System Center Configuration Manager, better known simply as ConfigMgr, has long been the centerpiece of Microsoft’s solution for managing Windows computers. But can it manage Macs, too? That’s the question I put to my colleague Andrew Perchaluk, who is an Associate Infrastructure Solution Architect at the University of Manitoba right here where I live in Winnipeg, Canada. Although I don’t manage Macs myself, I did work together a few years ago with four System Center experts at Microsoft (Rushi Faldu, Manoj Kumar Pal, Andre Della Monica, and Kaushal Pandey) on a book that included a section that demonstrated how to use System Center 2012 R2 to create a workflow for application deployment on Mac clients. The book (available as a free ebook you can download here in PDF, Mobi, or ePub format) included a sample walkthrough of a scenario that involved deploying Adobe Reader to a MacBook Pro running OS X Mountain Lion 10.8, and it was quite an illuminating experience to learn what was involved in such a deployment scenario. I’m sure, however, that managing Macs in Windows environments has come a long way in the last few years with all the changes and improvements in Windows Intune and the latest version of System Center Configuration Manager, so let’s now see what we all can learn from Andrew as he explains how he’s been using ConfigMgr together with a third-party solution for managing Macs in his university environment.
Apple Device Management with ConfigMgr
Many organizations have a mix of Windows and Mac desktops. A large percentage use ConfigMgr to manage their Windows desktops, but the Mac desktops have always been a management problem. Most haven’t been able to fully manage them with a central tool and instead have to dedicate people to visit each Mac as issues arise. In today’s world of vulnerabilities and ransomware, it can be difficult to ensure these Macs are fully patched and compliant with company security policies.
Other organizations are in a second state: they have one tool to manage Windows desktops and a second tool to manage Mac desktops. What if you could use just ConfigMgr for management of both? Things would be so much easier. Is it possible to have a single pane of glass for all your desktops? Can you have the same feature set of management tools that ConfigMgr gives you for Windows desktops, but for Macs too? I worked through the process described below to come up with something that does exactly that.
We had no solution to centrally manage Apple devices within our environment. All work, such as software installs, security updates, OS installs, configuration, security configuration, and remote troubleshooting, was done manually by technicians. This made it very difficult to maintain a standard configuration and added time and cost to supporting these devices. There was no automated asset management solution for these devices, which meant we had to rely on manual efforts for purchasing decisions and future planning.
This capability if implemented would provide a single pane of glass for managing both Apple products and Windows-based computers in our environment. This would lead to:
- Improved daily IT support performance.
- Driving down IT operating costs by reducing duplicate work, incident resolution time, and service request completion time, and by providing accurate reporting on hardware and software licenses to support educated business decisions.
- Automation of software and OS configuration and security configuration.
- The capability to have a holistic view on software licensing.
- Single pane of glass for compliance, reporting, & security.
- Central security patch deployment and reporting for Mac.
- Common reporting and compliance reports between Mac and Windows.
- PKI security for Mac clients for encrypted communications between client and SCCM server.
- Remote wipe capabilities.
- Ability to enable and manage Mac FileVault 2 encryption.
We also set the following requirements and constraints for the solution:
- The solution had to integrate effectively with our existing SCCM infrastructure.
- The solution did not need to manage iPhones and iPads, only Macs running OS X 10.7 and newer.
- Non-domain-joined Mac clients will require a local admin account.
- If the firewall is enabled in macOS, a message is displayed asking you whether pma_agent.app should be allowed to accept incoming connections.
- Scalability — Hosting all components on virtual servers would allow for growth and performance tuning as required.
- Maintainability — The system had to run on existing SCCM components in our infrastructure.
- Upgradeable — Preferably, the solution would meet business needs out of the box; requiring no customizations keeps the upgrade process simple.
We researched and looked at demos of various products and determined that Parallels Mac Management for SCCM was the best fit and its functionality would enable our IT department to make large improvements in managing the Mac environment.
Initially, we installed Parallels in our test environment and then shortly after into our production SCCM environment. Then we added the 25 pilot Mac systems to SCCM, which included one device per OS version to validate functionality.
Some design considerations
- This solution will tie in seamlessly with ConfigMgr enabling it to effectively manage the Apple environment.
- This solution will utilize existing SCCM server infrastructure and no new virtual servers would be required.
- This solution is in line with the vendor’s reference architecture.
- This solution will support end-to-end PKI security for Mac clients, just as we had with Windows SCCM clients.
- This solution will allow adding Mac clients to SCCM even if they are not Active Directory domain joined.
Parallels components design
We installed the Parallels components on top of our SCCM servers in our environment as per the diagram below.
Configuration Manager Proxy: The Parallels application that acts as a proxy between SCCM and Mac computers.
Configuration Manager Console Extensions: A set of dynamic libraries that extend the Configuration Manager console, providing a graphical user interface for managing OS X. The component must be installed on the computer where the Configuration Manager console is installed. This plugin can be installed on any server or user desktop that is running the SCCM administrative console and needs to manage Macs.
OS X Software Update Point: Allows you to manage Apple software updates (patches) for OS X using the native SCCM functionality. The component requires Windows Server Update Services (WSUS) and must be installed on the same server as WSUS.
Netboot Server: The Parallels Netboot component enables Mac computers to boot from the network and is required for deploying OS X images to Mac computers. The Netboot component must be installed on an SCCM distribution point server. Because Mac clients will be on a different subnet than the Netboot and DHCP servers, an IP helper (DHCP relay) configuration will be required on all building routers. This forwards DHCP traffic from Mac clients to the Netboot server.
Reporting: Gain the ability to query and generate reports on all aspects of the Mac desktops in your environment. Gather hardware and software inventory of your Mac computers. Report information about user logons. Leverage native Microsoft SCCM reports for details on Mac computers.
Natively, SCCM supports only very minimal Mac features; with Parallels installed, a wide array of features is supported, allowing you to fully manage your Mac desktops from SCCM.
Useful reference links