System Manager For Mac
How to deploy clients to Macs
Applies to: System Center Configuration Manager (Current Branch)
This topic describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn about what you have to configure before deploying clients to Mac computers, see.
When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console. In these procedures, you have two options for installing client certificates.
Read more about client certificates for Macs in. Use Configuration Manager enrollment by using the.
The enrollment process does not support automatic certificate renewal so you must re-enroll Mac computers before the installed certificate expires.
Important: To deploy the client to devices running macOS Sierra, the Subject name of the management point certificate must be configured correctly, for example, by using the FQDN of the management point server.

Configure client settings for enrollment
You must use the default client settings to configure enrollment for Mac computers; you cannot use custom client settings. This is required for Configuration Manager to request and install the certificate on the Mac.
To configure the default client settings for Configuration Manager to enroll certificates for Macs:
1. In the Configuration Manager console, choose Administration > Client Settings > Default Client Settings.
2. On the Home tab, in the Properties group, choose Properties.
3. Select the Enrollment section, and then configure these settings:
   - Allow users to enroll mobile devices and Mac computers: Yes
   - Enrollment profile: Choose Set Profile.
4. In the Mobile Device Enrollment Profile dialog box, choose Create.
5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile, and then configure the Management site code. Select the Configuration Manager primary site that contains the management points that will manage the Mac computers.
   Note: If you cannot select the site, check that at least one management point in the site is configured to support mobile devices.
6. Choose Add.
7. In the Add Certification Authority for Mobile Devices dialog box, select the certification authority (CA) server that will issue certificates to Mac computers.
8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you created in Step 3.
9. Click OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.
   Tip: If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.
All users will be configured with these settings the next time that they download client policy. To initiate policy retrieval for a single client, see.
In addition to the enrollment client settings, ensure that you have configured the following client device settings:
- Hardware inventory: Enable and configure this if you want to collect hardware inventory from Mac and Windows client computers. For more information, see.
- Compliance settings: Enable and configure this if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see.
Note: For more information about Configuration Manager client settings, see.

Download the client source files for Macs
1. Download the Mac OS X client file package, ConfigmgrMacClient.msi, and save it to a computer that runs Windows. This file is not supplied on the Configuration Manager installation media. You can download this file from the Microsoft Download Center.
2. On the Windows computer, run ConfigmgrMacClient.msi to extract the Mac client package, Macclient.dmg, to a folder on the local disk (by default C:\Program Files (x86)\Microsoft\System Center 2012 Configuration Manager Mac Client\).
3. Copy the Macclient.dmg file to a folder on the Mac computer.
4. On the Mac computer, run the Macclient.dmg file to extract the files to a folder on the local disk.
5. In the folder, ensure that the files Ccmsetup and CMClient.pkg are extracted and that a folder named Tools is created that contains the CMDiagnostics, CMUninstall, CMAppUtil and CMEnroll tools.
   - Ccmsetup: Installs the Configuration Manager client on your Mac computers.
   - CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers.
   - CMUninstall: Uninstalls the client from your Mac computers.
   - CMAppUtil: Converts Apple application packages into a format that can be deployed as a Configuration Manager application.
   - CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client.

Install the client and then enroll the client certificate on the Mac
You can enroll individual clients with the Mac Computer Enrollment Wizard. For automation that enables enrollment of many clients, use the CMEnroll tool.

Enroll the client with the Mac Computer Enrollment Wizard
1. After you have finished installing the client, the Computer Enrollment wizard opens. If the wizard does not open, or if you accidentally close it, click Enroll from the Configuration Manager preference page to open it.
2. On the second page of the wizard, provide:
   - User name - The user name can be in the following formats:
       'domain\name'. For example: 'contoso\mnorth'
       'user@domain'. For example: 'mnorth@contoso.com'
     Important: When you use an email address to populate the User name field, Configuration Manager automatically uses the domain name of the email address and the default name of the enrollment proxy point server to populate the Server name field. If this domain name and server name do not match the name of the enrollment proxy point server, tell your users the correct name to use when enrolling their Mac computers.
     The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.
   - Password - Enter a corresponding password for the user name specified.
   - Server name - Enter the name of the enrollment proxy point server.

Client and certificate automation with CMEnroll
Use this procedure for automation of client installation and requesting and enrollment of client certificates with the CMEnroll tool.
To run the tool you must have an Active Directory user account.
1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.
2. Enter the following command line: sudo ./ccmsetup
3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, do not restart, and continue to the next step.
4. From the Tools folder on the Mac computer, type the following: sudo ./CMEnroll -s <enrollment proxy point server name> -ignorecertchainvalidation -u '<user name>'
   After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. To enroll the client by this method, see Enroll the client with the Mac Computer Enrollment Wizard in this topic.
5. Type the password for the Active Directory user account. When you enter this command, you are asked for two passwords: The first prompt is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.
   The user name can be in the following formats:
   - 'domain\name'. For example: 'contoso\mnorth'
   - 'user@domain'. For example: 'mnorth@contoso.com'
   The user name and corresponding password must match an Active Directory user account that is granted Read and Enroll permissions on the Mac client certificate template.
   Example: If the enrollment proxy point server is named server02.contoso.com, and a user name of contoso\mnorth has been granted permissions for the Mac client certificate template, type the following: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contoso\mnorth'
   Note: If the username contains any of the characters '+=, enrollment will fail. Obtain an out-of-band certificate with a username that does not contain these characters.
   For a more seamless user experience, you can script the installation steps and commands so that users only have to supply their user name and password.
6. Wait until you see the Successfully enrolled message.
7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:
   a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
   b. In the Keychain Access dialog box, in the Keychains section, choose System, and then, in the Category section, choose Keys.
   c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.
   d. On the Access Control tab, choose Confirm before allowing access.
   e. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.
   f. Choose Save Changes and close the Keychain Access dialog box.
8. Restart the Mac computer.
Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac computer.
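The ccmsetup and CMEnroll steps above, scripted so that the user supplies only a user name and the two passwords. This is an added example, not part of the original article or of the Configuration Manager client package. The function names and the --enroll switch are hypothetical, ENROLL_SERVER defaults to the article's sample server name, and only the characters +, = and , that are legible in the article's note are rejected.

```shell
#!/bin/sh
# Added example: wraps the article's ccmsetup and CMEnroll commands.
# ENROLL_SERVER is an assumption; the default is the article's sample name.
ENROLL_SERVER="${ENROLL_SERVER:-server02.contoso.com}"

# Accept 'domain\name' or 'user@domain'; reject + = , (from the article's note).
valid_enroll_user() {
    case "$1" in
        *[+=,]*) return 1 ;;
    esac
    case "$1" in
        *'\'*'\'* | *@*@* | *'\'*@* | *@*'\'*) return 1 ;;  # repeated or mixed separator
        ?*'\'?* | ?*@?*) return 0 ;;
    esac
    return 1
}

# enroll_mac DIR USER: DIR is the folder extracted from Macclient.dmg.
# Returns 2 (files missing), 3 (bad user name), 4 (sudo), 5 (ccmsetup),
# otherwise the exit status of CMEnroll.
enroll_mac() {
    dir=$1
    user=$2
    if [ ! -x "$dir/ccmsetup" ] || [ ! -x "$dir/Tools/CMEnroll" ]; then
        printf '%s\n' "ccmsetup or Tools/CMEnroll not found under $dir" >&2
        return 2
    fi
    if ! valid_enroll_user "$user"; then
        printf '%s\n' 'User name must be domain\name or user@domain, without + = ,' >&2
        return 3
    fi
    # Ask for the local password first, with its own prompt text. While the
    # sudo timestamp is still valid, the remaining password prompt is the
    # Active Directory one, so the two can no longer be confused.
    sudo -p "Local administrator password for %u: " -v || return 4
    (cd "$dir" && sudo ./ccmsetup) || return 5
    printf '%s\n' "Ignore the restart message. Next: Active Directory password for $user"
    # Command line exactly as given in the article.
    (cd "$dir/Tools" &&
        sudo ./CMEnroll -s "$ENROLL_SERVER" -ignorecertchainvalidation -u "$user")
}

# Runs only when asked to, e.g.: sh enroll.sh --enroll ~/macclient 'contoso\mnorth'
if [ "${1:-}" = "--enroll" ]; then
    enroll_mac "$2" "$3"
fi
```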
You can also update and view the All Systems collection to confirm that the Mac computer now appears in this collection as a managed client.
Tip: To help troubleshoot the Mac client, you can use the CMDiagnostics program that is included with the Mac OS X client package to collect the following diagnostic information:
- A list of running processes
- The Mac OS X operating system version
- Mac OS X crash reports relating to the Configuration Manager client including CCM.crash and System Preference.crash
- The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation
- The contents of the folder /Library/Application Support/Microsoft/CCM/Logs
The information collected by CMDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-.zip

Use a certificate request and installation method that is independent from Configuration Manager
First, perform these specific tasks from:
Then, perform these tasks:
1. Use the instructions that accompany your chosen certificate deployment method to request and install the client certificate on the Mac computer.
2. Navigate to the folder where you extracted the contents of the macclient.dmg file that you downloaded from the Microsoft Download Center.
3. Enter the following command line: sudo ./ccmsetup -MP <management point Internet FQDN> -SubjectName <certificate subject name>
   The certificate subject value is case-sensitive, so type it exactly as it appears in the certificate details.
   Example: If the Internet FQDN in the site system properties is server03.contoso.com and the Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject, type: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com
4. Wait until you see the Completed installation message and then restart the Mac computer.
5. To make sure that this certificate is accessible to Configuration Manager, on the Mac computer, open a terminal window and make these changes:
   a. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access
   b. In the Keychain Access dialog box, in the Keychains section, choose System, and then, in the Category section, choose Keys.
   c. Expand the keys to view the client certificates. When you have identified the certificate with a private key that you have just installed, double-click the key.
   d. On the Access Control tab, choose Confirm before allowing access.
   e. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.
   f. Choose Save Changes and close the Keychain Access dialog box.
6. If you have more than one certificate that contains the same subject value, you must specify the certificate serial number to identify the certificate that you want to use for the Configuration Manager client. To do this, use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data '<serial number>'
   For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data '17D433DB'
7. Verify that the client installation is successful by opening the Configuration Manager item in System Preferences on the Mac. You can also update and view the All Systems collection to confirm that the Mac appears in this collection as a managed client.

Renewing the Mac client certificate
Use the following procedure before you renew the computer certificate on Mac computers. This procedure removes the SMSID, which is required for the client to use a new or renewed certificate on the Mac computer.
Important: When you remove and replace the client SMSID, any stored client history such as inventory is deleted after you delete the client from the Configuration Manager console.
To renew the Mac client certificate:
1. Create and populate a device collection for the Mac computers that must renew the computer certificates.
2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.
3. On the General page of the wizard, specify the following information:
   - Name: Remove SMSID for Mac
   - Type: Mac OS X
4. On the Supported Platforms page of the wizard, ensure that all Mac OS X versions are selected.
5. On the Settings page of the wizard, click New and then, in the Create Setting dialog box, specify the following information:
   - Name: Remove SMSID for Mac
   - Setting type: Script
   - Data type: String
6. In the Create Setting dialog box, for Discovery script, click Add script to specify a script that discovers Mac computers with an SMSID configured.
7. In the Edit Discovery Script dialog box, enter the following Shell Script: defaults read com.microsoft.ccmclient SMSID
8. Choose OK to close the Edit Discovery Script dialog box.
9. In the Create Setting dialog box, for Remediation script (optional), choose Add script to specify a script that removes the SMSID when it is found on Mac computers.
10. In the Create Remediation Script dialog box, enter the following Shell Script: defaults delete com.microsoft.ccmclient SMSID
11. Choose OK to close the Create Remediation Script dialog box.
12. On the Compliance Rules page of the wizard, choose New, and then in the Create Rule dialog box, specify the following information:
   - Name: Remove SMSID for Mac
   - Selected setting: Choose Browse and then select the discovery script that you specified previously.
   - In the following values field, enter The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.
   - Enable the option Run the specified remediation script when this setting is noncompliant.
13. Complete the Create Configuration Item Wizard.
14. Create a configuration baseline that contains the configuration item that you have just created and deploy this to the device collection that you created in step 1. For more information about how to create and deploy configuration baselines, see.
15. After you have installed a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate: sudo defaults write com.microsoft.ccmclient SubjectName -string <subject name of the new certificate>
    If you have more than one certificate that contains the same subject value, you must then specify the certificate serial number to identify the certificate that you want to use for the Configuration Manager client. To do this, use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data '<serial number>'
    For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data '17D433DB'
16. Restart.
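A way to rehearse the renewal procedure above on a single Mac before deploying the baseline, as an added example that is not part of the original article. It assumes the script is run as root, the function names and the --remove-smsid / --use-cert switches are hypothetical, and the defaults commands and the compliance text are the ones given in the steps.

```shell
#!/bin/sh
# Added example: run as root on one Mac to rehearse the configuration item.
# Function names are hypothetical; the defaults commands are the article's.
DOMAIN=com.microsoft.ccmclient

# Discovery plus compliance rule: "compliant" means no SMSID is stored.
# Any other output (a value, or a different error) counts as noncompliant.
smsid_state() {
    out=$(defaults read "$DOMAIN" SMSID 2>&1) || true
    case "$out" in
        *"($DOMAIN, SMSID) does not exist"*) echo compliant ;;
        *) echo noncompliant ;;
    esac
}

# Remediation: delete the SMSID if present, then re-run discovery.
remove_smsid() {
    if [ "$(smsid_state)" = compliant ]; then
        return 0
    fi
    defaults delete "$DOMAIN" SMSID || return 1
    [ "$(smsid_state)" = compliant ]
}

# -data takes hexadecimal digits, so accept only whole hex bytes.
valid_serial() {
    case "$1" in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# use_certificate SUBJECT [SERIAL]: returns 2 (no subject), 3 (bad serial),
# 4 (defaults write failed). SERIAL is only needed when several certificates
# share the same subject value.
use_certificate() {
    subject=$1
    serial=${2:-}
    [ -n "$subject" ] || return 2
    if [ -n "$serial" ] && ! valid_serial "$serial"; then
        return 3
    fi
    defaults write "$DOMAIN" SubjectName -string "$subject" || return 4
    if [ -n "$serial" ]; then
        defaults write "$DOMAIN" SerialNumber -data "$serial" || return 4
    fi
    return 0
}

# Two separate runs, because the new certificate is installed in between.
case "${1:-}" in
    --remove-smsid) remove_smsid ;;
    --use-cert)     use_certificate "${2:-}" "${3:-}" ;;
esac
```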

Apple Remote Desktop is the best way to manage the Mac computers on your network. Distribute software, provide real-time online help to end users, create detailed software and hardware reports, and automate routine management tasks, all without leaving your desk. Featuring Automator actions and Remote Spotlight search, Apple Remote Desktop makes your job easier than ever.
Apple Remote Desktop is the award-winning OS X desktop management system for software distribution, asset management, and remote assistance. Apple Remote Desktop offers a wide range of high-performance features, including lightning-fast Spotlight searches across multiple systems; more than 40 Automator actions for easy automation of repetitive tasks; and AutoInstall for automatically updating software on mobile systems once they return to the network.

First-class upgrades
Installing software or updates to your network has never been this easy. Take an existing package, from either Apple or a third party, and simply use the Install Package to copy and install on your client computers. And it works with custom install packages as well. Apple Remote Desktop will alert your systems' users to upgrades and even restart machines remotely.
AutoInstall allows you to stage software on a Task Server, which then takes care of distributing the packages for installation on client computers. You can even set a schedule for installation to occur at a time that is most convenient for your organization. And if a computer is not on the network, the Task Server will keep track and automatically install the package once the system is online.

Automation for your Mac computers
Those time-consuming administrative tasks will become a thing of the past, thanks to Automator actions in Apple Remote Desktop. To use Automator actions, all you need to do is drag and drop the actions to construct a workflow. More than 40 Automator actions are included with Apple Remote Desktop, which you can apply to set desktop pictures, Finder preferences, Energy Saver preferences, default time zones, and more.

No need to make house calls
The screen-sharing features of Apple Remote Desktop allow you to provide immediate help to remote users, saving time for both of you. Don't want your admin tasks to be seen? Turn on Curtain Mode to block the local user's view of their desktop. This is perfect when you're updating a public display. You'll have full control of the system, but your work will be hidden from view. If you need to move files or folders to a single computer, the easy-to-use Remote Drag and Drop copy function makes the job a snap. You can also copy and paste between local and remote systems — no extra steps necessary.

Reporting for duty
Remote Spotlight search takes advantage of one of the most powerful features of OS X. Now you can perform lightning-fast, user-specified searches on remote client systems. Files from the results can be copied to the administrator system for reporting. Apple Remote Desktop also makes it easy to compile reports on application usage, history, inventory, and more. Hardware reports gather more than 200 attributes about networked Mac systems, while software reports collect information on 16 file system attributes. Inventory reports can be gathered even from mobile systems not connected to the network, and results are stored in the included SQL database for fast access.