Parallels Software Update Point – self-signed certificate

As a continuation of the previous post on how to set up the Parallels Software Update Point (introduced in Parallels Mac Management for SCCM 4.5), here comes a minor hack on how to enable WSUS for self-signed certificates and leverage this within Parallels SUP.

Step 1.

Enable self-signed certificates for WSUS

Set the following registry key

HKLM\Software\Microsoft\Update Services\Server\Setup
DWORD: EnableSelfSignedCertificates – 1

Step 2

Open certmgr.msc where WSUS is installed and export the WSUS self-signed certificate.

Export the WSUS Publishers Self-signed certificate from Trusted Publishers to a file. Remember to choose to export the private key…

…and all the extended properties…

… and set a password…

Step 3

Run some code provided by Parallels to set the certificate you just exported as the signing certificate. Replace CERTFILE and CERTPW with the exported file and its password.

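# Load the WSUS administration API (output suppressed)
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

# Connect to the local WSUS server and read its configuration
$updateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $updateServer.GetConfiguration()

# Set the exported certificate as the signing certificate and save
$config.SetSigningCertificate("CERTFILE", "CERTPW")
$config.Save()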

Step 4.

Complete the setup wizard, as you have already followed all the previous steps.
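
A more defensive way to run steps 1 and 3, as an added example (not the code Parallels provides): it confirms the registry value, prompts for the PFX password instead of embedding it in the script, opens the file before handing it to WSUS, and writes out the public certificate that clients need. The function name and both path parameters are hypothetical; the WSUS calls are the ones shown in step 3.

```powershell
# Added example; function name and parameters are hypothetical. Use full paths.
function Set-WsusSelfSignedSigningCert {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,        # file exported in step 2
        [Parameter(Mandatory = $true)] [string] $PublicCertPath  # public .cer to write
    )

    # Step 1: the self-signed option must be enabled before WSUS accepts the certificate.
    $setupKey = 'HKLM:\Software\Microsoft\Update Services\Server\Setup'
    $flag = (Get-ItemProperty -Path $setupKey -Name EnableSelfSignedCertificates `
             -ErrorAction SilentlyContinue).EnableSelfSignedCertificates
    if ($flag -ne 1) { throw "EnableSelfSignedCertificates is not 1 under $setupKey" }

    # Prompt for the export password rather than storing it in the script.
    $securePw = Read-Host -Prompt 'PFX password' -AsSecureString

    # Open the PFX first: a wrong password or damaged file fails here, not inside WSUS.
    $pfxFile = (Resolve-Path -Path $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxFile, $securePw)
    if (-not $cert.HasPrivateKey) { throw 'PFX has no private key; export it again with the key.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

    # Step 3: same WSUS API calls as in the post.
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $config = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer().GetConfiguration()
    $plainPw = (New-Object System.Net.NetworkCredential('', $securePw)).Password
    $config.SetSigningCertificate($pfxFile, $plainPw)
    $config.Save()

    # Clients need only the public certificate; export it without the private key.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($PublicCertPath, $der)

    $cert.Thumbprint   # return the thumbprint so it can be checked on clients
}
```

The PFX from step 2 contains the private key that signs updates for every client trusting this WSUS server, so it should not be left on a share or desktop once the certificate is set.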

Parallels Mac Management for SCCM – Software Update Point

As of Parallels Mac Management 4.5 there are great new features – such as the new role Software Update Point.

This role enables managed updates for the OSX devices within your environment. It acts as a bridge between the Apple Software Update Server (or the able service) and the Configuration Manager environment which PMM integrates into. All of these products now integrate in a (sort of) seamless way: the new PMM role (PMM SUP) injects updates into Microsoft WSUS, which ConfigMgr then uses to publish content. The Apple SUS is optional; if one is set up you can leverage it to further control updates.

Most of this knowledge is based on the Parallels Mac Management for SCCM (bad acronym right there..) Admin guide

Prerequisites

To start using the PMM for SCCM Software Update Point it is required to have a Microsoft WSUS server installed and leveraged for the ConfigMgr environment. Most likely this is already in place if you are already managing updates for Windows-devices.

Allow locally published content

Clients must be configured to trust locally published content from WSUS. Complete instructions are available from Microsoft; however, a quick way to verify whether this is set up is to check the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
AcceptTrustedPublisherCerts – 1

In addition, the signing certificate set up for WSUS needs to be trusted by the client.
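
A client-side check for the two conditions above, as an added example that is not from the Parallels guide: it reads the policy value and looks up the WSUS signing certificate by thumbprint in the machine certificate stores. The function name and the .cer path parameter are hypothetical; requiring a self-signed certificate to also be in Trusted Root Certification Authorities is standard Windows chain validation rather than something this post states.

```powershell
# Added example; function name and parameter are hypothetical.
function Test-WsusLocalPublishingTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $PublicCertPath  # full path to the WSUS .cer
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PublicCertPath)

    # Policy value from the post: the client accepts locally published content.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $accept = (Get-ItemProperty -Path $policyKey -Name AcceptTrustedPublisherCerts `
               -ErrorAction SilentlyContinue).AcceptTrustedPublisherCerts

    # Look the certificate up by thumbprint in the machine stores.
    $inPublisher = Test-Path -Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"
    $inRoot      = Test-Path -Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

    # A self-signed certificate has no issuing CA, so it must also be a trusted root.
    $selfSigned = $cert.Subject -eq $cert.Issuer
    $chainOk    = if ($selfSigned) { $inRoot } else { $cert.Verify() }

    [pscustomobject]@{
        Thumbprint                  = $cert.Thumbprint
        SelfSigned                  = $selfSigned
        Expired                     = $cert.NotAfter -lt (Get-Date)
        AcceptTrustedPublisherCerts = ($accept -eq 1)
        InTrustedPublisher          = $inPublisher
        InTrustedRoot               = $inRoot
        Ready                       = ($accept -eq 1) -and $inPublisher -and $chainOk -and
                                      ($cert.NotAfter -ge (Get-Date))
    }
}
```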

WSUS server

The PMM for SCCM SUP should be installed on a server that has WSUS installed (the top server in a hierarchy). Before completing that installation a few things need to be verified. A service account has to be used and configured for the SUP role, and it has to be a member of the local Administrators group on the server. In addition, the service account has to be a member of the local group WSUS Administrators.

Choose Update Server

There are three options when choosing what type of source the Apple Updates should be retrieved from. The basics are:

  • Apple Software Updates (public)
    Users can choose what updates to install, able to postpone installation and restarts.
    Updates will be downloaded from Apple
  • Local Update Server (intranet source)
    Users can choose what updates to install, able to postpone restarts
  • Local Update Server (intranet source) – filtered
    Administrators deploy updates

My personal preference is the Apple Software Updates, but in case you want to avoid WAN traffic and potentially have more control of updates for your devices, the option is a local Apple Software Update Server (or Local Update Server, as stated above). The Apple Software Update Server is part of OSX Server (which can be purchased from the Apple Store). Like all other things, this role can be enabled and set up pretty easily. However, it does require an OSX instance that is running as a server in your environment.

Apple Software Update Server

Once the Apple Software Update Server is set up, the PMM for SCCM SUP needs to be configured to direct all requests to this server. A simple registry edit will finalize the configuration.

These items only need to be changed if you want to use the Apple SUS.

Node: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pmm_sup_service\Parameters

Server Address: SusCatalogBaseUrl
Port: HttpServerPort
Server settings update interval: InfoUpdateIntervalSeconds
Catalog check: CatalogRefreshIntervalSeconds

Any activity is logged to the following log-file:

%Windir%\Logs\pmm\pmm_sup_service.log

ConfigMgr configuration

ConfigMgr needs to be configured to synchronize the new Apple Updates. First, update Classifications in the synchronization properties of the ConfigMgr Software Update Point.

In addition the Apple product needs to be selected.

Client settings

If one is using the public Apple Software Updates there isn’t a need to configure the PMM for SCCM agent as the agent is set to use this source by default. There are three options that can be configured in the following options file:

/Library/Preferences/com.parallels.pma.agent.plist

These match the previously suggested routes:

0 — Apple Software Update server (default).
1 — Local update server.
2 — Local update server with selected updates.

Set the option :SuCatalogMode to the desired choice in case you need to update it. PMM has realized that their provided Configuration Items are sub-par, so the admin guide includes script examples (pages 134-135) that you can use to create your own Configuration Items.

Summary

Within an environment that already has ConfigMgr, WSUS and PMM set up, the addition of PMM for SCCM SUP isn’t a lot of extra work to enable management of OSX Updates.

ConfigMgr, apps and OSX

ConfigMgr offers limited support to manage an OSX-device, however you can extend the capabilities using third-party tooling such as Parallels Mac Management for SCCM.

Parallels Mac Management for SCCM primarily offers something similar to Software Center – namely an interface called Parallels Application Portal that will allow available applications (not the classic package) to be installed or removed through a user interface. Unlike the Windows-applications and their respective deployment types for an application the ability to configure the deployment is rather peculiar.

Some basics

You will need access to an instance of OSX where you can generate the package. As previously described in the post on how to deploy Symantec Endpoint Protection, there is a small tool to generate a ConfigMgr-compatible package from the various formats available for installing applications on OSX.

Once the package is generated it will contain the binary pieces of the application, as well as a basic command-line to install the application and (optional, but enabled by default) a detection method to verify that the application is installed.

Command-line

Most likely the command-line will look something like this

/usr/sbin/installer -pkg "Parallels Desktop.pkg" -target "/" -verboseR

As Parallels Mac Management for SCCM has the ability to also uninstall applications there is a need to specify the command-line for actually removing the application. Using the “:” you can provide the two commands on the same command-line.

Uninstall command-line (more about rm on Mac Developer Library)

rm -rf "/Applications/Parallels Desktop.app"

Combined command-line (notice the : at the start, the middle and the end of the command-line):

:/usr/sbin/installer -pkg "Parallels Desktop.pkg"  -target "/" -verboseR:rm -rf "/Applications/Parallels Desktop.app":

Detection Method

A Detection Method is generated by default when a package is created (specify the -c option to avoid having it generated within the ConfigMgr package).

The Package ID can be reviewed within OSX using pkgutil.

Sample command-line to review if a package is installed or not within OSX

$ pkgutil --pkg-info com.parallels.package

Sample output

$ pkgutil --pkg-info com.apple.pkg.BaseSystem
package-id: com.apple.pkg.BaseSystem
version: 10.6.0.1.1.1249367152
volume: /
location: /
install-time: 1306707387
groups: com.apple.snowleopard-repair-permissions.pkg-group com.apple.FindSystemFiles.pkg-group
$ date -r 1306707387
Sun May 29 15:16:27 PDT 2011

As you can see, we request information on whether a specific package is installed. To list all packages on a volume you can use the following command:

$ pkgutil --packages --volume /

Additional command-line

During the uninstall command we technically only remove the application, however the information which we base the detection on is left behind. To remove the package information the following command-line can be used

$ pkgutil --forget com.parallels.package

Using && (and) we can combine our multiple commands for uninstall – both removing the Parallels Desktop.app and the package information.

:/usr/sbin/installer -pkg "Parallels Desktop.pkg"  -target "/" -verboseR:rm -rf "/Applications/Parallels Desktop.app" && pkgutil --forget com.parallels.package:

Summary

Unlike Windows applications, where install and uninstall are split into two separate command-lines, there is a single command-line to handle for OSX. One needs to be familiar with the OSX tools for managing applications and with the terminal to successfully handle installation and uninstall of an application.