Well I'm stumped. I followed everything in the TechNet guide for preparing for and installing Mac clients. Setup notes:
Primary Standalone server is running non-Internet roles (MP, DP, App Catalog roles, Asset Int, SUP), and I installed a new server (VM) yesterday to serve as the server for "Internet"-facing roles: DP, MP, Enrollment Point, Enrollment Proxy Point. Certs have been issued and configured for IIS and the DP on the "Internet" server. At this stage, I do not plan to have the roles serving "Internet" clients actually available to the Internet yet - I'm mainly interested in managing Macs we own that are on our network. All servers are 2008 R2, including the root CA.
EDIT: I forgot to mention this. On the IIS cert issued for the "Internet Client" server, I specified both the internal FQDN and the external FQDN (both DNS=) for this server in the SAN. That should be ok...right?
On the Primary Site System Server, all has been well for quite some time - I'm in this server daily and I'm fairly confident that the issue lies with me having done something wrong on either the "Internet client" server, or I've failed to do something on the Mac OS X clients themselves.
I seem to have successfully installed two Mac OS X clients: one is 10.9.3, the other is 10.10. I've used the latest client for Mac OS X, which resolved that issue with needing to disable USB_Device in Hardware Inventory, and such devices are enabled for HW inv collection in my Default Client Policy. Enrollment went fine and the wizard succeeded. I also confirmed that CMEnroll worked fine and reported success on both as well. However, when I go to Connect via the System Pref item for Config Mgr, it states "Certificate Not Found" on the UI, and client log files on both Macs basically report the same issue. I will try to post some log snippets when I get back to the office later in the evening. Both the root cert and the cert I got for my user (via the wizard) are present in the System Keychain, and I even manually marked them as trusted (same behavior before and after doing this).
I've tried enrolling both again (to no avail), just to see if that would do anything. Here's a blip from EnrollmentService.log:
[7, PID:3600][12/03/2014 15:04:21] :WindowsIdentity is created for domain: bpsd user: amalcolm_ad
[7, PID:3600][12/03/2014 15:04:21] :validated user credentials
[7, PID:3600][12/03/2014 15:04:21] :Handling RequestSecurityToken
[7, PID:3600][12/03/2014 15:04:21] :claim identity name: BPSD\amalcolm_AD
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777217
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[7, PID:3600][12/03/2014 15:04:21] :Template: SCCMClientMac
[7, PID:3600][12/03/2014 15:04:21] :CA: System.Collections.Generic.List`1[System.String]
[7, PID:3600][12/03/2014 15:04:21] :The CA BPSDCORE1.BPSD.BRYANTSCHOOLS.ORG is in forest BPSD.BRYANTSCHOOLS.ORG
[7, PID:3600][12/03/2014 15:04:21] :Impersonating caller: BPSD\amalcolm_AD
[7, PID:3600][12/03/2014 15:04:21] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: CA Chains count: 1
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Subject name: CN=BPSD-BPSDCORE1-CA, DC=BPSD, DC=BRYANTSCHOOLS, DC=ORG
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Issuer Name: CN=BPSD-BPSDCORE1-CA, DC=BPSD, DC=BRYANTSCHOOLS, DC=ORG
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: CA Chains 1 thumprint: 0FF35C1367A6A094AD9E12D5FB8C3F6FEE85657D
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Got root CA hash: 0FF35C1367A6A094AD9E12D5FB8C3F6FEE85657D
[7, PID:3600][12/03/2014 15:04:21] :Impersonating caller: BPSD\amalcolm_AD
[7, PID:3600][12/03/2014 15:04:21] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: Start
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: Start, Result: Succeed
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: AuthenticationApproved
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: CertNotInADAccount
[7, PID:3600][12/03/2014 15:04:21] :Impersonating caller: BPSD\amalcolm_AD
[7, PID:3600][12/03/2014 15:04:21] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:3600][12/03/2014 15:04:21] :CALayer: Sending CA Success status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: CertNotInADAccount, Result: Succeed
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: ProcessCertificate
[7, PID:3600][12/03/2014 15:04:21] :Converted expiration date to UTC.
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: ProcessCertificate, Result: Succeed
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: entering State: PrepareProvisioning
[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: GetDBMPName: ConfigMgrIBCM.BRYANTSCHOOLS.ORG:443
[7, PID:3600][12/03/2014 15:04:21] :PrepareProvisioning: ProvisioningXML prepared successfully. Length:8010
[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: PrepareProvisioning, Result: Succeed
[7, PID:3600][12/03/2014 15:04:21] :The ES is in forest BPSD.BRYANTSCHOOLS.ORG
[7, PID:3600][12/03/2014 15:04:21] :InsertCertificateRecord: AC1151AFFB7910E7102AC461E47AE5297F2CBB3A for BPSD\amalcolm_AD
[7, PID:3600][12/03/2014 15:04:21] :Sending status message: ENROLLSRVMSG_SQL_SUCCESS
I do want to note that I was getting a 500 service error previously, but that seems to have been resolved with aspnet_iisreg (v4*) and an iisreset. All components on my Internet-facing server are green and I'm not really seeing any error messages anywhere.
Over in EnrollmentWeb.log, everything seems OK...
Found user credential in the message header for bpsd\amalcolm_ad Enrollment 12/3/2014 3:04:20 PM 7 (0x0007)
Forward client request Enrollment 12/3/2014 3:04:20 PM 7 (0x0007)
Forward server response Enrollment 12/3/2014 3:04:21 PM 7 (0x0007)
So ultimately, the agents seem to be working - client log files record screen lock / user logon activity and generally seem OK from the skimpy logs that are created by Mac clients, but it's been hours and these devices still haven't shown up in Config Mgr - not as a Mobile Device or in Devices or... anywhere. Both are bound to our AD domain, and the Mac OS X 10.10 client - which has a computer account present in an OU that I have System Discovery configured to check - does appear in the console, but it shows 'No Client'.
So...I'm a little stumped here. Do Mac clients not record policy activity in a log somewhere? Can someone offer me some leads on where I should be looking for a problem?
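Added example, not from the original post or from the Configuration Manager product: a small triage script over the EnrollmentService.log lines quoted above. It pulls out the three values the client side has to agree with (the root CA hash the enrollment service reports, the MP name and port it writes into the provisioning XML, and the thumbprint of the certificate it issued), lists every state transition whose Result is not "Succeed" so the point where the flow deviated is visible at a glance, and then checks those values against two inputs that are constructed here and are assumptions: the SAN names on the IIS cert (the post says both the internal and external FQDN were included but does not list them) and a dump in the shape printed by `security find-certificate -a -Z` on the Mac.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the EnrollmentService.log lines quoted in the post.
SAMPLE_LOG_LINES = [
    "[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: Got root CA hash: 0FF35C1367A6A094AD9E12D5FB8C3F6FEE85657D",
    "[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: Start, Result: Succeed",
    "[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover",
    "[7, PID:3600][12/03/2014 15:04:21] :EnrollmentRequestController: exiting state: CertNotInADAccount, Result: Succeed",
    "[7, PID:3600][12/03/2014 15:04:21] :ConfigManager: GetDBMPName: ConfigMgrIBCM.BRYANTSCHOOLS.ORG:443",
    r"[7, PID:3600][12/03/2014 15:04:21] :InsertCertificateRecord: AC1151AFFB7910E7102AC461E47AE5297F2CBB3A for BPSD\amalcolm_AD",
]

# Assumed SAN entries on the IIS cert (the post does not list the actual names).
SAMPLE_SAN_NAMES = ["configmgribcm.bpsd.bryantschools.org", "ConfigMgrIBCM.BRYANTSCHOOLS.ORG"]

# Constructed keychain dump in the shape of `security find-certificate -a -Z /Library/Keychains/System.keychain`.
# Only the root CA is present here, so the user cert issued during enrollment should be reported missing.
SAMPLE_KEYCHAIN_DUMP = """\
SHA-1 hash: 0FF35C1367A6A094AD9E12D5FB8C3F6FEE85657D
keychain: "/Library/Keychains/System.keychain"
    "labl"<blob>="BPSD-BPSDCORE1-CA"
"""

ROOT_HASH_RE = re.compile(r"Got root CA hash: ([0-9A-Fa-f]{40})")
MP_RE = re.compile(r"GetDBMPName: ([^:\s]+)(?::(\d+))?")
CERT_RE = re.compile(r"InsertCertificateRecord: ([0-9A-Fa-f]{40}) for (\S+)")
STATE_RE = re.compile(r"exiting state: (\w+), Result: (\w+)")


def triage(lines: List[str]) -> Dict[str, object]:
    """Extract the server-side facts a Mac client must agree with."""
    facts: Dict[str, object] = {"mp_port": 443, "transitions": [], "not_succeeded": []}
    for line in lines:
        if m := ROOT_HASH_RE.search(line):
            facts["root_ca_sha1"] = m.group(1).upper()
        elif m := MP_RE.search(line):
            facts["mp_host"] = m.group(1)
            if m.group(2):
                facts["mp_port"] = int(m.group(2))
        elif m := CERT_RE.search(line):
            facts["client_cert_sha1"], facts["client_cert_user"] = m.group(1).upper(), m.group(2)
        elif m := STATE_RE.search(line):
            state, result = m.group(1), m.group(2)
            facts["transitions"].append((state, result))
            if result != "Succeed":
                facts["not_succeeded"].append((state, result))
    return facts


def name_covered_by_san(host: str, san_names: List[str]) -> bool:
    """Case-insensitive SAN match; a wildcard covers exactly one leading label."""
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def keychain_fingerprints(dump: str) -> set:
    """Collect SHA-1 hashes from `security find-certificate -Z` style output."""
    return {m.group(1).upper().replace(":", "").replace(" ", "")
            for m in re.finditer(r"SHA-1 hash:\s*([0-9A-Fa-f: ]{40,})", dump)}


def report(lines: List[str], san_names: List[str], keychain_dump: str) -> List[str]:
    """Return findings as plain strings; an empty list means everything lined up."""
    facts = triage(lines)
    present = keychain_fingerprints(keychain_dump)
    findings: List[str] = []
    for state, result in facts["not_succeeded"]:
        findings.append(f"state {state} exited with Result: {result}")
    if "mp_host" in facts and not name_covered_by_san(facts["mp_host"], san_names):
        findings.append(f"MP name {facts['mp_host']} is not covered by the IIS cert SAN")
    for label in ("root_ca_sha1", "client_cert_sha1"):
        if label in facts and facts[label] not in present:
            findings.append(f"{label} {facts[label]} not found in keychain dump")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG_LINES, SAMPLE_SAN_NAMES, SAMPLE_KEYCHAIN_DUMP):
        print(finding)
```

To use it against a real machine, replace the constructed keychain dump with the output of `security find-certificate -a -Z /Library/Keychains/System.keychain` and the SAN list with the DNS names actually on the IIS cert; the report then says whether the root hash from the enrollment log matches the root cert the Mac trusts, whether the issued user cert is present on that Mac at all, and whether the MP name the provisioning XML hands the client is one the MP's TLS cert can answer for.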