Cyomf Mac OS

Posted on  by
-->

Applies to: Configuration Manager (current branch)

This article describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn about what you have to configure before deploying clients to Mac computers, see Prepare to deploy client software to Macs.

When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console.

In these procedures, you have two options for installing client certificates. Read more about client certificates for Macs in Prepare to deploy client software to Macs.

  • Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll the Mac computer before the installed certificate expires.

  • Use a certificate request and installation method that is independent from Configuration Manager.

Important

To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point certificate. For example, use the FQDN of the management point server.

Follow the steps below to enable Epson Connect for your Epson printer on a Mac. Important: Your product needs to be set up with a network connection before it can be set up with Epson Connect. If you need to set up the connection, see the Start Here sheet for your product for instructions. Earlier versions of Tux Paint are available, which run on older versions of Mac OS X / OS X / macOS. January 12, 2021 - Tux Paint 0.9.25 is also now available for a variety of Linux distributions via Flatpak.

Configure client settings

Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings. To request and install the certificate, the Configuration Manager client for Mac requires the default client settings.

In addition, I have created this plist to look for the rsyncd.conf in /usr/local/etc/rsyncd, because it is a more unified best practice way of doing things. Besides, like Mac OS X I am a fan of FreeBSD and it’s just the way I roll. The following is an example of a rsyncd.conf file that I have used in the past. Verify access to the installation assets. Upgraded Mac computers are verified by entering the Apple ID used to purchase OS X Mountain Lion. Conversely, verification is automatic for Mac computers that included OS X Mountain Lion. OS X Support Essentials 10.8 Exam Preparation Guide 9. MacOS Configuration Shell scripts for customized macOS machine setup and configuration. This project provides a highly opinionated default configuration built upon the macOS project. Should the configuration provided by this project not be to your liking, feel free to fork and customize for your specific needs.

  1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings node, and then select Default Client Settings.

  2. On the Home tab of the ribbon, in the Properties group, choose Properties.

  3. Select the Enrollment section, and then configure the following settings:

    1. Allow users to enroll mobile devices and Mac computers: Yes

    2. Enrollment profile: Choose Set Profile.

  4. In the Mobile Device Enrollment Profile dialog box, choose Create.

  5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile. Then configure the Management site code. Select the Configuration Manager primary site that contains the management points for these Mac computers.

    Note

    If you can't select the site, make sure that you configure at least one management point in the site to support mobile devices.

  6. Choose Add.

  7. In the Add Certification Authority for Mobile Devices window, select the certification authority server that issues certificates to Mac computers.

  8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you previously created.

  9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

    Tip

    If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.

In addition to the enrollment client settings, make sure that you have configured the following client device settings:

  • Hardware inventory: Enable and configure this feature if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to extend hardware inventory.

  • Compliance settings: Enable and configure this feature if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Plan for and configure compliance settings.

For more information, see How to configure client settings.

Download the client for macOS

  1. Download the macOS client file package, Microsoft Endpoint Configuration Manager - macOS Client (64-bit). Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration Manager installation media.

  2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder on the local disk. The default path is C:Program FilesMicrosoftSystem Center Configuration Manager for Mac client.

  3. Copy the Macclient.dmg file to a folder on the Mac computer.

  4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.

  5. In the folder, make sure that it contains the following files:

    • Ccmsetup: Installs the Configuration Manager client on your Mac computers using CMClient.pkg

    • CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers

    • CMUninstall: Uninstalls the client from your Mac computers

    • CMAppUtil: Converts Apple application packages into a format that you can deploy as a Configuration Manager application

    • CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client

Enroll the Mac client

Enroll individual clients with the Mac computer enrollment wizard.

To automate enrollment for many clients, use the CMEnroll tool.

Enroll the client with the Mac computer enrollment wizard

  1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select Enroll from the Configuration Manager preference page.

  2. On the second page of the wizard, provide the following information:

    • User name: The user name can be in the following formats:

      • domainname. For example: contosomnorth

      • user@domain. For example: mnorth@contoso.com

        Important

        When you use an email address to populate the User name field, Configuration Manager automatically populates the Server name field. It uses the default name of the enrollment proxy point server and the domain name of the email address. If these names don't match the name of the enrollment proxy point server, fix the Server name during enrollment.

        The user name and corresponding password must match an Active Directory user account that has Read and Enroll permissions on the Mac client certificate template.

    • Server name: The name of the enrollment proxy point server.

Client and certificate automation with CMEnroll

Use this procedure for automation of client installation and requesting and enrollment of client certificates with the CMEnroll tool. To run the tool, you must have an Active Directory user account.

  1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.

  2. Enter the following command: sudo ./ccmsetup

  3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, don't restart, and continue to the next step.

  4. From the Tools folder on the Mac computer, type the following command: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

    After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. For more information, see Enroll the client by using the Mac computer enrollment wizard.

    Example: If the enrollment proxy point server is named server02.contoso.com, and you grant contosomnorth permissions for the Mac client certificate template, type the following command: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contosomnorth'

    Note

    If the user name includes any of the following characters, enrollment fails: <>'+=,. Use an out-of-band certificate with a user name that doesn't include these characters.

    For a more seamless user experience, script the installation steps. Then users only have to supply their user name and password.

  5. Type the password for the Active Directory user account. When you enter this command, it prompts for two passwords. The first password is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.

  6. Wait until you see the Successfully enrolled message.

  7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

    1. Enter the command sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

    2. In the Keychain Access window, in the Keychains section, choose System. Then in the Category section, choose Keys.

    3. Expand the keys to view the client certificates. Find the certificate with a private key that you installed, and open the key.

    4. On the Access Control tab, choose Confirm before allowing access.

    5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

    6. Choose Save Changes and close the Keychain Access dialog box.

  8. Restart the Mac computer.

To verify that the client installation is successful, open the Configuration Manager item in System Preferences on the Mac computer. Also update and view the All Systems collection in the Configuration Manager console. Confirm that the Mac computer appears in this collection as a managed client.

Tip

To help troubleshoot the Mac client, use the CMDiagnostics tool included with the Mac client package. Use it to collect the following diagnostic information:

  • A list of running processes
  • The macOS X operating system version
  • macOS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash.
  • The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation.
  • The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.

The information collected by CmDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<datetime>.zip

Manage certificates external to Configuration Manager

You can use a certificate request and installation method independent from Configuration Manager. Use the same general process, but include the following additional steps:

  • When you install the Configuration Manager client, use the MP and SubjectName command-line options. Enter the following command: sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The certificate subject name is case-sensitive, so type it exactly as it appears in the certificate details.

    Example: The management point's internet FQDN is server03.contoso.com. The Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject. Use the following command: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com

  • If you have more than one certificate that contains the same subject value, specify the certificate serial number to use for the Configuration Manager client. Use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data '<serial number>'.

    For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data '17D4391A00000003DB'

Renew the Mac client certificate

This procedure removes the SMSID. The Configuration Manager client for Mac requires a new ID to use a new or renewed certificate.

Important

After you replace the client SMSID, when you delete the old resource in the Configuration Manager console, you also delete any stored client history. For example, hardware inventory history for that client.

  1. Create and populate a device collection for the Mac computers that must renew the computer certificates.

  2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

  3. On the General page of the wizard, specify the following information:

    • Name: Remove SMSID for Mac

    • Type: Mac OS X

  4. On the Supported Platforms page, select all macOS X versions.

  5. On the Settings page, select New. In the Create Setting window, specify the following information:

    • Name: Remove SMSID for Mac

    • Setting type: Script

    • Data type: String

  6. In the Create Setting window, for Discovery script, select Add script. This action specifies a script to discover Mac computers configured with an SMSID.

  7. In the Edit Discovery Script window, enter the following shell script:

  8. Choose OK to close the Edit Discovery Script window.

  9. In the Create Setting window, for Remediation script (optional), choose Add script. This action specifies a script to remove the SMSID when it's found on Mac computers.

  10. In the Create Remediation Script window, enter the following shell script:

  11. Choose OK to close the Create Remediation Script window.

  12. On the Compliance Rules page, choose New. Then in the Create Rule window, specify the following information:

    • Name: Remove SMSID for Mac

    • Selected setting: Choose Browse and then select the discovery script that you previously specified.

    • In the following values field: The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.

    • Enable the option to Run the specified remediation script when this setting is noncompliant.

  13. Complete the wizard.

  14. Create a configuration baseline that contains this configuration item. Deploy the baseline to the target collection.

    For more information, see How to create configuration baselines.

  15. After you install a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate:

See also

NOTE:

Between mid October 2019 and mid February 2020 everyone in the Army was migrated to use their PIV Authentication certificate for Email access. You no longer use the Email certificate for Enterprise Email or any CAC enabled websites

Mac users who choose to upgrade (or already have upgraded) to Mac OS Catalina (10.15.x) or Big Sur (11.xx.x) will need to uninstall all 3rd Party CAC enablers per https://militarycac.com/macuninstall.htm AND reenable the native smart card ability (very bottom of macuninstall link above)

If you purchased your Mac with OS Catalina (10.15.x) or Big Sur (11.xx.x) already installed, you can skip the uninstall part above and follow the instructions below.

6 'high level' steps needed, follow down the page to make this a painless systematic process

1.Is your CAC reader 'Mac friendly'?
2.Can your Mac 'see' the reader?
3.Verify which version of Mac OS you have
4.Figure out which CAC (ID card) you have
5.Install the DoD certificates
5a.Additional DoD certificate installation instructions for Firefox users
6.Decide which CAC enabler you want to use (except for 10.12-.15 & 11)

Step 1: Is your CAC reader Mac friendly?

Visit the USB Readers page to verify the CAC reader you have is Mac friendly.

Visit the USB-C Readers page to verify the CAC reader you have is Mac friendly.

'Some, not all' CAC readers may need to have a driver installed to make it work.

NOTE: Readers such as: SCR-331 & SCR-3500A may need a firmware update (NO OTHER Readers need firmware updates).

Information about these specific readers are in Step 2

Step 2: Can your Mac 'see' the reader?

Plug the CAC reader into an open USB port before proceeding, give it a few moments to install

Step 2a: Click the Apple Icon in the upper left corner of the desktop, select 'About This Mac'

Step 2b: Click 'System Report...' (button)

Step 2c: Verify the CAC reader shows in Hardware, USB, under USB Device Tree. Different readers will show differently, most readers have no problem in this step. See Step 2c1 for specific reader issues.

Step 2c1: Verify firmware version on your SCR-331, SCR-3310 v2.0, GSR-202, 202V, 203, or SCR-3500a reader. If you have a reader other than these 6, Proceed directly to step 3

Step 2c1a-SCR-331 reader

If your reader does not look like this, go to the next step.

In the 'Hardware' drop down, click 'USB.' On the right side of the screen under 'USB Device Tree' the window will display all hardware plugged into the USB ports on your Mac. Look for “SCRx31 USB Smart Card Reader.” If the Smart Card reader is present, look at 'Version' in the lower right corner of this box: If you have a number below 5.25, you need to update your firmware to 5.25. If you are already at 5.25, your reader is installed on your system, and no further hardware changes are required. You can now Quit System Profiler and continue to Step 3.

Step 2c1b-SCR-3310 v2.0 reader

If your reader does not look like this, go to the next step.

In the 'Hardware' drop down, click 'USB.' On the right side of the screen under 'USB Device Tree' the window will display all hardware plugged into the USB ports on your Mac. Look for “SCR3310 v2.0 USB Smart Card Reader.” If the Smart Card reader is present, look at 'Version' in the lower right corner of this box: If you have a number below 6.02, it will not read the 'G+D FIPS 201 SCE 7.0' CAC on Mac OS 11.xx.x or 10.15.7. I contacted HID (the company that makes these readers) on 14 DEC 2020 to find a way to update the firmware to 6.02. They said there is not firmware update for the reader. If your reader is older, you may need a new one. Please look at: https://militarycac.com/usbreaders.htm to find a compatible one. If you are already at version 6.02, your reader should work fine on your Mac and no further hardware changes are required. You can now Quit System Profiler and continue to Step 3.

Step 2c1c-SCR-3500A reader

If you have the SCR3500A P/N:905430-1 CAC reader,you may need to install this driver, as the one that installs automatically will not work on most Macs. Hold the control key [on your keyboard] when clicking the .pkg file [with your mouse], select [the word] Open

Step 3: Verify which version of MacOS you have?

Cyomf Mac Os Download

(You need to know this information for step 6)

Step 3a: Click the Apple Icon in the upper left corner of your desktop and select 'About This Mac'

Step 3b: Look below Mac OS X for: Example: Version 10.X.X, or 11.X

Step 4: Figure out which CAC (ID Card) you have

(You need to know this information for step 6)

Look at the top back of your ID card for these card types. If you have any version other than the seven shown below, you need to visit an ID card office and have it replaced. All CACs [other than these six] were supposed to be replaced prior to 1 October 2012.

Find out how to flip card over video

Step 5: Install the DoD certificates (for Safari and Chrome Users)

Go to Keychain Access

Click: Go (top of screen), Utilities, double click Keychain Access.app

(You can also type: keychain access using Spotlight (this is my preferred method))

Select login (under Keychains),and All Items (under Category).

Download the 5 files via links below (you may need to <ctrl> click, select Download Linked File As... on each link) Save to your downloads folder

Please know... IF You have any DoD certificates already located in your keychain access, you will need to delete them prior to running the AllCerts.p7b file below.

https://militarycac.com/maccerts/AllCerts.p7b,

https://militarycac.com/maccerts/RootCert2.cer,

https://militarycac.com/maccerts/RootCert3.cer,

https://militarycac.com/maccerts/RootCert4.cer, and

Double click each of the files to install certificates into the login section of keychain

Select the Kind column, verify the arrow is pointing up, scroll down to certificate, look for all of the following certificates:

DOD EMAIL CA-33 through DOD EMAIL CA-34,

DOD EMAIL CA-39 through DOD EMAIL CA-44,

DOD EMAIL CA-49 through DOD EMAIL CA-52,

Cyomf Mac Os Downloads

DOD EMAIL CA-59,

DOD ID CA-33 through DOD ID CA-34,

DOD ID CA-39 through DOD ID CA-44,

DOD ID CA-49 through DOD ID CA-52,

DOD ID CA-59

DOD ID SW CA-35 through DOD ID SW CA-38,

DOD ID SW CA-45 through DOD ID SW CA-48,

DoD Root CA 2 through DoD Root CA 5,

DOD SW CA-53 through DOD SW CA-58, and

DOD SW CA-60 through DOD SW CA-61

NOTE: If you are missing any of the above certificates, you have 2 choices,

1. Delete all of them, and re-run the 5 files above, or

2. Download the allcerts.zip file and install each of the certificates you are missing individually.

Errors:

Error 100001 Solution

Error 100013 Solution

You may notice some of the certificates will have a red circle with a white X . This means your computer does not trust those certificates

You need to manually trust the DoD Root CA 2, 3, 4, & 5 certificates

Double click each of the DoD Root CA certificates, select the triangle next to Trust, in the When using this certificate: select Always Trust, repeat until all 4 do not have the red circle with a white X.

You may be prompted to enter computer password when you close the window

Cyomf mac os downloads

Once you select Always Trust, your icon will have a light blue circle with a white + on it.

The 'bad certs' that have caused problems for Windows users may show up in the keychain access section on some Macs. These need to be deleted / moved to trash.

The DoD Root CA 2 & 3 you are removing has a light blue frame, leave the yellow frame version. The icons may or may not have a red circle with the white x

or DoD Interoperability Root CA 1 or CA 2 certificate
DoD Root CA 2 or 3 (light blue frame ONLY) certificate
or Federal Bridge CA 2016 or 2013 certificate
or Federal Common Policy CAcertificate
or or SHA-1 Federal Root CA G2 certificate
or US DoD CCEB Interoperability Root CA 1 certificate

If you have tried accessing CAC enabled sites prior to following these instructions, please go through this page before proceeding

Clearing the keychain (opens a new page)

Please come back to this page to continue installation instructions.

Step 5a: DoD certificate installation instructions for Firefox users

NOTE: Firefox will not work on Catalina (10.15.x), or last 4 versions of Mac OS if using the native Apple smartcard ability

Download AllCerts.zip, [remember where you save it].

double click the allcerts.zip file (it'll automatically extract into a new folder)

Option 1 to install the certificates (semi automated):

From inside the AllCerts extracted folder, select all of the certificates

<control> click (or Right click) the selected certificates, select Open With, Other...

Cyomf Mac Os Catalina

In the Enable (selection box), change to All Applications

Select Firefox, then Open

You will see several dozen browser tabs open up, let it open as many as it wants..

You will eventually start seeing either of the 2 messages shown next

If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'

Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers

or

'Alert This certificate is already installed as a certificate authority.' Click OK

Cyomf Mac Os X

Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it

Option 2 to install the certificates (very tedious manual):

Click Firefox (word) (upper left of your screen)

Preferences

Advanced (tab on left side of screen)

Certificates (tab)

View Certificates (button)

Authorities (tab)

Import (button)

Browse to the DoD certificates (AllCerts) extracted folder you downloaded and extracted above.

Note: You have to do this step for every single certificate

Note2: If the certificate is already in Firefox, a window will pop up stating: 'Alert This certificate is already installed as a certificate authority (CA).' Click OK

Note3: If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'

Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers

Once you've added all of the certificates...
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it

Step 6: Decide which CAC enabler you can / want to use

Only for Mac El Capitan (10.11.x or older)

After installing the CAC enabler, restart the computer and go to a CAC enabled website

NOTE: Mac OS Sierra (10.12.x), High Sierra (10.13.x), Mojave (10.14.x), Catalina (10.15.x), and Big Sur (11.1) computers no longer need a CAC Enabler.

Try to access the CAC enabled site you need to access now

Mac support provided by: Michael Danberry