How to install SCCM client agent on Mac Computers
In this post we will see the steps on how to install SCCM client agent on Mac computers. In my previous post we saw how to deploy client certificate for Mac Computers. Before you start to deploy configuration manager client agent for Mac, I would suggest you to take a look at step by step guide for deploying PKI with SCCM. Client installation and management for Mac computers in System Center 2012 R2 Configuration Manager requires public key infrastructure (PKI) certificates.
I will brief the steps that are required to install and configure client agent on Mac computer.
1) Deploy a web server certificate to site system servers. (we have done this in previous post, click on the link to know more)
2) Deploy a client authentication certificate to site system servers. (we have done this in previous post, click on the link to know more)
3) Prepare the client certificate template for Mac computers. (we have done this in previous post, click on the link to know more)
4) Configure the enrollment proxy point and the enrollment point.
5) Configure client settings for enrollment.
6) Download the client source files for Mac clients.
7) Install the client and then enroll the client certificate on the Mac computer.
Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. If these site system servers will not support Internet-based client management, you can specify the intranet FQDN as the Internet FQDN value. In addition, these site system roles must be in a primary site.
To do that right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK:
a) Select HTTPS.
b) Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties, even if the site system server will not be accessible from the Internet.
c) Select Allow mobile devices and Mac computers to use this management point. This is very important one. Do not forget to enable this setting.
How to install SCCM client agent on Mac Computers
In the Configuration Manager console, click Administration, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use to support Mac computers. Right click on the server and click Add Site System Roles. On the General page, specify the general settings for the site system, and then click Next. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.
On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.
On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.
Complete the wizard.
Configuring the Client Settings for Enrollment
This step is required for Configuration Manager to request and install the certificate on the Mac computer. You must use the default client settings to configure enrollment for Mac computers, you cannot use custom client settings. Right click Default Client settings and click Properties.
Select the Enrollment section, and then configure the following user settings:
Allow users to enroll mobile devices and Mac computers: Yes
Enrollment profile: Click Set Profile.
In the Mobile Device Enrollment Profile dialog box, click Create. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile (for example Mac Enrollment), and then select the Management site code. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box.
In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created and click OK. To know how I did it, click on the link How to deploy Client Certificate for Mac Computers.
Once you do the above changes, all users will be configured with these settings when they next download client policy. To see the results quickly, change the Client policy polling interval client setting in the Client Policy client setting group. In addition to the enrollment client settings, also enable and configure Hardware inventory (to collect hardware inventory from Mac and Windows client computers) and Compliance settings (to evaluate and remediate settings on Mac and Windows client computer) in the client settings.
Download and Install the Mac Client Files
The next step is to download and install the Mac client files.
Download the Mac OS X client file package on your windows computer, file name is ConfigmgrMacClient.msi, and save it to a computer. Run the msi file and in turn the Macclient.dmg is extracted to a folder on the local disk (by default C:Program Files (x86)MicrosoftSystem Center 2012 Configuration Manager Mac Client)
Next step, copy the Macclient.dmg file to a folder on the Mac computer. Run the Macclient.dmg file that you just downloaded to extract the files to a folder on the local disk. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools. In order to make it easy for installation, I will have moved the extracted files to the same folder where macclient.dmg is present.
On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg. To install the client agent use the below command.
sudo ./ccmsetup
Wait until you see the message “The install was successful“. Although the installer displays a message that you must restart now, do not restart now but continue to the next step.
Change the path to Tools folder. From the Tools folder on the Mac computer, type the following command:
sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <‘user name’>
Important – The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.
Something confusing here, when you enter this command, you are actually prompted for two passwords. The first prompt is for the super user account to run the command. The second prompt is for the Active Directory user account. Enter the passwords as per the correct sequence. You should see the message Successfully enrolled.
Restart the mac computer. Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client (please see the last screenshot of this post).
To verify that the certificate has been installed correctly, go to Utilities > Keychain Access. Under Keychains select System, and the under Category select My Certificates. Expand the certificate and it should be linked to a Private Key named SCCM. Double-click on the private key and then select Access Control. Under Always allow access by these applications you should find two entries CCMClient and CMEnroll.
When you open the Configuration Manager item in System Preferences on the Mac computer you will see the client properties. The Enrollment status should be Enrolled.
In the Configuration Manager console, under Devices > All Systems the Mac OS X system should appear. In my case the client activity was blank for sometime but later it was Active. Initially the system icon will be a mobile device, but once hardware and software inventory have been run the icon will switch to that of a standard workstation. When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console.
Need more help?
If you need further assistance on the above article or want to discuss other technical issues, check out some of these options.