> 1) disable the GPO for auto enrollment certificate --- Not possible to do it

Try setting the enroll permissions for the cert only to a security group. That will stop all your machines from getting the cert with the auto-enroll GPO setting. The Mac devices should ideally be enrolled with the end user of the device, as their name will be put into the subject name of the cert.

Also, you have a separate site system for the MP/DP roles for the Mac clients? Set that to Internet only and put in an Internet FQDN that is different from the server name. Publish that in your internal DNS and the Macs will communicate with the site system by that name.

From: [email protected] [mailto:[email protected]] On Behalf Of Eswar Koneti
Sent: Tuesday, July 15, 2014 9:53 AM
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp

Tried setting the Mac MP as Internet facing, but clients are still able to talk to the Mac MP instead of the HTTP MP, and yes, it's by design: if clients have a PKI certificate, they always talk to the HTTPS MP first, irrespective of Internet or intranet.

Btw, I read an article from the TechNet blog and Adam refers to the same problem I have: http://blogs.msdn.com/b/ameltzer/archive/2013/06/17/quick-summary-on-how-management-point-selection-works-in-flexible-formerly-native-mode-in-configuration-manager-2012.aspx but he did not give any solution for what he explained in the article.

Regards,
Eswar Koneti
www.eskonr.com

--- Original Message ---
From: "Justin Chalfant" <[email protected]>
Sent: July 15, 2014 9:38 PM
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp

One potential workaround could be to set up the Mac management point as Internet facing only and MP/DP. Your current situation where clients prefer the HTTPS MP is by design.

Thanks,
Justin Chalfant
Premier Field Engineer – Configuration Manager
Public Sector Microsoft Services
Tel: (303) 846-2701
Email: [email protected]
If you have any feedback about my work, please let either myself or my manager Ron Hill know at [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Eswar Koneti
Sent: Monday, July 14, 2014 6:32 PM
To: [email protected]
Subject: [mssms] clients connecting to https mp

Running on CM12 R2 CU1. The hierarchy is running on HTTP with a couple of management points. Recently we had a requirement to manage Mac machines using CM12, and for this we set up an additional site system role with MP and other required roles running on HTTPS. Mac machines are able to communicate with the HTTPS MP and all running good.

After a couple of days, end users started complaining that they see nothing in Software Center: no apps, nothing. When I looked at one of the clients, it was assigned to the HTTPS MP instead of HTTP, and on further troubleshooting identified that the PKI team has enabled the GPO for 'Auto enrollment Certification' on all Windows clients for a different purpose. The PKI team declined to disable the GPO as it is required for other functions to work properly.

I have the below things to try, but:
1) disable the GPO for auto enrollment certificate --- Not possible to do it
2) convert the entire hierarchy to HTTPS from HTTP --- requires some testing and at this moment, not willing to go for it.
3) block port 443 (HTTPS) from Windows clients to the HTTPS MP --- not sure how this will work, requires testing.

Any other possible solutions?

Thanks,
Eswar Koneti
www.eskonr.com
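Added example, not from anyone in this thread: a PowerShell audit you can run on a Windows client to see whether auto-enrollment has delivered a client-authentication certificate (the condition that makes the ConfigMgr client prefer the HTTPS MP) and which MP the client is currently assigned to, so you can verify that scoping the template's Enroll permission to a security group has taken effect. It assumes an elevated PowerShell session on a Windows machine with the ConfigMgr client installed; the template OIDs and the SMS_Authority class are standard Microsoft identifiers.

```powershell
# Added example (not from the mailing-list thread): audit a Windows ConfigMgr
# client for auto-enrolled client-authentication certificates and report the
# management point it is currently assigned to. Run elevated on the client.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'       # EKU: Client Authentication
$TemplateOids  = '1.3.6.1.4.1.311.20.2',   # Certificate Template Name (v1 templates)
                 '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (v2+)

function Get-ClientAuthCertificate {
    # Machine certs the ConfigMgr client could select for HTTPS MP traffic:
    # Client Authentication EKU, private key present, currently time-valid.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $ClientAuthOid)
    } | ForEach-Object {
        # Decode the template extension so the output names the AD CS template
        # that issued the cert; this is the template whose Enroll ACL you scope.
        $tmpl = $_.Extensions |
                Where-Object { $TemplateOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Template   = ($tmpl -join '; ')
        }
    }
}

function Get-CurrentManagementPoint {
    # SMS_Authority in root\ccm exposes the MP the client is assigned to.
    try {
        (Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority `
            -ErrorAction Stop).CurrentManagementPoint
    } catch { 'ConfigMgr client not installed or WMI unavailable' }
}

$certs = @(Get-ClientAuthCertificate)
"Current MP: $(Get-CurrentManagementPoint)"
if ($certs.Count -eq 0) {
    'No client-authentication certificate found; client will select an HTTP MP.'
} else {
    'Client-authentication certificate(s) present; client will prefer the HTTPS MP:'
    $certs | Format-Table -AutoSize
}
```

Run it on a machine inside the scoped security group and on one outside it: only the former should list the template, and after the next MP refresh only the former should report the HTTPS MP.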

