Deploying Mac OS Workstation Management Infrastructure with Parallels Management Add-on for SCCM 2007/2012
- From the sandbox
- Tutorial
Hello, readers. I want to share a little experience that I was lucky enough to gain at work. At one point I was given the task of cleaning up the network, namely bringing the Mac OS users under control and applying at least part of our wonderful company's corporate policies to them. After investigating the problem, the shortcomings of the existing systems for this became clear: a proper deployment required buying a huge amount of hardware and licenses, and the systems themselves had plenty of shortcomings (I do not want to name these products, so as not to advertise or disparage anyone).
And then a completely satisfactory product began to emerge: Parallels Management Add-on for MS SCCM 2007/2012. When the company's developers introduced it to us, it was still under strict secrecy and in very early testing (I work at an integrator, and similar products sometimes come our way).
Infrastructure preparation
Let's assume SCCM is already deployed in the infrastructure (in my case, SCCM 2007). I will not cover its deployment and configuration, only the less obvious settings that our system requires:
- in the properties of the Distribution Point, anonymous access over HTTPS must be enabled

- in the DNS properties of the DHCP server, for the subnets where the clients are located, you must enable:
a) Always dynamically update DNS A and PTR records.
b) Dynamically update DNS A and PTR records for DHCP clients that do not request updates.

The service works as follows:

We have SCCM and a proxy through which SCCM communicates with the Mac OS clients (in my case these are two separate servers, but nothing prevents installing the product on the SCCM server itself), plus console add-ons that add new features to the SCCM console.
Installation
I had a developer build at my disposal that was not tied to licensing, so the installation may differ slightly from the purchased version, but I think not by much.
- double-click PMA-version_number.exe on the server that will play the proxy role (the server OS can be anything from Windows Server 2008 R2 to 2012), click Next, done.
- launch the Configuration Utility located at C:\Program Files (x86)\Parallels\Parallels Management Add-on for SCCM

- enter the name / IP address of the SCCM server, or indicate that SCCM is located on the same computer

- in the next window, enter the username / password of a user who has administrator rights in SCCM itself (I cannot use Photoshop to blank out the user names in this window, so I will not include that screenshot).
- on the computer from which management will be performed, start the console extension installation from the same installer (the checkbox on the screen is only active if the console is installed)

Done.
Adding Client Computers
There are 3 methods for adding client computers to the system:
- manually install the software (the agent is located at your_proxy_hostname@yourdomainname.ru:8001/files/pma_agent.dmg). The dmg contains the distribution kit, which installs with a simple Next, Next, Done. After installation the agent shows a window asking you to enter the hostname of the PROXY for SCCM.

Enter the address and you're done; nothing else needs to be typed on the client computer.
- autodiscovery. If the console extension is installed, an additional Parallels Management Add-on item appears in the console.

Select it and you will see the Parallels Network Discovery option. Double-click it to open the following window:

In this window we can enable discovery itself and configure its schedule and the subnets in which discovery will be performed. Under Accounts we can enter a local administrator account on the clients (or several) under which the agent will be installed. The disadvantage, of course, is that we need to know a local administrator of the Mac, and moreover SSH access must be enabled on every client. This method is convenient only if our Macs are joined to the domain and one of the domain admin accounts is guaranteed to be a local administrator on every computer; we would also need to enable SSH access on each Mac manually. For me this method was extremely inconvenient, since we were not eager to join the Macs to our domain (we saw no point in it), so we used the 1st method of installing agents. By the way, if you don't enter anything under Accounts, discovery still works, but with a different benefit for us: the discovery utility itself looks for all Macs on the network (nmap is used for this) and adds them to the All Mac OS Systems collection as unmanaged systems. This is useful if we want to find out how many Macs there are on our network without our policies. I'll say right away that it does not find every Mac this way; there is a small chance that a hit is actually a Windows computer, and if the Mac's name does not resolve in DNS then only its IP address ends up in the collection, and if that Mac is on the Wi-Fi network it will most likely get a different IP address at the next discovery and be added to the collection again under the new address.
- Well, the third way is to image the Macs one by one from a deployment server with the agent already installed. (I won't describe the methods, since there is a sea of information about this on the Internet.)
What's next?
Next, we start working with the Macs just as if they were Windows computers, with only a few reservations.
An All Mac OS Systems collection is created automatically, and all our clients end up in it. To this collection we can deploy almost any software, scripts and policies; how to do this is described in great detail in the admin guide, which is installed automatically on the proxy computer. I will describe only the tastiest parts.
- Software installation. We create a package in Software Distribution just as for Windows computers; the only difference is the executable command. There are 3 main Mac OS package types, namely PKG, DMG with PKG and DMG with APP, and these are the 3 main commands for installing them:
PKG - installer -pkg 'Install.pkg' -target /
DMG - :JavaForOSX.dmg/JavaForOSX.pkg::
APP - :Skype.dmg/Skype.app:/Applications:
The 1st option installs Install.pkg with default settings; the 2nd mounts the dmg image in the system and starts the installation of JavaForOSX.pkg with the same command as in the first option; the 3rd mounts the dmg image and copies Skype.app to the Applications folder.
These commands are entered in the command line field when creating the distribution's programs.

- Execution of any script. I needed to make settings that are simply not available in Apple's Profile Manager, namely the system proxy server and its exceptions, and here is how to solve that problem.
Create a script, say a.sh, with the following lines (service names are capitalized as networksetup reports them, and the bypass list is applied to Wi-Fi as well as Ethernet so both interfaces get the same exceptions):
networksetup -setsecurewebproxy Ethernet proxy.company.ru 8000
networksetup -setsecurewebproxy Wi-Fi proxy.company.ru 8000
networksetup -setwebproxy Ethernet proxy.company.ru 8000
networksetup -setwebproxy Wi-Fi proxy.company.ru 8000
networksetup -setproxybypassdomains Ethernet *.local 169.254/16 127.* 10.* 192.168.* 172.
networksetup -setproxybypassdomains Wi-Fi *.local 169.254/16 127.* 10.* 192.168.* 172.
systemsetup -settimezone Europe/Moscow
Copy this file to SCCM and create a software distribution package from it, with the install command chmod +x a.sh && sh a.sh. Here is what we get: the script runs on the Mac and configures the system proxy on Wi-Fi and Ethernet with the exceptions *.local 169.254/16 127.* 10.* 192.168.* 172., and sets the time zone on all computers! Great, isn't it?
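As an added example (not code from the post or from Parallels), here is a hardened version of the a.sh approach: it reads the service names from networksetup instead of assuming "Ethernet" and "Wi-Fi", reads the applied setting back, and exits non-zero on any failure so the SCCM program status reflects reality. The proxy address, bypass list and time zone are the post's values; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not the post's a.sh. Applies the HTTP/HTTPS proxy and bypass list to
# every enabled network service this Mac reports, verifies the result, and fails loudly
# so SCCM marks the program as failed instead of silently succeeding.
# Assumed values (from the post, overridable via the environment): proxy.company.ru:8000,
# the bypass list and the Europe/Moscow time zone.

PROXY_HOST="${PROXY_HOST:-proxy.company.ru}"
PROXY_PORT="${PROXY_PORT:-8000}"
# The post's bare "172." entry is written here as the full private block 172.16/12.
BYPASS="${BYPASS:-*.local 169.254/16 127.* 10.* 192.168.* 172.16/12}"
TIMEZONE="${TIMEZONE:-Europe/Moscow}"

# Enabled network services only: drop networksetup's explanatory first line and the
# "*"-prefixed entries it prints for disabled services.
list_services() {
  networksetup -listallnetworkservices | sed -e '1d' -e '/^\*/d'
}

# Apply HTTP proxy, HTTPS proxy and the bypass list to one service; stop at the first
# networksetup call that fails.
configure_service() {
  svc="$1"
  networksetup -setwebproxy "$svc" "$PROXY_HOST" "$PROXY_PORT" &&
    networksetup -setsecurewebproxy "$svc" "$PROXY_HOST" "$PROXY_PORT" &&
    networksetup -setproxybypassdomains "$svc" $BYPASS  # unquoted: one argument per entry
}

# Read the HTTP proxy back instead of trusting the exit status alone.
verify_service() {
  networksetup -getwebproxy "$1" | grep -q "^Server: ${PROXY_HOST}$"
}

# Configure every enabled service; CONFIGURED / FAILED hold the counts and the number of
# failed services is the return status, so 0 means everything was applied.
configure_all() {
  CONFIGURED=0
  FAILED=0
  services=$(list_services)
  # A here-document keeps the loop in the current shell, so the counters survive it.
  while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    if configure_service "$svc" && verify_service "$svc"; then
      CONFIGURED=$((CONFIGURED + 1))
    else
      echo "proxy configuration failed for service: $svc" >&2
      FAILED=$((FAILED + 1))
    fi
  done <<EOF
$services
EOF
  return "$FAILED"
}

set_timezone() {
  systemsetup -settimezone "$TIMEZONE"
}

# Apply settings only on macOS (the deployment target); elsewhere only the functions
# are defined.
if [ "$(uname)" = "Darwin" ]; then
  configure_all || exit 1
  set_timezone || exit 1
fi
```

Deploy it exactly as the post describes (chmod +x a.sh && sh a.sh); a non-zero exit from any service shows up as a failed program run in SCCM rather than a half-configured Mac.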
- Applying a profile on the user's computer. One of the most important features of this system is the ability to apply profiles to Macs (for those who don't know, this is Apple's kind of policy). To do this, go to Site Database / Computer Management / Desired Configuration Management / Configuration Items, right-click Configuration Items and select Create Parallels Configuration Item from the pop-up menu. In the window that appears,

specify a name and a note and select the profile itself, created in Profile Manager on the Mac OS server. After creating the configuration item, we apply it to any collection as a baseline, and that's it: the profile will now be applied on the Macs.
- Another extremely important and unique capability of the product is disk encryption through FileVault. The process is long and very well described in the product documentation, so I will not describe it here. But believe me, almost no competing product has this capability.
- We can connect to any client via SSH / VNC directly from the console: right-click the desired client and select the appropriate item from the pop-up menu.

Summary
In our infrastructure we use this particular solution, and I recommend it. We deploy password complexity policies and the corporate update server address through profiles; time zone and proxy server settings through scripts; MS Office, Symantec antivirus, Java, Citrix and Parallels Desktop through software distribution; and we encrypt the hard drives through Desired Configuration Management.
Thanks for your attention. If you have any questions, write in the comments and I will try to answer.