SCCM 2012 WTF moment

We’ve been migrating from SCCM 2007 to SCCM 2012 at work. One very interesting part of SCCM 2012 for us has been the support for Mac OSX that was added in SCCM 2012 SP1. We have about 70 Mac clients, I guess, on top of about 1500 Windows clients, and those 70 clients need a disproportionate amount of time to manage, not because of any problems with Mac OSX as such, but rather due to the lack of real tools available to manage a large desktop roll-out.

Please don’t tell me about Apple Remote Desktop or Profile Manager at this point. I know about ARD. I use ARD. It sucks. As does profile manager. They’re both better than nothing, but they are good examples of enterprise software that’s designed and built by people who don’t really understand enterprise requirements.

So far in our testing it’s proven very interesting. There’s something very disconcerting about seeing the SCCM client pop up on a Mac, though I suppose we’ll get used to it in time. The support for Mac OSX in SCCM is basic compared to the support for Windows clients, but this will only improve in time to be fair, and the most important bases are covered; we’ve installed packages and pushed down settings via custom .plist files with SCCM 2012 and it seems to work well enough. There are a few rough spots if you wanted to be picky but the fact that this works at all is impressive enough.

Microsoft do seem to have missed a trick by not including remote desktop viewing in SCCM 2012 for Mac clients. As the Mac desktop sharing mechanism is essentially VNC then it shouldn’t have been too difficult to add a VNC client or at least allow you to plug your own in. Oh well.

Of more concern is the lack of support for Mountain Lion. Not sure when this will be rectified but it’s a bit of a show-stopper – I think if businesses aren’t already running Mountain Lion on their Macs then they must at least be making plans to move by now.

One final, weird thing I’ll leave you with: Microsoft include a version of System Centre Endpoint Protection for the Mac in this package. Installing Microsoft AntiVirus onto a Mac is weird enough (see below) but the strangest part of this is when you first download it. It comes down from the Microsoft servers as a .msi file. When you run the .msi file, which you can only really do on Windows, it extracts a Mac .dmg file. The .dmg file then contains an installer which needs to be extracted from the .dmg so you can run it on your Macs. The intention of this is that you push it out via SCCM of course, but it still feels more than a bit strange to receive Mac software in a .msi file.

If you find that confusing to read about, just think about how it felt to my colleague Ian and me when we actually had to deal with it.

System Centre Endpoint Protection installed on a Mac

And the question of whether or not Macs need AntiVirus perhaps isn’t as clear-cut as it used to be these days, so this is quite a timely release on Microsoft’s part. Especially for people who can’t switch off well known vulnerability sinkholes like Java or Flash.

Update: My colleague, Ian, has blogged about his experiences with managing Macs via SCCM. His post contains all the technical details I’ve left out and is very well worth a read. Part 1 of his article (here) details our experience with the default SCCM client for the Mac, and Part 2 (here) will detail the results of taking up the kind offer from Carlos / Parallels in the comments below.


  1. Hi Rob. Thanks for sharing your experiences with testing the new SP1 capabilities to manage Macs. Let me know if you are interested in testing a new SCCM plug-in by my company Parallels. It works for Mountain Lion clients and it provides VNC or SSH remote connections into clients. All done via the same SCCM console you use to manage the PCs.

    1. Thanks Carlos. I’ll speak to the guy running the SCCM project and if he wants to take a look we will let you know. If Microsoft don’t get their finger out soon then we will need to do something, that’s for sure.

      1. Hi Carlos,

        I’m Ian, Rob’s colleague who is looking after the SCCM project. I would be very interested in taking you up on your offer. Can you send me details?



      2. Hi Ian,

        We have live demos twice per week, so you can take a look at how the plug-in works. We can then send you trial software to test in your environment.

        Can you please send me your contact info to, so I can get you all the needed info? Once I have your contact info, I’ll reach from my regular work email.


    1. Hi Carlos,

      Sorry, I forgot to reply to your post above.

      I’ve been in contact with the sales department at Parallels and recently had a telephone conference with one of your colleagues in the European sales department (Rudolf). He has hooked me up with an evaluation copy of the SCCM plugin and I’m working with it now. I’m working on my own blog post about it but I have to say, for the most part I like it. Thank you for alerting us to its existence!

  2. Thanks for post Rob. Also, thanks Ian for your post as well.
    I’ve read both of them, and as an experienced Mac administrator I have a question re: how SCCM is better than ARD and Profile Manager?
    I’ve been using ARD since version 1 came out, and features of Workgroup Manager prior to Profile Manager.
    Now, with roll out of Mountain Lion, I wonder what SCCM does better and what are the features you would say ARD and Profile Manager miss and/or don’t do gracefully? Some examples would be greatly appreciated.

  3. Hi Anton, I’d say that the big advantage of SCCM for us as administrators of a mixed network is the ability to use the same interface and console for managing all our clients. I know that sounds like a small thing but if you’re training helpdesk staff on how to install applications then having the same interface for both simplifies the process.

    As for improvements over ARD, etc., it might be a configuration issue with our network but I’ve never known ARD to work properly for an extended period of time – it seems to associate a particular mac client with the IP address in use at the time you ‘enrol’ the device into the ARD console and even though the client’s DNS records get updated (so, e.g. other management tools can always find the right mac client by using the hostname) this never seemed to work properly for us despite being on a network where we had an OD/AD “magic triangle” configured and working well (so presumably the network config on our mac servers and mac workstations was correct).

    SCCM, with both the standard mac client and the parallels one mentioned in the above comments (which we’re going ahead and buying), just works, with none of the drama we’ve had in the past.

  4. Hi Rob,

    Great to hear you are moving forward with using our SCCM plug-in. Out of curiosity, did you or Ian do a write up on your experience with our solution?

    1. Hi Carlos,
      Ian will be doing a write up on his blog on edugeek, we were just talking about that today in fact – he did most of the work for us so it seems fair to let him get the ‘glory’!

      I believe we’ve also agreed to act as a reference site to other uk education sites too.

    1. Thanks for the update Jon. I hope they’re a bit faster to add support for 10.9 when that appears.

      1. Hi Rob,

        FYI, at the MSFT management summit last month in Las Vegas, they committed to provide support to new OSX versions within 180 days of release.


      2. Thanks for that reply Carlos – 180 days. 6 months doesn’t sound unreasonable for a software lifecycle but on the other hand it’s between 50% and 33% of the lifecycle of the operating system if you think of Apple’s commitment to update OSX roughly once a year.

        Would it be unreasonable to ask what Parallels’ commitment is? 😉

      3. For our Desktop for Mac product, we normally support the new OSX version on day 1. Since the plug-in is a new product for us, we haven’t gone through an OSX release yet, but the expectation is for us to provide support within 30 days.

  5. Thanks Carlos. Don’t worry, I won’t be the one complaining if there isn’t an update by day 31 ;-)…

    I’ve done dev in the past and that’s actually a very impressive target turn around time. I know that Mac OSX is a major platform for you guys in a way that perhaps it isn’t quite as important to Microsoft but I’m still impressed.
