SCCM 2012 SP1 now supports the management of various types of Linux, Unix, and Mac OS X operating systems, greatly expanding the capabilities of SCCM in a mixed environment. In this example we'll install the agent on Red Hat Enterprise Linux since it is an officially supported Linux distribution and is probably one of the more common flavors in enterprise environments.
The first step is to download the agent installation files, which are not included in the SCCM SP1 installation files or the installation media. The files can be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=36212. The one we are interested in is the "SC 2012 CM SP1 RTM client for RHEL.EXE". Run the .exe when it has finished downloading and accept the License Agreement. The next screen will let you determine where to save the files. Save them to a network share since you will need to copy them onto your Linux server. When the extraction is complete you will have these files:
You will need the install file and the .tar file that corresponds to your version of Red Hat Enterprise Linux.
The Red Hat server I am using is running 64-bit RHEL 6, so I need to copy "ccm-RHEL6x64.1.0.0.4014.tar" and "install" to a location on that server. In this case I just copied them to a folder on my desktop. I installed the Gnome GUI on my Linux server to make things a little easier on myself, but everything in this guide can be done from the command line only.
Even though the installation files are now on the Linux server we aren't ready to install the agent yet. In my environment my Linux server doesn't trust my Windows PKI and the Windows servers don’t trust the Linux server, so the agent isn't going to run correctly if we run the install command right now. We need to do a little certificate legwork in order to get things working smoothly.
First, we are going to generate a certificate request on our Linux server, which can be submitted to a Windows Certificate Authority. On the Linux server open a terminal and make sure you have root permissions. You can gain root permissions by typing in the command “su” and hitting enter. It will prompt you for the root password. Next, enter this command:
- openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr -subj /CN=cncy-lin-03.concurrency.com
Change the cncy-lin-03.concurrency.com part to match the FQDN of your particular Linux server. The command writes host.key and host.csr to the terminal's current working directory. Copy the certificate request file (host.csr) to a Windows machine (I find that the certificate enrollment website doesn’t work very well on Linux browsers); host.key is the private key and stays on the Linux server.
Next, you are going to need to log into the domain-joined Windows server that will issue certificates for you, whether it’s a root or intermediate Certificate Authority. We are going to need to modify certificate templates, so make sure you have appropriate permissions to do so (Domain Admin credentials should do the trick). On the Certificate Authority, open an MMC console and add the Certificate Templates and Certification Authority snap-ins.
Make a duplicate of the Workstation Authentication template in the Certificate Templates snap-in. Give the new template an easy to remember name, like Linux Workstations.
You may want to set the validity period to be longer than 1 year.
Go to the Subject Name tab and select “Supply in the request”.
Next, go to the Security tab and make sure your user account has Enroll permissions on the template. Then click OK.
In the Certification Authority snap-in, right-click Certificate Templates, select New, and then select Certificate Template to Issue.
Find the new template in the list (under the name you gave it, e.g. Linux Workstations) and click OK. Now open a web browser and go to your CA’s enrollment webpage. In my environment it is just http:///certsrv. Click Request a Certificate under Task, and then choose Advanced Certificate Request. Choose the second option on the next screen:
You need to choose the second option because the first won't accept the type of certificate request we created on the Linux server.
Copy the contents of your .csr certificate request file by opening it in Notepad. Enter the contents in the request field and make sure you choose the correct Certificate Template. Then click Submit.
On the next screen choose to download the certificate as Base 64 encoded. Download the certificate and the certificate chain. The request response file will be named certnew.cer and the chain will be named certnew.p7b.
Copy both files to your Linux server and put them in the same directory as your host.key and host.csr files that were created when we generated the certificate request. This will make some commands a little bit simpler. Next, open a Terminal and elevate the session to root using the “su” command. Navigate in the Terminal to the directory containing all of the certificate files. Run this command to convert the .p7b file into something we can properly use:
- openssl pkcs7 -print_certs -in certnew.p7b -out certchain.cer
The next command will use openssl to create a PFX file that can be used in the installation of the SCCM agent:
- openssl pkcs12 -export -in certnew.cer -inkey host.key -certfile certchain.cer -name cncy-lin-03 -passout pass:hostcertpassword -out host.pfx
Change the cncy-lin-03 part to the short name of your Linux server. You should not use the full FQDN because the installation will fail. Also change the hostcertpassword section to whatever password you want set on the PFX file. Now we should have a file called host.pfx that we can use when installing the SCCM agent. Run this command to install the agent. The command assumes that the SCCM installation files are in the same location as host.pfx on the Linux server.
- ./install -mp fqdn.sccm-mp.domain.com -sitecode 123 -UsePKICert host.pfx -certpw hostcertpassword -httpsport 443 -NoCRLCheck ccm-RHEL6x64.1.0.0.4014.tar
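Change fqdn.sccm-mp.domain.com to the FQDN of your SCCM Management Point server, and change 123 to your SCCM site code. Also make sure that hostcertpassword is the same as what you specified in the previous command. The -NoCRLCheck switch tells the client not to check the certificate revocation list when it talks to the Management Point over HTTPS; leave it off if the Linux server can reach your CA's CRL. When this command is finished running the SCCM agent will be installed.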
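Most failed installs at this point trace back to the certificate files, so here is a pre-flight check to run in the directory holding host.key, certnew.cer, certchain.cer and host.pfx before the install command. It is an added example, not part of the original guide or of Microsoft's tooling; the function names and the PFX_PW environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Pre-flight checks for the certificate files produced in this guide.
# Added example: function names are invented, file names follow the guide.

# Does the issued certificate carry the public key of our private key?
key_matches_cert() {   # key_matches_cert host.key certnew.cer
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject CN of a certificate (should be the FQDN passed to -subj).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# A template copied from Workstation Authentication issues the Client
# Authentication EKU; openssl prints it under this name.
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Does certnew.cer chain to the CA certificates extracted from certnew.p7b?
# Consistency check only: certchain.cer itself is taken as the trust anchor.
chain_ok() {           # chain_ok certnew.cer certchain.cer
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Friendly name stored in the PFX (the guide requires the short host name).
# The PFX password is read from $PFX_PW instead of the command line.
pfx_name() {           # PFX_PW=... pfx_name host.pfx
    openssl pkcs12 -in "$1" -passin env:PFX_PW -nokeys -clcerts 2>/dev/null |
        sed -n 's/^ *friendlyName: //p'
}

preflight() {          # preflight host.key certnew.cer certchain.cer fqdn
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    [ "$(cert_cn "$2")" = "$4" ] || { echo "FAIL: subject CN is not $4"; rc=1; }
    has_client_auth "$2" || { echo "FAIL: no Client Authentication EKU"; rc=1; }
    chain_ok "$2" "$3" || { echo "FAIL: $2 does not chain to $3"; rc=1; }
    return $rc
}

if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

The same `env:` form works for `-passout` when creating host.pfx, which keeps the PFX password out of the process argument list, something `pass:` does not do.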
Open a second terminal window and run this command:
- tail -f /var/opt/microsoft/scxcm.log
This will allow you to monitor the SCCM log file. Next, go back to the original terminal window and run these two commands:
- /opt/Microsoft/configmgr/bin/ccmexec -rs hinv
- /opt/Microsoft/configmgr/bin/ccmexec -rs policy
The first of these commands will run a hardware inventory. The second command will force a policy retrieval. Return to the second terminal window you ran the tail command in. When the hardware inventory is done you will see a message stating “Inventory: Successfully sent report” and you should see messages referring to policy bodies being downloaded. After these are run the Linux server will appear in the SCCM Console and the Resource Explorer will be populated with information about your Linux server.