How to install SCCM client agent on Mac Computers

In this post we will see the steps to install the SCCM client agent on Mac computers. In my previous post we saw how to deploy a client certificate for Mac computers. Before you start deploying the Configuration Manager client agent for Mac, I suggest you take a look at the step-by-step guide for deploying PKI with SCCM. Client installation and management for Mac computers in System Center 2012 R2 Configuration Manager requires public key infrastructure (PKI) certificates.

Here is a brief outline of the steps required to install and configure the client agent on a Mac computer.

1) Deploy a web server certificate to site system servers. (We did this in the previous post; click the link to learn more.)

2) Deploy a client authentication certificate to site system servers. (We did this in the previous post; click the link to learn more.)

3) Prepare the client certificate template for Mac computers. (We did this in the previous post; click the link to learn more.)

4) Configure the enrollment proxy point and the enrollment point.

5) Configure client settings for enrollment.

6) Download the client source files for Mac clients.

7) Install the client and then enroll the client certificate on the Mac computer.

Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. If these site system servers will not support Internet-based client management, you can specify the intranet FQDN as the Internet FQDN value. In addition, these site system roles must be in a primary site.

To do that, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK:

a) Select HTTPS.

b) Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties, even if the site system server will not be accessible from the Internet.

c) Select Allow mobile devices and Mac computers to use this management point. This setting is very important; do not forget to enable it.

In the Configuration Manager console, click Administration, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use to support Mac computers. Right click on the server and click Add Site System Roles. On the General page, specify the general settings for the site system, and then click Next. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

Complete the wizard.

Configuring the Client Settings for Enrollment

This step is required for Configuration Manager to request and install the certificate on the Mac computer. You must use the default client settings to configure enrollment for Mac computers; you cannot use custom client settings. Right-click Default Client Settings and click Properties.

Select the Enrollment section, and then configure the following user settings:

Allow users to enroll mobile devices and Mac computers: Yes

Enrollment profile: Click Set Profile.

In the Mobile Device Enrollment Profile dialog box, click Create. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile (for example Mac Enrollment), and then select the Management site code. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box.

In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created and click OK. To know how I did it, click on the link How to deploy Client Certificate for Mac Computers.

Once you make the above changes, all users will be configured with these settings when they next download client policy. To see the results quickly, change the Client policy polling interval client setting in the Client Policy client setting group. In addition to the enrollment client settings, also enable and configure Hardware inventory (to collect hardware inventory from Mac and Windows client computers) and Compliance settings (to evaluate and remediate settings on Mac and Windows client computers) in the client settings.

Download and Install the Mac Client Files

The next step is to download and install the Mac client files. Click the link below to download the Mac client for SCCM 2012 R2.

Download Mac Client for SCCM 2012 R2

Download the Mac OS X client file package, ConfigmgrMacClient.msi, and save it to a Windows computer. Run the .msi file; it extracts Macclient.dmg to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client).

Next, copy the Macclient.dmg file to a folder on the Mac computer. Run the Macclient.dmg file that you just downloaded to extract the files to a folder on the local disk. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools. To make installation easier, I have moved the extracted files to the same folder where Macclient.dmg is present.

 

On the Mac computer, navigate to the folder where you extracted the contents of Macclient.dmg. To install the client agent, use the command below.

sudo ./ccmsetup

Wait until you see the message “The install was successful”. Although the installer displays a message that you must restart now, do not restart yet; continue to the next step.

Change to the Tools folder. From the Tools folder on the Mac computer, type the following command:

sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user name>'

Important – The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.

One thing can be confusing here: when you enter this command, you are prompted for two passwords. The first prompt is for the super user account to run the command. The second prompt is for the Active Directory user account. Enter the passwords in the correct sequence. You should see the message Successfully enrolled.

Restart the Mac computer. Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client (please see the last screenshot of this post).

To verify that the certificate has been installed correctly, go to Utilities > Keychain Access. Under Keychains select System, and then under Category select My Certificates. Expand the certificate and it should be linked to a Private Key named SCCM. Double-click the private key and then select Access Control. Under Always allow access by these applications you should find two entries, CCMClient and CMEnroll.

When you open the Configuration Manager item in System Preferences on the Mac computer you will see the client properties. The Enrollment status should be Enrolled.

In the Configuration Manager console, under Devices > All Systems, the Mac OS X system should appear. In my case the client activity was blank for some time but later it was Active. Initially the system icon will be a mobile device, but once hardware and software inventory have been run the icon will switch to that of a standard workstation. When you install a new client for Mac computers, you might also have to install Configuration Manager updates to reflect the new client information in the Configuration Manager console.
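
The enrollment and certificate checks above can also be scripted against the client's preferences. The following is an added example, not part of the original post: it assumes the preferences are available as an XML plist using the key names the Mac client writes to its CCMClient log, that an EnrollmentStatus of "1" means enrolled, and that dates are month/day/year; the host name and values are constructed placeholders.

```python
import plistlib
from datetime import datetime, timedelta
from urllib.parse import urlparse

DATE_FORMAT = "%m/%d/%Y %I:%M%p"  # assumption: month/day/year, 12-hour clock

# Constructed sample: key names as logged by the Mac client, values are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CertExpDate</key><string>10/04/2017 12:34PM</string>
    <key>EnrollmentError</key><string></string>
    <key>EnrollmentStatus</key><string>1</string>
    <key>MP</key><string>https://mp.example.test:443/omadm/cimhandler.ashx</string>
    <key>EnrollmentServerName</key><string>https://mp.example.test/EnrollmentServer/DeviceEnrollmentWebService.svc</string>
</dict>
</plist>
"""


def audit_client_prefs(plist_bytes, now, warn_days=30):
    """Return a list of findings; an empty list means every check passed."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    # Assumption: "1" is the value seen on a successfully enrolled client.
    if prefs.get("EnrollmentStatus") != "1":
        findings.append("not enrolled (EnrollmentStatus=%r)" % prefs.get("EnrollmentStatus"))
    if prefs.get("EnrollmentError"):
        findings.append("enrollment error: %s" % prefs["EnrollmentError"])
    # Mac clients must talk to the management and enrollment points over HTTPS.
    for key in ("MP", "EnrollmentServerName"):
        url = urlparse(str(prefs.get(key, "")))
        if url.scheme != "https" or not url.hostname:
            findings.append("%s is not an HTTPS URL" % key)
    # Flag a client certificate that has expired or is about to.
    try:
        expires = datetime.strptime(str(prefs.get("CertExpDate", "")), DATE_FORMAT)
    except ValueError:
        findings.append("CertExpDate missing or unparseable")
    else:
        if expires <= now:
            findings.append("client certificate expired on %s" % expires.date())
        elif expires - now <= timedelta(days=warn_days):
            findings.append("client certificate expires in %d days" % (expires - now).days)
    return findings


if __name__ == "__main__":
    for finding in audit_client_prefs(SAMPLE_PLIST, datetime.now()) or ["all checks passed"]:
        print(finding)
```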

  • Kenneth Dean

    Hi Prajwal, so I went through all your articles to set up the PKI certs and installed the MAC ConfigMgr Client and it worked, I could see the macs getting enrolled and popping up under Assets, however after setting this up my Management Point has had all kinds of errors, including imaging machines etc. The 2 main errors I saw after reviewing all the logs under site & component status are MP detected that clients are unable to communicate over HTTP and SQL server errors. They all started around the same time I started enrolling MACs. Ever seen this error? I didn’t do the CU5 update, maybe that is part of the issue. I am reinstalling and running the CU5 update before proceeding.

    • I have to take a look at the errors to understand this issue.

      • Kenneth Dean

        I already wiped the server… but here’s a couple off the top of my head. Under the SMS_MP_Control Manager or Monitor I got this error “MP detects that clients are unable to communicate with the MP via http 500 error”. I started looking through all the logs and I saw an error with the SQL database also not being able to communicate with SCCM via http. I switched the management point back to http or https, unchecked the pki cert box etc. and then tried to image. I was able to PXE into the boot image, I entered my password to image the machine and it states 08000×4005 error or something like that. I researched that error but it is just a general error.

        • I would recommend these options to be configured under site properties.

          1) Site system settings – HTTPS or HTTP – This allows the site system roles to use either HTTP or HTTPS communication.

          2) Client Computer settings – Use PKI client cert when available – This check box allows clients that are PKI-enabled or not PKI-enabled to co-exist and be managed in the same site at the same time.

          This provides a safe opportunity to check whether the site system roles and clients work with the HTTPS configuration. Because the site system roles still accept HTTP connections, all the clients remain managed. If a client has a valid PKI certificate and there are HTTPS site system roles available, these clients communicate over HTTPS. If a client does not have a valid PKI certificate, the client falls back to HTTP communication.

      • Kenneth Dean

        Well I reinstalled and did the CU2 update as I am already on SP2. It seemed very buggy before, I am going to try and enroll the MACs one more time and if it breaks I will send you the logs this time. So far everything is all green under component status. I will make sure to save the logs after I enroll the MACs. I have a stand-alone primary site. Can I create another primary site and have the MACs enroll to that site and push it to another server with SCCM 2012 R2 admin console installed?

  • Kenneth Dean

    As a workaround, could I set up another server (on a separate machine) and have my MAC clients enroll to that site? So for Silicon Valley I use SVL as my site code. Can I create a brand new SCCM 2012 R2 server and have the MACs enrolled there? So it would be two environments so to speak? Not sure if I am explaining this right. Thanks!!!

    • If you are creating a new site, the site code changes, and a Configuration Manager client can have only one site at one time. So my suggestion is to have only one Configuration Manager deployed in one site and not 2.

  • Mikey

    Hello Prajwal,

    I followed the steps above along with setting up the PKI environment. I am able to enroll the Mac Clients and see them in System Center. However I saw this message in terminal:

    No Preferences found for Key – ‘SignedSMSID’, Domain – ‘com.microsoft.ccmclient’.
    No Preferences found for Key – ‘CCMAuthHeaderType’, Domain – ‘com.microsoft.ccmclient’.
    No Preferences found for Key – ‘SignedCCMAuthHeaderType’, Domain – ‘com.microsoft.ccmclient’.
    No Preferences found for Key – ‘ClientTimeStamp’, Domain – ‘com.microsoft.ccmclient’.
    No Preferences found for Key – ‘SignedClientTimeStamp’, Domain – ‘com.microsoft.ccmclient’.

    8470 bytes available:
    4374 bytes available:
    278 bytes available:

    Importing trusted root certificate
    Root certificate already added

    Importing client auth certificate
    Modifying ccmclient preferences…

    Successfully enrolled.
    In addition, the Mac Client is not able to connect via the “Connect Now” button. It will stay on the processing… for a very long time.

  • Mikey

    In addition, here are the CCMClient logs from the Mac client from the time I opened the client and submitted “Connect Now”.

    Marker – Oct 4, 2016, 1:32:17 PM

    <![LOG[Preferences : Sending Notification to UI : ServiceCCM_PreferencesInitiate<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>CCMAuthHeaderType</key>
    <string></string>
    <key>CertExpDate</key>
    <string>10/04/2017 12:34PM</string>
    <key>CertType</key>
    <string>Machine</string>
    <key>ClientTimeStamp</key>
    <string></string>
    <key>EnrollmentError</key>
    <string></string>
    <key>EnrollmentServerName</key>
    <string>https://memberserver.test.local/EnrollmentServer/DeviceEnrollmentWebService.svc</string>
    <key>EnrollmentStatus</key>
    <string>1</string>
    <key>EnrollmentType</key>
    <string>User</string>
    <key>EnrollmentUILaunched</key>
    <string>1</string>
    <key>EnrollmentUserName</key>
    <string>macuser@test.local</string>
    <key>MP</key>
    <string>https://memberserver.test.local:443/omadm/cimhandler.ashx</string>
    <key>MgmtAuthorityName</key>
    <string>SCCM</string>
    <key>MgmtServerList</key>
    <string></string>
    <key>OMALastConnectTime</key>
    <string>10/04/2016 12:44PM</string>
    <key>PolicyConnectIntervalInSec</key>
    <string>3600</string>
    <key>SMSID</key>
    <string>GUID:FA583985-71D2-43F4-A037-F1CCAB0350B0</string>
    <key>SerialNumber</key>
    <data>
    FQAAABE7sNtLVk9JtAAAAAAAEQ==
    </data>
    <key>SignedCCMAuthHeaderType</key>
    <string></string>
    <key>SignedClientTimeStamp</key>
    <string></string>
    <key>SignedSMSID</key>
    <string></string>
    <key>SubjectName</key>
    <string>MacUser</string>
    <key>Version</key>
    <string>5.00.7958.1102</string>
    </dict>
    </plist>
    ]LOG]!>

    <![LOG[CCMClient – Broadcasting Msg to UI : ServiceCCM_PreferencesInitiate<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>CCMAuthHeaderType</key>
    <string></string>
    <key>CertExpDate</key>
    <string>10/04/2017 12:34PM</string>
    <key>CertType</key>
    <string>Machine</string>
    <key>ClientTimeStamp</key>
    <string></string>
    <key>EnrollmentError</key>
    <string></string>
    <key>EnrollmentServerName</key>
    <string>https://memberserver.test.local/EnrollmentServer/DeviceEnrollmentWebService.svc</string>
    <key>EnrollmentStatus</key>
    <string>1</string>
    <key>EnrollmentType</key>
    <string>User</string>
    <key>EnrollmentUILaunched</key>
    <string>1</string>
    <key>EnrollmentUserName</key>
    <string>macuser@test.local</string>
    <key>MP</key>
    <string>https://memberserver.test.local:443/omadm/cimhandler.ashx</string>
    <key>MgmtAuthorityName</key>
    <string>SCCM</string>
    <key>MgmtServerList</key>
    <string></string>
    <key>OMALastConnectTime</key>
    <string>10/04/2016 12:44PM</string>
    <key>PolicyConnectIntervalInSec</key>
    <string>3600</string>
    <key>SMSID</key>
    <string>GUID:FA583985-71D2-43F4-A037-F1CCAB0350B0</string>
    <key>SerialNumber</key>
    <data>
    FQAAABE7sNtLVk9JtAAAAAAAEQ==
    </data>
    <key>SignedCCMAuthHeaderType</key>
    <string></string>
    <key>SignedClientTimeStamp</key>
    <string></string>
    <key>SignedSMSID</key>
    <string></string>
    <key>SubjectName</key>
    <string>MacUser</string>
    <key>Version</key>
    <string>5.00.7958.1102</string>
    </dict>
    </plist>
    ]LOG]!>

    <![LOG[MaxMessageSize from Config file is

    <![LOG[MaxMessageSize from Config file is

    <![LOG[MaxMessageSize from Config file is

    <![LOG[MaxMessageSize from Config file is

    <![LOG[OMA : Sending Notification to UI : ServiceCCM_OMAProgress]LOG]!>

    <![LOG[CCMClient – Broadcasting Msg to UI : ServiceCCM_OMAProgress]LOG]!>