Microsoft Office Manager For Mac

-->

Office 365 is a cloud-based subscription service that brings together the best tools for the way people work today. By combining best-in-class apps like Excel and Outlook with powerful cloud services like OneDrive and Microsoft Teams, Office 365 lets anyone create and share anywhere on any device. Just using Office 2016 on a Mac, specifically Excel. I am trying to find out where the Name Manager function is located in Excel. I know I can define a named cell easily enough in the Mac version, that's OK, but I use Name Manager in Excel when I'm working on a PC (at work) and I could do using this functionality.

Security Bulletin

Vulnerability in Microsoft Office for Mac Could Allow Elevation of Privilege (2721015)

Published: July 10, 2012

Version: 1.0

General Information

Executive Summary

This security update resolves one publicly disclosed vulnerability in Microsoft Office for Mac. The vulnerability could allow elevation of privilege if a malicious executable is placed on an affected system by an attacker, and then another user logs on later and runs the malicious executable. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

This security update is rated Important for Microsoft Office for Mac 2011. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by correcting the permission settings on the Microsoft Office 2011 folder and other affected folders. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. None

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Microsoft Office

Microsoft Office SoftwareMaximum Security ImpactAggregate Severity RatingUpdates Replaced
Microsoft Office for Mac
[Microsoft Office for Mac 2011](https://www.microsoft.com/download/details.aspx?familyid=877700ed-3d03-4d46-a77b-5063d8f7d2e3) (KB2721015)Elevation of PrivilegeImportantKB2665351 in [MS12-030](http://go.microsoft.com/fwlink/?linkid=238499) replaced by KB2721015
**Non-Affected Software**
Office and Other Software
Microsoft Office 2008 for Mac

Frequently Asked Questions (FAQ) Related to This Security Update

Wherearethe hashes of the security updates?
The SHA1 and SHA2 hashes of the security updates can be used to verify the authenticity of downloaded security update packages. For the hash information pertaining to this update, see Microsoft Knowledge Base Article 2721015.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle website.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary. For more information, see Microsoft Exploitability Index.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected SoftwareOffice for Mac Improper Folder Permissions Vulnerability - CVE-2012-1894Aggregate Severity Rating
Microsoft Office for Mac 2011Important
Elevation of Privilege
Important
Office for Mac Improper Folder Permissions Vulnerability - CVE-2012-1894 ------------------------------------------------------------------------ An elevation of privilege vulnerability exists in the way that folder permissions are set in certain Microsoft Office for Mac installations. An attacker could place a malicious executable in the Microsoft Office 2011 folder. If a user later logs on and runs the malicious executable, attacker-provided code can be made to execute in the security context of the current user. If the user runs the malicious executable as an administrator, the attacker could take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The attacker would only be able to gain elevated privileges on the affected Mac computer if a user executed the malicious executable. This is not a direct elevation of privilege, but rather it is a luring attack. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see [CVE-2012-1894](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1894). #### Mitigating Factors for Office for Mac Improper Folder Permissions Vulnerability - CVE-2012-1894 Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation: - An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. - An attacker could use the vulnerability to place a malicious executable in the Microsoft Office 2011 folder. However, the attacker would only be able to gain elevated privileges on the affected Mac computer if a user runs the malicious executable. This is not a direct elevation of privilege, but rather it is a luring attack. - This vulnerability does not affect Office for Mac 2011 installations in an upgrade scenario to Service Pack 2. #### Workarounds for Office for Mac Improper Folder Permissions Vulnerability - CVE-2012-1894 Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality: - **Remove write permission from others in affected folders** To manually change the permissions, run each of the following commands in /Applications/Utilities/Terminal: `/usr/bin/sudo /bin/chmod -R -P o-w /Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin/` `/usr/bin/sudo /bin/chmod -R -P o-w /Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin/` `/usr/bin/sudo /bin/chmod -R -P o-w /Library/Fonts/Microsoft/` `/usr/bin/sudo /bin/chmod -R -P o-w /Library/Automator/` `/usr/bin/sudo /bin/chmod -R -P o-w /Applications/Microsoft Office 2011/` #### FAQ for Office for Mac Improper Folder Permissions Vulnerability - CVE-2012-1894 **What is the scope of the vulnerability?** This is an elevation of privilege vulnerability. **What causes the vulnerability?** The vulnerability exists in the way folder permissions are set in certain installations of Microsoft Office for Mac. **What might an attacker use the vulnerability to do?** An attacker could place a malicious executable in the Microsoft Office 2011 folder. If a user later logs on and runs the malicious executable, attacker-provided code can be made to execute in the security context of the current user. If the user runs the malicious executable as an administrator, the attacker could take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The attacker would only be able to gain elevated privileges on the affected Mac computer if a user executed the malicious executable. This is not a direct elevation of privilege, but rather it is a luring attack. **How could an attacker exploit the vulnerability?** To exploit this vulnerability, an attacker would first have to log on to an affected system and place a malicious executable in the Microsoft Office 2011 folder. When a user later logs on and runs the malicious executable, the attacker-provided code can be made to execute in the security context of the current user. **What systems are primarily at risk from the vulnerability?** Shared workstations, such as those in libraries or internet cafes, are primarily at risk. **What does the update do?** The update addresses the vulnerability by correcting the permission settings on the Microsoft Office 2011 folder and other affected folders. **When this security bulletin was issued, had this vulnerability been publicly disclosed?** Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number [CVE-2012-1894](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1894). **When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?** No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued. ### Update Information Detection and Deployment Tools and Guidance ------------------------------------------- **Security Central** Manage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization. For more information see the [TechNet Update Management Center](http://go.microsoft.com/fwlink/?linkid=69903). The [Microsoft TechNet Security website](http://go.microsoft.com/fwlink/?linkid=21132) provides additional information about security in Microsoft products. Security updates are available from [Microsoft Update](http://go.microsoft.com/fwlink/?linkid=40747) and [Windows Update](http://go.microsoft.com/fwlink/?linkid=21130). Security updates are also available from the [Microsoft Download Center](http://go.microsoft.com/fwlink/?linkid=21129). You can find them most easily by doing a keyword search for 'security update.' For customers of Microsoft Office for Mac, Microsoft AutoUpdate for Mac can help keep your Microsoft software up to date. For more information about using Microsoft AutoUpdate for Mac, see [Check for software updates automatically](http://mac2.microsoft.com/help/office/14/en-us/word/item/ffe35357-8f25-4df8-a0a3-c258526c64ea). Finally, security updates can be downloaded from the [Microsoft Update Catalog](http://go.microsoft.com/fwlink/?linkid=96155). The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, 'MS07-036'), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the [Microsoft Update Catalog FAQ](http://go.microsoft.com/fwlink/?linkid=97900). **Detection and Deployment Guidance** Microsoft provides detection and deployment guidance for security updates. This guidance contains recommendations and information that can help IT professionals understand how to use various tools for detection and deployment of security updates. For more information, see [Microsoft Knowledge Base Article 961747](http://support.microsoft.com/kb/961747). **Microsoft Baseline Security Analyzer** Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit [Microsoft Baseline Security Analyzer](http://www.microsoft.com/technet/security/tools/mbsahome.mspx). The following table provides the MBSA detection summary for this security update. | Software | MBSA | |-------------------------------|------| | Microsoft Office for Mac 2011 | No | **Note** For customers using legacy software not supported by the latest release of MBSA, Microsoft Update, and Windows Server Update Services, please visit [Microsoft Baseline Security Analyzer](http://www.microsoft.com/technet/security/tools/mbsahome.mspx) and reference the Legacy Product Support section on how to create comprehensive security update detection with legacy tools. **Windows Server Update Services** Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. For more information about how to deploy security updates using Windows Server Update Services, see the TechNet article, [Windows Server Update Services](http://technet.microsoft.com/en-us/wsus/default.aspx). **Systems Management Server** The following table provides the SMS detection and deployment summary for this security update. | Software | SMS 2003 with ITMU | System Center Configuration Manager | |-------------------------------|--------------------|-------------------------------------| | Microsoft Office for Mac 2011 | No | No | **Note** Microsoft discontinued support for SMS 2.0 on April 12, 2011. For SMS 2003, Microsoft also discontinued support for the Security Update Inventory Tool (SUIT) on April 12, 2011. Customers are encouraged to upgrade to [System Center Configuration Manager](http://technet.microsoft.com/en-us/systemcenter/bb980621). For customers remaining on SMS 2003 Service Pack 3, the [Inventory Tool for Microsoft Updates](http://technet.microsoft.com/en-us/sms/bb676783.aspx) (ITMU) is also an option. For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by [Microsoft Update](http://update.microsoft.com/microsoftupdate) and that are supported by [Windows Server Update Services](http://go.microsoft.com/fwlink/?linkid=50120). For more information about the SMS 2003 ITMU, see [SMS 2003 Inventory Tool for Microsoft Updates](http://technet.microsoft.com/en-us/sms/bb676783.aspx). For more information about SMS scanning tools, see [SMS 2003 Software Update Scanning Tools](http://technet.microsoft.com/en-us/sms/bb676786.aspx). See also [Downloads for Systems Management Server 2003](http://technet.microsoft.com/en-us/sms/bb676766.aspx). System Center Configuration Manager uses WSUS 3.0 for detection of updates. For more information about System Center Configuration Manager Software Update Management, visit [System Center](http://technet.microsoft.com/en-us/systemcenter/bb980621). For more information about SMS, visit the [SMS website](http://go.microsoft.com/fwlink/?linkid=21158). For more detailed information, see [Microsoft Knowledge Base Article 910723](http://support.microsoft.com/kb/910723): Summary list of monthly detection and deployment guidance articles. **Update Compatibility Evaluator and Application Compatibility Toolkit** Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the [Update Compatibility Evaluator](http://technet2.microsoft.com/windowsvista/en/library/4279e239-37a4-44aa-aec5-4e70fe39f9de1033.mspx?mfr=true) components included with [Application Compatibility Toolkit](https://www.microsoft.com/download/details.aspx?familyid=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en). The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment. Security Update Deployment -------------------------- **Affected Software** For information about the specific security update for your affected software, click the appropriate link: #### Office for Mac 2011 #### Deployment Information **Prerequisites** - Mac OS X version 10.5.8 or later version on an Intel processor - Mac OS X user accounts must have administrator privileges to install this security update **Installing the Update** Download and install the appropriate language version of the Microsoft Office for Mac 2011 14.2.3 Update from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?familyid=877700ed-3d03-4d46-a77b-5063d8f7d2e3). - Quit any applications that are running, including virus-protection applications and all Microsoft Office applications, because they might interfere with installation. - Open the Microsoft Office for Mac 2011 14.2.3 Update volume on your desktop. This step might have been performed for you. - To start the update process, in the Microsoft Office for Mac 2011 14.2.3 Update volume window, double-click the Microsoft Office for Mac 2011 14.2.3 Update application, and follow the instructions on the screen. - When the installation finishes successfully, you can remove the update installer from your hard disk. To verify that the installation finished successfully, see the following 'Verifying Update Installation' heading. To remove the update installer, first drag the Microsoft Office for Mac 2011 14.2.3 Update volume to the Trash, and then drag the file that you downloaded to the Trash. **Verifying Update Installation** To verify that a security update is installed on an affected system, follow these steps: 1. In the Finder, navigate to the Application Folder (Microsoft Office 2011). 2. Select Word, Excel, PowerPoint or Outlook and launch the application. 3. On the Application menu, click **About Application_Name** (where Application_Name is Word, Excel, PowerPoint or Outlook). If the Latest Installed Update Version number is **14.2.3**, the update has been successfully installed. **Restart Requirement** This update does not require you to restart your computer. **Removing the Update** This security update cannot be uninstalled. **Additional Information** If you have technical questions or problems downloading or using this update, visit [Microsoft for Mac Support](http://www.microsoft.com/mac/support) to learn about the support options that are available to you. ### Other Information #### Microsoft Active Protections Program (MAPP) To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in [Microsoft Active Protections Program (MAPP) Partners](http://go.microsoft.com/fwlink/?linkid=215201). #### Support **How to obtain help and support for this security update** - Help installing updates: [Support for Microsoft Update](http://support.microsoft.com/ph/6527) - Security solutions for IT professionals: [TechNet Security Troubleshooting and Support](http://technet.microsoft.com/security/bb980617.aspx) - Help protect your computer that is running Windows from viruses and malware: [Virus Solution and Security Center](http://support.microsoft.com/contactus/cu_sc_virsec_master) - Local support according to your country: [International Support](http://support.microsoft.com/common/international.aspx) #### Disclaimer The information provided in the Microsoft Knowledge Base is provided 'as is' without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. #### Revisions - V1.0 (July 10, 2012): Bulletin published. *Built at 2014-04-18T13:49:36Z-07:00* -->

Applies to: Configuration Manager (current branch)

Buy Microsoft Office Mac

This article describes how to deploy and maintain the Configuration Manager client on Mac computers. To learn about what you have to configure before deploying clients to Mac computers, see Prepare to deploy client software to Macs.

When you install a new client for Mac computers, you might have to also install Configuration Manager updates to reflect the new client information in the Configuration Manager console.

In these procedures, you have two options for installing client certificates. Read more about client certificates for Macs in Prepare to deploy client software to Macs.

Microsoft Office Professional For Mac

  • Use Configuration Manager enrollment by using the CMEnroll tool. The enrollment process doesn't support automatic certificate renewal. Re-enroll the Mac computer before the installed certificate expires.

  • Use a certificate request and installation method that is independent from Configuration Manager.

Important

To deploy the client to devices running macOS Sierra, correctly configure the Subject name of the management point certificate. For example, use the FQDN of the management point server.

Configure client settings

Use the default client settings to configure enrollment for Mac computers. You can't use custom client settings. To request and install the certificate, the Configuration Manager client for Mac requires the default client settings.

  1. In the Configuration Manager console, go to the Administration workspace. Select the Client Settings node, and then select Default Client Settings.

  2. On the Home tab of the ribbon, in the Properties group, choose Properties.

  3. Select the Enrollment section, and then configure the following settings:

    1. Allow users to enroll mobile devices and Mac computers: Yes

    2. Enrollment profile: Choose Set Profile.

  4. In the Mobile Device Enrollment Profile dialog box, choose Create.

  5. In the Create Enrollment Profile dialog box, enter a name for this enrollment profile. Then configure the Management site code. Select the Configuration Manager primary site that contains the management points for these Mac computers.

    Note

    If you can't select the site, make sure that you configure at least one management point in the site to support mobile devices.

  6. Choose Add.

  7. In the Add Certification Authority for Mobile Devices window, select the certification authority server that issues certificates to Mac computers.

  8. In the Create Enrollment Profile dialog box, select the Mac computer certificate template that you previously created.

  9. Select OK to close the Enrollment Profile dialog box, and then the Default Client Settings dialog box.

    Tip

    If you want to change the client policy interval, use Client policy polling interval in the Client Policy client setting group.

The next time the devices download client policy, Configuration Manager applies these settings for all users. To initiate policy retrieval for a single client, see Initiate policy retrieval for a Configuration Manager client.

In addition to the enrollment client settings, make sure that you have configured the following client device settings:

  • Hardware inventory: Enable and configure this feature if you want to collect hardware inventory from Mac and Windows client computers. For more information, see How to extend hardware inventory.

  • Compliance settings: Enable and configure this feature if you want to evaluate and remediate settings on Mac and Windows client computers. For more information, see Plan for and configure compliance settings.

For more information, see How to configure client settings.

Download the client for macOS

  1. Download the macOS client file package, Microsoft Endpoint Configuration Manager - macOS Client (64-bit). Save ConfigmgrMacClient.msi to a computer that runs Windows. This file isn't on the Configuration Manager installation media.

  2. Run the installer on the Windows computer. Extract the Mac client package, Macclient.dmg, to a folder on the local disk. The default path is C:Program FilesMicrosoftSystem Center Configuration Manager for Mac client.

  3. Copy the Macclient.dmg file to a folder on the Mac computer.

  4. On the Mac computer, run Macclient.dmg to extract the files to a folder on the local disk.

  5. In the folder, make sure that it contains the following files:

    • Ccmsetup: Installs the Configuration Manager client on your Mac computers using CMClient.pkg

    • CMDiagnostics: Collects diagnostic information related to the Configuration Manager client on your Mac computers

    • CMUninstall: Uninstalls the client from your Mac computers

    • CMAppUtil: Converts Apple application packages into a format that you can deploy as a Configuration Manager application

    • CMEnroll: Requests and installs the client certificate for a Mac computer so that you can then install the Configuration Manager client

Enroll the Mac client

Enroll individual clients with the Mac computer enrollment wizard.

To automate enrollment for many clients, use the CMEnroll tool.

Enroll the client with the Mac computer enrollment wizard

  1. After you install the client, the Computer Enrollment wizard opens. To manually start the wizard, select Enroll from the Configuration Manager preference page.

  2. On the second page of the wizard, provide the following information:

    • User name: The user name can be in the following formats:

      • domainname. For example: contosomnorth

      • user@domain. For example: mnorth@contoso.com

        Important

        When you use an email address to populate the User name field, Configuration Manager automatically populates the Server name field. It uses the default name of the enrollment proxy point server and the domain name of the email address. If these names don't match the name of the enrollment proxy point server, fix the Server name during enrollment.

        The user name and corresponding password must match an Active Directory user account that has Read and Enroll permissions on the Mac client certificate template.

    • Server name: The name of the enrollment proxy point server.

Client and certificate automation with CMEnroll

Use this procedure for automation of client installation and requesting and enrollment of client certificates with the CMEnroll tool. To run the tool, you must have an Active Directory user account.

  1. On the Mac computer, navigate to the folder where you extracted the contents of the Macclient.dmg file.

  2. Enter the following command: sudo ./ccmsetup

  3. Wait until you see the Completed installation message. Although the installer displays a message that you must restart now, don't restart, and continue to the next step.

  4. From the Tools folder on the Mac computer, type the following command: sudo ./CMEnroll -s <enrollment_proxy_server_name> -ignorecertchainvalidation -u '<user_name>'

    After the client installs, the Mac Computer Enrollment wizard opens to help you enroll the Mac computer. For more information, see Enroll the client by using the Mac computer enrollment wizard.

    Example: If the enrollment proxy point server is named server02.contoso.com, and you grant contosomnorth permissions for the Mac client certificate template, type the following command: sudo ./CMEnroll -s server02.contoso.com -ignorecertchainvalidation -u 'contosomnorth'

    Note

    If the user name includes any of the following characters, enrollment fails: <>'+=,. Use an out-of-band certificate with a user name that doesn't include these characters.

    For a more seamless user experience, script the installation steps. Then users only have to supply their user name and password.

  5. Type the password for the Active Directory user account. When you enter this command, it prompts for two passwords. The first password is for the super user account to run the command. The second prompt is for the Active Directory user account. The prompts look identical, so make sure that you specify them in the correct sequence.

  6. Wait until you see the Successfully enrolled message.

  7. To limit the enrolled certificate to Configuration Manager, on the Mac computer, open a terminal window and make the following changes:

    1. Enter the command sudo /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access

    2. In the Keychain Access window, in the Keychains section, choose System. Then in the Category section, choose Keys.

    3. Expand the keys to view the client certificates. Find the certificate with a private key that you installed, and open the key.

    4. On the Access Control tab, choose Confirm before allowing access.

    5. Browse to /Library/Application Support/Microsoft/CCM, select CCMClient, and then choose Add.

    6. Choose Save Changes and close the Keychain Access dialog box.

  8. Restart the Mac computer.

To verify that the client installation is successful, open the Configuration Manager item in System Preferences on the Mac computer. Also update and view the All Systems collection in the Configuration Manager console. Confirm that the Mac computer appears in this collection as a managed client.

Tip

To help troubleshoot the Mac client, use the CMDiagnostics tool included with the Mac client package. Use it to collect the following diagnostic information:

  • A list of running processes
  • The Mac OS X operating system version
  • Mac OS X crash reports relating to the Configuration Manager client including CCM*.crash and System Preference.crash.
  • The Bill of Materials (BOM) file and property list (.plist) file created by the Configuration Manager client installation.
  • The contents of the folder /Library/Application Support/Microsoft/CCM/Logs.

The information collected by CmDiagnostics is added to a zip file that is saved to the desktop of the computer and is named cmdiag-<hostname>-<datetime>.zip

Microsoft Office Manager For Mac

Manage certificates external to Configuration Manager

You can use a certificate request and installation method independent from Configuration Manager. Use the same general process, but include the following additional steps:

  • When you install the Configuration Manager client, use the MP and SubjectName command-line options. Enter the following command: sudo ./ccmsetup -MP <management point internet FQDN> -SubjectName <certificate subject name>. The certificate subject name is case-sensitive, so type it exactly as it appears in the certificate details.

    Example: The management point's internet FQDN is server03.contoso.com. The Mac client certificate has the FQDN of mac12.contoso.com as a common name in the certificate subject. Use the following command: sudo ./ccmsetup -MP server03.contoso.com -SubjectName mac12.contoso.com

  • If you have more than one certificate that contains the same subject value, specify the certificate serial number to use for the Configuration Manager client. Use the following command: sudo defaults write com.microsoft.ccmclient SerialNumber -data '<serial number>'.

    For example: sudo defaults write com.microsoft.ccmclient SerialNumber -data '17D4391A00000003DB'

Renew the Mac client certificate

This procedure removes the SMSID. The Configuration Manager client for Mac requires a new ID to use a new or renewed certificate.

Important

After you replace the client SMSID, when you delete the old resource in the Configuration Manager console, you also delete any stored client history. For example, hardware inventory history for that client.

  1. Create and populate a device collection for the Mac computers that must renew the computer certificates.

  2. In the Assets and Compliance workspace, start the Create Configuration Item Wizard.

  3. On the General page of the wizard, specify the following information:

    • Name: Remove SMSID for Mac

    • Type: Mac OS X

  4. On the Supported Platforms page, select all Mac OS X versions.

  5. On the Settings page, select New. In the Create Setting window, specify the following information:

    • Name: Remove SMSID for Mac

    • Setting type: Script

    • Data type: String

  6. In the Create Setting window, for Discovery script, select Add script. This action specifies a script to discover Mac computers configured with an SMSID.

  7. In the Edit Discovery Script window, enter the following shell script:

  8. Choose OK to close the Edit Discovery Script window.

  9. In the Create Setting window, for Remediation script (optional), choose Add script. This action specifies a script to remove the SMSID when it's found on Mac computers.

  10. In the Create Remediation Script window, enter the following shell script:

  11. Choose OK to close the Create Remediation Script window.

  12. On the Compliance Rules page, choose New. Then in the Create Rule window, specify the following information:

    • Name: Remove SMSID for Mac

    • Selected setting: Choose Browse and then select the discovery script that you previously specified.

    • In the following values field: The domain/default pair of (com.microsoft.ccmclient, SMSID) does not exist.

    • Enable the option to Run the specified remediation script when this setting is noncompliant.

  13. Complete the wizard.

  14. Create a configuration baseline that contains this configuration item. Deploy the baseline to the target collection.

    For more information, see How to create configuration baselines.

  15. After you install a new certificate on Mac computers that have the SMSID removed, run the following command to configure the client to use the new certificate:

See also