SCCM 2012 SP1 - CMEnroll Mac OSX Password Prompt

  • Question

  • Hi,

    Is there a way to automate the certificate enrollment on Mac OSX?

    I'm running cmenroll -s fqdn.of.server -ignorecertchainvalidation -u "Username@domain.com" but I'm asked for the password for this account. When I put it in, it gets the certificate as it should, but I would like to automate this task rather than going to every Mac to install SCCM.

    I tried specifying the password using -p but it doesn't recognize that as a command. Does anyone know of a way around it, or another way of automating the certificate request that people know of?

    Thanks

    Wednesday, June 5, 2013 10:45 AM

Answers

  • Microsoft removed the -p switch with ConfigMgr 2012 SP1 CU1, because the switch stored the password in a log in clear text. You can do a scripted enrollment without it.

    Try the following script:

    #!/usr/bin/expect
    spawn CMEnroll -s enrollmentserver -u 'computer\Administrator'
    expect "Please enter your password."
    send "password;\n"
    interact
    

    Panu

    PS. I haven't personally tested the script.

    Thursday, June 6, 2013 5:30 AM

All replies

  • Did you put your password within quotes just as you did with your username? I don't have an OS X machine by my side at the moment, but if I recall correctly that was one thing. One other thing is that the password cannot contain single or double quotes (' or ").

    /Tim


    Tim Nilimaa | IT Expert at Knowledge Factory | Please remember to mark this answer as helpful if it helped you.

    Wednesday, June 5, 2013 11:37 AM
  • Hi Tim,

    I've tried it with and without quotes. CMEnroll says that -p is an invalid option.

    so far i've tried

    -u 'user@domain.com' -p PASSWORD

    -u 'user@domain.com' -p 'PASSWORD'

    -u 'user@domain.com'  'PASSWORD'

    Wednesday, June 5, 2013 11:45 AM
  • You might be perfectly correct and I'm mistaken. I'll have to verify if I did enter a password. http://technet.microsoft.com/en-us/library/jj591553.aspx#BKMK_StepsToInstallMacComputers does not note anything about how to enter the password except when prompted.

    Tim Nilimaa | IT Expert at Knowledge Factory | Please remember to mark this answer as helpful if it helped you.

    Wednesday, June 5, 2013 11:50 AM
  • Thanks Tim, I've got a horrible feeling it doesn't accept a password. If you could check yours, that would be good.

    Thanks

    Wednesday, June 5, 2013 12:46 PM
  • Thanks Panu, this was almost exactly what I was after...

    I found I had to run CMEnroll with "sudo -s ./" in front of it for the script to work. Someone might find this useful!

    Cheers

    Michael

    Thursday, June 13, 2013 3:18 AM
  • Hi Panu,

    Thanks, that was a massive help. I feel like I'm getting somewhere.

    It works fine from the local machine. When I send this command through ARD, it doesn't seem to send the password; the output just sits on Please enter your password.

    I'm copying the file then running sudo ./Script.sh -i

    Thanks
    Simon

    • Proposed as answer by Sydadmin Wednesday, September 4, 2013 12:55 AM
    Wednesday, June 19, 2013 9:21 AM
  • Thank you Panu

    For me the script worked using this syntax:

    • Putting CMEnroll from the macclient.dmg Tools to /tmp
    • Using " instead of ' for username
    • Using \\ instead of \ to send a literal backslash
    • Have the enter \n on a line by itself
    • Check EnrollmentServer.log on the SCCM server
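
    #!/usr/bin/expect
    # Start CMEnroll; "\\" inside double quotes passes a literal backslash
    spawn /tmp/CMEnroll -s hostname -ignorecertchainvalidation -u "domain\\username"
    # Wait for the password prompt
    expect "Please enter your password."
    send "PASSWORD"
    # Send Enter as a separate step
    send "\n"
    interact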
    

    Successfully tested on SCCM 2012 SP1 CU2 with Mac OS X 10.8.3 CMClient 5.00.7804.1202

    Friday, July 19, 2013 1:20 PM
  • This works for me, but this will log the password to clear text too. Anyone got a link to the official way MS say you should deploy "silently"? Their TechNet doco is rather vague and hints at scripting something for the end user to enroll themselves using their own AD password, which seems ridiculous. I guess if your proxy enrollment account is set up correctly it will only have enroll and read permissions, so it shouldn't be a big deal, and you could securely erase the log file in a post-install script if you are really paranoid.
    Tuesday, September 3, 2013 10:00 PM
  • Try it like this, you can then wrap it into a PKG. I think you will find the expect script isn't waiting for the enrollment to finish. If you log it to a text file you will see that without the second expect statement the log will show it stopping when it hits your enrollment server.

    https://github.com/cgerke/pkg/blob/master/input/ccm/root/tmp/ccm/enroll

    • Proposed as answer by Sydadmin Wednesday, September 4, 2013 2:25 AM
    Wednesday, September 4, 2013 2:25 AM
  • This works well, remember to escape any special characters in the password.
    Wednesday, September 17, 2014 2:02 AM
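
The points raised in the last three replies (clear-text password, waiting for enrollment to finish, special characters in the password) can be handled in one expect script. This is an added example, not code from the thread or from Microsoft; the `ENROLL_SERVER` and `ENROLL_USER` variables and the password file path are assumptions, while the CMEnroll options and prompt text are the ones quoted above.

```tcl
#!/usr/bin/expect -f
# Added example (not from the thread). Hypothetical inputs:
#   ENROLL_SERVER, ENROLL_USER  environment variables set by the caller
#   $pwfile                     one-line file holding the enrollment password
set server $env(ENROLL_SERVER)
set user   $env(ENROLL_USER)                 ;# e.g. domain\username, used as-is
set pwfile "/private/var/root/.cmenroll_pw"  ;# assumed path, owner-only file

# Refuse a password file that group or others can access (63 = octal 077).
file stat $pwfile st
if {$st(mode) & 63} {
    puts stderr "$pwfile must be mode 0600 or stricter"
    exit 1
}

# Read the password as data: no Tcl escaping of \, ", $ or [ is needed.
set fh [open $pwfile r]
set password [gets $fh]
close $fh

log_user 0       ;# keep expect from copying the session to stdout or a job log
set timeout 120  ;# seconds; applies to each expect below

spawn -noecho /tmp/CMEnroll -s $server -ignorecertchainvalidation -u $user

expect {
    "Please enter your password." { send -- "$password\n" }
    timeout { puts stderr "no password prompt seen"; exit 2 }
    eof     { puts stderr "CMEnroll exited before prompting"; exit 2 }
}
unset password

# Second expect: block until CMEnroll closes its output instead of
# handing the session to the terminal with interact.
expect {
    timeout { puts stderr "enrollment did not finish within ${timeout}s"; exit 3 }
    eof     {}
}

# wait returns {pid spawn_id os_error status}; pass the child's status on.
set result [wait]
exit [lindex $result 3]
```

Delete the password file from the post-install script once enrollment has succeeded, and confirm the result in EnrollmentServer.log on the SCCM server as suggested earlier in the thread.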