Hi Jeff,

Correct, we have created a Mac certificate and provided access to a security group (list of users) who will have rights to enroll the Mac computers after the Configuration Manager client is installed on the Mac: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012. This certificate will not be used by domain computers as there are no permissions set. But the issue here is with the Workstation Authentication certificate template, which is configured for domain computers with permissions of Read and Autoenroll. More via http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012. This template is configured by using GPO. If the clients have this certificate, they will always try to connect to the HTTPS MP on the first attempt and this cannot be restricted for now.
Thanks,
Eswar Koneti
www.eskonr.com

From: [email protected]
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp
Date: Tue, 15 Jul 2014 17:21:43 +0000

No, not a security group on the GPO; assign permissions on the certificate template itself. You should have a template configured specifically for the Mac clients. In the security properties of the template, set who you want to be able to enroll to get the Mac client cert like so:

If you have all of your machines enrolling for an SCCM client cert then you must have Autoenroll checked on Authenticated Users, or Domain Computers, etc. The GPO setting for auto enroll is either on or off; it's the security permissions on the certificate template that determine who is allowed to get the cert. The Mac clients effectively operate in internet mode only, so the name you have configured for the Internet FQDN is the name by which the Mac clients will attempt to talk to the server (just talking about IP resolution here, not publishing the MP to DNS). When you enroll the client on a Mac, that name is what you'll have to specify. The Windows clients will not attempt to talk to that name when they are in the network as they'll recognize that they're on the intranet and will go to their assigned MP.

From: [email protected] [mailto:[email protected]] On Behalf Of Eswar Koneti
Sent: Tuesday, July 15, 2014 12:03 PM
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp

Cannot restrict the autoenroll to a particular security group as the Windows clients require the autoenroll certificate for other functions to work. Mac clients are working as expected but the issue is with Windows clients. What do you mean by an FQDN that is different than the server name? Publishing the Mac MP in DNS will give the Windows clients the advantage of retrieving the Mac MP info and being assigned to it.
Regards,
Eswar Koneti
www.eskonr.com

--- Original Message ---
From: "Krueger, Jeff" <[email protected]>
Sent: July 15, 2014 10:21 PM
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp

"1) disable the GPO for auto enrollment certificate --- Not possible to do it"

Try setting the enroll permissions for the cert only to a security group. That will stop all your machines from getting the cert with the auto enroll GPO setting. The Mac devices should ideally be enrolled with the end user of the device, as their name will be put into the subject name of the cert. Also, do you have a separate site system for the MP/DP roles for the Mac clients? Set that to internet only and put in an Internet FQDN that is different than the server name. Publish that in your internal DNS and the Macs will communicate with the site system by that name.

From: [email protected] [mailto:[email protected]] On Behalf Of Eswar Koneti
Sent: Tuesday, July 15, 2014 9:53 AM
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp

Tried setting the Mac MP as Internet facing but still clients are able to talk to the Mac MP instead of the HTTP MP, and yes, it's by design: if clients have a PKI certificate, they always talk to the HTTPS MP first irrespective of internet or intranet. BTW, I read an article from the TechNet blog and Adam refers to the same problem that I have, http://blogs.msdn.com/b/ameltzer/archive/2013/06/17/quick-summary-on-how-management-point-selection-works-in-flexible-formerly-native-mode-in-configuration-manager-2012.aspx, but he did not give any solution for what he explained in the article.

Regards,
Eswar Koneti
www.eskonr.com

--- Original Message ---
From: "Justin Chalfant" <[email protected]>
Sent: July 15, 2014 9:38 PM
To: [email protected]
Subject: RE: [mssms] clients connecting to https mp

One potential workaround could be to set up the Mac management point as internet facing only and MP/DP. Your current situation where clients prefer the HTTPS MP is by design.
Thanks,
Justin Chalfant
Premier Field Engineer - Configuration Manager
Public Sector
Microsoft Services
Tel: (303) 846-2701
Email: [email protected]
If you have any feedback about my work, please let either myself or my manager Ron Hill know at [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Eswar Koneti
Sent: Monday, July 14, 2014 6:32 PM
To: [email protected]
Subject: [mssms] clients connecting to https mp

Running on CM12 R2 CU1. The hierarchy is running on HTTP with a couple of management points. Recently we had a requirement to manage Mac machines using CM12 and for this, we set up an additional site system role with an MP and other required roles running on HTTPS. Mac machines are able to communicate with the HTTPS MP and all is running well. After a couple of days, end users started complaining that they see nothing in Software Center, no apps, nothing. When I looked at one of the clients, it was assigned to the HTTPS MP instead of HTTP, and on further troubleshooting, identified that the PKI team has enabled the GPO for 'Auto enrollment Certification' on all Windows clients for a different purpose. The PKI team refused to disable the GPO as it is required for other functions to work properly. I have the below things to try but:

1) disable the GPO for auto enrollment certificate --- Not possible to do it
2) convert the entire hierarchy to HTTPS from HTTP --- requires some testing and at this moment, not willing to go for it.
3) block port 443 (HTTPS) from Windows clients to the HTTPS MP --- not sure how this will work, requires testing

Any other possible solutions?

Thanks,
Eswar Koneti
www.eskonr.com

CONFIDENTIALITY NOTICE: This email contains information from the sender that may be CONFIDENTIAL, LEGALLY PRIVILEGED, PROPRIETARY or otherwise protected from disclosure. This email is intended for use only by the person or entity to whom it is addressed.
If you are not the intended recipient, any use, disclosure, copying, distribution, printing, or any action taken in reliance on the contents of this email, is strictly prohibited. If you received this email in error, please contact the sending party by reply email, delete the email from your computer system and shred any paper copies. Note to Patients: There are a number of risks you should consider before using e-mail to communicate with us. See our Privacy & Security page on www.henryford.com for more detailed information as well as information concerning MyChart, our new patient portal. If you do not believe that our policy gives you the privacy and security protection you need, do not send e-mail or Internet communications to us.
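Two checks make the thread's disagreement concrete: Jeff's point that the autoenrollment GPO is only an on/off switch and the template's ACL decides who actually receives a certificate, and Eswar's symptom that a Windows client holding a client-authentication certificate picks the HTTPS MP first. The PowerShell below is an added example written for this page; it is not code from any of the posters or from Microsoft. It assumes the ActiveDirectory module is installed (for the AD: drive), the running account can read the Configuration partition, and the ConfigMgr client is installed locally (WMI namespace root\ccm). The template CN 'Workstation' is a placeholder for whatever template your PKI team uses; the two extended-right GUIDs are the well-known Enroll and AutoEnroll rights on certificate template objects.

```powershell
# Added example, not code from the thread's participants or from Microsoft.
# Assumptions: ActiveDirectory module present, read access to the Configuration
# partition, ConfigMgr client installed (root\ccm). 'Workstation' is a placeholder CN.

Import-Module ActiveDirectory

# Well-known extended-right GUIDs on certificate template objects.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-CertTemplateEnrollmentRights {
    # Lists every principal the template ACL allows to Enroll or AutoEnroll.
    # This, not the GPO, is what decides which computers get the certificate.
    param([Parameter(Mandatory)][string]$TemplateName)   # template CN, e.g. 'Workstation'

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $rights = @()
        # Full control implies both rights; report it so it is not overlooked.
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $rights += 'Enroll (GenericAll)', 'AutoEnroll (GenericAll)'
        }
        elseif ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # An empty ObjectType means the ACE grants all extended rights on the object.
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollGuid)     { $rights += 'Enroll' }
            if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoEnrollGuid) { $rights += 'AutoEnroll' }
        }

        foreach ($r in $rights) {
            [pscustomobject]@{
                Template = $TemplateName
                Identity = $ace.IdentityReference.Value
                Right    = $r
            }
        }
    }
}

function Get-CcmClientCertState {
    # On a Windows ConfigMgr client: which MP it currently uses, and which machine
    # certificates with the Client Authentication EKU it holds (with the issuing template).
    # A client that holds such a certificate will try an HTTPS MP before an HTTP one.
    $clientAuthEku = '1.3.6.1.5.5.7.3.2'
    $templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2 template info, v1 template name

    $authority = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority -ErrorAction SilentlyContinue
    $currentMp = if ($authority) { $authority.CurrentManagementPoint } else { $null }

    $certs = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey) { continue }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
        if (-not $eku) { continue }
        if (-not ($eku.EnhancedKeyUsages.Value -contains $clientAuthEku)) { continue }

        $tmplExt = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        [pscustomobject]@{
            Subject    = $cert.Subject
            Template   = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }

    [pscustomobject]@{
        CurrentManagementPoint = $currentMp
        ClientAuthCertificates = @($certs)
    }
}

# Usage: audit the template ACL from an admin workstation, then inspect an affected client.
Get-CertTemplateEnrollmentRights -TemplateName 'Workstation' | Format-Table -AutoSize
Get-CcmClientCertState | Select-Object -ExpandProperty ClientAuthCertificates | Format-Table -AutoSize
```

If the first command shows Domain Computers (or Authenticated Users) with AutoEnroll on the template, every domain-joined Windows client will keep receiving the certificate regardless of how the GPO is scoped, which is exactly the situation in the thread; the second command confirms on a given client that the certificate is present and which MP the client settled on.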

