How to deploy clients to Macs

Applies to: Configuration Manager (current branch)

This article describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn about what you have to configure before deploying clients to Mac computers, see Prepare to deploy client software to Macs.

When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console.

In these procedures, you have two options for installing client certificates. Read more about client certificates for Macs in Prepare to deploy client software to Macs.

Important

To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point certificate. For example, use the FQDN of the management point server.

Configure client settings

Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings. To request and install the certificate, the Configuration Manager client for Mac requires the default client settings.

  1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings node, and then select Default Client Settings.

  2. On the Home tab of the ribbon, in the Properties group, choose Properties.

  3. Select the Enrollment section, and then configure the following settings:

    1. Allow users to enroll mobile devices and Mac computers: Yes

    2. Enrollment profile: Choose Set Profile.

  4. In the Mobile Device Enrollment Profile dialog box, choose Create.

  5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile. Then configure the Management site code. Select the Configuration Manager primary site that contains the management points for these Mac computers.

    Note

    If you can't select the site, make sure that you configure at least one management point in the site to support mobile devices.

  6. Choose Add.

  7. In the Add Certification Authority for Mobile Devices window, select the certification authority server that issues certificates to Mac computers.

  8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you previously created.

  9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

    Tip

    If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.

In addition to the enrollment client settings, make sure that you have configured the following client device settings:

  • Hardware inventory: Enable and configure this feature if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to extend hardware inventory.

  • Compliance settings: Enable and configure this feature if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Plan for and configure compliance settings.

For more information, see How to configure client settings.

Download the client for macOS

  1. Download the macOS client file package, Microsoft Endpoint Configuration Manager - macOS Client (64-bit). Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration Manager installation media.

  2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder on the local disk. The default path is C:\Program Files\Microsoft\System Center Configuration Manager for Mac client.

  3. Copy the Macclient.dmg file to a folder on the Mac computer.

  4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.

  5. In the folder, make sure that it contains the following files:

    • Ccmsetup: Installs the Configuration Manager client on your Mac computers using CMClient.pkg

    • CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers

    • CMUninstall: Uninstalls the client from your Mac computers

    • CMAppUtil: Converts Apple application packages into a format that you can deploy as a Configuration Manager application

    • CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client

Enroll the Mac client

Enroll individual clients with the Mac computer enrollment wizard.

To automate enrollment for many clients, use the CMEnroll tool.

Enroll the client with the Mac computer enrollment wizard

  1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select Enroll from the Configuration Manager preference page.

  2. On the second page of the wizard, provide the following information:

    • User name: The user name can be in the following formats:

      • domain\name. For example: contoso\mnorth

      • user@domain. For example: mnorth@contoso.com

        Important

        When you use an email address to populate the User name field, Configuration Manager automatically populates the Server name field. It uses the default name of the enrollment proxy point server and the domain name of the email address. If these names don't match the name of the enrollment proxy point server, fix the Server name during enrollment.

        The user name and corresponding password must match an Active Directory user account that has Read and Enroll permissions on the Mac client certificate template.

    • Server name: The name of the enrollment proxy point server.

Client and certificate automation with CMEnroll

Use this procedure to automate client installation and to request and enroll client certificates with the CMEnroll tool. To run the tool, you must have an Active Directory user account.

  1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.

  2. Enter the following command: sudo ./ccmsetup

  3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, don't restart, and continue to the next step.

  4. From the Tools folder on the Mac computer, type the following command: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

    After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. For more information, see Enroll the client by using the Mac computer enrollment wizard.

    Example: If the enrollment proxy point server is named server02.contoso.com, and you grant contoso\mnorth permissions for the Mac client certificate template, type the following command: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contoso\mnorth'

    Note

    If the user name includes any of the following characters, enrollment fails: < > " + = ,
    Use an out-of-band certificate with a user name that doesn't include these characters.

    For a more seamless user experience, script the installation steps. Then users only have to supply their user name and password.

  5. Type the password for the Active Directory user account. When you enter this command, it prompts for two passwords. The first password is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.

  6. Wait until you see the Successfully enrolled message.

  7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

    1. Enter the command sudo /Applications/Utilities/Keychain\ Access.app/Contents/MacOS/Keychain\ Access

    2. In the Keychain Access window, in the Keychains section, choose System. Then in the Category section, choose Keys.

    3. Expand the keys to view the client certificates. Find the certificate with a private key that you installed, and open the key.

    4. On the Access Control tab, choose Confirm before allowing access.

    5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

    6. Choose Save Changes and close the Keychain Access dialog box.

  8. Restart the Mac computer.
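
The procedure above suggests scripting the installation steps. The following added example (not from the original article or from Microsoft) wraps steps 2 through 4 and rejects user names that enrollment would fail on before anything is installed. The CLIENT_DIR, TOOLS_DIR and DRY_RUN variables and all function names are assumptions, as is treating the two listed user-name formats as the only accepted ones.

```shell
#!/bin/sh
# Added example: wraps steps 2-4 of the CMEnroll procedure.
# Assumptions (not from the original page): the CLIENT_DIR, TOOLS_DIR and
# DRY_RUN variables and every function name below.
CLIENT_DIR=${CLIENT_DIR:-$PWD}             # folder extracted from Macclient.dmg
TOOLS_DIR=${TOOLS_DIR:-$CLIENT_DIR/Tools}  # folder that holds CMEnroll

# Succeeds only for domain\name or user@domain with none of < > " + = ,
valid_enroll_user() {
    case $1 in
        *[\<\>\"+=,]*) return 1 ;;   # enrollment fails on these characters
    esac
    case $1 in
        ?*\\?* | ?*@?*) return 0 ;;
    esac
    return 1
}

# run_step <dir> <command...>: print the step when DRY_RUN=1, else run it.
run_step() {
    dir=$1; shift
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '(cd %s &&' "$dir"; printf ' %s' "$@"; printf ')\n'
    else
        (cd "$dir" && "$@")
    fi
}

# enroll_mac <enrollment_proxy_server_name> <user_name>
enroll_mac() {
    [ -n "$1" ] || { echo "enrollment proxy point server name is required" >&2; return 2; }
    valid_enroll_user "$2" || { printf 'user name cannot be enrolled: %s\n' "$2" >&2; return 1; }
    run_step "$CLIENT_DIR" sudo ./ccmsetup || return 3
    # ccmsetup asks for a restart; the procedure says to continue instead.
    echo "Do not restart yet. Password prompts look identical:" \
         "super user account first, then Active Directory account." >&2
    # Options exactly as given in step 4 of the procedure.
    run_step "$TOOLS_DIR" sudo ./CMEnroll -s "$1" -ignorecertchainvalidation -u "$2"
}

# Runs only when called with both arguments; DRY_RUN defaults to 1 (print only).
if [ "$#" -eq 2 ]; then
    enroll_mac "$1" "$2"
fi
```

Run it with DRY_RUN=0 to execute the steps instead of printing them; steps 7 and 8 (Keychain Access and the restart) remain manual.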

To verify that the client installation is successful, open the Configuration Manager item in System Preferences on the Mac computer. Also update and view the All Systems collection in the Configuration Manager console. Confirm that the Mac computer appears in this collection as a managed client.

Tip

To help troubleshoot the Mac client, use the CMDiagnostics tool included with the Mac client package. Use it to collect the following diagnostic information:

  • A list of running processes
  • The Mac OS X operating system version
  • Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash.
  • The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation.
  • The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.

The information collected by CMDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<datetime>.zip.

Manage certificates external to Configuration Manager

You can use a certificate request and installation method independent from Configuration Manager. Use the same general process, but include the following additional steps:

  • When you install the Configuration Manager client, use the MP and SubjectName command-line options. Enter the following command: sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The certificate subject name is case-sensitive, so type it exactly as it appears in the certificate details.

    Example: The management point's internet FQDN is server03.contoso.com. The Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject. Use the following command: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com

  • If you have more than one certificate that contains the same subject value, specify the certificate serial number to use for the Configuration Manager client. Use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data "<serial number>".

    For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data "17D4391A00000003DB"

Renew the Mac client certificate

This procedure removes the SMSID. The Configuration Manager client for Mac requires a new ID to use a new or renewed certificate.

Important

After you replace the client SMSID, when you delete the old resource in the Configuration Manager console, you also delete any stored client history. For example, hardware inventory history for that client.

  1. Create and populate a device collection for the Mac computers that must renew the computer certificates.

  2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

  3. On the General page of the wizard, specify the following information:

    • Name: Remove SMSID for Mac

    • Type: Mac OS X

  4. On the Supported Platforms page, select all Mac OS X versions.

  5. On the Settings page, select New. In the Create Setting window, specify the following information:

    • Name: Remove SMSID for Mac

    • Setting type: Script

    • Data type: String

  6. In the Create Setting window, for Discovery script, select Add script. This action specifies a script to discover Mac computers configured with an SMSID.

  7. In the Edit Discovery Script window, enter the following shell script:

    defaults read com.microsoft.ccmclient SMSID  
    
  8. Choose OK to close the Edit Discovery Script window.

  9. In the Create Setting window, for Remediation script (optional), choose Add script. This action specifies a script to remove the SMSID when it's found on Mac computers.

  10. In the Create Remediation Script window, enter the following shell script:

    defaults delete com.microsoft.ccmclient SMSID  
    
  11. Choose OK to close the Create Remediation Script window.

  12. On the Compliance Rules page, choose New. Then in the Create Rule window, specify the following information:

    • Name: Remove SMSID for Mac

    • Selected setting: Choose Browse and then select the discovery script that you previously specified.

    • In the following values field: The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.

    • Enable the option to Run the specified remediation script when this setting is noncompliant.

  13. Complete the wizard.

  14. Create a configuration baseline that contains this configuration item. Deploy the baseline to the target collection.

    For more information, see How to create configuration baselines.

  15. After you install a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate:

    sudo defaults write com.microsoft.ccmclient SubjectName -string <subject_name_of_new_certificate>  
    

See also

Prepare to deploy clients to Macs

Maintain Mac clients