This little article covers the installation of the SCCM client on a Linux server (SCCM 1610 and Ubuntu 14.04 to be precise). Unlike Windows domain joined computers where the whole process can be completed using the SCCM console, installation on an Ubuntu client - other Debian based versions of Linux should be very similar - is a manual procedure with several steps. The main steps are as follows:
- Request and install a suitable client authentication certificate
- Copy the SCCM client installation files to the Linux servers
- Install the client using command line options
- Approve the client
- The Linux server must run a supported distribution (Ubuntu, RHEL, SUSE, Centos etc.)
- The Linux server must be within a defined SCCM network boundary. Domain joined computers use the subnets defined in Active Directory but other networks such as a DMZ segment have to be manually added as SCCM boundary networks.
- The Linux server must be able to resolve the names of the internal SCCM servers using either DNS or an entry in the server’s hosts file.
As a Linux server has no other means to authenticate to the domain joined SCCM servers, a certificate has to be installed. In a domain environment, this process is entirely automatic and a suitable certificate is installed as part of the SCCM client installation process. Outside of a domain environment, a suitable certificate has to be requested and installed before the SCCM client software installation can start. Note that the following steps can be done on a Windows computer that is joined to the domain. No need to get your hands dirty with Linux when you don't need to.
The certificate can be requested from the Active Directory certificate authority and uses a template based on the inbuilt Workstation Authentication and, for the purposes of this example, will be called SCCM Linux Certificate. This new template is similar to the one used for the domain joined computers but has two important differences.
- The name of the computer must be manually specified in the certificate request instead of being determined from information in Active Directory. Each computer will need its own certificate.
- The certificate must be manually approved by an administrator. This is done for security reasons
Subject = “CN=hostname”
MachineKeySet = True
Exportable = TRUE
KeyLength = 2048
Change the Subject line to add the name of the Ubuntu server e.g. websrv1. This should be the same as the name of the Linux server returned by the hostname command. You can use either a single label name or the FQDN of server as long as the name returned by the hostname command matches the name specified in the subject line. Save the file. In this example it has been saved as SCCMLinuxcert.inf. From an elevated command prompt on your Windows computer (you will need admin rights to do this), change to the folder that you saved the file in and type the following commands
certreq –new SCCMLinuxCert.inf SCCMLinuxCert.req
certreq –submit SCCMLinuxCert.req SCCMLinuxCert.cer
You will then be presented you with a choice of online certification authorities. Select your Active Directory certificate authority. As mentioned above, the properties of the certificate template require manual intervention by an administrator with appropriate rights. Once the certificate request has been approved, run the following command:
certreq –accept SCCMLinuxCert.cer
This will put the certificate in the store in the Windows desktop or server that you are using. This certificate now has to be exported to a pfx format so it can be used in the SCCM client installation process. Using the Certificates MMC snap in, add the current computer node as this will contain the certificate that you need to export. The certificate will be in under the Certificates – Local Computer \Certificates node and will have the name specified in the certificate request. Right click the certificate and export it as a pfx file.
Make sure that you select the options to export the key and to export the certificate chain as the SCCM client installation will fail without these options. Provide a suitably secure password when prompted. You are now ready to install the SCCM client on the workgroup computer.
Copy the latest installation files for the Linux SCCM client files (available from the Microsoft Volume Licensing website) and the exported certificate file to a folder on the Linux server e.g. /home/admin. Depending on how the Linux server has been configured, this can be done by FTP (FileZilla if you need a free graphical interface) or SSH (WinSCP if you need a free graphical interface). Connect via console or SSH to your Linux server so that you can initiate the SCCM client installation.
Note: Again depending on how secure your Linux installation is, you may need to manually grant execute rights on the install script. Do this by running the following command (all on one line):
sudo chmod +x install
Now you can execute the installation script. Substitute your sitecode and management point and fallback status point server names
sudo ./install -mp yourmp.company.com -sitecode XXX -fsp yourfsp.company.com -UsePKICert SCCMLinuxCert.pfx -certpw securepassword -NoCRLCheck ccm-Universalx64.tar
The installation can take some time to complete if the server is busy but is generally much quicker than a Windows workgroup client installation. As with all SCCM client installations, the computer can take about an hour to contact the management point and download all the policies necessary to customise its configuration although it will usually appear in the SCCM console much sooner than that. Note that it may be necessary to approve a Linux client using the SCCM console depending on how your SCCM installation was configured.