Professional Documents
Culture Documents
This product is protected by United States and international copyright laws. The product’s underlying technology,
patents, and trademarks are listed at http://www.parallels.com/about/legal/.
Microsoft, Windows, Windows Server, Windows Vista are registered trademarks of Microsoft Corporation.
Apple, Mac, the Mac logo, OS X, macOS, iPad, iPhone, iPod touch are trademarks of Apple Inc., registered in the US
and other countries.
Linux is a registered trademark of Linus Torvalds.
All other marks and names mentioned herein may be trademarks of their respective owners.
Contents
Introduction ............................................................................................................... 8
Parallels Mac Management Features Overview................................................................. 8
About This Guide ............................................................................................................ 9
Pre-Installation Procedures .................................................................................... 10
Parallels Mac Management Component Overview .......................................................... 10
Pre-Installation Checklist ............................................................................................... 11
Installation Requirements............................................................................................... 12
General Requirements ........................................................................................................... 12
Parallels Configuration Manager Proxy Requirements ............................................................ 13
Parallels NetBoot Server Requirements ................................................................................. 14
Parallels OS X Software Update Point Requirements ............................................................. 15
Parallels MDM Server Requirements ...................................................................................... 15
The Reporting Functionality Requirements ............................................................................ 15
Communication Ports and Protocols ..................................................................................... 16
User Rights Requirements ............................................................................................. 17
Permissions for Running Parallels Proxy Configuration Wizard............................................... 17
Permissions for Running Parallels Proxy Service .................................................................... 22
Permissions for Running Parallels OS X Software Update Point............................................. 23
Configuring Configuration Manager Boundaries ............................................................. 24
Configuring Windows Firewall ........................................................................................ 25
Integrating Parallels Mac Management with PKI ............................................................. 25
PKI Integration Overview ....................................................................................................... 26
What This Section Does Not Cover ....................................................................................... 26
Creating Certificate Templates for Parallels Proxy and Mac Computers ................................. 26
Creating a Security Group ..................................................................................................... 28
Handling Expired Certificates ................................................................................................. 28
Contents
Introduction
Parallels Mac Management for Microsoft SCCM extends Microsoft System Center Configuration
Manager 2012 and 2012 R2 (or newer) with support for Mac computers. For companies that
already have Microsoft SCCM in place, Parallels Mac Management allows administrators to use
SCCM as their only system to manage both PCs and Mac.
In This Chapter
Parallels Mac Management Features Overview ........................................................ 8
About This Guide ................................................................................................... 9
Parallels Mac Management fully integrates with the Configuration Manager console, so IT
administrators can manage Mac and Windows computers using the same familiar graphical user
interface.
The guide begins with the information on how to prepare your computing environment for the
installation of Parallels Mac Management. It then describes in detail how to install and configure
Parallels Mac Management components. The guide continues with the information on how to use
Parallels Mac Management features. It concludes with appendices containing miscellaneous useful
information.
9
CHAPTER 2
Pre-Installation Procedures
This chapter describes the pre-installation steps that ensure successful installation of Parallels Mac
Management for Microsoft SCCM.
In This Chapter
Parallels Mac Management Component Overview ................................................... 10
Pre-Installation Checklist......................................................................................... 11
Installation Requirements ........................................................................................ 12
User Rights Requirements ...................................................................................... 17
Configuring Configuration Manager Boundaries....................................................... 24
Configuring Windows Firewall ................................................................................. 25
Integrating Parallels Mac Management with PKI ...................................................... 25
Pre-Installation Checklist
You can use the following checklist to help you prepare your environment for the deployment of
Parallels Mac Management for Microsoft SCCM. The Reference column contains links to topics
describing how to accomplish a corresponding tasks. Most of these topics are located in the
Installation Requirements (p. 12) and some other sections that follow this one.
Category Task Reference
General Check the requirements for supported
General Requirements (p. 12)
requirements SCCM, Windows, and OS X versions.
Parallels Proxy .NET Framework 4.0 is required .NET Framework 4.0 (p. 13)
Parallels Proxy Configure Windows Firewall Configuring Windows Firewall (p. 25)
11
Pre-Installation Procedures
Installation Requirements
Before proceeding, please read this section to learn about system requirements for installing Parallels Mac Management
for Microsoft SCCM.
The section begins with General Requirements and then describes requirements for installing individual Parallels Mac
Management components. It concludes with describing communications ports and protocols used by Parallels Mac
Management.
General Requirements
Parallels Mac Management supports Microsoft System Center Configuration Manager 2012, 2012
R2, and newer. Please make sure that you have the latest service pack and critical updates
installed.
Windows components of Parallels Mac Management follow the same system requirements as the
Microsoft System Center components.
Supported OS X Versions
12
Pre-Installation Procedures
1 Open Start > Administrative tools > Internet Information Services (IIS) Manager.
2 Navigate to Sites / Default Web Site.
3 Click the Default Web Site and double-click Authentication in the IIS section.
4 Check that Windows Authentication is enabled.
5 Click the Default Web Site and double-click Authorization Rules in the IIS section.
6 Check that authorization is allowed to all users
13
Pre-Installation Procedures
Network Configuration
For details on how your network environment should be configured, see the following KB article:
http://kb.parallels.com/118518
In addition, verify that your Mac computers have network access to SCCM site servers. Use the
traceroute command in OS X and tracert in Windows to verify network access. Access to
the following servers needs to be checked:
• The server that will host Parallels Configuration Manager Proxy
• The Active Directory server
• The Management Point role server
• The Distribution Point role server
Check the IP address of the DNS server in OS X network preferences on a Mac:
14
Pre-Installation Procedures
Additionally, the user account that you'll use to configure the Parallels NetBoot Server must have
sufficient privileges. See the following KB article: http://kb.parallels.com/117937
Depending on your network topology, you may also need to configure UDP traffic forwarding, so
DHCP broadcast packets from Mac computers can reach the DHCP server and the NetBoot
server. For the complete information about setting up the network environment for NetBoot, please
read the following KB article: http://kb.parallels.com/118518.
Please also see Communication Ports and Protocols (p. 16) for the list of ports used by NetBoot
Server.
15
Pre-Installation Procedures
Report Viewer
16
Pre-Installation Procedures
Additionally, you must enable RPC ports to allow WMI/RPC traffic to pass through. RPC ports can
be opened by enabling the Group Policy firewall exception as described below:
1 Edit the Group Policy object (GPO), which is used to manage Windows Firewall settings in your
organization. The GPO can be edited using the Group Policy Object Editor snap-in
(gpedit.msc).
2 In the GPO Editor, navigate to Computer Configuration / Administrative Templates /
Network / Network Connections / Windows Firewall.
3 Open either the Domain Profile or Standard Profile, depending on which profile you use.
4 Right-click the Windows Firewall: Allow inbound remote administration exception item and
choose Edit.
5 Select the Enabled option and click OK.
• The Parallels Configuration Manager Proxy is configured for the first time.
• The Proxy has been previously configured and you want to reconfigure it using a different user
account.
Some of the instructions apply to the first scenario only and some apply to both. Simply follow the
instructions that correspond to your configuration and skip those that don't.
Note: When creating (or choosing) a user account that you will use to configure Parallels Configuration
Manager Proxy, consider the following. If Parallel Configuration Manager Proxy and Active Directory will
run on different computers, the described permissions must be granted directly to the user or to a
custom group (not a built-in group, like Administrators) to which the user belongs. If Parallels Proxy and
AD will run on the same server, you can add the user to a built-in group.
17
Pre-Installation Procedures
1 On the computer where the SMS Provider is installed, click Start > Administrative Tools >
Component Services.
2 In the Component Services window, navigate to Console Root / Component Services /
Computers / My Computer / DCOM Config. Scroll down to Windows Management and
Instrumentation, right-click it, and then click Properties in the context menu.
3 Click the Security tab. The Launch and Activation Permissions section will have either the
Use Default or the Customize option selected depending on your server configuration.
4 If the Customize option is selected, click the Edit button, then add the user to the list and
grant the user the Remote Activation permission. You may skip the remaining steps.
5 If the Use Default option is selected, close this window and continue with the following steps.
6 In the Component Services window, navigate to Console Root / Component Services /
Computers. Right-click My Computer and click Properties in the context menu.
7 Click the COM Security tab.
8 In the Launch and Activation Permissions section, click Edit Default.
9 Add the user to the list and grant the user Remote Activation permission.
1 Open ADSI Edit by clicking Start > Administrative Tools > ADSI Edit.
2 Verify that the following container exists: DC=<domain> / DC=<com> / CN=System /
CN=ParallelsServices.
3 If the container above doesn't exist, grant the user the Create All Child Objects and Read
permissions on the CN=System container. When granting these permissions to the user, apply
it to This object and all descendant objects.
4 If the container exists, do the following:
• Make sure the user have Read, Write, and Create All Child Objects permissions on it.
• Make sure the user has the Full Control permission on the CN=ParallelsServices /
PmaConfigMgrProxy-<site-code> container.
5 Verify that the DC=<domain> / DC=<com> / CN= Program Data / CN=Parallels container
exists.
6 If the container above doesn't exist, grant the user the Create All Child Objects and Read
permissions on the CN=Program Data container. When granting these permissions to the user,
apply it to This object and all descendant objects.
7 If the CN=Parallels container exists, continue with the following steps.
8 Verify that the CN=Parallels / CN=Parallels Management Suite container exists. If it doesn't,
grant the user the Create All Child Objects and Read permissions on CN=Parallels container.
9 If the CN=Parallels / CN=Parallels Management Suite container exists, make sure that the user
has Read, Write, and Create All Child Objects permissions on it.
19
Pre-Installation Procedures
1 Open ADSI Edit by clicking Start > Administrative Tools > ADSI Edit.
2 Locate the required object:
• If you specify a user as a service account during the configuration, you should locate this
user object.
Note: The user object you select in this step must be the object of the user that will be used to run the
service, not of the user that will be used to configure it. If you'll be using the same user to configure and
to run the Parallels Configuration Manager Proxy service, then select the domain user object that you
created in previous steps.
• If you choose LocalSystem as a service account during the configuration, you should locate
the computer object you are running Proxy on.
3 Right-click the object, select Properties in the context menu, and then click the Security tab in
the user properties dialog.
4 Add the user that will be configuring the Parallels Configuration Manager Proxy to the Group or
user names list and then click the Advanced button.
5 In the Advanced Security Settings dialog, select the user that you added to the list in the
previous step and click the Edit button.
6 In the Permission Entry dialog, click the Properties tab.
7 In the Apply to drop-down list, select This object only.
8 In the Permissions list, select the Read servicePrincipalName and Write
servicePrincipalName permissions.
9 Close all dialogs.
To grant the user the right to create databases in SQL Server, assign the user to the dbcreator role
as follows:
1 Run SQL Server Management Studio by clicking Start > All Programs > Microsoft SQL
Server 2008 R2.
20
Pre-Installation Procedures
If you have previously configured Parallels Mac Management Proxy on this site, then the Parallels
Mac Management database should already exist in this SQL Server instance. To verify this, connect
to the SQL Server and look for a database named "PMM_<side-code>" (where <site-code> is your
SCCM site code). If a database with such a name exists, then perform the steps below. If the
database doesn't exist, skip to the next section.
Assuming that the "PMM_<side-code>" database exists, grant the user the necessary permissions
on it as follows:
1 In Microsoft SQL Server Management Studio, navigate to Security / Logins.
2 Right-click the user that will configure the Parallels Proxy and click Properties.
3 In the left pane, click User Mapping.
4 In the right pane, select the "PMM_<side-code>" database (select the Map checkbox) and then
select the following roles in the Database role membership list:
• db_datareader
• db_datawriter
• db_ddladmin
• db_securityadmin
• public
5 Click OK.
Note: When creating (or choosing) a user account that will be used to run the Proxy service, consider the
following. If Parallel Configuration Manager Proxy and Active Directory will run on different computers,
permissions must be granted directly to the user or to a custom group (not a built-in group, like
Administrators) to which the user belongs. If the Proxy and AD will run on the same server, you can add
the user to a built-in group.
The user configuring Parallels Configuration Manager Proxy must be a domain user. You can use
and existing domain user or you can create a new one.
The user must be a local administrator on the computer running the Parallels Configuration
Manager Proxy.
The user must have the DCOM Remote Activation permission. To grant the permission:
1 On the computer where the SMS Provider is installed, click Start > Administrative Tools >
Component Services.
22
Pre-Installation Procedures
For additional information, please see Parallels OS X Software Update Point Requirements (p.
15).
23
Pre-Installation Procedures
Note: Please make sure that you complete all of the steps described below or you will not be able to
enroll your Mac computers in Configuration Manager.
Create a Boundary
After you create a boundary, you need to create a boundary group, add the boundary to it, and
associate a site system server with the group.
24
Pre-Installation Procedures
The name and path of the Configuration Manager Proxy executable is:
To add the executables to the Windows firewall exception list, open the Windows Control Panel
and click (or double-click) Windows Firewall. Add the .exe files to the list of programs allowed
through Windows Firewall.
For the list of ports used by Parallels Mac Management for Microsoft SCCM, see Services, Ports
and Protocols (p. 16).
If you would like to integrate Parallels Mac Management with PKI, you need to complete the steps
described in the following subsections prior to installing Parallels Mac Management. If not, you can
skip this section and continue with Installing Parallels Mac Management for Microsoft SCCM
(p. 29). You can perform the PKI integration at any time later by completing the steps described in
this section and then reconfiguring Parallels Mac Management. The reconfiguration involves running
the Configuration Manager Proxy Configuration Wizard (described later in this guide) and
specifying the appropriate options on the Parallels Client certificate management settings page
of the wizard.
25
Pre-Installation Procedures
• Obtaining security certificates for assigned Mac computers from a certificate authority trusted
by SCCM.
• Securing communications between Mac computers and SCCM by using mutual authentication
and encrypted data transfers.
Parallels Mac Management supports certificate authority certificates on the following versions of
Windows:
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2 (or newer)
Note: Integration is provided for Microsoft Certificate Services only. No third-party certificate services are
supported
26
Pre-Installation Procedures
3 Right-click Certificate Templates and click Manage. The Certificate Template Console
opens.
4 In the template list, locate Web Server, right-click it and then click Duplicate Template. The
Properties of New Template dialog opens.
5 On the Compatibility tab page, select Windows Server 2008 as Certification Authority and
Windows 7 / Server 2008 R2 as Certificate recipient.
6 On the General tab page, specify a template name.
7 On the Cryptography tab page:
• Set Minimum key size to 2048.
• Set Provider Category to Legacy Cryptographic Service Provider.
• Set Algorithm to Determined by CSP.
8 On the Request Handling tab page, select the Allow private key to be exported option.
9 On the Subject Name tab page, select the Supply in the request option and the Use subject
information from existing certificates for autoenrollment renewal requests option.
10 On the Extension tab page, double-click the Application Policies extension, then click Add
and select Client Authentication from the list. Click OK and then OK again. The Client
Authentication description should appear in the Description of Application Policies list.
11 On the Security tab page, add the server that hosts Parallels Configuration Manager Proxy and
the user account under which the Proxy is running. Grant them Enroll and Autoenroll
permissions. Please note that if the Proxy is running under the LocalSystem account, then you
only need to add the computer name.
12 Click OK to close the Properties of New Template dialog.
13 Close the Certificate Template Console.
14 Back in the Certification Authority window, right-click Certificate Templates again and
choose New > Certificate Template to Issue.
15 Select the template that you created in the previous steps and click OK to enable it.
27
Pre-Installation Procedures
28
Installation and Configuration
• When Parallels Proxy needs to communicate with a Mac, it first examines the digital certificate
of the Parallels Mac Client running on it. If a certificate has expired or will expire soon, it will
automatically renew the certificate.
• Parallels Proxy will also check if the signing certificate of the currently used certification authority
matches the one used by the Parallels Mac Client's certificate. If it's not, a new certificate will be
issued for the Parallels Mac Client using the current CA.
• Parallels Proxy validates its own digital certificate at preset intervals. If a certificate is not valid, a
log entry is created in the isv_proxy_service.log file and in the Windows event log. The
relevant log entries can be viewed in the %WINDIR%\Logs\pma_isv_proxy_service.log
file and in the Windows event viewer (eventvwr) by navigating to Windows Logs > Application
and searching for "Parallels Mac Management for Microsoft SCCM" entires.
Note: Parallels Mac Management v5.0 does not support automatic renewal of the Parallels Proxy
certificate. This functionality may become available in a later version of Parallels Mac Management. For
the instructions on how to renew the certificate manually, please read
http://kb.parallels.com/en/123836.
This chapter will take you through the installation of Parallels Mac Management for Microsoft
SCCM.
Installation Overview
Parallels Mac Management for Microsoft SCCM consists of several components, which are
installed in Windows using the same installation wizard (except Parallels Mac Client, which is
installed in OS X). If you are installing the components on different servers, run it on each server and
select only the component(s) that you want installed on that particular server.
Please note that Parallels Configuration Manager Proxy must be installed on each primary SCCM
site. If you have secondary sites, you can choose from the following installation options:
• Installing Parallels Configuration Manager Proxy on the primary and secondary sites. This option
allows you to better manage bandwidth utilization between Mac computers, the distribution
point, and the management point. You must install Parallels Configuration Manager Proxy on
the primary site and then on a secondary sites (in that order).
• Installing Parallels Configuration Manager Proxy on the primary site only. If you use this option,
Mac computers will communicate directly with the Configuration Manager Proxy installed on the
primary site.
29
Installation and Configuration
Before running the installation wizard, please make sure that you have read Installation
Requirements (p. 12) for each component that you are planning to install.
When installing Parallels Mac Management for the first time, you must install at least Parallels
Configuration Manager Proxy and the Configuration Manager Console Extension (but necessarily
both on the same Windows machine). Other components are optional, so you should install them
only if you want to use the functionality that they provide. You should also decide in advance on
which servers you want to install individual components and then run the setup wizard on each
server selecting only the component(s) you want to install.
1 Run the Parallels Mac Management for Microsoft SCCM Setup Wizard.
2 Read the info on the Welcome page and click Next.
3 On the License Agreement page, read the End-User License Agreement. If agreed with the
terms, select I accept the terms in the license agreement and click Next.
4 On the Select Components page, select the components you wish to install from the following
list:
• Parallels Configuration Manager Proxy. A Windows service application that acts as a
proxy between SCCM and Mac computers. This component is required for Parallels Mac
Management to work.
• Configuration Manager Console Extension. This component consists of a set of dynamic
libraries that extend the Configuration Manager console to provide a graphical user interface
enabling you to manage Mac computers. The component must be installed on the
computer where the Configuration Manager console is running.
• NetBoot Server. Enables Mac computers to boot from a network. You need to install this
component if you plan to deploy OS X images on Mac computers.
• OS X Software Update Point. Allows you to manage Apple software updates (patches) for
OS X using the native SCCM functionality. The component must be installed on a server
where Windows Server Update Services (WSUS) is installed.
• MDM Server. Select this component if you plan to deploy and enroll new Mac computers in
SCCM using the Apple Device Enrollment Program (DEP).
• Click Next and then click Install to begin the installation.
5 Wait for the installation to finish.
30
Installation and Configuration
6 On the Setup Completed page, verify that the installation was successful. Make sure that the
Configure Parallels Mac Management for Microsoft SCCM option is selected and click
Finish to close the Setup Wizard.
In a second a two, a configuration wizard will open where you can configure Parallels Mac
Management. Each Parallels Mac Management component has its own configuration wizard
(except the Configuration Manager Console Extension, which doesn't need to be configured). For
example, if you chose to install all of the components on the same server, all configuration wizards
will automatically run one after another. As soon as you complete one wizard, the next one will
open after a short delay.
Read on to learn how to use configuration wizards to configure Parallels Mac Management
components.
To configure the Parallels Configuration Manager Proxy, complete the wizard as described in the
subsequent sections.
Prerequisites Check
The Prerequisites Check page displays a list of prerequisites for Parallels Configuration Manager
Proxy and verifies if they are met. The prerequisites include the following:
• Current user's access rights for configuring the Proxy service. If the the has insufficient right,
you cannot proceed and will need to either set the necessary rights or use a different user.
• Access rights of the user you specified in the previous step for running the Proxy service. If the
rights are insufficient, grant the rights or go back and specify a different user.
• Proxy-related Active Directory data (containers with values), which are required to configure and
run the Proxy service. If the verification indicates a failure, make the appropriate modifications to
Active Directory.
If one or more prerequisites are not met, you cannot advance to the next wizard page until you
make the necessary adjustments. The instructions are provided on the screen for each prerequisite
that's not met (you may need to scroll the list to the right to see them). You can also read the User
Rights Requirements section (p. 17) for the complete list of requirements. You don't have to quit
the wizard at this point. Simply make the required changes and then click the Rerun button. If the
fixes were sufficient (all prerequisites are met), the Next button becomes enabled and you can
continue to the next wizard page.
The options described below allow you to integrate Parallels Mac Management with Windows
Public Key Infrastructure (PKI). If you don't use PKI, you don't have to configure these options.
• The Certificate Authority field is automatically populated with the name of a Certificate
Authority (CA) detected by the wizard. To specify a CA manually, click the Browse button.
• The Parallels Proxy certificate template field is used to specify a certificate template for the
Parallels Configuration Manager Proxy. Click the Browse button to select a template. If you
followed the instructions in the Creating Certificate Templates for Parallels Proxy and Mac
Computers (p. 26) section, you should see the Parallels Proxy certificate template that you
created.
• The Mac client certificate template field is used to specify a certificate template for Mac
computers. Click the Browse button to select a template.
Note: If you are reassigning a certificate template on this site, the newly enrolled Mac computers will use
the new template. Previously assigned Mac computers will continue using the certificates that was issued
using the old template.
32
Installation and Configuration
If the Parallels Configuration Manager Proxy has already been configured not to use PKI and if there are
Mac computers assigned to the site, then the Proxy certificate will be re-issued.
Role-Based Security
The Role-based security page allows you to configure the Configuration Manager Proxy role-
based access control. The roles are created during the Parallels Mac Management installation and
include the following:
• Problem Monitor Users. Members of this role are allowed to run the Problem Monitor, view
problem reports, delete reports, and perform some other related tasks. See Using Problem
Monitoring Utility (p. 188) for more info.
• FileVault Key Administrators. This role grants read rights to the Parallels Mac Management
SQL Server database (p. 197). The database is used to store FileVault 2 recovery information
for Mac computers. Users and groups that have read access will be able to retrieve and view
the recovery keys for Mac computers in the Configuration Manager console. By default, only the
Domain Admins group is granted access to the database. The Parallels Configuration Manager
Proxy account is granted access automatically. To grant access to other users, add them to
this role.
• Administrator. Members of this role have full access to all Parallels Mac Management features.
• Enrollers. Members of this role can only enroll Mac computers in SCCM.
You can select a role and see the default users and groups for it. To remove a group, select it and
click the "-" button. To add a group or a user click the "+" button and use the standard Select
Users, Computers, Service Accounts, or Groups dialog to specify a user or a group.
Parallels Configuration Manager Proxy uses these ports to serve requests from the Configuration
Manager console and Parallels Mac Client running on Mac computers. The Proxy publishes its
current port configuration in Active Directory and the DNS so that managed Mac computers can
discover it if the port configuration changes.
The default ports that you see on the page should only be changed if they are used by some other
processes/applications running on the same server as the Configuration Manager Proxy.
33
Installation and Configuration
If you choose to participate in the program, all sites (primary and secondary) will participate. The
information about the Parallels Mac Management that you are using will be sent to Parallels once
every two weeks. Please note that no sensitive information of any kind will be collected. If you
decide not to participate in the program, you can join the program later by reconfiguring the
Parallels Configuration Manager Proxy on the primary site and selecting this option.
If you need to reconfigure the Parallels Configuration Manager Proxy later, you can run the
configuration wizard again and repeat the steps described above. After you update the Proxy
configuration, the Configuration Manager Proxy service must be restarted for changes to take
effect.
To configure the Parallels NetBoot server, complete each wizard page as described below.
On the SMS Provider location page, specify the hostname or IP address of the server where the
SMS Provider is installed. If the SMS Provider and the NetBoot server are installed on the local
server, select the Local server option. If the SMS Provider is installed on a different server, select
the Remote server option and enter the server hostname or IP address.
On this page, specify a user account for running the NetBoot service:
• The account must have read/write access to the SMS Provider.
34
Installation and Configuration
• Select the Local System account option to use the standard Windows LocalSystem account.
• Select This account to specify a domain account or a local user account.
• In the Password field, specify the account password.
The LocalSystem account is normally used when the SMS Provider is located on the same server
as the NetBoot service. A specific account may also be used to manage access rights of the
NetBoot service. When running on different computers, the NetBoot service must have DCOM
Remote Activation permissions. Permissions on the WMI namespace can be set using Server
Manager > Configuration > WMI Control snap-in. Permissions for DCOM remote activation can
be set via dcomcnfg.exe on a computer where the SMS provider is running.
Specify a folder where the NetBoot server will store .dmg images.
Configuration progress
The Configuration progress page display the progress bar while the NetBoot server is being
configured. Once the process is complete, review the result of each operation and click Finish to
exit the wizard.
If you need to reconfigure the Parallels NetBoot Server later, you can run the configuration utility
again and repeat the steps described above.
35
Installation and Configuration
You can also run the wizard manually by navigating to Apps > Parallels and double-clicking MDM
Service Configuration Utility.
To configure the component, complete the wizard as described in the subsequent sections.
36
Installation and Configuration
• Import SSL certificate from file. To import a certificate from a file, select this option and then
click Browse to select the file. If the certificate file is password-protected, specify the password
in the field provided.
APNs Certificate
Parallels Mac Management uses push notifications for MDM functions, such as Parallels Mac Client
push installation and some others. To enable push notifications, you need to obtain a corporate
APNs push certificate and make it available to the MDM server.
The APNs Certificate page gives you the three options of specifying a certificate described below.
Please note that depending your selection, the wizard will go to a different page when you click
Next.
The Generate an APNs Certificate wizard page opens after you select the Generate a new APNs
certificate option on the APNs Certificate page (described in the previous section) and click Next.
An APNs certificate must be obtained on the Apple Push Certificates Portal. To obtain it, you need
a certificate signing request (CSR) signed by Parallels. The first page of the Generate an APNs
Certificate wizard gives you the following two options to obtain a CSR signed by Parallels:
• Obtain a CSR from Parallels automatically. This option allows you to obtain a signed CSR
from Parallels right from this wizard. You can only use this option if your local server can access
the Parallels certificate signing service (pmm.parallels.com) over the Internet. If your local server
has unrestricted Internet access, you can use this option. If your Internet access is limited to
certain domains, you may add pmm.parallels.com to the allowed domain list (if your security
policy allows it).
37
Installation and Configuration
License key: When using the automatic CSR option, you must also specify your Parallels Mac
Management license key in the field provided.
• Save the CSR file locally and then sign it using the Parallels certificate signing service.
This option allows you to save a CSR file locally and then sign it on the Parallels certificate
signing service manually. Select this option if your local server can't access the Parallels
certificate signing service (pmm.parallels.com) over the Internet.
After making your selection, click Next to continue. Depending on the option selected, please read
the corresponding subsection below.
When you select this option and click Next, the configuration wizard will do the following:
1 Create a CSR and an associated private key.
Important Note: The private key associated with this CSR will NOT become available to Parallels.
2 Connect to the Parallels certificate signing service over the Internet and sign the CSR with
Parallels' own MDM Signing Certificate.
3 When the signing process is complete, the next page opens where you can specify a local
folder where you want to save the signed CSR file and the private key.
4 Once the CSR file is saved, another page opens with instructions to proceed to the Apple Push
Certificates Portal. DO NOT click Next yet and do the following:
a Open the Apple Push Certificates Portal in a web browser and log in using your Apple ID
and password.
b Upload the signed CSR file.
c Download the created APNs certificate file named “MDM_<VendorName>_Certificate.pem”.
5 Back in the wizard, click Next to proceed to the page where you can upload the APNs file to
the MDM server. Click Browse to browse for a target folder.
6 When done, click Next to upload the APNs file and proceed to the Prerequisites Check page
(p. 39).
Save the CSR file locally and then sign it using the Parallels certificate signing
service
When you select this option and click Next in the step described in the beginning of this section,
the the following will happen:
1 The configuration wizard creates a CSR and an associated private key.
Important Note: The private key associated with this CSR will NOT become available to Parallels.
2 A page opens where you can specify a local folder for saving the CSR and the private key files.
Specify the folder and click Next.
38
Installation and Configuration
3 Another page opens with instructions on how to proceed with signing the CSR and obtaining
an APNs certificate from Apple. DO NOT click Next yet and do the following:
a Visit Parallels My Account at https://account.parallels.com. Sign in using your Parallels My
Account email address and password (if you don't have an account, you must register for
one first).
b Once signed in, navigate to Parallels Mac Management > MDM Certificate Signing
Request.
c Follow the instructions on the MDM Certificate Signing Request page and upload the
CSR file that you saved in step 2 above. When instructed, download the signed CSR to
your local server.
d Open the Apple Push Certificates Portal in a web browser and log in using your Apple ID
and password.
e Upload the signed CSR that you obtained from Parallels My Account earlier.
f Download the created APNs certificate file named “MDM_<VendorName>_Certificate.pem”.
4 Back in the wizard, click Next to proceed to the page where you can upload the APNs file to
the MDM server. Click Browse to browse for a target folder.
5 When done, click Next to upload the APNs file and proceed to the Prerequisites Check page
(p. 39).
Prerequisites Check
Verify that all of MDM server requirements are met. The requirements that are checked on this page
are as follows:
• Ports for incoming connections that you specified for this MDM server must not be used by any
other program or service.
• The specified web server certificate must be issued to the current host and must not be
expired.
• The specified APNs certificate must be valid and not expired at the time of verification.
• The MDM server must be able to connect to APNs. See the Certificates Requirements
subsection in Parallels MDM Server Requirements (p. 15) for details.
If one or more of the requirements are not met, you have to resolve any issues before proceeding. If
an issue can be resolved on one of the wizard pages, click Back to go to that page. If it's an
external issue, correct it and click Rerun to perform the validation again.
39
Installation and Configuration
For the complete information about enabling and using the DEP functionality in Parallels Mac
Management, please read the Apple Device Enrollment Program section (p. 172).
If you experience difficulties accessing Mac computers from the Configuration Manager console,
verify that certificate permissions are valid for the account that you use to run the Parallels
Configuration Manager Proxy service.
To verify that the Configuration Manager Proxy service account has permissions to
read the certificate private key
1 Open the Microsoft Management Console (MMC) from the Start menu by clicking Run and
then typing "mmc".
2 In the File menu, select Add/Remove Snap-in...
3 In the Add or Remove Snap-ins dialog, find and select Certificates in the Available snap-ins
list. Click Add.
4 In the Certificate snap-in dialog, select Computer account and then select Local computer.
5 Click OK in the Add or Remove Snap-in dialog.
6 In the snap-in tree, navigate to Certificates (Local Computer)\Personal\Certificates and
expand it to view the available certificates.
7 Make sure that the Configuration Manager Proxy certificate exists. If it doesn't, run the
Configuration Manager Proxy configuration utility.
40
Installation and Configuration
8 Right-click the Configuration Manager Proxy certificate, point to All Tasks, and then click
Manage Private Keys.
9 In the Permissions for Configuration Manager Proxy private keys dialog, verify that the user
(or a group to which the user belongs) has Read access to the certificate's private key.
To export a certificate:
To import a certificate:
42
Installation and Configuration
17 Mac computers will automatically discover the new Parallels Configuration Manager Proxy and
will update their own local Proxy connection records. For more information, please see
Updating Proxy Connection URL (p. 68).
To run the uninstaller, go to Control Panel > Programs > Uninstall a program and uninstall the
Parallels Mac Management for Microsoft SCCM program. If Parallels Mac Management
components are installed on different servers, you need to uninstall each component individually.
When done, install the new version of Parallels Mac Management for Microsoft SCCM. Please note
that after upgrading Parallels Mac Management, you need to upgrade the Parallels Mac Client on
each managed Mac. See Upgrading Parallels Mac Client (p. 69) for more information.
43
CHAPTER 3
This chapter explains how Parallels Mac Management licensing works and how to obtain a license
and use it to activate a Parallels Mac Management installation.
You can read more about Parallels Mac Management licensing in the Parallels Mac Management
for Microsoft SCCM Licensing Guide, which is available for reading and downloading on the
Parallels website.
In This Chapter
Parallels Mac Management Licensing ..................................................................... 44
Activate Parallels Mac Management ........................................................................ 51
You license Parallels Mac Management with a prepaid subscription, which works as follows:
• A subscription is purchased for a predefined period of time.
• A subscription can include any number of individual licenses (the maximum number of Mac
computers that you can manage).
• Support is included in the cost of the subscription.
No matter how many licenses in your subscription, you'll receive a single license key. A license key
can be used to activate a single installation of Parallels Mac Management. If you need to activate
several Parallels Mac Management installations to work simultaneously, you need multiple license
keys.
Purchasing a Subscription
To purchase a Parallels Mac Management subscription, please contact the Parallels Sales team or
a Parallels Partner/Reseller.
Licensing and Activation
You can create an account for your company or organization when you first register with Parallels
My Account, or after you already created a private account.
If you are a new customer and don't have a Parallels account yet, you can create one for yourself
and your organization as follows:
45
Licensing and Activation
3 Select the I represent a company or an organization option. This step is required to create a
business account for your organization.
4 Specify your personal and your company info (all fields are required) and click Create Account.
This creates an account for you personally and a business account for your organization to which
you are assigned as the account administrator. When you log in to your account using you email
address and password, you can manage personal and business products from the same account.
If you already have a personal Parallels account, follow these steps to create a business account
for your organization:
46
Licensing and Activation
2 Click next to your user name to open a side menu. If the Dashboard page is not already
displayed, click Dashboard in the side menu.
3 On the Dashboard page, click Create a business account in the Quick Actions section.
4 A message box opens with an explanation of what a business account is. Read it and then click
Proceed.
5 In the Registering a Business Account dialog, type the name of your organization and then
specify your country, state/city (if applicable), ZIP or postal code, and your business phone
number.
47
Licensing and Activation
A business account is created for your organization to which you are assigned as the account
administrator. When you log in to your personal account, you can manage personal and business
products from the same account.
Register a Subscription
To register your subscription in Parallels My Account:
2 Click next to your user name to open a side menu. If the Dashboard page is not already
displayed, click Dashboard in the side menu.
3 Click the Register a license key link in the Quick Actions section. The Register a License
Key page opens.
You can also open this page by expanding Subscriptions and Licenses section in the side
menu, then clicking Corporate Subscriptions, and finally clicking the Register a License Key
link.
4 Type the license key that you received with your subscription and click Register.
5 When your license key is registered, you will see a confirmation message.
48
Licensing and Activation
6 If you would like to view your subscription information, click the Open Corporate
Subscriptions button. This will open the Subscription Details page where you can view the
information.
Your subscription is now registered and your license key can be used to activate the Parallels
product to which it applies.
Creating a sublicense
To create a sublicense:
1 In the side menu, expand Subscriptions and Licenses and click Corporate Subscriptions.
2 If you have more than one Parallels product registered, select Parallels Mac Management in the
drop-down list and then click a subscription for which you want to create a sublicense.
3 On the Subscription Details page, click Details in the Products section.
4 On the Product Details page, click Create a Sublicense.
5 The New Sublicense dialog opens.
6 Type a sublicense name.
7 Specify the number of licenses to allocate to this sublicense.
8 In the Expires section, select one of the following:
• With the subscription. The sublicense will have the same expiration date as the
subscription.
• On date. Specify a desired expiration date.
9 Click Create to create a sublicense.
49
Licensing and Activation
10 The New Sublicense dialog opens where you can review the created sublicense. Note the
License Key property. This is the key that was automatically assigned to this sublicense. You'll
need it to activate a Parallels Mac Management installation. You can copy or write it down now
or you can do it later.
11 Click Close to close the New Sublicense dialog.
12 The sublicense appears on the Product Details page in the Sublicenses section.
The first row in the table always displays the primary license key. This is the same key as the one
displayed in the Product Details section above the Sublicenses section. The key is included in
this table for you to easily see in one place how your licenses are distributed between your primary
key and sublicenses.
Modifying a sublicense
To modify a sublicense, click the Edit link on the same row. This opens the Edit Sublicense dialog.
You can modify any of the sublicense properties except the license key.
Please note that if you want to decrease the number of licenses in a sublicense, you have to make
sure that no active Mac computers will be affected in the corresponding SCCM site. If the number
of individual licenses in a sublicense falls below the number of active Mac computers, you will lose
the ability to manage some of them.
Deleting a sublicense
To delete a sublicense, click the Edit link and then click the Delete button. You should only delete
a sublicense if you never used it to activate Parallels Mac Management or if you deactivated the
corresponding Parallels Mac Management installation prior to deleting the sublicense.
50
Licensing and Activation
You can use the online or the offline activation method. The method you choose depends on the
following:
• If the server on which you have Parallels Proxy installed has limited or no Internet access, you
must use the offline activation method.
• If the server has Internet access, you can use the online activation method.
The subsequent sections describe each method in detail.
Activate Online
Note: During online activation, Parallels Proxy needs to communicate with the Parallels Licensing Server
at https://pmm.parallels.com. You need to make sure that the Parallels Proxy server can access this
resource. If this requirement cannot be met, you will have to use the offline activation method as
described in the section that follows this one.
51
Licensing and Activation
Activate Offline
If the server on which you have Parallels Proxy installed has limited or no Internet access, you can
use the offline activation method described below.
Important: Before using offline activation, you must contact your Parallels sales representative or a sales
engineer and request to enable this functionality in Parallels My Account. By default, this functionality is
disabled.
9 Once signed in, click next to your user name to open a side menu.
10 In the side menu, expand the Parallels Mac Management section and click Offline Activation
and Validation.
11 On the Offline Activation and Validation page, submit the offline activation request file you
saved earlier.
12 Follow the instructions and download the license activation file.
13 Go back to the Configuration Manager console. In the Parallels Mac Management - Activate
License dialog, click Browse and select the license activation file you've obtained from
Parallels My Account.
14 Click Next. Your license information is displayed on the screen. Review the information and
click Activate.
15 On successful activation, the display value of the License status column in the Licenses list in
the SCCM console changes to Activated.
Your Parallels Mac Management installation is activated and the activation information is added to
your Parallels My Account.
52
Licensing and Activation
Note: If you activated Parallels Mac Management using the offline activation method, you need to
synchronize the local license information with Parallels My Account using the offline refresh method as
described in the following subsection.
The Refresh button on the Parallels Mac Management - License Information dialog allows you
to retrieve the current license information from the Parallels Licensing Server to reflect possible
changes to your subscription. Normally, this update is done automatically every 24 hours if the
server on which the Parallels Proxy is running has Internet access. By clicking the Refresh button,
you can retrieve this information at any time. This functionality is useful when, for example, you
upgrade your subscription to have more licenses and want the licenses to become available in your
Parallels Mac Management installation without waiting for the automatic refresh to happen.
If the server on which Parallels Proxy is running has Internet access, simply click the Refresh
button to update the license information. If the server has limited or no Internet access, read the
following subsection.
53
Licensing and Activation
If the server hosting Parallels Proxy has limited or no Internet access, you must use the offline
refresh method by following these steps:
1 Click Refresh.
2 If this Parallels Mac Management installation was activated using the offline method, you will
first be asked to save the offline request file.
3 After you save the file, you'll be asked to specify the file containing the latest subscription
information. You must obtain this file from Parallels My Account. Don't close this dialog (you will
return to it later).
4 Visit https://account.parallels.com and sign in using your email address and
password.
5 Once signed in, click next to your user name to open a side menu.
6 In the side menu, expand the Parallels Mac Management section and click Offline Activation
and Validation.
7 On the Offline Activation and Validation page, specify the offline request file you saved earlier.
8 Follow the instructions and download the subscription information file.
9 Go back to the Configuration Manager console and select this file.
10 Your local subscription information is updated with the latest information from the file you've
obtained from Parallels My Account.
• To stop receiving alerts in the Configuration Manager console or the Problem Monitor, remove
the excess Mac computers from SCCM.
• If the Parallels Mac Management installation was activated using a sublicense, you can add
more licenses to it in Parallels My Account. To do this, you must have unused licenses in the
subscription.
• If you used the master license key to activate Parallels Mac Management, then it means that
you don't have any licenses left and need to upgrade your subscription (i.e. buy more licenses).
Depending on whether you activated Parallels Mac Management using the online or the offline
activation method, the deactivation will be performed using the same method.
55
Licensing and Activation
8 Once signed in, click next to your user name to open a side menu.
9 In the side menu, expand the Parallels Mac Management section and click Offline Activation
and Validation.
10 On the Offline Activation and Validation page, specify the offline deactivation request file you
saved earlier.
Parallels Mac Management is now deactivated and the license key can be used to activate a
different installation.
56
CHAPTER 4
Parallels Mac Client is a software for Mac that enables communication between a Mac computer
and the Parallels Configuration Manager Proxy. Before you can manage a Mac computer in SCCM,
you need to install Parallels Mac Client on it and enroll the Mac in Configuration Manager.
In This Chapter
Installation Options Overview .................................................................................. 57
Installing Parallels Mac Client Using Discovery Methods .......................................... 58
Running Parallels Mac Client Installer on a Mac ....................................................... 64
Installing Parallels Mac Client Using a Script ............................................................ 65
Push Install or Update Parallels Mac Client .............................................................. 66
Configuring the Firewall .......................................................................................... 67
Verifying Parallels Mac Client Deployment ............................................................... 68
Updating Parallels Proxy Connection URL ............................................................... 68
Uninstalling Parallels Mac Client .............................................................................. 69
Upgrading Parallels Mac Client ............................................................................... 69
Using Parallels Mac Client Tools ............................................................................. 71
Parallels Network Discovery can discover any Mac on your network. Active Directory System
Discovery can discover domain joined Mac computers. You can use one of the methods or both
depending on your situation. For example, if all your Mac computers are domain joined, you can
use SCCM AD System Discovery. If some (or all) of your Mac computers are non-domain joined,
you can use Parallels Network Discovery to discover these Mac computers.
If you want to use a domain account to push install Parallels Mac Client, you need to grant
administrative privileges to it on a Mac. You can do this as follows:
1 Open System Preferences > Users & Groups and click Login Options at the bottom of the
left pane.
2 In the right pane, click Network Account Server: Edit...
Please note that if the button says "Join..." (not "Edit") then this Mac is not a member of a
domain, so the following instructions will not work.
3 In the dialog that opens, click Open Directory Utility.
4 On the Services tab page of the Directory Utility dialog, select Active Directory and then
click the pencil icon to edit the settings.
5 In the dialog that opens, click Show Advanced Options and then click the Administrative tab.
6 Select the Allow administration by option and add the desired domain user or group to the
list. Remember the account as you will use it later to configure the client push installation.
7 Click OK to save the changes and then close all dialogs.
58
Parallels Mac Client Deployment
If you have Mac computers that are not members of a domain (or if you don't want to use a domain
account for any reason), you need to create a local OS X user with administrative privileges. To add
a user, open System Preferences > Users and Groups, click the plus-sign icon, select
Administrator and specify the user information. Remember the user name and password as you
will use it later to configure the client push installation.
Parallels Configuration Manager Proxy will connect to Mac computers over SSH, so you need to
enable SSH access on each Mac. To do so:
When creating local accounts or granting permissions to domain accounts on multiple Mac
computers, you can set up the same account on all of them. This way you can configure Parallels
Proxy to use the same account name and password to log into every Mac. However, if you want to
use multiple accounts, you can do that too. For example, you can use one account on a certain
group of Mac computers and another on a different group. Parallels Proxy will try every account
that you configured, one by one, until a connection with a Mac can be established. Adding the
account information to the push installation configuration is described later in this section.
59
Parallels Mac Client Deployment
2 Click the Mac Client Push Installation toolbar item (or right-click on the site and choose
Parallels Mac Client Push Installation). This opens the Parallels Mac Client Push
Installation Properties dialog.
3 On the General tab page, select the Enable automatic site-wide client push installation
option.
4 Specify one or more collections containing Mac computers to which you'll be push installing
Parallels Mac Client. The Install client to all Mac OS X Systems option covers all Mac
resources in every collection. The second option allows you to select one or more specific
collections.
5 Select the Accounts tab and then click the New icon to specify an account that will be used to
push install Parallels Mac Client on discovered Mac computers. This can be a domain account
or a local Mac account. See Enabling Remote Access on Mac Computers (p. 58) for the
information on how to configure the accounts.
6 Click OK to save the Parallels Mac Client push installation properties.
Once the push installation properties are configured, Parallels Proxy will begin monitoring the
system for discovered Mac computers. If you already have Mac resources in SCCM that don't have
Parallels Mac Client installed, Parallels Proxy will identify these resources as Mac computers and
will try to push install Parallels Mac Client on them. Newly discovered Mac computers will also be
identified and the client will be push installed on them as well. The following sections describe how
to configure and run Parallels Network Discovery and provides additional information about SCCM
Active Directory System Discovery.
60
Parallels Mac Client Deployment
General
Accounts
On the Accounts tab page, click the provided link to open the Parallels Mac Client Push
Installation Properties dialog. If you haven't configured these properties yet, please refer to
Configuration Parallels Mac Client Push Installation Properties (p. 59) for more information.
61
Parallels Mac Client Deployment
Boundaries
On the Boundaries tab page, specify the Configuration Manager boundaries to search. You can
use boundaries as a search option together with the options on the Subnets tab page. Searching
boundaries should be the primary method. If you haven't configured boundaries and boundary
groups in SCCM, you need to do it as described in the Configuring Configuration Manager
Boundaries section (p. 24).
• Boundary Groups — Lists boundary groups. Highlight a group to view its member boundaries
in the list below it. To include the entire group in a discovery search, select the checkbox in
front of the group name.
• Boundaries — Lists boundaries that belong to the highlighted boundary group. Select the
boundaries to include in a discovery search.
• Filter — Allows you to specify a filter for the Boundaries to search lists. You can type any part
of the text that might appear in the boundary's name, type, or description.
Subnets
On the Subnets tab page, you can specify the subnets to search:
1 Select Search local subnets if that's what you want to do. To search other subnets (in
addition to or instead of local subnets), click the New icon and then enter the Subnet and
Mask information. Make sure that the Enable subnet search checkbox is selected and then
click OK.
2 On the Schedule tab page, click the New icon to set a schedule for running discovery. The
Custom Schedule dialog opens.
3 Set the start date and time for a discovery run.
4 Set the discovery duration. This setting specifies the maximum length of time for a discovery
run. If all resources are discovered before this time is up, the run will continue with minimal
network traffic. If the run doesn't complete before this time, only the resources already
discovered will be included in the result.
5 In the Recurrence pattern group box, select how this schedule will recur. The following
choices are available:
• None: The scheduled run is a one-time-only event.
• Weekly: The scheduled run will occur weekly at the same start time.
• Monthly: The scheduled run will occur monthly at the same start time.
• Custom Interval: The scheduled run will occur at a custom interval set by the administrator.
When done, close all dialogs to save the Parallels Network Discovery configuration settings.
62
Parallels Mac Client Deployment
1 When discovery finds a Mac, it will add it to SCCM as a resource and will continue searching
the network.
2 Parallels Proxy will then connect to the Mac over SSH and will push the Parallels Mac Client
installation package to it.
3 The installer will install Parallels Mac Client on the Mac and then enroll it in Configuration
Manager.
In a situation when a discovered Mac has Parallels Mac Client already installed, the following
scenarios will be considered:
• If the client is registered with a different Parallels Configuration Manager Proxy, but reports the
same Configuration Manager site code as the current site, the client is re-registered with the
current Configuration Manager Proxy and the Mac remains to be managed on the current site.
This scenario may occur when you re-install the Configuration Manager Proxy on your
Configuration Manager site (e.g. install in on a different computer).
• If the client is registered with a different Parallels Configuration Manager Proxy and reports a
different site code, the client registration will remain the same and the Mac will be ignored by
Network Discovery. This situation may occur when a Mac computer (e.g. a laptop) is managed
by Parallels Mac Management in one organization and is brought in to another organization that
also uses Parallels Mac Management to manage their Mac computers. The site code
comparison allows you to prevent a situation when a Mac is added by mistake to a wrong
Configuration Manager site.
The discovered Mac computers are placed into the All Mac OS X Systems collection. Please note
that if you have secondary sites, Mac computers within their scope will be placed into the same All
Mac OS X Systems collection on the primary site. For more information, see Collections in
Parallels Mac Management (p. 76).
Note: Please note that for Parallels Mac Management to push install Parallels Mac Client on Mac
computers discovered by AD System Discovery, the push installation properties must be configured as
described in the Configuring Parallels Mac Client Push Installation Properties section (p. 59).
63
Parallels Mac Client Deployment
First, you need to download the Parallels Mac Client installer to the Mac:
1 Make sure that the Parallels Configuration Manager Proxy service is installed and running.
2 Log into the computer running the Configuration Manager console.
3 In the Configuration Manager console, navigate to Administration / Overview / Parallels Mac
Management / Mac Client Enrollment.
4 In the Mac Client Enrollment list, right-click the Mac Client installation package download
URL item and then click Properties in the context menu.
5 Copy the URL from the Mac Client Installer URL field and give it to the Mac user (e.g. email it).
The URL will look similar to the following:
http://myhost.local:8761/files/pma_agent.dmg
6 The Mac user enters the URL into a Web browser to download the pma_agent.dmg image.
If you close the wizard without completing the enrollment, it will run automatically at predefined
intervals (5-10 minutes) and every time you restart the Mac. To stop this from happening, either
resolve the problem and enroll the Mac or uninstall Parallels Mac Client (p. 69).
5 If firewall is enabled in OS X, a message will be displayed asking you if pma_agent.app
should be allowed to accept incoming connections. Click Allow. This will add
pma_agent.app to the firewall exception list.
1 On the computer running Parallels Configuration Manager Proxy, navigate to the C:\Program
Files (x86)\Parallels\Parallels Mac Management for Microsoft
SCCM\files directory.
2 Locate the InstallAgentUnattended.sh file and copy it to a Mac. Copy the file to a Mac.
Alternately, you can use Apple Remote Desktop to run the script on a Mac remotely.
3 Please note that you must use sudo to run the script because enrolling a Mac in Configuration
Manager requires superuser privileges.
When you run the script, provide the following parameters (in the order listed):
• agent_download_url — the URL of the Parallels Mac Client installer. The URL can be
obtained in the Configuration Manager console as described in Manually Installing
Parallels Mac Client.
• user_name — specifies the name of a domain user account that will be used to register
Parallels Mac Client with the Configuration Manager Proxy. Please note that that the name
must contain the domain logon name (e.g. UserName). It must NOT contain a domain name
separated by a slash or an at (@) sign.
• user_password — the domain user password.
• domain_name — your company's domain name.
65
Parallels Mac Client Deployment
Example:
$ sudo ./InstallAgentUnattended.sh http://myhost.local:8761/files/pma_agent.dmg
myname mypass mydomain
If you receive the "Permission denied" error when executing the script, run the following
command to set the file permissions and then execute the script again:
$ chmod 755 InstallAgentUnattended.sh
If you wish, you can hard code the URL, user/password, and the domain parameter values in the
script, so you (or the Mac user) won't have to enter them in the command line. To hard code the
parameter values, open the script in an editor and change the values of the input parameters from
$1, $2, $3, $4 to the desired values. The parameter names in the script are self-explanatory. Once
the script is ready, give it to your Mac users, so they can execute it on their Mac computers, or use
Apple Remote Desktop to execute it on Mac computers remotely.
When the script runs on a Mac, it displays the information in the console about the processes that
its running. When the script completes executing, it returns a numeric code. To see the return
code, run the following command after the scrip finished executing:
$ echo $?
The "0" code returned by the above command indicates that Parallels Mac Client has been installed
and registered properly. Any other code indicates a failure (you can also read the last messages in
the console to get an idea of what went wrong).
5 Click Next.
6 On the second page of the wizard, specify what to do if Parallels Mac Client is already installed
on a Mac. The following options are available:
• Install Parallels Mac Client if it is already installed. If you select this option, Parallels Mac
Client will be re-installed on a Mac over the existing installation. If you clear this option,
Parallels Mac Client will not be re-installed unless the push installation process finds a re-
installation necessary due to a problem of some sort.
• Uninstall the existing Parallels Mac Client before installation. This option becomes
enabled only if you select the option above. If selected, Parallels Mac Client will first be
uninstalled from a Mac and then a fresh installation will be performed. Note that during the
uninstallation, the existing Parallels Mac Client state (policies received, software installation
states, etc.) will be lost. If this option is cleared, the Parallels Mac Client state will be
preserved.
7 Click Next.
8 A dialog opens displaying the progress (number of processed Mac computers). To see more
information, click Details. To hide the dialog and continue the operation, click Hide. To cancel
the operation, click Cancel.
1 From the Apple menu, select System Preferences. The System Preferences dialog opens.
2 Select Security & Privacy and then click the Firewall tab.
3 If the firewall is running, the green light indicator will be "on" and its label will read "Firewall: On".
4 Click Advanced.
5 Click the + icon. The Mac directory tree dialog opens.
6 In the directory tree, navigate to the /Library/Parallels folder and select the
pma_agent.app file.
7 Click Add and then click OK.
8 Close the System Preferences window.
67
Parallels Mac Client Deployment
To see if a Mac has Parallels Mac Client installed and running on it, look at the Client and Client
Activity properties, which should say "Yes" and "Active" respectively. If the Client property says
"No", it means that the Mac cannot be managed in SCCM because Parallels Mac Client is not
installed on it. If the Client Activity property says "Inactive", the Mac may be turned off,
disconnected from the network, or it may have some other issues that prevent the Configuration
Manager to communicate with it.
Parallels Mac Client running on a Mac connects to the Parallels Configuration Manager Proxy using
the connection URL that it obtains from the Active Directory during the Parallels Mac Client
installation. If at some point the client fails to establish a connection with the proxy, it will try to
recover the connection as follows:
1 First, it will try to access DNS records for the location of the Configuration Manager Proxy. If it
finds the new connection URL in DNS, it will use it to connect to the Configuration Manager
Proxy.
2 If the location cannot be found in DNS at this time, the client will keep trying to connect to the
Proxy and to find the new location in DNS for a period of one week.
3 If after a week the connection still cannot be establish, a dialog box will be displayed in OS X
asking the Mac user to enter the Active Directory credentials. The client will then connect to the
Active Directory and try to retrieve the Configuration Manager Proxy connection URL from it. If
succeeded, the client will use the URL to connect to the Configuration Manager Proxy. If it fails
again, it will display an error message to the Mac user advising them to contact the system
administrator.
For additional information about migrating the Configuration Manager proxy to a different server,
please see Migrating Configuration Manager Proxy (p. 41).
68
Parallels Mac Client Deployment
You can also run the Parallels Mac Client uninstaller in interactive mode as follows:
After Parallels Mac Client is uninstalled, the Mac will remain in the Configuration Manager database
but its management will not be possible. You can reinstall the client on the Mac later to restore
management functions.
To use this functionality, the Automatic Parallels Mac Client Upgrade option must be enabled in
the Configuration Manager console as described below:
3 Click the Automatic Mac Client Upgrade tab and select the Upgrade client automatically
when new client updates are available option.
After you enable this option, Parallels Mac Client running on a Mac will begin to periodically check
whether it needs to be upgraded. If you upgrade Parallels Mac Management to a newer version
while this option is enabled (or prior to enabling it), Parallels Mac Client will be automatically
upgraded on all managed Mac computers. The Parallels Mac Client registration parameters will be
inherited from the existing registration file, so you don't have to configure it again.
Note: It may take up to an hour (or more) for Mac computers to upgrade after Parallels Mac
Management is upgraded.
1 Obtain the Parallels Mac Client installation image file as described in Manually Installing
Parallels Mac Client.
70
Parallels Mac Client Deployment
2 Distribute the client installation image to Mac computers. The Deploying Software via SCCM
Package Deployment section (p. 112) describes how to accomplish this task.
Note that when creating a program for the distribution package, the Command Line property
should be specified as follows:
:pma_agent.dmg/Parallels Mac Management for Microsoft SCCM.pkg::
When you install Parallels Mac Client via software distribution, the client registration parameters will
be inherited from the existing registration file, so you don't have to configure the client again.
71
Parallels Mac Client Deployment
2 Click the Parallels Mac Management icon (or click VIew > Parallels Mac Management for
Microsoft SCCM).
4 The General box contains the following Parallels Mac Client properties:
• Certificate expiration date. The date and time when the Parallels Mac Client certificate
expires.
• Certificate subject name. A globally unique name identifying the Parallels Mac Client for
which the certificate was issued.
• Connected to SCCM Proxy. The last date and time the Parallels Mac Client established a
connection with the Parallels Configuration Manager Proxy.
72
Parallels Mac Client Deployment
• Policies received. The last time the Parallels Mac Client downloaded its policy.
• SCCM Proxy URL. The URL of the computer where the Parallels Configuration Manager
Proxy is running. This is the Parallels Configuration Manager Proxy with which this Parallels
Mac Client is registered.
• Site code. The code of the Configuration Manager site to which this Mac is assigned.
• Unique identifier. A globally unique ID assigned to this Parallels Mac Client instance.
• Version. The Parallels Mac Client version number.
5 The buttons at the bottom of the window are:
• Connect. When clicked, connects to the Parallels Configuration Manager Proxy and
downloads the latest policy from Configuration Manager. For more information, please see
Initiating Policy Retrieval below.
• Send Problem Report. Click this button to send a problem report to Parallels Support. For
more information, please see Sending Problem Reports from Parallels Mac Client below.
To initiate policy retrieval from the command line, open Terminal, change directory to
/Library/Parallels/pma_agent.app/Contents/MacOS and type the following
command:
$ ./pmmctl get-policies
On completion, the command returns one of the following XML documents depending on the
result.
73
Parallels Mac Client Deployment
where the <integer> element contains the error code, and the <string> element contains the
error description.
where the <integer> value of the <NumberOfPolicyUpdates> key contains the number of
policy updates retrieved.
To obtain the list of possible error codes with descriptions, use the following command:
$ pmmctl error-info
74
Parallels Mac Client Deployment
3 Once the report file is generated, a message is displayed in the dialog specifying its location on
the local hard drive. Clicking the Send button will send the report to the Parallels Configuration
Manager Proxy, which will notify the IT administrator through the Problem Monitoring utility. The
Problem Monitor can then be used to view the report summary and to send it to Parallels
Support.
The problem reporting utility can also be run from Finder as follows:
75
CHAPTER 5
This chapter describes how to use the Parallels Mac Management features.
In This Chapter
The Configuration Manager Admin Console ............................................................ 76
Device Collections in Parallels Mac Management .................................................... 76
Hardware and Software Inventory ........................................................................... 77
Compliance Settings .............................................................................................. 80
Deploying Software via SCCM Package Deployment............................................... 112
Deploying Software via SCCM Application Deployment ........................................... 117
Operating System Deployment ............................................................................... 126
OS X Software Update Management ...................................................................... 153
Executing Scripts on Mac Computers ..................................................................... 171
Apple Device Enrollment Program ........................................................................... 172
Deploying Parallels Desktop to Mac Computers ...................................................... 180
Deploying SCCM Client in Windows Running in a Virtual Machine............................ 183
Providing Remote Assistance to Mac Users ............................................................ 185
Problem Reporting and Monitoring ......................................................................... 186
Initiating Policy Retrieval from SCCM....................................................................... 190
To see the All Mac OS X Systems collection, open the Configuration Manager console and
navigate to Assets and Compliance / Overview / Device Collections / All Mac OS X Systems.
The collection can contain both managed and unmanaged Mac computers. A Mac is added to a
collection as an unmanaged resource if Parallels Mac Client is not installed on it or if it's not
registered with the Configuration Manager Proxy. You can still view the properties of an
unmanaged Mac and connect to it using SSH or VNC if needed.
To identify managed and unmanaged Mac resources in the All Mac OS X Systems collection:
The All Mac OS X Systems collection uses the following criteria in the WHERE clause of its SQL
statement:
Therefore, the Mac resources that have the client version ending with "PMA" are displayed in the
All Mac OS X Systems collection. You can create your own collections for Mac resources using a
different criteria if needed.
Unknown Mac OS X Systems is a special collection to which you deploy task sequences as part
of OS X deployment. The collection is not supposed to contain any devices. For more information,
see Operating System Deployment (p. 126).
1 Open the collection containing Mac resources (e.g. All Mac OS X Systems).
2 Right-click a Mac of interest and select Start > Resource Explorer in the context menu.
3 The Resource Explorer snap-in opens where you can browse the inventory categories
(classes) and view the relevant hardware and software information.
To request an unscheduled inventory update:
77
Using Parallels Mac Management for Microsoft SCCM
1 In the Configuration Manager console, open the device collection containing your Mac
computers.
2 Select one or more Mac computers (or the entire collection), then right-click on a selection and
choose Request Inventory Update.
3 A dialog opens displaying the progress (number of processed Mac computers). To see more
information, click Details. To hide the dialog and continue the operation, click Hide. To cancel
the operation, click Cancel.
4 Once the operation is completed, you can view hardware and software inventory as described
above.
Computer System
This node reports general computer information along with names of currently logged on users. The
User Name column contains the user name in the qualifier\account format, where qualifier
is the computer’s NetBIOS name or a domain name. If there's no currently logged on user, the
column will contain SYSTEM as a value.
This node reports all existing local user accounts (even if they haven't logged on recently) and all
domain users who have logged on in the last 90 days. Each row in the list represents the network
login profile of a specific user:
78
Using Parallels Mac Management for Microsoft SCCM
• The Name column contains the name of the account on a domain or the computer.
• The Full Name column contains the full name of the user belonging to the network login profile.
• The Home Directory column contains the path to the home directory of the user.
• The Last Logoff and Last Logon columns indicate date and time the user last logged off the
system and logged on to system respectively.
• The Number of Logons column indicates the number of successful times the user tried to log
on to this account.
This node allows you to easily see the top console user, which is the user who spends the most
time logged on to the console. The information reported here is gathered from the OS X user
accounting database by using logon and logoff events. When matching logon and logoff events are
found, the information is used to calculate the amount of time the user was logged on. The
resulting information is aggregated by user and ordered by total console usage. The information is
calculated and displayed for the last 90 days.
• The Last Console Use column contains the last date and time when the user logged off from
the console.
• The Number Of Console Logins column contains the total number of logons recorded in the
user accounting database for the specific user.
• The System Console User column contains the user name for the user logged on to the
console.
79
Using Parallels Mac Management for Microsoft SCCM
• The Total User Console Minutes column contains the total number of console logon minutes
recorded in the database for the user.
Compliance Settings
Compliance settings is a set of tools that allow you to assess the compliance of Mac computers in
your organization with regard to whether OS X is configured correctly, volumes on Mac computers
are encrypted, and whether Parallels Desktop (if installed) is configured properly. Compliance is
evaluated by creating a configuration baseline that contains configuration items that you want to
evaluate.
This section contains information about how to create configuration items, set up a configuration
baseline, and then deploy the baseline to a device collection.
First, you need to create an OS X configuration profile using one of the following options:
• Using a custom OS X profile editor. The editor is provided by Parallels Mac Management and is
integrated into the Configuration Manager console.
• Creating a profile from a .mobileconfig file that can be created using the OS X Server's
Profile Manager.
Read on to learn how use the options above.
80
Using Parallels Mac Management for Microsoft SCCM
81
Using Parallels Mac Management for Microsoft SCCM
The left pane of the dialog contains the list of payloads. The right pane contains the settings for a
selected payload. When you select a payload for the first time, the right pane will only contain a
short description and the Configure button.
82
Using Parallels Mac Management for Microsoft SCCM
Clicking the Configure button will show the configurable properties for the selected payload.
Specify the desired payload properties and continue to another payload. Click OK at any time to
save the changes and close the dialog.
If you don't specify any values for a payload, it will be excluded from the configuration profile and
will not be evaluated on Mac computers. If you configured a payload but would like to remove it
from the profile, click the X icon in the payload header area.
When setting up an OS X profile for multiple users, it may not be possible to specify all of the
settings in advance. For example, when configuring the Exchange payload, the user account,
email address, and password must be specified individually for each user. In a case like this, you
may allow Mac users to provide the required settings interactively when the profile is applied on a
Mac.
Some of the editable fields on payload screens are marked in light gray as required, set on device,
and optional. Required fields must have a value or you will not be able to save the profile. "Set on
device" fields can be mandatory or optional, and are usually set on a Mac by the Mac user (e.g.
user names and passwords).
83
Using Parallels Mac Management for Microsoft SCCM
The logic that determines whether the profile is applied on a Mac interactively or silently is as
follows:
• To use the interactive mode, enter the %user_interaction_required% tag into a field
instead of a value. If a payload contains this tag in at least one field, a Mac user will be
prompted to manually enter all of the missing settings. The interactive mode will be used even if
none of the missing settings are actually required on the OS X side. You can enter the
%user_interaction_required% tag into any field that you want a user to set manually,
including the required, set-on-device, and optional fields.
• If a payload does not contain the %user_interaction_required% tag, an attempt will be
made to apply the profile on a Mac silently. If the profile cannot be applied silently (one or more
settings that are required on the OS X side are missing), the interactive mode will be used and
the user will have to specify them manually.
In interactive mode, a standard System Preferences dialog will be opened in OS X for each
corresponding payload where the user will have to specify the required settings. The dialog has the
Install and Cancel buttons. To apply the settings, the user clicks the Install button. If the specified
values don't pass validation, the user will have to enter them again. On success, a report will be
sent to SCCM. If the user clicks the Cancel button, the profile installation is aborted and a report is
sent to the administrator.
Please note that when you create an OS X configuration profile using the Profile Manager, you have
an option to set the Profile Distribution Type to Automatic Push or Manual Download. When
you use the profile editor in the Configuration Manager console (described in this section), the
distribution type is always Manual Download. The requirements for specifying certain settings are
not as strict with the Manual Download distribution type.
Payload Overview
The first item in the payload list is Configuration Item. It's not really a payload and is used to
specify a configuration item name and optional description. This is the name that will appear in the
Configuration Items list in the Configuration Manager console after you save the profile.
The General payload (second in the list) is used to specify general information for the configuration
profile.
The rest of the payloads are used to specify the corresponding OS X system preferences. The
following list provides a general description of each payload. For the complete information about
creating an OS X configuration profile, please refer to Apple documentation.
Payload Description
84
Using Parallels Mac Management for Microsoft SCCM
When you are finished entering the configuration profile information, click the OK button. This will
create a configuration item that will appear in the Configuration Items list in the Configuration
Manager console. Press F5 to refresh the list.
To edit the profile, right-click it and select Edit Parallels Configuration Item from the context
menu.
To evaluate Mac computers for compliance, you need to add the configuration item to a baseline
and then deploy it to a Mac collection. See Deploying Configuration Baseline (p. 110) for more
information.
85
Using Parallels Mac Management for Microsoft SCCM
• System profile. Use this option when you want to install the configuration profile as root.
6 Click the Browse button, select a .mobileconfig file, and click Open.
7 Click OK to save the configuration item. The new configuration item is created with the XML
content of the configuration profile embedded into it. Press F5 to refresh the Configuration
Items list to see the new item.
8 To edit the profile, right-click it and select Edit Parallels Configuration Item from the context
menu. The Mac OS X Configuration Profile dialog will now have the Import from
.mobileconfig and Export to .mobileconfig buttons. Using these two buttons, you can export
the profile into a file, edit it in an external application (e.g. Profile Manager) and then import it
back into the configuration item.
86
Using Parallels Mac Management for Microsoft SCCM
The import operation will perform the following validations of the profile data:
• The profile type (User or System) must be the same as the original.
• If this is a signed profile, the payload identifier must be the same as the original.
• If the profile is not signed but the payload identifier differs from the original, a message box
containing this information will be displayed. You'll have an option to cancel or continue the
importing operation.
To evaluate Mac computers for compliance, you need to add the configuration item to a baseline
and then deploy it to a Mac collection. See Deploying Configuration Baseline (p. 110) for more
information.
Profile Manager is a tool provided by Apple that allows you to create an OS X configuration profile
(an XML file) containing the configuration settings that your organization requires. The configuration
profile can then be deployed to Mac computers to configure them using the specified settings.
Note: You need a Mac with an OS X Server installed to use the Profile Manager.
When setting up a profile for multiple users, it may not be possible to specify all of the settings in
advance. For example, when configuring the Exchange payload, the user account, email address,
and password must be specified individually for each user. In a case like this, you may allow Mac
users to provide the required settings interactively when the profile is applied on a Mac. The logic
that determines whether the profile is applied on a Mac interactively or silently is as follows:
• To use the interactive mode, enter the %user_interaction_required% tag into a field
instead of the actual value. If a payload contains this tag in at least one field, the Mac user will
be prompted to manually enter all of the missing settings. The interactive mode will be used
even if none of the missing settings are actually required on the OS X side. You can enter the
%user_interaction_required% tag into any field that you want a user to set manually.
87
Using Parallels Mac Management for Microsoft SCCM
In the interactive mode, a standard System Preferences dialog will be opened in OS X for each
corresponding payload where the user will have to specify the required settings. The dialog has the
Install and Cancel buttons. To apply the settings, the user clicks the Install button. If the specified
values are invalid, the user will have to enter them again. On success, a report will be sent to
SCCM. If the user clicks the Cancel button, the profile installation is aborted and an appropriate
report is sent to the administrator.
When you save the configuration profile, Profile Manager creates a file with the ".mobileconfig"
extension. The file is an XML document containing the OS X configuration settings that you
specified. Copy the file to a location where the Configuration Manager console can access it (e.g. a
directory on the server running the Configuration Manager console).
Before creating a FileVault 2 configuration item, you need to decide whether you want to use an
institutional or a personal recovery key. The following explains what these keys are.
When preparing to encrypt the disk, the Mac user is asked to specify a password that will be used
to unlock an encrypted disk. If the user forgets the password, he/she will not be able to log into the
computer. The recovery key is a "safety net" that can be used to unlock the disk if the user forgets
the password.
88
Using Parallels Mac Management for Microsoft SCCM
To use an institutional recovery key on multiple Mac computers, you need to create a
FileVaultMaster keychain file. The file will contain a recovery key (private key) needed to recover a
disk encrypted with FileVault 2 and a public certificate.
To create a FileVaultMaster keychain, run the following command in Terminal (the command is
available in OS X 10.7.2 or later):
$ security create-filevaultmaster-keychain /path/to/FileVaultMaster.keychain
You can omit the target path and filename if you want to create the
FileVaultMaster.keychain file in the default /Users/user-name/Library/Keychains
directory.
When prompted, choose and enter a password for the new keychain, This will become your master
password. After the keychain is created, make one or more backup copies of the
FileVaultMaster.keychain file and store them in a safe location, such as an external drive or
an encrypted volume.
You now need to export the X.509 asymmetric public certificate from the FileVaultMaster keychain
to a DER encoded certificate file.
Note: If you want to use a personal recovery key, jump to FileVault 2 Encryption with Personal
Recovery Key (p. 96).
90
Using Parallels Mac Management for Microsoft SCCM
When the disk encryption operation is initiated on a Mac, the Parallels Mac Client begins reporting
the encryption status to the Parallels Configuration Manager Proxy. The current encryption status is
saved in the Mac's hardware inventory record in Configuration Manager and can be viewed in the
Configuration Manager console. If at some later point the Mac user (or a third-party program)
encrypts, decrypts, or re-encrypts the disk, the Parallels Mac Client running on a Mac will detect it
and the encryption status will be immediately updated.
You can view the FileVault 2 encryption status for a particular Mac or you can run a report and view
the information for all Mac computers as a single list.
In the Configuration Manager console, navigate to Monitoring / Reporting / Reports. Locate the
FileVault 2 Disk Encryption report and double-click it. The FileVault 2 Disk Encryption dialog
opens displaying the report.
Each row in the report represents a corresponding Mac volume and contains the following
columns:
After Mac computers have been encrypted, the best way for the IT administrator to monitor the
Mac encryption status is to configure a baseline containing a FileVault 2 configuration item to run as
often as necessary (e.g. daily). If an unauthorized change is made to the FileVault 2 encryption, the
baseline run will report an error to Configuration Manager. The IT administrator will be able to see it
and check the hardware inventory record for a particular Mac.
Note: You should be aware of one scenario when the FileVault 2 encryption status may not be reported
accurately in the Mac hardware inventory. This will happen when (a) a Mac is removed from the
Configuration Manager site, (b) the Parallels Mac Client is uninstalled from it, and (c) the Mac is then
assigned to the site again. If the Mac was encrypted with FileVault 2 prior to removing it from the site, the
encryption status will be reported as Encrypted by a 3rd party. To make the status to report accurately,
you'll need to decrypt the disk and then encrypt it again.
92
Using Parallels Mac Management for Microsoft SCCM
After you deploy a configuration baseline to a device collection, Mac computers in the collection will
be evaluated for compliance. If FileVault 2 is already enabled on a Mac, no action will be performed
on it. If FileVault 2 is not enabled, the Mac user will see a message box saying that the Mac is about
to be encrypted. The dialog has two buttons: Encrypt and Postpone:
• If the user clicks Encrypt, another dialog opens where the user must select one or more OS X
user accounts that will be allowed to unlock the disk after it is encrypted.
Note: The dialog displays all user accounts that exist on this Mac, but the user needs to select only
those accounts that should be allowed to unlock the disk. If more accounts are added to the Mac later,
they will not have this privilege. To grant the privilege to the new account(s), the disk encryption must be
removed and then the encryption procedure must be performed from the beginning.
To select an account, the user needs to click the Enable button next to the account name and
then enter a password that will be used to unlock the encrypted disk. The user can enable
multiple OS X user accounts if needed, but at least one account must be enabled to continue.
When the necessary accounts are enabled, the user clicks Encrypt to enable FileVault 2. To
perform the actual encryption, the user must restart the Mac.
• If the user postpones the encryption on the first dialog, the dialog will open again in 5 minutes.
The user has the ability to keep postponing the encryption procedure indefinitely. The time
period after which the dialog is displayed is doubled each time the user clicks Postpone, but
will never exceed one hour.
If a FileVault 2 encrypted disk becomes unbootable, you will need to unlock it. The following steps
describe how to unlock an encrypted disk using a password of an OS X account that's authorized
to unlock the encryption.
Once the volume is decrypted, you'll have full access to the hard disk.
To unlock an encrypted disk using an institutional recovery key, you need the original
FileVaultMaster.keychain file that contains the recovery key. You must also know the master
password that you've set when you created the file.
To retrieve the SHA1 fingerprint of the original certificate that used during encryption:
1 In the Configuration Manager console, navigate to the device collection containing the Mac (e.g.
All Mac OS X Systems).
2 Locate the Mac in the list. If you can't find the Mac, read If You Can't Find the Mac in Any of
the Collections below.
3 Right-click the Mac and then click Properties.
4 In the Properties dialog, click the FileVault 2 tab to view the FileVault 2 encryption information
for the Mac. The properties are:
• Hardware ID. Contains the Mac hardware ID.
• Serial Number. Contains the Mac serial number.
• Personal Key. Contains the personal recovery key (will be blank if an institutional key was
used).
• Institutional key. Contains the SHA1 fingerprint of the institutional key certificate (will be
blank if a personal key was used).
• LVGUUID. The UUID of the logical volume group.
• LVUUID. The UUID of the logical volume.
• PVUUID. The UUID of the physical volume.
5 Compare the value of the Institutional key property to the fingerprint of the certificate in a
FileVaultMaster.keychain file. The file that has the matching fingerprint contains the correct
institutional recovery key.
94
Using Parallels Mac Management for Microsoft SCCM
Assuming that you have the correct FileVaultMaster.keychain file, do the following to unlock the
encrypted disk:
1 Boot your Mac from the Recovery HD partition by holding down Command –R.
2 Connect an external drive containing the original FileVaultMaster.keychain file.
3 Run Terminal (Application/Utilities). If the keychain is stored in an encrypted disk image, use the
following command to mount it:
$ hdiutil attach /path/to/diskImage
4 Use the following command to unlock the FileVaultMaster.keychain file:
$ security unlock-keychain /path/to/FileVaultMaster.keychain
5 Enter the Master Password to unlock the keychain. If the password is accepted, the command
prompt will return.
6 Use the following command to list the available Core Storage volumes:
$ diskutil cs list
7 Look for the UUID of a Logical Volume, usually the last in the list. Select and copy the UUID to
be used in the next step.
8 Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the
previous step and the correct path to the keychain file:
$ diskutil cs unlockVolume UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
9 When the command completes, the volume will be unlocked and mounted. You'll be able to
back up data using Disk Utility, or by using a command line tool such as ditto.
95
Using Parallels Mac Management for Microsoft SCCM
If the command fails, it is possible that the disk was re-encrypted by the Mac user or a third-
party program. You can compare the UUIDs of the volumes displayed by the diskutil cs
list command to the LVGUUID, LVUUID, and PVUUID values on the FileVault 2 tab of the
Mac Properties dialog (see the Retrieve Personal Recovery Key subsection above). The
values should match. If they don't, it means that the disk was re-encrypted, in which case the
recovery key stored in the keychain file will not work.
10 Once the disk is unlocked, you can decrypt it by running the following command:
$ diskutil cs revert UUID -recoveryKeychain /path/to/FileVaultMaster.keychain
Note: If you want to use an institutional recovery key, jump to FileVault 2 Encryption with Institutional
Recovery Key (p. 89).
96
Using Parallels Mac Management for Microsoft SCCM
2 Right-click Configuration Items and then point to Create Parallels Configuration Item and
click FileVault 2 Configuration Item.
97
Using Parallels Mac Management for Microsoft SCCM
When the disk encryption operation is initiated on a Mac, the Parallels Mac Client begins reporting
the encryption status to the Parallels Configuration Manager Proxy. The current encryption status is
saved in the Mac's hardware inventory record in Configuration Manager and can be viewed in the
Configuration Manager console. If at some later point the Mac user (or a third-party program)
encrypts, decrypts, or re-encrypts the disk, the Parallels Mac Client running on a Mac will detect it
and the encryption status will be immediately updated.
You can view the FileVault 2 encryption status for a particular Mac or you can run a report and view
the information for all Mac computers as a single list.
In the Configuration Manager console, navigate to Monitoring / Reporting / Reports. Locate the
FileVault 2 Disk Encryption report and double-click it. The FileVault 2 Disk Encryption dialog
opens displaying the report.
Each row in the report represents a corresponding Mac volume and contains the following
columns:
After Mac computers have been encrypted, the best way for the IT administrator to monitor the
Mac encryption status is to configure a baseline containing a FileVault 2 configuration item to run as
often as necessary (e.g. daily). If an unauthorized change is made to the FileVault 2 encryption, the
baseline run will report an error to Configuration Manager. The IT administrator will be able to see it
and check the hardware inventory record for a particular Mac.
Note: You should be aware of one scenario when the FileVault 2 encryption status may not be reported
accurately in the Mac hardware inventory. This will happen when (a) a Mac is removed from the
Configuration Manager site, (b) the Parallels Mac Client is uninstalled from it, and (c) the Mac is then
assigned to the site again. If the Mac was encrypted with FileVault 2 prior to removing it from the site, the
encryption status will be reported as Encrypted by a 3rd party. To make the status to report accurately,
you'll need to decrypt the disk and then encrypt it again.
99
Using Parallels Mac Management for Microsoft SCCM
After you deploy a configuration baseline to a device collection, Mac computers in the collection will
be evaluated for compliance. If FileVault 2 is already enabled on a Mac, no action will be performed
on it. If FileVault 2 is not enabled, the Mac user will see a message box saying that the Mac is about
to be encrypted. The dialog has two buttons: Encrypt and Postpone:
• If the user clicks Encrypt, another dialog opens where the user must select one or more OS X
user accounts that will be allowed to unlock the disk after it is encrypted.
Note: The dialog displays all user accounts that exist on this Mac, but the user needs to select only
those accounts that should be allowed to unlock the disk. If more accounts are added to the Mac later,
they will not have this privilege. To grant the privilege to the new account(s), the disk encryption must be
removed and then the encryption procedure must be performed from the beginning.
To select an account, the user needs to click the Enable button next to the account name and
then enter a password that will be used to unlock the encrypted disk. The user can enable
multiple OS X user accounts if needed, but at least one account must be enabled to continue.
When the necessary accounts are enabled, the user clicks Encrypt to enable FileVault 2. To
perform the actual encryption, the user must restart the Mac.
• If the user postpones the encryption on the first dialog, the dialog will open again in 5 minutes.
The user has the ability to keep postponing the encryption procedure indefinitely. The time
period after which the dialog is displayed is doubled each time the user clicks Postpone, but
will never exceed one hour.
If a FileVault 2 encrypted disk becomes unbootable, you will need to unlock it. The following steps
describe how to unlock an encrypted disk using a password of an OS X account that's authorized
to unlock the encryption.
Once the volume is decrypted, you'll have full access to the hard disk.
The key is stored in the Parallels Mac Management database (p. 197) and can be obtained as
follows:
1 In the Configuration Manager console, navigate to the device collection containing the Mac (e.g.
All Mac OS X Systems).
2 Locate the Mac in the list. If you can't find the Mac, read If you Can't Find the Mac in Any of
the Collections below.
3 Right-click the Mac and then click Properties.
4 In the Properties dialog, click the FileVault 2 tab to view the FileVault 2 encryption information
for the Mac. The properties are:
• Hardware ID. Contains the Mac hardware ID.
• Serial Number. Contains the Mac serial number.
• Personal Key. Contains the personal recovery key (will be blank if an institutional key was
used).
• Institutional key. Contains the SHA1 fingerprint of the institutional key certificate (will be
blank if a personal key was used).
• LVGUUID. The UUID of the logical volume group.
• LVUUID. The UUID of the logical volume.
• PVUUID. The UUID of the physical volume.
5 Copy the value of the Personal key property. If the property doesn't have a value but the
Institutional key property underneath it does, then this Mac was encrypted with an institutional
recovery key. If that's the case, please read Recovering Encrypted Disk Using Institutional
Key (p. 94).
101
Using Parallels Mac Management for Microsoft SCCM
1 Boot your Mac from the Recovery HD partition by holding down Command –R.
2 Use the following command to list the available Core Storage volumes:
$ diskutil cs list
3 Look for the UUID of a Logical Volume, usually the last in the list. Select and copy the UUID to
be used in the next step.
4 Use the following command to unlock the encrypted disk. Be sure to insert the UUID from the
previous step:
$ diskutil cs unlockVolume UUID -passphrase recoverykey
5 When the command completes, the volume will be unlocked and mounted. You'll be able to
back up data using Disk Utility, or by using a command line tool such as ditto.
If the command fails, it is possible that the disk was re-encrypted by the Mac user or a third-
party program. You can compare the UUIDs of the volumes displayed by the diskutil cs
list command to the LVGUUID, LVUUID, and PVUUID values on the FileVault 2 tab of the
Mac Properties dialog (see the Retrieve Personal Recovery Key subsection above). The
values should match. If they don't, it means that the disk was re-encrypted, in which case the
recovery key stored in the Parallels Mac Management database will not work.
6 Once the disk is unlocked, you can decrypt it by running the following command:
$ diskutil cs decryptVolume UUID -passphrase recoverykey
102
Using Parallels Mac Management for Microsoft SCCM
3 Enter a name and and optional description for this configuration item.
4 The Security page allows you to specify password requirements for using Parallels Desktop
features and whether or not the Mac users will be allowed to change Parallels Desktop
preferences. To enable password requirements, click the ON/OFF switch to toggle it to "ON"
and then select the desired options. Do the same for the Edit Parallels Desktop settings
option.
103
Using Parallels Mac Management for Microsoft SCCM
• The License page allows you to specify the Parallels Desktop license key and customize the
Request Support settings. The license key that you specify will be applied to Parallels Desktop
on Mac computers (e.g. when you want to update it). The Request support settings allow you
to specify the action for the Help > Request Support menu item in the Parallels Desktop
graphical user interface.
• The USB behavior page allows you to specify what to do when a USB device is connected to a
Mac.
• The Updates page allows you to specify Parallels Desktop update options.
• The Network page specifies the Parallels Desktop network settings.
• The Miscellaneous page allows you to specify the default virtual machine folder and the
participation in Parallels Customer Experience program.
When finished, click OK to save the configuration item and close the dialog. To view the new item
in the Configuration Items list, press F5 to refresh it. To modify the configuration item, right-click it
and then click Edit Parallels Configuration Item in the context menu.
To evaluate Mac computers for compliance, you need to add the configuration item to a baseline
and then deploy it to a Mac collection. See Deploying Configuration Baseline (p. 110) for more
information.
Note: The settings that you specify in a virtual machine configuration item will be applied to all existing
virtual machines on a Mac.
104
Using Parallels Mac Management for Microsoft SCCM
105
Using Parallels Mac Management for Microsoft SCCM
To evaluate Mac computers for compliance, you need to add the configuration item to a baseline
and then deploy it to a Mac collection. See Deploying Configuration Baseline (p. 110) for more
information.
To use scripts, you need to create a standard SCCM configuration item in the Configuration
Manager console. When creating a configuration item, you have an option to specify a discovery
script and a remediation script. The discovery script is used to obtain the value of a setting on a
Mac to be assessed for compliance. The remediation script is used to remediate a non-compliant
value if needed (creating a remediation script is optional).
When a discovery script returns a value, it is assessed for compliance using the compliance rules
defined for it. If the value is non-compliance and a remediation script exists, the value is passed to
the script so that the necessary modifications can be done on the Mac. If a remediation script
doesn't exist, the assessment stops and a noncompliance is reported to SCCM. Each discovery
script can assess a single value, but multiple scripts with their own compliance rules can be added
to a given configuration item.
106
Using Parallels Mac Management for Microsoft SCCM
General Page
Select the OS X versions to which this configuration item should be applicable. Please note that this
selection will be ignored in the future releases of Parallels Mac Management. If at that time you'll
need to exclude a particular OS X version, you can create multiple Mac collections based on the
OS X version criteria and then selectively deploy the configuration item to them.
Settings Page
The Settings page is used to create a set of settings representing the conditions to assess for
compliance on Mac computers. In our case, each setting will evaluate a particular value on a Mac.
107
Using Parallels Mac Management for Microsoft SCCM
8 When you are finished specifying scripts and compliance rules, click OK in the Create Setting
dialog and then click Next on the Settings page of the wizard.
The Compliance Rules page lists the compliance rules that you've created earlier. You can review
and modify them if necessary. You can also create new rules here if needed. Click Next when
ready.
Review the configuration item summary and click Next when ready. Wait for the configuration item
to be created. Review the info on the Completion page and click Close to exit the wizard.
To evaluate Mac computers for compliance, you need to add the configuration item to a baseline
and then deploy it to a Mac collection. See Deploying Configuration Baseline (p. 110) for more
information.
The script can be written in any scripting language supported by OS X, such as Bash, Python,
Apple Script, etc. See Specifying Script Interpreter (p. 109) for additional information.
You can type (or copy and paste) the script into the Script edit box. If you have the script saved in
a file, click the Open button to browse for it.
A discovery script is used to find and return a value to be assessed for compliance on a Mac. The
value can be of any data type supported by Configuration Manager, but must be returned by the
discovery script as a string. Write the script to obtain the value of a desired setting on a Mac and
return it as a string via standard output. The returned value is evaluated using the compliance rules
defined for this configuration item setting. If the value is non-compliance and a remediation script
exists (p. 108), the value is passed to the remediation script for evaluation. If the remediation script
doesn't exist, the assessment stops and noncompliance is reported to SCCM.
Please note that a discovery script will run in OS X with root privileges. Please also note that you
cannot access OS X GUI components from a discovery script. For example, you cannot open a
dialog to be displayed to the Mac user.
The script can be written in any scripting language supported by OS X, such as Bash, Python,
Apple Script, etc. See Specifying Script Interpreter (p. 109) for additional information.
You can type (or copy and paste) the script into the Script edit box. If you have the script saved in
a file, click the Open button to browse for it.
A remediation script is used to remediate non-compliance setting values found on a Mac. The non-
compliance value is passed to the script as an input parameter after obtaining it with the discovery
script and assessing it using the compliance rules. A remediation script should return 0 (zero) as a
string via standard output.
When the remediation script returns, the discovery script is executed again to obtain the updated
value. The value is then evaluated using the compliance rules. If the value complies, the
assessment finishes with success. If the value is still non-compliance, a noncompliance is reported
to SCCM.
Please note that a remediation script will run in OS X with root privileges. Please also note that you
cannot access OS X GUI components from a remediation script. For example, you cannot open a
dialog to be displayed to the Mac user.
The first line of the script should begin with shebang and have the following format:
where:
109
Using Parallels Mac Management for Microsoft SCCM
You can create more than one rule for a given configuration item setting. If there's more than one
rule, they will be connected using the logical AND operator. Therefore, for a value to be compliant,
all rules must evaluate as TRUE.
The new configuration baseline will appear in the Configuration Baselines list. You can click
Refresh on the toolbar to refresh the list.
To enforce a policy, the IT administrator creates a configuration item, adds it to a baseline, and
then deploys the baseline to a Mac collection. When the baseline runs, each configuration item is
applied to a Mac and modifies a corresponding configuration according to the rules that it contains.
After the configuration changes are made to the Mac, the following reports are generated on the
Mac side:
• A report for each configuration item applied to a Mac (a configuration baseline can contain
more than one configuration item, so a report is generated for each individual item).
• A summary report for the baseline after all configuration items are applied to a Mac.
As soon as a report is generated, the Parallels Mac Client sends it to the Configuration Manager
Proxy, which sends it to the Configuration Manager. When the Mac evaluation for compliance
completes, the IT administrator can view the reports in the Configuration Manager console. If the
Parallels Mac Client cannot establish a connection with the Configuration Manager Proxy, the
reports are saved locally on the Mac and the transfer is resumed as soon as the connection
becomes available.
To view the evaluation reports in the Configuration Manager console, you need a reporting point set
up on your Configuration Manager site. If you don't have a reporting point, set it up in the
Configuration Manager console using the standard Configuration Manager functionality.
111
Using Parallels Mac Management for Microsoft SCCM
Please note that Parallels Mac Management supports Configuration Manager Package and
Application deployment models. This section describes how to distribute software via SCCM
Package deployment. For Application deployment, please see Deploying Software via SCCM
Application Deployment. (p. 117).
You create a package and a program using the standard Create Package and Program Wizard
in the Configuration Manager console. Once the package is created, you can set additional
package and program properties that are not available in the wizard. These properties can be used
to better manage the package installation on a Mac computer.
112
Using Parallels Mac Management for Microsoft SCCM
113
Using Parallels Mac Management for Microsoft SCCM
• To run an installer command (OS X package installer tool), use the following syntax:
:<package_path>::
where <package_path> is the name and path of the package. When the client encounters
this command, it will invoke installer(8) passing the package name to it as a parameter. For
example, command line
:MySoft/MySoft-1.0.dmg/packages/mysoft_v1.pkg::
will mount the MySoft-1.0.dmg image to a temporary mount point, make it current directory,
and execute the following command:
$ /usr/sbin/installer -pkg "packages/mysoft_v1.pkg" -target /
The following example will similarly mount an .iso image file:
:MySoft/MySoft-1.0.iso/packages/mysoft_v1.pkg::
3 Specify whether you want to allow Mac users to interact with the program installation.
• To enable user interaction, in the Run mode drop-down list, select Run with user's rights
or select the combination of the Run with administrative rights and Allow users to view
and interact with the program installation options.
• To disable user interaction, set the Run mode option to Run with administrative rights
and clear the Allow users to view and interact with the program installation option.
If you allow user interaction, a dialog will be displayed in OS X during program installation giving
the user a choice to continue or to postpone installing the program. The message in the dialog
will say whether an additional action, such as computer restart or user log-off, will be required
(or may be required) after the program installation finishes. Based on this info, the user can
decide whether to continue or to postpone the program installation. Please note that if a
program installation is postponed, no other program can be installed before this one is installed
first.
4 Click Next.
Once the package is created, you can set additional package and program options that are not
available in the wizard. The following subsections describe these options.
114
Using Parallels Mac Management for Microsoft SCCM
You can configure the package program to restart a Mac or log off the user after the package
installation finishes. Use these options when the software that you are distributing to Mac
computers requires such actions to complete the installation.
To send a copy of the package to a distribution point, right-click the package of interest and click
Distribute Content in the context menu. Use the Distribute Content Wizard to specify a
distribution point to which you want to send the package.
Please make sure that the distribution point is properly configured as described in the Configuring
a Distribution Point section.
115
Using Parallels Mac Management for Microsoft SCCM
Deploying Software
After you've sent the package to a distribution point, you can deploy the software.
1 In the Configuration Manager console, right-click the package and then click Deploy in the
context menu. The Deploy Software Wizard opens.
2 On the General page, click the Browse button next to the Collection field and select the
collection containing the desired Mac resources (e.g. All Mac OS X Systems). Click OK and
then click Next.
3 On the Content page, verify the distribution point info and click Next.
4 Click Next on the Deployment Settings page.
5 On the Scheduling page, specify the schedule for this deployment. Click New to specify the
assignment schedule. When done, click Next.
6 Use the default values on the rest of the wizard pages and complete the wizard.
The software will be advertised to Mac computers in the specified collection and will be distributed
to them according to the schedule that you specified.
116
Using Parallels Mac Management for Microsoft SCCM
Silent Installation
If you configure the application to install silently, it will be delivered to a Mac and installed without
giving the user any control over the installation process. The only operation that the user will be
asked to confirm is restarting the Mac if it is required by a particular application. The options that
must be set in order to perform a silent installation are highlighted in the corresponding topics
describing the application deployment steps.
Interactive Installation
An interactive installation informs the Mac user that the application is available for installation and,
depending on the deployment configuration, gives the user full or limited control over the installation
process.
When preparing an application for interactive installation, you can specify the following options:
117
Using Parallels Mac Management for Microsoft SCCM
• An application can be either required to be installed or the user can be given a choice whether
to install it or not.
• The application installer can be displayed on the screen allowing the user to control the
installation process, or the installer can run in the background thus performing an unattended
installation. In both scenarios the user can choose whether to run the installer as soon as the
application is available or to postpone it to a later time.
The options that must be set in order to perform an interactive installation are highlighted in the
corresponding topics describing the application deployment steps.
1 Download the ConfigmgrMacClient.msi file from the Microsoft Download Center using the
following URL:
• https://www.microsoft.com/en-us/download/details.aspx?id=47719
2 Run the downloaded file on your Windows computer to extract the macclient.dmg file.
3 Copy the macclient.dmg file to a Mac computer.
4 Double-click the file to see its contents. Extract the Tools folder from the file by dragging and
dropping it to a folder on your Mac.
CMAppUtil supports the .dmg, .pkg, .mpkg, .app file formats.
1 Copy the OS X package to the folder where you extracted to Tools folder.
2 Navigate to the Tools folder and enter the following command-line:
./CMAppUtil <properties>
For example, to convert an Apple disk image file named MySoftware.dmg stored in the user's
home folder to the .cmmac format:
./CMApputil –c /Users/ <User Name> /MySoftware.dmg -o /Users/ <User Name>
118
Using Parallels Mac Management for Microsoft SCCM
The command above creates a .cmmac installation file compatible with Configuration Manager.
The -c option specifies the source file being converted. The -o option specifies the output path.
For the complete list of options, please consult the Microsoft CMAppUtil documentation.
When you have the .cmmac file, copy it to a network share where it can be accessed from the
Configuration Manager console.
The new application will appear in the Applications list in the Configuration Manager console.
The application properties described here determine how the application will be displayed in the
Parallels Application Portal on a Mac. If you would like to configure the application to be installed
silently (you will choose the installation type later), you may skip this sub-section.
1 Right-click the application that you've created in the previous step and click Properties in the
context menu. This will open the application properties dialog.
2 Click the Application Catalog tab and set the following properties:
• Selected language — select the language from the drop-down list. Click Add/Remove to
add additional languages if needed.
• Localized application name — specify the localized application name.
119
Using Parallels Mac Management for Microsoft SCCM
• User categories — click Edit to specify user categories that the users of Parallels
Application Portal can use to filter and sort the available applications. The Edit button opens
the User Categories dialog. Select an existing category or click Create to create a new
category.
• Icon — click Browse to select an icon for this application.
• Display this as a featured app and highlight it in the company portal — if you select
this option, the application will be listed in the Featured Applications list in Parallels
Application Portal.
3 If the application that you are creating is an upgrade or a replacement for an existing application
in the Parallels Application Portal, then you can specify a supersedence relationship on the
Supersedence tab page. Select the Allow users to see deployments for this an all
applications that it supersedes... option if you want to display all versions of the application in
the Application Portal. If the option is cleared, only the top application will be shown.
4 Click OK to close the Properties dialog.
1 Select the Deployment Types tab at the bottom of the Applications workspace.
2 Right-click the deployment type and click Properties in the context menu.
3 The <application_name> - Mac OS X Properties dialog opens.
Use the following instructions to modify the deployment type properties as needed.
To specify the command that you want to use to install, and optionally uninstall, the application on
a Mac, click the Programs tab. The Installation program field is used to specify the command
line. The field is populated automatically and should already contain the installation command for
the application. You can modify the command line as needed.
If you've configured the application for the Parallels Application Portal, you can optionally specify an
uninstallation command for it. This will enable the Remove button in the Application Portal and will
provide a convenient method for removing an application from a Mac. To add the uninstallation
command line, use the following syntax:
120
Using Parallels Mac Management for Microsoft SCCM
The <Installation command> and <Uninstallation command> parts should contain the installation
and uninstallation commands respectively. You have to find out what the actual uninstallation
command line for a given application is yourself.
As an example, the following command line contains the installation and uninstallation commands
for Firefox (please note the colon characters, which are required):
When you add the uninstallation command to the command line, the Remove button in the
Parallels Application Portal becomes available once the application is installed on a Mac. If you
don't include an uninstallation command, the Remove button will be disabled for the given
application.
To force a mandatory Mac restart after the application is installed on it, click the User Experience
tab. In the Action drop-down list, select the action from the following options:
• No action — The Mac will be restarted only if the application installer requires it.
• Configuration Manager client will force a mandatory device restart — The Mac will be
restarted regardless of whether the application installer requires it or not.
The Detection Method tab page allows you to specify how Configuration Manager determines
whether this deployment type is already present on a Mac. This information is automatically
imported when you convert the OS X installation image to a .cmmac file.You can modify the
imported information, if needed, by editing the existing clause or creating a new one.
The Requirements tab page allows you to specify system requirements that must be met to allow
the application to be installed. The only requirement that can be currently specified is the OS X
version.
121
Using Parallels Mac Management for Microsoft SCCM
122
Using Parallels Mac Management for Microsoft SCCM
• As soon as possible — Mac users will be required to install the application as soon as it is
available. If a user fails to install the application right away, he/she will be reminded again in
24 hours. If the application is still not installed after that, it will be installed automatically.
• Schedule at — Mac users will be required to install the application before the date and time
specified here. If a user fails to install the application, it will be installed automatically.
11 Click Next.
12 On the User Experience page, select a notification type in the User notification drop-down
list. Depending on the option selected, the following will happen when the application is ready
to be installed on a Mac:
• Display in Software Center and show all notifications — The user will be asked to install
the application and will have an option to start or postpone the installation. If the application
is configured as Available (i.e. not required, see step 8 above) the user will have a choice
not to install it. The application will be added to the Parallels Application Portal where the
user will be able to install it later. The installer graphical user interface will be displayed to the
user providing full control over the installation process. When the installation is finished, the
user will be asked to reboot the Mac if necessary.
• Display in Software Center and only show notifications for computer restarts — This
option is similar to the Display in Software Center and show all notifications option
(above) with one exception: the installer will run in the background, so the user will have no
control over the installation process. The user will still be given a choice to install the
application or to postpone the installation, and to restart or postpone restarting the Mac if it
is required.
• Hide in Software Center and all notifications — The user will NOT be informed that the
application is available for installation. The installation will be performed completely silently
and transparently to the user. The application will NOT be added to the Parallels Application
Portal. If the installation requires Mac restart, the user will be asked to restart it and will be
given an option to postpone restarting.
13 Complete the wizard using the default values and close it when done.
Read on to learn how the application can be installed on a Mac after it's been deployed.
Installation is Optional
If the application is not required (the Deploy Software Wizard | Deployment Settings | Purpose
is specified as Available), a dialog will be displayed to the user describing the application and
providing the following choices:
• Show in Application Portal — Clicking this button will open the Parallels Application Portal
where the user can view the application and install it if desired.
123
Using Parallels Mac Management for Microsoft SCCM
• Install now — Clicking this button will download the application and will run the application
installer. The installer GUI will be displayed or hidden depending on the setting specified on the
User Experience page of the Deploy Software Wizard.
• Close — Clicking this button will close the dialog. The user will be able to install the application
later from the Application Portal.
Installation is Required
If the application is required (the Deploy Software Wizard | Deployment Settings | Purpose is
specified as Required) and an interactive installation type was specified, a dialog will be displayed
to the user with the following options:
Postpone — This button allows the user to postpone the installation. The Remind me in drop-
down list allows the user to select the postponement period.
Depending on the installation deadline setting (set in the Deploy Software Wizard | Scheduling
page), the following rules apply:
• If the policy was downloaded prior to the installation deadline, the deadline will stay in effect.
• If the policy was downloaded after the deadline has passed, the effective deadline will be set to
the time of the policy download plus 24 hours.
Install now — Clicking this button will close the dialog and will run the application installer.
Installation is Silent
If the installation type was specified as silent (the Deploy Software Wizard | User Experience
page | Hide in Software Center and all notifications option was selected), no message asking
the user to install the application will be displayed, and the installation will be performed silently as
soon as the policy is delivered to a Mac.
In all three scenarios above, after the application is installed, the user will be asked to reboot the
Mac if the installer requires it or if the Action on the User Experience page of the Mac OS X
Properties dialog is set to force a mandatory restart.
124
Using Parallels Mac Management for Microsoft SCCM
To start Parallels Application Portal on a Mac, navigate to Finder > Applications and double-click
Parallels Application Portal.
When Parallels Application Portal starts, it should contain the list of installed and available
applications. If a Mac is not assigned to a Configuration Manager site, the application list will be
empty.
125
Using Parallels Mac Management for Microsoft SCCM
• Publishers list — Contains the names of software vendors that the user can select to filter the
application lists.
• Install button — Displayed for applications that are available for installation. Clicking this button
will download an application to the Mac and install it.
• Remove button — Displayed for an application already installed on a Mac. Allows the user to
remove the application from the Mac. Please note that this button will only be available for
applications that were configured in Configuration Manager as "Available" (i.e. optional, as
opposed to required) and for which the uninstallation command line was specified. For more
info about the installation/uninstallation command line, see Configuring the Deployment Type
> Specify the Installation Command Line (p. 120).
126
Using Parallels Mac Management for Microsoft SCCM
• If the NetBoot Server and target Mac computers are running in different subnets, DHCP
forwarding must be set up. For the complete information about setting up the network
environment for NetBoot, please read the following KB article: http://kb.parallels.com/118518.
• The reference Mac computers that will be used to capture OS X images must have a Recovery
HD partition.
OS X Version Support
The reference Mac must be running OS X 10.9 or later. Older versions of OS X are not supported.
3 Copy and paste the URL into a text editor. Replace the "pma_agent.dmg" part with
"PmmOsdImageBuilder.dmg".
127
Using Parallels Mac Management for Microsoft SCCM
4 On the reference Mac, open the resulting URL in a web browser to download the
PmmOsdImageBuilder.dmg file. When done, mount the image in OS X.
1 Open Terminal and change directory to the PmmOsdImageBuilder.dmg image mount point
(e.g. /Volumes/Parallels OSD Image Builder 5.0.xxxx.yyyyyy).
2 Execute the following command in Terminal:
sudo ./pmm_osd_image_builder netboot -n [output-dir] --ntp-servers
[ntp_servers] --ssh-authkeys [ssh_keys_file] --ignore-version-
mismatch
The parameters in the command above are:
-n [output-dir] — The name of a directory where you want the boot image to be created.
--ntp-servers [ntp_servers] — (optional) Comma-separated NTP (Network Time
Protocol) server hostnames or IP addresses. The time on a Mac will be synchronized with your
domain controller using the specified server(s). If the parameter is omitted, no time
synchronization will be performed, in which case you need to use other means to make sure
that the time is in sync.
--ssh-authkeys [ssh_keys_file] — (optional) A path to a file with an SSH public key in
the authorized_keys format. The key will be installed in the NetBoot image to allow root
SSH access to a Mac when it's booted from the network. If this parameter is omitted, no SSH
access to a Mac will be available. For more info, see http://kb.parallels.com/123466.
--ignore-version-mismatch — (optional) A flag to ignore OS X version mismatch
between the active boot partition and the recovery partition. The OS X version must be the
same on both partitions. If there's a version mismatch and this parameter is not included, you
will receive an error. In such a case you'll have to either upgrade OS X on the recovery partition
or use a different Mac. If you include this parameter, the error will be ignored and the image will
be created, but doing so may result in a malfunction of the resulting boot image. If you don't
know whether the OS X versions match on the two partitions, run the utility first without
including the parameter. If you receive the error, you'll know that they don't, so you can take
appropriate actions.
3 Copy the entire resulting [output-dir] directory to a location on the computer running the
Configuration Manager console, so you can add it later to SCCM.
128
Using Parallels Mac Management for Microsoft SCCM
2 Right-click Operating System Images and then click Add OS X Boot Image.
129
Using Parallels Mac Management for Microsoft SCCM
4 In the Path to the OS X boot image directory field, specify the path to the OS X boot image
folder. The other field should contain name and path where you want the image file (.wim) to be
created.
5 Click Next.
6 Specify an OS X image name and version and click Next.
7 Wait for the image to be converted to the .wim format.
8 Click Finish.
130
Using Parallels Mac Management for Microsoft SCCM
1 In the Configuration Manager console, right-click the OS X boot image item and choose
Distribute Content in the context menu.
2 In the Distribute Content wizard, select the distribution point where the Parallels NetBoot
server is installed and complete the wizard.
3 You can monitor the content status in the NetBoot image Summary pane. You must wait for
the circle to turn green (as shown in the picture below) before proceeding to the next step.
Press F5 to refresh the view.
Note: If you already have an OS X boot image that you created with Parallels Mac Management v4.0 or
earlier, you MUST create a new boot image using the current Parallels Mac Management version. Older
boot images are incompatible with this functionality.
132
Using Parallels Mac Management for Microsoft SCCM
6 Click the Verify button next to the Password field. If everything checks out, the red icon next to
the button (and the red icon in front of the task sequence name) will change to the green check
mark icon.
7 Click OK to close the dialog. The new task sequence will appear in the task sequence list
(press F5 to refresh the list).
If you need to modify the task sequence, right-click it and choose Edit Task Sequence for Macs
in the context menu.
When specifying a network path for the image file, the required free disk space can be calculated
as a combined size of the used space on the source volume and the Recovery HD volume,
multiplied by two. Consider the following example:
1 The used space on the source volume from which you capture the OS X image is 15 GB.
2 The Recovery HD volume size is about 650 MB.
3 (15 GB + 0.65 GB) * 2 = 31.3 GB. This is what your network drive should have available to
store the OS X image on it.
You can use the following variables when configuring the Capture OS X Image step.
Variable Description Example Status
Specifies a Windows
account name that has guest
OSDCaptureAccount permissions to save the PUBLIC
captured image on a pmm12.dom\Administrator
network share.
Specifies the password for
the Windows account used
PmmOSDCaptureAccountPassword secret PUBLIC
to store the captured image
on a network share.
Specifies the destination
OSDCaptureDestination network share for the image \\server\files PUBLIC
directory.
Specifies the name of the
PmmOSDCaptureDestinationDir directory for storing the OSX-10.11-C12L3390FFT0 PUBLIC
captured image.
Specifies the device node of
PmmOSDSourceDisk the source disk that has OS /dev/disk0s2 INTERNAL
X installed.
133
Using Parallels Mac Management for Microsoft SCCM
Capture an OS X Image
OS X Version Support
The source partition on a reference Mac must have OS X 10.8 or a later version installed. Older
versions of OS X are not supported.
Before using the Image Builder utility, you must create an additional bootable partition on your
Mac's hard drive and install OS X on it. The partition must have OS X 10.9 or a later version
installed. The inactive partition from which you'll capture the image can have OS X 10.8 or a later
version installed.
134
Using Parallels Mac Management for Microsoft SCCM
2 In the right pane, right-click the Mac Client installation package download URL item and
then click Properties.
3 Copy and paste the URL into a text editor. Replace the "pma_agent.dmg" part with
"PmmOsdImageBuilder.dmg".
4 On the reference Mac, open the resulting URL in a web browser to download the
PmmOsdImageBuilder.dmg file. When done, mount the image in OS X.
5 Open Terminal and change directory to the PmmOsdImageBuilder.dmg image mount point
(e.g. /Volumes/Parallels OSD Image Builder 5.0.xxxx.yyyyyy).
6 Execute the following command in Terminal:
sudo ./pmm_osd_image_builder netrestore -s [source-vol] –o [output-
dir]
where [source-vol] is the source volume mount point; [output-dir] is a path where you
want to create the image file.
7 Copy the resulting image file to a location on the server running the Configuration Manager
console.
After you captured the OS X image, you need to add it to Configuration Manager. To do so:
135
Using Parallels Mac Management for Microsoft SCCM
2 In the Distribute Content wizard, select the distribution point where the Parallels NetBoot
server is installed and complete the wizard.
136
Using Parallels Mac Management for Microsoft SCCM
3 You can monitor the content status in the OS X image Summary view. You must wait for the
circle to turn green (as shown in the picture below) before proceeding to the next step. Press
F5 to refresh the view.
Once the image is distributed, the Parallels NetBoot service will create a corresponding package in
the location specified during the NetBoot configuration process.
Processing of an OS X system image takes some time. Before deploying the image to Mac
computers, you can verify that the image is ready. To do so, on the computer running the Parallels
NetBoot server, navigate to the C:\Windows\Logs directory and open the
pma_netboot_service.log file. A successful image processing should have the "New image
distributed: xxxxx" entry at the end (or close to it) in the file.
Once the image is distributed, you need to create a task sequence that will deploy the OS X image
on Mac computers. Read on to learn how to do it.
3 On the General tab page, specify a task sequence name and an optional description.
4 Click the Steps tab and then click Add > Apply OS X Image.
5 Click the Browse button and select the OS X system image that you distributed earlier.
6 Click OK to close the dialog. The new task sequence will appear in the task sequence list
(press F5 to refresh the view).
If you need to modify the task sequence, right-click it and choose Edit Task Sequence for Macs
in the context menu.
You can add other steps to the task sequence that will perform additional actions. These steps are
described in the sub-sections that follow this one.
You can also use task sequence variables to configure settings for task sequence steps and to
define conditions that must be evaluated before running a task sequence. Task sequence variables
are described in the Using Task Sequence Variables section (p. 143).
Join Domain
The Join Domain task sequence step allows you to add a Mac to a domain after an OS X image
has been deployed on it.
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Join Domain.
3 On the Properties tab page, specify a step name and an optional description.
4 In the Domain field, click Browse and then select a domain to join.
5 If you want your Mac computers to be a part of an organizational unit, click Browse in the
Organizational unit field and select an OU container.
6 Specify an account that has permissions to join the domain and the account password.
7 To grant domain users and groups administrative privileges on a Mac, add them to the Allow
administration for groups list.
8 Select the Create mobile accounts at login option to create a mobile account. An account will
be created when a Mac user logs into a Mac for the first time using a domain account.
9 You may customize the step on the Options tab page where you can define conditions and
other options. For more info about conditions, please see Using Task Sequence Variables (p.
143).
138
Using Parallels Mac Management for Microsoft SCCM
Install Package
The Install Package task sequence step is used to install software packages on a Mac as part of a
task sequence execution.
Before adding this step to a task sequence, you need to create a software package as described in
the Creating a Software Package section (p. 112). When preparing a software package to be
used in a task sequence, the program within a package must meet the requirements as described
below.
139
Using Parallels Mac Management for Microsoft SCCM
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Install Package.
3 Specify a step name and an optional description.
4 In the Package field, specify the software package that the step should install.
5 You may customize the step on the Options tab page where you can define conditions and
other options. For more information about conditions, please see Using Task Sequence
Variables (p. 143).
140
Using Parallels Mac Management for Microsoft SCCM
Set Hostname
You can use the Set Hostname task sequence step to set a Mac's hostname.
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Set Hostname.
3 Specify a name for the step and an optional description.
4 In the Hostname field, specify a hostname to be assigned to Mac computers. To assign a
unique hostname to each individual Mac, you can use a task sequence variable as a value. For
example, you may use the %OSDComputerName% built-in variable. Before using the variable
here, you must assign it to a device collection or to individual Mac resources. If you leave the
value of the variable blank, a Mac user will be prompted to enter a hostname when the step is
executed on a Mac. If you assign a value, it will be used to set the Mac's hostname.
5 You may customize the step on the Options tab page where you can define conditions and set
other options. For more info about conditions, please read Using Task Sequence Variables
(p. 143).
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Apply Configuration Profile.
3 Specify a name for the step and a description. The description is optional but highly
recommended (see the information at the end of this section).
4 Click the Import Profile button and select a configuration profile (a file with the ".mobileconfig"
extension).
5 You may customize the step on the Options tab page where you can define conditions and set
other options. For more information about conditions, please read Using Task Sequence
Variables (p. 143).
141
Using Parallels Mac Management for Microsoft SCCM
After you import a configuration profile into the task sequence step and click OK in the Task
Sequence Editor for Macs dialog, the profile data is saved in the task sequence. Please note that
when you open the dialog later, no functionality is provided to preview the configuration profile data.
For this reason, you should enter a meaningful description when creating an Apply Configuration
Profile task sequence step. You can also click the Export Profile button to export the profile
saved in the task sequence to a file. This can come handy if you don't have the original
.mobileconfig file anymore, but would like to review the setting stored in the profile. Once you
export the profile, you can open the resulting .mobileconfig file in the OS X Server's Profile
Manager.
Execute Script
You can use the Execute Script task sequence step to run a script of your choice on Mac
computers during the task sequence execution.
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Execute Script.
3 Specify a name for the step and an optional description.
4 Enter a script into the Script box (type or paste it) or click Load Script and select a file
containing your script. Please note that the total size of the script that you can enter is limited to
16 KB.
5 You may customize the step on the Options tab page where you can define conditions and set
other options. For more information about conditions, please read Using Task Sequence
Variables (p. 143).
When you click OK in the Task Sequence Editor for Macs dialog, the script is saved in the task
sequence. If you need to modify the script later, simply open the dialog again and change it
according to your needs.
Te Execute Script step does not use a default script interpreter, so you must specify it explicitly.
To do so, use a shebang at the beginning of a script:
#! /bin/bash
#! /bin/sh
#! /usr/bin/python
#! /usr/bin/perl
#! /usr/bin/ruby
142
Using Parallels Mac Management for Microsoft SCCM
etc.
If you need to modify a task sequence variable from your script, please use the examples below.
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Group.
3 Specify a name for a group and an optional description.
4 If you want to disable a group and all steps in it, select Disable this step on the Options tab
page.
5 To continue to the next task sequence step outside the group when one of the steps within a
group fails, select the Continue on error option. Please note that if a step within a group fails
and you want to continue to the next step in the same group, the first step must have Continue
on error selected, otherwise the task sequence will continue to the next step outside the group.
6 To add an existing step or a group to an existing group, select the step (or a group) and use the
Move Up and Move Down icons.
7 To add a new step or a subgroup to an existing group, select the group and then click Add >
<step_type> or Add > Group.
8 You can define conditions for the group on the Options tab page. For more info about
conditions, please read Using Task Sequence Variables (p. 143).
143
Using Parallels Mac Management for Microsoft SCCM
A task sequence has many settings that are stored as task sequence variables. Configuration
Manager has built-in task sequence variables that you can evaluate or modify in a task sequence,
and you can create your own task sequence variables.You can define task sequence variables for a
device collection, an individual device, or you can add a variable to a task sequence using the Set
Variable task sequence step.
Task sequence variables in Configuration Manager don't inherit values from their ancestors, which
means that a device collection variable overrides the built-in Configuration Manager variable with
the same name; an individual device variable overrides the device collection variable; and a variable
that is defined in a task sequence overrides them all.
When you define a variable for a collection, individual device, or task sequence, you can specify a
value for it or you can leave it blank. Leaving the value blank is useful if you want Mac users to
specify their own values when a task sequence is executed on a Mac. If you use a variable in a task
sequence that has no value, the Mac user will be prompted to specify it during the task sequence
run.
When specifying a variable in the Task Sequence Editor for Macs, enclose the variable name by
percent sign, i.e %OSDJoinDomainName%.
When you add a step to a task sequence, you can specify certain step properties using task
sequence variables. This enables you to define variables with different values for different device
collections or individual devices and automatically use those values when the task sequence is
deployed to a particular collection or a device.
The following tables list task sequence properties that you can specify using task sequence
variables. The Built-in Variable column lists the corresponding task sequence variables that are
defined in Configuration Manager. When specifying one of the listed task sequence properties
using a variable, you can use these built-in variables. Ultimately, you can define your own variables
for a device collection, device, or a task sequence.
144
Using Parallels Mac Management for Microsoft SCCM
For example, to define the OSDJoinDomainName built-in variable for the Unknown Mac OS X
Systems collection:
The following example demonstrates how you can use the OSDJoinDomainName variable in a
task sequence after it's been defined for the collection:
You can add conditional statements to a task sequence step using task sequence variables. If a
conditional statement evaluates to True, the task sequence step will run. If the statement evaluates
to False, the step will not run.
• In the Task Sequence Editor for Macs, select a step (or create a new one) and then click the
Options tab.
• Click Add > If Statement. This must be the first statement in every condition.
• In the drop-down list, select any, all, or none depending on the logic that you consider.
• Click Add > Task Sequence Variable.
• In the Task Sequence Variable dialog, specify a variable name, a condition (logical operator),
and a value. The variable that you specify must exist either on a device collection level,
individual device level, or in the Set Variables step in the task sequence.
• To add another variable at the same level, click Add > Task Sequence Variable.
• To nest a condition in a condition, select an If statement and click Add > If Statement. The
new condition will appear as nested in the first one.
• To move statements and variables up and down the list, use the Move Up and Move Downs
icons.
Using the provided logical statements and operators you can create conditional statements as
complex as you desire.
One thing to remember is that before you use a variable in a condition, you must make sure that
the variable will be within a scope of the task sequence when it runs. This specifically applies for the
variables defined in the Set Variables step.
In addition to defining task sequence variables for device collections and devices, you can define a
variable for a task sequence. If the variable that you are defining has been defined for a device
collection or individual device, the value that you specify here will override the other two.
1 In the Task Sequence Editor for Macs dialog, click the Steps tab.
2 Click Add > Set Variables.
3 On the Properties tab page, click Add Variable.
4 Specify the variable name and value.
5 Select the Secret value field if you want to hide it in the dialogs.
6 You can add more than one variable to a single Set Variables step.
7 Use the Options tab page to define conditional statements for the step.
You can create a shell script that will run as part of a task sequence. This is especially useful when
you want to read or modify task sequence variables when the task sequence runs on a Mac.
146
Using Parallels Mac Management for Microsoft SCCM
The command-line utility will run inside the task sequence runtime environment.
The path to the utility is made available using the PMM_TS_VARIABLE_UTIL environment variable.
To read task sequence variables, add the --get argument to the command:
a=`"${PMM_TS_VARIABLE_UTIL}" --get a`
The following command reads two variables at once (it can be more than 2):
The following command modifies the values of two variables at once (it can be more than two):
As we mentioned earlier, you can specify a property of a task sequence step using a variable that
has no value. When the task sequence is executed on a Mac, the Mac user will be prompted to
specify a value for such a variable.
Here's how it will look on a Mac during the task sequence execution:
1 The Edit Task Sequence Variables dialog opens. The list contains the task sequence
variables with empty values.
147
Using Parallels Mac Management for Microsoft SCCM
148
Using Parallels Mac Management for Microsoft SCCM
3 On the General page, click the Browse button next to the Collection field and select the target
device collection. If you are deploying OS X on Mac computers that are not enrolled in
Configuration Manager, select the Unknown Mac OS X Systems collection.
4 Click Next.
5 Use the default values on the rest of the pages and complete the wizard.
149
Using Parallels Mac Management for Microsoft SCCM
5 As the last step, the Mac will be enrolled in Configuration Manager and you'll be prompted to
log into OS X.
The following topics describe each step in detail.
1 Start up a Mac to boot from the network (hold down the N key on the keyboard while the Mac
boots).
2 If you added more than one OS X boot image to SCCM, you'll be prompted to choose the one
to boot from.
3 Upon successful boot, the Parallels Task Sequence Wizard will start (some delay is possible
while the Mac establishes a network connection).
4 On the Log In page, enter an AD domain name and your login credentials.
5 Click Continue.
6 On the Select a Task Sequence page, select the task sequence to execute. If the list is empty,
make sure that you deployed the task sequence to the correct collection.
7 Click Continue.
8 The Edit Task Sequence Variables pages will only show up if one or more task sequence
variables used in a task sequence step have empty values (see Set Hostname (p. 141) for an
example).
9 Double click the variable to assign a value to it.
10 Click OK and then click Continue to advance to the next wizard page.
11 On the Select a Destination page, select a destination volume for the OS X image
deployment.
Warning: Clicking Continue on this page will start OS X deployment immediately. You cannot go back.
12 The task sequence will first deploy the OS X system image to the selected volume.
150
Using Parallels Mac Management for Microsoft SCCM
13 Once the OS X is deployed, the Mac will be automatically rebooted from the volume to which
the OS X image was applied. Once it boots back up, the task sequence execution will continue
with the rest of the task sequence steps.
Once network is configured, you will see the Parallels Task Sequence Wizard once again.
If you've added one of each of the available task sequence steps, they'll be executed as follows
(the actual order will depend on how you configured it in the task sequence editor):
1 Join Domain. The step will add the Mac to the specified domain and (if specified) to an
organizational unit.
2 Install Package. This step will silently install the software that you configured it to install.
3 Set Hostname. This step will set the Mac's hostname.
4 Install Parallels Mac Client. This step is added to a task sequence automatically. It installs
Parallels Mac Client on a Mac and enrolls the Mac in Configuration Manager.
Once the task sequence run is complete, you'll be prompted to log into OS X. Once logged in, you
can verify that the Mac has been enrolled in Configuration Manager as part of OS X deployment. To
do so, open System Preferences, then click the Parallels Mac Management icon.
151
Using Parallels Mac Management for Microsoft SCCM
In the dialog that opens, view the Parallels Mac Client properties. If you see properties and values
similar to what is shown in the picture below, the enrollment was successful.
Troubleshooting
The following log becomes available when a Mac boots from the network:
• /Library/Logs/pmm_tswizard.log
You can view the log file in Terminal which can be opened from the Utilities menu. Please note
that after the OS X image is deployed and the Mac is rebooted, the log file will be moved to the
deployed OS partition.
The following logs become available when the Mac is rebooted after the OS X image deployment
step:
• /Library/Logs/pmm_launchd_helper.log
• /Library/Logs/pmm_ts_executor.log
The logs are finalized when the task sequence execution completes. You can view them when
you log into the Mac. To view these logs while the task sequence is executing, connect to the
Mac via SSH and view the logs in the SSH terminal.
152
Using Parallels Mac Management for Microsoft SCCM
Configuration Options
Parallels Mac Management provides you with a number of configuration options that you can use
to deploy OS X updates to Mac computers. This section describes these configurations.
When this configuration is used, OS X updates are installed on Mac computers as follows:
1 Parallels OS X Software Update Point downloads software update catalogs from Apple's
servers and then imports them into WSUS.
2 WSUS is synchronized with SCCM, so the administrator can view and deploy OS X updates
using the Configuration Manager console.
3 The SCCM administrator selects which updates they want to install on Mac computers and
deploys them.
4 Mac computers download deployed updates from Apple's servers, after which the updates are
silently installed on them. If an update requires a Mac restart, the Mac user will have a choice to
postpone the installation.
153
Using Parallels Mac Management for Microsoft SCCM
5 A Mac user can also check for updates available from Apple using the standard OS X
functionality and install any of them.
For the information on how to configure SCCM and deploy OS X updates to Mac computers,
please see Configuring SCCM and Deploying OS X Updates (p. 162).
When this configuration is used, OS X updates are installed on Mac computers as follows:
1 OS X software update catalogs and packages are hosted by a local web server (see Hosting
OS X Update Locally and Setting the Download URL below).
2 Parallels OS X Software Update Point downloads software update catalogs from the local web
server and then imports them into WSUS.
3 WSUS is synchronized with SCCM, so the administrator can view and deploy OS X updates
using the Configuration Manager console.
4 The SCCM administrator selects which updates they want to install on Mac computers and
deploys them.
5 Mac computers download software update catalogs from Parallels OS X Software Update Point
and then download software update packages from the local web server.
6 The deployed updates are silently installed on a Mac. If an update requires a Mac restart, the
Mac user will have a choice to postpone the installation.
7 A Mac user can also check for available updates using the standard OS X functionality and
install any of them. Please note that in this scenario the OS X Software Update service running
on a Mac will use update catalogs that were downloaded from Parallels OS X Software Update
Point (not the catalogs from Apple's servers). Software update packages will be downloaded
from the local web server.
Parallels Mac Management allows you to use locally hosted software update catalogs and
packages, but does not include functionality that replicates them on a local server. To host
software update catalogs and packages locally, you will need to use the Apple's OS X Server or a
third-party software that can replicate them. Replicated catalogs and packages can then be served
by a local web server, so Mac computers can download them via HTTP.
Depending on the software that you are using to replicate software update catalogs and packages,
the local URL for downloading them may be different. For example, if you are using the Apple's OS
X Server (a physical Apple computer with OS X Server as the operating system), the URL may look
like the following:
154
Using Parallels Mac Management for Microsoft SCCM
http://myhost.example.com:8088/index.sucatalog
A third-party software will typically allow you to replicate Apple's software update catalogs and
packages in a folder on your local computer. You will then have to set up a local web server that
will serve this folder, so the URL to it may look lise this:
http://myhost.example.dom/repo/custom-catalog/
Once you have software update catalogs and packages hosted locally and know the download
URL, you need to configure Parallels OS X Software Update Point to use them:
1 Open the Windows registry editor (regedit.exe) on the computer where Parallels OS X Software
Update Point is installed.
2 Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pmm_sup_service
\Parameters
3 Add a String value to the Parameters subkey and name it SusCatalogBaseUrl.
4 Assign the download URL as the SusCatalogBaseUrl value data. The URL will be used by
Parallels OS X Software Update Point to download software update catalogs. Mac computers
will download software update packages using the URL specified in the catalogs, which will
also point to a location on the local web server (the URL inside a catalog is configured by the
software that performs the replication).
5 Finally, you need to restart the Parallels OS X Software Update Point service
(pmm_sup_service) for the changes to take effect.
If later you decide to go back to the default configuration (downloading updates from Apple's
servers), you can simply delete the SusCatalogBaseUrl value from the Parameters subkey.
You now need to configure Parallels Mac Clients to download software update catalogs from
Parallels OS X Software Update Point. To do so, create an SCCM Configuration Item with
discovery and remediation scripts (for instructions on how to use scripts in Configuration Items,
please see Using Scripts to Assess Compliance (p. 106)). When adding scripts, use sample
scripts below to create your own.
Discovery script:
#! /bin/bash
PLIST="/Library/Preferences/com.parallels.pma.agent.plist"
MODE=$(/usr/libexec/PlistBuddy -c "Print :SuCatalogMode" $PLIST 2>/dev/null)
if [ $? != 0 ]; then
MODE=0
fi
echo $MODE
155
Using Parallels Mac Management for Microsoft SCCM
The script above determines which software update configuration the Parallels Mac Client running
on a Mac is currently using. The MODE variable is assigned the value that we are looking for. If
there's an error (e.g. the SuCatalogMode key is absent in the plist file), the MODE variable is
assigned the value of 0 (zero). Finally, the value is returned as a string and passed to the
compliance rule for evaluation.
Compliance rule:
The compliance rule must be set up as shown on the following screenshot (note the properties
marked in red):
156
Using Parallels Mac Management for Microsoft SCCM
Note that the rule evaluates the value returned by the discovery script to be equal to 1 (one), which
is the mode that we are setting up (see below for other possible modes). If the value complies, the
Configuration Item simply exits without modifying anything. If the value doesn't comply (is not equal
to 1), then the compliance rule executes the remediation script that will set it to 1.
The script above sets the value of the SuCatalogMode key to 1, thus configuring Parallels Mac
Client to download software update catalogs from Parallels OS X Software Update Point.
When finished creating or modifying the Configuration Item, add it to a Configuration Baseline and
then deploy it to a collection containing your Mac computers.
For the information on how to configure SCCM and deploy OS X updates to Mac, please see
Configuring SCCM and Deploying OS X Updates (p. 162).
When this configuration is used, OS X updates are installed on Mac computers as follows:
1 Parallels OS X Software Update Point downloads OS X update catalogs from Apple's servers or
the local server (depending on the configuration) and then imports them into WSUS.
2 WSUS is synchronized with SCCM, so the administrator can view and deploy OS X updates
using the Configuration Manager console.
3 The SCCM administrator selects which updates they want to install on Mac computers and
deploys them.
4 Mac computers download full software update catalogs from Apple's servers or Parallels OS X
Software Update Point (depending on the configuration). The catalogs are then filtered to
include only the updates that the administrator has deployed in SCCM. If a Mac user now
checks for available updates using the standard OS X functionality, they will see only the
updates that were deployed.
157
Using Parallels Mac Management for Microsoft SCCM
5 Mac computers download software update packages from the location specified in a catalog
(Apple's servers or a local server).
6 The deployed updates are silently installed on a Mac. If an update requires a Mac restart, the
Mac user will have a choice to postpone the installation.
7 If a Mac user now checks for updates using the standard OS X functionality, they will see only
the updates that were deployed (or none at all if the updates have already been installed on this
Mac).
To configure Parallels Mac Clients to use this scenario, create an SCCM Configuration Item with
discovery and remediation scripts (for instructions on how to use scripts in Configuration Items,
please see Using Scripts to Assess Compliance (p. 106)). When adding scripts, use sample
scripts below to create your own.
Discovery script:
#! /bin/bash
PLIST="/Library/Preferences/com.parallels.pma.agent.plist"
MODE=$(/usr/libexec/PlistBuddy -c "Print :SuCatalogMode" $PLIST 2>/dev/null)
if [ $? != 0 ]; then
MODE=0
fi
echo $MODE
The script above determines which software update configuration the Parallels Mac Client running
on a Mac is currently using. The MODE variable is assigned the value that we are looking for. If
there's an error (e.g. the SuCatalogMode key is absent in the plist file), the MODE variable is
assigned the value of 0 (zero). The value of the MODE variable is then returned as a string and
passed to the compliance rule for evaluation.
Compliance rule:
158
Using Parallels Mac Management for Microsoft SCCM
The compliance rule must be set up as shown on the following screenshot (note the properties
marked in red):
Note that the rule evaluates the value returned by the discovery script to be equal to 2 (two), which
is the mode that we are setting up. If the value complies, the Configuration Item simply exits without
modifying anything. If the value doesn't comply (is not equal to 2), then the compliance rule
executes the remediation script that will set it to 2.
Remediation script:
#! /bin/bash -s -
PLIST="/Library/Preferences/com.parallels.pma.agent.plist"
MODE=2
159
Using Parallels Mac Management for Microsoft SCCM
The script above sets the value of the SuCatalogMode key to 2, thus configuring Parallels Mac
Client to use the scenario described in this section.
When finished creating or modifying the Configuration Item, add it to a Configuration Baseline and
then deploy it to a collection containing your Mac computers.
For the information on how to configure SCCM and deploy OS X updates to Mac, please see
Configuring SCCM and Deploying OS X Updates (p. 162).
Hosting software update catalogs and packages locally is optional when using the configuration
described above. You may consider it if you want to minimize the Internet traffic in your
organization.
Please note that Parallels Mac Management allows you to use locally hosted update catalogs and
packages, but does not include functionality that replicates them on a local server. To host catalogs
and packages locally, you will need to use the Apple's OS X Server or a third-party software that
can replicate OS X software update catalogs and packages on a local server. Replicated catalogs
and updates can then be served by a local web server, so Parallels OS X Software Update Point
and Mac computers can download them via HTTP.
Depending on the software that you are using to replicate software update catalogs and packages,
the URL for downloading them may be different. For example, if you are using the Apple's OS X
Server (a physical Apple computer with OS X Server as the operating system), the URL may look
like the following:
http://myhost.example.com:8088/index.sucatalog
A third-party software will typically allow you to replicate OS X catalogs and packages in a folder on
your local server. You will then have to set up a local web server that will serve this folder, so the
URL to it may look lise this:
http://myhost.example.dom/repo/custom-catalog/
Once you have the updates hosted locally and know the download URL, do the following:
1 Open the Windows registry editor (regedit.exe) on the computer where Parallels OS X Software
Update Point is installed.
2 Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pmm_sup_service
\Parameters
3 Add a String value to the Parameters subkey and name it SusCatalogBaseUrl.
4 Assign the download URL as the SusCatalogBaseUrl value data.
160
Using Parallels Mac Management for Microsoft SCCM
5 Finally, you need to restart the Parallels OS X Software Update Point service
(pmm_sup_service) for the changes to take effect.
If later you decide to go back to the default configuration (i.e. downloading updates from Apple's
servers), you can simply delete the SusCatalogBaseUrl value from the Parameters subkey.
1 Log into the computer where Parallels OS X Software Update Point is installed.
2 Open the Registry Editor (regedit.exe) and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pmm_sup_service\Pa
rameters
By default, the Parameters subkey doesn't contain any values. To modify the Parallels OS X
Software Update Point configuration, you need to add the appropriate values to the Parameters
subkey as described in the following subsections.
161
Using Parallels Mac Management for Microsoft SCCM
To switch back to a dynamic port, delete the HttpServerPort value from the key.
162
Using Parallels Mac Management for Microsoft SCCM
%Windir%\Logs\pmm\pmm_sup_service.log file.
If you already have a synchronization scheduled, you can either wait for it to complete or you can
start it manually. This is necessary for the Apple option to appear in the Software Update Point
Component Properties dialog, as you will see later in this topic.
163
Using Parallels Mac Management for Microsoft SCCM
3 Wait for the synchronization to complete. You can monitor the process in the Monitoring /
Overview / System Status / Component Status / SMS_WSUS_SYNC_MANAGER.
164
Using Parallels Mac Management for Microsoft SCCM
4 In the message viewer, you will see the "WSUS Synchronization done" record.
You now need to configure the Software Update Point role to synchronize Apple software updates.
To do so, follow these steps:
1 Navigate to Administration / Overview / Site Configuration / Sites.
165
Using Parallels Mac Management for Microsoft SCCM
2 Right-click your site and choose Configure Site Component > Software Update Point.
166
Using Parallels Mac Management for Microsoft SCCM
167
Using Parallels Mac Management for Microsoft SCCM
Note: If the Apple product is not present on the Products tab page it's because the software update
point did not synchronize with WSUS after the Apple software updates were imported. In such a case
try repeating the steps described in this topic from the beginning.
168
Using Parallels Mac Management for Microsoft SCCM
169
Using Parallels Mac Management for Microsoft SCCM
2 You will see available OS X updates in the Software Library / Overview / Software Updates /
All Software Updates.
To deploy the updates, create a Software Update Group and then deploy it to a collection of Mac
computers. Mac computers will process policies according to the policy polling interval. When
policies with software update assignments are delivered to a Mac, the Parallels Mac Client running
on it will evaluate assignments and install assigned updates if necessary. If an update requires a
restart, the Mac user will have a choice to postpone the installation. A restart will NOT be
performed without user's approval, even if the deadline for an assignment has been reached.
170
Using Parallels Mac Management for Microsoft SCCM
A Mac doesn't have to be enrolled in SCCM to deploy a script to it. A connection with a Mac is
established vis SSH regardless of whether it is enrolled in SCCM or not.
1 In the Configuration Manager console, navigate to the collection containing your Mac
computers.
2 Select a Mac or multiple Mac computers using the Ctrl key, or select the entire collection if
needed. Right-click the selection and choose Execute Script in the context menu.
3 The Execute Script On Macs dialog opens.
4 Browse for and select a script file to be deployed or enter the script into the Edit script box.
5 Click Next.
6 On the next screen, specify whether you want to run the script on a Mac with administrative
privileges and the timeout value.
7 Click Next.
8 The next screen allows you to configure an SSH connection. You need to specify a user
account that should be used to establish a connection with individual Mac computers. You
have the following choices:
• Use account from Parallels Mac Client Push Installation properties. With this option
selected, an SSH connection will be established using the account that you specified in
Parallels Mac Client push installation properties (p. 59).
• Use this account. Select this option and then specify an account name and password.
9 Click Next to deploy the script.
10 A dialog will open displaying a progress bar (number of processed Mac computers). If a
connection with a Mac cannot be established, the information about it can be viewed by
clicking the Details button. The list that opens will contain only the Mac computers that could
not be reached. You can right-click a Mac in the list for more options, which include viewing
Mac computers properties and copying the Mac information to the clipboard.
11 You can click Hide to hide the progress dialog and continue the deployment process in the
background. To cancel deployment, click Cancel.
171
Using Parallels Mac Management for Microsoft SCCM
172
Using Parallels Mac Management for Microsoft SCCM
6 To specify enrollment details, you need to create one or more enrollment profiles and assigning
them to selected Mac computers.
7 When a newly purchased Mac is started for the first time, it will be configured according to the
enrollment profile assigned to it, and will then be enrolled in SCCM automatically.
If at the time of the initial setup a Mac is not connected to your organization's network, Parallels
Mac Client will be installed on it, but the Mac will not be enrolled in SCCM. As soon as the Mac
is connected to the network, Parallels Mac Client will connect to Parallels Proxy and will enroll
the Mac in SCCM.
Read on to learn how to configure Parallels Mac Management for Microsoft SCCM to enable the
DEP functionality and how to use it.
Export a certificate
To export a certificate:
1 Log in to the server where you have the Parallels Proxy installed (that's where the local DEP
server is automatically installed).
2 Run the Microsoft Management Console (mmc.exe).
3 In the console, click File > Add/Remove Snap-in in the main menu.
4 In the Add or Remove Snap-ins dialog, select Certificates in the Available snap-ins list.
5 Click the Add button.
6 On the Certificates snap-in wizard page, select Computer account and click Next.
7 On the Select Computer page, select Local computer and click Finish.
8 Click OK to close the Add or Remote Snap-ins dialog.
173
Using Parallels Mac Management for Microsoft SCCM
9 In the console, navigate to Certificates (Local Computer) > Personal > Certificates.
10 Right-click a certificate where the Issued To column says "Parallels DEP Service" and choose
All Tasks > Export in the context menu.
11 In the Certificate Export Wizard, click Next.
12 On the Export Private Key page, select No, do not export the private key and click Next.
13 On the Export File Format page, select DER encoded binary X.509 (.CER) and click Next.
14 Specify a file name and click Next.
15 Click Finish.
After you've exported the certificate, you need to import it to the MDM Server. To do so:
1 Log in to the computer where you have Parallels MDM Server installed and copy the exported
certificate file to it.
2 Open the Microsoft Management Console (mmc.exe).
3 In the console, click File > Add/Remove Snap-in in main menu.
4 In the Add or Remove Snap-ins dialog, select Certificates in the Available snap-ins list.
5 Click the Add button.
6 On the Certificates snap-in wizard page, select Computer account and click Next.
7 On the Select Computer page, select Local computer and click Finish.
8 Click OK to close the Add or Remote Snap-ins dialog.
9 In the console, navigate to Certificates (Local Computer) > Personal > Certificates.
10 Right-click on Certificates and click All Tasks > Import in the context menu.
11 In the Certificate Import Wizard, click Next.
12 On the File to Import page, click Browse and select the certificate file.
13 Click Next.
14 On the Certificate Store page, make sure the Place all certificates in the following store
option is set to Personal and click Next.
15 Click Finish.
175
Using Parallels Mac Management for Microsoft SCCM
14 The list of Mac computers assigned to DEP will now be retrieved from the DEP account. You
can view these Mac computers in the Configuration Manager console at the following location:
Administration / Parallels Mac Management / Device Enrollment Program / Devices. We'll
talk more about managing devices in Deploying and Managing Devices (p. 178).
To view the properties of a DEP link, right-click it and choose Properties. The DEP Link
Properties dialog opens displaying the information. If you need to reconfigure a DEP link to pair
with another virtual MDM server or with another Parallels MDM server, click the Configure button
on the DEP Link Properties dialog. A warning message will be displayed to prevent accidental
changes. You can then repeat the steps described above to reconfigure the link.
You now need to create an enrollment profile and assign it Mac computers. Read on to learn how
to do it.
Parallels Mac Management provides you with the functionality to create enrollment profiles right in
the Configuration Manager console. This section describes how to use this functionality.
General Information
1 Specify the profile name, so it can be easily identified in the Configuration Manager console and
on the DEP website.
2 Specify the support phone number, email address, and department name if needed (these
properties are optional).
3 Supervise devices. If selected, the device supervision during the enrollment process will be
allowed.
176
Using Parallels Mac Management for Microsoft SCCM
4 Allow profile removal. If cleared, a user will not be able to remove the profile from a Mac. Note
that this option can be cleared only if the Supervise devices option (above) is selected. By
default, this option is selected (i.e. users will be able to remove the profile).
5 This profile is mandatory. If selected, a user will be required to apply the profile on a Mac.
6 When done, click Next to continue.
User Experience
On this page, select the steps to exclude from the Setup Assistant, which will run during the
enrollment process. These are the standard DEP enrollment steps. When done, click Next to
continue.
MDM Profile
This page allows you to specify an OS X Configuration Profile to use as an MDM profile. Do the
following:
1 Click the Upload Profile button and select a profile (a file with the ".mobileconfig" extension).
2 When the profile is uploaded, the contents of the profile will be displayed in the read-only text
field as raw XML.
Note that if a profile contains the MDM payload, it will be replaced with the automatically
generated MDM payload containing specific settings.
3 Click Next to create an enrollment profile and push it to the Apple DEP. A progress bar is
displayed while the profile is uploaded.
4 Click Finish to close the wizard.
Please note that you cannot edit an existing device enrollment profile, because editing is not
supported by the Apple DEP.
If needed, you can create multiple enrollment profiles and then assign different profiles to different
groups of Mac computers according to your needs.
177
Using Parallels Mac Management for Microsoft SCCM
5 Note that except for downloading a profile, you cannot change any settings in this dialog. The
reason for this is Apple doesn't support editing of device enrollment profiles.
To delete a profile, right-click it and choose Delete. If a profile was already used in the past, a
warning message will be displayed to prevent an accidental removal of a valid and potentially useful
enrollment profile.
1 Select one or more Mac computers, then right-click on the selection and choose Assign Site.
The Device Site Assignment dialog opens.
2 Select a desired site in the list and click OK to assign the selected devices to this site.
To view the properties of a Mac computer, right-click it and choose Properties. The Device
Properties dialog opens displaying the following properties:
• Assigned SCCM site: the name of the site to which this device is assigned.
• Enrollment status: displays one of the following:
Not assigned — no enrollment profile is assigned to the device.
Assigned — a profile is assigned but the device is not enrolled in SCCM.
Enrolled — a profile is assigned and the device is enrolled in SCCM.
Disowned — the device disowned and removed from SCCM (not reversible).
178
Using Parallels Mac Management for Microsoft SCCM
• OS: The device’s operating system: "iOS" or "OSX". This option is valid in X-Server-Protocol-
Version 2 and later.
• Device family: Apple product family (iPad, iPhone, iPod, or Mac). This option is valid in X-
Server-Protocol-Version 2 and later.
• Serial number: The device serial number.
• Model: Model name.
• Description: - Device description.
• Color: The color of the device (string).
• Asset tag: The device’s asset tag (string).
• Device assigned by: The email of the person who assigned this device.
• Device assigned date: A time stamp in ISO 8601 format indicating when the device was
assigned to the MDM server.
• Profile status: Profile installation status. Can be one of the following:
empty (if this value is displayed, no other profile fields are shown)
assigned
pushed
removed
• Profile uuid: The unique ID of the assigned profile.
• Profile assign time: A time stamp in ISO 8601 format indicating when a profile was assigned
to the device.
• Profile push time: A time stamp in ISO 8601 format indicating when a profile was pushed to
the device.
179
Using Parallels Mac Management for Microsoft SCCM
Parallels Mac Management for Microsoft SCCM enables you to deploy Parallels Desktop to Mac
computers. Deploying Parallels Desktop is similar to deploying other software: you create a
distribution package, add a program to it, copy the package to a distribution point, and create an
advertisement (see Deploying Software via SCCM Package Deployment (p. 112)). Parallels
Desktop deployment adds a few extra steps, which are described below.
Note: The instructions below describe the Mass Deployment feature, which is only supported by
Parallels Desktop for Mac Business Edition. Other Parallels Desktop editions do not support it.
Parallels provides a special software package that can be used to mass deploy Parallels Desktop to
many Mac computers at once.
http://download.parallels.com/desktop/tools/pd-autodeploy.zip
2 Unzip the file. You should see the Parallels Desktop Business mass deployment
package vx.x.x folder (where x.x.x is the package version number).
3 Open the folder and navigate to Parallels Desktop Autodeploy.pkg\Parallels
folder, which should contain the deploy.cfg file.
4 Open the file in WordPad (or other advanced text editor), find the License section and type
your Parallels Desktop license number as a value of the license_key variable. Save the file.
5 Copy the Parallels Desktop installation disk image (.dmg file) to the Parallels Desktop
Autodeploy.pkg\Parallels folder where the deploy.cfg file is residing.
If you would like to distribute one or more virtual machines together with Parallels Desktop, you
have to add them to the deployment package. To include a virtual machine, locate the virtual
machine bundle (the file with the .pvm extension) and copy it to the Parallels Desktop
Autodeploy.pkg\Parallels folder.
Parallels Desktop and a source virtual machine can be configured before deployment in a number
of ways according to your requirements. This includes the general virtual machine configuration
parameters, such as the number of CPUs, available RAM, hard disk size, etc., as well as additional
configuration options. For the complete information on how to customize Parallels Desktop and
virtual machines before the deployment, please read the Parallels Desktop Business Edition for
IT Administrators guide.
The Parallels Desktop deployment package is distributed to Mac computers using the standard
Configuration Manager functionality:
1 In the Configuration Manager console, navigate to Software Library / Overview / Application
Management / Packages.
2 On the toolbar, click Create Package. Use the Create Package and Program Wizard to
create a software distribution package and program.
3 On the Package page, specify the package name and an optional description, manufacturer,
language, and version information. Select the This package contains source files option and
click Browse. Select the folder that contains the Parallels Desktop Autodeploy.pkg
folder. Please note that you must select the parent folder of the Parallels Desktop
Autodeploy.pkg folder, NOT the .pkg folder itself.
4 Click Next.
5 On the Program Type page, select the Standard program item and click Next.
6 On the Standard Program page, specify the information about the program. You can create a
package that will require user interaction or a package that will install automatically.
181
Using Parallels Mac Management for Microsoft SCCM
• To create a package requiring user interaction, type the following in the Command line
field:
chmod 700 "Parallels Desktop
Autodeploy.pkg/Contents/Resources/postflight" &&
/System/Library/CoreServices/Installer.app/Contents/MacOS/Installe
r "Parallels Desktop Autodeploy.pkg"
Specify the Run mode as Run with administrative rights and select the Allow user to
view and interact with the program installation option.
• To create a package that will install automatically, the command line should be:
chmod 700 "Parallels Desktop
Autodeploy.pkg/Contents/Resources/postflight" && installer -pkg
"Parallels Desktop Autodeploy.pkg" -target /
DO NOT select the Allow user to view and interact with the program installation option.
7 When done specifying the program information, click Next.
8 Click Next on the Requirements page.
9 Review the summary and click Next to create the package.
To send a copy of the package to a distribution point, right-click the package of interest and click
Distribute Content in the context menu. Use the Distribute Content Wizard to specify a
distribution point to which you want to send the package.
Please make sure that the distribution point is properly configured as described in the Configuring
a Distribution Point section.
1 In the Configuration Manager console, right-click the package and then click Deploy in the
context menu. The Deploy Software Wizard opens.
2 On the General page, click the Browse button next to the Collection field and select the
collection containing the desired Mac resources (e.g. All Mac OS X Systems). Click OK and
then click Next.
3 On the Content page, verify the distribution point info and click Next.
4 Click Next on the Deployment Settings page.
5 On the Scheduling page, specify the schedule for this deployment. Click New to specify the
assignment schedule. When done, click Next.
6 Use the default values on the rest of the wizard pages and complete the wizard.
182
Using Parallels Mac Management for Microsoft SCCM
The package will be advertised to Mac computers in the specified collection and will be distributed
to them according to the schedule that you specified.
See also Viewing the Status of a Package (p. 116) for the information on how to see the package
distribution results.
The native Configuration Manager client software can be deployed to Windows virtual machines
using the Parallels Mac Management software distribution feature. The steps are as follows:
1 Configure a distribution point.
2 Create a software distribution package.
3 Create a program.
4 Send the package to the distribution point.
5 Deploy the software.
The rest of this section describes how to create a software distribution package (step 2 in the list
above) and a program containing instructions to install the client software in Windows (step 3). The
rest of the steps have no specific requirements and are performed normally.
Prerequisites
Before creating a package, verify that the following requirements are met:
• Windows running in a Parallels virtual machine is a member of the same domain as the
Configuration Management site.
• Windows has Parallels Tools installed.
A software distribution package is a container for an application, file, or information that need to be
applied to client computers. In this instance, the package will contain the Configuration Manager
client software and a special file containing command-line instructions that you have to create prior
to creating a package.
183
Using Parallels Mac Management for Microsoft SCCM
To create a command line file, on the computer running the Configuration Manager console,
navigate to the C:\Program Files (x86)\Microsoft Configuration
Manager\Client directory. The directory should contain the Configuration Manager client
software. Create a text file in the directory and name it install_agent_for_vm.cmd. Copy and
paste the following instructions into the file:
The command line above uses two variables: <sitecode> and <mp hostname>. Substitute the
variables as follows:
Create a distribution package and a program as described in the Software Distribution section.
When creating a package, specify the Configuration Manager client agent directory as the source.
When specifying the command line for a program, use the following line:
:::osname=^Windows.*$!vmname=^.*$!checkversion=%SYSTEMROOT%\CCM\LSInter
face.dll|4.0.6487.2177!cmdline= install_agent_for_vm.cmd
When the package is created, send it to a distribution point and specify the deployment settings.
See Deploying Software via SCCM Package Deployment (p. 112) for details.
After you install the Configuration Manager client agent in a Windows virtual machine, the machine
can be managed from the Configuration Manager console. Please note that depending on the
networking mode used by the virtual machine, some of the standard SCCM management functions
may not work. Please read the explanation below.
A Parallels virtual machine can be configured to operate in one of the following networking modes:
• Host-only. This networking mode completely hides the virtual machine from the outside world,
so it cannot be managed by the Configuration Manager.
• Bridged. This mode makes the virtual machine appear on your local network and the Internet
as a standalone computer, so it can be fully managed by the Configuration Manager just like a
physical Windows machine.
184
Using Parallels Mac Management for Microsoft SCCM
• Shared. A machine that operates in this mode has full network access, but cannot be
accessed by other computers on your network. This means that the Configuration Manager
features that need to connect to the virtual machine will not work. For example, the Remote
Tools feature will not work. However, the SCCM client agent running in a virtual machine can
communicate with the Configuration Manager, so features like software distribution, compliance
settings, hardware and software inventory will work. In general, if a management task is initiated
and performed by the client agent, it will work. If a task is initiated on the Configuration Manager
site and then tries to connect to the client agent running in a virtual machine, it will not work.
To set the networking mode for a Parallels virtual machine, open the virtual machine in Parallels
Desktop, select Virtual Machine in the Parallels Desktop menu, and click Configure. In the virtual
machine configuration dialog, click the Hardware tab and then select Network 1 (or the network
adapter of interest) in the list. Use the Type drop-down list box to set the network type.
To use the Remote Assistance feature, open the Configuration Manager console, find a Mac that
you want to connect to and right-click it. In the context menu, point to Parallels Management
Tools, and click one of the following connection options:
• Connect via VNC. This option uses the Virtual Network Computing graphical desktop sharing
system, which lets you remotely control the OS X desktop.
• Connect via SSH. This option uses the Secure Shell (SSH) protocol to access a shell account
on a remote Mac and execute commands in OS X.
Parallels Mac Management uses third-party VNC and SSH client utilities that are installed in
Windows automatically when you install the Configuration Manager Console Extension component.
A VNC server and an SSH server are included in every edition of OS X and are installed on a Mac
by default. The following describes how to set up and use each connection option.
Before using this feature, the OS X Remote Management service must be enabled on each
individual Mac.
185
Using Parallels Mac Management for Microsoft SCCM
4 In the Service list, select Remote Management and enable it by selecting the On checkbox.
5 Click the Computer Settings button and then select the VNC viewers may control screen
with password checkbox.
6 Choose a VNC password and enter it in the field provided. You will later use the password to
establish a VNC connection with the Mac. Whether you choose the same VNC password for all
Mac computers in your organization (for simplicity) or a unique password on each Mac depends
on your security policies.
7 Click OK.
8 Close System Preferences.
When you select the Connect via VNC option in the Configuration Manager console, the VNC
viewer application starts and asks you to enter the Mac user ID and the VNC password. If the
credentials are valid, a window is displayed where you can remotely control the OS X desktop.
Before using this feature, the SSH service must be enabled on each individual Mac.
To enable SSH in OS X:
1 Log into a Mac.
2 Open System Preferences.
3 Choose View > Sharing, or click Sharing.
4 In the Service list, select Remote Login and enable it by selecting the On checkbox.
5 Close System Preferences.
When you select the Connect via SSH option in the Configuration Manager console, the SSH
client application starts and asks you to enter the Mac user ID and password. If the credentials are
valid, an SSH window opens where you can type and execute commands in OS X.
186
Using Parallels Mac Management for Microsoft SCCM
1 In the Configuration Manager console, navigate to the Mac you're having a problem with (or any
Mac if you can't pinpoint it), right-click it and select Parallels Management Tools > Send
Problem Report.
2 In the Problem Report for Parallels Mac Management for Microsoft SCCM dialog, type a
message that will be appended to the report and then click Send Report.
3 A window with a progress bar will open informing you of the information gathering progress.
The problem report data gathering consists of the following steps (transparent to the user):
1 The Configuration Manager Console Extension information is collected and is sent to the
Parallels Configuration Manager Proxy together with the selected Mac identifier.
2 The Parallels Configuration Manager Proxy collects its own data and then requests the data
from the specified Mac computer.
3 The Parallels Mac Client collects its data and sends it back to the Configuration Manager Proxy.
4 The Configuration Manager Proxy merges individual reports into a single one and sends it to
Parallels Support.
The final report will contain combined information gathered from all three components: Parallels
Configuration Manager Proxy, Console Extension, and the Mac that was selected. After the
problem report is sent to Parallels, a dialog will open displaying the report ID. If you would like to
request help with the issue, you can submit a ticket to Parallels Support and include this ID for
reference.
If you receive an error while using the reporting feature, make sure that the Configuration Manager
Proxy and the Mac are running and accessible. If for some reason you cannot start or access the
Configuration Manager Proxy or the Mac, you can use the available standalone reporting utilities,
which are described in the following section.
To run the utility, go to Start > Apps > Parallels and click the Send Problem Report application.
The Send Problem Report dialog opens and the data gathering process begins. Once the report
is generated, a message is displayed in the dialog specifying a temporary location on the local hard
drive where the report file was saved. In the dialog, do one of the following:
• Click the Send button to send the report to Parallels Support. After the report is sent, a
message box containing the problem report number is displayed. You can use this number for
future reference. The report file is automatically deleted from the temporary location.
187
Using Parallels Mac Management for Microsoft SCCM
• Click Cancel to close the dialog without sending the report. If the utility is run on the computer
where the Parallels Configuration Manager Proxy is installed, the report file will be forwarded to
Configuration Manager Proxy, which will notify the Problem Monitor about it. You can then use
the Problem Monitor to view the report summary and to send it to Parallels Support. For the
information about Problem Monitor, see Using Problem Monitoring Utility (p. 188). If the utility
is run on the computer where only the Configuration Manager Console Extension is installed,
the report file will be deleted from the temporary directly and no other actions will be performed.
The problem monitor runs in the background with a notifier in the Windows taskbar notification area
(also called the "system tray"). It receives problem report notifications from the Configuration
Manager Proxy and notifies the IT administrator when the reports are available. The following list
describes how the monitor interacts with the Configuration Manager Proxy and the administrator:
1 If there's a problem with Parallels Mac Management, the Parallels Configuration Manager Proxy
generates a report, saves it to a local file, and sends a notification to the problem monitor that a
new report is available.
2 The problem monitor receives the notification and displays a balloon tip in the notification area
informing the administrator of a new report.
3 The administrator can open the problem report list, which is populated with the names of the
available reports and some basic info about them.
4 The administrator can then send a report to Parallels Support, delete it, or close the list and
return to it later.
The rest of this section describes how to use the problem monitor.
188
Using Parallels Mac Management for Microsoft SCCM
The monitor starts automatically after you complete the Parallels Mac Management installation. It
also starts automatically when the computer is rebooted and a user logs in to Windows. If the user
is not authorized to access the computer where the Parallels Configuration Manager Proxy is
running, a dialog is displayed asking the user to enter a user name and password. After the
problem monitor is connected to the Configuration Manager Proxy, it adds a notifier to the taskbar
notification area.
To terminate the problem monitor, right click its icon in the notification area and select Exit from the
context menu. To manually start the monitor, go to Start / Apps / Parallels and click Problem
Monitor. When the monitor starts, it immediately requests problem report information from the
Configuration Manager Proxy. If there are new problem reports, a balloon tip is displayed.
By default the problem report icon in the notification area is hidden. To make it always appear,
right-click the notification area and select Customize notification icons in the context menu.
Change the behavior of the Problem monitor utility to "Show icons and notifications".
Depending on the problem monitor status, its icon will be one of the following:
To view the problem report list, click the balloon to open the Problem Reports dialog. If the
balloon is not currently displayed, right-click the problem monitor icon and select Show Problem
Reports from the context menu (or you can simply click the icon).
Each row in the list contains information about an individual report and has the following columns:
• Created — contains the date and time when the report was created.
• Proxy info — if set to "Yes", indicates that the report contains the information related to the
Parallels Configuration Manager Proxy.
• Mac info — if set to "Yes", indicates the the report contains the information related to a
managed Mac computer.
189
Using Parallels Mac Management for Microsoft SCCM
• Description — specifies whether the report was generated automatically or manually by a user.
If there are no problem reports on the server, the list will be empty.
To perform an action on a report, select the report of interest from the list and click one of the
available buttons:
• Click Send to send the selected problem report to Parallels Support. After the report is sent, it
is removed from the server on which it resides.
• Click Delete to delete the selected report from the list and the server on which it resides.
• Click Close to closes the dialog. The reports will remain in the problem monitor report list and
the report files will remain in their original locations.
The problem monitor maintains an activity log, which contains the information about the operations
that were performed on the reports. To view the problem report activity log, right-click the problem
monitor icon in the notification area and select Problem Reports Log from the context menu. The
Problem Report Operations Log dialog opens. Each entry in the log describes an individual
operation that was performed on a report. This is a read-only information provided as a reference. If
a report operation included sending it to Parallels Support, the entry will include the report ID, which
can be used when following up on the report with Parallels Support.
190
Using Parallels Mac Management for Microsoft SCCM
While the collection or individual Mac computers are selected, right-click on them and then click
Parallels Management Tools > Machine Policy Retrieval and Evaluation Cycle in the
context menu.
3 The Requesting Mac Clients to Download Policies dialog opens and the policy retrieval
initiation operation begins automatically. The progress bar informs you of how many Mac
computers have been processed.
4 While the operation is in progress, you can hide the dialog by clicking the Hide button or by
simply closing the dialog. The policy retrieval operation will continue to run in the background. If
you want to cancel the operation, click Cancel.
5 You can initiate another policy retrieval operation while the current operation is still in progress.
To do so, simply repeat the steps above. Additional Mac computers that you select this time will
be added to the list of the currently processed Mac computers and the operation will continue
uninterrupted.
6 When all Mac computers are processed, you can view the results of the operation by clicking
the Details button. If the button is disabled, it means that all Mac computers were processed
successfully. This means that the policy retrieval operation has been initiated on all selected
Mac computers. If the button is enabled, clicking it displays the list of Mac computers that the
Parallels Configuration Manager Proxy was unable to connect to. The Status column of the list
will contain one of the following:
• Offline — the Mac is turned off or unreachable.
• Connection refused — the Mac was reachable but the connection was refused by it.
• No client installed — the Mac doesn't have the Parallels Mac Client installed on it.
• Not a Mac — the resource is not a Mac computer.
You can sort the list by Resource Name or Status by clicking the corresponding column
header.
191
CHAPTER 6
Appendices
In This Chapter
Logging.................................................................................................................. 192
Changing Log File Rotation Limits ........................................................................... 196
Parallels Mac Management Database ..................................................................... 197
Logging
Parallels Mac Management maintains its own log files which capture information about its
processes. The log files are created and maintained for each component including Parallels
Configuration Manager Proxy, Configuration Manager Console Extension, and clients running on
individual Mac computers. Some information about Parallels Mac Management processes is also
recorded in the System Center Configuration Manager log files. You can use the information
contained in the log files to help you troubleshoot issues that might occur in the Parallels Mac
Management for Microsoft SCCM.
The Parallels Mac Management log files are located in the following directories:
The following table describes the Parallels Mac Management for Microsoft SCCM log files:
Component Log File Name Log File Description
Parallels Configuration pma_setup.log This log file is created during the SCCM Proxy
Manager Proxy installation. It contains information about the
installation procedures and the changes they
make to the system.
Please note that when the SCCM Proxy and
the SCCM Console Extension components
are installed on the same computer, the
pma_setup.log is shared between them.
Appendices
193
Appendices
Some of the Parallels Mac Management process information is recorded in the SCCM log files. You
may examine these files in addition to the log files described above. Please note that SCCM creates
these files on the fly and not all of them may actually exist.
The following table describes the Site Server log files which are located in the
<SCCM_InstallationPath>\LOGS folder. The files may contain information about the SCCM
Proxy component.
Log file Log file description
Colleval.log Records activities when collections are created, changed, and deleted by the
Collection Evaluator.
Dataldr.log Processes Management Information Format (MIF) files and hardware inventory in
the Configuration Manager database.
Ddm.log Saves DDR information to the Configuration Manager database by the Discovery
Data Manager.
Distmgr.log Records package creation, compression, delta replication, and information
updates.
Offermgr.log Records advertisement updates.
Offersum.log Records summarization of advertisement status messages.
Policypv.log Records updates to the client policies to reflect changes to client settings or
advertisements.
Smsprov.log Records WMI provider access to the site database.
statesys.log Records the processing of state system messages.
The following table describes the Management Point log files, which are located in the
%ProgramFiles%\SMS_CCM\Logs folder. The files may contain information about the SCCM
Proxy component.
Log file Log file description
MP_CliReg.log Records the client registration activity processed by the management point.
194
Appendices
MP_Ddr.log Records the conversion of XML.ddr records from clients, and copies them to the
site server.
MP_Framework.log Records the activities of the core management point and client framework
components.
MP_GetAuth.log Records the status of the site management points.
MP_GetPolicy.log Records policy information.
MP_Hinv.log Converts XML hardware inventory records from clients and copies the files to the
site server.
MP_Location.log Records location manager tasks.
MP_OOBMgr.log Records the management point activities related to receiving OTP form a client.
MP_Policy.log Records policy communication.
MP_Relay.log Copies files that are collected from the client.
MP_Retry.log Records the hardware inventory retry processes.
MP_Sinv.log Converts XML software inventory records from clients and copies them to the site
server.
MP_SinvCollFile.log Records details about file collection.
MP_Status.log Converts XML.svf status message files from clients and copies them to the site
server.
The following table describes the Admin UI log files, which are located in the
<SCCM_InstallationPath>\AdminUI\AdminUILog directory. The files may contain
information about the Configuration Manager Console Extension component.
Log file Log file description
ResourceExplorer.log Records errors, warnings, and information about running the Resource Explorer.
SMSAdminUI.log Records the local Configuration Manager console tasks when you connect to the
Configuration Manager site.
In addition to log files, crash dumps may be generated if a Parallels Mac Management component
terminates abnormally. The crash dumps are generated for the Configuration Manager Proxy
component and for Parallels Mac Clients running on individual Macs. Please note that crash dumps
may not be created every time a component crashes. If a dump doesn't exist in the directories
specified below, it can be found in the problem report, which will be generated instead.
Parallels Mac Management for Microsoft SCCM implements log file rotation that ensures that the
log files don't grow in size indefinitely. The amount of data contained in an individual log file and the
total size of all logs are kept at a reasonable limit. Log file rotation is enabled by default.
Parallels Mac Management for Microsoft SCCM consists of a number of executables including
services, graphical user interface, and utilities. Each executable creates its own log file named
<exec_name.log>, where "exec_name" is the executable file name. The following table lists
Parallels Mac Management executables and their corresponding log file names and locations:
Executable Name Operating System Log File Name and Path
A log file is populated with data when an executable is running and performing its tasks. When the
size of a log file exceeds a predefined limit, the file is archived and a new empty log file is created in
its place. This creates a log file rotation set consisting of the current log file and archived files. A log
file rotation set is managed using the following rules:
• Log files are archived using the zlib compression library.
• The archived files in the set are named as follows:
<exec_name.1.log.gz>, <exec_name.2.log.gz>, <exec_name.3.log.gz>, etc.
The <exec_name.1.log.gz> file is the most recently archived log segment. The file with the
largest sequential number in its name is the oldest. When the current log file is archived, it is
named <exec_name.1.log.gz>. The existing archives are renamed by incrementing the
sequential number in their names by 1. The maximum number of files in a rotation set can be
configured (see Changing Log File Rotation Limits below). When the number of files exceeds
the predefined limit, the oldest file is deleted.
• Rotation of each log is performed independently from other logs.
196
Appendices
Log file rotation limits are configured similarly on both Windows and OS X computers. The following
rules apply when specifying the limits:
• Log file size limit. The default value is 1 MB (specified in bytes). The minimum allowed value is
200 KB. The maximum allowed value is 4 MB. If a value is not set, the default value is used. If
the specified value falls outside the min/max interval, the minimum or the maximum value is
used respectively.
• Maximum number of files in a rotation set. The default value is 10. The minimum value is 1.
The maximum value is 20. If a value is not set, the default value is used. If the specified value
falls outside the min/max interval, the minimum or the maximum value is used respectively.
On Windows computers the log rotation limits are stored in the system registry. To modify the
limits:
• Run "regedit" and search for HKEY_LOCAL_MACHINE\SOFTWARE\Parallels\Parallels
Management Suite for Microsoft SCCM\Preferences.
• To set the log file size limit, modify the value of the "LogFileSizeLimit" parameter. The size is
specified in bytes.
• To set the maximum number of files in a rotation set, modify the value of the
“MaxNumberOfSavedLogs” parameter.
On OS X computers, the log rotation limits are stored in the
/Library/Preferences/com.parallels.pma.agent.plist file. To modify the limits:
PMM_<site_name>
Where, PMM_ is used as-is and <site_name> is the name of the primary SCCM site.
197
Appendices
At the time of this writing, the database is used to store the FileVault 2 disk encryption information
and recovery keys. Other security related data may be stored in the database in the future.
The system administrator should backup the database regularly in order to ensure the data safety.
198
Index
Index
Creating a Task Sequence for Deploying OS Download Updates From Apple's Servers -
X on Mac Computers - 137 153
Creating and Managing Enrollment Profiles -
E
176
Creating and Managing Sublicenses - 49 Enabling Remote Access on Mac Computers
Creating Certificate Templates for Parallels - 58
Proxy and Mac Computers - 26 Encrypting a Mac with FileVault 2 - 93, 100
Creating Compliance Rules - 110 Enforcing FileVault 2 Encryption - 88
Creating FileVault 2 Configuration Item - 89, Enforcing Parallels Desktop Preferences -
96 103
Creating FileVaultMaster Keychain - 89 Enforcing Parallels Desktop VM Settings -
Creating OS X Configuration Profile from 104
.mobileconfig File - 85 Enrolling Mac Computers in SCCM - 180
Creating OS X Configuration Profile Using the Exceeding the License Limit - 54
Profile Editor - 81 Execute Script - 142
Customer Experience Program - 34 Executing Scripts on Mac Computers - 171
Executing Task Sequence Steps - 151
D
F
Date and Time Synchronization - 14
DCOM Remote Activation Permission - 18 FileVault 2 Encryption with Institutional
Deactivating Parallels Mac Management - 55 Recovery Key - 89
DEP Deployment Overview - 172 FileVault 2 Encryption with Personal Recovery
Deploy the Application - 122 Key - 96
Deploy Updates to Mac Computers - 170
G
Deploying a Task Sequence to a Collection -
148 General Requirements - 12
Deploying and Managing Devices - 178 Generate an APNs Certificate - 37
Deploying Configuration Baseline - 110
H
Deploying OS X Configuration Profile - 80
Deploying Parallels Desktop to Mac Handling Expired Certificates - 28
Computers - 180 Hardware and Software Inventory - 77
Deploying SCCM Client in Windows Running
in a Virtual Machine - 183
I
Deploying Software - 116 IIS Settings on the Distribution Point Server -
Deploying Software via SCCM Application 13
Deployment - 117 Import a DEP Certificate to Parallels MDM
Deploying Software via SCCM Package Server - 173
Deployment - 112 Import OS X Software Updates - 162
Device Collections in Parallels Mac Initiating Policy Retrieval from a Mac - 73
Management - 76 Initiating Policy Retrieval from SCCM - 190
Distribute Content of the OS X Boot Image - Install and Configure an MDM Server - 173
130 Install Package - 139
Distributing the OS X System Image in SCCM Installation and Configuration - 29
- 135 Installation Options Overview - 57
Distribution Point Role Configuration - 13 Installation Overview - 29
Download Updates From a Local Server - Installation Requirements - 12
154 Installing Parallels Mac Client Using a Script -
65
Index
Installing Parallels Mac Client Using Discovery Parallels OS X Software Update Point
Methods - 58 Requirements - 15
Installing the Application on a Mac - 123 Permissions for Running Parallels OS X
Integrating Parallels Mac Management with Software Update Point - 23
PKI - 25 Permissions for Running Parallels Proxy
Introduction - 8 Configuration Wizard - 17
Permissions for Running Parallels Proxy
J
Service - 22
Join Domain - 138 Permissions in Active Directory - 19
Permissions to Read/Write Service Principle
L
Name - 20
Licensing and Activation - 44 PKI Integration Overview - 26
Limitations and Known Issues - 170 Pre-Installation Checklist - 11
Local Administrator Rights - 18 Pre-Installation Procedures - 10
Logging - 192 Prepare a Mac Application for Configuration
Manager - 118
M
Prerequisites Check - 32, 39
Maintenance and Upgrade - 40 Prerequisites for Deploying OS X on Mac
Manually Upgrading Parallels Mac Client - 71 Computers - 126
Microsoft SQL Server Permissions - 20 Problem Reporting and Monitoring - 186
Migrating Configuration Manager Proxy - 41 Prompting Users to Set Empty Variables
During Task Sequence Execution - 147
N Providing Remote Assistance to Mac Users -
Network Configuration - 14 185
Purchasing a Subscription - 44
O Push Install or Update Parallels Mac Client -
Obtaining a Trial License - 45 66
Operating System Deployment - 126
R
OS X Software Update Management - 153
Receiving Compliance Settings Reports - 111
P Recovering Encrypted Disk Using a Password
Parallels Client Certificate Management - 93, 100
Settings - 32 Recovering Encrypted Disk Using Institutional
Parallels Configuration Manager Proxy Key - 94
Requirements - 13 Recovering Encrypted Disk Using Personal
Parallels Mac Client Deployment - 57 Key - 101
Parallels Mac Management Component Register a Subscription - 48
Overview - 10 Reporting User Logon Information - 78
Parallels Mac Management Database - 197 Restrict Which Updates a Mac User Can
Parallels Mac Management Features Install - 157
Overview - 8 Role-Based Security - 33
Parallels Mac Management Licensing - 44 Running a Task Sequence on a Mac - 149
Parallels MDM Server Location - 36 Running Configuration Wizards - 31
Parallels MDM Server Requirements - 15 Running Parallels Mac Client Installer on a
Parallels MDM Service Account - 36 Mac - 64
Parallels MDM Web Server Certificate - 36 Running Parallels Network Discovery - 63
Parallels NetBoot Server Requirements - 14 Running Shell Scripts as Part of a Task
Sequence Step - 146
Index