Adventures in Macland... my experiences with ConfigMgr 2012 and Macs Part 2
by, 14th May 2013 at 06:19 PM (13637 Views)
I actually started writing this just after I finished my last blog entry. However, a nasty bout of the flu and other things have got in my way since then and I just hadn't gotten around to finishing this post. Well, no more!
In Part One of this blog, I talked about the new Mac client for Microsoft System Center 2012 Configuration Manager SP1 (God, that's a mouthful!). I talked about my impressions of it and how well it's been working so far. I also mentioned that Parallels have been in contact with us and hooked us up with an evaluation version of their own Mac plugin for ConfigMgr called the Parallels Management Agent (hereafter referred to as the PMA). I'm now going to ramble on about that plugin and tell you how it works and how well I've found it to work.
First of all, the product is described on the Parallels website here: Parallels Management-Mac for Microsoft SCCM - Parallels
Like the Microsoft product, this agent can deploy software, configurations and operating system updates. It inventories machines, again just like the MS product. In addition to that, it also has a remote control component and it works with Mountain Lion. Parallels have also made a version which works with ConfigMgr 2007 (requires SP2 or higher) but I'm not going to focus on that as we're no longer using it. It seems to work in much the same way anyway.
So how does it work? This graphic on the Parallels website describes it quite succinctly:
The Parallels product installs a custom ISV proxy which acts as the proxy between the Mac clients and ConfigMgr. The Parallels client on the Macs talk to the ISV proxy which in turn talks to the ConfigMgr management point. Parallels say that it works with both Mixed and Native modes on 2007 and with HTTP and HTTPS enabled sites in 2012.
Installing the product is relatively straightforward. You need to have a server running Windows 2008 SP2 or higher. It can (in theory anyway, I'll come back to this later on) be installed either on an existing server in your ConfigMgr infrastructure or on a completely separate server. You run the installation wizard and it installs the server component plus a plugin for the ConfigMgr console and a little application which sits in your system notification area and reports on the health of the server component. The installer creates a collection inside ConfigMgr for clients that it manages, it adds an additional discovery method to discover Macs on your network and it adds some extra options to the installed ConfigMgr client on the server that you're installing it on.
You also need a client on the Mac itself. The official method of installing it is to download an installer using a web browser of your choice from an HTTP link on the server where the ISV proxy is installed and run it. Unlike the Microsoft product, this has been wrapped up in a proper PKG style installer and doesn't need to be run from an elevated command line. Naturally it will ask you for a admin user name and password when being run but that's standard OS X practice.
So what can it do?
Well, as you would hope it installs software. Obviously you need to add the software to the ConfigMgr repository just like you would with a Windows piece of software. Rather than using Applications to install the software, it uses legacy packages. You don't need to repackage software like you do with the Microsoft client but working out how to get it to deploy from the PMA is a little more complicated. I'll try to explain.
Usually there are three ways you can get a piece of software for the Mac, not counting the App Store:
- You can download the app inside a in a DMG file and copy it from the DMG to the computer's /Applications folder.
- You can download a DMG containing a PKG file to be executed.
- You can download an installer (usually a PKG) to be executed directly.
The PMA supports all three of these deployment methods. So when you create a program for your package inside ConfigMgr, the command line for installation will look something like this:
- :Firefox 19.0.2.dmg/Firefox.app:/Applications:
- :iTunes11.0.2.dmg/Install iTunes.pkg::
The first one mounts the DMG and copys the Firefox.app to /Applications. The second mounts the DMG and executes the Install iTunes.pkg inside the DMG. The third just runs an arbitrary command.
You can deploy operating system updates via this mechanism too.
Once you've created the package and program, you deploy it to a collection in the usual method.
Secondly, it inventories the Mac for you. It can detect what hardware and software is inside the machine and puts that all into the ConfigMgr database. You can then create collections and queries from this information like you would do with a Windows machine. See the screenshot below:
If you think that looks like a standard ConfigMgr inventory, you'd be right. There's not an awful lot more to be said about this.
It has a remote control client. Parallels have baked a VNC client and Putty into their ConfigMgr console plugin. You access it by right clicking on a Mac client inside the console, going to Parallels Management Tools then Connect via VNC or Connect via SSH.
This works in a similar manner to the Microsoft remote tools for the Windows clients. On the Mac side, you will need to assign a VNC password to it for screen sharing to work and you'll need to enable Remote Logon for the SSH client to work.
Again, there's not an awful lot more to be said about this. It works and it's useful.
The final thing that you're going to want to use it for is to configure your Macs. The way that Parallels achieves this is quite interesting and for some things, somewhat more friendly than the Microsoft method. You need a copy of OS X Server to achieve this but considering that it's only £14 these days that's not a big barrier.
You create a profile inside Profile Manager but don't deploy it to any groups. When you've created the profile, download its .mobileconfig file to your computer. Open the ConfigMgr console and go to the Assets and Compliance workspace. Go to Compliance Settings and right click on Configuration Items. Go to Create Parallels Configuration Item then to Mac OS X Configuration Profile:
You can then point it at your .mobileconfig file and say whether it's a system or user setting:
You then create a configuration baseline and assign it to a collection just like you would with a PC.
The last feature that should be mentioned is that this plugin for ConfigMgr has the ability to manage the installed version of Parallels desktop on your client Macs. However, this is not functionality that I've delved into because we're not using our Macs to run Windows so we don't have it.
So all of this describes how it works which is all great in theory but the question you're probably asking me by now is: "How well does it work?"
Well, lets start with the installation. It perhaps didn't go as smoothly as it could have done. First of all, I attempted to install the plugin on the same server as my management point. The installer seemed to run through properly and it installed the plugin in the console, the ISV certificate and the relevant Parallels collections. However, the PMA monitoring tool reported that the proxy hadn't started and I could not get it going. After that, I tried to install it on another ConfigMgr site server (In this case my SUP). First of all the install failed because there was already a pre-existing ISV certificate for Parallels. It couldn't or wouldn't overwrite it and it wouldn't use it either so I had to go to the Googles and find out how to remove ISV certificates by hand. Merely disabling the certificate wasn't enough, it had to go entirely. This isn't a pretty process but I couldn't see another way around it! See this blog entry on how to do it: SCCM 2012: How to delete an ISV Proxy Certificate
Once the ISV cert was removed, I tried to install the proxy again but I ended up with the same issue. In the end, I gave up and created an entirely new VM, installed the ConfigMgr client on it, deleted the ISV certificate again then installed the Mac proxy on this clean machine. After that it worked perfectly.
The other issue that I ran into was a good one. Despite saying that it works with an HTTPS enabled ConfigMgr site, it kind of doesn't really. For the PMA to talk to ConfigMgr, you need to have a management point and a distribution point that both talk HTTP. The Distribution Point also needs to have anonymous access enabled. This meant that I had to set up a new DP for the Mac content and switch my MP to HTTP.
Once all of these niggles are worked out, the agent works remarkably well. Like the Microsoft client there are rough edges. For example, there is no client-side GUI for this plugin so there is no way of telling if the plugin is working or if software is being installed or not without going into the log files and watching them process. Additionally, if a piece of software requires a reboot the PMA doesn't ask to reboot the machine. On the upside, it doesn't arbitrarily reboot it either so at least your user isn't interrupted. Software distribution worked very well. There were a couple of pieces of software I couldn't persuade it to deploy (Flash Player, Office) but these use non-standard installers and to be fair, I couldn't get the MS client to deploy those either.
Parallels tell me that a client-side GUI is going to be included in the next version of the agent so hopefully most of those issues will go away.
DCM works well, you just need to know which settings are user settings and which are system wide. It isn't always obvious and if you get it wrong the rest of the policy seems to fail.
Remote control works as said before, as does the inventory.
So which is better, the Microsoft or the Parallels client? I'm going to put that into Part 3 of this blog because this is already an awful wall of text and hopefully that should help break it up a little! Stay tuned!
Total Trackbacks 0