UPDATE: 08-12-2015. I’ve noticed that this blog post still gets a reasonable amount of traffic and comments. While that’s really gratifying, the content is horribly out-of-date, and a number of the comments relate to the fact that the functionality which was available when I wrote this post has changed quite a bit, and doesn’t really match up to what you’re going to see in an up-to-date build or ConfigMgr. If/when I get my hands on another Mac I can look at updating the content (although I’m really working with Azure and Chef these days), so I strongly recommend that you take a look at the work my colleague Peter Daalmans has been doing with ConfigMgr and Mac management. He blogs over at ConfigMgrBlog.com and he’s keeping up with all the latest developments in Mac management using Configuration Manager.
One of the (many) big changes in Configuration Manager 2012 SP1 is the ability to enrol and manage Mac OS X clients using a native agent.
As you’d expect with any sort of cross-platform, non-Windows management story, you won’t be able to do all the same things with Configuration Manager that you can do with a Windows platform. Functionality in SP1 for Mac OS X will consist of:
- Hardware inventory
- Software inventory
- Application deployment
- Configuration deployment and compliance
And that’s not a bad list to be starting with 🙂
So how do you set this up and get Macs enrolled? Microsoft has a step-by-step guide here which contains all the information you’ll need, and it’s what I used to get my lab environment up and operational. So here’s my take on the whole process, starting with the prerequisites:
- Mac OS X clients running either Snow Leopard (10.6) or Lion (10.7). At the time of writing I was using the SP1 Beta (Build 7782), which does not support Mountain Lion (10.8);
- Configuration Manager hierarchy running Configuration Manager 2012 SP1 Beta (Build 7782) or greater;
- Configuration Manager 2012 SP1 site server should be running on Windows Server 2008 R2 SP1. Build 7782 does work on Windows Server 2012, but it’s slightly buggy and I lost a huge amount of time in troubleshooting. Stick with W2K8R2 for the moment and save yourself a headache;
- Configuration Manager hierarchy needs to be configured to support HTTPS communications, so you’ll need to go through setting up PKI. The reason for this is that Mac OS X clients are treated as internet clients at all times. This means that they are manageable regardless of where they are (assuming your site server is externally-accessible) but also that they don’t need to be joined to the domain. Check out this post for PKI certificate requirements in CM12;
- A PKI certificate template for enrolment on Mac clients. Full information on the process is here.
Site Server Configuration
- In the Site System role for the primary site server (and every server which will service Mac clients), tick the option “Specify an FQDN for this site server to use on the Internet” and enter the FQDN. For the purpose of lab testing, this can be the internal FQDN of the site server – it doesn’t HAVE to be accessible externally;
- In the Distribution Point role on the primary site server (or wherever Mac clients will get content from) make sure that the DP is configured for HTTPS and from the drop-down menu, select “Allow intranet and Internet connections”. Also import a CA-signed certificate for use on the DP;
- In the Management Point role ensure that the role is configured for HTTPS, select “Allow intranet and Internet connections” from the drop-down list and tick the option “Allow mobile devices to use this management point”;
- Install the server roles Enrollment Point and Enrollment Proxy Point. Both should be configured for HTTPS, but need no further configuration.
- Edit the Default Client Settings policy. Ensure that Hardware Inventory, Software Inventory and Compliance Settings policies are enabled. Then, go to the Mobile Devices policy and change the option “Allow users to enrol mobile devices” to Yes, then click on Set Profile to create a new enrolment profile;
- In the Enrollment Profile screen click “Create”. Give the new profile a name like “Mac Enrollment”, select an internet-enabled management site code, add the relevant CA and select the certificate template created earlier for Mac enrolment.
What we’ve now got is an SCCM 2012 SP1 hierarchy configured for HTTPS, supported by a CA and with all the necessary server roles installed and configured, ready for an “external” client to request enrolment. That client is our Mac system, so now we’re heading over there to continue 🙂
Mac Client Installation and Enrollment
- Ensure that the Mac system can resolve the “external” FQDN of the site server. If you need to edit the hosts file to fudge it, from Terminal run “sudo nano /etc/hosts” and add an entry. Open Safari and navigate to https://fqdn.siteserver and ensure that you get the IIS welcome page;
- Copy across the Mac client – macclient.dmg – which is located in the SMSSETUPMacOSClient folder within the Configuration Manager 2012 SP1 media;
- Open the macclient.dmg package and extract the contents somewhere – I created a folder called “MacCMClient” on the Desktop. You should have the following files: ccmsetup and CMClient.pkg, and a Tools folder containing CMAppUtil, CMDiagnostics, CMEnroll and CMUninstall;
- Open Terminal and navigate to the extracted files, then type in “sudo ./ccmsetup“. This installs the client and will prompt for a reboot once complete – do NOT reboot at this point in time!
- Next, navigate to the Tools folder in Terminal where the CMEnroll utility is, and enter the following: “sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u 'DOMAIN\Username'” where DOMAIN\Username is an account which is authorised to enrol the Mac certificate;
- The utility will contact the enrolment point on the site server, request a certificate and will (all being well) retrieve it and install it on OS X. Watch the EnrollmentService.log file in the SMS_CCM\EnrollmentPoint\Logs folder on the site server to see the request being received and processed. Now you can reboot the Mac;
- On restart, go to System Preferences, Configuration Manager. The Preference pane should show that the certificate has been installed and that the system is talking to the CM management point via HTTPS;
- To verify that the certificate has been installed correctly, go to Utilities, Keychain Access. Under Keychains select “System”, and then under Category select “My Certificates”. In the main panel there should be a certificate registered with the same name as the Mac system. Expand the certificate and it should be linked to a Private Key named “SCCM”. Double-click on the private key and then select “Access Control”. Under “Always allow access by these applications” should be CCMClient and CMEnroll. The CCMClient and CCMAgent applications can be found under /Library/Application Support/Microsoft/CCM, along with the Logs folder;
- Now, check the CM console. Under Devices the Mac OS X system should appear, active and Approved. Initially the system icon will be a mobile device, but once hardware and software inventory have been run the icon will switch to that of a standard workstation. Right-click the device and go Start –> Resource Explorer to see the results of the hardware and software inventories.
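The checks in the steps above can be scripted on the Mac; the script below is an added example, not part of the original post or of Microsoft's client tools. It assumes a placeholder site server FQDN (SITE_FQDN, constructed), that openssl and the macOS security tool are on the path, and that the Mac's short host name is the name on the issued certificate; the TLS check tells you whether the Mac already trusts the site server's chain, in which case CMEnroll can be run without -ignorecertchainvalidation (that switch skips chain validation, so the safer route is to import the issuing CA into the System keychain and leave it off).

```shell
#!/bin/bash
# Pre-flight and post-enrolment checks for the ConfigMgr Mac client walkthrough.
# Added example; not the post's own code. SITE_FQDN is a constructed placeholder.
SITE_FQDN="${SITE_FQDN:-cm01.lab.example}"

# Does an /etc/hosts-style file carry an uncommented entry for the FQDN?
# Hostnames live in fields 2..NF; anything after '#' is a comment.
hosts_file_has() {            # $1 = fqdn, $2 = hosts file path
    awk -v h="$1" '{ sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
        END { exit !found }' "$2"
}

# Extract the numeric "Verify return code" from `openssl s_client` output.
# 0 means the Mac trusts the chain presented by the site server; prints
# nothing if no such line is present (treated as a failure by callers).
verify_code_from_output() {   # stdin = s_client output
    sed -n 's/^[[:space:]]*Verify return code: \([0-9]\{1,\}\).*/\1/p' | head -n 1
}

# Live TLS check against the HTTPS management point / DP on port 443.
check_site_tls() {            # $1 = fqdn; returns 0 only when the chain verifies
    local code
    code=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
           | verify_code_from_output)
    [ "$code" = "0" ]
}

# After CMEnroll: the client certificate should sit in the System keychain
# under the Mac's own host name (the same one Keychain Access shows).
client_cert_in_system_keychain() {   # $1 = host name on the certificate
    security find-certificate -c "$1" /Library/Keychains/System.keychain >/dev/null 2>&1
}

main() {
    hosts_file_has "$SITE_FQDN" /etc/hosts && echo "hosts entry present for $SITE_FQDN"
    if check_site_tls "$SITE_FQDN"; then
        echo "chain to $SITE_FQDN verifies: CMEnroll can run without -ignorecertchainvalidation"
    else
        echo "chain to $SITE_FQDN does NOT verify: import the issuing CA into the System keychain first"
    fi
    client_cert_in_system_keychain "$(hostname -s)" && echo "client certificate present in System keychain"
}

# The live checks only run when invoked as: sudo ./cmcheck.sh run
if [ "${1:-}" = "run" ]; then main; fi
```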
And that’s about it – your Mac is enrolled and chatting away happily 🙂
Stay tuned – the next step is to look under the covers into how to actively manage and troubleshoot Mac clients, how to deploy software to Macs and how to generate and enforce compliance settings.