Parallels Mac Management for SCCM – Software Update Point

As of Parallels Mac Management 4.5 there are great new features – such as the new role Software Update Point.

This role enables managed updates for the OS X devices within your environment. It acts as a bridge between the Apple Software Update Server (or the able service) and the Configuration Manager environment which PMM integrates into. All of these products will now integrate in a (sort of) seamless way, and PMM can now use its new role (PMM SUP) to inject updates into Microsoft WSUS, which ConfigMgr then uses to publish content. The Apple SUS is optional, and if one is set up you can leverage it to further control updates.

Most of this knowledge is based on the Parallels Mac Management for SCCM (bad acronym right there..) Admin guide.

Prerequisites

To start using the PMM for SCCM Software Update Point, a Microsoft WSUS server must be installed and in use by the ConfigMgr environment. Most likely this is already in place if you are already managing updates for Windows devices.

Allow locally published content

Clients must be configured to trust locally published content from WSUS. Complete instructions are available from Microsoft; however, a quick way to verify that this is set up is to check the following registry key.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
AcceptTrustedPublisherCerts – 1


In addition, the signing certificate set up for WSUS needs to be trusted by the client.

WSUS server

The PMM for SCCM SUP should be installed on the server that has WSUS installed (the top server in a hierarchy). Before completing that installation a few things need to be verified. A service account has to be used and configured for the SUP role, and it has to be a member of the local Administrators group on the server. In addition, the service account has to be a member of the local group WSUS Administrators.


Choose Update Server

There are three options when choosing the type of source the Apple updates should be retrieved from:

  • Apple Software Updates (public)
    Users can choose what updates to install and are able to postpone installation and restarts.
    Updates will be downloaded from Apple.
  • Local Update Server (intranet source)
    Users can choose what updates to install and are able to postpone restarts.
  • Local Update Server (intranet source) – filtered
    Administrators deploy updates.

My personal preference is the Apple Software Updates, but in case you want to avoid WAN traffic and potentially gain more control of updates for your devices, the option is a local Apple Software Update Server (or Local Update Server, as stated above). The Apple Software Update Server is part of OS X Server (which can be purchased from the Apple Store). Like all other things, this role can be enabled and set up pretty easily. However, it does require an OS X instance that is running as a server in your environment.

Apple Software Update Server

Once the Apple Software Update Server is set up, the PMM for SCCM SUP needs to be configured to direct all requests to this server. A simple registry edit will finalize the configuration.

These items only need to be changed if you want to use the Apple SUS.

Node: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pmm_sup_service\Parameters

Server Address: SusCatalogBaseUrl
Port: HttpServerPort
Server settings update interval: InfoUpdateIntervalSeconds
Catalog check: CatalogRefreshIntervalSeconds

All activity is logged to the following file:

%Windir%\Logs\pmm\pmm_sup_service.log

ConfigMgr configuration

ConfigMgr needs to be configured to synchronize the new Apple updates. First, update Classifications in the synchronization properties of the ConfigMgr Software Update Point.


In addition the Apple product needs to be selected.


Client settings

If one is using the public Apple Software Updates there isn’t a need to configure the PMM for SCCM agent as the agent is set to use this source by default. There are three options that can be configured in the following options file:

/Library/Preferences/com.parallels.pma.agent.plist

The values match the sources described earlier:

0 — Apple Software Update server (default).
1 — Local update server.
2 — Local update server with selected updates.

Set the option :SuCatalogMode to the desired choice in case you need to update it. PMM has realized that their provided Configuration Items are sub-par, so the admin guide contains script examples (pages 134-135) that you can use to create your own Configuration Items.
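The check a compliance script would make against this setting, as an added example (not code from the admin guide or from Parallels). It assumes SuCatalogMode is stored as an integer at the top level of the agent plist and that a missing key means the default; the sample plists are constructed.

```python
import plistlib

# Mode values as listed in this post.
CATALOG_MODES = {
    0: "Apple Software Update server (default)",
    1: "Local update server",
    2: "Local update server with selected updates",
}

def check_catalog_mode(plist_bytes, desired):
    """Compare SuCatalogMode in the agent plist with the desired mode.

    plistlib.loads() auto-detects XML and binary plists, so the check
    still works when the preferences file is stored in binary form,
    where a plain text search of the file would miss the key.
    """
    if desired not in CATALOG_MODES:
        raise ValueError(f"unknown desired mode: {desired!r}")
    prefs = plistlib.loads(plist_bytes)
    # Assumption: an absent key means the agent uses its default (0).
    raw = prefs.get("SuCatalogMode", 0)
    # bool is a subclass of int in Python, so reject <true/>/<false/>.
    valid = (isinstance(raw, int) and not isinstance(raw, bool)
             and raw in CATALOG_MODES)
    return {
        "mode": raw,
        "source": CATALOG_MODES[raw] if valid else "invalid value",
        "compliant": valid and raw == desired,
    }

# Constructed sample inputs (not taken from a real agent installation).
XML_SAMPLE = plistlib.dumps({"SuCatalogMode": 2}, fmt=plistlib.FMT_XML)
BINARY_SAMPLE = plistlib.dumps({"SuCatalogMode": 1}, fmt=plistlib.FMT_BINARY)
NO_KEY_SAMPLE = plistlib.dumps({"OtherSetting": "x"})
STRING_SAMPLE = plistlib.dumps({"SuCatalogMode": "2"})

if __name__ == "__main__":
    for sample in (XML_SAMPLE, BINARY_SAMPLE, NO_KEY_SAMPLE, STRING_SAMPLE):
        print(check_catalog_mode(sample, desired=2))
```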

Summary

Within an environment that already has ConfigMgr, WSUS and PMM set up, the addition of PMM for SCCM SUP isn’t a lot of extra work to enable management of OS X updates.

Apple iTunes 11.1.4 and Software License Agreement (and Process Monitor)

After discussing an upgrade of iTunes throughout the organization, and the implications of suppressing the forced Software License Agreement within iTunes on the initial launch, I decided to go on a discovery with the iTunes application.

Previously all packagers have suppressed the Software License Agreement by providing the iTunesPrefs.xml file within the package and placing a copy within both %APPDATA% and %LOCALAPPDATA%. During an upgrade, replacing that file of course overwrites any user preferences. Potentially we could provide some additional scripting to crack open the files and replace the particular value that tells iTunes that the Software License Agreement is accepted. The value (for 11.1.4) looks like this in %APPDATA%:


<key>license-agreements</key>
<dict>
    <key>EA1068</key>
    <true/>
</dict>

That's a lot of work. And I am lazy.

Let’s review the start-up process of iTunes in Process Monitor, without having accepted the Software License Agreement.

The actual license-agreement is obtained from a file called License.rtf, so we can easily search for this file within Process Monitor to see just about where iTunes is deciding to show the Software License Agreement.

image

If we review the activity above we can spot that, before reading the License.rtf file (sv.lproj is for Swedish, so I am getting a Swedish license agreement), it checks a few registry keys and the file iTunesPrefs.xml. Obviously the check of the iTunesPrefs.xml file is to see whether or not this particular user has accepted the license agreement. However, the check for the registry key within HKEY_LOCAL_MACHINE was a bit unexpected. It is actually looking for the registry value SLA (Software License Agreement). Unfortunately there is no documentation of this value anywhere. The obvious first attempt is to create a DWORD with a value of either 1 or 0. Neither changes the behavior of iTunes; however, it can be confirmed that iTunes does read the value. Creating a string (REG_SZ) with 1, 0, Yes, No, Accepted, iTunes or any other value doesn’t change anything.

It seems to be a perfect fit though? The name SLA seems to fit the scenario, but what value can actually change the behavior of iTunes? Within %APPDATA%\Apple Computer\iTunes and the file iTunesPrefs.xml there actually is an answer to the question. It seems that setting the same value as located within iTunesPrefs.xml gets iTunes to suppress the presentation of the SLA for all users on the machine.


The value seems to change for every new version of iTunes, so with a new version of iTunes one would have to accept it once manually and extract the necessary value from the iTunesPrefs.xml file.
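The extraction step described above can be scripted. This is an added example, not code from the original post: it parses iTunesPrefs.xml as a property list, finds the accepted license-agreements token and builds the matching .reg text. The sample file and its nesting under "User Preferences" are constructed for illustration, and the registry path is the Windows 7 x64 one used in this post.

```python
import plistlib

# Registry path from the post (Windows 7 x64, 32-bit iTunes).
REG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes"

# Constructed sample: only the fragment quoted in the post. The nesting
# under "User Preferences" is an assumption for illustration.
SAMPLE_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>User Preferences</key>
  <dict>
    <key>license-agreements</key>
    <dict><key>EA1068</key><true/></dict>
  </dict>
</dict></plist>
"""

def find_key(node, name):
    """Depth-first search for a dict key anywhere in the plist tree."""
    if isinstance(node, dict):
        if name in node:
            return node[name]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_key(child, name)
            if found is not None:
                return found
    return None

def accepted_sla_tokens(prefs_bytes):
    """Return the agreement tokens stored as <true/> (accepted)."""
    agreements = find_key(plistlib.loads(prefs_bytes), "license-agreements")
    if not isinstance(agreements, dict):
        return []
    return sorted(k for k, v in agreements.items() if v is True)

def build_reg_file(prefs_bytes):
    """Build .reg text that sets SLA to the single accepted token."""
    tokens = accepted_sla_tokens(prefs_bytes)
    # Refuse ambiguous input and anything that could break .reg quoting.
    if len(tokens) != 1 or not tokens[0].isalnum():
        raise ValueError(f"expected one alphanumeric token, found {tokens}")
    return "\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{REG_KEY}]", f'"SLA"="{tokens[0]}"', ""])

if __name__ == "__main__":
    print(build_reg_file(SAMPLE_PREFS))
```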

Final registry key from a Windows 7 x64 machine:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apple Computer, Inc.\iTunes]
"SLA"="EA1068"

Let’s wrap up an MST file for easy deployment!

Desktop shortcut

Stops the desktop shortcut from being created.

Go to the InstallExecuteSequence table and set the following:

image

Language / Software Update / Suppress reboot / SLA

Forces the language to English, disables Software Update and suppresses any reboot, as well as allowing the installation to complete by accepting the SLA.

Go to the Property table and set the following:

image

iTunes lockdown and SLA

Locks down any iTunes feature you want and suppresses the SLA prompt. For a full explanation of the Parental Control feature within iTunes you can read the Apple-published article "How to manage iTunes Control features". The suggested value below does some basic lockdown, such as disabling checks for new versions.

Go to the Registry table:

image

Finally a nice clean installation for iTunes!