First published on TECHNET on Oct 04, 2014
Authored by Clifton Hughes
I have recently had several requests asking about the support for managing Mac OS X computers in System Center 2012 R2 Configuration Manager, so I went to work in my lab and successfully set this up. There were so many different articles around the needed certificates, roles, client settings, etc. that I felt it would help to have it all documented in a single place. I hope you find this information useful.
I followed this documentation on TechNet to deploy the needed certs and roles in ConfigMgr 2012 R2:
https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/gg682023(v=te...
I also had to manually configure the Mac computer’s hosts file to resolve the Servername.lab.local FQDN. This would not be needed in a production environment; it was only due to my virtual lab not being on the same LAN as my MacBook.
First we need to create, issue, and request/install the three certificates and templates required to support Mac OS X clients with System Center 2012 R2 Configuration Manager:
Deploying the Web Server Certificate for Site Systems that Run IIS
Creating and Issuing the Web Server Certificate Template on the Certification Authority
This procedure creates a certificate template for Configuration Manager site systems and adds it to the certification authority.
To create and issue the web server certificate template on the certification authority
Requesting the Web Server Certificate
This procedure allows you to specify the intranet and Internet FQDN values that will be configured in the site system server properties, and then installs the web server certificate onto the member server that runs IIS.
Configuring IIS to Use the Web Server Certificate
This procedure binds the installed certificate to the IIS Default Web Site.
The member server is now provisioned with a Configuration Manager web server certificate. Important: When you install the Configuration Manager site system server on this computer, make sure that you specify the same FQDNs in the site system properties as you specified when you requested the certificate.
Deploying the Client Certificate for Distribution Points
Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
This procedure creates a custom certificate template for Configuration Manager distribution points that allows the private key to be exported, and adds the certificate template to the certification authority.
Note: This procedure uses a different certificate template from the certificate template that you created for client computers, because although both certificates require client authentication capability, the certificate for distribution points requires that the private key is exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. In our example deployment, this will be the security group that you previously created for Configuration Manager site system servers that run IIS. On a production network that distributes the IIS site system roles, consider creating a new security group for the servers that run distribution points so that you can restrict the certificate to just these site system servers. You might also consider adding the following modifications for this certificate:
• Require approval to install the certificate, for additional security.
• Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate.
• Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to help identify this certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for multiple distribution points.
To create and issue the custom Workstation Authentication certificate template on the certification authority
Requesting the Custom Workstation Authentication Certificate
This procedure requests and then installs the custom client certificate onto the member server that runs IIS and that will be configured as a distribution point.
Exporting the Client Certificate for Distribution Points
This procedure exports the custom Workstation Authentication certificate to a file, so that it can be imported in the distribution point properties.
Creating and Issuing a Mac Client Certificate Template on the Certification Authority
This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority. Note: This procedure uses a different certificate template from the certificate template that you might have created for Windows client computers or for distribution points. By creating a new certificate template for this certificate, you can restrict the certificate request to authorized users.
To create and issue the Mac client certificate template on the certification authority
Installing the Roles in Configuration Manager to support the Mac Client Enrollment
I adapted the steps in this section from this article: http://technet.microsoft.com/en-us/library/gg712327.aspx
We need to install a total of 4 roles in order to support the Mac OS X computers as clients and to enroll them in the System Center 2012 R2 Configuration Manager environment.
Ensure that the new site server on which we are installing these roles is configured with an Internet FQDN. In addition, these site system roles must be in a primary site. Check the Site System Role properties for this server to ensure it is configured with an Internet FQDN, even if you are configuring it with the same FQDN as the internal server name.
To configure management points and distribution points for supporting Mac Clients
To install and configure the enrollment site systems on a New site system server
Configuring the Client Settings for Mac Computer Enrollment
The first procedure in this step configures the default client settings for mobile device enrollment and will apply to all users in the hierarchy. If you want these settings to apply to only some users, create a custom user setting and assign it to a collection that contains users who you will allow to enroll their mobile devices. The second procedure in this step configures the default client settings for the mobile device polling interval and hardware inventory to apply to all mobile devices in the hierarchy that Configuration Manager enrolls. The hardware inventory settings also apply to client computers. If you want these settings to apply to only mobile devices or to selected mobile devices, create a custom device setting and assign it to a collection that contains the enrolled mobile devices that you want to configure with these settings. For more information about how to create custom client settings, see How to Create and Assign Custom Client Settings.
To configure the default client settings for Mac Client enrollment
Installing the SCCM Mac Client
There currently is no automated method for installing Mac clients in Configuration Manager; you will need to perform these steps on each client, or find a scripting method to automate the process if possible. I adapted these steps from this article: https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/jj591553(v=te... and this article:
How to Create Mac Computer Configuration Items in Configuration Manager:
https://docs.microsoft.com/en-us/previous-versions/system-center/system-center-2012-R2/jj687949(v=te...
Update: this is old information and only works on older Mac OS versions (10.6 or earlier). The updated article/blog is here: https://configmgrblog.com/2014/06/13/set-user-preferences-mac-os-x-10-x-configmgr-2012-r2/
Deploy OS X Applications With Configuration Manager (should be the same for SCCM 2012/R2 and Current Branch):
You can download the System Center Endpoint Protection Agent for Mac from your Volume License site from Microsoft, and use the blog above to create and deploy this as an Application for your Mac Clients.
Compliance Settings can be used with detection and remediation scripts to configure settings such as turning the firewall on or off automatically; the scripts read and change settings in plist files on the Mac clients. https://configmgrblog.com/2014/06/13/set-user-preferences-mac-os-x-10-x-configmgr-2012-r2/
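As an added example (not from the original post or the linked blog), here is what such a detection/remediation pair looks like for the firewall case: the detection script prints a status string for the compliance rule to compare against, and the remediation script changes the plist and verifies the result. It assumes the Application Firewall state is the globalstate key of /Library/Preferences/com.apple.alf and that the ConfigMgr Mac client runs the scripts as root.

```shell
#!/bin/sh
# Added example, not from the original post: a detection/remediation script pair
# in the shape Configuration Manager compliance settings use for Mac clients.
# Assumption: the Application Firewall state is the globalstate key of
# /Library/Preferences/com.apple.alf (0 = off, 1 = on, 2 = block all incoming),
# and the ConfigMgr Mac client runs these scripts as root.

PLIST="/Library/Preferences/com.apple.alf"
KEY="globalstate"

# Map a raw globalstate value to the string the compliance rule compares against.
firewall_status() {
    case "$1" in
        1|2) echo "On" ;;
        0)   echo "Off" ;;
        *)   echo "Unknown" ;;   # missing key, unreadable plist, or unexpected value
    esac
}

# Detection: print the current status; the compliance rule expects "On".
detect() {
    state=$(defaults read "$PLIST" "$KEY" 2>/dev/null || echo "")
    firewall_status "$state"
}

# Remediation: turn the firewall on, then re-run detection so a failed write
# is reported as a remediation error rather than silently treated as success.
remediate() {
    defaults write "$PLIST" "$KEY" -int 1 || return 1
    [ "$(detect)" = "On" ]
}

# Run as "script detect" or "script remediate" (each half is pasted into the
# matching script box of the configuration item's script setting).
case "$1" in
    detect)    detect ;;
    remediate) remediate ;;
esac
```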
Troubleshooting and Certificate Revocation List publishing.
After some time, my Mac client stopped connecting to the Management Point, and I found that in MPControl.log I was getting 443 errors. This was related to the Certificate Revocation List (CRL) not being published in my lab. I followed this article to disable this feature since my certs will not expire for 10 years, and you may do the same; although it is not really a best practice, it is a workaround I found here: http://blogs.msdn.com/b/kaushal/archive/2012/10/15/disable-client-certificate-revocation-check-on-...
After following this on the HTTPS SCCM server and restarting IIS, my Mac client was able to connect again.
I recommend following up with Microsoft Support for assistance with the Certificate Authority configuration in order to properly publish the Certificate Revocation List as part of your certificate template, so that your clients can access the CRL URL. Here is an article to get you started:
The SCCM HTTPS server has some logs that can be helpful in troubleshooting Mac clients in Configuration Manager. The X:\SMS_CCM\Logs folder holds the Management Point logs of the HTTPS Management Point.
DMPRP.log is for Mac client policy actions.
MP_Location.log shows Mac client activity for application deployment content location requests, which helps when troubleshooting application deployments to Mac computers.
On the Mac client, the logs for the CCM client are under ~/Library/Logs and User/Library/Application Support/Microsoft/CCM/Logs.
I updated my SCCM to 1706 this past August 21st, and on Sept 4th 2017 I got a MacBook Pro (Sierra 10.12.6) working as an SCCM client. I have disabled CRL checking in my lab in SCCM and in IIS, per this for the IIS part:
Also, after having trouble with the client not being able to communicate with the MP because of a "Certificate has untrusted root" error, I found this info:
This led me to add the common name to the Subject Name field in the ConfigMgr Web Server Certificate request; once I provided both the common name and the DNS name, the Mac client was able to communicate with the HTTPS MP.
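Both of the problems above (the unpublished CRL behind the 443 errors, and the missing common name behind the untrusted-root error) can be checked from the Mac before touching the CA or IIS. The following is an added example, not code from the original post: it pulls the certificate the HTTPS management point presents, checks that the FQDN the client uses appears in the Subject CN or SAN, and tries to download every CRL Distribution Point URL in it. It assumes openssl and curl are available on the Mac and takes the management point FQDN (e.g. Servername.lab.local from the post) as its only argument.

```shell
#!/bin/sh
# Added example, not from the original post: pull the HTTPS management
# point's certificate and check the two things the troubleshooting notes
# above turned on: the CRL Distribution Point URL must be reachable from
# the Mac, and the Subject CN / SAN DNS entries must contain the FQDN
# the client connects to. Assumes openssl and curl are on the Mac.

# Extract URI: entries under the CRL Distribution Points extension
# from `openssl x509 -text` output read on stdin.
crl_urls() {
    sed -n '/X509v3 CRL Distribution Points/,/^ *X509v3/p' \
      | sed -n 's/.*URI:\(.*\)/\1/p'
}

# Extract the Subject CN and every DNS: SAN entry, one name per line.
cert_names() {
    sed -n 's/.*Subject:.*CN *= *\([^,/]*\).*/\1/p; /DNS:/p' \
      | tr ',' '\n' | sed 's/^ *DNS://; s/^ *//; s/ *$//; /:/d'
}

# Return 0 when $1 (the FQDN) is among the names read on stdin.
name_present() {
    tr 'A-Z' 'a-z' | grep -qxF "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"
}

# Fetch the certificate presented on port 443 in openssl text form.
fetch_cert_text() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -text
}

if [ "$#" -gt 0 ]; then
    fqdn=$1
    text=$(fetch_cert_text "$fqdn")
    if printf '%s\n' "$text" | cert_names | name_present "$fqdn"; then
        echo "OK: $fqdn is present in the certificate CN/SAN"
    else
        echo "MISMATCH: $fqdn not in CN/SAN; names found:"
        printf '%s\n' "$text" | cert_names
    fi
    for u in $(printf '%s\n' "$text" | crl_urls); do
        if curl -fsS --max-time 10 -o /dev/null "$u"; then
            echo "CRL reachable: $u"
        else
            echo "CRL UNREACHABLE: $u (revocation checking will fail)"
        fi
    done
fi
```

A MISMATCH result points at the Subject Name / SAN values in the certificate request; an UNREACHABLE result points at CRL publishing on the CA or name resolution from the Mac (the hosts file issue mentioned at the top of the post).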