Lots of issues; fails TransArmor PCI security tests

This is a legacy package which doesnt survive a TransArmor/Clover Security penetration audit. The results of the TransArmor/Clover test resulted in a 45-page document where over 40 vulnerabilities were identified. Many of the vulnerabilities resulted from Apples inclusion of easier-to-administer (yet legacy versions) of PHP and apache. Several issues were big enough to auto-fail the compliance test. I only learned this after believing I had it ready to deploy.

The server comes packaged with Postgresql; so check your software requrements. Many web software packages, including basics (like WordPress) require MySQL. So this server package isnt even compatible to host WordPress.

Custom Config files are a huge issue. We had to dig into config files to completely disable the http service which hijacks port 80. The Server will show a web page to users that the server is "offline"; This message is presented to users; but because the http service is running, you are unable to run any other web server software (with adequate documentation) on port 80. Apple Server takes over port 80 requests.

On the plus side, it has simple-to-install VPN that quickly integrates with iOS phones and iPads. Also, Apple provides Apple-signed SSL certificates for HTTP,Directory, and VPN services. Also emails you when theyre about to expire. Buying it just for SSL certs almost makes it worth the software price alone, but theres a lot of hassles.

Other thoughts-
It may be good for a home file sharing or a small office of 3-to-5 people but not much more than that. Password resets are also a chore; need to be local to the machine. Different passwords can be created for mail, VPN, file sharing. Dont expect it to auto-mount file shares; or if the computer is taken home, expect it to forget login credentials.

I cant recommend it because again, the entire package itself failed penetration testing. Consider MAMP-Pro which has plenty of documentation related to administration, and also, the newer releases of software also solved most issues with penetration testing out-of-the box. For webmail, consider "atMail Pro on-premises". atMail also has email auto-discovery making it compatible with email clients such as iOS, Mac, and Outlook.

Ultimately, we replaced the Mac Server software with several Raspberry Pi devices; each configured to provide a different service like mail, http, SQL (behind a reverse-proxy firewall). Apple combined several server applications into this one software package which presents issues if maintenance has to occur on any single service during work hours.

Finally, we had to turn off auto-updates; leaving the system vulnerable. Software updates would replace custom config files. This resulted in users whom visit the website, and Apple Server software would show the web-page stating that the website was offline. Updates over-wrote config files, and re-enabled HTTP Server (port 80). That again prevented MAMP pro from serving up pages. Eventually, it was uninstalled. Having a reliable Http server with MySQL was a core need and more important than other Apple Server features like email, iOS address book sharing, or VPN services.

JANTTiLA about macOS Server, v5.1.5