Mac client does not receive policies from Parallels Proxy and cannot be registered

Symptoms

• Mac client does not receive policies from Parallels Proxy
• Mac manual registration was successful, however, Mac is still not registered in SCCM.
• SCCM infrastructure is configured in https mode

Log

Following entries can be found in MP_RegistrationManager.log located on Management Point server (default location is C:\Program Files\SMS_CCM\Logs):

<![LOG[Begin validation of Certificate [Thumbprint 853E2EFD2C066EBB493632CEA81E5EFB13283984] issued to 'D080C83D-5903-7B44-BDE5-14B98C844962']LOG]!><time="12:51:37.499+300" date="10-19-2016" component="MP_RegistrationManager" context="Registration" type="1" thread="26428" file="ccmcert.cpp:1720">
------------------------------------------------
<![LOG[The certificate chain processed correctly but terminated in a root certificate not trusted per ConfigMgr CTL.]LOG]!><time="12:51:37.499+300" date="10-19-2016" component="MP_RegistrationManager" context="Registration" type="3" thread="26428" file="ccmcert.cpp:1478">
------------------------------------------------
<![LOG[Completed validation of Certificate [Thumbprint 853E2EFD2C066EBB493632CEA81E5EFB13283984] issued to 'D080C83D-5903-7B44-BDE5-14B98C844962']LOG]!><time="12:51:37.499+300" date="10-19-2016" component="MP_RegistrationManager" context="Registration" type="1" thread="26428" file="ccmcert.cpp:1867">

Following entries can be found in C:\Windows\Logs\pma_isv_proxy_service.log located on Parallels Configuration Manager Proxy server:

10-19 12:51:37.015 D /pma_isv_proxy_service:2240:18bc/ Got request 'CheckClientStatus' from client d080c83d-5903-7b44-bde5-14b98c844962 @ 10.10.10.84
10-19 12:51:37.031 D /AdsiWrap:2240:18bc/ IADs::Get() returned 0x8000500d (Unable to obtain message text for error -2147463155 (reason 317)) for 'dNSHostName'
10-19 12:51:37.031 D /pma_isv_proxy_service:2240:18bc/ Skip DN 'OU=Computers,DC=domain,DC=local': Unknown error
10-19 12:51:37.032 D /pma_isv_proxy_service:2240:18bc/ Updated client information from RPC request with DDR by '10.10.10.84' (server.domain.local;)
10-19 12:51:37.128 D /pma_isv_proxy_service:2240:18bc/ Could not find resource with SMSID = 'd080c83d-5903-7b44-bde5-14b98c844962'
...
10-19 12:51:37.522 D /SmsMsgApi:2240:18bc/ Registration response for message type 0: '<ClientRegistrationResponse ResponseType="Registration" TimeStamp="2016-10-19T12:51:37Z" Status="3" ApprovalStatus="-1"/>'
10-19 12:51:37.522 W /SmsMsgApi:2240:18bc/ Unable to parse registration response for message type 0: '<ClientRegistrationResponse ResponseType="Registration" TimeStamp="2016-10-19T12:51:37Z" Status="3" ApprovalStatus="-1"/>'
10-19 12:51:37.522 W /SmsResourceMgr:2240:18bc/ Registration response could not be parsed
10-19 12:51:37.522 W /CmProxyUtils:2240:18bc/ Could not reregister client 'd080c83d-5903-7b44-bde5-14b98c844962' with PKI certificate '853e2efd2c066ebb493632cea81e5efb13283984': 3
10-19 12:51:37.522 W /CmProxyUtils:2240:18bc/ Not re-registered client 'd080c83d-5903-7b44-bde5-14b98c844962' with peer certificate f1893ddb89c17299ba6336dee979d70edea109fd (PKI mode): 3
10-19 12:51:37.522 D /pma_isv_proxy_service:2240:18bc/ Sending registration status 2 to 10.10.10.84 (server.domain.local;, d080c83d-5903-7b44-bde5-14b98c844962)

Cause

Parallels Configuration Manager Proxy service fails to issue a certificate for Mac because trusted Root CA is not specified in the SCCM Console.

Resolution

1. Open SCCM Console and navigate to Administration > Site Configuration > Sites > right-click the site in the right pane > Properties > switch to Client Computer Communication tab.

2. Click Set button and add certificate of the appropriate root CA (the one that is the Root CA of Mac PKI certificates).

   

3. Uninstall Mac client.
4. Delete Mac from SCCM Console.
5. Install client and register it.