Enrol Mac OS X Clients in Configuration Manager 2012 SP1

UPDATE: 08-12-2015. I’ve noticed that this blog post still gets a reasonable amount of traffic and comments. While that’s really gratifying, the content is horribly out-of-date, and a number of the comments relate to the fact that the functionality which was available when I wrote this post has changed quite a bit, and doesn’t really match up to what you’re going to see in an up-to-date build of ConfigMgr. If/when I get my hands on another Mac I can look at updating the content (although I’m really working with Azure and Chef these days), so I strongly recommend that you take a look at the work my colleague Peter Daalmans has been doing with ConfigMgr and Mac management. He blogs over at ConfigMgrBlog.com and he’s keeping up with all the latest developments in Mac management using Configuration Manager.

One of the (many) big changes in Configuration Manager 2012 SP1 is the ability to enrol and manage Mac OS X clients using a native agent.

As you’d expect with any sort of cross-platform, non-Windows management story, you won’t be able to do all the same things with Configuration Manager that you can do with a Windows platform.  Functionality in SP1 for Mac OS X will consist of:

  1. Hardware inventory
  2. Software inventory
  3. Application deployment
  4. Configuration deployment and compliance

And that’s not a bad list to be starting with 🙂

So how do you set this up and get Macs enrolled?  Microsoft has a step-by-step guide here which contains all the information you’ll need, and it’s what I used to get my lab environment up and operational.  So here’s my take on the whole process.

Requirements:

  1. Mac OS X clients running either Snow Leopard (10.6) or Lion (10.7).  At the time of writing, SP1 Beta (Build 7782) was used, which does not support Mountain Lion (10.8);
  2. Configuration Manager hierarchy running Configuration Manager 2012 SP1 Beta (Build 7782) or greater;
  3. Configuration Manager 2012 SP1 site server should be running on Windows Server 2008 R2 SP1.  Build 7782 does work on Windows Server 2012, but it’s slightly buggy and I lost a huge amount of time in troubleshooting.  Stick with W2K8R2 for the moment and save yourself a headache;
  4. Configuration Manager hierarchy needs to be configured to support HTTPS communications, so you’ll need to go through setting up PKI.  The reason for this is that Mac OS X clients are treated as internet clients at all times.  This means that they are manageable regardless of where they are (assuming your site server is externally-accessible) but also that they don’t need to be joined to the domain.  Check out this post for PKI certificate requirements in CM12;
  5. A PKI certificate template for enrolment on Mac clients. Full information on the process is here.

Site Server Configuration

  1. In the Site System role for the primary site server (and every server which will service Mac clients), tick the option “Specify an FQDN for this site server to use on the Internet” and enter the FQDN.  For the purpose of lab testing, this can be the internal FQDN of the site server – it doesn’t HAVE to be accessible externally;

    Internet-enabled Site System server role

  2. In the Distribution Point role on the primary site server (or wherever Mac clients will get content from) make sure that the DP is configured for HTTPS and from the drop-down menu, select “Allow intranet and Internet connections”.  Also import a CA-signed certificate for use on the DP;

    DP enabled for Internet access

  3. In the Management Point role ensure that the role is configured for HTTPS, select “Allow intranet and Internet connections” from the drop-down list and tick the option “Allow mobile devices to use this management point”;

    Management point enabled for Internet access and mobile devices

  4. Install the server roles Enrollment Point and Enrollment Proxy Point.  Both should be configured for HTTPS, but need no further configuration.
  5. Edit the Default Client Settings policy. Ensure that Hardware Inventory, Software Inventory and Compliance Settings policies are enabled.  Then, go to the Mobile Devices policy and change the option “Allow users to enrol mobile devices” to Yes, then click on Set Profile to create a new enrolment profile;
  6. In the Enrollment Profile screen click “Create”.  Give the new profile a name like “Mac Enrollment”, select an internet-enabled management site code, add the relevant CA and select the certificate template created earlier for Mac enrolment.

    Mobile device profile for enrolling Mac clients

Quick Summary

What we’ve now got is an SCCM 2012 SP1 hierarchy configured for HTTPS, supported by a CA, with all the necessary server roles installed and configured so that an “external” client can request enrolment.  That client is our Mac system, so now we’re heading over there to continue 🙂


Mac Client Installation and Enrollment

  1. Ensure that the Mac system can resolve the “external” FQDN of the site server.  If you need to edit the hosts file to fudge it, from Terminal run “sudo nano /etc/hosts” and add an entry.  Open Safari and navigate to https://fqdn.siteserver and ensure that you get the IIS welcome page;
  2. Copy across the Mac client – macclient.dmg – which is located in the SMSSETUP\MacOSClient folder within the Configuration Manager 2012 SP1 media;
  3. Open the macclient.dmg package and extract the contents somewhere – I created a folder called “MacCMClient” on the Desktop. You should have the following files: ccmsetup and CMClient.pkg, and a Tools folder containing CMAppUtil, CMDiagnostics, CMEnroll and CMUninstall;

    Contents of the CM client package for OS X

  4. Open Terminal and navigate to the extracted files, then type in “sudo ./ccmsetup”.  This installs the client and will prompt for a reboot once complete – do NOT reboot at this point in time!
  5. Next, navigate to the Tools folder in Terminal where the CMEnroll utility is, and enter the following: “sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u 'DOMAIN\Username'” where DOMAIN\Username is an account which is authorised to enrol the Mac certificate (keep the single quotes so the shell does not strip the backslash);
  6. The utility will contact the enrolment point on the site server, request a certificate and will (all being well) retrieve it and install it on OS X.  Watch the EnrollmentService.log file in the SMS_CCM\EnrollmentPoint\Logs folder on the site server to see the request being received and processed.  Now you can reboot the Mac;

    Enrollment process captured in EnrollmentService.log

  7. On restart, go to System Preferences, Configuration Manager.  The Preference pane should show that the certificate has been installed and that the system is talking to the CM management point via HTTPS;

    Configuration Manager Preferences Pane in OS X Lion

  8. To verify that the certificate has been installed correctly, go to Utilities, Keychain Access.  Under Keychains select “System”, and then under Category select “My Certificates”.  In the main panel there should be a certificate registered with the same name as the Mac system.  Expand the certificate and it should be linked to a Private Key named “SCCM”.  Double-click on the private key and then select “Access Control”.  Under “Always allow access by these applications” should be CCMClient and CMEnroll.  The CCMClient and CCMAgent applications can be found under /Library/Application Support/Microsoft/CCM, along with the Logs folder;

    CM Certificate and Private Key enrolled in Keychain Access

  9. Now, check the CM console.  Under Devices the Mac OS X system should appear, active and Approved.  Initially the system icon will be a mobile device, but once hardware and software inventory have been run the icon will switch to that of a standard workstation.  Right-click the device and go to Start –> Resource Explorer to see the results of the hardware and software inventories.

    Resource Explorer of an OS X client
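The checks in steps 1, 5, 6 and 8 above can be scripted. The following is an added example and not part of the original post or the Configuration Manager client: it wraps the reachability check of the site server, the CMEnroll call with the account quoted so the backslash survives, the keychain lookup, and a triage of EnrollmentService.log that classifies the outcome from the status lines the log writes. The FQDN cm01.lab.example, the account LAB\macenrol, the CA name and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): helper functions for the
# Mac enrolment walkthrough above. The site server FQDN, the enrolment account
# and the sample log lines are constructed placeholders.
#
# Usage on the Mac:   sh mac_enrol_check.sh preflight cm01.lab.example
#                     sh mac_enrol_check.sh enroll cm01.lab.example 'LAB\macenrol'
#                     sh mac_enrol_check.sh keychain_has_client_cert "$(hostname -s)"
# Usage on a copy of the enrollment point log (any POSIX box):
#                     sh mac_enrol_check.sh triage_enrollment_log EnrollmentService.log

# Step 1: confirm the "external" FQDN resolves and answers on HTTPS, and show
# which CA issued the certificate the site server presents.
preflight() {
  fqdn="$1"
  printf 'HTTP status for https://%s/: ' "$fqdn"
  # -k because a lab CA may not be trusted by the Mac yet; the issuer is shown below
  curl -sSk -o /dev/null -w '%{http_code}\n' "https://$fqdn/" || return 1
  openssl s_client -connect "$fqdn:443" -servername "$fqdn" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Step 5: run CMEnroll from the Tools folder. The account is passed through a
# quoted variable so the backslash in DOMAIN\Username reaches CMEnroll intact.
enroll() {
  fqdn="$1"; account="$2"
  sudo ./CMEnroll -s "$fqdn" -ignorecertchainvalidation -u "$account"
}

# Step 8: look in the System keychain for a certificate whose common name
# matches the Mac's hostname (macOS only; `security` is Apple's keychain CLI).
keychain_has_client_cert() {
  security find-certificate -c "$1" /Library/Keychains/System.keychain >/dev/null 2>&1
}

# Step 6: triage EnrollmentService.log. Prints one summary line; returns 0 on
# success, 1 on a logged failure, 2 when the log shows no processed request.
issued_thumbprint() {
  sed -n 's/.*InsertCertificateRecord: \([0-9A-F]\{40\}\).*/\1/p' "$1" | tail -n 1
}
ca_error_message() {
  sed -n 's/.*SubmitRequest CA: .* Errormessage: \(.*\) ErrorCode: .*/\1/p' "$1" | tail -n 1
}
fault_reason() {
  sed -n 's/.*FaultCode is: \([A-Za-z]*\) and reason is: \(.*\)/\1: \2/p' "$1" | tail -n 1
}
triage_enrollment_log() {
  log="$1"
  [ -r "$log" ] || { echo "cannot read $log"; return 2; }
  tp=$(issued_thumbprint "$log")
  if [ -n "$tp" ]; then
    echo "enrolled: certificate $tp"
    return 0
  fi
  # The enrollment point logs ENROLLSRVMSG_CA_SUCCESS once it has fetched the
  # CA chain, before the request is submitted, so only CA_FAILURE is conclusive.
  if grep -q 'ENROLLSRVMSG_CA_FAILURE' "$log"; then
    echo "CA rejected request: $(ca_error_message "$log")"
    return 1
  fi
  reason=$(fault_reason "$log")
  if [ -n "$reason" ]; then
    echo "enrollment point fault: $reason"
    return 1
  fi
  echo "no enrolment request processed"
  return 2
}

# Constructed sample logs in the EnrollmentService.log format (placeholder PID,
# account, CA name and thumbprint).
SAMPLE_SUCCESS_LOG=$(cat <<'EOF'
[7, PID:1234][01/17/2013 15:02:55] :validated user credentials
[7, PID:1234][01/17/2013 15:02:55] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:1234][01/17/2013 15:02:57] :InsertCertificateRecord: 0123456789ABCDEF0123456789ABCDEF01234567 for LAB\macenrol
[7, PID:1234][01/17/2013 15:02:57] :Sending status message: ENROLLSRVMSG_SQL_SUCCESS
EOF
)
SAMPLE_FAILURE_LOG=$(cat <<'EOF'
[7, PID:1234][01/17/2013 15:02:55] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:1234][01/17/2013 15:02:57] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[7, PID:1234][01/17/2013 15:02:57] :CALayer: SubmitRequest CA: ca01.lab.example\Lab Issuing CA Errormessage: Denied by Policy Module 2 ErrorCode: 2
[7, PID:1234][01/17/2013 15:02:57] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert
EOF
)

# Dispatch: the first argument names one of the functions above.
if [ "$#" -gt 0 ]; then
  "$@"
fi
```

The triage deliberately treats InsertCertificateRecord as the only proof of success, because the log writes a CA success status as soon as it has retrieved the CA chain, before the certificate request has been submitted. The -ignorecertchainvalidation flag is the one the post uses for a lab; for a production Mac the cleaner path is to install the root CA into the System keychain so the chain validates and the flag can be dropped.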

And that’s about it – your Mac is enrolled and chatting away happily 🙂

Stay tuned – the next step is to look under the covers into how to actively manage and troubleshoot Mac clients, how to deploy software to Macs and how to generate and enforce compliance settings.

61 comments to Enrol Mac OS X Clients in Configuration Manager 2012 SP1

  • Olivier

    Nice nice nice..

    I probably have missed something in the whole chain.
    Client installation on my test mac is OK, enroll log on my test SCCM is also OK but I get Unknown certificate error.
    Also, my domain is xxx.yyy.internal and on the Mac’s Pref Pane it ends by xxx.yyy.local?!?

    Any idea??

    Olivier

  • Looking forward to this!!!!!

    Kostas

    ACSA, ACT, ACMT, MCTS

  • Olivier

    Hello James,

    Can you tell me what version of OS X you are using?
    Still have that ‘Unknown certificate error’.
    Could it be that it is because I have my OS X (10.7.2) in a VMware Fusion?

    Also, does the cimhandler.ashx exist on you lab env?
    In the log I can see this:

    ![LOG[SSL Connection failed. HTTP Response code is 500 and reason is Internal Server Error]LOG]!>

    Any idea?

    Olivier

  • James Bannan

    Hi Olivier – I am using OS X Lion 10.7.5 – using a virtual machine on Fusion shouldn’t be a problem. Does the CA actually receive and process the certificate request?

    • Olivier

      Hello James,

      Yes, the CA receives and processes the request without problems.
      I can see the Issued Certificate on my CA.

      On my test OS X, in the keychain, I can see my root cert, the machine cert with its sub key called SCCM.

      I have exactly what you got in your post.

      Probably sure that I did something stupid in my config… but what.

      I use an account that only can enroll MAC machines. I mean for the cert.

      If you want the mac ccm log, let me know.

  • Ricardo Soares

    Hello
    I’m facing the same issue. I’m using MACOSX 10.7.5.
    On the EnrollmentService.log, all it’s ok.

    [7, PID:3476][11/07/2012 13:32:21] :InsertCertificateRecord: 6789CFC07290DA2F0C44D602C9A517835A415951 for TRIALSCSCCMADMIN
    [7, PID:3476][11/07/2012 13:32:21] :Sending status message: ENROLLSRVMSG_SQL_SUCCESS

    Have any clue!?

  • John Martin

    Hey James, I am building out SCCM 2012 in our dev lab and just got to the point of adding Macs to the mix. We have the PKI server up and all the certs in place, yet every time I run the commands in your document above, the cert comes in as the user account used to get the cert, not the machine I am installing it on. For example, I built a SCCMMACClient account for Dev and the system name is Macintosh on the 24″ iMac I am testing with, and every time I run the CMEnroll cmd line it installs the certificate as the SCCMMACClient cert, not as the Macintosh cert? I know I’m missing something somewhere, any quick ideas?

  • Richa

    Hi James, I have followed the same steps as mentioned in this article to enroll MAC OSx 10.7.4.
    ccmsetup ran successfully.
    Certificate enrolled and on the EnrollmentService.log, all successful.
    Verified certificate from KeyChain.
    I didn’t find ‘Microsoft/CCM/’ under the /Library/Application Support/ directory.
    When I open Configuration Manager under system preferences, it says ‘Certificate not found’ but it displays the primary site url.
    Please suggest?

  • Richa

    I just resolved the issue by recreating a certificate 🙂

  • Jason Chang

    Does anyone know if these MAC clients need to be joined to the Domain in order to be managed by SCCM 2012 SP1?

  • Richa

    Hi James, my Mac clients are showing up as inactive in SCCM 2012 SP1. Any suggestions?

    • James Bannan

      Hi Richa – they need to be able to communicate to the management point in order for SCCM to detect them as active. Is the management point up and running and configured correctly?

    • Olivier

      Same for iOS. I can enroll via Intune, for example, but the client stays inactive.
      So, no way to push a baseline :-s

  • Onder

    Hi;

    I installed SCCM 2012 SP1 on my system and it is working with no problem. But my problem is the Mac client.

    I installed the Mac client agent in the macclient.dmg file which is downloaded from the Microsoft Download Center, and then I tried the steps which are written on the TechNet site: http://technet.microsoft.com/en-us/library/jj591553.aspx . But when I run the sudo ./CMEnroll -s -ignorecertchainvalidation -u [-p ] command it gave me an error.

    The error is:

    Server connection failed. HTTP responce code is 500 and reason is Internal Server.

    By the way, I installed and configured my MP, DP and Enrollment point as written on the TechNet site…

    and my EnrollmentService.Log is:

    [7, PID:6932][01/17/2013 15:02:55] :WindowsIdentity is created for domain: domain user: sccm2007user
    [7, PID:6932][01/17/2013 15:02:55] :validated user credentials
    [7, PID:6932][01/17/2013 15:02:55] :Handling RequestSecurityToken
    [7, PID:6932][01/17/2013 15:02:55] :claim identity name: DOMAINSCCM2007User
    [7, PID:6932][01/17/2013 15:02:55] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
    [7, PID:6932][01/17/2013 15:02:55] :Template: ConfigMgrMacClientCertificate
    [7, PID:6932][01/17/2013 15:02:55] :CA: System.Collections.Generic.List`1[System.String]
    [7, PID:6932][01/17/2013 15:02:55] :The CA eca3401.domain.entp.tgc is in forest entp.tgc
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: RefreshCache: Enrollment Profile 16777217 requires update
    [7, PID:6932][01/17/2013 15:02:55] :Impersonating caller: DOMAINSCCM2007User
    [7, PID:6932][01/17/2013 15:02:55] :Revert back to self: NT AUTHORITYNETWORK SERVICE
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Sending CA Success Status – ENROLLSRVMSG_CA_SUCCESS
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CA Chains count: 2
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Subject name: CN=DOMAIN Enterprise CA 1, DC=domain, DC=entp, DC=tgc
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Issuer Name: CN=domain Root CA
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CA Chains 2 thumprint: EBEB8D4C7D095A21131B3E52CB67F0DE798B2F59
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Subject name: CN=Domain Root CA
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Issuer Name: CN=Domain Root CA
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CA Chains 1 thumprint: CAF1C7E2F475F749BB7A0754F3FA0D4455D56B50
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Got root CA hash: CAF1C7E2F475F749BB7A0754F3FA0D4455D56B50
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Got CA chain hash: EBEB8D4C7D095A21131B3E52CB67F0DE798B2F59
    [7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CAStoreXML:

    [7, PID:6932][01/17/2013 15:02:55] :Impersonating caller: DOMAINSCCM2007User
    [7, PID:6932][01/17/2013 15:02:56] :Revert back to self: NT AUTHORITYNETWORK SERVICE
    [7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: entering State: Start
    [7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: exiting state: Start, Result: Succeed
    [7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: entering State: AuthenticationApproved
    [7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
    [7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: entering State: CertNotInADAccount
    [7, PID:6932][01/17/2013 15:02:56] :Impersonating caller: DOMAINSCCM2007User
    [7, PID:6932][01/17/2013 15:02:57] :Revert back to self: NT AUTHORITYNETWORK SERVICE
    [7, PID:6932][01/17/2013 15:02:57] :CALayer: Sending CA failure status – ENROLLSRVMSG_CA_FAILURE
    [7, PID:6932][01/17/2013 15:02:57] :CALayer: SubmitRequest CA: eca3401.domain.entp.tgcDomain Enterprise CA 1 Errormessage: Error Parsing Request Invalid algorithm specified. 0x80090008 (-2146893816) 2 ErrorCode: 2
    [7, PID:6932][01/17/2013 15:02:57] :Only one CA is specified in profile. Failed to enroll with the specified CA: eca3401.domain.entp.tgcDomain Enterprise CA 1
    [7, PID:6932][01/17/2013 15:02:57] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
    [7, PID:6932][01/17/2013 15:02:57] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
    at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
    at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
    at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
    at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
    at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
    [7, PID:6932][01/17/2013 15:02:57] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert

    any idea???

  • Richa

    Yes James, MP is running healthy and configured correctly and there are no errors in mpcontrol.log. I feel the issue is related to the client certificate which I enrolled on the Mac machine. I have followed the MS article to create the client cert for Mac clients. But in your snapshot above, the certificate is registered with the Mac system name under keychains. In my case, it is registering with the domain account which I used to enroll the certificate using the CMEnroll tool. Please suggest. Thanks!!

    • Michael Mueller

      Hi Richa,

      we had the same problem with the certificate name showing the Domain user Name which was used to enroll the mac machine. The error message about the missing certificate was shown in the System Preferences / Configuration Manager UI.

      I found a hint about a problem with spaces in certificate display names (which was no problem as long as the certificate name was the machine name). We created a new Active Directory account “enrollment” and tried to enroll the certificate again.

      This time it works and the configuration Manager UI in System Preferences had real info to show.

      But we are not finished now, because if we try to connect to config Manager, we get an error during Connection (error message is in German, so I don’t type the correct words here).

      Any ideas?

      Mac OS X 10.7
      Client Version 5.00.7804.1000

      • James Bannan

        OK – I’ve finally got around to registering my Mac with my lab SCCM 2012 SP1 environment. I get the same issue with the certificate registering with the username rather than the machine name. However, the system shows up in the SCCM console using the machine name. So, there’s a behavioural change from SCCM 2012 SP1 Beta to RTM, but it doesn’t look like a major issue. The Mac can connect to the site server and communicate properly. I’ve flagged the behaviour change with MSFT to try and get an idea of what has changed.

  • KC

    Thanks for the very useful information. However, I’m stuck with something. When I open the Configuration Manager on Mac Client – the certificate name is shown as the user name that I used for the request the certificate instead of the Mac hostname. Any advice? Thanks

  • Richa

    My MAC clients are still showing inactive on sccm console. But I am not getting any error while opening system preferences->Configuration Manager. Also, certificate is successfuly registered for mac machine and I verified it from MP_RegistrationManager.log on server.

  • Omar van der Hoeven

    Hi James, i’m encountering the issues as some contributors earlier described: certificate subject name being the user who enrolled the certificate and no explicit mentioning of CMEnroll and CCMclient as part of the access control application list in the keychain. When i hit the “connect now”, processing goes on endlessly. No errors on logs of MP or other components that might be involved. Could it be the HTTP certificate?

  • Omar van der Hoeven

    It seems I had some kind of a compatibility issue with running virtual OS X Lion machines on VMware Fusion 4. I created some Lion VMs on Parallels and all three are now in SCCM.

    Cheers Omar

  • WSU

    Will setting this environment up this way require me to have all my Windows machines using HTTPS? I am wanting only the Mac clients to use HTTPS and leave the rest of my environment the same. Also, are there any step-by-step instructions for creating the CA-signed certificate? I am stuck on that step.

    • James Bannan

      Hi Darrin. You don’t have to have your entire CM environment working with HTTPS. However, the management point and distribution point for OS X has to be HTTPS-enabled, so if you want to keep your Windows machines working in HTTP, then you will need a separate MP/DP. As for PKI, check out some of my earlier blog posts, or have a look through TechNet – most of the information is contained there. Cheers, James

      • Darrin

        Hey James, while trying to create a site system server to add the MP/DP roles I get the error “The site system name you specified already exists. Specify a different name”. I am typing in the name of the SCCM 2012 server that has SCCM installed on it. Do I need to choose a different server since the primary instance is using the SCCM 2012 server, or do I need a second server to host the MP/DP roles?

      • WSU

        Hey James, I am trying to add the MP/DP roles on under create site system server wizard. I am getting the error “The site system name you specified already exists. Specify a different name”. I am choosing the SCCM 2012 server that has the management console for the name. Do I need to have a secondary server for the name to have the MP/DP roles installed?

  • Paul

    It looks like everything installed and enrolled correctly but when I open CM from System Preference it shows Cert subject name and has the proper Management point Client version and policy refresh interval, but when I click on Connect Now I get “Certificate not found” any thoughts?

    Thanks

  • Jason

    I’m getting the following error message in my EnrollmentService.log when I perform the “sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u 'DOMAIN\Username'” step. Has anyone else come across this?

    [7, PID:7968][05/02/2013 13:43:00] CALayer: SubmitRequest CA: [FQDN of CA][CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2
    [7, PID:7968][05/02/2013 13:43:00] Only one CA is specified in profile. Failed to enroll with the specified CA: [FQDN of CA][CA]
    [7, PID:7968][05/02/2013 13:43:00] EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed

  • Jon W

    Not sure if it’s because I’m using a 2008 CA or not, but I’ve found that the enrollment process only prompts once for a password (for SUDO), then attempts to pass that as the user’s password. So if the passwords aren’t the same, you get an Error 500 when you attempt to enroll.

  • Hi James,

    all works fine in my lab setup with SP1 CU2. But the icon doesn’t change from mobile to Workstation. My Mac still appears as a Mobile Device ?!?

    regards

    Chris

  • William

    Hi Guys,

    Just a few questions regarding SCCM 2012 SP1’s MAC support…

    I have one primary server and 3 regional secondary servers with a lot of DPs.

    I was asked to reconfigure the system to support MAC machines from now on. What would be the best approach here?

    If I’m planning to serve those MACs from the 3 secondary site servers (and possibly from the DPs connected to them), what do I need to do? Should I reconfigure the primary as well and then the secondary servers and the already existing DPs or do I need to install new ones to accomplish this? Until now only intranet clients were served. I’m not sure in the whole thing. Do I need to put any MPs or DPs configured in the current environment in DMZ and register DNS on the internet so they can be reached from the internet as well? Sorry, but I’m not that familiar yet with the new SCCM 2012 so I’m a bit in the dark with that and would need really urgent advice on the above!

    Thanks to everyone in advance!

    William

  • Neeraj

    Hi Guys,

    I am working on Mac enrollment(10.7) and facing issue during enrollment. Below is the error message when we try to run the enrollment command on Mac :

    “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error”

    Below are Log info:

    Enrollsrv.log : No error message is highlighted.

    Enrollweb.log: No error message is highlighted.

    Enrollservice.log:

    [7, PID:7304][10/28/2013 16:40:03] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.

    ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.

    at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
    at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
    at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
    at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
    at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
    at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
    [7, PID:7304][10/28/2013 16:40:03] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed

    [13, PID:7304][10/28/2013 17:11:01] :EnrollmentService application stop …
    [3, PID:956][10/28/2013 17:45:37] :EnrollmentService application start …
    [3, PID:956][10/28/2013 18:06:38] :EnrollmentService application stop …
    [3, PID:4700][10/28/2013 18:45:39] :EnrollmentService application start …
    [7, PID:4700][10/28/2013 19:06:40] :EnrollmentService application stop …
    [3, PID:5872][10/28/2013 19:45:42] :EnrollmentService application start …
    [13, PID:5872][10/28/2013 20:06:42] :EnrollmentService application stop …

    Can someone shed info on resolution of the above issue?

    Also, is there any means by which we can troubleshoot the Mac enrollment issue step by step?
    Also what entries needs to be checked in all logs for successful enrollment?

  • JasonMeyer

    Hi guys, I see I am not the only one having the “Server connection failed.” issue. And from the looks of things a Windows 2008 CA is needed. My trouble is that my CA can’t quite be upgraded to 2008 at the moment. I was wondering can I add a 2008 CA as a subordinate to my 2003 root CA?

  • HelgeS20

    Hi,
    I think I have the same problem as Neeraj.
    When I try to run sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u 'DOMAIN\Username'

    I get: “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error”

    and I find this in the EnrollmentService.log at the Enrollment point:

    D:3928][11/11/2013 12:50:27] :Revert back to self: NT AUTHORITYNETWORK SERVICE
    [8, PID:3928][11/11/2013 12:50:27] :ConfigManager: Sending CA Success Status – ENROLLSRVMSG_CA_SUCCESS
    [8, PID:3928][11/11/2013 12:50:42] :ConfigManager: CA Chains count: 2
    [8, PID:3928][11/11/2013 12:50:42] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
    [8, PID:3928][11/11/2013 12:50:42] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
    [8, PID:3928][11/11/2013 12:50:42] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
    at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
    at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)

    Have anyone found the reason for this ?

    I’m running SCCM2012 SP1 R2 on a Windows 2012 server

  • Eric

    If you’re receiving the error “HTTP Response code is 500 and reason is Internal Server Error” it might be because of the username you’re using. Try using a double “\\” as “\” is a special character. So the format of “domain\\username” rather than “domain\username”

    Eric

  • Raman

    Hi James,

    I have same problem as Richa and couple of others and Mac OSx version is 10.9.1

    Does SCCM 2012 SP1 support version 10.9.1? If yes, do I need to install any updates?

    When I open Configuration Manager under system preferences, it says ‘Certificate not found’ and CCMClient log in Mac machine says…
    Certificate not found in store. Bailing Out! Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)
    Failed to GetProperty Mode from Configuration Provider : 80070490 Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)
    Requested certificates not available in store Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)
    Certificate not found in store. Bailing Out! Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)
    Failed to validate certificate Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)
    OMA : Sending Notification to UI : ServiceCCM_OMAError-2016344009 Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)
    No Preferences found for Key – ‘OMAFailureRetryDelayInSec’, Domain – ‘com.microsoft.ccmclient’. Default 12/26/2013 2:52:42 AM 2954526720 (0xB01A8000)

    and to resolve the above issue I need an AD account without a space in between (that’s what I read in blogs). In this case do I need to uninstall the client and certificate? If yes, could you please let me know how to unregister the certificate from the Mac OS X machine.

    Thank you,
    Ramana

  • KevinDunn

    Another issue for those receiving the “HTTP Response code is 500 and reason is Internal Server Error”, you have to make sure the SCCM server also has a client certificate. As described in Step 2 of http://technet.microsoft.com/en-us/library/jj591553.aspx#BKMK_ConfigureMPDP_Mac. It is not enough just to create the Distribution Point certificate.

  • Jon

    Hello James,

    I’ve just followed your explanation to enroll mac devices on SCCM 2012. I have an issue of certificate not found after the enrollment. I explain myself : I did the enrollment, I have the message “successfully enrolled” on my Mac Client but the problem is with the Configuration Manager window after, when I try to connect it says Certificate not found. The strange fact is that the certificate on my Mac Client shows a name as the username of the account which launched the terminal command to enroll. Is it normal ? Shouldn’t I have the machine name in the certificate instead of the user name ? How can I solve the problem ? Thanks

  • Damien Sweeney

    Hey!

    “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error”.

    Was having an issue enrolling Mac OSX clients initially and traced it back to the above DMP weirdness in the log.

    Registered asp.net 4 with IIS as described in below link and everything started working!!!

    http://heinrichandsccm.blogspot.co.uk/2013/05/sccm-2012-sp1-management-point-error.html

  • John Capehart

    This guide was exactly what we needed to enroll Macs in every detail

  • Huge

    Hey James, how’d you get the certificate type to enrol as machine? i can only get a user cert to load. nothing else works!

  • Mayur

    Hi, I resolved the issue with “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error” after the Enrollment roles (both) were moved from the site server to another site system.
    Is there any limitation on installing all roles on a single site server? If anyone is aware, kindly let me know. Thanks.

  • Lance

    For us the certificate showed up as belonging to the user which was surprising.

    Why would the certificate be listed under the user used for the CMEnroll instead of the Macbook name?

  • Frank

    Hi, any suggestion on that issue with my certificate? Can’t enroll a Mac client:

    After running CMEnroll on the Mac I get the following error:

    Connect failed with error: bad certificate format
    SSL HandShake Failed: 80004005

    Thanks!

    Frank

  • Mike

    Hi, does the Mac need a domain join for the enrollment to work?

  • David

    Hi,

    In this post, you indicate in point 8:
    “To verify that the certificate has been installed correctly, go to Utilities, Keychain Access. Under Keychains select “System”, and then under Category select “My Certificates”. In the main panel should be a certificate registered with the same name as the Mac system.”
    There is one thing I don’t understand: the command line to enrol the Mac uses an account, “user”, and this user is the name on the certificate, not the same name as the Mac system. Why?

  • James

    Hi all – just updated the blog entry as it seems a number of people are struggling with the content, given that it is somewhat out-of-date. If/when I get another Mac I can update the content, but for now check out Peter Daalmans – http://configmgrblog.com/tag/mac-os-x/

  • Ricky

    Hey guys,

    I tried everything listed on everyone’s response and the links regarding the Internal Server Error 500 and couldn’t get it to work… but today, I FINALLYYYYYYYYYYYYYYYYYYYYYYYY got it to work!!!!

    I have an SCCM 2012 R2 SP1 CU2 environment installed on Server 2012 R2. The CA is 2012 R2 as well. CU2 was a necessity for Yosemite and El Capitan machines. I was successfully able to enrol both Yosemite and El Capitan machines.

    I had everything set up correctly, including going to the FQDN in a browser on the Mac client, and the site SSL certificate is trusted via the enterprise CA. The problem was with the Configuration Manager Mac certificate template. On the Security tab of the certificate template, I was trying all kinds of things like Domain Computers, Domain Users and the individual user, all with Read and Enroll permissions, but none of those worked. I still kept getting the 500 error. The Configuration Manager site system status was showing an error and the log stated that the user trying to enrol wasn’t able to authenticate with the CA.

    After reading through the step-by-step certificate setup on https://technet.microsoft.com/en-us/library/gg682023.aspx, I realised the instructions said to add an admin user that will perform the enrolment. So I used an admin account (not a domain admin, but a local admin on all machines with AD read permissions) with Read and Enroll permissions instead of the individual users or a group that contained all Mac users/computers. After changing this, I was able to enrol the Macs.

    This might be a bit stupid on my part, as some of the tutorials out there show that they are using sccmadmin as the enrolling account. But I figured a user with Read and Enroll permissions would be fine; that was not the case.

    I see tons of posts out there where people are having issues with this so I hope it helps someone!

    Ricky
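
    A server-side check for the template permissions Ricky describes above, added here as an example; it is not code from the original post or from the comment thread. It lists which principals are granted Read and Enroll on the ConfigMgr Mac client certificate template by reading the template’s security descriptor from the Configuration partition, and prints the template’s subject-name flag so you can see whether the CA builds the subject from the enrolling account. It assumes the RSAT ActiveDirectory module, a domain-joined machine, and a template CN of ConfigMgrMacClientCertificate (an assumption; substitute your own).

```powershell
# Added example (not from the post or the comments): show who holds Read and Enroll on the
# ConfigMgr Mac client certificate template, and whether the subject is supplied in the request.
# Assumptions: RSAT ActiveDirectory module is available; the template CN below is a placeholder.
Import-Module ActiveDirectory

$TemplateName = 'ConfigMgrMacClientCertificate'   # assumption: replace with your template's CN

# Certificate templates live in the Configuration partition, not the domain partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$template = Get-ADObject -Identity $templateDN -Properties nTSecurityDescriptor, 'msPKI-Certificate-Name-Flag'
$acl      = $template.nTSecurityDescriptor.Access

# "Enroll" on a template is the Certificate-Enrollment control access right (extended right).
# An ACE whose ObjectType is the empty GUID grants *all* extended rights, so it counts too.
$EnrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericRead     = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

"Enroll (Allow) on $TemplateName is granted to:"
$acl |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $ExtendedRight) -and
    ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [Guid]::Empty)
  } |
  Select-Object -ExpandProperty IdentityReference -Unique

"Read (Allow) on $TemplateName is granted to:"
$acl |
  Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $GenericRead)
  } |
  Select-Object -ExpandProperty IdentityReference -Unique

# Bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) means the requester chooses the subject name;
# when it is clear, the CA builds the subject from the AD object of the account that enrolled.
$nameFlag = [int]$template.'msPKI-Certificate-Name-Flag'
'msPKI-Certificate-Name-Flag = 0x{0:X8}; enrollee supplies subject: {1}' -f $nameFlag, (($nameFlag -band 1) -ne 0)
```

    Run it as any domain user; the Configuration partition is world-readable by default. The account named in the ConfigMgr enrollment profile must appear in both lists, and anything broader (Authenticated Users, Domain Users) with Enroll is worth questioning, since whoever can enrol against this template can obtain a client certificate the management point will accept.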

  • Steve

    We have SCCM 2012, and the Macs are enrolled and connect without any issues. But only some of them appear (saying the client is installed, etc.); the rest, even though the client is installed, enrolled, etc., don’t. We have numerous VLANs.
