How to Install Clients on Linux and UNIX Computers in Configuration Manager

 

Updated: May 14, 2015

Applies To: System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1

Note

The information in this topic applies to System Center 2012 Configuration Manager SP1 or later, and System Center 2012 R2 Configuration Manager or later.

Before you can manage a Linux or UNIX server with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX on each Linux or UNIX computer. You can accomplish the installation of the client manually on each computer, or use a shell script that installs the client remotely. Configuration Manager does not support the use of client push installation for Linux or UNIX servers. Optionally you can configure a Runbook for System Center 2012 Orchestrator to automate the install of the client on the Linux or UNIX server.

Regardless of the installation method you use, the install process requires the use of a script named install to manage the install process. This script is included when you download the Client for Linux and UNIX.

The install script for the Configuration Manager client for Linux and UNIX supports command line properties. Some command line properties are required, while others are optional. For example, when you install the client, you must specify a management point from the site that is used by the Linux or UNIX server for its initial contact with the site. For the complete list of command line properties, see Command Line Properties for Installing the Client on Linux and UNIX Servers.

After you install the client, you specify Client Settings in the Configuration Manager console to configure the client agent in the same way as you would for Windows-based clients. For more information, see the Client Settings for Linux and UNIX Servers section in the How to Manage Linux and UNIX Clients in Configuration Manager topic.

Use the following sections to help you install the client for Linux and UNIX:

  • About Client Installation Packages and the Universal Agent

  • Install the Client on Linux and UNIX Servers

    • To install the Configuration Manager Client on Linux and UNIX servers

    • Command Line Properties for Installing the Client on Linux and UNIX Servers

    • Upgrade the Client on Linux and UNIX Servers

    • Uninstalling the Client from Linux and UNIX Servers

  • Configure Request Ports for the Client for Linux and UNIX

  • Configure the Client for Linux and UNIX to Locate Management Points

About Client Installation Packages and the Universal Agent

To install the client for Linux and UNIX on a specific platform, you must use the applicable client installation package for the computer where you install the client. Applicable client installation packages are included as part of each client download from the Microsoft Download Center. In addition to client installation packages, the client download includes the install script that manages the installation of the client on each computer.

  • Prior to cumulative update 1, each operating system and platform requires the use of an operating system and platform specific client installation package. The operating system and platform are identified in the name of each client installation package.

  • Beginning with cumulative update 1, the installation packages from the Universal Agent replace the separate client installation packages for several Linux operating systems. However, not all supported operating systems are supported by the Universal Agent. Versions of Linux that are not supported by the Universal Agent and all versions of UNIX continue to require the use of client installation packages that are specific to each operating system and platform.

When you install a client, you can use the same process and command line properties regardless of the client installation package you use.

For information about the operating systems, platforms, and client installation packages that are supported by each release of the Configuration Manager client for Linux and UNIX, see the Client Requirements for Linux and UNIX Servers section in the Supported Configurations for Configuration Manager topic.

Install the Client on Linux and UNIX Servers

To install the client for Linux and UNIX, you run a script on each Linux or UNIX computer. The script is named install and supports command line properties that modify the installation behavior and reference the client installation package. The install script and client installation package must be located on the client. The client installation package contains the Configuration Manager client files for a specific Linux or UNIX operating system and platform.

Each client installation package contains all the necessary files to complete the client installation and, unlike Windows-based computers, does not download additional files from a management point or other source location.

After you install the Configuration Manager client for Linux and UNIX, you do not need to reboot the computer. As soon as the software installation is complete, the client is operational. If you reboot the computer, the Configuration Manager client restarts automatically.

The installed client runs with root credentials. Root credentials are required to collect hardware inventory and perform software deployments.

Following is the command format: ./install -mp <computer> -sitecode <sitecode> <property #1> <property #2> <client installation package>

Command line:

./install -mp smsmp.contoso.com -sitecode S01 ccm-Universal-x64.<build>.tar

Actions:

  • install is the name of the script file that installs the client for Linux and UNIX. This file is provided with the client software.

  • -mp smsmp.contoso.com specifies the initial management point that is used by the client.

  • -sitecode S01 specifies the client is assigned to the site with the site code of S01.

  • ccm-Universal-x64.<build>.tar is the name of the client installation .tar package for this computer operating system, version, and CPU architecture.

You can insert additional command line properties before the command line property that specifies the client installation .tar file. The client installation .tar file must be specified last.

For a list of command line options, see Command Line Properties for Installing the Client on Linux and UNIX Servers.

Use the following procedure as an example of how to install the client for Linux and UNIX.

Note

The following example procedure installs the client from the cumulative update 1 release of the client for Linux and UNIX on a Red Hat Enterprise Linux 5 (RHEL5) x64 computer. To adjust this procedure for the operating systems that you use, replace the client installation file (ccm-Universal-x64.<build>.tar) with the applicable package for the computer where you are installing the client. Also plan to use additional command line properties to meet your requirements.

To install the Configuration Manager Client on Linux and UNIX servers

  1. Copy the install script and the client installation .tar file to a folder on the RHEL 5 x64 based computer.

  2. On the RHEL5 computer, run the following command to enable the script to run as a program: chmod +x install

    Important

    You must use root credentials to install the client.

  3. Next, run the following command to install the Configuration Manager client: ./install -mp <hostname> -sitecode <code> ccm-Universal-x64.<build>.tar

    When you enter this command, use additional command-line properties you require.

  4. After the script runs, validate the install by reviewing the /var/opt/microsoft/scxcm.log file. Additionally, you can confirm that the client is installed and communicating with the site by viewing details for the client in the Devices node of the Assets and Compliance workspace in the Configuration Manager console.
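Step 4's log review can be scripted so that only entries written after the install are considered. The following is an added example, not part of the client download; it looks for the certificate validation message that the -UsePKICert property description quotes, and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the scxcm.log review in step 4.
# The message text is the one quoted in the -UsePKICert property description.
CERT_FAIL_MSG='Failed validate the certificate for Management Point'

# log_mark LOG: number of lines currently in LOG (0 if it does not exist).
# Call it just before ./install so that older entries are not counted later.
log_mark() {
    if [ -r "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# cert_check LOG MARK: inspect only the lines written after MARK.
# Returns 0 = no certificate failure logged so far
#         1 = failure logged (the matching lines are printed)
#         2 = log unreadable or nothing written since MARK (no conclusion)
cert_check() {
    [ -r "$1" ] || return 2
    cc_new=$(tail -n "+$(($2 + 1))" "$1")
    [ -n "$cc_new" ] || return 2
    if printf '%s\n' "$cc_new" | grep -F -- "$CERT_FAIL_MSG"; then
        return 1
    fi
    return 0
}

# Constructed sample log; only the failure message text comes from the page.
demo_log=$(mktemp)
printf '%s\n' 'constructed: earlier run' \
    "constructed: $CERT_FAIL_MSG" > "$demo_log"
demo_mark=$(log_mark "$demo_log")      # taken just before ./install
printf '%s\n' 'constructed: client started' >> "$demo_log"
cert_check "$demo_log" "$demo_mark" &&
    echo "no certificate failure logged since the install"
rm -f "$demo_log"
```

A return value of 0 only means the message has not been logged yet; the Devices node in the console remains the confirmation that the client is communicating with the site.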

Command Line Properties for Installing the Client on Linux and UNIX Servers

When you install the client for Linux and UNIX on a Linux or UNIX computer, you run the install script with command-line properties that specify the following:

  • The client’s assigned site.

  • The management point with which the client initially communicates

  • The client installation .tar file for the computer’s operating system

  • Additional configurations you require

The properties described in the following table are available to modify the installation behavior.

Note

Use the property -h to display this list of supported properties.

Property

Required or optional

More information

-mp <server FQDN>

Required

Specifies, by FQDN, the management point server that the client will use as an initial point of contact.

Important

This property does not specify the management point to which the client will become assigned after installation.

Note

When you use the -mp property to specify a management point that is configured to accept only HTTPS client connections, you must also use the -UsePKICert property.

Specify the management point by FQDN.

-sitecode <sitecode>

Required

Specifies the Configuration Manager primary site to assign the Configuration Manager client to.

Example: -sitecode S01

-fsp <server_FQDN>

Optional

Note

Beginning with cumulative update 1, the Configuration Manager client for Linux and UNIX supports the use of fallback status points.

Specifies, by FQDN, the fallback status point server that the client uses to submit state messages.

For more information about the fallback status point, see the Determine Whether You Require a Fallback Status Point section in the Determine the Site System Roles for Client Deployment in Configuration Manager topic.

-dir <directory>

Optional

Specifies an alternate location to install the Configuration Manager client files.

By default, the client installs to the following location: /opt/microsoft.

-nostart

Optional

Prevents the automatic start of the Configuration Manager client service, ccmexec.bin, after the client installation completes.

After the client installs, you must start the client service manually.

By default, the client service starts after the client installation completes, and each time the computer restarts.

-clean

Optional

Specifies the removal of all client files and data from a previously installed client for Linux and UNIX, before the new installation starts. This removes the client’s database and certificate store.

-keepdb

Optional

Specifies that the local client database is retained, and reused when you reinstall a client. By default, when you reinstall a client this database is deleted.

-UsePKICert <parameter>

Optional

Specifies the full path and file name to an X.509 PKI certificate in the Public Key Certificate Standard (PKCS#12) format. This certificate is used for client authentication. If a certificate is not specified during installation and you need to add or change a certificate, use the certutil utility. See How to Manage Certificates on the Client for Linux and UNIX (https://technet.microsoft.com/en-us/library/jj573941.aspx#BKMK_ManageLinuxCerts) for information on certutil.

When you use -UsePKICert, you must also supply the password associated with the PKCS#12 file by use of the -certpw command line parameter.

If you do not use this property to specify a PKI certificate, the client uses a self-signed certificate and all communications to site systems are over HTTP.

If you specify an invalid certificate on the client install command line, no errors are returned. This is because certificate validation occurs after the client installs. When the client starts, certificates are validated with the management point and if a certificate fails validation the following message appears in scxcm.log, the Unix and Linux Configuration Manager client log file: Failed validate the certificate for Management Point. The default log file location is: /var/opt/microsoft/scxcm.log.

Note

You must specify this property when you install a client and use the -mp property to specify a management point that is configured to accept only HTTPS client connections.

Example: -UsePKICert <Full path and filename> -certpw <password>

-certpw <parameter>

Optional

Specifies the password associated with the PKCS#12 file that you specified by use of the -UsePKICert property.

Example: -UsePKICert <Full path and filename> -certpw <password>

-NoCRLCheck

Optional

Specifies that a client should not check the certificate revocation list (CRL) when it communicates over HTTPS by use of a PKI certificate. When this option is not specified, the client checks the CRL before establishing an HTTPS connection by use of PKI certificates. For more information about client CRL checking, see Planning for PKI Certificate Revocation.

Example: -UsePKICert <Full path and filename> -certpw <password> -NoCRLCheck

-rootkeypath <file location>

Optional

Specifies the full path and file name to the Configuration Manager trusted root key. The Configuration Manager trusted root key provides a mechanism that Linux and UNIX clients use to verify that they are connected to a site system that belongs to the correct hierarchy.

If you do not specify the trusted root key on the command line, the client will trust the first management point it communicates with and will automatically retrieve the trusted root key from that management point.

For more information, see Planning for the Trusted Root Key.

Example: -rootkeypath <Full path and filename>

-httpport

Optional

Specifies the port that is configured on management points that the client uses when communicating to management points over HTTP. If the port is not specified, the default value of 80 is used.

Example: -httpport 80

-httpsport

Optional

Specifies the port that is configured on management points that the client uses when communicating to management points over HTTPS. If the port is not specified, the default value of 443 is used.

Example: -UsePKICert <Full path and certificate name> -httpsport 443

-ignoreSHA256validation

Optional

Specifies that client installation skips SHA-256 validation. Use this option when installing the client on operating systems that did not release with a version of OpenSSL that supports SHA-256. For more information, see the About Linux and UNIX Operating Systems That do not Support SHA-256 section in the Planning for Client Deployment for Linux and UNIX Servers topic.

-signcertpath <file location>

Optional

Specifies the full path and .cer file name of the exported self-signed certificate on the site server. If PKI certificates are not available, the Configuration Manager site server automatically generates self-signed certificates.

These certificates are used to validate that the client policies downloaded from the management point were sent from the intended site. If a self-signed certificate is not specified during installation, or you need to change the certificate, use the certutil utility. See How to Manage Certificates on the Client for Linux and UNIX (https://technet.microsoft.com/en-us/library/jj573941.aspx#BKMK_ManageLinuxCerts) for information on certutil.

This certificate can be retrieved through the SMS certificate store and has the Subject name Site Server and the friendly name Site Server Signing Certificate.

If this option is not specified during installation, Linux and UNIX clients will trust the first management point they communicate with and will automatically retrieve the signing certificate from that management point.

Example: -signcertpath <Full path and file name>

-rootcerts

Optional

Specifies additional PKI certificates to import that are not part of a management point's certification authority (CA) hierarchy. If you specify multiple certificates in the command line, they should be comma delimited.

Use this option if you use PKI client certificates that do not chain to a root CA certificate that is trusted by your site's management points. Management points will reject the client if the client certificate does not chain to a trusted root certificate in the site’s certificate issuers list.

If you do not use this option, the Linux and UNIX client will verify the trust hierarchy using only the certificate in the -UsePKICert option.

Example: -rootcerts <Full path and file name>,<Full path and file name>
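The trust-related properties in this table can be checked before the install script is run. The following shell function is an added example, not part of the client download or of the original documentation; it reports when a planned command line leaves the client on HTTP, relies on the first management point for the trusted root key or signing certificate, or turns off CRL or SHA-256 validation. The function name and finding labels are illustrative.

```shell
#!/bin/sh
# Added example, not part of the client download: audit a planned ./install
# command line. Property names are matched exactly as the table spells them
# (whether the install script ignores case is not assumed).
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
lint_install_args() (
    mp='' site='' pki='' certpw='' rootkey='' signcert='' pkg='' n=0
    note() { printf '%s\n' "$1"; n=$((n + 1)); }

    while [ $# -gt 0 ]; do
        if [ -n "$pkg" ]; then
            note "ORDER: '$1' follows the .tar package, which must be last"
        fi
        case $1 in
            -mp|-sitecode|-fsp|-dir|-UsePKICert|-certpw|-rootkeypath|\
            -signcertpath|-rootcerts|-httpport|-httpsport)
                if [ $# -lt 2 ]; then
                    note "VALUE: $1 is missing its value"
                    break
                fi
                case $1 in
                    -mp)           mp=$2 ;;
                    -sitecode)     site=$2 ;;
                    -UsePKICert)   pki=$2 ;;
                    -certpw)       certpw=given ;;
                    -rootkeypath)  rootkey=$2 ;;
                    -signcertpath) signcert=$2 ;;
                esac
                shift ;;
            -NoCRLCheck)
                note "CRL: -NoCRLCheck turns off revocation checking" ;;
            -ignoreSHA256validation)
                note "SHA256: -ignoreSHA256validation skips SHA-256 validation" ;;
            -nostart|-clean|-keepdb|-h) ;;
            *.tar) pkg=$1 ;;
            *) note "UNKNOWN: '$1' is not a property in the table" ;;
        esac
        shift
    done

    if [ -z "$mp" ]; then
        note "REQUIRED: -mp <server FQDN> is missing"
    else
        case $mp in
            *.*) ;;
            *) note "FQDN: -mp '$mp' is not a fully qualified name" ;;
        esac
    fi
    if [ -z "$site" ]; then note "REQUIRED: -sitecode is missing"; fi
    if [ -z "$pkg" ]; then note "REQUIRED: no client installation .tar package"; fi
    if [ -z "$pki" ]; then
        note "HTTP: no -UsePKICert, so a self-signed certificate and HTTP are used"
    elif [ -z "$certpw" ]; then
        note "PKI: -UsePKICert needs -certpw"
    fi
    if [ -z "$rootkey" ]; then
        note "TOFU: no -rootkeypath, root key comes from the first management point"
    fi
    if [ -z "$signcert" ]; then
        note "TOFU: no -signcertpath, signing cert comes from the first management point"
    fi
    [ "$n" -eq 0 ]
)

# Constructed sample: the basic command line shown earlier in this topic.
lint_install_args -mp smsmp.contoso.com -sitecode S01 \
    'ccm-Universal-x64.<build>.tar' || true
```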

Upgrade the Client on Linux and UNIX Servers

You can upgrade the version of the client for Linux and UNIX on a computer to a newer client version without first uninstalling the current client. To do so, install the new client installation package on the computer while using the -keepdb command line property. When the client for Linux and UNIX installs, it overwrites existing client data with the new client files. However, the -keepdb command line property directs the install process to retain the client's unique identifier (GUID), local database of information, and certificate store. This information is then used by the new client installation.

For example, you have a RHEL5 x64 computer that runs the client from the original release of the Configuration Manager client for Linux and UNIX. To upgrade this client to the client version from cumulative update 1, you manually run the install script to install the applicable client package from cumulative update 1, with the addition of the -keepdb command line switch. The command line you use resembles the following: ./install -mp <hostname> -sitecode <code> -keepdb ccm-Universal-x64.<build>.tar

How to use a Software Deployment to Upgrade the Client on Linux and UNIX Servers

You can use a software deployment to upgrade the client for Linux and UNIX to a new client version. However, the Configuration Manager client cannot directly run the installation script to install the new client because the installation of a new client must first uninstall the current client. This would end the Configuration Manager client process that runs the installation script before the installation of the new client begins. To successfully use a software deployment to install the new client, you must schedule the installation to start at a future time and to be run by the operating system’s built-in scheduling capabilities.

To accomplish this, use a software deployment to first copy the files for the new client installation package to the client computer, and then deploy and run a script to schedule the client installation process. The script uses the operating system’s built-in at command to delay its start. Then, when the script runs, its operation is managed by the client operating system and not the Configuration Manager client on the computer. This allows the command line called by the script to first uninstall the Configuration Manager client and then install the new client, completing the process of upgrade of the client on the Linux or UNIX computer. After the upgrade completes, the upgraded client remains managed by Configuration Manager.

Use the following procedure to help you configure a software deployment to upgrade the client for Linux and UNIX. The following steps and examples upgrade a RHEL5 x64 computer that runs the initial release of the client to the cumulative update 1 client version.

To use a software deployment to upgrade the client on Linux and UNIX servers

  1. Copy the new client installation package file to the computer that runs the Configuration Manager client that you plan to upgrade.

    For example, you might place the client installation package and install script for cumulative update 1 in the following location on the client computer: /tmp/PATCH

  2. Create a script to manage the upgrade of the Configuration Manager client, and then place a copy of the script in the same folder on the client computer as the client installation files from step 1.

    The script does not require a specific name, but must contain command lines sufficient to use the client installation files from a local folder on the client computer, and to install the client installation package by using the -keepdb command line property. You use the -keepdb command line property to maintain the unique identifier of the current client for use by the new client you are installing.

    For example, you create a script named upgrade.sh that contains the following lines, and then copy it to the /tmp/PATCH folder on the client computer:

      #!/bin/sh
      /tmp/PATCH/install -sitecode <code> -mp <hostname> -keepdb /tmp/PATCH/ccm-Universal-x64.<build>.tar
    
  3. Use software deployment to have each client use the computer's built-in at command to run the upgrade.sh script with a short delay before the script runs.

    For example, use the following command line to run the script: at -f /tmp/PATCH/upgrade.sh -m now + 5 minutes

After the client successfully schedules the upgrade.sh script to run, the client submits a status message indicating the software deployment completed successfully. However, the actual client installation is then managed by the computer, after the delay. After the client upgrade completes, validate the install by reviewing the /var/opt/microsoft/scxcm.log file on the client computer. Additionally, you can confirm that the client is installed and communicating with the site by viewing details for the client in the Devices node of the Assets and Compliance workspace in the Configuration Manager console.
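The job that at queues runs outside the client with the credentials of the account that queued it, so the staged files should be checked before step 3 schedules them. The following is an added example, not part of the original procedure; verify_staging and schedule_upgrade are illustrative names, and the check assumes upgrade.sh is staged in the same folder as the install files, as in step 2.

```shell
#!/bin/sh
# Added example, not from the product documentation: check the staged upgrade
# files before handing upgrade.sh to at. Every staged path must be owned by
# the account that queues the job, writable by nobody else, and must not be
# a symbolic link.
# verify_staging DIR PACKAGE prints one finding per line; returns 0 when clean.
verify_staging() (
    dir=$1 pkg=$2 me=$(id -u) bad=0
    note() { printf '%s\n' "$1"; bad=1; }

    for p in "$dir" "$dir/install" "$dir/upgrade.sh" "$dir/$pkg"; do
        if [ -L "$p" ]; then
            note "SYMLINK $p"
            continue
        fi
        if [ ! -e "$p" ]; then
            note "MISSING $p"
            continue
        fi
        # find -prune tests the path itself without descending into it.
        if [ -z "$(find "$p" -prune -user "$me" -print)" ]; then
            note "OWNER $p is not owned by uid $me"
        fi
        if [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            note "WRITABLE $p is group- or world-writable"
        fi
    done
    [ "$bad" -eq 0 ]
)

# schedule_upgrade DIR PACKAGE: queue upgrade.sh only when staging is clean.
# The at arguments are the ones used in step 3.
schedule_upgrade() {
    verify_staging "$1" "$2" || return 1
    at -f "$1/upgrade.sh" -m now + 5 minutes
}

# Usage, with the folder from step 1 and the package placeholder from the page:
#   schedule_upgrade /tmp/PATCH 'ccm-Universal-x64.<build>.tar'
```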

Uninstalling the Client from Linux and UNIX Servers

To uninstall the Configuration Manager client for Linux and UNIX you use the uninstall utility, uninstall. By default, this file is located in the /opt/microsoft/configmgr/bin/ folder on the client computer. This uninstall command does not support any command line parameters and will remove all files related to the client software from the server.

To uninstall the client, use the following command line: /opt/microsoft/configmgr/bin/uninstall 

You do not have to reboot the computer after you uninstall the Configuration Manager client for Linux and UNIX.

Configure Request Ports for the Client for Linux and UNIX

Similar to Windows-based clients, the Configuration Manager client for Linux and UNIX uses HTTP and HTTPS to communicate with Configuration Manager site systems. The ports that the Configuration Manager client uses to communicate are referred to as request ports.

When you install the Configuration Manager client for Linux and UNIX, you can change the client's default request ports by specifying the -httpport and -httpsport installation properties. When you do not specify the installation property and a custom value, the client uses the default values. The default values are 80 for HTTP traffic and 443 for HTTPS traffic.

After you install the client, you cannot change its request port configuration. Instead, to change the port configuration you must reinstall the client and specify the new port configuration. When you reinstall the client to change the request port numbers, run the install command similar to the new client install, but use the additional command line property of -keepdb. This switch instructs the installation to retain the client database and files, including the client's GUID and certificate store.

For more information about client communication port numbers, see How to Configure Client Communication Port Numbers in Configuration Manager.

Configure the Client for Linux and UNIX to Locate Management Points

When you install the Configuration Manager client for Linux and UNIX, you must specify a management point to use as an initial point of contact.

The Configuration Manager client for Linux and UNIX contacts this management point at the time the client installs. If the client fails to contact the management point, the client software continues to retry until successful.

For more information about how clients locate management points, see the Locating Management Points section in the How to Assign Clients to a Site in Configuration Manager topic.