Deploying Device-based Configuration Profiles with ConfigMgr and Parallels Mac Management

When using Parallels Mac Management, we can utilize Mac OS X Configuration Profiles, which can be deployed to managed Mac Devices using a Configuration Baseline.

As you see on the second Screenshot, we deploy this specific Profile, which is stored in a ConfigMgr Configuration Item, to a Device Collection, called “All Mac OS X System”.  With this in mind we would expect that the Profile is applied in the System- and not in the User Context, right?

Well, not really unfortunately. As soon as you force a Policy Update on a Managed Mac Device and the Configuration Profile gets applied, you receive a User / Password Prompt.

When entering the Credentials, the Configuration Profile is successfully applied.

To break this further down, when performing a new login on the same Mac with a Second User, the Prompt re-appears again. If  this User now doesn’t have Local Admin Rights, he will be unable to add the Configuration Profile. To make things even more interesting, when you delete the Deployment, which will remove the Configuration Profile, you need to authenticated again with a Local Administrator.

Here we basically come to the conclusion, that those Configuration Profiles are applied to every User on the System instead of the System itself, even though with have a Device-based Deployment of the Configuration Profile / Baseline.

Now, let’s have a look on how we can really apply the Configuration Profile fully unattended to the System.

Manually creating a Configuration Profile

Open the App Store on a Mac Device and Download the Apple Configurator App.

Create a new Profile, by selecting File -> New Profile.

Specify the Configuration Profile Information, as you did in the Parallels Wizard before. The last two options are specifically interesting. I normally like to prevent that a User, even though he has Local Admin Rights, can remove the Configuration Profile.

In this example, we configure the same Passcode Settings as before in the Parallels Configuration Item Wizard.

Save the Profile and copy it to a Location, which is accessible by the ConfigMgr Console.

Importing the Configuration Profile in ConfigMgr

Open the Assets and Compliance Workspace, Select Configuration Items and Create a New Mac OS X Configuration Profile from File.

Specify a Name for the Configuration Profile and the Path to the exported profile.

Here we finally see an Option to choose between a User- and a System profile type! Choose System profile.

Click OK, to close the Mac OS X Configure Profile Wizard.

Select Configuration Baselines and Click on Create Configuration Baseline.

Specify a Name for the Baseline and add the previously added Configuration Item, which contains the imported Configuration Profile.

Select the created Baseline and click Deploy.

As before, I deploy the Baseline to the All Mac OS X Systems Device Collection.

When now triggering a Policy Update on the Mac, the Configuration Profile will be applied without any User / Password Prompt and completely unattended.

To further verify this, we can change User Accounts and the Profile is still visible, which wasn’t the case before.

I hope, I could shed some light into handling Configuration Profiles with Parallels Mac Management and ConfigMgr. I don’t really like the way how this is currently implemented. As proven above, Device-based Configuration Profiles are possible from a technical aspect, so I can’t really understand why this doesn’t work with Profiles, which are directly created in the Parallels Wizard.

At last, I’d like to give credits to the following Parallels Forum thread: Configuration Baseline and Profile installation Permissions

Deploying Device-based Configuration Profiles with ConfigMgr and Parallels Mac Management
Rate this post

Leave a Reply