The information in this topic applies only to System Center 2012 Configuration Manager SP1.
Client installation and management for Mac computers in System Center 2012 Configuration Manager requires public key infrastructure (PKI) certificates. Configuration Manager can request and install a user client certificate by using Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. Or, you can request and install a computer certificate independently from Configuration Manager if the certificate meets the requirements for Configuration Manager. PKI certificates secure the communication between the Mac computers and the Configuration Manager site by using mutual authentication and encrypted data transfers.
Configuration Manager Mac clients always perform certificate revocation checking; unlike Configuration Manager clients that run on Windows, you cannot disable this certificate revocation list (CRL) checking function. If Mac clients cannot confirm the certificate revocation status for a server certificate because they cannot locate the CRL, they will not be able to successfully connect to Configuration Manager site systems, such as management points and distribution points. Especially for Mac clients in a different forest from the issuing certification authority, check your CRL design to ensure that Mac clients can locate and connect to a CRL distribution point (CDP) for connecting site system servers.
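Because this CRL check cannot be turned off, it helps to confirm which CDP URLs a site system server certificate publishes before you deploy Mac clients. The following shell script is an added example and not part of the original topic; the sample certificate text and contoso.com names are constructed, and treating ldap:// CDPs as unusable for Mac clients outside the issuing forest is an assumption of the example.

```sh
#!/bin/sh
# Added example: list the CRL distribution points (CDPs) in a site system
# server certificate and check that a Mac client could use one of them.

# Constructed sample: excerpt of `openssl x509 -noout -text` output for a
# hypothetical management point certificate (all contoso.com names are made up).
SAMPLE_CERT_TEXT='            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=Contoso-CA,CN=CA01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

                Full Name:
                  URI:http://crl.contoso.com/CertEnroll/Contoso-CA.crl

            Authority Information Access:
                CA Issuers - URI:http://crl.contoso.com/CertEnroll/CA01_Contoso-CA.crt
'

# Read certificate text on stdin; print only the URLs inside the CDP extension
# (the AIA "CA Issuers" URL is not a CRL location and is skipped).
cdp_urls() {
  awk '
    /CRL Distribution Points/         { in_cdp = 1; next }
    in_cdp && /URI:/                  { sub(/^.*URI:/, ""); sub(/[ \t\r]+$/, ""); print; next }
    in_cdp && /Full Name:|^[ \t\r]*$/ { next }
    in_cdp                            { in_cdp = 0 }
  '
}

# Print "<scheme> <url>" per CDP. Exit status is 0 only when at least one
# http(s) CDP is published. Assumption of this example: ldap:// CDPs in Active
# Directory are not resolvable by Mac clients outside the issuing forest.
cdp_report() {
  cdp_urls | awk '
    { scheme = tolower($0); sub(/:.*$/, "", scheme); print scheme, $0 }
    scheme == "http" || scheme == "https" { web = 1 }
    END { exit !web }
  '
}

# Live check to run on the Mac itself: can this client download the CRL?
cdp_fetchable() {
  curl -fsS --max-time 10 -o /dev/null "$1"
}

# Real use (mp-cert.pem is a placeholder for an exported server certificate):
#   openssl x509 -in mp-cert.pem -noout -text | cdp_report
printf '%s' "$SAMPLE_CERT_TEXT" | cdp_report
```

A non-zero exit status from `cdp_report` means the certificate publishes no HTTP CDP; run `cdp_fetchable` against each reported URL from the Mac's own network location to confirm the CRL can be downloaded there.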
Before you install the Configuration Manager client on a Mac computer, decide how to install the client certificate:
- Use Configuration Manager enrollment by using the CMEnroll tool and follow the steps in the next section of this topic. The enrollment process does not support automatic certificate renewal so you must re-enroll Mac computers before the installed certificate expires.
- Use a certificate request and installation method that is independent from Configuration Manager. For this installation method, see the Use a Certificate Request and Installation Method that is Independent from Configuration Manager section in this topic.
For more information about the Mac client certificate requirement and other PKI certificates that are required to support Mac computers, see PKI Certificate Requirements for Configuration Manager.
Mac clients are automatically assigned to the Configuration Manager site that manages them. Mac clients install as Internet-only clients, which means that they will communicate with the site system roles (management points and distribution points) in their assigned site when you configure these site system roles to allow client connections from the Internet. They do not communicate with site system roles outside their assigned site.
Use the following steps and the supplemental procedures to install, configure, and manage Mac computers for Configuration Manager. The steps cover the following:
- Deploy PKI certificates for the site system servers (web server certificate and client authentication certificate).
- Prepare the certificate template for the Mac computer.
- Configure the site system servers to support Mac computers.
- Configure the enrollment site system roles.
- Configure client settings for enrollment.
- Download the client source files for Mac clients.
- Install the client and enroll the client certificate on the Mac computer.
Steps to Install and Configure the Client for Mac Computers
Use the following table for the steps, details, and more information about how to install and configure the client for Mac computers.
Before you perform these steps, make sure that your Mac computer meets the prerequisites listed in the Client Requirements for Mac Computers section in the Supported Configurations for Configuration Manager topic.
Steps | Details | More information
---|---|---
Step 1: Deploy a web server certificate to site system servers. | These site systems might already have this certificate for other Configuration Manager clients. If not, deploy a web server certificate to the following computers that hold the following site system roles: | For an example deployment that creates and installs this web server certificate, see the Deploying the Web Server Certificate for Site Systems that Run IIS section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
Step 2: Deploy a client authentication certificate to site system servers. | These site systems might already have this certificate for Configuration Manager functionality. If not, deploy a client authentication certificate to the following computers that hold the following site system roles: | For an example deployment that creates and installs the client certificate for management points, see the Deploying the Client Certificate for Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic. For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the Client Certificate for Distribution Points section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
Step 3: Prepare the client certificate template for Mac computers. | The certificate template must have Read and Enroll permissions for the user account that will enroll the certificate on the Mac computer. | See the Deploying the Client Certificate for Mac Computers section in the Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority topic.
Step 4: Configure the management point and distribution point. | Configure management points for the following options: Although distribution points are not required to install the client on Mac computers, you must configure distribution points to allow client connections from the Internet if you want to deploy software to these Mac computers after the Configuration Manager client is installed. | See the following procedure in this topic: Step 4: Configuring Management Points and Distribution Points to support Mac Computers.
Step 5: Configure the enrollment proxy point and the enrollment point. | You must install both these site system roles in the same site but you do not have to install them on the same site system server, or in the same Active Directory forest. | For more information about site system role placement and considerations, see the Planning Where to Install Sites System Roles in the Hierarchy section in the Planning for Site Systems in Configuration Manager topic. To configure the enrollment proxy point and the enrollment point, see the following procedure in this topic: Step 5: Installing and Configuring the Enrollment Site Systems.
Step 6: Optional: | Install the reporting services point if you want to run reports for Mac computers. | For more information about how to install and configure the reporting services point, see Configuring Reporting in Configuration Manager.
Step 7: Configure client settings for enrollment. | You must use the default client settings to configure enrollment for Mac computers; you cannot use custom client settings. | For more information about client settings, see About Client Settings in Configuration Manager. For information about how to configure these client settings, see the following procedure in this topic: Step 7: Configuring the Client Settings for Enrollment.
Step 8: Download the client source files for Mac clients. | Download the installation files and then install them on the Mac computer. | See the following procedure in this topic: Step 8: Download and Install the Mac Client Files.
Step 9: Install the client and then enroll the client certificate on the Mac computer. | When you use Configuration Manager enrollment, you must first install the client by using the Ccmsetup application, and then enroll the client certificate by using the CMEnroll tool. | See the following procedure in this topic: Step 9: Installing the Client and Enrolling the Certificate by using the CMEnroll Tool on the Mac computer.
Supplemental Procedures to Install and Configure the Client for Mac Computers
Use the following information when the steps in the preceding table require supplemental procedures.
Step 4: Configuring Management Points and Distribution Points to support Mac Computers
This procedure configures existing management points and distribution points to support Mac computers. Before you start this procedure, make sure that the site system server that runs the management point and distribution point is configured with an Internet FQDN. In addition, these site system roles must be in a primary site.
To configure management points and distribution points to support Mac computers
Step 5: Installing and Configuring the Enrollment Site Systems
These procedures configure the site system roles to support Mac computers. Choose one of these procedures, depending on whether you will install a new site system server to support Mac computers or use an existing site system server:
- To install and configure the enrollment site systems: New site system server
- To install and configure the enrollment site systems: Existing site system server
To install and configure the enrollment site systems: New site system server
To install and configure the enrollment site systems: Existing site system server
Step 7: Configuring the Client Settings for Enrollment
This step is required for Configuration Manager to request and install the certificate on the Mac computer.
To configure the default client settings for Configuration Manager to enroll certificates for Mac computers
Step 8: Download and Install the Mac Client Files
You must download and install the following programs before you can install and manage the Configuration Manager client on Mac computers:
- Ccmsetup: Use this application to install the Configuration Manager client on Mac computers in your organization.
- CMDiagnostics: Use this tool to collect diagnostic information related to the Configuration Manager client on Mac computers in your organization.
- CMUninstall: Use this tool to uninstall the Configuration Manager client from Mac computers in your organization.
- CMAppUtil: Use this tool to convert Apple application packages into a format that can be deployed as a Configuration Manager application.
- CMEnroll: Use this tool to request and install the client certificate for a Mac computer so that you can then install the Configuration Manager client.
These programs are contained in a Windows Installer file named ConfigmgrMacClient.msi. This file is not supplied on the Configuration Manager installation media. You can download this file from the Microsoft Download Center.
To download and install the Mac OS X client files
Step 9: Installing the Client and Enrolling the Certificate by using the CMEnroll Tool on the Mac computer
This procedure installs the client and then uses the CMEnroll tool to request and install the client certificate for a Mac computer so that you can then manage this computer by using Configuration Manager.
To install the client and enroll the certificate by using the CMEnroll tool
Uninstalling the Mac Client
If you want to uninstall the Mac client, use the CMUninstall script that is provided with the Mac client files you downloaded from the web. Use the following procedure to help you uninstall the Configuration Manager client from Mac computers.
To uninstall the Mac client
Renewing the Mac Client Certificate
A typical validity period for the Mac client certificate is 1 year. Configuration Manager does not automatically renew the user certificate that it requests during enrollment, so you must use the following procedure to renew the certificate.
This procedure removes the SMSID, which is required to request a new certificate for the same Mac computer. After the new certificate is requested, it is automatically used by Configuration Manager.
When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console.
To renew the Mac client certificate
Use a Certificate Request and Installation Method that is Independent from Configuration Manager
When you do not use Configuration Manager enrollment and instead request and install the client certificate independently from Configuration Manager, the configuration steps are slightly different:
- Perform steps 1, 2, 4, 6 (optional), and 8.
- Do not perform steps 3, 5, 7, and 9.
- Install the client by using the following instructions.
To install the client certificate independently from Configuration Manager and install the client
Renewing the Mac Client Certificate
Use the following procedure before you renew the computer certificate on Mac computers.
This procedure removes the SMSID, which is required for the client to use a new or renewed certificate on the Mac computer. Because Configuration Manager does not support certificate selection criteria for Mac computers, either request the new certificate with a different Subject value, or use the same Subject value but delete the original certificate from the keychain store.
When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console.