SCCM Mac Client Auto Enrollment Script

Since our SCCM server got updated, the old sccm mac client won’t working anymore ( needs to support El Caption), and our certificate expired as well…so basically I have to uninstall the old sccm mac client, and remove the old certificate. and then re-install the new mac sccm client and do the sccm enrollment to generate the certificate again.

At this time we already have Casper, so I just use a single shell script to do this task. here is the script:


# Download & Extract Installation Files
cd /tmp
curl -LOk
sudo unzip -o

# Uninstall current SCCM agent
sudo ./tools/CMUninstall -c

# Delete current SCCM certificates
security find-certificate -c “SCCM” -a -Z | sudo awk ‘/SHA-1/{system(“security delete-certificate -Z “$NF)}’

# Install Mac SCCM Client
sudo installer -package /tmp/CMClient.pkg -target /

# SCCM Enrollment
/usr/bin/expect << EOF

set timeout 60

spawn /tmp/tools/CMEnroll -s -ignorecertchainvalidation -u domain_name\\\username
expect “Please enter your password.”
send raw_password
expect “Successfully enrolled.”


# Delete All the temp files
sudo rm -rf tools
sudo rm -f
sudo rm -f
sudo rm -f CMClient.pkg


A few points:

1. To use expect script inside a shell script, there are a few ways to do it, I just use this format:

/usr/bin/expect << EOF





2. Inside the expect script, if you want to do the escape for the domain username, the format should be domain_name\\\username

3. If you want to enable debug mode in expect script, just add -d in the end, such as “/usr/bin/expect -d <<EOF”

4. wget is not installed by default on Macs, however we can use curl, and to download the zip file, use curl -LOk

5. To complete unisntall sccm mac client, use -c switch.

Leave a Reply