Sccm 2012 R2 MAC Enrollment & HTTPS connections setup

by dakseven, posted in SCCM 2012

Hi this is my first post ,

Nice to meet you all ! my name is Tony and i’m Working on SCCM proyect in Barcelona , Spain

First of  I hope that you’ll enjoy my guides as I did searching info on the Net to Solve all of my Issues that I have everyday in this field called “IT”

So… Done presentations lets try to do some usefull work , are you a SCCM admin and you have to enroll MACS on it?

You are in the right place then , lets DO IT  😀

 

Before Starting , I recommend to try all this features in a TEST Lab first !

I do not take responsibility for any damages that may cause this guide on your productive enviorments 😛

 

This guide is  for enrolling MAC computers we gonna post windows clients enrollment at the end too if you are interested

 

Before Starting … LAB  Software Requeriments 

 

-MAC package Client (Only R2 compatible) -> http://www.microsoft.com/en-us/download/details.aspx?id=36212

– Macintosh machine ( This Test is done with a Maverick compatible 10.9.2 OS  )

-SCCM 2012 R2 server primary site  + Distribution Point

-Active directory domain with CA auth role installed

-Windows 2012 R2 Edition installed on the DP   ( Recommended to avoid ISS  Bug 500)

– One best Practice recommended before starting , is to create a Active directory security group that will contain the SCCM servers that will have the “Distribution point role” installed (see attach)

 

 

What we gonna do?

 

Setup a Sccm2012 LAB enviorment  for testing purproses , that will allow enroll Apple Computers on it & windows  for this purprose we’ll gonna need to change our current connections to HTTPS

Install the MAC client ( R2 client ) and enroll it

Deploy MAC app  (  Firefox )

Create 2 client certificates (Windows computers and mac )

Create 2 Server certificates ( for distribution points )

Create GPO to autoenroll windows computers

 

Differences between Http and Https , Oh I’dont remember the difference (don’t worry)

“HTTPS” stands for “Hyper Text Transfer Protocol Secure.”  It means that information exchanged between you and a web site is encrypted and cannot be hijacked by someone who might want to electronically eavesdrop when you type a credit card number, a password, a social security number, or any other person information.

 

from http://www.truthorfiction.com/rumors/s/secure-web-sites.htm#.U3nY7Pl_t1A

 

 

If you want to enforce HTTPS communications across the board (which is especially useful for internet-facing SCCM services) then an internal PKI cert  is still required. So to enroll Mac computers i’ts a requeriment to encrypt those connections 

 

Usefull Documentation to read before  and Thanks to the people that have made it that allowed me to do this post

 

http://systemcenter2012.com/blogs/vnext/archive/2013/02/15/how-to-install-and-configure-mac-client-on-sccm2012.aspx ( This guide is based on it and is  Easy to follow too  )

 

http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_MacClient_SP1 -> SCCM 2012 R2 technet official Documentation

 

http://esihere.wordpress.com/2012/01/17/a-complete-guide-on-active-directory-certificate-services-in-windows-server-2008-r2/ -> Certification authority Installation & Conf guide ( not official but nice )

 

http://www.jamesbannanit.com/2012/11/deploy-os-x-applications-with-configuration-manager-2012-sp1/ -> ( Deploying MAC apps)

 

Before the process (IMPORTANT) 

 

– Make shure you install on the 2012 R2 DP server Bits backround Transfer , NET FRAMEWORK 2.0/3.5  and ISS full features otherwishe you will fail!! (as I did) 

Capture of the ISS roles needed

 

Step 1 ( Generating The ISS certificate )

 

Before reading just remember this tips:

  • The permissions of the certificate are really very important so dont forget to select the Enroll and READ permission for the SCCM2012 SERVERS  security group , and  NEVER t clear the Read permission for the group
  • Once you duplicate the template and renamed, remember in the CA console right click “new certificate to issue”
  • to acces CA console you can just enter with mmc.msc  command

 

  1. Create a security group named ConfigMgr IIS Servers that contains the member servers to install System Center 2012 Configuration Manager site systems that will run IIS.
  2. On the member server that has Certificate Services installed, in the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.
  3. In the results pane, right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
    ImportantImportant
    Do not select Windows 2008 Server, Enterprise Edition.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the web certificates that will be used on Configuration Manager site systems, such as ConfigMgr Web Server Certificate.
  6. Click the Subject Name tab, and make sure that Supply in the request is selected.
  7. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
  8. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.
  9. Select the Enroll permission for this group, and do not clear the Read permission.(
  10. Click OK, and close the Certificate Templates Console.
  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Web Server Certificate, and then click OK.
  13. If you do not need to create and issue any more certificate, close Certification Authority

 

Step 2 ( Requesting the certificate to distribution point  )

 

Well done  , once we’ve created the certificate .. now we gonna need to request it on the distribution point so this changes we gonna make on it

Important tip on the step 13

 

( We gonna need to use FQDN and Internet Connections on DP to allow Mac enrollment , this not means that we must configure a FQDN external  this is not really true  , only is needed this specs to

enroll mac as something similar to mobile devices enrollment ) , so if our DP server is named “X”  on the DNS box  when we are requesting the certificate on the mmc.msc console it’s really important to write the FQDN of X

this Case:

X.Domain.com (FQDN)  otherwishe won’t work properly…

 

To request the web server certificate on the distribution point 
  1. Restart the member server that runs IIS, to ensure that the computer can access the certificate template that you created, by using the Read and Enroll permissions that you configured.
  2. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
  3. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  4. In the Certificate snap-in dialog box, select Computer account, and then click Next.
  5. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
  6. In the Add or Remove Snap-ins dialog box, click OK.
  7. In the console, expand Certificates (Local Computer), and then click Personal.
  8. Right-click Certificates, click All Tasks, and then click Request New Certificate.
  9. On the Before You Begin page, click Next.
  10. If you see the Select Certificate Enrollment Policy page, click Next.
  11. On the Request Certificates page, identify the ConfigMgr Web Server Certificate from the list of displayed certificates, and then click More information is required to enroll for this certificate. Click here to configure settings.
  12. In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Typedrop-down list, and then select DNS.
  13. In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.Examples:
    • If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is server1.internal.contoso.com: Type server1.internal.contoso.com, and then click Add.
    • If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is server1.internal.contoso.com and the Internet FQDN of the site system server is server.contoso.com:
      1. Type server1.internal.contoso.com, and then click Add.
      2. Type server.contoso.com, and then click Add.
      noteNote
      It does not matter in which order you specify the FQDNs for Configuration Manager. However, check that all devices that will use the certificate, such as mobile devices and proxy web servers, can use a certificate SAN and multiple values in the SAN. If devices have limited support for SAN values in certificates, you might have to change the order of the FQDNs or use the Subject value instead.
  14. On the Request Certificates page, select ConfigMgr Web Server Certificate from the list of displayed certificates, and then click Enroll.
  15. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
  16. Close Certificates (Local Computer).

 

Step 3  ( BINDING THE CERTIFICATE TO ISS DP  )

 

Here you have a  screenshot , selecting the certificate ( Really important to enroll the certificate on the DP and select the correct one (not another :P)

 

 

This procedure binds the installed certificate to the IIS Default Web Site.

 

To configure IIS to use the web server certificate

  1. On the member server that has IIS installed, click Start, click Programs, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Expand Sites, right-click Default Web Site, and then select Edit Bindings.
  3. Click the https entry, and then click Edit.
  4. In the Edit Site Binding dialog box, select the certificate that you requested by using the ConfigMgr Web Server Certificates template, and then click OK.
    noteNote
    If you are not sure which is the correct certificate, select one, and then click View. This allows you to compare the selected certificate details with the certificates that are displayed with the Certificates snap-in. For example, the Certificates snap-in displays the certificate template that was used to request the certificate. You can then compare the certificate thumbprint of the certificate that was requested with the ConfigMgr Web Server Certificates template with the certificate thumbprint of the certificate currently selected in the Edit Site Binding dialog box.
  5. Click OK in the Edit Site Binding dialog box, and then click Close.
  6. Close Internet Information Services (IIS) Manager.

The member server is now provisioned with a Configuration Manager web server certificate.

ImportantImportant
When you install the Configuration Manager site system server on this computer, make sure that you specify the same FQDNs in the site system properties as you specified when you requested the certificate.

 

Step 4  ( Changuing TO HTTPS connections on Distribution point  and installing roles if needed   )

 

1. Specify FQDN on The DP server (important)

2. Select the following roles to install

Enrollment Point

Enrollment Proxy point

Management Point

3.Select Https option on client connections and “allow intranet and internet connections” & select the check “allow mobile devices and mac computers to use this management point”

4.Configure Active directory accounts if needed on the role installation , follow the screenshots to configure enrollment proxy point and enrollment point

 

 

 

 

 

STEP 5 Creating Client Certificates ( MAC CERTIFICATE ) 

 

Tips:

Please pay attention to the STEP 6 , configure the right options or it won’t work

Permissions: It’s very important to give “all users” the READ permision and ENROLL  (in my case) we use this to view with “user affinity” who is the machine owner (primare device)

 

 

Creating and Issuing a Mac Client Certificate Template on the Certification Authority

This procedure creates a custom certificate template for Configuration Manager Mac computers and adds the certificate template to the certification authority.

noteNote
This procedure uses a different certificate template from the certificate template that you might have created for Windows client computers or for distribution points. By creating a new certificate template for this certificate, you can restrict the certificate request to authorized users.
To create and issue the Mac client certificate template on the certification authority

  1. Create a security group that contains user accounts for administrative users who will enroll the certificate on the Mac computer by using Configuration Manager. Make sure that this group does not contain user accounts for users who can enroll mobile devices in Configuration Manager.
  2. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
  3. In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template.
  4. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
    ImportantImportant
    Do not select Windows 2008 Server, Enterprise Edition.
  5. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as ConfigMgr Mac Client Certificate.
  6. Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for the Subject name format: and clear User principal name (UPN) from Include this information in alternate subject name.
  7. Click the Security tab, and remove the Enroll permission from the Domain Admins and Enterprise Admins security groups.
  8. Click Add, specify the security group that you created in step one, and then click OK.
  9. Select the Enroll permission for this group, and do not clear the Read permission.
  10. Click OK and close Certificate Templates Console.
  11. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  12. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Mac Client Certificate, and then click OK.
  13. If you do not have to create and issue any more certificates, close Certification Authority.

The Mac client certificate template is now ready to be selected when you configure client settings for enrollment.

 

CONFIGURE THE ROLES PROPERLY ON THE SISTEM (sccm config)  &  THE CLIENT SETTINGS 

 

Please follow this steps on all of your systems that will manage MAC computers

 

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that holds the site system roles to configure.
  3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK:
    1. Select HTTPS.
    2. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.
    3. Select Allow mobile devices and Mac computers to use this management point.
  4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK:
    • Select HTTPS.
    • Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.
    • Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.
  5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with Mac computers.

 

To configure the default client settings for Configuration Manager to enroll certificates for Mac computers 

  1. In the Configuration Manager console, click Administration.
  2. In the Administration workspace, click Client Settings.
  3. Click Default Client Settings

 

  1. ImportantImportant
    You cannot use a custom client setting for the enrollment configuration; you must use the default client settings.
  2. On the Home tab, in the Properties group, click Properties.
  3. Select the Enrollment section, and then configure the following user settings:
    1. Allow users to enroll mobile devices and Mac computers:Yes
    2. Enrollment profile: Click Set Profile.
  4. In the Mobile Device Enrollment Profile dialog box, click Create.
  5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile, and then configure the Management site code. Select the Configuration Manager SP1 primary site that contains the management points that will manage the Mac computers.
  6. noteNote
    If you cannot select the site, check that at least one management point in the site is configured to support mobile devices.
  7. Click Add.
  8. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK.
  9. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created in Step 3, and then click OK.
  10. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box.
    TipTip
    If you want to change the client policy interval, use the Client policy polling interval client setting in the Client Policy client setting group.

 

STEP 6 Creating & Deploying Client Certificates ( WINDOWS CLIENT  CERTIFICATE FOR GPO AUTOENROLLMENT  ) 

 

Deploying the Client Certificate for Windows Computers

 

Tips:

Important to pay attention at security step 5 (remember this certificate is for a future autoenrollment policy on active directory so it’s very imporant to check the “autoenroll and read” for all computers in the security tab)

This is not the same “client certificate that we will use for distribution point”

 

Connect on your certificate server and follow the steps under

This certificate deployment has the following procedures:

  • Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority
  • Configuring Autoenrollment of the Workstation Authentication Template by Using Group Policy
  • Automatically Enrolling the Workstation Authentication Certificate and Verifying Its Installation on Computers
Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

This procedure creates a certificate template for System Center 2012 Configuration Manager client computers and adds it to the certification authority.

To create and issue the Workstation Authentication certificate template on the certification authority

  1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
    ImportantImportant
    Do not select Windows 2008 Server, Enterprise Edition.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client certificates that will be used on Configuration Manager client computers, such as ConfigMgr Client Certificate.
  5. Click the Security tab, select the Domain Computers group, and select the additional permissions of Read and Autoenroll. Do not clear Enroll.
  6. Click OK and close Certificate Templates Console.
  7. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  8. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Certificate, and then click OK.
  9. If you do not need to create and issue any more certificate, close Certification Authority.

 

To configure autoenrollment of the workstation authentication template by using Group Policy

 

Remember to LINK GPO on the RIGHT container where the user machines with SCCM2012 client resides  otherwhise Windows clients won’t run at HTTPS secure connections

 

  1. On the domain controller, click Start, click Administrative Tools, and then click Group Policy Management.
  2. Navigate to your domain, right-click the domain, and then select Create a GPO in this domain, and Link it here.
    noteNote
    This step uses the best practice of creating a new Group Policy for custom settings rather than editing the Default Domain Policy that is installed with Active Directory Domain Services. By assigning this Group Policy at the domain level, you will apply it to all computers in the domain. However, on a production environment, you can restrict the autoenrollment so that it enrolls on only selected computers by assigning the Group Policy at an organizational unit level, or you can filter the domain Group Policy with a security group so that it applies only to the computers in the group. If you restrict autoenrollment, remember to include the server that is configured as the management point.
  3. In the New GPO dialog box, enter a name for the new Group Policy, such as Autoenroll Certificates, and click OK.
  4. In the results pane, on the Linked Group Policy Objects tab, right-click the new Group Policy, and then click Edit.
  5. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings / Security Settings / Public Key Policies.
  6. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.
  7. From the Configuration Model drop-down list, select Enabled, select Renew expired certificates, update pending certificates, and remove revoked certificates, select Update certificates that use certificate templates, and then click OK.
  8. Close Group Policy Management.

 

To Check if all gone wright do this test on the computer target in the right OU with the new GPO that we created & linked :

 

  1. Restart the workstation computer, and wait a few minutes before logging on ( or use Gpupdate /force )
    noteNote
    Restarting a computer is the most reliable method of ensuring success with certificate autoenrollment.
  2. Log on with an account that has administrative privileges.
  3. In the search box, type mmc.exe., and then press Enter.
  4. In the empty management console, click File, and then click Add/Remove Snap-in.
  5. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  6. In the Certificate snap-in dialog box, select Computer account, and then click Next.
  7. In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.
  8. In the Add or Remove Snap-ins dialog box, click OK.
  9. In the console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
  10. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Certificate is displayed in the Certificate Template column.
  11. Close Certificates (Local Computer).
  12. Repeat steps 1 through 11 for the member server to verify that the server that will be configured as the management point also has a client certificate.

The computer is now provisioned with a Configuration Manager client certificate.

 

 

STEP  7   Deploying the Client Certificate for Distribution Points

 

Pay attention at STEP 5 , because it’s important to make exportable this key we gonna need to configure it on Distribution points

 

Connect on your certificate server and follow the steps under

noteNote
This certificate can also be used for media images that do not use PXE boot, because the certificate requirements are the same.

This certificate deployment has the following procedures:

  • Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority
  • Requesting the Custom Workstation Authentication Certificate
  • Exporting the Client Certificate for Distribution Points
Creating and Issuing a Custom Workstation Authentication Certificate Template on the Certification Authority

This procedure creates a custom certificate template for Configuration Manager distribution points that allows the private key to be exported, and adds the certificate template to the certification authority.

noteNote
This procedure uses a different certificate template from the certificate template that you created for client computers, because although both certificates require client authentication capability, the certificate for distribution points requires that the private key is exported. As a security best practice, do not configure certificate templates to allow the private key to be exported unless this configuration is required. The distribution point requires this configuration because you must import the certificate as a file, rather than select it from the certificate store. By creating a new certificate template for this certificate, you can restrict which computers request a certificate that allows the private key to be exported. In our example deployment, this will be the security group that you previously created for Configuration Manager site system servers that run IIS. On a production network that distributes the IIS site system roles, consider creating a new security group for the servers that run distribution points so that you can restrict the certificate to just these site system servers. You might also consider adding the following modifications for this certificate:

  • Require approval to install the certificate, for additional security.
  • Increase the certificate validity period. Because you must export and import the certificate each time before it expires, increasing the validity period reduces how often you must repeat this procedure. However, when you increase the validity period, it decreases the security of the certificate because it provides more time for an attacker to decrypt the private key and steal the certificate.
  • Use a custom value in the certificate Subject field or Subject Alternative Name (SAN) to help identify this certificate from standard client certificates. This can be particularly helpful if you will use the same certificate for multiple distribution points.

To create and issue the custom Workstation Authentication certificate template on the certification authority

  1. On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
  2. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.
  3. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.
    ImportantImportant
    Do not select Windows 2008 Server, Enterprise Edition.
  4. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the client authentication certificate for distribution points, such as ConfigMgr Client Distribution Point Certificate.
  5. Click the Request Handling tab, and select Allow private key to be exported.
  6. Click the Security tab, and remove the Enroll permission from the Enterprise Admins security group.
  7. Click Add, enter ConfigMgr IIS Servers in the text box, and then click OK.
  8. Select the Enroll permission for this group, and do not clear the Read permission.
  9. Click OK and close Certificate Templates Console.
  10. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  11. In the Enable Certificate Templates dialog box, select the new template that you have just created, ConfigMgr Client Distribution Point Certificate, and then click OK.
  12. If you do not have to create and issue any more certificates, close Certification Authority.

 

To request the custom Workstation Authentication certificate ( THIS STEP IS FOR DISTRIBUTION POINTS ONLY) 

  1. Click Start, click Run, and type mmc.exe. In the empty console, click File, and then click Add/Remove Snap-in.
  2. In the Add or Remove Snap-ins dialog box, select Certificates from the list of Available snap-ins, and then click Add.
  3. In the Certificate snap-in dialog box, select Computer account, and then click Next.
  4. In the Select Computer dialog box, ensure Local computer: (the computer this console is running on) is selected, and then click Finish.
  5. In the Add or Remove Snap-ins dialog box, click OK.
  6. In the console, expand Certificates (Local Computer), and then click Personal.
  7. Right-click Certificates, click All Tasks, and then click Request New Certificate.
  8. On the Before You Begin page, click Next.
  9. If you see the Select Certificate Enrollment Policy page, click Next.
  10. On the Request Certificates page, select the ConfigMgr Client Distribution Point Certificate from the list of displayed certificates, and then click Enroll.
  11. On the Certificates Installation Results page, wait until the certificate is installed, and then click Finish.
  12. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column, and that ConfigMgr Client Distribution Point Certificate is displayed in the Certificate Template column.
  13. Do not close Certificates (Local Computer).

 

Exporting the Client Certificate for Distribution Points

This procedure exports the custom Workstation Authentication certificate to a file, so that it can be imported in the distribution point properties.

To export the client certificate for distribution points

  1. In the Certificates (Local Computer) console, right-click the certificate that you have just installed, select All Tasks, and then click Export.
  2. In the Certificates Export Wizard, click Next.
  3. On the Export Private Key page, select Yes, export the private key, and then click Next.
    noteNote
    If this option is not available, the certificate has been created without the option to export the private key. In this scenario, you cannot export the certificate in the required format. You must reconfigure the certificate template to allow the private key to be exported, and then request the certificate again.
  4. On the Export File Format page, ensure that the option Personal Information Exchange – PKCS #12 (.PFX) is selected.
  5. On the Password page, specify a strong password to protect the exported certificate with its private key, and then click Next.
  6. On the File to Export page, specify the name of the file that you want to export, and then click Next.
  7. To close the wizard, click Finish in the Certificate Export Wizard page, and click OK in the confirmation dialog box.
  8. Close Certificates (Local Computer).
  9. Store the file securely and ensure that you can access it from the Configuration Manager console.

The certificate is now ready to be imported when you configure the distribution point.

 

 

STEP  7  ENROLLING & INSTALLING  MAC CLIENT  SCCM2012 R2

 

First download the client for mac computers ( http://www.microsoft.com/en-us/download/details.aspx?id=36212 )

Once you’ve installed you will find in the installation folder a DMG package needed to the enrollment , you must copy that on the MAC client

 

 

Once you have the DMG file on the Mac  computer you can use the command ( Root password req )  (SUDO ./CCMSETUP) , this will install the client

 

 

A restart is required afer the installation

 

 

TO ENROLL THE CLIENT

This step can be managed with graphic interface also in the dmg includes the CMEnroll command to do it

in any case you must enter the credentials of the user that have “read privileges and enroll privileges” on the template that we created before

 

sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <‘user name’> [-p <password>]

 

Once you’ve enrolled the client will appear in your SCCM console 🙂

 

STEP  8 DEPLOYING MACINTOSH APP 

 

 1 – Repackage the application

Windows doesn’t understand applications designed for OS X, which means that Configuration Manager can’t work with them natively either.  They need to be repackaged into a format which CM can work with.

For this, we’ll need an OS X client which has access to the Configuration Manager agent package as well as the application you want to deploy.

In the Tools folder of the Configuration Manager package (the same location as the CMEnroll utility) is a utility called CMAppUtil.  This is used for repackaging OS X applications to a custom .CMMAC format which can be imported into the Configuration Manager Software Library.

The utility supports conversion from .APP, .PKG, .MPKG and .DMG formats.

Our downloaded Firefox executable is a .DMG (Firefox 16.0.2.dmg, to be precise), so the usage will be (from the Tools folder):

sudo ./CMAppUtil -c /Users/james/Desktop/DMGs/Firefox\ 16.0.2.dmg -o /Users/james/Desktop/cmmac\ Apps

Note that the filepaths are absolute from root, and that the -o switch to specify the output doesn’t require an output filename as this happens automatically.

Step 2 – Import the Application

In the Configuration Manager console, navigate to the Software Library and select Applications.  Right-click, select “Create Application”, select “Mac OS X” from the drop-down list and enter the UNC location of the .cmmac file created in Step 1:

Click though the wizard and manually enter the application details – Configuration Manager can’t extract and pre-populate this information as it can with MSI or App-V applications.

Take a look at the Properties of the newly-created Deployment Type and navigate to the “Detection Method” tab.  As you can see, Configuration Manager understands enough from the package to create a detection method which will allow the agent to discover whether the application has already been installed, or whether it has been successfully installed.  In many ways, this functionality is core to the AppModel in Configuration Manager 2012.

Before deploying the application, distribute the content to an internet-enabled distribution point.

Step 3 – Deploy the Application

Create a new Deployment for the Application.  At present, the only supported Deployment to OS X clients are Required to Device Collections:

Next, to trigger a policy refresh on the OS X client, open System Preferences and then the Configuration Manager pane under “Other”, then click “Connect Now”:

The agent will talk back to the Management Point and download the machine policy, at which point the user should be presented with an alert that there is an active deployment:

 

Click “Install Now” to trigger the deployment immediately.  The content will download and the installation will be triggered…

…and the user will be notified once the installation is complete:

That’s It

Enjoy the manual 🙂

Advertisement

Published by dakseven

74 thoughts on “Sccm 2012 R2 MAC Enrollment & HTTPS connections setup

  1. Hey Tony!

    I ran into something interesting when trying to enroll my first mac into SCCM. The mac I worked with was bound to Active Directory and discovered in SCCM by the “Active Directory System Discovery” process. After I enrolled the Mac via the enrollment process, a second SCCM Mac device was created with the same name as the one that was discovered in Active Directory. Do you know if this is the expected outcome? Do you know why the object discovered in Active Directory was not used for enrollment instead of creating a second object with the exact name?

    P.S. My name is Tony too!

    –Tony

    Reply

    1. hi tony nice to meet u too. yeah its true because you are detecting the machine as ad object or dns name (too) and once you’ve enrolled the device is detected as “movile device” I think the only solution is to filter the active directory scan only to windows OU maybe . Where i work we have the same problem and we have duplicated dns too in this case (mac machine name and mac active directory name) we are searching for a solution… thanks 4 comment

      Reply

  4. Hello there, I found your site by means of Google even as searching for a related topic, your site came up, it seems to be great.
    I’ve bookmarked it in my google bookmarks.
    Hi there, just become aware of your blog thru Google, and found
    that it’s truly informative. I’m gonna watch out for brussels.

    I will be grateful when you continue this in future.
    Numerous people will probably be benefited from your writing.

    Cheers!

    Reply

  6. Hi I am so delighted I found your webpage, I really found you by accident, while I was searching on Bing
    for something else, Regardless I am here now and would just like to say cheers for
    a fantastic post and a all round exciting blog (I also love the theme/design),
    I don’t have time to look over it all at the moment but I have bookmarked it and also
    included your RSS feeds, so when I have time I will be back to read much more, Please
    do keep up the great job.

    Reply

  8. I’ve been surfing online more than three hours these days, yet I
    never discoveredd any fascinating article like yours.
    It is lovely price sufficient for me. Personally, if all webmasters and bloggers made ggood content as you did, the internet will be
    a lot more useful than ever before.

    Reply

  10. Today, I went to the beachfront with my children. I found a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell
    to her ear and screamed. There was a hermit crab inside
    and it pinched her ear. She never wants to go back! LoL I know
    this is totally off topic but I had to tell someone!

    Reply

  14. Hi, Neat post. There is a problem together with your web site in internet explorer, may test this?
    IE still is the market chief and a large element of other folks will miss your excellent writing due to this problem.

    Reply

  16. I’m amazed, I have to admit. Seldom do I encounter a blog that’s equally educative and interesting, and without a doubt, you have hit the nail on the head.
    The issue is an issue that too few folks are speaking intelligently about.

    I’m very happy I came across this in my hunt
    for something relating to this.

    Reply

  17. Great post. I used to be checking continuously this weblog and I’m impressed!
    Extremely helpful information specially the remaining phase :
    ) I handle such info much. I was looking for this certain information for a very lengthy time.
    Thank you and good luck.

    Reply

  20. Hello! This post could not be writtwn any better! Reading this post reminds me of myy previous room mate!
    He always kept chatting about this. I will forward this page to him.
    Fairly certain he will hzve a good read. Many thanks for sharing!

    Reply

  22. They motive that whenever they were to transfer in and get labeled as,
    they could bust out. And for those Captain Planet lovers out
    there, using fewer paper towels will save quite
    a few trees. For example, Anand – Tech offers different types of downloads, including POI database downloads.

    Reply

  23. With the push of a single button, a user will be able to launch a series
    of complicated commands. When discovered, just about every
    golden egg shows the particular purpose, too. Articles of information need
    to be built around keywords in order to bring in the free
    traffic from the search engines.

    Reply

  24. Sometimes, this mode is simply called Close Up and is denoted
    by a flower icon on your camera. Well first off people realize this is Pay – Pal,
    one of the most trusted online banking sites out
    there that people use on the daily basis for all of their personal
    or business needs. Articles of information need
    to be built around keywords in order to bring in the free traffic from the
    search engines.

    Reply

  25. Difficult as it may be to believe, I think she becomes even creepier here.

    Speaking of magic, this episode actually does introduce some elements of
    meta-physical mysticism into the equation. There’s a sub-plot about the STN network getting hacked, but it was surprisingly lackluster.

    Reply

  26. 99% of these websites are offering out dated and old software written in Java.
    And, never, ever wait until your customer leaves or threatens to leave
    and then offer them the world to stay. (OF-COURSE) That process
    is not that easy, simple or legit as people might think because in that same instance you have to purchase something that you don.

    Reply

  27. With the push of a single button, a user will be able to launch a series of complicated commands.
    Well first off people realize this is Pay – Pal, one
    of the most trusted online banking sites out there
    that people use on the daily basis for all of their
    personal or business needs. The game begins to develop throughout popularity through This summer regarding 1986
    it really is hard-wired to the Apple 2 and also Commodore 64.

    Reply

  28. I also believe that as people become aware of the Law of Attraction, they
    will realize that they can influence the world by their belief and will be an agent for positive change for the future.
    ” Where marital vows originated are of no moment, it is clear that these words express an expectation of lifelong bonding. This is all true, but also understand that in the same study, almost 70% of them men felt ‘extreme guilt’ about and were ‘just sick over the affair’ ‘ after it had happened and it was too late to take it back.

    Reply

  29. What types of things will make a person prone to becoming possessed.
    Those gamers that prefer advanced of play and
    so are active in the League of Legends tournament scene, and also those who just take advantage of the spectacle of many
    ongoing tournaments and championships for your game are the ones that number in the side favoring the classic 3-Lane tower
    defense gameplay. This should only be performed by someone who is properly formed and called to do this ministry.

    Reply

  30. With the push of a single button, a user will be able to
    launch a series of complicated commands. This helps water cool more quickly and increases the rate of
    evaporation. This guide will focus on Combat path with some points
    mixed into other two trees to support the main talent.

    Reply

  31. They are usually equipped with seeders, plows and sprayers.
    intelligent, correlating events and identifying true security incidents only so resources can focus on genuine threats and attacks.
    I was prompted to read the book in 1964, because a person, who bragged
    about his ability to crush anyone by the games he played, said he learned
    to be better at his gamesmanship from Games
    People Play.

    Reply

  32. Just want to say your article is as surprising. The clearness
    on your post is just cool and that i could think you are
    knowledgeable on this subject. Well together with your permission allow me to grab your feed to keep updated with imminent post.
    Thanks a million and please keep up the rewarding work.

    Reply

  33. hello!,I love your writing so much! proportion wee keep in touch
    more appdoximately your post on AOL? I require a specialist in this adea
    to resolve my problem. Maybe that’s you! Looking forward tto look you.

    Reply

  35. Simply go to where your Mod is in the Package
    folder, and delete it. These tractors can breakup asphalt, dig large holes, transport materials and aid in demolition. The nudist mod for The Sims
    3 is one of the most used and easy to install.

    Reply

  36. 99% of these websites are offering out dated and old software written in Java.
    Sometimes you may forget to log out safely and
    this can be a very hard thing to do. Articles of information need to be built around keywords in order to bring in the free traffic from the search engines.

    Reply

  37. Although Facebook is a big, notable company it is still a young pup in the internet world.
    It’s not a secret that purchasing share in the
    stock market is really a risky business. We have preventive measures in place to assure that
    problems that arise frequently are kept in check.

    Reply

  39. With the push of a single button, a user will be able to launch a series of complicated commands.
    And, never, ever wait until your customer leaves or threatens to leave and then offer them
    the world to stay. Articles of information need to be built around keywords in order to bring in the free traffic
    from the search engines.

    Reply

  41. I suppose that a later release means more time for the developers to
    polish up their launch offerings and all that, which is always good.
    Most injuries relating to bunk beds are due to falls and would involve mostly young children. It’s all
    conjecture at this point, and likely a far stretch of opinion by opponents of the president.

    Reply

  42. We’re a group of volunteers and starting a new scheme in our community.
    Your site offered us with valuable information to work on. You’ve done a formidable job
    and our whole community wiull be thankful to you.

    Reply

  45. They are usually equipped with seeders, plows and sprayers.
    These tractors can breakup asphalt, dig large holes, transport
    materials and aid in demolition. No Install Required: This type of program is 100% remote.

    Reply

  46. Do you have a spam problem on this site; Ialso amm
    a blogger, aand I was wanting to know your situation; many of
    uss have developed soe nice procedures and wee are looking to
    exchange strategies with other folks, please shoot me an e-mail if interested.

    Reply

  47. Somebody necesarily assist tto make critically articles
    I’d state. This is the first time I frequented your web page and so
    far? I surprised with the research you made to make this
    actual put up incredible. Great process!

    Reply

  50. Search and research all the keywords that have an interest in your site theme.
    This helps water cool more quickly and increases the rate of evaporation. This guide will focus on Combat path with
    some points mixed into other two trees to support the main talent.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.