General Requirements for Parallels Mac Management with SCCM 2012 R2
The currently supported SCCM versions are:
Microsoft System Center Configuration Manager 2012
Microsoft System Center Configuration Manager 2012 R2
You must have the latest service packs and critical updates for your SCCM server.
Supported Windows Versions
Parallels has confirmed that, for managing Macs with SCCM, all Windows operating systems that are supported by System Center will be supported by Configuration Manager 2012 and 2012 R2.
Supported Apple OS X Versions
• OS X 10.6 Snow Leopard
• OS X 10.7 Lion
• OS X 10.8 Mountain Lion
• OS X 10.9 Mavericks
• OS X 10.10 Yosemite
Parallels Configuration Manager Proxy Requirements
To install the Parallels Configuration Manager Proxy, you must have .NET 4.0 installed. You also need to change the distribution point role settings on the SCCM server, under "Specify how client computers communicate with this distribution point group", to either HTTP or HTTPS. If you are using Public Key Infrastructure (PKI) for authentication, you need to select HTTPS.
In my case I have selected HTTP and I have checked the Allow clients to connect anonymously option, as indicated in Figure 1.0.
Also make sure that, in the IIS settings on the distribution point server, Windows Authentication is enabled under Authentication for the Default Web Site. Then, still under Default Web Site, double-click Authorization Rules and verify that access is allowed for all users. See Figures 2.0 and 3.0 below.
Note – In this post I am using one SCCM 2012 R2 primary server, one domain controller and SQL 2012 SP1, and all the operating systems are Windows 2012 R2. If you are using Windows 2008 as the operating system on your DP, there is an additional setting which you need to make in its IIS settings, which is not covered in this post.
Network Ports Used by Parallels to manage the Macs using SCCM 2012 R2
Note – In addition to the above ports, make sure to open the RPC protocol to enable WMI and RPC traffic.
After you verify that the above prerequisites are completed, we will start the setup steps from scratch.
In Part 1 below, I am going to cover the settings that need to be configured on the Active Directory server.
User Rights Permissions required for Parallels Mac Management configuration
First we need to assign the user rights permissions that are required for the Parallels Mac Management configuration.
Step 1: Assign the User Rights Permissions required for Parallels Mac Management configuration
Create a domain user in AD
The newly created user is the one who will install and configure Parallels Mac Management.
In my case I am using my service account.
After you create the user, you need to assign the user to a DCOM user group.
I. Go to Computer Management on your Parallels management installation server (in my case I am installing everything on my SCCM primary server) and expand Local Users and Groups.
II. Select Groups and then select Distributed COM Users.
III. Right-click it and add the created domain user to the group. Figure 4.0 shows how to do it.
Step 5: Grant the user permissions to write to WMI
I. Go to Computer Management, navigate to Configuration / WMI Control.
II. Right-click WMI Control and select Properties menu.
III. Select the Security tab in the WMI Control Properties page. Refer to Figure 5.0.
IV. Under the Namespace page, select Root / SMS / site_<site-code> (in my case I have selected my site code, MET) and then click the Security button. Refer to Figure 6.0.
V. Click the Add button, find your user and click OK. The user will appear in the Group or user names list. Refer to Figure 7.0.
VI. Grant the user Full Write permissions. Refer to Figure 8.0.
VII. Click OK to close the dialog.
VIII. Then add the user account you created to the Administrators group on the server where you are installing the Parallels Configuration Manager Proxy. Refer to Figure 9.0.
Step 6: Grant the user administrative rights in Configuration Manager
I. Open the Configuration Manager (SCCM) console.
II. Navigate to Administration / Overview / Security. Refer to Figure 10.
III. Right-click Administrative Users and select Add User or Group in the menu. Refer to Figure 11.
IV. In the Add User or Group dialog, click Browse, find the domain user that you created earlier and click OK.
V. Click the Add button in the Assigned security roles section.
VI. In the Available security roles list, select Full Administrator and click OK. Refer to Figure 12.
VII. Click OK to close the Add User or Group dialog.
Step 7: Create container in Active Directory and grant the user permissions to write to it
I. On the Active Directory server, click Start > Administrative Tools and open ADSI Edit.
II. In the ADSI Edit pane, navigate to Default naming context / DC=<domain>,DC=<com> / CN=System. Refer to Figure 13.
III. Right-click CN=System and select New > Object… in the context menu. Refer to Figure 14.
IV. In the Select a class list, select container and click Next. Refer to Figure 15.
V. In the value field, type “ParallelsServices” and click Next to finish. Make sure you type the name without the quotes. Refer to Figure 16.
(This container is used to store the connection URL of the Configuration Manager Proxy service. If a Mac client loses the Proxy connection, it can retrieve the connection URL from this container)
VI. After the container is created, in the ADSI Edit window, right-click CN=ParallelsServices, select Properties and open the Security tab.
VII. Then add the domain user that you created earlier and grant the user Read, Write, and Create all child objects permissions, as shown in Figure 17 below.
VIII. Once the above steps are done, create the “Parallels Management Suite” container in the same way.
This container is used for storing the Parallels Mac Management role-based access control information (RBAC).
IX. On the Active Directory server, click Start > Administrative Tools and open ADSI Edit.
X. In the ADSI Edit pane, navigate to Default naming context / DC=<domain>,DC=<com> / CN=System. Refer to Figure 18.
XI. Right-click CN=System and select New > Object… in the context menu. Refer to Figure 19.
XII. In the Select a class list, select container and click Next. Refer to Figure 20.
XIII. In the value field, type “Parallels Management Suite” and click Next to finish. Make sure you type the name without the quotes. Refer to Figure 21.
XIV. After the container is created, in the ADSI Edit window, right-click CN=Parallels Management Suite, select Properties and open the Security tab.
XV. Then add the domain user that you created earlier and grant the user Read, Write, and Create all child objects permissions, as shown in Figure 22 below.
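To check the result of the container steps above without clicking through ADSI Edit, the following audit script is an added example and not part of the original post. It assumes the RSAT ActiveDirectory module is available and uses CMSVC, the account name the author mentions, as the delegated user.

```powershell
# Added audit example (not from the original post).
# Assumptions: RSAT ActiveDirectory module; delegated account is CMSVC.
Import-Module ActiveDirectory

$account  = 'CMSVC'
$domain   = Get-ADDomain
$identity = "$($domain.NetBIOSName)\$account"
$systemDn = "CN=System,$($domain.DistinguishedName)"

$R = [System.DirectoryServices.ActiveDirectoryRights]
# Core bits behind "Read, Write, Create all child objects"
$required = [int]$R::ReadProperty -bor [int]$R::WriteProperty -bor [int]$R::CreateChild
# Rights the post does not ask for: changing permissions/ownership, deleting
$excess   = [int]$R::WriteDacl -bor [int]$R::WriteOwner -bor [int]$R::Delete -bor [int]$R::DeleteTree

foreach ($name in 'ParallelsServices', 'Parallels Management Suite') {
    $filter = "Name -eq '$name' -and ObjectClass -eq 'container'"
    $obj = Get-ADObject -SearchBase $systemDn -SearchScope OneLevel -Filter $filter
    if (-not $obj) {
        Write-Warning "Container '$name' not found under $systemDn"
        continue
    }

    # Object-wide Allow ACEs for the account (property-scoped ACEs are skipped)
    $aces = @((Get-Acl -Path "AD:\$($obj.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq $identity -and
                       $_.AccessControlType -eq 'Allow' -and
                       $_.ObjectType -eq [guid]::Empty })

    $granted = 0
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.ActiveDirectoryRights }

    [pscustomobject]@{
        Container     = $name
        Granted       = $R.GetMethod('ToString', [type[]]@()).Invoke([Enum]::ToObject($R, $granted), $null)
        HasRequired   = ($granted -band $required) -eq $required
        HasExcess     = ($granted -band $excess) -ne 0
        InheritedAces = @($aces | Where-Object { $_.IsInherited }).Count
    }
}
```

HasExcess set to True means the account holds more on the container than the three permissions the steps grant, which is worth trimming back.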
Step 7: Grant the user permissions to read/write Service Principal Name
We need the read/write servicePrincipalName permissions because these rights are required for the RBAC functionality. The Parallels Configuration Manager Proxy service account must have a registered Service Principal Name (SPN) for Kerberos connections.
Here we are going to use the same user that we used earlier to install and to run the Parallels Configuration Manager Proxy service. So in my case it is the CMSVC user account.
I. In the ADSI Edit window, navigate to the CN=Users node and select the user that will be used to run the Parallels Configuration Manager Proxy service.
II. Then right-click the user, select the Properties menu and click the Security tab in the user properties dialog box.
III. Select the user in the user list and click the Advanced button in the Permissions section.
IV. After that, in Advanced Security Settings, select the user that will be installing and configuring Parallels Mac Management and click the Edit button, as shown in Figure 23 below.
V. In the Apply to drop-down list, select This object only. Refer to Figure 24.
VI. In the Permissions list, select the following permissions:
• Read servicePrincipalName
• Write servicePrincipalName
Please refer to Figure 25.
VII. Click OK three times to close all dialogs.
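The servicePrincipalName delegation above can be reviewed from PowerShell. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module and the CMSVC account name from the post, and it lists every principal that can write the attribute so that the new "This object only" entry can be told apart from broader, pre-existing rights.

```powershell
# Added audit example (not from the original post).
# Assumptions: RSAT ActiveDirectory module; service account is CMSVC.
Import-Module ActiveDirectory

$serviceAccount = 'CMSVC'
$writeProperty  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Resolve the schema GUID of servicePrincipalName rather than hard-coding it
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
                         -Filter "lDAPDisplayName -eq 'servicePrincipalName'"
$spnGuid  = [guid]$spnAttr.schemaIDGUID

$user = Get-ADUser -Identity $serviceAccount -Properties servicePrincipalName
'Registered SPNs: ' + (@($user.servicePrincipalName) -join ', ')

# Allow ACEs that permit writing the SPN: either scoped to the attribute itself
# (what the step above creates) or object-wide write access.
(Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $writeProperty) -ne 0 -and
        ($_.ObjectType -eq $spnGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, IsInherited,
        @{ Name = 'Scope'
           Expression = { if ($_.ObjectType -eq $spnGuid) { 'servicePrincipalName only' }
                          else { 'all properties' } } },
        @{ Name = 'ThisObjectOnly'; Expression = { $_.InheritanceType -eq 'None' } }
```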
Step 8: Grant the user permissions in MSSQL
The next stage is to add the user who runs the Parallels Configuration Manager Proxy configuration utility to the dbcreator server role. The steps below show how to do it.
I. Open SQL Server Management Studio from Start > All Programs > SQL Server Management Studio. Refer to Figure 26.
II. Navigate to Security > Logins. Make sure that the user who will configure Parallels Configuration Manager Proxy (in my case it is “CMSVC”) exists. If the user does not exist, add the user. Refer to Figure 27.
III. Next go to Server Roles, right-click the dbcreator role, and then click Properties. Refer to Figure 28.
IV. In the Server Role Properties dialog, click Add. Then, in the Select Logins dialog, click Browse to search for the user that will configure Parallels Configuration Manager Proxy and select the user. Refer to Figure 29.
V. Click OK 3 times to close all dialogs.
Step 9: Part 1- User Rights Required for Running Parallels Configuration Manager Proxy Service
Parallels Configuration Manager Proxy runs as a service. When you are configuring Parallels Configuration Manager Proxy, you’ll be asked to specify a user account that has the specific permissions needed to run the service. The account must be a domain user with permissions to write to the SMS Provider (full write WMI permissions). It also needs permissions to use DCOM objects on the server where the SMS Provider is installed (in this case the user must be a member of the Distributed COM Users group). Finally, it needs admin rights in the SCCM server and admin rights on the server where the service is running.
How to Add the User to the Distributed COM Users Group
I. In the Server Manager window, right-click the domain user that you created and select Add to a group. Refer to Figure 30.
II. Add the user to the Distributed COM Users group. Refer to Figure 31.
III. To grant the user permissions to write to WMI, go to the Computer Management window, expand the Services and Applications menu, navigate to Configuration / WMI Control, right-click WMI Control and select Properties in the context menu. Refer to Figure 32.
IV. Next, select the Security tab in the WMI Control Properties dialog. In the Namespace navigation tree, select Root / SMS / site_<site-code> and then click the Security button. Refer to Figure 33.
V. Click Add, find your user, and click OK. The user will appear in the Group or user names list. Grant the user Full Write permissions and click OK to close the windows. Refer to Figure 34.
VI. Next close the WMI Control Properties dialog.
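The WMI and local group settings from Step 5 and from Part 1 of Step 9 can be confirmed with a short script. This is an added example, not part of the original post; it assumes it is run elevated on the server hosting the SMS Provider and uses the site code MET and account CMSVC that the author mentions.

```powershell
# Added audit example (not from the original post). Run elevated on the
# server hosting the SMS Provider. MET and CMSVC are the author's values.
$siteCode = 'MET'
$account  = 'CMSVC'

# WMI namespace access-mask bits; "Full Write" in the GUI is bit 0x4.
$wbem = [ordered]@{
    Enable = 0x1; MethodExecute = 0x2; FullWrite = 0x4; PartialWrite = 0x8
    ProviderWrite = 0x10; RemoteEnable = 0x20
    ReadSecurity = 0x20000; EditSecurity = 0x40000
}

function Get-WmiNamespaceAce {
    param([string]$Namespace, [string]$Trustee)
    $sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor returned $($sd.ReturnValue)" }
    foreach ($ace in $sd.Descriptor.DACL) {
        if ($ace.Trustee.Name -ne $Trustee) { continue }
        $mask = [int64]$ace.AccessMask
        [pscustomobject]@{
            Trustee   = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Rights    = @($wbem.Keys | Where-Object { $mask -band $wbem[$_] }) -join ', '
            FullWrite = [bool]($mask -band $wbem.FullWrite)
        }
    }
}

function Test-LocalGroupMember {
    param([string]$Group, [string]$Member)
    # The WinNT provider needs no extra modules on Windows Server 2012 R2.
    # Matches direct members by name only; nested groups are not expanded.
    $names = ([ADSI]"WinNT://./$Group,group").Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    $names -contains $Member
}

Get-WmiNamespaceAce -Namespace "root\sms\site_$siteCode" -Trustee $account
foreach ($group in 'Distributed COM Users', 'Administrators') {
    '{0}: {1}' -f $group, (Test-LocalGroupMember -Group $group -Member $account)
}
```

Keeping this output with the change record gives a baseline to compare against later, since the same account also holds Full Administrator in SCCM and local administrator rights.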
Part 2 – Grant the User Administrative Rights in Configuration Manager
Make sure the user has the Full Administrator rights in the SCCM console and is also a member of the local Administrators group on the server which