Managing Mac OS X with System Center 2012 Configuration Manager

I am going to detail some of the scenarios on managing Mac Computers with System Center 2012 R2 Configuration Manager. 

Key links to get started:

The following Mac versions are supported in this release:
  • Mac OS X 10.6 (Snow Leopard)
  • Mac OS X 10.7 (Lion)
  • Mac OS X 10.8 (Mountain Lion)
  • Mac OS X 10.9 (Mavericks)
  • Mac OS X 10.10 (Yosemite)
  • Mac OS X 10.11 (El Capitan)

 

How to Install Clients on Mac Computers in Configuration Manager - https://technet.microsoft.com/en-us/library/jj591553.aspx which includes the following steps:

Steps to install and configure Site Server Roles to support Mac Clients

  • Management point
  • Distribution point
  • Enrollment point
  • Enrollment proxy point

Steps to install Client on Mac Computers

  • Installing the client
  • Enrolling the client
  • Upgrading the client
  • Uninstalling the client

Here is a screen shot of the Mac Client:

 

The Mac Client can be configured using Client Agents Settings: Enrollment (Default Client Settings), Computer Policy, Compliance Settings and Hardware Inventory.

Here are some of the features that Configuration Manager supports on Mac computers with screen shots:

Discovery – Discovers Mac OS X systems in Active Directory and through network discovery.

Hardware Inventory – Provides hardware inventory and auditing of computers running Mac OS X, including a list of installed software similar to Add/Remove Programs for Windows systems.

 

Settings Management – Ensures computers running Mac OS X comply with company policies using scripts and preference list management.

The following example, with screen shots, detects whether a security update is applied. Create the necessary Compliance Items, add them to a Baseline, then deploy the Baseline to one or more Mac Collections.

The image below is a screen shot of the Configuration Item Setting that detects whether Security Update 2013-001 (Lion) is installed. You can get the Application ID from the Package, or get the Application ID and Key from the installation XML file using the pkgutil command.

Configuration Item Rule to report if Security Update 2013-001 (Lion) is NOT installed and create a Noncompliance Severity Warning for Reporting.

I also created Compliance Settings to detect if System Center 2012 Endpoint Protection for Mac is installed and another to detect if it is running.  You can create Compliance for just about anything using a Shell Script and/or Preference List.

Application Deployment – Distributes required software via app model.

To create an application, you have to run the CMAppUtil on a Mac Computer to create the .cmmac file.  In my example, I created an Application package for System Center 2012 Endpoint Protection.  Once the package is created, you can import it using Application Model in Configuration Manager Console.

Configuration Manager does not support the deployment of Mac applications to users; these deployments must be to a device.  For more information on deploying Software to Mac Computers, please visit How to Create and Deploy Applications for Mac Computers in Configuration Manager - https://technet.microsoft.com/en-us/library/jj687950.aspx

You can create a Device Collection based on Operating System by using the following: Mac OS X%, Mac OS X 10.7%,  or ClientEdition = 5 in your query.

Here is a picture of what the Mac User will see when deploying software:

 

Software Updates Management – Distributes patches utilizing Software Distribution and Settings management features.

There are a couple of ways to accomplish this.  One is to create the software update packages using CMAppUtil, import them into the Configuration Manager Application Model and then use Compliance Settings to detect if they are installed and remediate if desired.

Another option is to use the built-in command softwareupdate on Mac Computers.

NOTE: I have not finished testing this, but this is what I am targeting...

You can use a Discovery Shell Script to run softwareupdate -l | grep 'update'. (Update: the script is taking too long and timing out; set the script to run on a set schedule and not during the client connect.)

Then use a Remediation Shell Script to run softwareupdate -i -a (or other appropriate switches).

Finally, set the Compliance Rule to look for The value returned by the specified script: Contains "No new software available"
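
A discovery script for the compliance rule above, as an added example that is not the author's script: the rule matches on exact text, so the script has to pass that line through on stdout and must not report a failed or empty run as compliant. The function name classify_updates and the sample outputs are constructed for illustration, and it assumes the "No new software available." line may be written to stderr, hence 2>&1.

```sh
#!/bin/sh
# Added example (not the author's script). classify_updates is a hypothetical name.

# Turn captured `softwareupdate -l` text into one stable line for the rule.
classify_updates() {
    output=$1
    case $output in
        *"No new software available"*)
            echo "No new software available"
            return 0 ;;
    esac
    # Pending updates are listed on lines that start with "* " after indentation.
    count=$(printf '%s\n' "$output" | grep -c '^[[:space:]]*\* ' || true)
    if [ "$count" -gt 0 ]; then
        echo "Updates pending: $count"
    else
        # Empty or unexpected text (for example a timeout) must not read as compliant.
        echo "Unknown softwareupdate output"
    fi
}

# Constructed sample outputs, used to check the parser offline.
SAMPLE_CLEAN='Software Update Tool
Copyright 2002-2012 Apple Inc.

Finding available software
No new software available.'

SAMPLE_PENDING='Software Update Tool
Copyright 2002-2012 Apple Inc.

Finding available software
Software Update found the following new or updated software:
   * ExampleUpdateA-1.0
	Example Update A (1.0), 1024K [recommended]
   * ExampleUpdateB-2.0
	Example Update B (2.0), 2048K [recommended] [restart]'

# On a Mac, capture stdout and stderr together (assumption: the
# "No new software available." line may be written to stderr).
if command -v softwareupdate >/dev/null 2>&1; then
    classify_updates "$(softwareupdate -l 2>&1)"
fi
```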

 

 

Reporting - You can report and monitor all the features listed above using standard reports and built-in monitoring tools in Configuration Manager Console.

 

Internet-Based Client Management - Internet-based client management allows you to manage Mac clients when they are not connected to your company network but have a standard Internet connection.

 

Log Files - The Configuration Manager client for Mac computers records information in the following log files:

  • CCMClient-<date_time>.log – Records activities that are related to the Mac client operations, which includes application management, inventory, and error logging. This log file is located in the folder /Library/Application Support/Microsoft/CCM/Logs on the Mac computer.
  • CCMAgent-<date_time>.log – Records information that is related to client operations, which includes user logon and logoff operations and Mac computer activity. This log file is located in the folder ~/Library/Logs on the Mac computer.
  • CCMNotifications-<date_time>.log – Records activities that are related to Configuration Manager notifications displayed on the Mac computer. This log file is located in the folder ~/Library/Logs on the Mac computer.

 Additionally, the log file SMS_DM.log on the site system server records communication between Mac computers and the management point that is enabled for mobile devices and Mac computers.