In Part 1 of the Parallels Mac Management for SCCM series I installed the Parallels Configuration Manager Console Extension. I installed this on my site server ‘ConfigMgr’.

Part 2 focused on the installation of the Parallels Proxy which I installed on a remote server called ‘Parallels’ which I intend to use to install the Parallels roles.

Part 3 of the series concludes the ‘role’ installation, namely the NetBoot Server and OS X Software Update Service.

The Parallels NetBoot server is required for Mac Operating System Deployment. ‘NetBoot is a technology from Apple that enables Mac computers to boot from a network. You need to install this component if you plan to deploy OS X images to Mac computers. The component must be installed on a computer running Windows Server 2008 SP2 or later’ (see http://download.parallels.com/pmm/v4.5/ga/docs/en_US/Parallels-Mac-Management-for-SCCM-Administrators-Guide.pdf)

The OS X Software Update Service ‘allows you to manage Apple software updates
(patches) for OS X using the native SCCM functionality. The component must be installed on a erver where Windows Server Update Services (WSUS) is installed’ (see http://download.parallels.com/pmm/v4.5/ga/docs/en_US/Parallels-Mac-Management-for-SCCM-Administrators-Guide.pdf)

As with the installation of the proxy in Part 2, certain pre-requisites are required, one being the standard Distribution Point role that is added in the SCCM console as NetBoot requires PXE to be enabled.

Pre-Requisites

The following pre-requisites need to be installed on the server that will host the NetBoot server:

  • .Net Framework 3.5
  • SCCM Distribution Point
  • PXE Point enabled on DP
  • WDS installed
  • BITS 4 installed

The following pre-requisites need to be installed on the server that will host the OS X Software Update Service:

  • WSUS installed
  • User account running the OS X Software Update Service added to the WSUS Administrators group
  • A WSUS Code Signing certificate is required from PKI

Installation

Start the installation by installing .Net Framework 3.5, I had already installed this feature as part of the pre-reqs for the Parallels Proxy.

Next, install the pre-requisites required to install the Distribution Point role. The SCCM Current Branch Supported Configuration documentation states the following are needed:

Distribution point

Windows Server roles and features:

  • Remote Differential Compression

IIS configuration:

  • Application Development:
    • ISAPI Extensions
  • Security:
    • Windows Authentication
  • IIS 6 Management Compatibility:
    • IIS 6 Metabase Compatibility
    • IIS 6 WMI Compatibility

Once installed I then added in URL Authorization from the Web Server>Security section.

2017-01-24-22_19_27-add-roles-and-features-wizard

BITS was then added.

2017-01-24-22_19_41-add-roles-and-features-wizard

After the Roles and Features are added load up ‘Internet Information Services (IIS) Manager’ from Administrative Tools and navigate down the ”Default Web Site’. In the main pane double click ‘Authentication’ and then enable ‘Windows Authentication’

2017-01-24-22_15_11-internet-information-services-iis-manager

Back in the main pane double click ‘Authorization Rules’

2017-01-24-22_20_41-internet-information-services-iis-manager

Ensure ‘Allow Users’ is set

2017-01-24-22_20_45-internet-information-services-iis-manager

WSUS Installation

Next re-run ‘Add Roles and Features’ in Server Manager and add in WSUS

2017-01-24-22_21_38-add-roles-and-features-wizard

I’ve removed the WID selection and highlighted Database.

2017-01-24-22_21_50-add-roles-and-features-wizard

I have selected to store the WSUS downloads in C:\WSUS

2017-01-24-22_22_14-add-roles-and-features-wizard

At this stage I have pointed the WSUS configuration to use the site database on my site server.

2017-01-24-22_22_23-add-roles-and-features-wizard

Once the role is installed remember that the Post Installation tasks need to be run from Server Manager – note the exclamation mark. Click and run the tasks.

2017-01-24-22_26_16-server-manager

WSUS Certificate

One of the pre-reqs required for the OS X Software Update service is to install a WSUS code signing certificate. This can be obtained from the certificate authority in your environment.

In Certificate Authority Console right-click Certificate Templates>Manage.

2017-03-19 21_40_13-Greenshot.jpg

In the Certificate Templates Console right-click Code Signing>Duplicate Template.

2017-03-19 21_40_32-Greenshot.jpg

Set the following properties on the template:

In the Compatibility tab:

  • set Certificate Authority to Windows Server 2003
  • set Certificate recipient to Windows XP / Server 2003

3-cert-options-compatibility.png

In the General tab:

  • set the Template display name

2017-03-19 21_41_20-Properties of New Template.jpg

In the Request Handling tab:

  • Check Allow private key to be exported
  • Check Prompt the user during enrollment

2017-03-19 21_41_54-Properties of New Template.jpg

In the Subject Name tab:

  • set Subject name format to Common name:

2017-03-19 21_42_11-Properties of New Template.jpg

In the Extensions tab, double click on Key Usage and uncheck ‘Make this extension critical’

2017-03-19 21_42_35-Edit Key Usage Extension.jpg

2017-03-19 21_42_44-Properties of New Template.jpg

In the Security tab:

  • select Authenticated Users and grant Read and Enroll permissions

2017-03-19 21_42_58-Properties of New Template.jpg

Once these options are set click OK and close the Template Console window.

In Certificate Authority Console right click Certificate Templates>New>Certificate Template to Issue.

2017-03-19 21_43_40-Greenshot.jpg

Select the newly created template and click OK.

2017-03-19 21_43_46-Enable Certificate Templates.jpg

The template will become available to use.

2017-03-19 23_09_18-certsrv - [Certification Authority (Local)_internal-DC-CA_Certificate Templates].jpg

Now go to the server where WSUS has just been installed, in my instance the Parallels server and run MMC.

Click File>Add/Remove Snap-in…

2017-03-19 21_44_36-Greenshot.jpg

In the left pane of Add or Remove Snap-in window select Certificates and click the ‘Add >’ button.

2017-03-19 21_44_45-Add or Remove Snap-ins.jpg

select ‘My user account’ and click Finish.

2017-03-19 21_45_01-Certificates snap-in.jpg

Navigate to Certificates – Current User and right click Personal. Select All Tasks>Request New Certificate…

2017-03-19 21_45_27-Greenshot.jpg

Click Next.

2017-03-19 21_45_31-Certificate Enrollment.jpg

At the Select Certificate Enrollment Policy screen click Next.

2017-03-19 21_45_53-Certificate Enrollment.jpg

Select the WSUS certificate and click ‘Enroll’

2017-03-19 21_45_58-Certificate Enrollment.jpg

Click Finish to complete.

2017-03-19 21_46_03-Certificate Enrollment.jpg

Export the certificate, to do this navigate to Certificates – Current User>Personal>Certificates. Right click on the issued certificate and choose All Tasks>Export…

2017-03-19 21_46_36-Greenshot.jpg

Click Next.

2017-03-19 21_46_39-Certificate Export Wizard.jpg

At the Export Private Key window check Yes, export the private key and then click Next.

2017-03-19 21_46_53-Certificate Export Wizard.jpg

At the Export File Format window check Export all extended properties and then click Next.

2017-03-19 21_47_06-Certificate Export Wizard.jpg

Enter a password and click Next.

2017-03-19 21_47_20-Certificate Export Wizard.jpg

Export the file to a relevant location.

2017-03-19 21_47_53-Certificate Export Wizard.jpg

Click Finish to complete the process.

2017-03-19 21_47_57-Certificate Export Wizard.jpg

Click OK

2017-03-19 21_48_00-Certificate Export Wizard.jpg

On the server running WSUS, again the Parallels server in my case, run the following PowerShell commands as administrator.

[Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$updateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $updateServer.GetConfiguration()
$config.SetSigningCertificate("<Path to pfxFile>", "<PFX file password>")

2017-03-19 22_55_00-Administrator_ Windows PowerShell.jpg

Then issue the command

$config.Save()

2017-03-19 23_31_38-Administrator_ Windows PowerShell.jpg

Finally we need to set up the update server and clients for locally-published updates.

To do this we need to export the certificate added via the PowerShell previously.

Open up a MMC console. Choose File>Add/Remove Snap-in…

2017-03-19 22_03_10-Greenshot.jpg

Select Certificates and click ‘Add>’

2017-03-19 22_03_16-Add or Remove Snap-ins.jpg

Select Computer Account and click Next.

2017-03-19 22_03_20-Certificates snap-in.jpg

Click Finish.

2017-03-19 22_03_24-Select Computer.jpg

Navigate to WSUS>Cerificates and highlight the Code Signing certificate. Right click and choose All Tasks>Export…

2017-03-19 23_33_12-Greenshot.jpg

Click Next.

2017-03-19 23_33_25-Certificate Export Wizard.jpg

Do not export the private key and click Next.

2017-03-19 23_33_30-Certificate Export Wizard.jpg

Export as a .cer and click Next.

2017-03-19 23_33_33-Certificate Export Wizard.jpg

Export to the relevant location and click Next.

2017-03-19 23_33_45-Certificate Export Wizard.jpg

Click Finish to complete the process.

2017-03-19 23_33_48-Certificate Export Wizard.jpg

Click OK.

2017-03-19 23_33_50-Certificate Export Wizard.jpg

Now, navigate to the Trusted Root Certification>Certificates folder, right click and select All Tasks>Import…

2017-03-19 23_34_27-Greenshot.jpg

Click Next.

2017-03-19 23_34_30-Certificate Import Wizard.jpg

Locate the .cer and import. Click Next.

2017-03-19 23_34_38-Certificate Import Wizard.jpg

Click Next.

2017-03-19 23_34_43-Certificate Import Wizard.jpg

Click Finish.

2017-03-19 23_34_45-Certificate Import Wizard.jpg

The certificate will be imported into the store.

2017-03-19 23_34_52-Console1 - [Console Root_Certificates (Local Computer)_Trusted Root Certificatio.jpg

Repeat the process for the Trusted Publishers folder.

2017-03-19 23_35_06-Console1 - [Console Root_Certificates (Local Computer)_Trusted People_Certificat.jpg

If your SMS Provider is remote, and in my case it resides on my site server, ConfigMgr, then repeat the process of importing the .cer into the Trusted Root Certification and Trusted Publishers folders  on that server as well.

DP Installation

Now go to the site server and in the SCCM Console go to the Administration workspace>Site Configuration>Servers and Site System Roles, right click and choose ‘Create Site System Server.

2017-01-23-21_12_18-greenshot

Add in the server to the the site system and choose the Site code from the drop down.

2017-01-23-21_13_51-create-site-system-server-wizard

No proxy is required at this stage

2017-01-23-22_07_39-create-site-system-server-wizard

Select the Distribution Point role.

2017-01-23-22_21_20-create-site-system-server-wizard

The DP will be HTTP in this instance. Ensure the ‘Allow clients to connect anonymously’ checkbox is ticked to allow Macs to talk anonymously to the DP. Note in this image it hasn’t been but it MUST.

parallelsanon-001

Assign the relevant drive letters for content location

2017-01-23-22_29_42-create-site-system-server-wizard

This will not be a Pull DP.

2017-01-23-22_29_48-create-site-system-server-wizard

On this screen, enable PXE, allow DP to responded to incoming PXE requests and enable unknown computer support. I haven’t selected ‘Require a password…’

2017-01-23-22_30_09-create-site-system-server-wizard

Click Yes when warned about Port requirement – make a note if you need to open up firewall ports on the network.

2017-01-23-22_29_58-review-required-ports-for-pxe

Click through the wizard to completion.

Install the Parallels components

Now it’s time to run the Parallels installation file and add in the components that are needed.

When prompted select the NetBoot Server and OS X Software Update Point. Click Next.

2017-01-24-23_11_55-parallels-mac-management-for-microsoft-sccm-setup

Click Install

2017-01-24-23_12_02-parallels-mac-management-for-microsoft-sccm-setup

Click Finish but ensure the checkbox to configure is selected.

2017-01-24-23_12_27-parallels-mac-management-for-microsoft-sccm-setup

First up is the configuration of the NetBoot Server. As mentioned previously I have not installed a SMS Provider locally on my Parallels server so I have to point back to the SMS Provider on my site server at this stage. Click Next.

2017-01-24-23_17_16-parallels-netboot-server-configuration-wizard

Enter the details of the service account to run the NetBoot Server service. For the rights required for this account see the following KB article http://kb.parallels.com/uk/117937

2017-01-24-23_17_29-parallels-netboot-server-configuration-wizard

Select a path to store the NetBoot images. The default is pmmimages. Click Next.

2017-01-24-23_17_34-parallels-netboot-server-configuration-wizard

Click Next at the summary screen.

2017-01-24-23_17_38-parallels-netboot-server-configuration-wizard

Click Finish when complete

2017-01-24-23_17_42-parallels-netboot-server-configuration-wizard

Finally the configuration of the OS X Software Update service is required.

Select an account to run the service. The account you choose must have administrative right on the local server and must be a member of the WSUS Administrators group.

So add the account to that group.

2017-01-24-23_18_37-wsus-administrators-properties

then enter the details into the configuration wizard. Click Next.

2017-01-24-23_17_59-parallels-os-x-software-update-service-configuration-wizard

A pre-requisite check will be performed. Address any issues and re-run if necessary. Click Next.

2017-03-19 23_57_42-Parallels OS X Software Update Service Configuration Wizard.jpg

Click Finish at the summary screen.

2017-01-24-23_18_59-parallels-os-x-software-update-service-configuration-wizard

You’ll be notified that your configuration has been applied.

2017-01-24-23_19_04-parallels-os-x-software-update-service-configuration-wizard

Now re-run the PowerShell commands, run previously, as administrator.

[Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$updateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $updateServer.GetConfiguration()
$config.SetSigningCertificate("<Path to pfxFile>", "<PFX file password>")

2017-03-19 22_55_00-Administrator_ Windows PowerShell.jpg

Then issue the command

$config.Save()

2017-03-19 23_31_38-Administrator_ Windows PowerShell.jpg

You can re-run each configuration wizard, including the proxy config from Part 2 from the Parallels menu

2017-01-24-23_19_21-greenshot

MDM Server?

You may have noticed a MDM Server option when installing the Parallels Mac Management solution and that we un-ticked this previously.

2017-01-24-23_11_55-parallels-mdm

The Parallels MDM Server enables you to deploy and enroll new Mac computers in SCCM using the Apple Device Enrollment Program. This component must be installed on a server located in DMZ.  I will not be covering this role in this series.

Now that we have all our roles installed I’ll be taking a look, in Part 4, at how we can licence Parallels, discover Macs in the environment and get the Parallels Mac client installed on a device.

 

Advertisements