About Client Approval in Configuration Manager
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Configuration Manager 2007 mixed mode does not authenticate clients before they are allowed to join the site. Any computer with the System Center Configuration Manager 2007 client installed and assigned to a site, and that has a self-signed certificate can communicate with a management point, display in the System Center Configuration Manager 2007 console, receive policy from the site, and send information to the site. In mixed mode, if the check box This site contains only ConfigMgr 2007 clients is not selected, then policies containing sensitive data can be sent to any client. However if the check box is selected, only clients that are approved can receive policies containing sensitive data.
A Configuration Manager 2007 client cannot be approved until it has successfully installed and assigned to a site.
Approval can be manual, automatic for computers in trusted domains, or automatic for all computers and is configured as a site property on the site mode tab for mixed mode sites.
The most secure approval method is to automatically approve clients that are members of trusted domains. In this mode, clients that are not members of a trusted domain, including workgroup clients, must be manually approved. If you want to manually verify every client before it is allowed to receive policies containing sensitive data, set the approval mode to manual. Automatically approving all clients is not recommended unless you have other access controls to prevent untrustworthy computers from accessing your network. If a client is not approved by an automatic method, it still displays in the Configuration Manager 2007 console and can be manually approved by locating it in a collection and using Approve from the Action menu. For more information, see How to Approve Configuration Manager Clients.
Mobile device clients do not receive any policies containing sensitive data and therefore do not require approval.
Approval is also not required when the site is configured for native mode, because public key infrastructure (PKI) certificates authenticate clients to the management point and other site systems.
When a Configuration Manager 2007 site is in native mode, client approval is not used. However, if you view a collection in the Configuration Manager console, the approval column is displayed. For native mode sites, the information in this column should not be used.
The following table lists the three approval options that are available as a mixed mode site option.
|Approval Setting||More Information|
Manually approve each computer
Manually approving every computer to join the site introduces the least risk, but the largest administrative overhead. Clients must be manually approved from their assigned site within the Configuration Manager console.
Automatically approve computers in trusted domains
Automatically approving computers in trusted domains automatically approves client computers joined to domains trusted by the site server's domain. When using this setting, you should ensure that you have other security controls in place to prevent untrustworthy computers from joining a trusted domain.
If clients are from a different domain from the site server's domain, you must configure the site's default management point (or NLB management point) with a fully qualified domain name (FQDN) to use this option.
For information about how to specify this FQDN, see How to Configure the Intranet FQDN of Site Systems.
Automatically approve all computers
Automatically approving all computers to join the site will allow any computer to join the site. This setting is never recommended because it allows any computer to become a client without verifying trustworthiness.
Resetting the Client's Approval Status on Site Migration to Native Mode
When a Configuration Manager 2007 site is migrated from mixed mode to native mode, clients do not retain their approval status and the approval status of all clients assigned to the site is automatically set to unapproved.
When the site is operating in native mode, client authentication using the PKI certificates takes the place of approval, and the approval status is not used. However, if the site reverts to mixed mode, clients must be re-approved as if they are new clients.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.