Configuring SCCM 2012 for PKI and SSL: Managing Apple Computers

Now that our site is running in HTTPS, we're ready to set up and enroll our first Mac clients.  This requires two additional site system roles, as well as another certificate template, which we'll walk through here.

Enrollment Point Role

Managing Macs requires the Enrollment point and Enrollment proxy point roles.  That's pretty easy, just install them the same as the other roles.  There really aren't any special configurations that need to be done, so just follow through the wizard.  The enrollment proxy point is the HTTPS endpoint the Mac talks to during enrollment, so it is the role that needs the internet-facing FQDN and a web server certificate from the previous post; the enrollment point sits behind it and requests the client certificate from the issuing CA on the Mac's behalf.


Mac Authenticated Session Certificate

Now that the roles are configured, you'll need to publish a certificate template for Macs and set the enrollment client policy.  This template is different from the ones used by the Windows clients or by the DPs: it is duplicated from Authenticated Session and issues the client authentication certificate that an enrolled Mac presents to the site's HTTPS roles.

Once again, open the Certification Authority console, right-click on Certificate Templates, and select Manage.  Right-click the Authenticated Session template and select Duplicate Template.


Once again, on the Compatibility tab, select Windows Server 2003 for both the Certification Authority and the Certificate recipient.


Next, under the Subject Name tab, configure the options as follows:


Under the Security tab, you'll probably want to tighten the permissions so that only a select few can enroll Macs.  The Enroll permission on this template is what gates who can complete enrollment: remove Enroll from broad groups such as Domain Users or Authenticated Users and grant Read and Enroll only to a dedicated group.  The account whose credentials you later pass to CMEnroll must be a member of that group.


Once the new template is created, head back to the CA console and publish it by right-clicking on the Certificate Templates folder.



SCCM Client Settings Configuration

This part is easy.  Now that the template is published, we'll configure the client settings to allow enrollment.  In the SCCM console, edit the Default Client Settings.


Scroll down to Enrollment, and set "Allow users to enroll mobile devices and Mac computers" to Yes.  Now click Set Profile, and we'll create an enrollment profile.



Here you'll want to give the profile a name and select the site, the issuing CA, and the certificate template created above.  The template you pick here is the one the enrollment point will request from the CA for each Mac.


SCCM Client for Apple Computers

OK, now we're ready to install the SCCM client on our Mac and enroll our first system.  Head over to Microsoft and download the Mac client.  You'll notice it's an MSI, which doesn't install on a Mac.  Run it from a Windows system and it will extract a DMG file that you can copy over to your Mac.


Get the file over to your Mac and open it.  You'll find three items inside: the ccmsetup executable, the CMClient package (which the executable calls) and a Tools folder (which we'll look at later).

Now, your Mac will need to be able to resolve the internet-facing FQDN of the SCCM server, since that is the name the enrollment proxy point's certificate is issued to.  So you might have to edit the hosts file to make this happen, as I've done here:

Alternatively, you can add an A record to whatever DNS your Mac systems use, but a hosts entry is fine for my lab 🙂

Next, install the SCCM client from the terminal, running ccmsetup with sudo so that the install runs with administrative privileges.

You’ll notice the client installs much faster than on Windows systems.  Why?  Lack of prereqs, lack of features, better hardware?  I’m sure they all contribute.

The installer will prompt you to restart.  Go ahead and do that now.  When the system reboots, you’re ready to enroll the system.  This can be done in two ways: using the CMEnroll tool or using the client’s GUI.

To do it with the CMEnroll tool, open a terminal and navigate to the Tools directory.  Using sudo, execute the CMEnroll tool with the appropriate switches.  Note that the domain user must be single-quoted, otherwise the shell treats the backslash as an escape character and the domain separator is silently dropped:

sudo ./CMEnroll -s sccm.myinternet.fqdn -ignorecertchainvalidation -u 'DOMAIN\username'

A word on -ignorecertchainvalidation: it tells the enrollment tool to accept the server's certificate without checking that it chains to a trusted root.  That is convenient in a lab where the enterprise root CA has not been imported into the Mac's System keychain, but it also means the credentials you type are sent to whatever answers at that name.  In production, import the root CA into the System keychain and drop the switch so the chain is validated.

If you have trouble enrolling your system, you can use the CMDiagnostics tool in the same folder to generate log files.  I didn't have trouble but I ran the tool anyway; the log files looked like the usual CM logs you'd expect.  On the site server, you can also look at the log files for the Enrollment point and Enrollment proxy point.  They are on the same drive as SCCM is installed, under Program Files\SMS_CCM\EnrollmentPoint\Logs and Program Files\SMS_CCM\EnrollmentProxyPoint\Logs.
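The following preflight script is an added example for this post; it is not part of the Mac client package or anything Microsoft ships.  It pulls the certificate chain the enrollment proxy point presents on port 443, checks that the leaf is issued to the FQDN you are about to enroll against, verifies the chain against an exported copy of the enterprise root CA, and on a Mac also asks the System keychain (the trust store the client itself uses) before running CMEnroll without -ignorecertchainvalidation.  Assumptions: the root CA certificate has been exported to a PEM file, the client's Tools folder is in the working directory, and an openssl binary is on the PATH (the built-in LibreSSL or a Homebrew OpenSSL both suffice for the calls used).  The FQDN is the placeholder from this post; the function names are this example's own.

```shell
#!/usr/bin/env bash
# preflight_enroll.sh -- added example, not from the post or the SCCM client:
# validate the Enrollment Proxy Point's TLS chain before enrolling, so that
# CMEnroll can be run with chain validation left on.
set -eu

# split_pem_chain OUTDIR: read `openssl s_client -showcerts` output on stdin,
# write each certificate to OUTDIR/cert-N.pem (N=1 is the leaf) and print N.
split_pem_chain() {
  local outdir=$1
  mkdir -p "$outdir"
  awk -v d="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }'
}

# names_match_host FQDN: read `openssl x509 -text` output on stdin and succeed
# only if the subject CN or a SAN DNS entry is exactly FQDN. Wildcards are not
# expanded on purpose: you enroll against one specific name.
names_match_host() {
  local re
  re=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -Eq "DNS:$re(,|\$)|CN *= */?$re(/|,|\$)"
}

# verify_chain DIR ROOT_PEM: the leaf (cert-1) must chain to ROOT_PEM; the other
# downloaded certs are passed only as untrusted intermediates, never as anchors.
verify_chain() {
  local dir=$1 root=$2 inter="$1/intermediates.pem" f
  : > "$inter"
  for f in "$dir"/cert-*.pem; do
    if [ "$f" != "$dir/cert-1.pem" ]; then cat "$f" >> "$inter"; fi
  done
  # Older openssl builds exit 0 even when verification fails, so key on the
  # "<file>: OK" line rather than on the exit status.
  if [ -s "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$dir/cert-1.pem"
  else
    openssl verify -CAfile "$root" "$dir/cert-1.pem"
  fi | grep -q ': OK$'
}

# main FQDN ROOT_PEM [USER] [TOOLS_DIR]
main() {
  local fqdn=$1 root=$2 user=${3:-} tools=${4:-./Tools} work n i
  work=$(mktemp -d)
  # 1. Pull the chain presented on 443. Zero certificates usually means the
  #    internet-facing FQDN does not resolve (see the hosts file step) or 443
  #    is not reachable from this Mac.
  n=$(openssl s_client -connect "$fqdn:443" -servername "$fqdn" -showcerts \
        </dev/null 2>/dev/null | split_pem_chain "$work")
  if [ "$n" -lt 1 ]; then
    echo "no certificate received from $fqdn:443 (DNS or connectivity?)" >&2; return 1
  fi
  # 2. The leaf must be issued to the name we are enrolling against.
  openssl x509 -in "$work/cert-1.pem" -noout -text | names_match_host "$fqdn" \
    || { echo "leaf certificate is not issued to $fqdn" >&2; return 1; }
  # 3. The chain must validate against the exported enterprise root.
  verify_chain "$work" "$root" \
    || { echo "chain does not validate against $root" >&2; return 1; }
  # 4. On a Mac, also consult the System keychain, which is what the CM client
  #    checks. If this fails while step 3 passed, the root is simply not
  #    trusted yet; import it with:
  #    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$root"
  if command -v security >/dev/null 2>&1; then
    set --  # build "-c cert-1 -c cert-2 ..." with the leaf first, as verify-cert expects
    i=1
    while [ -f "$work/cert-$i.pem" ]; do set -- "$@" -c "$work/cert-$i.pem"; i=$((i + 1)); done
    security verify-cert "$@" -p ssl -s "$fqdn" \
      || { echo "System keychain does not trust the chain for $fqdn" >&2; return 1; }
  fi
  # 5. Only now enroll, with chain validation left ON.
  echo "chain OK ($n certificate(s)); enrolling against $fqdn"
  sudo "$tools/CMEnroll" -s "$fqdn" -u "$user"
  rm -rf "$work"
}

# Usage: ./preflight_enroll.sh sccm.myinternet.fqdn ~/enterprise-root.pem 'DOMAIN\username'
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 1 ]; then
  main "$@"
fi
```

The script deliberately never imports the root CA by itself: a trust-store change on a managed endpoint should be an explicit, reviewed step (or pushed by management) rather than a side effect of an enrollment helper, so the command is left in a comment for the operator to run.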


To do it from the GUI, go to System Preferences and open the Configuration Manager pane, then click Enroll at the bottom.  Note: if you are using SCCM 2012 SP1, the Enroll button is not there and this option is not available to you.

This opens the enrollment wizard:


Input your credentials and the internet-facing FQDN of the server running the enrollment proxy point.


Congrats!  You're now managing your first Mac with SCCM.  Flip back to the SCCM console and find the Mac under Devices, and take a look at its properties.

Next, let’s make a collection to make management a bit easier.  We can do this quickly with our good friend, PowerShell.  If you’re not using PowerShell for management, you should try it.  Check here to get started:

Once you've connected to your site (a PowerShell session with the ConfigurationManager module imported and the site code drive as the current location), run the following code to create a collection:

# Daily refresh schedule; the start date only fixes the time of day the refresh runs
$Refresh = New-CMSchedule -Start "01/01/2014 3:52 AM" -RecurInterval Days -RecurCount 1
# ClientType 3 is the Mac client; the query uses the standard device-collection columns
$Query = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientType = 3"
# Limit to All Systems (SMS00001) so every discovered Mac can be matched by the rule
New-CMDeviceCollection -LimitingCollectionId SMS00001 -Name "All Apple Computers" -RefreshSchedule $Refresh
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "All Apple Computers" -RuleName "Client Installed" -QueryExpression $Query

If you want to create a collection the traditional way, that's fine too.  You just need a simple query rule where Client Type is equal to 3.  In the query designer, Client Type is an attribute of the System Resource class.

Create and Deploy SCEP package to Macs

Now that the Mac is communicating with the SCCM server we can start managing it.  We'll deploy SCEP (System Center Endpoint Protection) first, and then Firefox.  For SCEP, you'll have to download the OS X version from the Microsoft Volume Licensing site; I was unable to find it on MSDN at all.  On the ISO, you'll find several DMG files for different languages.  Extract the one you'd like, and copy it down to your Mac; the package has to be built on the Mac, since SCCM doesn't do this natively and can't process the OS X installer.  I put it in the Tools folder of the SCCM client.

We'll need a terminal window again, and administrative credentials.  Navigate to the folder where you have your SCCM tools.  You'll need to use CMAppUtil to wrap the installer into a .cmmac bundle, which carries both the install bits and the detection rules (the package identifier and version) the client uses to report installation status.  Execute the utility with the -h switch to see the full help; the basic syntax is as follows:

sudo ./CMAppUtil -c DMGfile -o outputlocation

This particular DMG file contains several installers, so we're prompted to select which one.  This varies between applications, so a firm understanding of the application being packaged is required.

For this version of SCEP, I selected the installer.pkg file.  After a few moments, the utility had produced a new .cmmac file.

Next, copy this file, and your SCEP install bits to your SCCM source location.


Now, create a deployment for it and watch it go.  Do note, however, that there is no Software Center in the Mac client, and therefore available deployments are not supported at this time.  Be sure to select Required for the deployment purpose.

Unfortunately, SCEP on Macs is not currently managed by SCCM.  You'll get reporting from your site's hardware inventory, but no SCEP reports regarding the latest definition updates or malware detections, and no remediation if an end user changes the SCEP policy.  However, this is a good first step, and hopefully Microsoft will be expanding this in the future.
