Parallels MDM Server changes in Parallels Mac Management v8.5
Beginning with Parallels Mac Management for Microsoft SCCM v8.5, the Parallels MDM functionality has changed. The older Parallels MDM Server component is no longer used. It was split into Parallels IBCM/MDM Proxy (the Internet facing part) and the new Parallels MDM service (the Intranet part). When upgrading to Parallels Mac Management v8.5, you can migrate the existing MDM setup or you can discard it and then re-enroll Mac computers in MDM using the new functionality from scratch. This article describes possible MDM migration scenarios when upgrading to Parallels Mac Management v8.5.
Upgrading Parallels Mac Management
The first and the simplest option is to upgrade Parallels Mac Management to version 8.5 first and then migrate the older MDM setup. To use this option, follow the steps below:
- Upgrade all Parallels Mac Management components to version 8.5, including the installation of the Parallels IBCM/MDM Proxy component. For details, refer to the Parallels Mac Management IT Administrator's Guide.
- When configuring Parallels ConfigMgr Proxy, on the Prerequisite Checks page you should see a warning message saying that MDM data from the previous version of Parallels Mac Management must be migrated to enable Parallels MDM. Read the note and then continue.
- Later on you will have to choose from the MDM migration options:
- Choose the Skip this step and migrate MDM setup later option and click Next.
- Continue configuring the rest of Parallels Mac Management components.
- When you are done with configuration, make sure that Parallels Mac Management is working properly. The MDM functionality will not work at this time (because we skipped the migration step). To enable MDM, the MDM data must be migrated or you can discard it and re-enroll devices in MDM from scratch. Read on to learn how to do it.
Migrate the older Parallels MDM setup
To migrate the older Parallels MDM setup to the new version you will need to perform the following steps (they are described in detail later in this article):
- Create an MDM data migration package.
- Migrate the data to the new version.
- Configure the MDM link.
- Redirect older MDM clients to the new setup.
Create the MDM data migration package
To create the MDM data migration package:
- On the server hosting the upgraded Parallels Configuration Manager Proxy, navigate to the following folder:
  [PMM_PROXY_INSTALLATION_DIR]/mdmservicemigration
- Copy the entire folder to any place on the host where the old Parallels MDM Server is running.
- On the Parallels MDM Server host, open Command Prompt, go to the folder you just copied and run the pmm_collect_mdm_data.cmd file. The file is a script that collects the existing MDM data and saves it as the pmm-mdm-data.package.zip file in the same folder.
- When the package is created, copy it to any folder on the server where the upgraded Parallels Configuration Manager Proxy is installed.
- Migrate the MDM data (see below).
Migrate MDM data to new version
To migrate the MDM data:
- Run the Parallels Configuration Manager Proxy Configuration Wizard.
- Advance to the Prerequisite Checks page. You should see a warning message saying that MDM data from the previous version of Parallels Mac Management must be migrated to enable Parallels MDM.
- On the next page, select the Migrate MDM setup now option.
- Click the Browse button and select the MDM package file (pmm-mdm-data.package.zip) that you created and copied to this server earlier.
- Follow the onscreen instructions and complete the wizard.
Configure the MDM link
To complete the MDM setup:
- Make sure you have installed and configured Parallels IBCM/MDM Proxy.
- Configure the MDM link in the Configuration Manager console.
- For complete instructions, please refer to the Parallels Mac Management IT Administrator’s Guide.
From this point you will be able to enroll devices in the Configuration Manager using new MDM and manage them using MDM functions.
Please note that the older MDM clients will still try to communicate with the older setup because they have the older MDM URL. Continue reading to learn how to redirect the old URL.
Import MDM Service Certificate
For devices to be able to enroll in MDM, you need to import the Parallels MDM service certificate to the certificate store on the Parallels IBCM/MDM Proxy server.
To import the certificate:
- Log in to the computer where Parallels Configuration Manager Proxy is installed and export the certificate named Parallels MDM Service (without the private key) from the Local Computer / Personal store. To export the certificate, open the Certificates snap-in (run the certlm command), then navigate to Local Computer / Personal, locate the Parallels MDM Service certificate, right-click it and choose All Tasks > Export.
- Now log in to the computer where Parallels IBCM/MDM Proxy is installed and import the certificate from the previous step into the Computer / Trusted Root Certificates store. When running the Certificate Import Wizard, select 'Place all certificates in the following store' and choose Trusted Root Certificates in the drop-down list.
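The same export and import can be scripted. The PowerShell below is an added example, not code from Parallels; it exports only the public certificate and compares the thumbprint before the file is placed in the Trusted Root store. It assumes the certificate can be found by "Parallels MDM Service" in its Subject or FriendlyName, and the function names and file path are hypothetical.

```powershell
# Added example, not Parallels code. Run in an elevated PowerShell session.
# Assumption: the certificate is identifiable by "Parallels MDM Service" in its
# Subject or FriendlyName. File paths passed to the functions are hypothetical.

# Run on the Parallels Configuration Manager Proxy server.
function Export-MdmServiceCertificate {
    param([Parameter(Mandatory)][string]$FilePath)
    $found = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -like '*Parallels MDM Service*' -or
        $_.FriendlyName -eq 'Parallels MDM Service'
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one matching certificate, found $($found.Count)."
    }
    # Export-Certificate writes only the public certificate; the private key
    # stays in the Local Computer / Personal store.
    Export-Certificate -Cert $found[0] -FilePath $FilePath -Type CERT | Out-Null
    $found[0].Thumbprint   # record this and pass it to the import step
}

# Run on the Parallels IBCM/MDM Proxy server after copying the .cer file over.
function Import-MdmServiceCertificate {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($FilePath)
    # Refuse a file that was swapped or altered in transit.
    if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate expired on $($cert.NotAfter)."
    }
    # Cert:\LocalMachine\Root is the Computer / Trusted Root Certificates store.
    Import-Certificate -FilePath $FilePath -CertStoreLocation Cert:\LocalMachine\Root
}

# Example calls (hypothetical path):
# $tp = Export-MdmServiceCertificate -FilePath C:\Temp\ParallelsMdmService.cer
# Import-MdmServiceCertificate -FilePath C:\Temp\ParallelsMdmService.cer -ExpectedThumbprint $tp
```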
Redirect older MDM clients to new MDM using Microsoft Internet Information Server (IIS)
As the final step of Parallels MDM migration you have to redirect older MDM clients to new MDM. This can be done using IIS, which must be installed on the old MDM Server host.
To set up IIS for redirection:
- Install the URL Rewrite extension for IIS. The extension can be downloaded from https://www.iis.net/downloads/microsoft/url-rewrite
- Run Internet Information Services (IIS) Manager.
- In the Connections pane, right-click the Sites node and select Add Web Site.
- In the Add Web Site dialog, enter any name (e.g. PmmMdmRedirect).
- In the Physical path box, specify the physical path to use for the website folder (e.g. C:\PmmMdmRedirect - create this folder on the local drive).
- In the Binding group, specify the Type as https and the Port number which you used for incoming Mac connections on the old Parallels MDM Server.
- Select the SSL certificate which was used for configuring the older MDM.
- Click OK to create the custom website.
- In the root folder of the website (C:\PmmMdmRedirect in the example above), put a web.config file with the following content, replacing {new-mdm-server-host} with the actual name of the host where the new MDM server is installed, {new-mdm-server-port} with the Port for Internet connections of the MDM Proxy Link configuration, and {site-code} with the MDM server site code:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rewriteMaps>
        <rewriteMap name="StaticRedirects">
          <add key="/checkin" value="https://{new-mdm-server-host}:{new-mdm-server-port}/ParallelsMacManagement.Mdm/{site-code}?Action=Checkin" />
          <add key="/command" value="https://{new-mdm-server-host}:{new-mdm-server-port}/ParallelsMacManagement.Mdm/{site-code}?Action=Command" />
        </rewriteMap>
      </rewriteMaps>
      <rules>
        <rule name="Redirect rule" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{StaticRedirects:{REQUEST_URI}}" pattern="(.+)" />
          </conditions>
          <action type="Redirect" url="{C:1}" appendQueryString="false" logRewrittenUrl="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
- Start the created website in IIS.
This concludes the MDM migration part.
Discarding the old MDM data
As was said earlier, you also have an option to discard the existing MDM setup (without migrating it). If you choose this option, you can install Parallels Mac Management, including the necessary MDM components, and then re-enroll devices in MDM from scratch. This can be a viable option if you don’t have a lot of devices enrolled in MDM and if re-enrolling them would be simpler than performing the MDM migration described above.
To discard the MDM data:
- In the Parallels ConfigMgr configuration wizard select the Discard the older MDM setup option.
- Follow the onscreen instructions and complete the configuration wizard.
De-enrolling Previously Enrolled MDM Clients using Microsoft Internet Information Server (IIS)
When you choose to discard the older MDM setup as described above, you need to de-enroll existing devices from the old Parallels MDM Server. This must be done before you enroll them using the new Parallels MDM functionality. De-enrolling can be performed using IIS, which must be installed on the old MDM Server host.
To set up IIS for de-enrollment:
- Ensure that the IIS URL Authorization module is installed.
- Create a custom website for de-enrollment.
- Run Internet Information Services (IIS) Manager.
- In the Connections pane, right-click the Sites node and select Add Web Site.
- In the Add Web Site dialog, enter any name (e.g. PmmMdmDeEnrollment).
- In the Physical path box, specify the physical path to use for the website folder (e.g. C:\PmmMdmDeEnrollment - create this folder on the local drive).
- In the Binding group, specify the Type as https and the Port number which you used for incoming Mac connections on the old Parallels MDM Server.
- Select the SSL certificate which was used for configuring the older MDM.
- Click OK to create the custom website.
- In the root folder of the website, put the web.config file with the following data in it:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
- Start the created web site in IIS.
- When the custom website is created as described above, the devices that are currently enrolled in Parallels MDM will try to access it and will get HTTP response status 401 (Unauthorized). As a result, they will discard their MDM profiles, effectively de-enrolling from MDM. A device restart may be required to completely discard the existing MDM profile. Once all of the devices are de-enrolled, you can remove the website.
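Before removing the website, the IIS log of the de-enrollment site shows which clients have already received the 401 response. The PowerShell below is an added example, not code from Parallels; it reads the column layout from the W3C "#Fields:" header and tallies 401 responses per client address. The function name is hypothetical and the log lines are constructed sample data.

```powershell
# Added example, not Parallels code. Tallies clients that received HTTP 401
# from the de-enrollment site, using the W3C "#Fields:" header for column names.
function Get-DeEnrollmentHits {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = @()
    $hits = @{}
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            # The header can change mid-file if logging settings are edited.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line.Trim() -split '\s+'
        # Skip rows seen before any header and rows that do not match it.
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        $ip = $row['c-ip']
        $stamp = "$($row['date']) $($row['time'])"
        if (-not $hits.ContainsKey($ip)) {
            $hits[$ip] = [pscustomobject]@{ ClientIp = $ip; Hits = 0; LastSeen = $stamp }
        }
        $hits[$ip].Hits++
        if ($stamp -gt $hits[$ip].LastSeen) { $hits[$ip].LastSeen = $stamp }
    }
    $hits.Values | Sort-Object ClientIp
}

# Constructed sample log lines (not real traffic).
$sample = @(
    '#Software: Microsoft Internet Information Services 10.0',
    '#Fields: date time c-ip cs-method cs-uri-stem sc-status',
    '2024-01-10 09:00:01 10.0.0.21 PUT /checkin 401',
    '2024-01-10 09:05:12 10.0.0.22 PUT /checkin 401',
    '2024-01-10 09:30:40 10.0.0.21 PUT /command 401',
    '2024-01-10 09:31:02 10.0.0.99 GET /favicon.ico 404',
    'truncated line'
)
Get-DeEnrollmentHits -LogLines $sample | Format-Table -AutoSize

# Against real logs, pass the site's log files instead of $sample, for example:
# Get-DeEnrollmentHits -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC<site-id>\*.log')
```

Several Macs behind one NAT or proxy appear under a single client address, so compare the result with the list of devices enrolled in the old MDM rather than treating each address as one device.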