How to deploy Client Certificate for Mac Computers

In this post we will see how to deploy a client certificate for Mac computers. Installing SCCM client agents on Mac computers and managing them in System Center 2012 Configuration Manager requires public key infrastructure (PKI) certificates. When you have PKI in place, Configuration Manager can request and install a user client certificate by using Microsoft Certificate Services with an enterprise certification authority (CA) and the Configuration Manager enrollment point and enrollment proxy point site system roles. If you don’t have PKI in place, you can request and install a computer certificate independently from Configuration Manager, provided the certificate meets the requirements for Configuration Manager. The whole idea of deploying PKI certificates is to secure the communication between the Mac computers and Configuration Manager.

If you are looking for a step-by-step PKI guide for SCCM 2012 R2, see the guide linked below. You must have PKI configured before you proceed any further.

Deploy PKI Certificates for SCCM 2012 R2 Step by Step Guide

Note that the certificate we create and issue authenticates the Mac client computer to the site system servers that it communicates with, such as management points and distribution points.

Creating and Issuing a Mac Client Certificate Template on the Certification Authority

Before you create a certificate template, create a security group (for example Mac Users) that contains user accounts for administrative users who will enroll the certificate on the Mac computer by using Configuration Manager.

On the member server that is running the Certification Authority console, right-click Certificate Templates, and then click Manage to load the Certificate Templates management console.

In the results pane, right-click the entry that displays Authenticated Session in the column Template Display Name, and then click Duplicate Template.

NOTE – If you are not using PKI, always use the Workstation Authentication template for certificate installation independent from Configuration Manager.

In the Duplicate Template dialog box, ensure that Windows 2003 Server is selected. In the Properties of New Template dialog box, on the General tab, enter a template name to generate the Mac client certificate, such as Mac Client Certificate.

Click the Subject Name tab and make sure that Build from this Active Directory information is selected. Select Common name for Subject name format, and clear User principal name (UPN) under Include this information in alternate subject name.

Click the Security tab, and remove the Enroll permission from the Domain Admins and Enterprise Admins security groups.

Click Add, specify the security group that you created for users who will enroll the certificate on the Mac computer by using Configuration Manager, and then click OK. Select the Enroll permission for this group, and do not clear the Read permission.

In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

In the Enable Certificate Templates dialog box, select the new template that you have just created, Mac Client Certificate, and then click OK.

The Mac client certificate template is now ready to be selected when you configure client settings for enrollment. In the upcoming posts, we will see more about installing client agents on Mac computers and managing them via Configuration Manager.
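
To confirm that the template ended up as configured in the steps above (subject built from the AD common name, no UPN in the alternate name, Enroll limited to the Mac group), the following read-only PowerShell check can be run from a domain-joined machine. It is an added example, not part of the original post or of Configuration Manager; it assumes the RSAT ActiveDirectory module and the example names Mac Client Certificate and Mac Users.

```powershell
# Added example (not from the original post): read-only audit of the template.
# Assumptions: RSAT ActiveDirectory module is installed; the two names below are
# the example names used in the steps above.
Import-Module ActiveDirectory
$TemplateDisplayName = 'Mac Client Certificate'
$EnrollGroup         = 'Mac Users'

# Certificate-Enrollment extended right; the empty GUID means "all extended rights".
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AllRights   = [guid]::Empty
# msPKI-Certificate-Name-Flag bits (values from the MS-CRTD specification).
$FlagSuppliesSubject = 0x00000001   # enrollee supplies the subject in the request
$FlagSanUpn          = 0x02000000   # UPN is added to the subject alternative name
$FlagSubjectCn       = 0x40000000   # subject is built from the AD common name

$configNc = (Get-ADRootDSE).configurationNamingContext
$query = @{
    SearchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    Filter     = "displayName -eq '$TemplateDisplayName'"
    Properties = 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'
}
$template = Get-ADObject @query
if (-not $template) { throw "Template '$TemplateDisplayName' not found" }
$nameFlag = $template.'msPKI-Certificate-Name-Flag'

# Principals with an Allow ACE that grants Enroll (explicitly or via Full Control).
$enrollers = $template.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    ($_.ObjectType -in $EnrollRight, $AllRights)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

[pscustomobject]@{
    SubjectFromAdCommonName = [bool]($nameFlag -band $FlagSubjectCn)
    UpnClearedFromSan       = -not ($nameFlag -band $FlagSanUpn)
    SubjectNotUserSupplied  = -not ($nameFlag -band $FlagSuppliesSubject)
    AdminsCannotEnroll      = -not ($enrollers -match '\\(Domain|Enterprise) Admins$')
    MacGroupCanEnroll       = [bool]($enrollers -match "\\$([regex]::Escape($EnrollGroup))$")
    PrincipalsWithEnroll    = $enrollers -join '; '
}
```

Every value except PrincipalsWithEnroll should be True; review any unexpected principal in that list, since broad groups there let more accounts enroll than the Security tab steps intend.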

5 Comments

  1. Nachiket Barve says:

    How can I do this without SCCM? We don’t have SCCM. We have Profile Manager for Mac systems.

  2. Shashank Agarwal says:

    Hi Prajwal,

    I’m a big fan of your blogs. You have taken me out of many problems in SCCM.

    I have received a requirement from a customer to manage MAC machines via SCCM. I found everything except patch deployment on MAC machines. Can you please guide me on how that is achievable?

    Regards,
    Shashank

    1. To manage Macs we have to use a third party product like Parallels. SCCM cannot deploy the updates to Mac computers.

  3. Hey,
    Quick question: when I try to create the enrollment profile, the site code is blank. What could cause this?
