Prepare to deploy client software to Macs
Applies to: Configuration Manager (current branch)
Important
Starting in January 2022, this feature of Configuration Manager is deprecated. For more information, see Mac computers.
Follow these steps to make sure that you're ready to deploy the Configuration Manager client to Mac computers.
For the list of supported versions, see Supported operating systems for clients and devices.
Certificate requirements
Client installation and management for Mac computers requires public key infrastructure (PKI) certificates. PKI certificates secure the communication between the Mac computers and the Configuration Manager site by using mutual authentication and encrypted data transfers. Configuration Manager can request and install a user client certificate. It uses Certificate Services with an enterprise certification authority, and the Configuration Manager enrollment point and enrollment proxy point. You can also request and install a computer certificate independently from Configuration Manager. This certificate must meet the Configuration Manager certificate requirements.
Configuration Manager Mac clients always check for certificate revocation. You can't disable this function.
If Mac clients can't locate the certificate revocation list (CRL), they can't connect to Configuration Manager site systems. Especially for Mac clients in a different forest to the issuing certification authority, check your CRL design. Make sure that Mac clients can locate and download a CRL.
Before you install the Configuration Manager client on a Mac computer, decide how to install the client certificate:
Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll Mac computers before the certificate expires.
Use a certificate request and installation method that's independent from Configuration Manager.
For more information about Mac client certificate requirements, see PKI certificate requirements for Configuration Manager.
Mac clients are automatically assigned to the Configuration Manager site that manages them. Mac clients install as internet-only clients, even if communication is restricted to the intranet. This configuration means that they communicate with internet-enabled management points and distribution points in their assigned site. Mac computers don't communicate with site systems outside their assigned site.
Important
The Configuration Manager client for macOS can't be used to connect to a management point that's configured to use a database replica.
Deploy a web server certificate to site system servers
If these site systems don't have it, deploy a web server certificate to the computers that have these site system roles:
Management point
Distribution point
Enrollment point
Enrollment proxy point
The web server certificate must include the internet FQDN that's specified in the site system properties. The server doesn't have to be accessible from the internet to support Mac computers. If you don't require internet-based client management, you can specify the intranet FQDN value for the internet FQDN.
Specify the site system's internet FQDN value in the web server certificate for the management point, the distribution point, and the enrollment proxy point.
For more information of an example deployment, see Deploying the web server certificate for site systems that run IIS.
Deploy a client authentication certificate to site system servers
If these site systems don't have it, deploy a client authentication certificate to the computers that host these site system roles:
Management point
Distribution point
For an example deployment that creates and installs the client certificate for management points, see the Deploying the client certificate for Windows computers.
For an example deployment that creates and installs the client certificate for distribution points, see the Deploying the client certificate for distribution points.
Important
To deploy the client to devices running macOS Sierra, the subject name of the management point certificate must be configured correctly. For example, use the FQDN of the management point server.
Prepare the client certificate template for Macs
The certificate template must have Read and Enroll permissions for the user account that enrolls the certificate on the Mac computer.
For more information, see Deploying the client certificate for Mac computers.
Configure the management point and distribution point
Configure management points for the following options:
HTTPS
Allow client connections from the internet. This configuration value is required to manage Mac computers. However, it doesn't mean that site system servers must be accessible from the internet.
Allow mobile devices and Mac computers to use this management point
Distribution points aren't required to install the client for Mac. If you want to deploy software to these computers after you install the client, configure distribution points to allow client connections from the internet.
To configure management points and distribution points to support Macs
Before you start this procedure, make sure to configure the management point and distribution point with an internet FQDN. If these servers don't support internet-based client management, specify the intranet FQDN as the internet FQDN value.
The site system roles must be in a primary site.
In the Configuration Manager console, go to the Administration workspace, expand Site Configuration, and select the Servers and Site System Roles node. Then select the server that has the right site system roles.
In the details pane, select the Management point role, and select Properties in the ribbon. In the Management point Properties window, configure these options:
Choose HTTPS.
Choose Allow internet-only client connections or Allow intranet and internet client connections. These options require an internet or intranet FQDN.
Choose Allow mobile devices and Mac computers to use this management point.
Select OK to save this configuration.
In the details pane of the Server and Site System Roles node, select the Distribution point role, and select Properties in the ribbon. In the Distribution point Properties window, configure these options:
Choose HTTPS.
Choose Allow internet-only client connections or Allow intranet and internet client connections. These options require an internet or intranet FQDN.
Choose Import certificate, browse to the exported client distribution point certificate file, and then specify the password.
Repeat this procedure for all management points and distribution points in primary sites that manage Mac computers.
Configure the enrollment proxy point and the enrollment point
Install both roles in the same site. You don't have to install them on the same site system server, or in the same Active Directory forest.
For more information about site system role placement and considerations, see Site system roles.
To add the site system roles to support Mac computers, see Install site system roles.
On the System Role Selection page, select Enrollment proxy point and Enrollment point from the list of available roles.
Install the reporting services point
For more information, see Install the reporting services point.
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for