Automatically Enrolling Mac OS X devices into SCCM 2012 R2

If you are unfortunate enough to be required to use SCCM 2012 R2 to manage your fleet of Mac OS X devices, you may already be aware that the process of enrolling these devices en masse is not easily automated. Unlike other management products such as Casper Suite, where a QuickAdd.pkg can be installed on the client at first boot, through ARD, or by any number of other methods that require no user intervention, SCCM is a little different. The installer package that is provided installs the client, but it doesn't install any of the tools required to automate the enrollment, via a script for example. Previously, with SCCM 2012 SP1, it was possible to automate the enrollment process by passing the username and password on the command line to the cmenroll binary (albeit in clear text).

Now it seems that MS would rather rely on the user to enter their AD credentials in the new ConfigMgr GUI window in order to enroll. This is obviously a problem if you have a lab of Macs or wish to enroll a number of machines at imaging time using DeployStudio, Casper, etc. So in this post I will show you how I was able to create a metapackage that contains all the required files and a postflight script which can automatically enroll the device using an AD service account.

From here I will assume that you already have the macclient.dmg which should look like this:

[Image: cmclient]

First we need to create a package that contains our Client Tools. If you have created packages before, this should be a relatively straightforward process. I used Composer and ended up with something looking like this:

[Image: composer]

We now need to create an enrollment script, or two.

I have two scripts. These are on my GitHub; check there for current versions.

The first script (sccm_enrollment.sh) defines our environment variables, such as the server address, and then passes them as arguments to our second script (expect_enrollment.sh).

sccm_enrollment.sh

#!/bin/bash

## Calum Hunter
## 12-08-2014
## DEC NSW SCCM PoC Project
## Version 0.1
## 
## Script to enroll the Mac OS X Device into Production SCCM Environment

## Define some variables
server_address="YOUR SERVER ADDRESS"
sccmusername="YOUR USERNAME"
sccmpassword="YOUR PASSWORD"
cmenroll="/Library/Application Support/Microsoft/CCM/Tools/CMEnroll"

## Now hand off to the expect script to perform the enrollment
## (every argument is quoted so a value containing spaces stays one argument)
/tmp/expect_enrollment.sh "$server_address" "$sccmusername" "$sccmpassword" "$cmenroll"

exit 0

The second script takes these arguments and then uses expect to respond interactively to the password prompt.

expect_enrollment.sh

#!/usr/bin/expect

## Calum Hunter
## 12-08-2014
## DEC NSW SCCM PoC Project
## Version 0.1

# Grab the variables from the sccm_enrollment script
set server_address [lindex $argv 0]; # Get the server address from the sccm_enrollment script
set sccmusername [lindex $argv 1]; # Get the sccmusername from the sccm_enrollment script
set sccmpassword [lindex $argv 2]; # Get the sccmpassword from the sccm_enrollment script
set cmenroll [lindex $argv 3]; # Get the cmenroll path from the sccm_enrollment script

# set a generous timeout
set timeout 20

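## Do the script
spawn $cmenroll -s $server_address -ignorecertchainvalidation -u $sccmusername
expect "Please enter your password."
# "--" stops a password that starts with "-" being parsed as a send flag;
# "\r" sends the Return keypress that submits it
send -- "$sccmpassword\r"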
expect "Successfully enrolled"
interact

exit 0

Now that we have these scripts, we need to package them up, so create another package.

[Image: scripts]

We should now have 3 packages: our CMClient.pkg from MS and our two custom packages.

I use Packages from WhiteBox to create a Distribution package that contains all of our packages and a postflight script.

So create a new Distribution Package, give it a name and a location, and create the project.

[Image: pkg1]

[Image: pkgs2]

Now ensure that you put in a unique identifier and give it a useful version number. Also note that the CMClient.pkg requires a restart, so we will also require a restart here.

[Image: pkgs3]

We can skip the Payload and move across to Scripts.

[Image: pkgs4]

Drag the 3 packages into Additional Resources.

Create a postflight script that installs our packages and then runs our enrollment script.

Mine is available on my GitHub and it looks like this:

#!/bin/sh

## Calum Hunter
## DEC SCCM PoC Project
## Version 0.1
## 13/08/2014

## Post flight script to install the packages
## then run the enrollment scripts

## Determine working directory (quoted so a path containing spaces still works)
install_dir=$(dirname "$0")

## Install the packages
/usr/sbin/installer -dumplog -verbose -pkg "$install_dir/CMClient.pkg" -target "$3"
/usr/sbin/installer -dumplog -verbose -pkg "$install_dir/SCCM_Enrollment_Scripts.pkg" -target "$3"
/usr/sbin/installer -dumplog -verbose -pkg "$install_dir/SCCM_Mac_Client_Tools.pkg" -target "$3"

## Packages are installed so now run the enrollment script
/tmp/sccm_enrollment.sh

exit 0

Set this as your post-installation script.

Now build the package (Build menu -> Build).

You should now have a package that you can deploy using pretty much any method, and that will install and enroll SCCM without any user intervention while the machine is unattended (at the login window).
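
The scripts above keep the service-account password in a script under /tmp, run that script as root from the installer's postflight, and pass the password on the command line to expect_enrollment.sh. As an added example (not the author's code), the helper below refuses to run an enrollment script that another user could have replaced, hands the password to the child in its environment instead of its argument list, and removes the script afterwards; the function names and the SCCM_PASSWORD variable are assumptions, and the expect script would read the value as $env(SCCM_PASSWORD).

```shell
#!/bin/bash
# Added example, not the author's code. Function names and the
# SCCM_PASSWORD variable are assumptions made for illustration.

# Succeed only if the path exists, is not a symlink, is owned by the
# invoking user, and is not writable by group or other.
owner_only_writable() {
    [ -e "$1" ] && [ ! -L "$1" ] || return 1
    # Fields of `ls -ldn`: $1 = mode string, $3 = numeric owner uid
    set -- $(ls -ldn "$1")
    [ "$3" = "$(id -u)" ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Usage: run_enrollment /path/to/enrollment_script password
# Returns the script's exit status, or 2 if the script was not run.
run_enrollment() {
    local script="$1" password="$2" rc=0
    if ! owner_only_writable "$script" ||
       ! owner_only_writable "$(dirname "$script")"; then
        echo "not running $script: ownership/permission check failed" >&2
        return 2
    fi
    # The password goes into the child's environment only, so it does not
    # appear in the argument list that ps shows to other local users.
    SCCM_PASSWORD="$password" "$script" || rc=$?
    # Do not leave enrollment material on disk, whatever the result.
    rm -f "$script"
    return "$rc"
}
```

With the layout used in this post, /tmp/sccm_enrollment.sh fails this check because /tmp is world-writable, so the enrollment scripts package would have to install into a root-owned directory instead.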

14 comments

  1. I can’t get this script to work. I’ve changed the environmental variables to my settings but it still won’t register. I have to install the client on about 50 mac machines. I thought the username should not include any characters such as “+= or the enrollment fails. I’m fairly new to scripting so any advice would be greatly appreciated. Please help!

    1. There are quite a lot of moving parts to this. It's pretty hard to help you without a lot more information. However, have you tried creating a simple test user account and password and attempted to use that to enroll the device? If you install the agent on the machine manually, will it enroll into SCCM with the account and password you are trying to use in the script?

      1. We created one shared domain account to use for registration purposes only. It does register without a problem when I run it manually through preferences-configuration manager. I’m also able to run the registration by running the sudo command through the cmenroll tool. Are there any changes supposed to be made under the expect_enrollment.sh script? I’m assuming that script is only to grab the variables from the sccm_enrollment.sh script that you created.


  2. Thanks for this, helped a lot. I create the scripts, the packages, etc. But when I run the complete package, it comes up with a validation error on the packages. Can you help???

      1. Sadly it's just the standard one, “The Installation failed. The installed encountered an error that caused the installation to fail. Contact the software manufacturer for assistance”.
