Enabling User-Level MDM for Macs Enrolled Before PMM v8.7

2 users found this article helpful

Introduction

Parallels Mac Management for SCCM v8.7 introduces support for user-level MDM on macOS 11 Big Sur for the user configuration profile deployment. Starting from version 8.7, all Macs, which will be enrolling in Parallels MDM, will have the user-level MDM enabled by default.

For Macs, which were enrolled in MDM or DEP using any previous version of PMM, additional actions are necessary in order to enable user-level MDM. This article provides step-by-step instructions on how to automate these actions.

Prerequisites

Before following the instructions below, please make sure that:

Enabling User-level MDM for Macs Automatically

User-level MDM for Macs can be enabled automatically using a configuration item with the specific discovery and remediation scripts:

  1. The discovery script will check whether user-level MDM is enabled for the Mac.
  2. If not, then the remediation script will initiate the following actions: 
    • On Macs that were enrolled via DEP: 
      • the MDM profile will be reinstalled without re-enrollment.
      • All installed configuration profiles will stay intact.
      • No user interaction will be required.
    • On MDM-enrolled Macs the re-enrollment will be performed. 
      • The MDM profile will be removed, which will lead to the removal of all configuration profiles installed via MDM. Configuration profiles will be reinstalled on the next evaluation according to their schedule.
      • Then this Mac will be immediately enrolled back to MDM automatically. 
      • On macOS 11.0 and newer the user interaction is required to install the MDM profile back again.
      • On macOS 10.13.4 - 10.15 the user interaction is required to approve the installed MDM profile.
      • On macOS 10.13.3 and older no user interaction is required.

Create a Configuration Item With Scripts for Enabling User-level MDM

  1. In the SCCM Console, navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Items.
  2. Choose the Create Configuration Item action.
  3. On the General page enter the Name of the configuration item, select the type of the configuration item – Mac OS X (custom), and click Next button.  

     
  4. On the Supported Platforms page, leave the Select All option checked, and click Next button. 

     
  5. On the Settings page, click the New... button. 
     
     
  6. In the Create Setting dialog, set the Setting type to Script and the Data type to String. Then click the Edit Script... button in the Discovery script section.

     
  7. In the Edit Discovery Script dialog, click Open... and choose the discover.sh file.
    • NOTE: Because of Unix line endings, the script may look unformatted in the editor. Nonetheless, the script will be saved with the correct line endings when you click OK.
    • Click OK to save the discovery script and close the dialog.
       
  8. Then click Add Script... button in the Remediation script section. 

     
  9. In the Edit Remediation Script dialog click Open... and choose the remediate.sh file.
    • Click OK to save and close the dialog.
  10. Choose the Compliance Rules tab and click the New... button. 
    • In the Create Rule dialog, choose the Equals rule type and Yes as the value. 
    • Set the Run the specified remediation script when this setting is noncompliant checkbox.
    • Then click OK to save and close the dialog.
       
  11. Click OK to save and close the Create Setting dialog.
  12. Then go through the following pages of the Create Configuration Item Wizard, clicking the Next button: 


     
    • Click Close button to complete the creation of the configuration item.

Create a Configuration Baseline for the Configuration Item

  1. In the SCCM Console, navigate to \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines.
  2. Choose the Create Configuration Baseline action.
  3. In the Create Configuration Baseline dialog
    • Enter the baseline name.
    • Add the configuration item to the baseline using the Add button and then Configuration Items action.
    • Click OK to save and close the dialog.
    • Click OK to save baseline and close the dialog.

Deploy the configuration baseline

  1. Choose the baseline created on previous step.
  2. Choose the Deploy action.
  3. In the Deploy Configuration Baseline
    • Use the Browse... button to select a collection of Macs.
    • Use controls in the Schedule section to specify the compliance evaluation schedule. 
      NOTE: We recommend the "Run every day" schedule. Choosing more frequent schedule is not recommended, because it will increase the load on the Parallels Configuration Manager Proxy service. 
  4. Click OK to save and close the dialog.

Remove Deployment When User-level MDM Enabled on All Macs

  1. Use the standard SCCM monitoring capabilities to track the progress.
  2. Remove deployment when all Macs will be compliant with this baseline.

Attachments

The discover.sh and remediate.sh scripts.

Was this article helpful?

Tell us how we can improve it.