Configmgr 2012 client for Mac OS X Yosemite shows "Certificate has Untrusted root"

  • Question

  • I have a Mac OS X Yosemite machine which has the Configmgr 2012 R2 CU3 client, version 5.00.7958.1102. I have created a special account with a name without spaces and enrolled the certificate for the Mac. The machine is enrolled and Enrollment Type shows Machine. But when I try to connect to the Configmgr MP using the Mac client applet I get the error "Certificate has Untrusted root". We have a Root CA and an Issuing CA. Both CA certs are added to Keychain -> System -> Category: Certificates. The Mac is joined to the domain also.

    Below is the screenshot for the same.

    Tuesday, January 20, 2015 9:25 AM

All replies

  • Are the CA and intermediate CA trusted by the MP and is the MP properly configured for HTTPS?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Tuesday, January 20, 2015 2:53 PM
  • I have added the Root CA and Issuing CA certificates to the System store on the Mac.
    Wednesday, January 21, 2015 7:34 AM
  • The site is working on HTTPS without any problems; the logs are clean for MPControl and IIS, and even the EnrollmentService.log says:

    [6, PID:3480][01/19/2015 02:01:27] :InsertCertificateRecord: 673AE321B7203452F2ED3999FD1FDFFBD4B6961E for IAMERS\s-sccmmactest
    [6, PID:3480][01/19/2015 02:01:27] :Sending status message: ENROLLSRVMSG_SQL_SUCCESS

    which I assume is a successful enrollment.

    I can paste the ccmclient log if required.

    Wednesday, January 21, 2015 7:38 AM
  • Is the CRL accessible on the Mac client?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, January 21, 2015 2:48 PM
  • The Mac is connected to the network and is part of the domain, which makes the CDP accessible to it.
    Thursday, January 22, 2015 8:10 AM
  • Not necessarily -- the accessibility of the CDP depends on the CDP itself. If your CDP is only available via LDAP, your Macs won't be able to get to it. You need to actually test this.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Thursday, January 22, 2015 2:48 PM
  • Our CDP is available on LDAP and HTTP.
    Friday, January 23, 2015 6:52 AM
  • First some semantics, those are both CDPs.

    Can you actually reach the CRL using either CDP from a Mac, though? Have you actually tested this? Just because it's there doesn't mean it's accessible.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, January 23, 2015 6:36 PM
  • The HTTP CDP is accessible; I see the below-mentioned download box when I try to open the URL in Safari.
    Wednesday, January 28, 2015 9:14 AM
  • OK, based on some quick research (I don't work with Macs at all), you need to add the trusted root and issuing CA certs to the X509Anchors keychain and not the system keychain.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, January 28, 2015 1:58 PM
  • Even I have seen the same article somewhere, but the problem is I am unable to find the X509 store. Attaching the screenshot of Keychain Access.
    Wednesday, January 28, 2015 2:52 PM
  • You may want to post on a Mac forum somewhere then, because this is specific to OS X and the knowledge of folks viewing this forum on OS X is limited at best.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, January 28, 2015 3:16 PM
  • Any resolution to this issue? I am having the exact same problem!

    To expand a bit, my certs are trusted in the System Root, but when evaluated in Keychain it returns "Evaluation Status: Bad leaf cert". I can get around the initial HTTPS connection issue to the proxy enrollment server by using -ignorecertchainvalidation for CMEnroll, but run into the same error when connecting with the SCCM Mac OS X client to the MP. Certs are SHA-2 256, OS is Mac OS X 10.10.3. Now, the OpenSSL version installed is 0.9.8zd, which does not support SHA-2, but I am not sure if that is the mechanism that the SCCM Mac client uses to communicate with the proxy enrollment point website. Also, I have upgraded OpenSSL to 1.0.2d, which does support SHA-2, but no change.

    SCCM 2012 R2 (no CUs)

    Mac OS X SCCM Client 5.00.7958.1102

    Mac OS X 10.10.3

    Tuesday, July 14, 2015 3:58 PM
  • More info: the specific error returned from CMEnroll without using -ignorecertchainvalidation is:

    Connect failed with error: valid cert chain, untrusted root

    SSL HandShake Failed: 800B0109

    Unable to connect to enrollment server

    Failed to discover server due to untrusted root cert

    Any thoughts?

    Tuesday, July 14, 2015 5:26 PM
  • Using macOS Sierra I was having this issue. My issue was that Sierra (and possibly later releases of Yosemite) doesn't trust certs with empty subjects (even if you mark them as trusted).

    I had to re-request my web server certificate, and instead of using a blank full DN, I used a common name as the subject and then the DNS name as the alternative name. My Mac then trusted the cert and I could connect!
    Wednesday, April 26, 2017 12:51 AM
  • That's not just a macOS convention; certs with blank subjects should never be trusted. Why were they created this way in the first place?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, April 26, 2017 2:19 AM
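An added example, not part of the thread above: a script run from the Mac's own Terminal that tests the three things the replies keep coming back to. Jason's point that the CDP must actually be reachable from the Mac (not just published) is checked by pulling the HTTP CRL distribution points out of the MP's certificate and fetching each one with curl; the empty-Subject problem from the last two posts is checked by reading the leaf's Subject and SAN; and the chain is then verified with openssl against the Root + Issuing CA PEM, with CRL checking when a CRL was fetched. On macOS it also asks `security verify-cert` (the same trust evaluation the Keychain "Evaluate" dialog uses) for its verdict; that step is skipped elsewhere. Assumptions: openssl and curl are on PATH; the hostname, port and CA-bundle path come from the CM_MP_HOST, CM_MP_PORT and CM_CA_BUNDLE environment variables, which are placeholders of this example. A clean openssl result isolates the CRL/CDP and chain as not being the cause; it does not by itself prove the ConfigMgr client will be satisfied, which is why the Keychain evaluation is included.

```shell
#!/bin/sh
# Added example (not from the thread): check an HTTPS ConfigMgr MP from a Mac.
# Assumes openssl and curl on PATH. Host, port and CA bundle are placeholders.
set -u

# Pull URI:http://... entries out of the "CRL Distribution Points" section of
# `openssl x509 -text` output (stdin). Staying inside that section keeps the
# AIA (OCSP / CA Issuers) URLs out. LDAP CDPs are ignored: a Mac cannot use them.
http_cdps_from_text() {
    awk '/CRL Distribution Points/ {f=1; next} f && /X509v3/ {f=0} f' |
        grep -o 'URI:http[^ ,]*' | sed 's/^URI://'
}

# True when an `openssl x509 -noout -subject` line carries an empty Name,
# i.e. the certificate was issued with a blank Subject (name only in the SAN).
# Handles both "subject=" (OpenSSL 1.1+) and "subject= " (older/LibreSSL).
subject_is_empty() {
    rest=$(printf '%s' "$1" | sed 's/^subject= *//')
    [ -z "$rest" ]
}

# Fetch the chain the MP really sends and split it into chain-0.pem (leaf),
# chain-1.pem, ... inside $3.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        awk -v d="$3" '
            /-----BEGIN CERTIFICATE-----/ {f = d "/chain-" n++ ".pem"}
            f {print > f}
            /-----END CERTIFICATE-----/ {f = ""}'
}

# macOS only: evaluate the leaf under the SSL policy against the system
# keychain's trusted roots, which is what the Keychain "Evaluate" dialog does.
keychain_eval() {
    command -v security >/dev/null 2>&1 || { echo "skip: security(1) not present"; return 0; }
    args="-c $2/chain-0.pem"
    for c in "$2"/chain-[1-9]*.pem; do [ -f "$c" ] && args="$args -c $c"; done
    security verify-cert $args -p ssl -s "$1"
}

check_mp() {
    host=$1; port=$2; cafile=$3
    work=$(mktemp -d) || exit 1
    fetch_chain "$host" "$port" "$work"
    leaf=$work/chain-0.pem
    [ -s "$leaf" ] || { echo "no certificate received from $host:$port"; return 1; }

    subj=$(openssl x509 -in "$leaf" -noout -subject)
    echo "$subj"
    subject_is_empty "$subj" &&
        echo "WARNING: empty Subject; re-issue with a CN and keep the DNS name in the SAN"
    openssl x509 -in "$leaf" -noout -text | grep -A1 'Subject Alternative Name' ||
        echo "WARNING: no subjectAltName"

    # Intermediates sent by the server, if any (-untrusted rejects an empty file)
    untrusted=""
    if cat "$work"/chain-[1-9]*.pem > "$work/untrusted.pem" 2>/dev/null; then
        untrusted="-untrusted $work/untrusted.pem"
    fi

    # CDP reachability from this machine, collecting CRLs for the verify step.
    : > "$work/crls.pem"
    for url in $(openssl x509 -in "$leaf" -noout -text | http_cdps_from_text); do
        if curl -fsS --max-time 10 -o "$work/cdp.crl" "$url"; then
            echo "OK   CDP reachable: $url"
            # Microsoft CAs publish DER; fall back to PEM for anything else
            openssl crl -inform DER -in "$work/cdp.crl" 2>/dev/null >> "$work/crls.pem" ||
                openssl crl -inform PEM -in "$work/cdp.crl" >> "$work/crls.pem"
        else
            echo "FAIL CDP unreachable: $url"
        fi
    done

    if [ -s "$work/crls.pem" ]; then
        # -crl_check needs only the leaf issuer's CRL, which is what the CDP gave us
        openssl verify -CAfile "$cafile" $untrusted -crl_check -CRLfile "$work/crls.pem" "$leaf"
    else
        echo "no CRL fetched; verifying chain without revocation check"
        openssl verify -CAfile "$cafile" $untrusted "$leaf"
    fi
    keychain_eval "$host" "$work"
    rm -rf "$work"
}

# Usage: CM_MP_HOST=mp.example.com CM_CA_BUNDLE=./root-and-issuing.pem sh check-mp.sh
if [ -n "${CM_MP_HOST:-}" ]; then
    check_mp "$CM_MP_HOST" "${CM_MP_PORT:-443}" "${CM_CA_BUNDLE:?set CM_CA_BUNDLE to the Root+Issuing CA PEM}"
fi
```

Run it with the environment variables set; a "FAIL CDP unreachable" line with an otherwise valid chain is exactly the situation Jason described, while an "empty Subject" warning points at the re-issue fix from the Sierra post.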
  • We've also been having this issue. Our Macs are not bound to our AD domain; however, all of our Macs running pre-Sierra OSes have been able to connect. We are getting the same "Certificate has untrusted root".

    It would appear in Keychain, under the details for the cert, that it does indeed have the Subject Name information completed. However, when I run "evaluate" on that cert, the evaluation status does indicate "no root cert found" and the certificate status is "Untrusted Root".

    Is this something our network guys have to address?

    Wednesday, April 26, 2017 2:21 PM
  • LukeThomas,

    Is the attached pic how you set up yours?

    Wednesday, May 10, 2017 3:31 PM
  • Anyone have a solution? I have the same problem on OS X 10.12.5. The cert evaluates "Success" and the root cert is trusted, but the SCCM client says "Certificate has Untrusted Root". I have this working on an older OS X version.
    Thursday, June 15, 2017 9:26 PM
  • Still looking for a solution as well... any luck with yours?
    Tuesday, July 11, 2017 2:25 PM
  • Friday, July 21, 2017 5:56 PM