MAC OS X Certificates question in SCCM 2012 R2

Similar Messages

• Import certificate in to Firefox certificate store using SCCM 2012 R2

  Hello,
  I'm trying to figure out how to import a certificate in to the Firefox certificate store using SCCM 2012 R2 to push out to 8,000 computers. The only answer I have found was to import the certificate manually on my computer and copy the "cert8.db" file out of my "appdata\Roaming\Mozilla\Firefox\Profiles\******.default\" folder and use this file to copy to all profiles on each computer. I have not tried this since I believe this is not a standard practice. Is there a Firefox certificate scripting tool that I can use to accomplish this or a recommended way?
  Thanks,
  Matt

  Hi,
  It is listed here:http://technet.microsoft.com/en-us/library/gg712298.aspx
  There are a number of limitations to supporting workgroup computers:
  Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point.
  Global roaming is not supported, because clients cannot query Active Directory Domain Services for site information.
  Active Directory discovery methods cannot discover computers in workgroups.
  You cannot deploy software to users of workgroup computers.
  You cannot use the client push installation method to install the client on workgroup computers.
  Workgroup clients cannot use Kerberos for authentication and so might require manual approval.
  A workgroup client cannot be configured as a distribution point. System Center 2012 Configuration Manager requires that distribution point computers be members of a domain.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Using a custom certificate store for SCCM 2012 clients and primary site server

  I have read what seems to be all the pki related documentation out there for SCCM 2012. I have a PKI infrastructure up and running issueing certificates with an offline root through group policy autoenrollment. The problem that i'm faced with is we are migrating
  from SCCM 2007 that was in native mode and we chose not to use the CA that we used for the old SCCM environment. When the clients attempt to communicate with the M.P. it runs through all of the different certificates and adds a tremendous amount of overhead
  to the M.P. We will have ten's of thousands of clients by migration end. Could someone please point me to a document that goes over how to leverage a custom certificate store that I could then tell the new 2012 environment to use? I know that it's in there,
  I've seen it in the console. The setup is one primary site server with SQL on box and the pki I just mentioned as well as the old 2007 environment that is still live.
  I read that you can try and use SAN as a method of identifying the new certs but I haven't found a good document covering exactly how that works. Any info you could provide I would be very grateful for. Thanks.

  Jason, thank you for your reply. I'm getting the impression that you have never been in the situation where you had to deal with 2 different PKI environments. Let me state that I understand what your saying about trust. We have to configure the trusted root
  CA via GPO. That simply isn't enough, and I have a valid example to backup this claim. When the new clients got the advertisement and began the ccmsetup process I used the /pki switch among others. What the client end up doing was selecting a certificate that
  had the longest validity period which was issued by our old CA. It checked the authentication chain, found it to be valid and selected it for communication. At that point the installation failed, period, no caveats as you say. The reason the install failed
  because the new PKI infrastructure is integrated into the new environment, and the old is not. So when you said " that
  are trusted and they can use *any* cert that is trusted because at the end of the day, there is no
  difference between two valid certs that have the same purpose as long as they are trusted. "
  that is not correct. Both certs are trusted, and use the same certificate template, but only one certificate would allow the install to complete successfully.
  Once I started using the CCMCERTISSUERS
  switch the client install went swimmingly. The only reason I'm still debating this point is because someone might read this thread see your comments and assume "well I've got my new PKI configured as a trusted root CA, I should be all set" and their
  deployment will fail, just as my pilot did.
  About Intune I'm looking forward to doing a POC in the lab i built with my Note 3. I'm hoping it goes well as I really want to have our MDM migrated into ConfigMgr... I think the
  biggest obstacle outside of selling it to management will be the actual device migration from the current MDM solution. From what I understand of the enrollment process manual install and config is the only path forward.
  Thanks Jason for your post and discussion.

• No of questions in sccm 2012 70-243 exam and the time duration

  how many question in sccm 70-243 exam and time duration for the exam

  Hi,
  I can hardly remember but according to Daniel it was 3 hours and 60 questions.
  http://www.danielclasson.com/passed-the-70-243-administering-and-deploying-system-center-2012-configuration-manager-exam/
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• WildCard Certificate for IBCM - SCCM 2012

  Hi,
  I have a Primary Site at the DataCenter. There are 2 MP's installed there.
  One MP I would like to publish using ISA/TMG for Internet Based Client Management. Can I use a wild card certificate on ISA Server for the same? The MP would have Local Cert in IIS.
  Does SCCM 2012 support wild card certificate?

  My assumption was that you had purchased a wildcard cert and thus were purchasing your certs as you made no mention of an internal PKI.
  What happens at your ISA box is between the client OS and ISA and really has nothing to do with ConfigMgr. So, although I haven't tried it, it should work. If you have an internal PKI though, why aren't you just issuing a non-wildcard cert to the ISA?
  Jason | http://blog.configmgrftw.com

• App-V 5.0SP2 question with SCCM 2012 CU4 (functionality vs full support with R2)

  I understand that for App-V 5.0 SP2 and SCCM 2012 SP1 integration at least CU4 is required but R2 with CU1 for full functionality.
  I’ve attached an image from some session that someone else gave me. I have questions after looking at the slide since there are no details on what is not fully supported with CU4 pre R2.
  Since we have immediate plans to add CU4 to our SCCM 2012 SP1 environment can anyone please give us a break down of what functionality is not available in App-V 5.0 SP2 before we go all the way up to SCCM 2012 R2?
  On another note does anyone have any clue what TechED session that was from so I can see the replay?
  Thanks very much for any info on this.

  Hello,
  As per the slide - CU1 is required for full support with R2.
  See this article;
  http://support.microsoft.com/kb/2938441
  Application Virtualization
  This cumulative update adds support for Microsoft Application Virtualization (App-V) 5.0 Service Pack 2 (SP2). The following issues are seen only in App-V 5.0 SP2 environments earlier than CU1:
  With App-V 5.0 SP2, when a new version of an App-V package supersedes an earlier version, and when that earlier version is being used, the package is listed as not published. Errors that resemble the following are logged in the AppEnforce.log and the AppDiscovery.log
  files.
  AppEnforce.log
  Publish-AppvClientPackage : A publish operation has been scheduled, pending
  the shutdown of all applications in the package or the connection group.
  Publishing Package is successful but one one of the Virtual Package is currently in use. Close this Virtual Package to get the changes into effect
  Performing detection of app deployment type TestApp - Microsoft Application Virtualization 5(ScopeId_0C7279F0-1490-4A0E-A7A3-32A000CEF76D/DeploymentType_d1adf427-ac14-4ee1-9e51-415af7675383, revision 2) for system.
  AppDiscovery.log
  Required component [{AppVPackageRoot}]\TestApp.exe is not published
  With App-V 5.0 SP2, App-V packages that are being used cannot be uninstalled. Errors that resemble the following are logged in the AppEnforce.log file:
  CVEWorker::UninstallConnectionGroup() failed
  Nicke Källén | The Knack| Twitter:
  @Znackattack

• Questions Regarding SCCM 2012 Deployment

  I have been tasked with finding out if SCCM 2012 Config Manager is capable of the following task:
  1) Capturing a User Profile
  2) Backing up the profile
  3) Wiping the target drive
  4) Applying an OS image
  5) Restoring backed-up user profile
  Is this possible with SCCM 2012?
  Let me know, thanks!

  Hi,
  Yes it is possible, a refresh scenario.. here is a video example
  http://www.youtube.com/watch?v=2vkurbe90i4
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• Wifi profiles SCCM 2012 R2 and Windows Intune

  Hi All,
  A quick question regarding SCCM 2012 R2 and the new Wifi Profiles feature...
  Can anyone confirm if you need windows Intune combined with SCCM 2012 R2 to be able to deploy WIFI profiles to users devices i.e Windows 8.1, IOS and Android platforms?  Microsoft documentation is not clear on this subject.
  Any help would be much appreciated.
  Regards PowerShell90

  It not as straight forward as one would hope. I am running the latest version of SCCM 2012 R2 CU2 connected to my Windows Intune subscription. There are a lot of hickups. One is that the direct of management needs to be all or nothing. In other words you
  either need to use Windows Intune solely to manage your devices or SCCM 2012 R2 (via connector). If the later then you must do everything from in SCCM 2012 R2. You cannot hybrid manage your devices as this will screw things up.
  Android for some reason is left out on a lot of features. I would think that MS Devs would work hard on the market share that being Android, not iOS. Any way, accord to some official MS articles Android is supported, but others claim that not all features
  are, these being the important ones like Email and Wi-Fi Profiles. They simply do not work.
  I think MS is heading in the right direction but there is a lot of work that needs to be done before this is a competitive product. I could care less if connects to my SCCM 2012 R2 server or not. Here are few things that I sent o a MS Support Rep today that
  need to be address.
  1. Better response time when updating devices after enrollment (e.g. Name change).
  2. The ability to locked down uninstalling Windows Intune from device.<o:p></o:p>
  3. The ability to locked down certain features in the Windows Intune app on device (e.g. User can reset device with Windows Intune app, rename, etc...).<o:p></o:p>
  4. Ability to rename device in either Windows Intune Admin Portal and/or SCCM 2-12 R2.<o:p></o:p>

• SCCM 2012 R2 and SQL

  I have Two Questions
  Should SCCM 2012 and SQL be installed on the same server?
  Should SCCM 2012 be installed on the OS partition or have its own? C: Server 2012 and D:SCCM 2012
  What size should my partition be for OS and SCCM either way?
  I have a server running esxi.
  One option I have would be to install SCCM and SQL on one (VM server) with Server 2012 OS. Its will be 8 processors and 32 RAM.
  Option two will be to split into two VM's One running SCCM 2012 with 4 processors 16 Ram and another VM running SQL with 4 processors and 16 RAM
  My environment is small, 3,500 users
  Thanks

  For the SQL question, you will probably get as many answers as there are ConfigMgr admins.  I typically co-locate SQL on the site server.  As long as enough CPU, disk, and memory resources are allocated, this should be fine.  Consider limiting
  SQL's maximum memory use to a reasonable amount based on the environment.  Many times the answer to the question depends on the environment and how database administration is handled.
  I just found a good article here:
  http://myitforum.com/myitforumwp/2014/12/20/why-you-should-not-use-remote-sql-server-with-configmgr-2012/
  For the disk partition question, I always install ConfigMgr on a separate partition.  Keep in mind that a distribution point will be installed as well.  You don't want content for ConfigMgr filling up the OS partition.  Use the no_sms_on_drive.sms
  file to prevent DP content from being stored on your OS partition.
  I am sure others will have advice as well.  Hopefully that helps.
  Jeff

• SCCM 2012 Default self signed Cert expired...

  SCCM 2012 Default self signed Cert expired - how do I renew it?

  The default selfsigned cert that gets generated with the installation - can be found in administration - security - Certificates  (This is Sccm 2012 RTM)
  Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
  I will bring this back to Kent point, which one of the Certs are you talking about. You can see form the screenshot that I have 6 certs, 3 DP and 3 Boot cert. You can also see that the 3 DP server have a 100 year life and the 3 Boot certs only have 1 year.
  If you are talking about the boot certs then just create the boot image.
  Garth Jones | My blogs: Enhansoft and
  Old Blog site | Twitter:
  @GarthMJ

• Update for Root Certificates for Windows 7 [March 2014] (KB931125) - Expired on SCCM 2012 March 2014 SUG

  Hi all,
  The "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired on SCCM 2012 March 2014 SUG. Is this a problem and is there going to be any fix for this which we can expect in the future?

  I don't have a 931125 for March 2014; however, I do have a November 2013 for 931125 which is still valid. Per the KB (http://support.microsoft.com/kb/931125) the November 2013 is the current and valid versions.
  931125 is an unusual update as they simply update it with a new version instead of creating a new KB that supersedes it. Now, why they expired the March 2014 version is unknown but they probably found an issue with it shortly after it was released.
  As a rule, you should always ensure that the search you use or criteria in your ADR excludes expired updates.
  So, to answer the question, no this isn't an issue.
  Jason | http://blog.configmgrftw.com

• SCCM 2012 R2 Mac Management - Step-by-Step

  Hi,
  Can anyone please shed some lights on steps I have taken to manage Mac?
  Active Directory:
  Create 2 groups and named them as follow
  ConfigMgr_IIS_SERVERS_CERTIFICATE
  ConfigMgr_MAC_ENROLLMENT_USERS
  PKI:
  Duplicate following templates
  Web Server Authentication ==> Duplicate and Rename it to ConfigMgr_WEBSERVER_CERT
  ==>Allow Read and Enroll Permission to
  ConfigMgr_IIS_SERVERS_CERTIFICATE Group
  Authenticated Session ==> Duplicate and Rename it ConfigMgr_Mac_CERT
  Workstation Authentication ==> Duplicate and Rename it to ConfigMgr_DistributionPoint_CERT ==> Allow Read and Enroll Permission to
  ConfigMgr_IIS_SERVERS_CERTIFICATE Group ==> Click on Subject tab
  and change subject name format:” to Command name and uncheck “User principle name (UPN)” box
  SCCM 2012:
  Let's say for example there would be a dedicated server to support Mac Management and called it
  "SCCM MAC SERVER". Add following roles on this server
  Enrollment Point
  Enrollment Proxy Point
  Management Point (Client Connections: HTTPS, "Allow mobile devices and Mac computers to use this management point" option checked)
  Distribution Point (HTTPS, Allow intranet and internet connections)
  Add "SCCM MAC SERVER" to AD group "ConfigMgr_IIS_SERVERS_CERTIFICATE"
  Open SCCM Console on CAS -> Administrations -> Client Settings -> Default Settings --> Properties -> Enrollment. Make following changes
   Allow users to enroll mobiledevices and mac computers ->YES
  Click on Set Profile button to create new profile
  Give a name "ConfigMgr - Mobile and Mac Profile"
  Click on Add button, select Enterprise CA authority
  Select ConfigMgr_Mac_CERT and click OK to save the profile
  Assign desired users to AD group ConfigMgr_MAC_ENROLLMENT_USERS
  I will highly appreciate if anyone can give their feedback as if I missed any step in here or I am good to proceed with mac management.
  Thank you and Regards,
  Hunzai

  I think you are correct with 3, I have 4 but have one for Windows clients too.
  1 Web Server.
  1 Distribition Point
  1 Windows client
  1 Mac client.
  I have used this blog which I found helpful.
  http://sccmguy.com/2013/11/26/pki-certificates-for-configuration-manager-2012-r2-part-1-of-4-web-server-certificate/
  There are 4 parts with links, they are just an exact replica from Microsoft with the exact same wording but pictures too.
  http://technet.microsoft.com/en-us/library/gg682023.aspx
  Mac cert details here:
  http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_MacClient_SP1

• SCCM 2012 SP1 and SCEP for Mac

  Hello all,
  We have SCCM 2012 SP1 with SECP installed and working well for Windows clients.
  A request came to me that we have the roughly 10ct Mac computers protected by EndPoint and reporting through SCCM.
  Is this possible with what I have now? 
  Please let me know if you have any clues for me.
  Many thanks!

  Hi,
  There is no way to push the SCCM MAC Client to a MAC Computer, you have to install it manually, threre are scripts available on blogs that can assits but still you have to run those scripts manually as well.
  The System Center Endpoint Protection client for MAC is indeed a separate download on the volume licensing site, it is not managed through SCCM it is a standalone antivirus software which download it's defenition files directly from the internet. So there
  is now way to manage it centrally.
  I hope that answered your questions.
  Regards,
  Jörgen
  -- My System Center blog ccmexec.com -- Twitter
  @ccmexec

• SCCM 2012 Workgroup Machines - Do I need Certificates?

  Hi All,
  We have SCCM 2012 in our environment with 500 desktops and Servers in total. There are 50 servers in the same VLan as SCCM Server (Single Server).
  We don't have AD extended for specific reasons. We are using manual install and all domain machines are running fine. SCCM MP is set to accept connections on HTTP and HTTPS.
  Workgroup machines are not connected setup for SCCM at this point of time.
  Questions:
  1. Do I need to use Certificates for Workgroup Machines? Is this a must?
  2. If I don't use certificates, as the machines are not in the domain there will be no Kerberos authentication as well. Does SCCM Server require the client to authenticate first when registering? - like Kerberos or Cert Auth?
  Thanks in Advance.

  The answer is No, PKI is not required for managing Workgroup clients. What you do need it configure the Network Access Account, that account will be used by the workgroup clients when communicating with the infrastructure.
  Kent Agerlund | My blogs: blog.coretech.dk/kea and
  SCUG.dk/ | Twitter:
  @Agerlund | Linkedin: Kent Agerlund |
  Mastering ConfigMgr 2012 The Fundamentals

• SCCM 2012 SP1 - CMEnroll Mac OSX Password Prompt

  Hi,
  is there a way to automate the certificate enrollment on Mac OSX,
  im running cmenroll -s fqdn.of.server -ignorecertchainvalidation -u "[email protected]" but im asked for the password for this account.when i put it in, it gets the certificate as it should, but i would like to automcate this task rather than
  going to every Mac to install sccm.
  I tried specifying the password using -p but it doesnt recognize that as a command. does anyone know of a way around it, or another way of automating the certificate request that people know of?
  Thanks

  Thank you Panu
  For me the script worked using this syntax:
  Putting CMEnroll from the macclient.dmg Tools to /tmp
  Using " instead of ' for username
  Using \\ instead of \ to send a literal backslash
  Have the enter \n on a line by itself
  Check EnrollmentServer.log on the SCCM server
  #!/usr/bin/expect
  spawn /tmp/CMEnroll -s hostname -ignorecertchainvalidation -u "domain\\username"
  expect "Please enter your password."
  send "PASSWORD"
  send "\n"
  interact
  Successfully tested on SCCM 2012 SP1 CU2 with Mac OS X 10.8.3 CMClient 5.00.7804.1202