Managing Mac computers with Windows ConfigMgr? Yes, you can

System Center Configuration Manager, better known simply as ConfigMgr, has long been the centerpiece of Microsoft’s solution for managing Windows computers. But can it manage Macs, too? That’s the question I put to my colleague Andrew Perchaluk, who is an Associate Infrastructure Solution Architect at the University of Manitoba right here where I live in Winnipeg, Canada. Although I don’t manage Macs myself, I did work together a few years ago with four System Center experts at Microsoft (Rushi Faldu, Manoj Kumar Pal, Andre Della Monica, and Kaushal Pandey) on a book that included a section demonstrating how to use System Center 2012 R2 to create a workflow for application deployment on Mac clients. The book (available as a free ebook you can download here in PDF, Mobi, or ePub format) included a sample walkthrough of a scenario that involved deploying Adobe Reader to a MacBook Pro running OS X Mountain Lion 10.8, and it was quite an illuminating experience to learn what was involved in such a deployment scenario. I’m sure, however, that managing Macs in Windows environments has come a long way in the last few years with all the changes and improvements in Windows Intune and the latest version of System Center Configuration Manager, so let’s now see what we all can learn from Andrew as he explains how he’s been using ConfigMgr together with a third-party solution for managing Macs in his university environment.

Apple Device Management with ConfigMgr

Many organizations have a mix of Windows and Mac desktops. A large percentage are using ConfigMgr to manage Windows desktops but the Mac desktops have always been a management problem. Most haven’t been able to fully manage them with a central tool and instead have to dedicate people to visit each Mac as issues arise. In today’s world of vulnerabilities and ransomware, it can be difficult to ensure these Macs are fully patched and compliant with company security policies.

The other situation organizations find themselves in is running one tool to manage Windows desktops and a second tool to manage Mac desktops. What if you could use just ConfigMgr for both? Things would be so much easier. Is it possible to have a single pane of glass for all your desktops? Can you have the same feature set of management tools that ConfigMgr gives you for Windows desktops, but for Macs too? I worked through the process described below to come up with something that does exactly that.

Problem definition

We had no solution to centrally manage Apple devices within our environment. All work, such as software installs, security updates, OS installs and configuration, remote troubleshooting, and security configuration, was done manually by technicians. This made it very difficult to maintain a standard configuration and added time and cost to supporting these devices. There was no automated asset management solution for these devices, which meant we had to rely on manual efforts for purchasing decisions and future planning.

Business drivers

This capability if implemented would provide a single pane of glass for managing both Apple products and Windows-based computers in our environment. This would lead to:

  • Improved daily IT support performance.
  • Driving down IT operating costs by reducing duplicate work, incident resolution time, and service request completion time, and by providing accurate reporting on hardware and software licenses to support educated business decisions.
  • Automation of software and OS configuration and security configuration.
  • The capability to have a holistic view on software licensing.

Security

  • Single pane of glass for compliance, reporting, & security.
  • Central security patch deployment and reporting for Mac.
  • Common reporting and compliance reports between Mac and Windows.
  • PKI security for Mac clients for encrypted communications between client and SCCM server.
  • Remote wipe capabilities.
  • Ability to enable and manage Mac FileVault 2 encryption.

Technical constraints

  • The solution had to effectively integrate with our existing SCCM infrastructure.
  • The solution did not need to manage iPhones and iPads, only Mac OS X 10.7 and newer.
  • Non-domain-joined Mac clients will require a local admin account.
  • If the firewall is enabled in macOS, a message is displayed asking you if pma_agent.app should be allowed to accept incoming connections.

Quality attributes

  • Scalability — Hosting all components on virtual servers would allow for growth and performance tuning as required.
  • Maintainability — The system was able to run on existing SCCM components in our infrastructure.
  • Upgradeable — Preferred if the solution meets business needs out of the box; requiring no customizations would simplify the upgrade process.
  • Auditability.

Evaluation

We researched and looked at demos of various products and determined that Parallels Mac Management for SCCM was the best fit and its functionality would enable our IT department to make large improvements in managing the Mac environment.

Initially, we installed Parallels in our test environment and then shortly after into our production SCCM environment. Then we added the 25 pilot Mac systems to SCCM, which included one device per OS version to validate functionality.

Some design considerations

  • This solution will tie in seamlessly with ConfigMgr enabling it to effectively manage the Apple environment.
  • This solution will utilize existing SCCM server infrastructure and no new virtual servers would be required.
  • This solution is in line with the vendor’s reference architecture.
  • This solution will support end-to-end PKI security for Mac clients just as we had with Windows SCCM clients.
  • This solution will allow adding Mac clients to SCCM even if they are not Active Directory domain joined.

Parallels components design

We installed the Parallels components on top of our SCCM servers in our environment as per the diagram below.

Parallels components

Configuration Manager Proxy: The Parallels application that acts as a proxy between SCCM and Mac computers

Configuration Manager Console Extensions: A set of dynamic libraries that extend the Configuration Manager console, providing a graphical user interface for managing OS X. This component must be installed on the computer where the Configuration Manager console is installed, so it can go on any server or user desktop that runs the SCCM administrative console and needs to manage Macs.

OSX Software Update Point: Allows you to manage Apple software updates (patches) for OS X using the native SCCM functionality. The component requires Windows Server Update Services (WSUS) and must be installed on the same server as WSUS.

Netboot Server: The Parallels Netboot component enables Mac computers to boot from the network and is required for deploying OS X images to Mac computers. The Netboot component must be installed on an SCCM distribution point server. Because Mac clients will be on a different subnet than the Netboot and DHCP servers, an IP helper configuration will be required on all building routers to forward DHCP traffic from Mac clients to the Netboot server.
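The IP helper requirement above, as an added Cisco IOS-style example (not from the article or from Parallels): the client VLAN relays its DHCP broadcasts to both the DHCP server and the Netboot server, because a Mac’s NetBoot discovery (BSDP) travels as a DHCP broadcast on UDP 67. The VLAN number and all addresses are placeholders.

```cisco
! Added example (not from the article): relay Mac client DHCP/BSDP broadcasts
! from a client VLAN to both the DHCP server and the Parallels Netboot server.
! VLAN number and IP addresses are placeholders.
interface Vlan120
 description Mac client subnet (placeholder)
 ip address 10.120.0.1 255.255.255.0
 ! Regular DHCP server: hands out the client leases.
 ip helper-address 10.0.1.10
 ! Parallels Netboot server (on the SCCM distribution point): answers the
 ! BSDP discovery the Mac sends as a DHCP broadcast; without this second
 ! helper the Netboot server never sees the request.
 ip helper-address 10.0.2.20
!
! ip helper-address relays UDP bootps (67) by default, which covers both DHCP
! and BSDP. It also relays TFTP (69), DNS (53), time (37), TACACS (49) and
! NetBIOS (137, 138) by default; drop the ones this relay does not need so
! the helper does not become a path for unrelated broadcasts.
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
```

Each helper address reaches a separate server, so the Netboot server must be listed explicitly even though the DHCP server already is; listing only one of the two is the usual reason Macs on a routed subnet get an address but never see a NetBoot image.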

Reporting: Gain the ability to query and generate reports on all aspects of Mac desktops in your environment. Gather hardware and software inventory of your Mac computers. Report information about user logons. Leverage native Microsoft SCCM reports for details on Mac computers.

Natively, SCCM supports only very minimal Mac features; with Parallels installed, a wide array of features is supported, allowing you to fully manage your Mac desktops from SCCM.

Useful reference links

Mitch Tulloch

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.
