows counterparts.

Exchange Integration

OS X can communicate with Microsoft Exchange in a variety of ways; most notable is its support for Outlook Web Access (OWA) from a web browser. But if you use Microsoft Exchange 2012 or earlier, you need to consider Entourage, an e-mail client and personal information manager from Microsoft. You can use POP or IMAP mail accounts with other solutions, or you can use Mail, Calendar, and Contacts in an Exchange environment that you may already be leveraging. While not the only option, Outlook is a mature product for Exchange integration and the most widely adopted for such environments.

Exchange consists of a number of roles, each controlling the functionality that a server is able to offer to clients and to other Exchange servers. Most of the integration that will be done with Exchange will be done through the Client Access Server (CAS) role. For the most part, the technologies included in the CAS role existed in Exchange 2003 and earlier, but the idea of breaking Exchange into predefined roles, and the CAS role specifically, was new as of Exchange Server 2007. One component of Exchange that does not exist in versions prior to 2007 is the Exchange Web Services (EWS) API, which opens up a number of options, including using Entourage for Exchange EWS (an Exchange 2007/EWS-optimized Entourage app) or using Mail to interface with Exchange. However, as yet, adoption of Exchange has been relatively limited. In an Exchange 2003 environment, in many cases you will be able to leverage WebDAV, an extension to the HTTP protocol, when connecting from an OS X client.


Microsoft Outlook is part of the Microsoft Office family of products that most environments have already deployed. Microsoft Outlook client licensing is not necessarily bundled with Exchange or Office 365. Exchange 2003 and earlier do provide a license for a stand-alone Microsoft Outlook client.

If licensing is not an issue (for example, you already own Microsoft Office for your Mac clients), then you should consider Outlook as an option for your clients to connect to Exchange. Outlook has a look and feel that is fairly similar to Microsoft Outlook for Windows, and it has many of the same features (although not all), so a user coming to a Mac from a PC will find it easy to use.


One of the first tasks to undertake when integrating OS X into Microsoft Exchange is to log into Outlook Web Access. If you can log into OWA without issue, you should also be able to set up Outlook integration or even configure an iPad, iPhone, or iPod Touch.

To authenticate into WebDAV, you should be able to access the server over HTTP or HTTPS. These are the same general paths (often dubbed virtual paths) you will use with Outlook. You can follow the paths with usernames in the form of fully qualified e-mail addresses if you’re receiving errors that you can’t authenticate when you haven’t yet been prompted for a password. The following are paths you may need to use to access OWA. In this example, we are accessing an Exchange server at the address
In Exchange 2007 and newer, there can be even more paths, because Exchange 2007 has a lot more features. This is not to say that the paths mentioned previously have been deprecated; in most cases, they have not. Exchange provides support for these using legacy virtual directories (made possible by davex.dll) that should be able to handle Exchange WebDAV requests. However, the following are the mailbox-access URLs you may run into:
Overall, WebDAV integration is a safe bet, but there is a newer and better way: EWS. EWS leverages Simple Object Access Protocol (SOAP) to exchange data through XML, allowing for more developers to interact with Exchange. EWS is faster and chews through less bandwidth, adding synchronization support for categories and tasks (not otherwise provided by WebDAV). If you will be using Entourage for EWS or Mail, you will instead want to check for EWS connectivity, which is different from the paths previously mentioned. The following are possible URLs that you will see:

Once you have confirmed your paths, you can set up the client application.


Paths may also be followed by a colon and then the port number that the service is running on if a custom port has been used ( ).

Troubleshooting Exchange Virtual Directories

In a number of deployments, Entourage simply will not work, even though Outlook Web Access will authenticate users. To resolve this, you can use a series of Windows PowerShell commands. PowerShell is the command-line scripting language used for Windows Server 2008 and newer and Exchange Server 2007 and newer environments. To start, you can get a list of all the virtual directories using the Get-OwaVirtualDirectory cmdlet without any operators, as shown here:


If you are having an issue with a specific virtual directory, you can delete it using this command:

Remove-OwaVirtualDirectory "owa (Default Web Site)"

The preceding command uses the owa virtual directory, but it could have used Exchange, Public, Exchweb, or Exadmin as well. To re-create the directory, use the following command (again replacing owa in the quoted portion of the command with the specified virtual directory you are re-creating):

New-OwaVirtualDirectory -OwaVersion "Exchange2007" -Name "owa (Default Web Site)"

Because a virtual directory is just that, virtual, you will not encounter any problems from deleting it, except that while it is offline your clients who use it will not be able to connect to the server. Note that when you re-create the virtual directory, you will need to go into IIS and customize the permissions as defined by your organization’s security policy before using the virtual directory again. The ability to delete virtual directories (or, more importantly, to create new ones) is a great help when troubleshooting connectivity issues. After you’ve created a new virtual directory, before you customize permissions, test Entourage. Then, after you customize the permissions, test Outlook again. Or, you may want to create an entirely new virtual directory without deleting the existing one during testing.

Because Exchange, Public, Exchweb, and Exadmin are not native to Exchange 2007, you would actually replace Exchange2007 with Exchange2003or2000 for those directories. So if you wanted to re-create Exadmin, for example, you would use the following command:

New-OwaVirtualDirectory -OwaVersion "Exchange2003or2000" -Name "Exadmin (Default Web Site)"

Outlook Setup

First, install Outlook, and feel free to accept the default values during installation. Once the application has been fully installed, proceed to Updates, an option available through the Outlook Help menu, until the software is running the latest revision. If you will be automating the installation, read further for more information on doing so.

With the software installed, you can set up your first account. Though there is an account setup wizard that launches when you first open Entourage, we will walk you through configuring an account manually (without having Entourage “locate” the server). If you do run the Outlook wizard, you will have to provide your domain. Note that Outlook does not automatically supply all the different settings. Microsoft can attempt to autopopulate all the data it wants, but the fact is that in real-world environments, few DNS servers have the perfect records to do this. It’s nothing that Microsoft has done wrong, just that some Active Directory environments have years of cruft hiding in their bowels. In some cases, you might see no other symptoms in your environment except that Outlook will not automatically complete setup (that is, until you go to prep your domain for the 2010 server).

To manually set up an account, click the Tools menu and select Accounts to bring up the Accounts window, shown in Figure 5-1. Now click Exchange or Office 365.
Figure 5-1. The Outlook Accounts pane

You will see the screen to provide your Exchange or Office 365 account information. If Autodiscover is set up correctly, you should need only an e-mail address and password; however, if you need to provide more information, you can uncheck the “Configure automatically” check box, shown in Figure 5-2. Instead, in this case, we will allow the automatic configuration process to authenticate the account and configure Outlook.
Figure 5-2. Entourage Exchange account settings

Here, you can provide the most important Exchange account settings, which configure basic access to the server, as follows:
  • E-mail Address: Here you specify the “reply-to” e-mail address used in the message headers.

  • Authentication: Here you configure account settings for an account on the Exchange Server using information entered into Outlook.
    • Method: You can leave this as User Name and Password, unless you will be locally in an environment that supports Kerberos or supports certificates via the Client Certificate Authentication option.

    • User name: Here you specify the e-mail address or the domain\userid.

    • Password: Here you specify the Active Directory or Office 365 password for the account ID that resides on the domain.

    • Configure Automatically: This configures the server and other settings automatically so that users don’t have to remember them. If the domain has a properly configured Autodiscover record, you can leave this check box selected.

If your environment has a self-signed certificate, you will then be prompted to install the certificate. You may also be prompted that DNS is being redirected to Microsoft if that’s the case. Otherwise, you will see the same settings in the Accounts screen. Click the Advanced button to bring up the Server settings. Here, as you can see in Figure 5-3, you will see the settings for the Exchange server environment, as well as an Active Directory global catalog server.
Figure 5-3. Outlook Exchange account settings

  • Server: This is the URL to the server. This is usually more than just a server name but also includes the path to the EWS site from IIS.
    • Override default port: This setting allows you to configure another port, if needed, such as port 8080.

    • Use SSL to connect (recommended): This connects using SSL, the default, but if you connect without a certificate, you can uncheck this box.

    • Download headers only: This downloads only message headers.

    You will also be able to configure Active Directory global catalog server settings in the “Directory service” section of the screen. Here, if needed, you can obtain the following information:

  • Server: This is the IP address or host name of the server. LDAP is used for global address list (GAL) lookups. In some cases, you can use the Exchange server, although you may need to use a domain controller instead. If lookups are slow for branch offices, consider using a localized global catalog server for that office.

  • Override default LDAP Port: Use a custom port number for LDAP access.

  • Use SSL to connect (recommended): The server requires communication over an SSL port.

  • Log in with my Exchange account credentials: If checked, Outlook will authenticate to the LDAP servers when performing lookups against the LDAP database.

  • Maximum number of results to return: This is the maximum number of results for a given LDAP query. This is similar to how the Active Directory plug-in returns a maximum number of objects, as described in  Chapter 3. If you increase this number, lookups for addresses in the GAL could take longer, but you may need to increase it in large organizations if users have search issues.

  • Search base: This is the search base of the domain. For most environments, this is not required. If the search base is needed, you should be able to obtain it from Active Directory. You can usually determine this value by performing an LDAP search against one of your global catalogs.

    ldapsearch -h -x -a never -s base namingContexts

One of the great features of Exchange is that users can configure who has access to their information and rights to perform actions on their behalf. This is called delegation, which Outlook supports. Once you have configured the initial account settings, as required by your organization, you can go ahead and configure delegation. This is where you can configure Outlook to allow you to send e-mail as another user of the organization or provide other users with access to send mail as the account being configured. To configure access, as shown in Figure 5-4, click the Add button and then select each user for whom access should be provided (or added to your “send as” options).
Figure 5-4. Entourage account delegation user selection

Finally, click the Security tab to configure the digital signing and encryption options of Outlook (see Figure 5-5). Be sure to have any digital signatures you need (whether supplied by a public certificate authority or by your own signing environment). Digitally signing objects allows for nonrepudiation (the objects definitely came from you because only you have your private key). Encryption lets you encrypt all mail, so users who receive your mail will need a predefined web of trust with your e-mail to be able to view the contents of the message.
Figure 5-5. Outlook Exchange account security options

Automatic Client Configuration

In a large organization, you need to automate as much of the installation process as possible. Part of this automation might involve deploying the actual software, another part might be to customize the settings for the software, and finally you may want to automate the account configuration for a user. These three tasks need to be viewed as three separate automations.

Deploying the Package

Microsoft Office comes with a built-in package installer. The installer is a package that contains a number of other packages. All of these packages can be installed automatically using the following command (assuming that the package is stored in the hidden /private/tmp directory on your computer):

sudo installer -pkg "/private/tmp/Microsoft_Office_2016_Volume_Installer.pkg" -target /

Apple’s installer tool supports using a choices XML file to omit or change parts of an installation. These are usually the options you see when double-clicking an installer and clicking the Customize button to select or deselect choices. For example, an administrator may choose to install the full Office 2016 for Mac suite without installing Microsoft OneNote or Microsoft AutoUpdate. Rather than dissecting the installer package and creating a new package without the applications, the -applyChoiceChangesXML option brings in an answer file. This file specifies which of the packages within the metapackage you want to install or not install. To see the choices that you can use to make an answer file, use the -showChoicesXML option, along with the path to the package file (using the -pkg option), as follows:

installer -showChoicesXML -pkg ~/Desktop/Microsoft_Office_2016_Volume_Installer.pkg

If your environment doesn’t use OneNote or AutoUpdate, then you could make the attributeSetting key false (or zero) for both and they would not be installed.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " ">

<plist version="1.0">




















Save this file with a name such as choices.plist and deploy it along with the Office 2016 installer package. Then apply the choices XML plist file as part of the command.

sudo installer -pkg "/private/tmp/Microsoft_Office_2016_Volume_Installer.pkg" -target / -applyChoiceChangesXML "/private/tmp/choices.plist"
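The answer file can be generated from the installer's own choice list instead of being edited by hand, so a mistyped identifier is caught before deployment. The following is an added example, not code from the book or from Microsoft: it walks a constructed, simplified -showChoicesXML result and writes the choice-changes plist. The choice identifiers in it are hypothetical placeholders; take the real ones from your own package's output.

```python
import plistlib

# Constructed, simplified stand-in for `installer -showChoicesXML` output.
# The choice identifiers are hypothetical placeholders, not the real
# identifiers used by the Office installer package.
SAMPLE_SHOW_CHOICES = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>choiceIdentifier</key><string>example.root</string>
    <key>childItems</key>
    <array>
      <dict>
        <key>choiceIdentifier</key><string>example.word</string>
        <key>choiceIsSelected</key><integer>1</integer>
        <key>childItems</key><array/>
      </dict>
      <dict>
        <key>choiceIdentifier</key><string>example.onenote</string>
        <key>choiceIsSelected</key><integer>1</integer>
        <key>childItems</key><array/>
      </dict>
      <dict>
        <key>choiceIdentifier</key><string>example.autoupdate</string>
        <key>choiceIsSelected</key><integer>1</integer>
        <key>childItems</key><array/>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""


def list_choice_ids(show_choices_xml):
    """Return every choiceIdentifier in the choice tree, depth first."""
    found = []

    def walk(items):
        for item in items:
            ident = item.get("choiceIdentifier")
            if ident:
                found.append(ident)
            walk(item.get("childItems", []))

    walk(plistlib.loads(show_choices_xml))
    return found


def build_choice_changes(show_choices_xml, skip):
    """Build the plist passed to -applyChoiceChangesXML.

    Each identifier in `skip` gets attributeSetting 0 for the "selected"
    attribute, which deselects that choice. Identifiers that the package
    does not offer are rejected instead of being written out.
    """
    available = set(list_choice_ids(show_choices_xml))
    unknown = [ident for ident in skip if ident not in available]
    if unknown:
        raise ValueError("choices not offered by this package: %s" % unknown)
    changes = [
        {
            "attributeSetting": 0,
            "choiceAttribute": "selected",
            "choiceIdentifier": ident,
        }
        for ident in skip
    ]
    return plistlib.dumps(changes, fmt=plistlib.FMT_XML, sort_keys=False)


if __name__ == "__main__":
    xml = build_choice_changes(
        SAMPLE_SHOW_CHOICES, ["example.onenote", "example.autoupdate"]
    )
    print(xml.decode("utf-8"))
```
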

Once installed, open Office, and you will be prompted to activate Office using an Office 365 account, unless you’re using a volume license key for your deployment.

Outlook Account Setup

You can also automate the setup of the actual Exchange account by leveraging AppleScript. To do so, you could have a launch agent that checks whether the AppleScript should run. However you choose to push out the AppleScript, it is worth noting that you can control Outlook to a large degree using AppleScript events. To get started, open the AppleScript editor of your preference and enter the following:

tell application "Microsoft Outlook"

        make new exchange account with properties {name:"My Exchange Account", user name:"jdoe", full name:"John Doe", email address:"", server:"", use ssl:true, port:443, ldap server:"", ldap needs authentication:true, ldap use ssl:true, ldap max entries:1000, ldap search base:"dc=myco,dc=com"}

end tell

This AppleScript could be set up to launch when a user logs in and then to self-destruct. You can even add some code to pull data from the environment using the shell command id -un or continue with AppleScript using the following:

set userShortName to short user name of (system info)

set userFullName to long user name of (system info)

Using these values, you can then properly set the display name for the account, set the user’s short name (used for authentication), and populate the user’s Full Name record, which is used for displaying a friendly From name when sending e-mails (such as John Doe rather than Instead of a login item, you can also call the AppleScript using the osascript command. However, because this AppleScript is configuring a Userland application, it requires an active user session to run. Because of this, a launch agent item is generally the best avenue for this type of deployment.

Postflight Tasks

Assuming the serial number was deployed with the initial package, there should be only a few things remaining to complete your Office for Mac deployment and allow you to use Outlook effectively. The first is to suppress the Microsoft first-run dialog windows displayed when launching each application the first time (and usually causing a great number of calls to support teams unless suppressed).

To suppress them, you will need to add keys and values to the preferences plist for each application. Here, we’ll provide a key of kSubUIAppCompletedFirstRunSetup1507 with a value of true, which indicates that the user has seen the first-run setup window. To do so, we’ll use the defaults command and write the key information into the plists as follows:

defaults write "kSubUIAppCompletedFirstRunSetup1507" -bool true

defaults write "kSubUIAppCompletedFirstRunSetup1507" -bool true

defaults write "kSubUIAppCompletedFirstRunSetup1507" -bool true

defaults write "kSubUIAppCompletedFirstRunSetup1507" -bool true

We could also have uploaded the plists into Apple’s Profile Manager or other MDM to create a configuration profile. Once done, profiles can be pushed out to these property lists quickly and easily from the centralized management server. These plists are located in the Containers folder for sandboxed applications. For example, Microsoft Word’s preferences plist is located in the user’s home folder.



Microsoft Office includes Microsoft AutoUpdate, which runs independently of Apple’s Software Update. Many environments will control patch deployment to users to proactively keep help-desk calls from rolling in as patches are applied (user questions about why Office is asking for an update, plus potential support issues arising from a deployed update, can be lethal). Additionally, all Microsoft patches for Office for Mac are cumulative, which means an administrator needs to install only the latest update rather than all prior updates in a row.

If you have another vehicle to deploy the Microsoft patches (such as JAMF Software’s Casper or Apple Remote Desktop), you can disable AutoUpdate using the defaults command to write the HowToCheck key into the file as follows:

defaults write HowToCheck -string "Manual"

Similarly, you can push out the domain preferences using Profile Manager, Apple’s built-in client management system (discussed in  Chapter 7). Microsoft AutoUpdate is not sandboxed like the rest of the Office 2016 applications, so you’ll find this preferences file in the user’s home folder in the Preferences folder:


Native Groupware Support

OS X traditionally has not had a strong first-party groupware presence. Traditionally groupware-inherent apps, such as Apple’s earlier Address Book, iCal, and Mail, were largely consumer-oriented and, as such, did not participate well in groupware-oriented environments. This statement is a little less true for Apple’s Mail app, which does support prominent e-mail protocols. Apple servers address groupware with Calendar server and Contact server.

Let’s face it, though, when talking about groupware, the 800-pound gorilla in the room is Microsoft Exchange, and in OS X you might be using Outlook to address Exchange support. But Apple’s native toolset is another great way to address Mac support for OS X. Native Exchange support in OS X includes full support for Exchange e-mail, calendaring, contact, and GAL access. Each respective function in OS X is provided via a dedicated app: Mail, Calendar, and Contacts. Each application leverages Exchange Web Service for integration, which provides excellent feature compatibility.

Manual Setup

The Mail app includes support for, well, e-mail and does the job adequately. There is also a Contacts app and a Calendar app, which provide access to contacts and calendars from Exchange, respectively. To configure the Mail app to connect to an Exchange server, start the app and open its preferences, found under the Mail menu. With the Preferences window open, select the Accounts tab and click the plus button in the bottom-left corner of the Internet Accounts preferences pane to create a new account, as shown in Figure 5-6.
Figure 5-6. Adding an account in

As shown in Figure 5-7, in the resulting window, enter the full name, e-mail address, and password for the desired account. Then click Sign In in the Exchange screen.
Figure 5-7. Configuring Exchange in

Provided that Autodiscover worked correctly, you will then be able to select which services will automatically be set up to work with Exchange, as you can see in Figure 5-8.
Figure 5-8. Select which apps you want to use

Once the account has been set up, it will be listed in the Internet Accounts list. From here, you can highlight the account and edit the same settings, as shown in Figure 5-9.
Figure 5-9. Configuring service access in Internet Accounts


Though Exchange contacts and GAL access are provided via the Contacts app, Mail will search both when entering e-mail recipients.

Calendar support for Exchange is provided using the aptly named Calendar app (see Figure 5-10), which sports decent capabilities, including support for free/busy schedules, to-dos, invitations, file attachments, and delegation.
Figure 5-10. Exchange support in the Calendar app

The Contacts app provides support for Exchange contacts and allows users to search the Exchange GAL. When an Exchange account is configured in Address Book, the account will be listed in the left pane. Additionally, the configured account will have a new entry placed under the Directory group, which allows for searching of the GAL, as shown in Figure 5-11.
Figure 5-11. Viewing a contact in the GAL in the Contacts app

As mentioned, it is possible to configure Exchange accounts both in Calendar and in Contacts without configuring a mail account. To perform this operation in either program, open the preferences from the application’s menu (the Calendar and Contacts menus, respectively) and select the Accounts tab. Here, you can deselect the Exchange account from within the app.

Deploy Exchange Accounts Using Profiles

Now that you’ve seen how to set up an Exchange account using Outlook and the native tools for OS X, let’s look at automating the account setup in environments that have decided to leverage the native tools. To do so, you’ll create a profile. Using that profile, you can automatically install the profile on systems to complete the Exchange account setup process on client Mac computers. We will cover doing so first through Profile Manager and then through Apple Configurator.

To set up your Exchange profile using Profile Manager, first set up Profile Manager, as described in  Chapter 7. Once set up, open the web interface for Profile Manager and then click a group that you’d like to deploy settings for. Once selected, click the Settings tab and then click Edit. From the Settings screen, provide the settings for your Exchange environment. These include the following (Figure 5-12):
  • Account Name: This is the name that will appear on a device when you open the account in Settings.

  • Connection Type: This setting allows you to select EWS for Mac clients and ActiveSync for iOS clients.

  • User: You can enter a user’s short name, or you can leave this setting blank to prompt the user for a username when the profile is installed.

  • E-mail Address: You can’t leave this setting blank in Profile Manager.

  • Password: You can leave this setting blank to prompt the user for the password on the device when the profile is installed.

  • Internal Exchange Host: This is the name of the Exchange server when connecting over the LAN.

  • Internal Server Path: This is the path within IIS when connecting to the Exchange server over the LAN.

  • Use SSL for Internal Exchange Host: You can enable or disable the SSL connection.

  • External Exchange Host: This is the name of the Exchange server when connecting over the WAN.

  • External Server Path: This is the path within IIS when connecting to the Exchange server over the WAN.

Figure 5-12. Creating an Exchange profile using Profile Manager

Now that you’ve looked at creating a profile using Profile Manager, let’s look at doing so using Apple Configurator. To get started, first open Apple Configurator 2 and then click the File menu and select New Profile. At the new, untitled profile, provide a name and identifier in the General section of the profile (this is mandatory) and then click Exchange ActiveSync in the left sidebar of the screen.

As you can see in Figure 5-13, you’ll see the same settings that were provided in Profile Manager. Here, you will provide a server, user, e-mail address, and password. You can optionally provide a few other settings, but for most environments where you were able to manually configure an account, you shouldn’t need to do so.
Figure 5-13. Creating an Exchange profile using Apple Configurator

Once you have provided all the necessary settings, close the screen, and you will be prompted to save the profile. Here, select where you’d like to save the profile to, and you will then be left with a .mobileconfig file at that location.

Once you have created your profile, you can install the profile using the Profiles preference pane or by double-clicking the profile. The account will then be set up in Internet Accounts. Profile management (installation, removal, and so on) is covered in much further detail in  Chapter 7.
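Before a saved .mobileconfig is distributed, it is worth checking what it carries, because an unsigned profile is a plain XML plist that anyone holding the file can read. The following is an added example, not code from the book or from Apple: it flags Exchange payloads that embed a password or turn SSL off, the two settings the Profile Manager list describes as optional. It assumes an unsigned XML profile and Apple's documented payload keys (com.apple.ews.account and com.apple.eas.account, Password, SSL, ExternalSSL); the sample profile and its host names are constructed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Exchange payload types: EWS for Mac clients, ActiveSync for iOS clients.
EXCHANGE_PAYLOADS = ("com.apple.ews.account", "com.apple.eas.account")

# SSL switch -> the host setting it protects. A switch that is absent
# from the payload keeps its default, which is on.
SSL_KEYS = {"SSL": "Host", "ExternalSSL": "ExternalHost"}

# Constructed sample profile; names, hosts and the password are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.exchange</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.ews.account</string>
      <key>PayloadDisplayName</key><string>Exchange (EWS)</string>
      <key>EmailAddress</key><string>jdoe@example.com</string>
      <key>Host</key><string>mail.example.com</string>
      <key>SSL</key><true/>
      <key>ExternalHost</key><string>webmail.example.com</string>
      <key>ExternalSSL</key><false/>
      <key>Password</key><string>constructed-sample-value</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.eas.account</string>
      <key>PayloadDisplayName</key><string>Exchange (ActiveSync)</string>
      <key>EmailAddress</key><string>jdoe@example.com</string>
      <key>Host</key><string>mail.example.com</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_profile(data):
    """Return (payload name, finding) pairs for risky Exchange settings."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        # A signed profile is a CMS envelope, not a bare plist; extract
        # the inner plist before auditing it.
        raise ValueError("not an unsigned plist profile") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")

    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") not in EXCHANGE_PAYLOADS:
            continue
        name = payload.get("PayloadDisplayName", payload["PayloadType"])
        # Leaving Password out makes the device prompt the user instead
        # of shipping the credential inside the profile file.
        if payload.get("Password"):
            findings.append((name, "embedded-password"))
        for ssl_key, host_key in SSL_KEYS.items():
            # Only report a disabled switch for a host that is configured.
            if payload.get(host_key) and payload.get(ssl_key, True) is False:
                findings.append((name, ssl_key + "-disabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_profile(SAMPLE_PROFILE):
        print(name + ": " + finding)
```
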


In this chapter, you learned how OS X clients can interact with various groupware solutions, most notably Microsoft Exchange. This provides access to the most common groupware platform on the planet. Connecting to many other services, such as Google Apps, is similar.

In the next chapter, we’ll discuss the various technologies and tools involved with efficiently deploying software and operating systems en masse to your entire fleet.

Further Reading

For an understanding of the various Microsoft Exchange roles, their interaction, and the services they provide, see the Microsoft TechNet article on Exchange 2007 and newer at .

Copyright information

© Charles S. Edge Jr. and William Smith 2015
