Most customers who want to manage Mac computers using System Center 2012 Configuration Manager SP1 will use the enrollment tool, CMEnroll. This tool allows users with an Active Directory account to install the Configuration Manager client and automatically request and install the required client PKI certificate.
This deployment method scales well and uses your existing infrastructure to secure and automate the certificate deployment. However, it does require the user to have an account in Active Directory, and it requires Active Directory Certificate Services with a customized certificate template (so you must be running an enterprise version of the operating system and an enterprise CA).
If you don’t meet these requirements, or you don’t want an automated certificate deployment mechanism, you can request and install the certificate independently from Configuration Manager, and then install the Configuration Manager client.
Much like native mode in Configuration Manager 2007 and the client-server PKI connections in System Center 2012 Configuration Manager, you can use any PKI deployment to deploy the certificate for Mac computers if it adheres to our documented certificate requirements. For Mac computers, the client certificate requirements are as follows:
There is no single method of deployment for this certificate, and we would always recommend that you consult your own PKI team or bring in a PKI consultant to devise the best method to deploy this certificate to Mac computers in a production environment. However, you can use the following steps in this blog if you need to deploy a few certificates for testing and have Active Directory Certificate Services running on a standalone CA or an enterprise CA that lets you duplicate and modify the certificate templates.
Both methods described in this post involve requesting the certificate from a Windows computer on behalf of the Mac computer, exporting the certificate to a file, and then importing it on the Mac computer. This approach is not usually recommended in a production environment because it does not scale and carries the security risk of exporting the private key.
An alternative that does not require you to export the private key is to use the Certificate Assistant tool on the Mac computer, from the Keychain Access menu. This lets you save a certificate request to disk, and from the contents of this file you can request the certificate from the issuing CA.
If you are not using the Certificate Assistant tool but want to use a Windows-based computer to request the certificate for the Mac computer, follow the steps in this post that match your issuing CA configuration. Then export the certificate file so that it’s ready to import on the Mac computer. These steps match the UI for any version of Windows Server 2008 and can be easily adapted if your CA is running on Windows Server 2012. Then, import the exported certificate to the Mac computer and configure Keychain Access to trust the new certificate and (if required) the root certificate.
[NewRequest]
Subject = "CN=<Mac computer name>" ; assumed placeholder, not part of the original post
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageOID]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

certreq -new mac.inf mac.req
certreq -submit mac.req mac.cer
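The Windows-side steps above carried through end to end, as an added example that is not code from the original post or from the Configuration Manager product: it writes the request file, runs certreq, exports the issued certificate with its private key to a password-protected PFX, and then removes the key from the Windows machine store so that only the Mac holds it. The host names, CA name, template name and paths are placeholders, and the final Remove-Item -DeleteKey assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Request a client certificate for a
# Mac from a Windows computer with certreq, export it as a password-protected PFX,
# and remove the private key from the Windows machine store afterwards.
# Placeholders (assumptions, not from the post): $MacName, $CaConfig, $Template.
$MacName  = 'mac01.contoso.com'                  # subject for the Mac's certificate
$CaConfig = 'ca01.contoso.com\Contoso-IssuingCA' # "host\CA name" for certreq -submit
$Template = ''   # enterprise CA: your duplicated template name; standalone CA: leave empty
$WorkDir  = 'C:\MacCert'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Request file with the settings shown in the post plus the Client Authentication EKU.
$inf = @"
[NewRequest]
Subject = "CN=$MacName"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageOID]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication
"@
if ($Template) { $inf += "`r`n[RequestAttributes]`r`nCertificateTemplate = $Template`r`n" }
Set-Content -Path "$WorkDir\mac.inf" -Value $inf -Encoding ASCII

# 2. Create the request (the key pair lands in the Local Machine store because
#    MachineKeySet=TRUE), submit it, and bind the issued certificate to its pending key.
#    If a standalone CA holds the request pending, approve it in the CA console and run
#    "certreq -retrieve <RequestId> mac.cer" before the -accept step.
certreq.exe -new "$WorkDir\mac.inf" "$WorkDir\mac.req"
certreq.exe -submit -config $CaConfig "$WorkDir\mac.req" "$WorkDir\mac.cer"
certreq.exe -accept "$WorkDir\mac.cer"

# 3. Find the issued certificate (it must carry its private key) and export it to PFX.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$MacName" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $MacName in LocalMachine\My" }

$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
$pfxBytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pfxPassword)
[IO.File]::WriteAllBytes("$WorkDir\mac.pfx", $pfxBytes)

# 4. The Mac is the only system that should hold this key: remove the certificate and its
#    key container from the Windows store (-DeleteKey needs PowerShell 3.0 or later).
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
Write-Host "Exported $WorkDir\mac.pfx; copy it and the CA chain to the Mac, then delete the PFX here."
```

Import mac.pfx (and, if required, the root CA certificate) with Keychain Access on the Mac, then delete the PFX file from both computers so the exported private key does not linger on disk.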
Tip: If you use an issuing CA from a different hierarchy to the one that issues PKI certificates for the Configuration Manager site system roles (such as the management point), you must import the root CA certificate as a Configuration Manager site property. For more information, see the Planning for the PKI Trusted Root Certificates and the Certificate Issuers List section in the Planning for Security in Configuration Manager topic from the Configuration Manager documentation library.
Additional information from the Configuration Manager documentation library:
-- Carol Bailey
This posting is provided "AS IS" with no warranties and confers no rights.