locked
Enrolled Mac OS X 10.9 to 10.10 clients do not appear in Configuration Manager Console RRS feed

  • Question

  • Well I'm stumped. I followed everything in the TechNet guide for preparing for and installing Mac clients. Setup notes:

    Primary Standalone server is running non-Internet roles (MP, DP, App Catalog roles, Asset Int, SUP), and I installed a new server (VM) yesterday to serve as the server for "Internet"-facing roles: DP, MP, Enrollment Point, Enrollment Proxy Point. Certs have been issued and configured for IIS and the DP on the "Internet" server. At this stage, I do not plan to have the roles serving "Internet" clients actually available to the Internet yet - I'm mainly interested in managing Macs we own that on our network. All servers are 2008 R2, including the root CA.

    EDIT: I forgot to mention this. On the IIS cert issued for the "Internet Client" server, I specified both the internal FQDN and the external FQDN (both DNS=) for this server in the SAN. That should be ok...right?

    On the Primary Site System Server, all has been well for quite some time - I'm in this server daily and I'm fairly confident that the issue lies with me having done something wrong on either the "Internet client" server, or I've failed to do something on the Mac OS X clients themselves.

    I seem to have successfully installed 2 Mac OS X clients, one is 10.9.3, the other is 10.10. I've used the latest client for mac os x which resolved that issue with needing to disable USB_Device in Hardware Inventory, and such devices are enabled for hw inv collection in my Default Client Policy. Enrollment went fine and the wizard succeeded. I also confirmed that CMEnroll worked fine and reported success on both as well. However, when I go to Connect via the System Pref item for Config Mgr, it states "Certificate Not Found" on the UI, and client log files on both macs basically report the same issue. I will try to post some log snippets when I get back to the office later in the evening. Both the root cert and the cert I got for my user (via the wizard) are present in the System Keychain and I even manually marked them as trusted (same behavior before and after doing this).

    I've tried enrolling both again (to no avail), just to see if that would do anything. Here's a blip from EnrollmentService.log:

    [7, PID:3600][12/03/2014 15:04:21] :WindowsIdentity is created for domain: bpsd user: amalcolm_ad
    [7, PID:3600][12/03/2014 15:04:21] :validated user credentials
    [7, PID:3600][12/03/2014 15:04:21] :Handling RequestSecurityToken
    [7, PID:3600][12/03/2014 15:04:21] :claim identity name: BPSD\amalcolm_AD
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777217
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:  
    [7, PID:3600][12/03/2014 15:04:21] :Template: SCCMClientMac
    [7, PID:3600][12/03/2014 15:04:21] :CA: System.Collections.Generic.List`1[System.String]
    [7, PID:3600][12/03/2014 15:04:21] :The CA BPSDCORE1.BPSD.BRYANTSCHOOLS.ORG is in forest BPSD.BRYANTSCHOOLS.ORG
    [7, PID:3600][12/03/2014 15:04:21] :Impersonating caller: BPSD\amalcolm_AD
    [7, PID:3600][12/03/2014 15:04:21] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: CA Chains count: 1
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Subject name: CN=BPSD-BPSDCORE1-CA, DC=BPSD, DC=BRYANTSCHOOLS, DC=ORG
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Issuer Name: CN=BPSD-BPSDCORE1-CA, DC=BPSD, DC=BRYANTSCHOOLS, DC=ORG
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: CA Chains 1 thumprint: 0FF35C1367A6A094AD9E12D5FB8C3F6FEE85657D
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Got root CA hash: 0FF35C1367A6A094AD9E12D5FB8C3F6FEE85657D
    [7, PID:3600][12/03/2014 15:04:21] :Impersonating caller: BPSD\amalcolm_AD
    [7, PID:3600][12/03/2014 15:04:21] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: Start
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: Start, Result: Succeed
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: AuthenticationApproved
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: CertNotInADAccount
    [7, PID:3600][12/03/2014 15:04:21] :Impersonating caller: BPSD\amalcolm_AD
    [7, PID:3600][12/03/2014 15:04:21] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
    [7, PID:3600][12/03/2014 15:04:21] :CALayer: Sending CA Success status - ENROLLSRVMSG_CA_SUCCESS
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: CertNotInADAccount, Result: Succeed
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: ProcessCertificate
    [7, PID:3600][12/03/2014 15:04:21] :Converted expiration date to UTC.
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: ProcessCertificate, Result: Succeed
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: PrepareProvisioning
    [7, PID:3600][12/03/2014 15:04:21] :ConfigManager: GetDBMPName: ConfigMgrIBCM.BRYANTSCHOOLS.ORG:443
    [7, PID:3600][12/03/2014 15:04:21] :PrepareProvisioning: ProvisioningXML prepared successfully. Length:8010
    [7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: PrepareProvisioning, Result: Succeed
    [7, PID:3600][12/03/2014 15:04:21] :The ES is in forest BPSD.BRYANTSCHOOLS.ORG
    [7, PID:3600][12/03/2014 15:04:21] :InsertCertificateRecord: AC1151AFFB7910E7102AC461E47AE5297F2CBB3A for BPSD\amalcolm_AD
    [7, PID:3600][12/03/2014 15:04:21] :Sending status message: ENROLLSRVMSG_SQL_SUCCESS

    I do want to note that I was getting a 500 service error previously, but that seems to have been resolved with aspnet_iisreg (v4*) and an iisreset. All components on my Internet-facing server are green and I'm not really seeing any error messages anywhere.

    Over in EnrollmentWeb.log, everything seems OK...

    Found user credential in the message header for bpsd\amalcolm_ad    Enrollment    12/3/2014 3:04:20 PM    7 (0x0007)
    Forward client request    Enrollment    12/3/2014 3:04:20 PM    7 (0x0007)
    Forward server response    Enrollment    12/3/2014 3:04:21 PM    7 (0x0007)

    So ultimately, the agents seem to be working - client log files record screen lock / user logon activity and generally seem OK from the skimpy logs that are created by mac clients, but it's been hours and these devices still haven't shown up in Config Mgr - not as a Mobile Device or in devices or... anywhere. Both our bound to our AD Domain, and the Mac OS X 10.10 client - which has a computer account present in an OU that I have System Discovery configured to check - does appear in the console, but it shows 'No Client'.

    So...I'm a little stumped here. Do Mac clients not record policy activity in a log somewhere? Can someone offer me some leads on where I should be looking for a problem?


    born to learn!



    • Edited by AJM Admin Thursday, December 4, 2014 12:22 AM forgot to mention a potential important fact about the IIS cert's SAN
    Wednesday, December 3, 2014 11:44 PM

Answers

  • Bumping an ancient topic - but I finally got this to work on the latest revisit! So two things:

    1. Apple added support for OS X 8.5+ enrolling for certs from AD CS - so they can enroll and automatically re-renroll for the config mgr mac client certificate template on their own. We accomplished this with Profile Manager.
    2. Mac clients don't accept anything but the Common Name format for the Subject, it seems. Once I switched my cert template's subject name format to Common Name, everything got a jump start. I have now enrolled several macs both in PoC and our live environment and it is a very exciting time.

    born to learn!

    • Marked as answer by AJM Admin Friday, October 30, 2015 3:35 AM
    Tuesday, June 16, 2015 2:16 PM

All replies

  • Update: wow are you kidding? Is it because the cert subject name has a space in it?

    See: https://social.technet.microsoft.com/Forums/en-US/d4fa29b7-b75a-4e75-9592-e0ea0b713b8a/mac-client-certificate-not-found?forum=configmanagerdeployment

    As this issue seem unresolved and no MS person ever responded, I sure hope this isn't the issue. I will try out enrolling with an account with no space in the Name attribute and see if that makes any difference. I will be upset if that's the trouble I burned a whole day on.


    born to learn!

    Thursday, December 4, 2014 12:13 AM
  • following advice from post marked as answer from this technet post. Everything deinstalled and reinstalled OK judging from status messages. I find it interesting that status messages indeed indicate mp_mdm is being reinstalled - rather than simply stating it is being installed.

    born to learn!

    Thursday, December 4, 2014 12:49 PM
  • Yup the name of the account that is used to enrol the mac cannot have a space in the name.
    • Proposed as answer by TemplarIT Tuesday, June 16, 2015 5:52 AM
    Thursday, December 4, 2014 1:53 PM
  • Some hours later...

    1. tried to enroll/connect on mac 10.10 client with no luck, actually getting an enrollment error which I haven't got before
    2. removed MP / DP roles from the server that will be talking to Mac OS X clients, henceforth referred to as 'Ibcm'. Revoked all its certs on CA, made sure they were blocked in Config Mgr console. I've done this because I came to find that TechNet actually says that Intra/Internet servers need to have their certs' SAN configured as 'DNS=IntranetName.AD.Corp.Com&InternetName.Corp.Com' (as I interpret this).
    3. Issued certs for IIS / DP to Ibcm with the SAN format mentioned in #2.
    4. Reinstalled MP/DP on Ibcm and specified the new DP cert in the install wizard.
    5. once status messages said everything was complete, aspnet_iisreg (v4*) and iisreset just to be sure asp iis components are in a consistent state
    6. restart Ibcm
    7. Review status messages and confirm Ibcm is acting happy
    8. Install client on mac 10.10 system, restart after wizard is done, start enrollment wizard, use the SccmMacEnroller account (no spaces in the name attribute) to enroll; receive Enrollment error (0x8018002a).
    9. Try sudo ./CMEnroll -s IntranetFQDNOfIbcmServer -IgnoreCertChaInvalidation -u 'SccmMacEnroller@IntranetUPN'; I get SSL Connection failed. HTTP response code is 500 and reason is Internal Server Error. I also tried using the Internet FQDN of the Ibcm server (same syntax as above otherwise) and got the same result.

    Ibcm's \SMS_CCM\EnrollmentProxyPoint\Logs\EnrollmentWeb.log says:

    ValidateServerCert - certificate error: RemoteCertificateNameMismatch    Enrollment    12/4/2014 9:15:54 AM    9 (0x0009)
    System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'IntranetFQDNForIbcmServer'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.runTryCode(Object userData)
       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
       at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at IDeviceEnrollmentService.RequestSecurityToken(Message request)
       at DeviceEnrollmentServiceClient.RequestSecurityToken(Message request)
       at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentWebService.RequestSecurityToken(Message requestMessage)    Enrollment    12/4/2014 9:15:55 AM    9 (0x0009)

    I'm guessing it doesn't like 'DNS=IntranetFQDN&InternetFQDN' on the SAN on the certs, but I don't know what else to do now since the TechNet doc says to do that (see the table\specific requirements entry for Management Points/DP's/etc. If I am misinterpreting what the TechNet link says, please correct me... :-/


    born to learn!

    Thursday, December 4, 2014 3:36 PM
  • I ended up removing all roles from the Ibcm server, redid everything as Internet only using Intranet FQDN and using an account to enroll that has no spaces in the Name attribute. It successfully enrolls and \SMS_CCM\EnrollmentProxyPoint\Logs\EnrollmentWeb.log reports

    Found user credential in the message header for domain\SccmMacEnroller    Enrollment    12/4/2014 4:06:32 PM    7 (0x0007)
    Forward client request    Enrollment    12/4/2014 4:06:33 PM    7 (0x0007)
    Forward server response    Enrollment    12/4/2014 4:07:01 PM    7 (0x0007)

    and the client UI on this mac (10.9.5) reported successful enrollment. However, clicking Connect Now still results in a 'Certificate not found' error on the config mgr preference item UI. My CA's root cert is in the System Keychain, and the cert issued to the user I enrolled with evaluated successfully so it is trusted.

    Here are the zipped client log files from this mac; I don't know what the heck else to do.


    born to learn!

    Thursday, December 4, 2014 10:32 PM
  • I guess I'll check back in a year. Never could get it working nor get any help so we went with Filewave.

    born to learn!

    Monday, December 15, 2014 11:24 PM
  • I know this is bumping an old topic, but I wanted to add:

    config mgr client logging on iOS and OS X devices completely sucks. Whereas config mgr client logs on Windows platforms are gloriously verbose and actually help me troubleshoot things, client logs on apple devices really don't say anything more than 'something failed'. Shame on you! That is not a problem with Apple, it's a problem with you not being verbose enough in logs about what your client operations are doing!


    born to learn!

    Thursday, February 12, 2015 2:54 PM
  • Bumping an ancient topic - but I finally got this to work on the latest revisit! So two things:

    1. Apple added support for OS X 8.5+ enrolling for certs from AD CS - so they can enroll and automatically re-renroll for the config mgr mac client certificate template on their own. We accomplished this with Profile Manager.
    2. Mac clients don't accept anything but the Common Name format for the Subject, it seems. Once I switched my cert template's subject name format to Common Name, everything got a jump start. I have now enrolled several macs both in PoC and our live environment and it is a very exciting time.

    born to learn!

    • Marked as answer by AJM Admin Friday, October 30, 2015 3:35 AM
    Tuesday, June 16, 2015 2:16 PM
  • i'm so close.

    Using Safari I can connect to https://siteserver:443/omadm/cimhandler.ashx, the browser first prompts for the certificate, then the username and password twice. 

    The browser connects and download the cimhandler.ashx file then waits for a response. 

    Second attempt via the browser it actually asked for the password once and then downloaded cimhandler.ashx.

    Third Attempt with always allow set in private key for CMMAgent, Client just downloaded the file cimhandler.ashx. 

    From the browser certificate authentication and windows authentication is working.  


    Monday, October 30, 2017 5:05 PM