Configuring SCCM 2012 for PKI and SSL: Managing Apple Computers

Now that our site is running over HTTPS, we’re ready to set up and enroll our first Mac clients.  This requires some additional infrastructure, as well as another certificate, which we’ll walk through here.

Enrollment Point Role

Managing Macs requires the Enrollment point and Enrollment proxy point roles.  That’s pretty easy: just install them the same way as any other role.  There really aren’t any special configurations that need to be done, so just follow through the wizard.

Mac Authenticated Session Certificate

Now that the role is configured, you’ll need to publish a certificate template for Macs and set the enrollment client policy.  This cert is different from the ones used by the Windows clients or by the DPs; this one is for authenticated sessions.

Once again, open the Certificate Authority console, right-click on Certificate Templates, and select Manage.  Right-click the Authenticated Session template and select Duplicate Template.

Once again, select Server 2003 as the authority and recipient.

Next, under the Subject Name tab, configure the options as follows:

Under the Security tab, you’ll probably want to remove the default permissions so that only a select few can enroll Macs.

Once the new template is created, head back to the CA console and publish it by right-clicking on the Certificate Templates folder.

SCCM Client Settings Configuration

This part is easy.  Now that the proper cert is issued, we’ll configure the client settings to allow enrollment.  In the SCCM console, edit the Default Client Settings.

Scroll down to Enrollment, and allow users to enroll mobile devices and Macs.  Now click Set Profile, and we’ll create a profile.

Here you’ll want to select the site, CA, and cert that will be used, and give the profile a name.

SCCM Client for Apple Computers

OK, now we’re ready to install the SCCM client on our Mac and enroll our first system.  Head over to Microsoft and download the Mac client.  You’ll notice it’s an MSI, which won’t install on a Mac.  Run it from a Windows system and it will extract a DMG file that you can copy over to your Mac.

Get the file over to your Mac and extract it.  You’ll find 3 files inside: the ccmsetup executable, the CMClient package (which the executable calls) and a tools folder (which we’ll look at later).

Now, your Mac will need to be able to contact the FQDN of the SCCM server’s internet facing address.  So you might have to edit the hosts file to make this happen, as I’ve done here:

Alternatively, you can manually add an A record to DNS if your Macs are using it, but the hosts file is fine for my lab 🙂

Next, install the SCCM client from the terminal, using sudo so that the install runs with administrative privileges.

You’ll notice the client installs much faster than on Windows systems.  Why?  Lack of prereqs, lack of features, better hardware?  I’m sure they all contribute.

The installer will prompt you to restart.  Go ahead and do that now.  When the system reboots, you’re ready to enroll the system.  This can be done in two ways: using the CMEnroll tool or using the client’s GUI.

To do it with the CMEnroll tool, open a terminal and navigate to the Tools directory.  Using sudo, execute the CMEnroll tool with the appropriate switches:

sudo ./CMEnroll -s sccm.myinternet.fqdn -ignorecertchainvalidation -u DOMAIN\username
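Two of the steps above are worth scripting before the first enrollment: the hosts-file entry for the server’s internet-facing FQDN, and a check of whether the Mac actually trusts the SCCM server’s certificate chain, since -ignorecertchainvalidation tells CMEnroll to skip that check and is only appropriate when you already know why the chain fails (in this lab, an internal CA the Mac doesn’t trust yet).  The following pre-flight script is an added example written for this post, not part of the Configuration Manager Mac client or its Tools folder; the IP address and FQDN are placeholders standing in for the lab values, and the function names are my own.

```shell
#!/bin/sh
# Pre-flight checks before running CMEnroll on a Mac (added example, not CM client code).
# Placeholders: 10.0.0.214 and sccm.myinternet.fqdn stand in for the lab server.

# Add "IP<TAB>FQDN" to a hosts file exactly once. Default is /etc/hosts; pass a path
# as the third argument to try it against a scratch file first.
ensure_hosts_entry() {
  ip="$1"; fqdn="$2"; file="${3:-/etc/hosts}"
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')       # escape dots for grep -E
  fqdn_re=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
  if grep -Eq "^[[:space:]]*${ip_re}[[:space:]]+${fqdn_re}([[:space:]]|\$)" "$file" 2>/dev/null; then
    return 0                                           # already present, nothing to do
  fi
  printf '%s\t%s\n' "$ip" "$fqdn" >> "$file"
}

# Pull the numeric "Verify return code" out of captured openssl s_client output.
# 0 means the server chain validated against the trust store openssl was given.
verify_code() {
  printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Turn that code into the action to take before enrolling.
advise() {
  if [ -z "$1" ]; then
    echo "no verify line: check that the FQDN resolves and port 443 is reachable"
    return 1
  fi
  case "$1" in
    0)  echo "chain OK: enroll without -ignorecertchainvalidation" ;;
    # 19/20/21 are openssl's "self signed in chain", "unable to get local issuer",
    # "unable to verify the first certificate": the Mac does not trust the issuing CA.
    19|20|21) echo "internal CA not trusted by this Mac: import the root CA certificate into the System keychain, then enroll" ;;
    *)  echo "verify code $1: inspect the server certificate chain before enrolling" ;;
  esac
}

# Live check when run directly with the server FQDN as the first argument, e.g.
#   sh preflight.sh sccm.myinternet.fqdn
if [ -n "$1" ]; then
  fqdn="$1"
  out=$(echo | openssl s_client -connect "${fqdn}:443" -servername "$fqdn" 2>/dev/null)
  advise "$(verify_code "$out")"
fi
```

If the check reports an untrusted internal CA, the fix that keeps validation on is to export the CA’s root certificate and add it to the Mac’s System keychain (the macOS command for that is `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain rootca.cer`, run with sudo), after which CMEnroll can be run without the -ignorecertchainvalidation switch.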

If you have trouble enrolling your system, you can use the CMDiagnostics tool in the same folder to spit out some log files.  I didn’t have trouble, but I ran the tool anyway; the log files looked like the usual CM logs you’d expect.  On the site server, you can also look at the log files for the Enrollment point and Enrollment proxy point.  They are on the same drive as SCCM is installed, under Program Files\SMS_CCM\EnrollmentPoint\Logs and Program Files\SMS_CCM\EnrollmentProxyPoint\Logs.
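The CM logs on both sides (the CMDiagnostics output on the Mac and the Enrollment point and Enrollment proxy point logs on the server) use the CMTrace line format, where each entry carries its message inside <![LOG[...]LOG]!> followed by attributes including component and a type of 1 (info), 2 (warning) or 3 (error).  When an enrollment fails, the fastest triage is to pull only the warnings and errors out of those files.  The filter below is an added example for this post, not one of the tools shipped with the client; the function names are mine, and the three sample log lines it runs on are constructed to show the format, not copied from a real log.

```shell
#!/bin/sh
# Filter CMTrace-format Configuration Manager logs down to warnings and errors
# (added example, not part of the CM client tools).

# Print "type<TAB>component<TAB>message" for each entry whose type is at least $2
# (1 = info, 2 = warning, 3 = error; default 2). Non-CMTrace lines are skipped.
cm_log_filter() {
  min="${2:-2}"
  awk -v min="$min" '
    /^<!\[LOG\[/ {
      msg = $0
      sub(/^<!\[LOG\[/, "", msg)          # strip the opening marker
      sub(/]LOG]!>.*$/, "", msg)          # drop the marker tail and the attribute block
      type = ""; comp = ""
      # type="N": the value sits 6 characters after the match start
      if (match($0, /type="[0-9]"/)) type = substr($0, RSTART + 6, 1)
      # component="...": 11 characters of prefix plus the closing quote
      if (match($0, /component="[^"]*"/)) comp = substr($0, RSTART + 11, RLENGTH - 12)
      if (type != "" && type + 0 >= min + 0) printf "%s\t%s\t%s\n", type, comp, msg
    }' "$1"
}

# Run the filter over a constructed sample log (three entries, one of each type).
cm_log_demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
<![LOG[Enrollment request received for device]LOG]!><time="19:41:02.113+420" date="04-04-2014" component="EnrollmentPoint" context="" type="1" thread="2468" file="sample.cpp:201">
<![LOG[Client asked to skip certificate chain validation]LOG]!><time="19:41:02.250+420" date="04-04-2014" component="EnrollmentProxyPoint" context="" type="2" thread="2468" file="sample.cpp:88">
<![LOG[Failed to issue certificate: template not found]LOG]!><time="19:41:03.004+420" date="04-04-2014" component="EnrollmentPoint" context="" type="3" thread="2468" file="sample.cpp:340">
EOF
  cm_log_filter "$tmp" "${1:-2}"
  rm -f "$tmp"
}

# Usage against a real log, errors only:
#   cm_log_filter /path/to/EnrollmentPoint.log 3
cm_log_demo
```

Point it at the Enrollment proxy point log first when a Mac cannot enroll at all (that is the role the client talks to), and at the Enrollment point log when the proxy accepted the request but no certificate came back.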

To do it from the GUI, go to System Preferences and open the Config Man applet, then click Enroll at the bottom.  Note: if you are using SCCM 2012 SP1, the enroll button is not there and this option is not available to you.

This opens the enrollment wizard:

Input your credentials and the internet-facing FQDN of the server running the EPP.

Congrats!  You’re now managing your first Mac with SCCM.  Flip back to the SCCM console and find the Mac under Devices.  Take a look at the properties.

Next, let’s make a collection to make management a bit easier.  We can do this quickly with our good friend, PowerShell.  If you’re not using PowerShell for management, you should try it.  Check here to get started:  http://myitforum.com/myitforumwp/2012/10/22/configmgr-2012-sp1-powershell-module-getting-started/

Once you’ve connected to your site, run the following code to create a collection:

$Refresh = New-CMSchedule -Start "01/01/2014 3:52 AM" -RecurInterval Days -RecurCount 1
$Query = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ClientType = 3"
New-CMDeviceCollection -LimitingCollectionId SMS00001 -Name "All Apple Computers" -RefreshSchedule $Refresh
Add-CMDeviceCollectionQueryMembershipRule -CollectionName "All Apple Computers" -RuleName "Client Installed" -QueryExpression $Query

If you want to create the collection the traditional way, that’s fine too.  You just need a simple query where Client Type is equal to 3; you’ll find Client Type under System Resource.

Create and Deploy SCEP package to Macs

Now that the Mac is communicating with the SCCM server we can start managing it.  We’ll deploy SCEP first, and then Firefox.  For SCEP, you’ll have to download the OS X version from the Microsoft Volume Licensing site.  I was unable to find it on MSDN at all.  On the ISO, you’ll find several DMG files for different languages.  Extract the one you’d like, and copy it down to your Mac; we have to create the installer on the Mac, since SCCM doesn’t do this natively and can’t process the OS X installer.  I put it in the tools folder of the SCCM client.

We’ll need a terminal window again, and administrative credentials.  Navigate to the folder where you have your SCCM tools.  You’ll need to use the CMAppUtil to generate the necessary parameters for SCCM to be able to install the application and determine installation status.  Execute the utility with the -h switch to see the full help; the basic syntax is as follows:

sudo ./CMAppUtil -c DMGfile -o outputlocation

This particular DMG file contains several installers, so we’re prompted to select which one.  This can vary for different applications, so a firm understanding of the application is required.

For this version of SCEP, I selected the installer.pkg file.  After a few moments, the utility spat out a new .cmmac file.

Next, copy this file, and your SCEP install bits to your SCCM source location.

Now, create a deployment for it and watch it go.  Do note, however, that there is no Software Center in the Mac client, and therefore available deployments are not supported at this time.  Be sure to select required for the deployment purpose.

Unfortunately, SCEP is not currently managed by SCCM for Macs.  You’ll get reporting from your site’s hardware inventory, but no SCEP reports regarding latest updates, or malware detection.  And no remediation if an end user changes the SCEP policy.  However, this is a good first step, and hopefully Microsoft will be expanding this in the future.


One thought on “Configuring SCCM 2012 for PKI and SSL: Managing Apple Computers”

  1. Pingback: Configuring SCCM 2012 for PKI and SSL: Setting up HTTPS communication | danikuci
