One of the (many) big changes in Configuration Manager 2012 SP1 is the ability to enrol and manage Mac OS X clients using a native agent.
As you’d expect with any sort of cross-platform, non-Windows management story, you won’t be able to do all the same things with Configuration Manager that you can do with a Windows platform. Functionality in SP1 for Mac OS X will consist of:
- Hardware inventory
- Software inventory
- Application deployment
- Configuration deployment and compliance
And that’s not a bad list to be starting with 
So how do you set this up and get Macs enrolled? Microsoft has a step-by-step guide here which contains all the information you’ll need, and it’s what I used to get my lab environment up and operational. So here’s my take on the whole process.
Requirements:
- Mac OS X clients running either Snow Leopard (10.6) or Lion (10.7). At the time of writing SP1 Beta was used (Build 7782) which does not support Mountain Lion (10.8);
- Configuration Manager hierarchy running Configuration Manager 2012 SP1 Beta (Build 7782) or greater;
- Configuration Manager 2012 SP1 site server should be running on Windows Server 2008 R2 SP1. Build 7782 does work on Windows Server 2012, but it’s slightly buggy and I lost a huge amount of time in troubleshooting. Stick with W2K8R2 for the moment and save yourself a headache;
- Configuration Manager hierarchy needs to be configured to support HTTPS communications, so you’ll need to go through setting up PKI. The reason for this is that Mac OS X clients are treated as internet clients at all times. This means that they are manageable regardless of where they are (assuming your site server is externally-accessible) but also that they don’t need to be joined to the domain. Check out this post for PKI certificate requirements in CM12;
- A PKI certificate template for enrolment on Mac clients. Full information on the process is here.
Site Server Configuration
- In the Site System role for the primary site server (and every server which will service Mac clients), tick the option “Specify an FQDN for this site server to use on the Internet” and enter the FQDN. For the purpose of lab testing, this can be the internal FQDN of the site server – it doesn’t HAVE to be accessible externally;
Internet-enabled Site System server role
- In the Distribution Point role on the primary site server (or wherever Mac clients will get content from) make sure that the DP is configured for HTTPS and from the drop-down menu, select “Allow intranet and Internet connections”. Also import a CA-signed certificate for use on the DP;
DP enabled for Internet access
- In the Management Point role ensure that the role is configured for HTTPS, select “Allow intranet and Internet connections” from the drop-down list and tick the option “Allow mobile devices to use this management point”;
Management point enabled for Internet access and mobile devices
- Install the server roles Enrollment Point and Enrollment Proxy Point. Both should be configured for HTTPS, but need no further configuration.
- Edit the Default Client Settings policy. Ensure that Hardware Inventory, Software Inventory and Compliance Settings policies are enabled. Then, go to the Mobile Devices policy and change the option “Allow users to enrol mobile devices” to Yes, then click on Set Profile to create a new enrolment profile;
- In the Enrollment Profile screen click “Create”. Give the new profile a name like “Mac Enrollment”, select an internet-enabled management site code, add the relevant CA and select the certificate template created earlier for Mac enrolment.
Mobile device profile for enrolling Mac clients
Quick Summary
What we’ve now got in an SCCM 2012 SP1 hierarchy configured with HTTPS, supported by a CA and with all the necessary server roles installed and configured for an “external” client to request enrolment. That client is our Mac system, so now we’re heading over there to continue
Mac Client Installation and Enrollment
- Ensure that the Mac system can resolve the “external” FQDN of the site server. If you need to edit the hosts file to fudge it, from Terminal run “sudo nano /etc/hosts” and add an entry. Open Safari and navigate to https://fqdn.siteserver and ensure that you get the IIS welcome page;
- Copy across the Mac client – macclient.dmg - which is located in the SMSSETUP\MacOSClient folder within the Configuration Manager 2012 SP1 media;
- Open the macclient.dmg package and extract the contents somewhere – I created a folder called “MacCMClient” on the Desktop. You should have the following files: ccmsetup and CMClient.pkg, and a Tools folder containing CMAppUtil, CMDiagnostics, CMEnroll and CMUninstall;
Contents of the CM client package for OS X
- Open Terminal and navigate to the extracted files, then type in “sudo ./ccmsetup“. This installs the client and will prompt for a reboot once complete – do NOT reboot at this point in time!
- Next, navigate to the Tools folder in Terminal where the CMEnroll utility is, and enter the following: “sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u ‘DOMAIN\Username’” where DOMAIN\Username is an account which is authorised to enrol the Mac certificate;
- The utility will contact the enrolment point on the site server, request a certificate and will (all being well) retrieve it and install it on OS X. Watch the EnrollmentService.log file in the SMS_CCM\EnrollmentPoint\Logs folder on the site server to see the request being received and processed. Now you can reboot the Mac;
Enrollment process captured in EnrollmentService.log
- On restart, go to System Preferences, Configuration Manager. The Preference pane should show that the certificate has been installed and that the system is talking to the CM management point via HTTPS;
Configuration Manager Preferences Pane in OS X Lion
- To verify that the certificate has been installed correctly, go to Utilities, Keychain Access. Under Keychains select “System”, and the under Category select “My Certificates”. In the main panel should be a certificate registered with the same name as the Mac system. Expand the certificate and it should be linked to a Private Key named “SCCM”. Double-click on the private key and then select “Access Control”. Under “Always allow access by these applications” should be CCMClient and CMEnroll. The CCMClient and CCMAgent applications can be found under /Library/Application Support/Microsoft/CCM, along with the Logs folder;
CM Certificate and Private Key enrolled in Keychain Access
- Now, check the CM console. Under Devices the Mac OS X system should appear, active and Approved. Initially the system icon will be a mobile device, but once hardware and software inventory have been run the icon will switch to that of a standard workstation. Right-click the device and go Start –> Resource Explorer to see the results of the hardware and software inventories.
Resource Explorer of an OS X client
And that’s about it – your Mac is enrolled and chatting away happily
Stay tuned – the next step is to look under the covers into how to actively manage and troubleshoot Mac clients, how to deploy software to Macs and how to generate and enforce compliance settings.
Nice nice nice..
I probably have missed something in the whole chain.
Client installation on my test mac is OK, enroll log on my test SCCM is also OK but I get Unknown certificate error.
Also, my domain is xxx.yyy.internal and on the Mac’s Pref Pane it ends by xxx.yyy.local?!?
Any idea??
Olivier
Looking forward for this!!!!!
Kostas
ACSA, ACT, ACMT, MCTS
Hello James,
Can you tell me what version of OS X you are using?
Still have that ‘Unknown certificate error’.
Could it be that it is because I have my OS X (10.7.2) in a VMware Fusion?
Also, does the cimhandler.ashx exist on you lab env?
In the log I can see this:
![LOG[SSL Connection failed. HTTP Response code is 500 and reason is Internal Server Error]LOG]!>
Any idea?
Olivier
Hi Olivier – I am using OS X Lion 10.7.5 – using a virtual machine on Fusion shouldn’t be a problem. Does the CA actually receive and process the certificate request?
Hello James,
Yes, the CA receive and process the request without problems.
In can see the Issued Certificate on my CA.
On my test OS X, in the keychain, I can see my root cert, the machine cert with his sub key called SCCM.
I have exactly what you got in your post.
Probably sure that I did something stupid in my config… but what.
I use an account that only can enroll MAC machines. I mean for the cert.
If you want the mac ccm log, let me know.
Hello
I’m facing the same issue. I’m using MACOSX 10.7.5.
On the EnrollmentService.log, all it’s ok.
[7, PID:3476][11/07/2012 13:32:21] :InsertCertificateRecord: 6789CFC07290DA2F0C44D602C9A517835A415951 for TRIALSC\SCCMADMIN
[7, PID:3476][11/07/2012 13:32:21] :Sending status message: ENROLLSRVMSG_SQL_SUCCESS
Have any clue!?
Hey JAmes, I am building out SCCM 2012 in our dev lab and just got to the point of adding MACs to the Mix. we have the PKI server up and all the certs in place yet everytime i run the commands in your document above, the cert comes in as the user account used to get the cert not the machine i am installing it on. for example i built a SCCMMACClient accout for Dev and the system name is Macintosh on the 24″ imac I am testing with. and everytime I run the CMEnroll cmd line it installs the certificate as the SCCMMACClient Cert not as Macintosh Cert? I Know i’m missing something somewhere any quick ideas?
Hi James, I have followed the same steps as mentioned in this article to enroll MAC OSx 10.7.4.
ccmsetup ran successfully.
Certificate enrolled and on the EnrollmentService.log, all successful.
Verified certificate from KeyChain.
I didn’t found ‘Microsoft/CCM/’ under /Library/Application Support/ directory.
When I open Configuration Manager under system preferences, it says ‘Certificate not found’ but it displays the primary site url.
Please suggest?
I just resolved the issue by recreating a certificate
Does anyone know if these MAC clients need to be joined to the Domain in order to be managed by SCCM 2012 SP1?
Hi Jason – no, it’s not a requirement.
Hi James, My MAC clients are showing up as inactive in SCCM 2012 SP1. Any suggesstions?
Hi Richa – they need to be able to communicate to the management point in order for SCCM to detect them as active. Is the management point up and running and configured correctly?
Same for iOS. I can enroll via InTune by example but client stay as inactive.
So, no way to push a baseline :-s
Hi;
i install SCCM 2012 SP1 on my system and working no problem. But my problem is Mac Client.
i install the mac client agent in macclient.dmg flie which is downloaded from Microsoft Download Center. and then i tried to steps which is writing in thecnet site. http://technet.microsoft.com/en-us/library/jj591553.aspx . but when i to sudo ./CMEnroll -s -ignorecertchainvalidation -u [-p ] command it gave me error.
the error is :
Server connection failed. HTTP responce code is 500 and reason is Internal Server.
bytheway i installed and configured my MP,DP and Enrollment point like writing in technet site…
and my EnrollmentService.Log is:
[7, PID:6932][01/17/2013 15:02:55] :WindowsIdentity is created for domain: domain user: sccm2007user
[7, PID:6932][01/17/2013 15:02:55] :validated user credentials
[7, PID:6932][01/17/2013 15:02:55] :Handling RequestSecurityToken
[7, PID:6932][01/17/2013 15:02:55] :claim identity name: DOMAIN\SCCM2007User
[7, PID:6932][01/17/2013 15:02:55] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[7, PID:6932][01/17/2013 15:02:55] :Template: ConfigMgrMacClientCertificate
[7, PID:6932][01/17/2013 15:02:55] :CA: System.Collections.Generic.List`1[System.String]
[7, PID:6932][01/17/2013 15:02:55] :The CA eca3401.domain.entp.tgc is in forest entp.tgc
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: RefreshCache: Enrollment Profile 16777217 requires update
[7, PID:6932][01/17/2013 15:02:55] :Impersonating caller: DOMAIN\SCCM2007User
[7, PID:6932][01/17/2013 15:02:55] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Sending CA Success Status – ENROLLSRVMSG_CA_SUCCESS
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CA Chains count: 2
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Subject name: CN=DOMAIN Enterprise CA 1, DC=domain, DC=entp, DC=tgc
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Issuer Name: CN=domain Root CA
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CA Chains 2 thumprint: EBEB8D4C7D095A21131B3E52CB67F0DE798B2F59
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Subject name: CN=Domain Root CA
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Issuer Name: CN=Domain Root CA
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CA Chains 1 thumprint: CAF1C7E2F475F749BB7A0754F3FA0D4455D56B50
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Got root CA hash: CAF1C7E2F475F749BB7A0754F3FA0D4455D56B50
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: Got CA chain hash: EBEB8D4C7D095A21131B3E52CB67F0DE798B2F59
[7, PID:6932][01/17/2013 15:02:55] :ConfigManager: CAStoreXML:
[7, PID:6932][01/17/2013 15:02:55] :Impersonating caller: DOMAIN\SCCM2007User
[7, PID:6932][01/17/2013 15:02:56] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: entering State: Start
[7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: exiting state: Start, Result: Succeed
[7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: entering State: AuthenticationApproved
[7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
[7, PID:6932][01/17/2013 15:02:56] :EnrollmentRequestController: entering State: CertNotInADAccount
[7, PID:6932][01/17/2013 15:02:56] :Impersonating caller: DOMAIN\SCCM2007User
[7, PID:6932][01/17/2013 15:02:57] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:6932][01/17/2013 15:02:57] :CALayer: Sending CA failure status – ENROLLSRVMSG_CA_FAILURE
[7, PID:6932][01/17/2013 15:02:57] :CALayer: SubmitRequest CA: eca3401.domain.entp.tgc\Domain Enterprise CA 1 Errormessage: Error Parsing Request Invalid algorithm specified. 0×80090008 (-2146893816) 2 ErrorCode: 2
[7, PID:6932][01/17/2013 15:02:57] :Only one CA is specified in profile. Failed to enroll with the specified CA: eca3401.domain.entp.tgc\Domain Enterprise CA 1
[7, PID:6932][01/17/2013 15:02:57] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[7, PID:6932][01/17/2013 15:02:57] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
[7, PID:6932][01/17/2013 15:02:57] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert
any idea???
Hi Onder, any update on this issue? I’m dealing with the same issue with Mac Enrollment
Hi Francesco,
I resolved this issue. My CA Server was Windows Server 2003 and i upgrated it to Windows Server 2008 R2. After that Mac Enrollment done..
Yes James, MP is running healthy and configured correctly and no errors in mpcontrol.log. I feel the issue is related to the client certificate which I enrolled in MAC machine. I have followed the MS article to create client cert for MAC clients. But in your above snapshot, certificate registered with MAC system name under keychains. In my case, it is registering with domain account which I used to enroll certificate using CMEnroll tool. Please suggest.Thanks!!
Hi Richa,
we had the same problem with the certificate name showing the Domain user Name which was used to enroll the mac machine. The error message about the missing certificate was shown in the System Preferences / Configuration Manager UI.
I found a hint about a problem with spaces in certificate Display names (which was no problem as Long as the certificate Name was the machine Name). We created a new Active Directory Account “enrollment” and tried to enroll the certificate again.
This time it works and the configuration Manager UI in System Preferences had real info to show.
But we are not finished now, because if we try to connect to config Manager, we get an error during Connection (error message is in German, so I don’t type the correct words here).
Any ideas?
Mac OS X 10.7
Client Version 5.00.7804.1000
OK – I’ve finally got around to registering my Mac with my lab SCCM 2012 SP1 environment. I get the same issue with the certificate registering with the username rather than the machine name. However, the system shows up in the SCCM console using the machine name. So, there’s a behavioural change from SCCM 2012 SP1 Beta to RTM, but it doesn’t look like a major issue. The Mac can connect to the site server and communicate properly. I’ve flagged the behaviour change with MSFT to try and get an idea of what has changed.
Thanks for the very useful information. However, I’m stuck with something. When I open the Configuration Manager on Mac Client – the certificate name is shown as the user name that I used for the request the certificate instead of the Mac hostname. Any advice? Thanks
A couple of people have reported that – it’s not something I’ve encountered so far. I’m about to enrol my Mac on an SP1 RTM system, so I’ll report back if I see the same behaviour.
Hi James,
Thanks. I even build the SP1 RTM with the difference configuration (CA on 2008, CA on 2012) and stuck with the same problem.
KC & James, I also have this issue. Were you able to find a resolution?
Thanks,
L
My MAC clients are still showing inactive on sccm console. But I am not getting any error while opening system preferences->Configuration Manager. Also, certificate is successfuly registered for mac machine and I verified it from MP_RegistrationManager.log on server.
I am having the same issue. I get errors in the CCMCLIENT.log. See my post on TechNet forums for the details. http://social.technet.microsoft.com/Forums/en-US/configmanagergeneral/thread/64b97749-05d8-4935-a521-2b9591d32c71/#64b97749-05d8-4935-a521-2b9591d32c71
Seem like there is something wrong with the DM Proxy or not allowing communication through it.
Has anyone got this working in RTM?
[...] http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/ [...]
Hi James, i’m encountering the issues as some contributors earlier described: certificate subject name being the user who enrolled the certificate and no explicit mentioning of CMEnroll and CCMclient as part of the access control application list in the keychain. When i hit the “connect now”, processing goes on endlessly. No errors on logs of MP or other components that might be involved. Could it be the HTTP certificate?
It seems I had some kind of a compatibilty issue with running virtual OS X lion machines on VMware Fusion 4. I created some Lion vm’s on Parallels and all three are now in SCCM.
Cheers Omar
Will setting this enviroment up this way require me to have all my Windows machines using the HTTPS? I am wanting only the MAC clients to use HTTPS and leave the rest of my enviroment the same. Also are there any step by step instructions of creating the CA signed certificate? I am stuck on that step.
Hi Darrin. You don’t have to have your entire CM environment working with HTTPS. However, the management point and distribution point for OS X has to be HTTPS-enabled, so if you want to keep your Windows machines working in HTTP, then you will need a separate MP/DP. As for PKI, check out some of my earlier blog posts, or have a look through TechNet – most of the information is contained there. Cheers, James
Hey James, While trying to create a site system server to add the MP/DP roles I get the error “The site system name you specified already exists. Specify a different name”. I am typing in the name of the SCCM 2012 server that has SCCM installed on it. Do I need to choose a different server since the primary instantce is using the SCCM 2012 server or do I need a second server to host the MP/DP roles?
Hey James, I am trying to add the MP/DP roles on under create site system server wizard. I am getting the error “The site system name you specified already exists. Specify a different name”. I am choosing the SCCM 2012 server that has the management console for the name. Do I need to have a secondary server for the name to have the MP/DP roles installed?
It looks like everything installed and enrolled correctly but when I open CM from System Preference it shows Cert subject name and has the proper Management point Client version and policy refresh interval, but when I click on Connect Now I get “Certificate not found” any thoughts?
Thanks
I’m getting the following error message in my EnrollmentService.log when I perform the “sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u ‘DOMAIN\Username’” step. Has anyone else come across this?
[7, PID:7968][05/02/2013 13:43:00] CALayer: SubmitRequest CA: [FQDN of CA]\[CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2
[7, PID:7968][05/02/2013 13:43:00] Only one CA is specified in profile. Failed to enroll with the specified CA: [FQDN of CA]\[CA]
[7, PID:7968][05/02/2013 13:43:00] EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
Not sure if it’s because I’m using a 2008 CA or not, but I’ve found that the enrollment process only prompts once for a password (for SUDO), then attempts to pass that as the user’s password. So if the passwords aren’t the same, you get an Error 500 when you attempt to enroll.