Note
The information in this topic applies only to System Center 2012 Configuration Manager SP1.

Use the information in the following sections to help you plan to deploy the Configuration Manager client for Linux and UNIX.

Planning for Client Deployment to Linux and UNIX Servers

Before you deploy the Configuration Manager client for Linux and UNIX, review the information in this section to help you plan for a successful deployment.

Prerequisites for Client Deployment

Use the following information to determine the prerequisites you must have in place to successfully install the client for Linux and UNIX.

Dependencies External to Configuration Manager:

Planning for Communication across Forest Trusts for Linux and UNIX Servers

Linux and UNIX servers you manage with Configuration Manager operate as workgroup clients and require similar configurations as Windows-based clients that are in a workgroup. For information about communications from computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager section in the Planning for Communications in Configuration Manager topic.

Service Location by the client for Linux and UNIX

Planning for Security and Certificates for Linux and UNIX Servers

For secure and authenticated communications with Configuration Manager sites, the Configuration Manager client for Linux and UNIX uses the same model for communication as the Configuration Manager client for Windows.

When you install the Linux and UNIX client, you can assign the client a PKI certificate that enables it to use HTTPS to communicate with Configuration Manager sites. If you do not assign a PKI certificate, the client creates a self-signed certificate and communicates only by HTTP.

Clients that are provided a PKI certificate when they install use HTTPS to communicate with management points. When a client is unable to locate a management point that supports HTTPS, it will fall back to use HTTP with the provided PKI certificate.

When a Linux or UNIX client uses a PKI certificate you do not have to approve them. When a client uses a self-signed certificate, review the hierarchy settings for client approval in the Configuration Manager console. If the client approval method is not Automatically approve all computers (not recommended), you must manually approve the client.

For more information about how to manually approve the client, see the Managing Clients from the Devices Node section in the How to Manage Clients in Configuration Manager topic.

For information about how to use certificates in Configuration Manager, see PKI Certificate Requirements for Configuration Manager.

About Certificates for use by Linux and UNIX Servers

Configuring Certificates for Linux and UNIX Servers

About Linux and UNIX Operating Systems That do not Support SHA-256

The following Linux and UNIX operating systems that are supported as clients for Configuration Manager were released with versions of OpenSSL that do not support SHA-256:

  • Red Hat Enterprise Linux Version 4 (x86/x64)

  • Solaris Version 9 (SPARC) and Solaris Version 10 (SPARC/x86)

To manage these operating systems with Configuration Manager, you must install the Configuration Manager client for Linux and UNIX with a command line switch that directs the client to skip validation of SHA-256. Configuration Manager clients that run on these operating system versions operate in a less secure mode than clients that support SHA-256. This less secure mode of operation has the following behavior:

  • Clients do not validate the site server signature associated with policy they request from a management point.

  • Clients do not validate the hash for packages that they download from a distribution point.

Security Note
The ignoreSHA256validation option allows you to run the client for Linux and UNIX computers in a less secure mode. This is intended for use on older platforms that did not include support for SHA-256. This is a security override and is not recommended by Microsoft, but is supported for use in a secure and trusted datacenter environment.

When the Configuration Manager client for Linux and UNIX installs, the install script checks the operating system version. By default, if the operating system version is identified as having released without a version of OpenSSL that supports SHA-256, the installation of the Configuration Manager client fails.

To install the Configuration Manager client on Linux and UNIX operating systems that did not release with a version of OpenSSL that supports SHA-256, you must use the install command line switch ignoreSHA256validation. When you use this command line option on an applicable Linux or UNIX operating system, the Configuration Manager client will skip SHA-256 validation and after installation, the client will not use SHA-256 to sign data it submits to site systems by using HTTP. For information about configuring Linux and UNIX clients to use certificates, see Planning for Security and Certificates for Linux and UNIX Servers in this topic. For information about requiring SHA-256, see the Configure Signing and Encryption section in the Configuring Security for Configuration Manager topic.

Note
The command line option ignoreSHA256validation is ignored on computers that run a version of Linux and UNIX that released with versions of OpenSSL that support SHA-256.

See Also