In this post we will see how to deploy a client certificate for Mac computers. Installing SCCM client agents on Mac computers and managing them in System Center 2012 Configuration Manager requires public key infrastructure (PKI) certificates. When you have PKI in place, Configuration Manager can request and install a user client certificate by using Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. If you don’t have PKI in place, you can request and install a computer certificate independently from Configuration Manager if the certificate meets the requirements for Configuration Manager. The whole idea of deploying PKI certificates is to secure the communication between the Mac computers and Configuration Manager.
How to deploy Client Certificate for Mac Computers
You must have PKI configured before you proceed any further.
Note that the certificate we create and issue authenticates the Mac client computer to the site system servers that it communicates with, such as management points and distribution points.
Before you create a certificate template, create a security group (for example Mac Users) that contains user accounts for administrative users who will enroll the certificate on the Mac computer by using Configuration Manager.
On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.
In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template.
NOTE – If you are not using PKI and are installing the certificate independently from Configuration Manager, always use the Workstation Authentication template.
In the Duplicate Template dialog box, ensure that Windows 2003 Server is selected. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as Mac Client Certificate.
Click the Subject Name tab, make sure that Build from this Active Directory information is selected, select Common name for Subject name format, and clear User principal name (UPN) under Include this information in alternate subject name.
Click the Security tab, and remove the Enroll permission from the Domain Admins and Enterprise Admins security groups.
Click Add, specify the security group that you created for users who will enroll the certificate on the Mac computer by using Configuration Manager, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission.
In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
In the Enable Certificate Templates dialog box, select the new template that you have just created, Mac Client Certificate, and then click OK.
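The following PowerShell is an added example, not part of the original post: it reads the template from Active Directory and reports any setting that differs from the steps above. It assumes the ActiveDirectory module (RSAT) is available and uses this post's example names, Mac Client Certificate and Mac Users; the variable names are illustrative.

```powershell
# Added example, not from the original post: audit the duplicated template in AD.
Import-Module ActiveDirectory

$TemplateDisplayName = 'Mac Client Certificate'   # example name used in this post
$EnrollGroup         = 'Mac Users'                # example group used in this post

# msPKI-Certificate-Name-Flag bits (MS-CRTD) behind the Subject Name tab
$SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
$SUBJECT_ALT_REQUIRE_UPN     = 0x02000000
$ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001
# Certificate-Enrollment extended right: the "Enroll" checkbox on the Security tab
$EnrollRight   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$tpl = @(Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$TemplateDisplayName)" `
        -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor)
if ($tpl.Count -ne 1) { throw "Expected one template named '$TemplateDisplayName', found $($tpl.Count)." }

$findings = @()
$flags = [int]$tpl[0].'msPKI-Certificate-Name-Flag'
if (-not ($flags -band $SUBJECT_REQUIRE_COMMON_NAME)) { $findings += 'Subject name format is not Common name.' }
if ($flags -band $SUBJECT_ALT_REQUIRE_UPN)   { $findings += 'UPN is still included in the alternate subject name.' }
if ($flags -band $ENROLLEE_SUPPLIES_SUBJECT) { $findings += 'Subject is supplied in the request, not built from Active Directory.' }

# Allow ACEs that grant Enroll: the Enroll right itself, or all extended rights
# (empty ObjectType), which is also how Full Control shows up.
$enrollers = @($tpl[0].nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
    ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

foreach ($id in $enrollers) {
    if ($id -match '\\(Domain Admins|Enterprise Admins)$') { $findings += "$id still has Enroll." }
}
if (-not ($enrollers -match ('\\' + [regex]::Escape($EnrollGroup) + '$'))) {
    $findings += "$EnrollGroup does not have Enroll."
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "Template '$TemplateDisplayName' matches the settings in this post." }
```

Any other principal listed in `$enrollers` can also request this client authentication certificate, so review that list as well as the warnings.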
The Mac client certificate template is now ready to be selected when you configure client settings for enrollment. In the upcoming posts, we will see more about installing client agents on Mac computers and managing them via Configuration Manager.