Mac Os X Client Management Software

Once you upgrade to the next version of Configuration Manager, you’ll notice that you now have two options for managing Mac OS X devices – client management and MDM. The client management features remain unchanged from prior versions of Configuration.

Dec 31, 2019: Sure, there are many Mac management solutions to choose from. But most lack the functionality for full lifecycle management, connection and state-of-the-art security. And Windows management solutions for Mac management only offer a limited feature set to manage Mac.

Remote control of your Macintosh allows you to access a remote (host) computer across a network or the Internet from a local (client) system. The screen of the shared host computer appears locally, and you use your mouse and keyboard to control the other system from afar. Historically there have been fewer options to accomplish this for Macs than PCs, but the situation has been improving steadily.

Part 1 of this series covers general considerations and Apple-supported methods available for remote system control that will generally work on any version of Mac OS X (Jaguar, Panther, Tiger, and Leopard). Part 2 addresses some commercial solutions that also support multiple OS versions, along with how to force-reboot a remote Mac. Part 3 looks at new options provided by Mac OS X 10.5 Leopard.

General Considerations

Remote control capabilities vary by method used and include remote desktop control (screen sharing), file transfers, and system management (patches and updates). With any remote desktop method, access to the remote system is slower than when you are sitting in front of that computer. The method used, network bandwidth available, and types of traffic will determine the “sluggishness” factor.

Minimizing the amount of data you need to transmit for screen sharing will make the process run more quickly. Closing unnecessary windows on the remote system and using a flat single-color desktop (instead of a complicated picture or pattern) will speed up response. Patience is a must, but remember it’s usually faster than traveling there!

Needs and realities often dictate your options. Some remote control methods work across different versions of the Mac OS (or cross-platform), while others require the same OS version on local and remote machines. Some methods require you to know the IP address of the remote system to connect and may require special firewall configurations, while others will work without any special settings or knowledge – usually!

It’s often helpful to use two remote control methods simultaneously (if possible), especially if you’re running a server or access is otherwise critical. Programs crash, network and Internet conditions vary, and you may find yourself locked out at a critical time. Sometimes method B works when method A doesn’t; then you can fix method A or reboot the machine from afar.

Apple Remote Desktop (ARD)

Apple’s native remote control solution is Apple Remote Desktop (ARD). ARD server software has been built into Mac OS X since 10.3 Panther and was available as an optional install for earlier versions of OS X. ARD provides the full gamut of remote system control: scalable screen sharing, file transfers to and from the remote systems, and remote software updating of individual machines and whole networks at a time. On a LAN, network admins with multiple Macs to manage will find this tool indispensable.

To enable an ARD host (server) in Panther and Tiger, go to System Preferences –> Sharing and turn on Apple Remote Desktop, then click Access Privileges and enable all desired services for one or more users. In Leopard you also enable ARD via System Preferences –> Sharing, but control capabilities have been split into separate Screen Sharing and Remote Management sections; click Options for choosing Remote Management services. ARD access from afar is via your host Mac’s account password.

To control an ARD-shared host computer, you need to use the Apple Remote Desktop administrator software. Apple sells two versions, a 10-client version for $299 or an unlimited client version for $499. The client limit dictates how many remote systems you can manage simultaneously; most home users and small businesses will be fine with the 10-client version. Bonjour support is available to find systems on your local network, or you can add them by IP address.

Across the Internet you must know the IP address of the remote computer or network gateway to establish a connection; this requires either a static IP address on the remote end or the use of a dynamic DNS locator service (like DynDNS) to find your remote system in times of need. ARD requires forwarding TCP and UDP ports 3283 through firewalls. Traffic can be routed across VPNs if one is available.

ARD is a powerful tool, but power comes at a price. Fortunately for home and small business users there are other options.

Virtual Network Computing (VNC)

VNC is an open source software effort to provide cross-platform remote screen sharing capabilities. Long an option for Windows, VNC support was spotty on Mac OS 9 but is solid on Mac OS X. It has become my primary method of controlling remote Macs and PCs from other Macs (and PCs) when static IP addresses are available.

The remote Mac needs to run a VNC server; starting with Mac OS X 10.4 Tiger the built-in ARD software has included the option to use VNC for screen sharing. Go back to System Preferences –> Sharing –> Apple Remote Desktop (Tiger) or Screen Sharing (Leopard) and click the Access Privileges or Options button (as applicable). Enable Share Screen with VNC clients and use a strong password.

On pre-Tiger Macs or as an alternate option for all Macs, the free Vine VNC Server (for OS X and OS 9) and its older precursor, OSXvnc, offer excellent VNC server packages with more options than Apple’s built-in server. In my experience the Vine and OSXvnc packages are more stable and resilient than Apple’s built-in server – I’ve had onboard VNC stop working many times and require a reboot to fix, while the standalone server rarely fails. I use Vine VNC Server on many of the business systems I support.

A VNC client viewer application is required to view your remote Mac on your local system. Apple did not provide a VNC viewer in Mac OS X until 10.5 Leopard (see Part 3 of this series), but the open source market came to the rescue earlier. Chicken of the VNC is a good free VNC viewer with a silly name, and it runs on Mac OS X 10.3 Panther through 10.5 Leopard.

For a step up, $30 will get you the Vine VNC Viewer; this software is faster and more stable than Chicken of the VNC, and it offers screen size scaling (invaluable when controlling a big screen from a small laptop) and clipboard sharing. Mac OS X Tiger or Leopard is required.

Both Vine and Chicken of the VNC will find local network systems using Bonjour. Across the Internet you will need to know the IP address of the remote computer or use a dynamic DNS locator service. VNC uses TCP port 5900 for control and, as with ARD, requires port forwarding through firewalls and routers. VNC works fine across VPNs.
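To check what a Mac actually exposes on the ARD and VNC ports named above before forwarding them, this added example (not part of the original article) classifies listeners in macOS `netstat -an` output by the address they are bound to. The sample lines and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: classify ARD/VNC listeners from macOS `netstat -an` output.
# Ports come from the article: 3283 (ARD, TCP and UDP) and 5900 (VNC, TCP).

# Reads netstat lines on stdin; prints "proto port service scope" per match.
# scope is "all-interfaces" (*), "loopback", or the specific bound address.
remote_mgmt_listeners() {
    awk '
    $1 ~ /^(tcp|udp)/ {
        proto = substr($1, 1, 3)
        # TCP rows must be in LISTEN state; UDP rows have no state column.
        if (proto == "tcp" && $NF != "LISTEN") next
        laddr = $4                      # macOS prints address.port
        n = split(laddr, parts, ".")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (port == "3283") svc = "ARD"
        else if (port == "5900" && proto == "tcp") svc = "VNC"
        else next
        if (addr == "*") scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        else scope = addr
        print proto, port, svc, scope
    }' | sort -u
}

# Constructed sample of `netstat -an` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.5900                 *.*                    LISTEN
tcp6       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.20.5900      203.0.113.7.51544      ESTABLISHED
tcp4       0      0  *.3283                 *.*                    LISTEN
udp4       0      0  *.3283                 *.*
udp4       0      0  *.5353                 *.*
EOF
}

# "--live" inspects this machine; otherwise the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    netstat -an | remote_mgmt_listeners
else
    sample_netstat | remote_mgmt_listeners
fi
```

A scope of `all-interfaces` means the service answers on every network the Mac joins, so the router's port forward or a VPN is the only remaining control.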

VNC provides screen sharing capabilities without file transfers. To work around this limitation you can use a network and/or Internet-accessible resource that both systems can reach: an FTP server, a shared Mac disk using AFP (AppleShare), a shared Windows volume using SMB, or a webserver with upload/download capability. Post the software or document from one system and grab it from the other via your shared disk or server.

Continued in Software to Remotely Control and Reboot Your Mac.

Methods of Mac Remote Control

  • Part 1: Remotely Control Your OS 9 or OS X Mac

This article was originally published on Adam’s Oakbog website. It has been adapted and reprinted here with his permission.

Applies to: Configuration Manager (current branch)

This article describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn about what you have to configure before deploying clients to Mac computers, see Prepare to deploy client software to Macs.

When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console.

In these procedures, you have two options for installing client certificates. Read more about client certificates for Macs in Prepare to deploy client software to Macs.

  • Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll the Mac computer before the installed certificate expires.

  • Use a certificate request and installation method that is independent from Configuration Manager.

Important

To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point certificate. For example, use the FQDN of the management point server.

Configure client settings

Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings. To request and install the certificate, the Configuration Manager client for Mac requires the default client settings.

  1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings node, and then select Default Client Settings.

  2. On the Home tab of the ribbon, in the Properties group, choose Properties.

  3. Select the Enrollment section, and then configure the following settings:

    1. Allow users to enroll mobile devices and Mac computers: Yes

    2. Enrollment profile: Choose Set Profile.

  4. In the Mobile Device Enrollment Profile dialog box, choose Create.

  5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile. Then configure the Management site code. Select the Configuration Manager primary site that contains the management points for these Mac computers.

    Note

    If you can't select the site, make sure that you configure at least one management point in the site to support mobile devices.

  6. Choose Add.

  7. In the Add Certification Authority for Mobile Devices window, select the certification authority server that issues certificates to Mac computers.

  8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you previously created.

  9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

    Tip

    If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.

In addition to the enrollment client settings, make sure that you have configured the following client device settings:

  • Hardware inventory: Enable and configure this feature if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to extend hardware inventory.

  • Compliance settings: Enable and configure this feature if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Plan for and configure compliance settings.

For more information, see How to configure client settings.

Download the client for macOS

  1. Download the macOS client file package, Microsoft Endpoint Configuration Manager - macOS Client (64-bit). Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration Manager installation media.

  2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder on the local disk. The default path is C:\Program Files\Microsoft\System Center Configuration Manager for Mac client.

  3. Copy the Macclient.dmg file to a folder on the Mac computer.

  4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.

  5. In the folder, make sure that it contains the following files:

    • Ccmsetup: Installs the Configuration Manager client on your Mac computers using CMClient.pkg

    • CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers

    • CMUninstall: Uninstalls the client from your Mac computers

    • CMAppUtil: Converts Apple application packages into a format that you can deploy as a Configuration Manager application

    • CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client

Enroll the Mac client

Enroll individual clients with the Mac computer enrollment wizard.

To automate enrollment for many clients, use the CMEnroll tool.

Enroll the client with the Mac computer enrollment wizard

  1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select Enroll from the Configuration Manager preference page.

  2. On the second page of the wizard, provide the following information:

    • User name: The user name can be in the following formats:

      • domain\name. For example: contoso\mnorth

      • user@domain. For example: mnorth@contoso.com

        Important

        When you use an email address to populate the User name field, Configuration Manager automatically populates the Server name field. It uses the default name of the enrollment proxy point server and the domain name of the email address. If these names don't match the name of the enrollment proxy point server, fix the Server name during enrollment.

        The user name and corresponding password must match an Active Directory user account that has Read and Enroll permissions on the Mac client certificate template.

    • Server name: The name of the enrollment proxy point server.

Client and certificate automation with CMEnroll

Use this procedure for automation of client installation and requesting and enrollment of client certificates with the CMEnroll tool. To run the tool, you must have an Active Directory user account.

  1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.

  2. Enter the following command: sudo ./ccmsetup

  3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, don't restart, and continue to the next step.

  4. From the Tools folder on the Mac computer, type the following command: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

    After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. For more information, see Enroll the client by using the Mac computer enrollment wizard.

    Example: If the enrollment proxy point server is named server02.contoso.com, and you grant contoso\mnorth permissions for the Mac client certificate template, type the following command: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contoso\mnorth'

    Note

    If the user name includes any of the following characters, enrollment fails: <>'+=,. Use an out-of-band certificate with a user name that doesn't include these characters.

    For a more seamless user experience, script the installation steps. Then users only have to supply their user name and password.

  5. Type the password for the Active Directory user account. When you enter this command, it prompts for two passwords. The first password is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.

  6. Wait until you see the Successfully enrolled message.

  7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

    1. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

    2. In the Keychain Access window, in the Keychains section, choose System. Then in the Category section, choose Keys.

    3. Expand the keys to view the client certificates. Find the certificate with a private key that you installed, and open the key.

    4. On the Access Control tab, choose Confirm before allowing access.

    5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

    6. Choose Save Changes and close the Keychain Access dialog box.

  8. Restart the Mac computer.

To verify that the client installation is successful, open the Configuration Manager item in System Preferences on the Mac computer. Also update and view the All Systems collection in the Configuration Manager console. Confirm that the Mac computer appears in this collection as a managed client.
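The procedure suggests scripting the installation steps. The following added example (not Microsoft's script) runs steps 2 to 5 and rejects user names containing the characters that make enrollment fail. `CLIENT_DIR`, `DRY_RUN` and the function names are assumptions of this sketch, and the trailing period in the character list is treated as sentence punctuation because the user@domain format contains dots.

```shell
#!/bin/sh
# Added example: scripted ccmsetup + CMEnroll run with a user-name pre-check.
# CLIENT_DIR (where Macclient.dmg was extracted) and DRY_RUN are assumptions
# of this sketch, not options of the Configuration Manager tools.
CLIENT_DIR=${CLIENT_DIR:-"$HOME/MacClient"}
FORBIDDEN="<>'+=,"   # characters the note above says make enrollment fail

# Succeeds only for a non-empty name with none of the forbidden characters.
valid_enroll_user() {
    [ -n "$1" ] || return 1
    stripped=$(printf '%s' "$1" | tr -d "$FORBIDDEN")
    [ "$stripped" = "$1" ]
}

# Run a command inside a directory, or just print it when DRY_RUN is set.
run_in() {
    dir=$1; shift
    if [ -n "${DRY_RUN:-}" ]; then
        printf '(in %s) %s\n' "$dir" "$*"
    else
        ( cd "$dir" && "$@" )
    fi
}

# $1 = enrollment proxy point server name, $2 = Active Directory user name
enroll_mac() {
    if ! valid_enroll_user "$2"; then
        echo "user name is empty or contains one of: $FORBIDDEN" >&2
        return 2
    fi
    case $1 in
        ''|*[!A-Za-z0-9.-]*) echo "server name is not a host name" >&2; return 2 ;;
    esac
    run_in "$CLIENT_DIR" sudo ./ccmsetup || return 1
    # Do not restart here, even though the installer asks for it (step 3).
    # Refresh the sudo timestamp so that, with sudo's default credential
    # caching, the only password CMEnroll asks for is the Active Directory
    # one (step 5 warns that the two prompts look identical).
    [ -n "${DRY_RUN:-}" ] || sudo -v || return 1
    run_in "$CLIENT_DIR/Tools" sudo ./CMEnroll -s "$1" \
        -ignorecertchainvalidation -u "$2"
}

if [ "$#" -eq 2 ]; then
    enroll_mac "$1" "$2"
else
    echo "usage: $0 <enrollment_proxy_server_name> '<user_name>'" >&2
fi
```

Set `DRY_RUN=1` to print the two commands without running them; the Keychain Access change in step 7 and the restart in step 8 remain manual.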

Tip

To help troubleshoot the Mac client, use the CMDiagnostics tool included with the Mac client package. Use it to collect the following diagnostic information:

  • A list of running processes
  • The Mac OS X operating system version
  • Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash.
  • The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation.
  • The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.

The information collected by CMDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<datetime>.zip.

Manage certificates external to Configuration Manager

You can use a certificate request and installation method independent from Configuration Manager. Use the same general process, but include the following additional steps:

  • When you install the Configuration Manager client, use the MP and SubjectName command-line options. Enter the following command: sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The certificate subject name is case-sensitive, so type it exactly as it appears in the certificate details.

    Example: The management point's internet FQDN is server03.contoso.com. The Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject. Use the following command: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com

  • If you have more than one certificate that contains the same subject value, specify the certificate serial number to use for the Configuration Manager client. Use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data '<serial number>'.

    For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data '17D4391A00000003DB'

Renew the Mac client certificate

This procedure removes the SMSID. The Configuration Manager client for Mac requires a new ID to use a new or renewed certificate.

Important

After you replace the client SMSID, when you delete the old resource in the Configuration Manager console, you also delete any stored client history. For example, hardware inventory history for that client.

  1. Create and populate a device collection for the Mac computers that must renew the computer certificates.

  2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

  3. On the General page of the wizard, specify the following information:

    • Name: Remove SMSID for Mac

    • Type: Mac OS X

  4. On the Supported Platforms page, select all Mac OS X versions.

  5. On the Settings page, select New. In the Create Setting window, specify the following information:

    • Name: Remove SMSID for Mac

    • Setting type: Script

    • Data type: String

  6. In the Create Setting window, for Discovery script, select Add script. This action specifies a script to discover Mac computers configured with an SMSID.

  7. In the Edit Discovery Script window, enter the following shell script:

  8. Choose OK to close the Edit Discovery Script window.

  9. In the Create Setting window, for Remediation script (optional), choose Add script. This action specifies a script to remove the SMSID when it's found on Mac computers.

  10. In the Create Remediation Script window, enter the following shell script:

  11. Choose OK to close the Create Remediation Script window.

  12. On the Compliance Rules page, choose New. Then in the Create Rule window, specify the following information:

    • Name: Remove SMSID for Mac

    • Selected setting: Choose Browse and then select the discovery script that you previously specified.

    • In the following values field: The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.

    • Enable the option to Run the specified remediation script when this setting is noncompliant.

  13. Complete the wizard.

  14. Create a configuration baseline that contains this configuration item. Deploy the baseline to the target collection.

    For more information, see How to create configuration baselines.

  15. After you install a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate:
