Page 1
Parallels Mac Management
for Microsoft SCCM 2012
Administrator's Guide
v3.1
Copyright © 1999-2014 Parallels IP Holdings GmbH and its affiliates. All rights reserved.
Page 2
Parallels IP Holdings GmbH
Vordergasse 59
8200 Schaffhausen
Switzerland
Tel: + 41 52 632 0411
Fax: + 41 52 672 2010
www.parallels.com
Copyright © 1999-2014 Parallels IP Holdings GmbH and its affiliates. All rights reserved.
This product is protected by United States and international copyright laws. The product’s underlying technology,
patents, and trademarks are listed at http://www.parallels.com/trademarks.
Microsoft, Windows, Windows Server, Windows NT, Windows Vista, and MS-DOS are registered trademarks of Microsoft
Corporation.
Apple, Mac, the Mac logo, Mac OS, iPad, iPhone, iPod touch, FaceTime HD camera and iSight are trademarks of Apple
Inc., registered in the US and other countries.
Linux is a registered trademark of Linus Torvalds.
All other marks and names mentioned herein may be trademarks of their respective owners.
Page 3
Contents
Introduction ...............................................................................................................7
About This Guide .............................................................................................................. 7
About Parallels Mac Management for Microsoft SCCM 2012 ............................................ 7
Deploying Parallels Mac Management for Microsoft SCCM 2012 ..........................9
Parallels Mac Management Component Overview............................................................. 9
Checking Installation Requirements................................................................................. 10
Checking User Rights Requirements ............................................................................... 14
User Rights Required for Installing and Configuring Parallels Mac Management.................... 14
User Rights Required for Running Parallels Configuration Manager Proxy Service................. 18
Configuring Certificate Authorities and PKI Integration.....................................................20
Certificate Authority and PKI Integration Overview ................................................................. 20
Deploying PKI Certificates ..................................................................................................... 21
Creating Certificate Templates for Parallels Proxy and Macs ................................................. 28
Creating Special Security Group............................................................................................ 30
Installing Parallels Mac Management for Microsoft SCCM 2012 ...................................... 31
Parallels Mac Management for Microsoft SCCM Setup Wizard ............................................. 31
Parallels Configuration Manager Proxy Configuration Wizard................................................. 32
Parallels NetBoot Server Configuration Wizard ...................................................................... 34
Upgrading Parallels Mac Management for Microsoft SCCM 2012 ......................................... 36
Page 4
Contents
Configuring Configuration Manager Boundaries .............................................................. 36
Configuring Windows Firewall.......................................................................................... 37
Viewing Proxy Service Certificate Details ......................................................................... 37
Migrating Configuration Manager Proxy........................................................................... 38
Deploying Parallels Mac Client ............................................................................... 41
Deploying Mac Client via Network Discovery ................................................................... 41
Installing Mac Client Using Interactive Installer ................................................................. 44
Installing Mac Client Using Installation Script ................................................................... 46
Configuring Mac OS X Firewall ........................................................................................47
Verifying Mac Client Deployment ..................................................................................... 48
Updating Parallels Configuration Manager Proxy Connection URL................................... 48
Upgrading Parallels Mac Client........................................................................................ 49
Uninstalling Parallels Mac Client ......................................................................................49
Managing Parallels Mac Client ...............................................................................51
Viewing Parallels Mac Client Properties ........................................................................... 51
Initiating Policy Retrieval .................................................................................................. 53
Sending Problem Reports From Mac Client..................................................................... 55
Parallels Mac Management Features .....................................................................57
Using Configuration Manager 2012 Console ...................................................................57
Understanding Collections in Parallels Mac Management ................................................ 57
Hardware and Software Inventory ................................................................................... 58
Configuring Inventory Settings............................................................................................... 58
Viewing Inventory Data .......................................................................................................... 59
Desired Configuration Management ................................................................................ 59
Deploying OS X Configuration Profile..................................................................................... 59
Enforcing FileVault 2 Encryption ............................................................................................ 66
Enforcing Parallels Desktop Preferences ............................................................................... 79
Enforcing Parallels Desktop VM Settings ............................................................................... 81
Using Scripts to Assess Compliance ..................................................................................... 82
Deploying Configuration Baseline .......................................................................................... 86
Receiving DCM Reports ........................................................................................................ 87
Application Management................................................................................................. 88
Choosing Installation Type..................................................................................................... 88
Page 5
Preparing Mac Application for Configuration Manager........................................................... 89
Creating Configuration Manager Application.......................................................................... 90
Configuring Deployment Type ............................................................................................... 91
Deploying Mac Application .................................................................................................... 93
Installing Application on a Mac .............................................................................................. 95
Using Parallels Application Portal........................................................................................... 96
Software Distribution....................................................................................................... 97
Creating Software Distribution Package ................................................................................ 97
Sending Package to Distribution Point................................................................................. 100
Deploying Software ............................................................................................................. 100
Viewing Status of a Package ............................................................................................... 101
Deploying Mac OS X Images......................................................................................... 101
Deploying Parallels Desktop and Virtual Machines on Macs .......................................... 105
Deploying SCCM Client in Windows Running in a Virtual Machine ................................. 107
Contents
Providing Remote Assistance to Mac Users .................................................................. 109
Problem Reporting and Monitoring................................................................................ 111
Sending Problem Reports Using Configuration Manager Console ....................................... 111
Sending Problem Reports Using Windows Reporting Utility................................................. 112
Sending Problem Reports from Mac Client.......................................................................... 113
Using Problem Monitoring Utility.......................................................................................... 113
Tracking Apple Warranty Status of Macs............................................................................. 116
Technical Reference.............................................................................................. 118
Wizard Pages................................................................................................................ 118
Parallels Configuration Manager Proxy Configuration Wizard............................................... 118
Parallels NetBoot Server Configuration Wizard .................................................................... 124
Software Distribution Wizards.............................................................................................. 128
Property Pages ............................................................................................................. 129
Parallels Discovery Properties.............................................................................................. 129
Dialog Pages................................................................................................................. 134
Desired Configuration Management Dialogs........................................................................ 134
New Subnet Assignment Dialog .......................................................................................... 142
Custom Schedule Dialog ..................................................................................................... 143
Max OS X User Account Dialog........................................................................................... 144
Problem Report for Parallels Mac Management for Microsoft SCCM Dialog........................ 144
Page 6
Contents
Send Problem Report Dialog ............................................................................................... 145
Problem Reports Dialog ...................................................................................................... 145
Appendices............................................................................................................147
Ports Used by Parallels Mac Management .................................................................... 147
Log Files in Parallels Mac Management for Microsoft SCCM ......................................... 148
Changing Log File Rotation Limits ................................................................................. 151
Parallels Mac Management Database ...........................................................................153
Index ......................................................................................................................154
Page 7
C HAPTER 1
Introduction
In This Chapter
About This Guide ..................................................................................................... 7
About Parallels Mac Management for Microsoft SCCM 2012 ................................... 7
About This Guide
This guide contains information about how to deploy and use Parallels Mac Management for
Microsoft SCCM 2012. The guide is intended for IT administrators.
About Parallels Mac Management for Microsoft SCCM 2012
Parallels Mac Management for Microsoft SCCM 2012 is a software product that extends Microsoft
System Center Configuration Manager 2012 and 2012 R2 with support for Mac OS X systems.
With Parallels Mac Management you can manage Mac and Windows computers using
Configuration Manager as your only management system.
Parallels Mac Management adds the following Mac management features to SCCM 2012 and
SCCM 2012 R2:
Feature Description
Network discovery allows to automatically find Mac
Network discovery of Mac computers (p. 41)
Inventory of Mac hardware and installed applications
(p. 58)
Mac OS X image deployment (p. 101)
Mac OS X software and patch distribution (p. 97)
computers on a network and assign them to a
Configuration Manager site.
Mac hardware and software inventory is
automatically collected and can be viewed in the
Configuration Manager console.
Allows to automate the deployment of OS X on
managed Mac computers.
Allows to use the standard Configuration Manager
Software Distribution functionality to install software
and updates on managed Macs.
Parallels Application Portal (p. 88)
Allows Mac users to view and install OS X
applications made available to the user by their
Page 8
Introduction
system administrator.
Mac OS X configuration management via Configuration
Profiles (p. 59)
FileVault 2 Encryption Management (p. 66)
Parallels Desktop and Parallels virtual machine
configuration management (p. 79)
Allows to configure Macs and enforce compliance
with SCCM Desired Configuration Management
functionality.
Allows to use FileVault 2 to encrypt the contents of
disk drives on managed Macs with the ability to set
an institutional or a private recovery key.
Allows to configure Parallels Desktop and Parallels
virtual machines installed on a Mac.
Parallels Mac Management fully integrates with the Configuration Manager console, so IT
administrators can manage Mac and Windows computers using the same familiar graphical user
interface.
8
Page 9
C HAPTER 2
Deploying Parallels Mac Management for Microsoft SCCM 2012
This chapter contains information about how to deploy Parallels Mac Management for Microsoft
SCCM 2012 in an enterprise computing environment.
In This Chapter
Parallels Mac Management Component Overview .................................................... 9
Checking Installation Requirements .......................................................................... 10
Checking User Rights Requirements ........................................................................ 14
Configuring Certificate Authorities and PKI Integration
Installing Parallels Mac Management for
Configuring Configuration Manager Boundaries........................................................ 36
Configuring Windows Firewall................................................................................... 37
Viewing Proxy Service Certificate Details .................................................................. 37
Migrating Configuration Manager Proxy .................................................................... 38
Microsoft SCCM 2012 ............................... 31
.............................................. 20
Parallels Mac Management Component Overview
Parallels Mac Management consists of the following components:
• Parallels Configuration Manager Proxy. This is a Windows service application that acts as a
proxy between SCCM and Mac computers. The application must be installed on a computer
running Windows Server 2008 SP2 or later.
• Configuration Manager Console Extension. This component consists of a set of dynamic
libraries that extend the Configuration Manager console to provide a graphical user interface
enabling you to manage Mac OS X computers. The component must be installed on the
computer where the Configuration Manager console is running.
• NetBoot Server. NetBoot is a technology from Apple that enables Mac computers to boot
from a network. You need to install this component if you plan to deploy Mac OS X images on
Mac computers. The component must be installed on a computer running Windows Server
2008 SP2 or later.
• Parallels Mac Client. This is a client software that enables communication between the Mac
computer on which it is installed and the Parallels Configuration Manager Proxy.
Page 10
Deploying Parallels Mac Management for Microsoft SCCM 2012
Supported SCCM Versions
Parallels Mac Management supports Microsoft System Center Configuration Manager 2012 and
2012 R2. Please make sure that you have the latest service pack and critical updates installed.
Supported Windows Versions
Parallels Mac Management supports all versions of Windows that are supported by System Center
Configuration Manager 2012 and 2012 R2.
Supported OS X Versions
The following versions of OS X operating system are supported:
• OS X 10.6 Snow Leopard
• OS X 10.7 Lion
• OS X 10.8 Mountain Lion
• OS X 10.9 Mavericks
• OS X 10.10 Yosemite
Checking Installation Requirements
Before you install Parallels Mac Management for Microsoft SCCM 2012, use the instructions
provided here to ensure that the installation requirements are met.
Windows computers requirements
Parallels Configuration Manager Proxy and NetBoot Server must be installed on a computer(s)
running Windows Server 2008 SP2 or later. This can be a dedicated server (or two separate
dedicated servers for each component) or a server running Microsoft System Center Configuration
Manager. The Configuration Manager Console Extension component must be installed on a
Windows computer running the Configuration Manager console.
Check the Parallels Configuration Manager Proxy requirements
The computer on which Parallels Configuration Manager Proxy will be installed must have the .NET
Framework 4.0 installed.
Check the NetBoot Server requirements
The computer on which the NetBoot Server will be installed must meet the following requirements:
10
Page 11
Deploying Parallels Mac Management for Microsoft SCCM 2012
• The Distribution Point role is installed on this server.
• The server is a PXE service point.
• WDS is installed and running. If WDS and DHCP are both installed on this server, the Do not
listen on port 67 option must be selected in the WDS service properties.
• BITS 4.0 is installed.
• Verify that the user configuring the NetBoot Server has sufficient privileges. See the following
KB article: http://kb.parallels.com/117937
Verify that the Management Point role is installed
To do so, enter the following URL into a Web browser (substitute http with https if that's what
your Management Point is using):
http://[MPNAME]/sms_mp/.sms_aut?mplist
where [MPNAME] is a fully qualified domain name of the Management Point server.
The URL should open an XML file without an error.
Verify that the Distribution Point role is configured properly
In the Configuration Manager console:
1 Navigate to Administration / Site Configuration / Servers and Site System Roles.
2 Select your site in the right pane.
3 In the Site System Roles pane, right-click the Distribution Point role and then click
Properties in the context menu.
4 In the Distribution Point Properties dialog do the following:
• On the General tab page, select HTTP or HTTPS in the Specify how client computers
communicate with this distribution point group. If you'll be using Public Key Infrastructure
(PKI) for authentication, you need to select HTTPS. The PKI integration is described in detail
in Configuring Certificate Authorities and PKI Integration section (p. 20).
• If you've selected HTTP, check
the Allow clients to connect anonymously option.
Check the Internet Information Services (IIS) settings on the Distribution Point server
In Windows Server 2008:
1 Click Start > Administrative tools > Internet Information Services (IIS) Manager.
2 Open Default Web Site and double-click Authentication in IIS.
3 Check that Windows Authentication is enabled.
4 Open Default Web Site and double-click Authorization Rules in IIS.
11
Page 12
Deploying Parallels Mac Management for Microsoft SCCM 2012
5 Check that authorization is allowed to all users
Verify that WebDAV is enabled
In Windows Server 2008:
1 Click Start > Administrative tools > Internet Information Services (IIS) Manager.
2 Select the server name and expand Sites.
3 Click Default Web Site.
4 Double-click IIS > WebDAV Authoring Rules.
If WebDAV is enabled, the Enable WebDAV action should not be available in the Actions
pane. The central pane should contain the Authoring Rule with the All content, All users and
Read options selected.
5 Select the role and click WebDAV Settings in the Actions pane.
6 In the WebDAV Settings workspace (under Property Behavior) make the following changes:
• Set the Allow anonymous property queries option to True.
• Set Allow Custom Properties to False.
• Set Allow property queries with infinite depth to True.
• If this is a BITS-enabled Distribution Point, then under WebDAV Behavior, set Allow
hidden files to be listed to True.
Verify that Configuration Manager Boundaries are configured properly
In the Configuration Manager console:
1 Check the boundary settings at the following location: Administration / Hierarchy
Configuration / Boundaries.
2 In addition, Boundary Groups must also be configured in SCCM 2012.
For details, see Configuring Configuration Manager Boundaries (p. 36).
Check that the Reporting Point role is installed
Note: The Reporting Point role is not required for Parallels Mac Management installation, but it is needed
for the reporting functions to work.
1 In the Configuration Manager console:
2 Navigate to Administration / Site Configuration / Servers and Site System Roles.
3 Verify that the Reporting services point role exists.
4 Navigate to Monitoring / Reporting / Reports.
12
Page 13
Deploying Parallels Mac Management for Microsoft SCCM 2012
5 Right-click any of the available reports and check that the Run item is available in the pop-up
menu.
Check that the Report Viewer is installed
Note: The Report Viewer is not required for Parallels Mac Management installation, but it is needed for
viewing reports.
On the computer running the Configuration Manager console:
1 Click Start > Control Panel > Programs and Features.
2 Verify that Microsoft Report Viewer Redistributable is installed.
Check that the firewall is configured properly in Windows and OS X
Please see the complete instructions in the Configuring Windows Firewall (p. 37) and
Configuring Mac OS X Firewall (p. 47) sections.
Verify that your network environment is configured properly
See the following KB article: http://kb.parallels.com/118518
Verify that your Mac computers have network access to SCCM site servers and
computers on which you'll install Parallels Mac Management
Use the traceroute command in Mac OS X and tracert in Windows to verify network access.
Access to the following servers needs to be checked:
• A server that will be running Parallels Configuration Manager Proxy.
• The Active Directory server.
• The Management Point role server.
• The Distribution Point role server.
Check the IP address of the DNS server in OS X network preferences on a Mac:
1 In Mac OS X, open System Preferences / Network.
2 Click the Advanced button, click the DNS tab and see the DNS Servers section. Add the DNS
server address if it's missing.
13
Page 14
Deploying Parallels Mac Management for Microsoft SCCM 2012
Check the date and time synchronization
Date and time must be synchronized between the servers running the Configuration Manager,
Configuration Manager Proxy, Active Directory, Management Point, Distribution Point, and the Mac
computers. If that's not done, the Parallels Mac Client registration and the Mac management
operations (specifically, policy downloading and updating) may not work correctly.
Review the ports used by Parallels Mac Management
The ports used by Parallels Mac Management should not be used by other programs. For the list of
ports see Ports Used by Parallels Mac Management (p. 147).
Checking User Rights Requirements
To install and configure Parallels Mac Management for SCMM the user performing the installation
must have sufficient rights. To run the Parallels Configuration Manager Proxy service, its user
account must also have sufficient rights. The following topics describe the required user rights and
provide detailed information on how to verify and to set them.
User Rights Required for Installing and Configuring Parallels Mac Management
To install and configure Parallels Mac Management components on Windows computers, the user
performing the installation and configuration must have specific rights. The following provides a
summary of the requirements and then describes in detail how to verify and to set the necessary
user rights.
Required User Rights Summary
The user installing and configuring Parallels Mac Management must be a domain user with the
following rights:
• Permissions to write to the SMS Provider (full write WMI permissions).
• Permissions to use DCOM objects on a server where the SMS Provider is installed (the user
must be a member of the Distributed COM Users group).
• Administrative rights in Configuration Manager.
• Permissions to make the following changes in Active Directory:
• Create the "CN=ProgramData,CN=Parallels,CN=Parallels Management Suite" container, or
(if the container already exists) create child objects in it.
• Create the "CN=ParallelsServices" container, or (if the container already exists) make
changes to its contents.
14
Page 15
Deploying Parallels Mac Management for Microsoft SCCM 2012
• Permissions to register and unregister Service Principal Names for the user account used to run
the Parallels Configuration Manager Proxy service.
• Administrative rights on the computer where the installation is performed.
The following step-by-step instructions describe how to create a Windows user with the rights
outlined above.
Create a new domain user
Note: You may skip this section if you want to use an existing domain user.
1 On the computer running Active Directory, click Start > Administrative Tools > Server
Manager.
2 In the Server Manager window, navigate to Roles / Active Directory Domain Services /
Active Directory Users and Computers / <domain-name>.
3 Right-click Users and select New > User in the context menu.
4 In the New Object – User dialog, type Full name, User logon name, and click Next.
5 Type and confirm the password in the Password and Confirm password fields.
6 Click Next. Click Finish.
Add the user to the Distributed COM Users group
The user must be a member of the group to work with the SMS Provider through WMI. This is
needed when Parallels Configuration Manager Proxy and the SMS Provider are installed on different
computers.
1 In the Server Manager window, right-click the domain user that you created and select Add to
a group… in the context menu.
2 Add the user to the Distributed COM Users group.
Grant the user permissions to write to WMI
Parallels Configuration Manager Proxy needs rights to alter the SMS WMI workspace by adding
new classes.
1 In the Server Manager window, navigate to Configuration / WMI Control.
2 Right-click WMI Control and select Properties in the context menu.
3 Select the Security tab in the WMI Control Properties dialog.
4 In the Namespace navigation tree, select Root / SMS / site_<site-code> and then click the
Security button.
5 Click the Add button, find your user, and click OK. The user will appear in the Group or user
names list.
15
Page 16
Deploying Parallels Mac Management for Microsoft SCCM 2012
6 Grant the user Full Write permissions.
7 Click OK to close the dialog.
8 Click OK to close the WMI Control Properties dialog.
Grant the user administrative rights on the computer(s) where you’ll be installing
Parallels Configuration Manager Proxy and NetBoot Server
1 Log in to a computer where you’ll be performing the installation of a given component.
2 Open Server Manager and navigate to Configuration / Local Users and Groups / Groups.
3 Right-click the Administrators group and select Properties in the context menu.
4 In the Select Users dialog, click the Add button and add the domain user you've created
earlier.
5 Click OK and then click OK again.
On a computer that will be running the NetBoot Server, the user must also have local and remote
read access to SMS Provider. For the complete information, please read kb.parallels.com/117937
(http://kb.parallels.com/117937 ).
Grant the user administrative rights in Configuration Manager
1 Log in to the computer running the Configuration Manager console and open the console.
2 Navigate to Administration / Overview / Security.
3 Right-click Administrative Users and select Add User or Group in the context menu.
4 In the Add User or Group dialog, click Browse, find the domain user that you created earlier,
and click OK. The user will appear in the User or group name field in the Add User or Group
dialog.
5 Click the Add... button in the Assigned security roles section.
6 In the Available security roles list, select Full Administrator and click OK.
7 Click OK in the Add User or Group dialog.
Create the "CN=ParallelsServices" container in Active Directory and grant the user
permissions to write to it
This container is used to store the connection URL of the Configuration Manager Proxy service. If a
Mac client loses the Proxy connection, it can retrieve the connection URL from this container.
Note: Skip steps 1 through 6 if the container already exists.
1 On the computer running Active Directory, click Start > Administrative Tools > ADSI Edit.
2 In the ADSI Edit window, navigate to Default naming context / DC=<domain>,DC=<com> /
CN=System.
16
Loading...