1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that holds the site system roles to configure.

3. In the details pane, right-click Management point, click Role Properties, and in the Management Point Properties dialog box, configure the following options, and then click OK:

   1. Select HTTPS.
      
      
   2. Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.
      
      
   3. Select Allow mobile devices and Mac computers to use this management point.
      
      

4. In the details pane, right-click Distribution point, click Role Properties, and in the Distribution Point Properties dialog box, configure the following options, and then click OK:

   • Select HTTPS.
     
     
   • Select Allow Internet-only client connections or Allow intranet and Internet client connections. These options require that an Internet FQDN is specified in the site system properties.
     
     
   • Click Import certificate, browse to the exported client distribution point certificate file, and then specify the password.
     
     

5. Repeat steps 2 through 4 in this procedure for all management points and distribution points in primary sites that you will use with Mac computers.

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, and click Servers and Site System Roles

3. On the Home tab, in the Create group, click Create Site System Server.

4. On the General page, specify the general settings for the site system, and then click Next.

   Important
   Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet.

5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

8. Complete the wizard.

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, expand Site Configuration, select Servers and Site System Roles, and then select the server that you want to use to support Mac computers.

3. On the Home tab, in the Create group, click Add Site System Roles.

4. On the General page, specify the general settings for the site system, and then click Next.

   Important
   Make sure that you specify the Internet FQDN, even if it is the same value as the intranet FQDN. Mac computers always connect to the Internet FQDN, even when they are on the intranet.

5. On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles, and then click Next.

6. On the Enrollment Proxy Point page, review the settings and make any changes that you require, and then click Next.

7. On the Enrollment Point Settings page, review the settings and make any changes that you require, and then click Next.

8. Complete the wizard.

1. In the Configuration Manager console, click Administration.

2. In the Administration workspace, click Client Settings.

3. Click Default Client Settings.

   Important
   You cannot use a custom client setting for the enrollment configuration; you must use the default client settings.

4. On the Home tab, in the Properties group, click Properties.

5. Select the Enrollment section, and then configure the following user settings:

   1. Allow users to enroll mobile devices and Mac computers:Yes
      
      
   2. Enrollment profile: Click Set Profile.
      
      

6. In the Mobile Device Enrollment Profile dialog box, click Create.

7. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile, and then configure the Management site code. Select the Configuration Manager SP1 primary site that contains the management points that will manage the Mac computers.

   Note
   If you cannot select the site, check that at least one management point in the site is configured to support mobile devices.

8. Click Add.

9. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers, and then click OK.

10. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created in Step 3, and then click OK.

11. Click OK to close the Enrollment Profile dialog box, and then click OK to close the Default Client Settings dialog box.

    Tip
    If you want to change the client policy interval, use the Client policy polling interval client setting in the Client Policy client setting group.

All users will be configured with these settings when they next download client policy. To initiate policy retrieval for a single client, see the Initiate Policy Retrieval for a Configuration Manager Client section in the How to Manage Clients in Configuration Manager topic.

In addition to the enrollment client settings, ensure that you have configured the following Configuration Manager client device settings:

• Hardware inventory: Enable and configure this client setting if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to Configure Hardware Inventory in Configuration Manager.
  
  
• Compliance settings: Enable and configure this client setting if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Configuring Compliance Settings in Configuration Manager.
  
  

Note
For more information about Configuration Manager client settings, see How to Configure Client Settings in Configuration Manager.

1. Download the Mac OS X client file package, ConfigmgrMacClient.msi from the Microsoft Download Center and save this file to a computer that runs Windows.

2. On the Windows computer, run the ConfigmgrMacClient.msi file that you just downloaded to extract the Mac client package, Macclient.dmg to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client\).

3. Copy the Macclient.dmg file to a folder on the Mac computer.

4. On the Mac computer, run the Macclient.dmg file that you just downloaded to extract the files to a folder on the local disk.

5. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools.

1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file that you downloaded from the Microsoft Download Center.

2. Enter the following command-line: sudo ./ccmsetup

3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, do not restart now but continue to the next step.

4. From the Tools folder on the Mac computer, type the following: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u <'user name'> [-p <password>]

   If you do not specify the optional -p <password>, you are then prompted to type the password.

   The user name can be in the following formats:

   • 'domain\name’. For example: 'contoso\mnorth'
     
     
   • 'user@domain'. For example: 'mnorth@contoso.com'
     
     

   The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.

   Example: If the enrollment proxy point server is named server02.contoso.com, and a user name of contoso\mnorth with a password of Passw0rd! has been granted permissions for the Mac client certificate template, type the following: sudo ./CMEnroll -s server02.contoso.com –ignorecertchainvalidation -u 'contoso\mnorth' -p Passw0rd!

   Note
   For a more seamless user experience, you can script the installation steps and commands so that users only have to supply their user name and password.

5. Wait until you see the Successfully enrolled message.

6. Restart the Mac computer.

Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer. You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client.

Tip

To help troubleshoot any problems with the Mac client, you can use the CMDiagnostics program that is included with the Mac OS X client package to collect the following diagnostic information: A list of running processes The Mac OS X operating system version Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash. The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation. The contents of the folder /Library/Application Support/Microsoft/CCM/Logs. The information collected by CmDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<date and time>.zip.

If you want to uninstall the Mac client, use the CMUninstall script that is provided with the Mac client files you downloaded from the web. Use the following procedure to help you uninstall the Configuration Manager client from Mac computers.

To uninstall the Mac client

A typical validity period for the Mac client certificate is 1 year. Configuration Manager does not automatically renew the user certificate that it requests during enrollment, so you must use the following procedure to renew the certificate.

This procedure removes the SMSID, which is required to request a new certificate for the same Mac computer. After the new certificate is requested, it is automatically used by Configuration Manager.

Important
When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console.

To renew the Mac client certificate

1. Create a device collection for the Mac computers that must renew the computer certificates, and then add the Mac computers to the collection.

2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

3. On the General page of the wizard, specify the following information:

   • Name:Remove SMSID for Mac
     
     
   • Type:Mac OS X
     
     

4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected.

5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information:

   • Name:Remove SMSID for Mac
     
     
   • Setting type:Script
     
     
   • Data type:String
     
     

6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured.

7. In the Edit Discovery Script dialog box, enter the following Shell Script:

   	Copy Code
   defaults read com.microsoft.ccmclient SMSID

8. Click OK to close the Edit Discovery Script dialog box.

9. In the Create Setting dialog box, for Remediation script (optional), click Add script to specify a script that removes the SMSID when it is found on Mac computers.

10. In the Create Remediation Script dialog box, enter the following Shell Script:

    	Copy Code
    defaults delete com.microsoft.ccmclient SMSID

11. Click OK to close the Create Remediation Script dialog box.

12. On the Compliance Rules page of the wizard, click New, and then in the Create Rule dialog box, specify the following information:

    • Name:Remove SMSID for Mac
      
      
    • Selected setting: Click Browse and then select the discovery script that you specified previously.
      
      
    • In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.
      
      
    • Enable the option Run the specified remediation script when this setting is noncompliant.
      
      

13. Complete the Create Configuration Item Wizard.

14. Create a configuration baseline that contains the configuration item that you have just created and deploy this to the device collection that you created in step 1.

    For more information about how to create and deploy configuration baselines, see How to Create Configuration Baselines for Compliance Settings in Configuration Manager and How to Deploy Configuration Baselines in Configuration Manager.

15. After you have installed a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate:

    	Copy Code
    sudo defaults write com.microsoft.ccmclient SubjectName –string <Subject_Name_of_New_Certificate>

16. Restart the Mac computer.