
Parallels Mac Management: Transition Difficulties



Many sysadmins who work with SCCM would like to manage not only Windows computers but Macs as well. Our product, Parallels Mac Management (PMM), helps with this task. It is an extension for SCCM that lets you control Macs from the familiar System Center console, using already established practices. On the Mac side, our client runs as root, which allows you to fully administer the system. Below the cut is the story of our team leader Timofey Furyaev about the main difficulties we encountered in developing PMM.

Who is this text for?


For anyone who is currently developing products for end users but wants to build a product for small and medium enterprises. And maybe even for the enterprise, who knows?!


We were in this situation six years ago and have accumulated some experience that may be useful to you. It is not so much a recipe as simply a list of problems that you will most likely have to solve. Forewarned is forearmed.

And also for the SCCM system administrator who does not yet know about our wonderful product. There will be a little frank advertising of our product: we love making it, and we love it when people buy it :) And so that you cannot simply skip it (the advertising), I have spread it through the text like spoonfuls of tar in a barrel of honey.

Why we do it


Why are we getting into the corporate segment at all? It's no secret that Parallels has long and successfully been engaged in virtualization of Windows on Macs. The accumulated expertise needed an outlet, in an attempt to bring these two worlds together in terms of system administration.

In many companies, administering a fleet of computers has long been a challenge, and it has been successfully solved by many software solutions, in particular with System Center Configuration Manager from Microsoft. SCCM allows you to manage computers running Windows, and even Linux. But with OS X (now macOS) it somehow did not work out. There are several specialized solutions on the market for centralized management of Macs. But not everyone wants to keep a zoo of such solutions.

We decided to tie the management of Macs to SCCM, so that the admin would not have to relearn, and the company would not have to buy new hardware or upgrade the existing one.



What you need to think about in advance


Anything that can go wrong will go wrong! This is Murphy's immutable law. Apparently, it cannot be avoided. But it is desirable to have at least a list of “nekovs” in order to prepare for it, and to try to think about various things in advance.



(scene from the film Evolution: “cut the leg!”)

About the everyday


The concept of the Minimum Viable Product (MVP) has both its fans and its opponents. If you can write your entire product in six months, then MVP is an empty phrase for you. But in our case a full-fledged product requires many years of work by a large team. You shouldn't spend those years just to find out that you made a mistake in choosing the functionality at the very beginning, and that customers need something other than what you built.

You need to think about what the customers' immediate problems are. Collect them in a pile, then start throwing them out one at a time until only a stub remains, but a still useful one. In our case, we ended up with this set:

Network Discovery - scanning the local network with Nmap to detect Macs that are not (yet) managed and add them to SCCM.

Inventory Reporting - sending inventory reports that contain a lot of useful information: hardware, installed software, etc.

It may seem that two features is not serious, but this is only the tip of the iceberg. Under the water there are also installers for the product components on Windows and Mac, a log rotation system, update checks, a problem report collector that sends reports to a Parallels server, and much more.

We planned to release the first working version 9 months after the start of development. However, the “birth” was delayed by as much as 1.5 years. Then we spent another year on what real users asked for, and not on what we ourselves had initially thought was important and necessary. This is how the installation of application packages and configuration profiles appeared. If instead of 2 features we had started on 20, the first users would have appeared much later.

About prospects





For me personally, this was news: corporate customers buy the prospect. Even if you have far from everything they need, but there is a good plan for several years ahead, your product can already be bought. It sounds encouraging, but there is a downside: you need to have a plan, keep it up to date and, most importantly, fulfill it.

A plan is not just a set of features, it is also the order of their release. It would seem, what could be easier? Take a list of features and ask your customers (or potential customers) to assign a priority number to each. It turned out that this task is unbearable for many clients. They simply gave everything they needed the maximum priority.

And here you have to be creative. But what really disappointed us was beta testing. Things there are really bad. We made several attempts at beta testing among our customers, and they all failed miserably. Although the clients themselves readily declared their desire to test, three “NO”s appeared:

1. Nowhere - preparing and deploying lab test benches takes a lot of time. A test bench can consist of five to ten different virtual machines. It may require a tricky deployment mechanism. There may be fear of rolling back to clean snapshots.

2. Never - to test something, you need to explore the new functionality. It, by definition, may not work as it should. They will have to contact us for help. We are happy to help, but ...

3. No one - nobody has relieved the system administrator of their current work. Well, you understand.

About security


The desire to implement a task more simply and quickly is quite understandable. More often than not it is even correct, but sometimes it goes against information security requirements. And then you have to redo something, or, worse, you end up releasing a product with a security hole. So do not neglect the experience of specially trained specialists, preferably at the design stage.

Somewhere close to security is the question of the confidentiality of the data that you can receive from customers. We have a Customer Experience Program (CEP) subsystem in the product. In short, it sends anonymized statistics on the use of various features, so that we know what customers actually use and what they do not.

There are very few recommendations here:

One episode connected with this system surprised me and finally convinced me of its usefulness. At some point, we really wanted not to bother with supporting older versions of OS X (10.9 and 10.10) when creating a new feature. If you look at the statistics, such Macs should be about 20%. It seemed that, to begin with, we could concentrate on the remaining 80%. But the data from our CEP reports took me aback: 48% is the share of such Macs among our clients. Refreshing, isn't it?!

About manual work


In the beginning, God made testing manual. And everything was pretty smooth: there were few features, few platforms, beauty! It is worth noting that at first we supported only SCCM 2007, only Primary Sites, and Windows Server 2003. Then SCCM 2012, Windows Server 2012 and a new SQL Server came out. Features multiplied: more, still more, a great many. We began to support different kinds of SCCM hierarchy, such as CAS and Secondary Sites.

There were difficulties with deploying test benches. At first, these benches consisted of two virtual machines, and after a short time they grew to 5-7 machines each. And the number of benches quickly exceeded a couple of dozen. It would have been very difficult for us if we had not built a system for automatically deploying test benches from virtual machine templates. Later, this system became part of the automated testing system, and at first it helped a lot with manual testing.

Then developers began to appear on the server intended for testing. Heavy test benches do not really run on a developer machine. It became cramped in terms of both disks and processor cores. I had to buy more processors, memory, disks and additional servers. What should we have thought about beforehand? Perhaps it would have been cheaper to buy servers with the required amount of memory, cores and disks right away than to upgrade them later (old parts cannot always be reused, yet they cost money).

But we did not stop at deploying test benches: we built a distributed auto-testing system that deploys a network of virtual machines, installs the components of our product on them, runs test agents there, and synchronizes their work. It may seem strange, but implementing such a system is not as difficult as finding the time to implement the "handles" in the product itself that this system pulls. Here, as in the joke: no “handles”, no jam.

About hardware

About iron


Every admin now knows about Mobile Device Management (MDM). But probably not everyone knows about a wonderful add-on on top of it, the Apple Device Enrollment Program. Its essence is that when you buy a new Mac, you can specify the requirements for its configuration so that when it is first turned on, even before the user logs in, it will be bound to your system and configured as necessary. And all this will happen automatically.

Support for this functionality appeared in our product relatively recently, in version 5.0. And, of course, it demanded a certain amount of brain activity. But one of the difficulties stood out from the statistics:


About the eternal


I do not know about you, but we never have enough time. Of course, you cannot get more time for yourself, at least not in the literal sense. But you can at least try not to spend it on unnecessary things. We try to throw out as much as possible, so that only the most necessary things remain.

This is not always possible. For example, at the dawn of the project we spent quite a lot of time speeding up the search for Macs on the local network and making this process intuitive. Nobody needed that. The search should just work. The time and effort were simply thrown away.
But we keep trying. And users help us not to get distracted from what is important.

About support and compassionate sales
Any product requires technical support for its users. Or users require support, depending on which side you look from. For a complex product, support is not simple either. What technical support engineers need:



There are people such as sales engineers. They really sell, and really understand the product. And while they seem to have been able to sell from birth, understanding the product takes effort, just as it does for tech support.

In general, we work closely, side by side, with customer support and sales engineers to move in the right direction. We give them presentations, demonstrations and master classes. Time and effort need to be budgeted for this too.

And sometimes we ourselves have to ask colleagues for help. We have a feature for managing FileVault2 encryption on Macs. When testing it on virtual machines, we suddenly hit a problem: after enabling encryption, a Mac needs to be restarted for the encryption to start. After rebooting, the virtual machine “broke down”, because at that time Parallels Desktop did not support FileVault2 encryption in the guest system. I had to ask my colleagues from the Parallels Desktop team to implement it. It is great to have powerful friends!

Total


Actually, it's too early to talk about the outcome. Our product is 6 years old, which is not much for corporate software. During this time we have implemented many useful things:

★ Search for Macs in AD
★ Run scripts on Macs
★ Self-service portal for installing applications
★ NetBoot with Task Sequence support for installing OS X over the network, with many types of steps.
★ Install OS X updates
★ And much more.

We hope that this article will help you simplify the development of your products. If something is not clear, feel free to ask questions in the comments, and we will try to answer them.

Source: https://habr.com/ru/post/328126/

