1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that holds the site system roles to configure.

3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK:

   1. Select HTTPS.
      
      
   2. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties, even if the site system server will not be accessible from the Internet.
      
      
   3. Select Allow mobile devices and Mac computers to use this management point.
      
      

4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK:

   • Select HTTPS.
     
     
   • Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties, even if the site system server will not be accessible from the Internet.
     
     
   • Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.
     
     

5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with Mac computers.

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles

3. On the Home tab, in the Create group, click Create Site System Server.

4. On the General page, specify the general settings for the site system, and then click Next.

   Important
   Make sure that you specify a value for the Internet FQDN, even if the site system server will not be accessible from the Internet. If you do not have an Internet FQDN because the site system server will not be accessible from the Internet, you can specify the intranet FQDN value as the Internet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet.

5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

8. Complete the wizard.

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use to support Mac computers.

3. On the Home tab, in the Create group, click Add Site System Roles.

4. On the General page, specify the general settings for the site system, and then click Next.

   Important
   Make sure that you specify a value for the Internet FQDN, even if the site system server will not be accessible from the Internet. If you do not have an Internet FQDN because the site system server will not be accessible from the Internet, you can specify the intranet FQDN value as the Internet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet.

5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

8. Complete the wizard.

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, click Client Settings.

3. Click Default Client Settings.

   Important
   You cannot use a custom client setting for the enrollment configuration; you must use the default client settings.

4. On the Home tab, in the Properties group, click Properties.

5. Select the Enrollment section, and then configure the following user settings:

   1. Allow users to enroll mobile devices and Mac computers:Yes
      
      
   2. Enrollment profile: Click Set Profile.
      
      

6. In the Mobile Device Enrollment Profile dialog box, click Create.

7. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile, and then configure the Management site code. Select the Configuration Manager SP1 primary site that contains the management points that will manage the Mac computers.

   Note
   If you cannot select the site, check that at least one management point in the site is configured to support mobile devices.

8. Click Add.

9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK.

10. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created in Step 3, and then click OK.

11. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box.

    Tip
    If you want to change the client policy interval, use the Client policy polling interval client setting in the Client Policy client setting group.

All users will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

In addition to the enrollment client settings, ensure that you have configured the following Configuration Manager client device settings:

• Hardware inventory: Enable and configure this client setting if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to Configure Hardware Inventory in Configuration Manager.
  
  
• Compliance settings: Enable and configure this client setting if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Configuring Compliance Settings in Configuration Manager.
  
  

Note
For more information about Configuration Manager client settings, see How to Configure Client Settings in Configuration Manager.

1. Download the Mac OS X client file package, ConfigmgrMacClient.msi from the Microsoft Download Center, and save this file to a computer that runs Windows.

2. On the Windows computer, run the ConfigmgrMacClient.msi file that you just downloaded to extract the Mac client package, Macclient.dmg to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client\).

3. Copy the Macclient.dmg file to a folder on the Mac computer.

4. On the Mac computer, run the Macclient.dmg file that you just downloaded to extract the files to a folder on the local disk.

5. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools.

1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file that you downloaded from the Microsoft Download Center.

2. Enter the following command-line: sudo ./ccmsetup

3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, do not restart now but continue to the next step.

4. From the Tools folder on the Mac computer, type the following: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'>

   Note
   In System Center 2012 R2 Configuration Manager, after the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. To enroll the client by this method, see To enroll the client by using the Mac Computer Enrollment Wizard (System Center 2012 R2 Configuration Manager only) in this topic.

   You are then prompted to type the password for the Active Directory user account.

   Important
   When you enter this command, you are actually prompted for two passwords: The first prompt is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.

   The user name can be in the following formats:

   • 'domain\name’. For example: 'contoso\mnorth'
     
     
   • 'user@domain'. For example: 'mnorth@contoso.com'
     
     

   The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.

   Example: If the enrollment proxy point server is named server02.contoso.com, and a user name of contoso\mnorth has been granted permissions for the Mac client certificate template, type the following: sudo ./CMEnroll -s server02.contoso.com –ignorecertchainvalidation -u 'contoso\mnorth'

   Note
   For a more seamless user experience, you can script the installation steps and commands so that users only have to supply their user name and password.

5. Wait until you see the Successfully enrolled message.

6. For Configuration Manager SP1 only: To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

   1. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
      
      
   2. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys.
      
      
   3. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.
      
      
   4. On the Access Control tab, select Confirm before allowing access.
      
      
   5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then click Add.
      
      
   6. Click Save Changes and close the Keychain Access dialog box.
      
      

7. Restart the Mac computer.

Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client.

Tip

To help troubleshoot any problems with the Mac client, you can use the CMDiagnostics program that is included with the Mac OS X client package to collect the following diagnostic information: A list of running processes The Mac OS X operating system version Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash. The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation. The contents of the folder /Library/Application Support/Microsoft/CCM/Logs. The information collected by CmDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<date and time>.zip.

1. After you have finished installing the client the Computer Enrollment wizard opens. Click Next to continue past the welcome page.

   Note
   If the wizard does not open, or if you accidentally close the wizard, click Enroll from the Configuration Manager preference page to open the wizard.

2. On the next page of the wizard, specify the following information:

   • User name - The user name can be in the following formats:
     
     
     • 'domain\name’. For example: 'contoso\mnorth'
       
       
     • 'user@domain'. For example: 'mnorth@contoso.com'
       
       

       Important

       When you use an email address to populate the User name field, Configuration Manager automatically uses the domain name of the email address and the default name of the enrollment proxy point server to populate the Server name field. If this domain name and server name do not match the name of the enrollment proxy point server, you must advise your users of the correct name to use, so that they can enter this when enrolling their Mac computers.

     The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.
     
     
   • Password – Enter a corresponding password for the user name specified.
     
     
   • Server name – Enter the name of the enrollment proxy point server.
     
     

3. Click Next to continue, and then complete the wizard.

If you want to uninstall the Mac client, use the CMUninstall script that is provided with the Mac client files you downloaded from the web. Use the following procedure to help you uninstall the Configuration Manager client from Mac computers.

To uninstall the Mac client

Use one of the following methods to renew the Mac client certificate:

• Renewing the Mac Client Certificate by Using the Renew Certificate Wizard (System Center 2012 R2 Configuration Manager only)
  
  
• Renewing the Mac Client Certificate Manually
  
  

Renewing the Mac Client Certificate by Using the Renew Certificate Wizard (System Center 2012 R2 Configuration Manager only)

Renewing the Mac Client Certificate Manually

A typical validity period for the Mac client certificate is 1 year. Configuration Manager does not automatically renew the user certificate that it requests during enrollment, so you must use the following procedure to renew the certificate manually.

Important
If the certificate expires, you must uninstall, reinstall and then re-enroll the Mac client.

This procedure removes the SMSID, which is required to request a new certificate for the same Mac computer. After the new certificate is requested, it is automatically used by Configuration Manager.

Important
When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console.

To renew the Mac client certificate manually

1. Create a device collection for the Mac computers that must renew the user certificates, and then add the Mac computers to the collection.

   Warning
   Configuration Manager does not monitor the validity period of the certificate that it enrolls for Mac computers. You must monitor this independently from Configuration Manager to identify the Mac computers to add to this collection.

2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

3. On the General page of the wizard, specify the following information:

   • Name:Remove SMSID for Mac
     
     
   • Type:Mac OS X
     
     

4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected.

5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information:

   • Name:Remove SMSID for Mac
     
     
   • Setting type:Script
     
     
   • Data type:String
     
     

6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured.

7. In the Edit Discovery Script dialog box, enter the following Shell Script:

   	Copy Code
   defaults read com.microsoft.ccmclient SMSID

8. Click OK to close the Edit Discovery Script dialog box.

9. In the Create Setting dialog box, for Remediation script (optional), click Add script to specify a script that removes the SMSID when it is found on Mac computers.

10. In the Create Remediation Script dialog box, enter the following Shell Script:

    	Copy Code
    defaults delete com.microsoft.ccmclient SMSID

11. Click OK to close the Create Remediation Script dialog box.

12. On the Compliance Rules page of the wizard, click New, and then in the Create Rule dialog box, specify the following information:

    • Name:Remove SMSID for Mac
      
      
    • Selected setting: Click Browse and then select the discovery script that you specified previously.
      
      
    • In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.
      
      
    • Enable the option Run the specified remediation script when this setting is noncompliant.
      
      

13. Complete the Create Configuration Item Wizard.

14. Create a configuration baseline that contains the configuration item that you have just created and deploy this to the device collection that you created in step 1.

    For more information about how to create and deploy configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager.

15. On Mac computers that have the SMSID removed, run the following command to install a new certificate:

    	Copy Code
    sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'>

    When prompted, provide the password for the super user account to run the command and then the password for the Active Directory user account.

16. For Configuration Manager SP1 only: To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

    1. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
       
       
    2. In the Keychain Access dialog box, in the Keychains section, click System, and then, in the Category section, click Keys.
       
       
    3. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.
       
       
    4. On the Access Control tab, select Confirm before allowing access.
       
       
    5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then click Add.
       
       
    6. Click Save Changes and close the Keychain Access dialog box.
       
       

17. Restart the Mac computer.