VMware Fusion
A Practical Guide to Planning, Deploying, and
Managing Windows on the Mac
May 2009
Sponsored by VMware
Mass Deployment of VMware Fusion
318
Section 4.03 Embedding Volume License Key into the VMware Fusion Package
Section 5.04 Modifying the Virtual Machine for Mass Deployment
Section 6.01 Microsoft Tools for Patch Management and Updates
(a) Microsoft Windows Server Update Services
(b) Group Policy
(c) System Center Configuration Management (SCCM)
Section 8.06 Facilitating Managing the VM, Your Macs, and PCs
Section 9.03 Deploying VMware Fusion During the Imaging Process
(a) To create a script to trigger a policy at reboot:
(b) Next, create a policy similar to the one above with the following changes:
(c) Finally, to deploy VMware Fusion when imaging you have two options:
Supporting this reality, a 2008 Yankee Group survey of 750 global IT administrators revealed
that nearly 80% of businesses are managing Macs on their network—up from 47% in the 2006
survey. Even more telling, 21% of respondents noted having more than 50 Macs on their
networks. The ability to run Windows on a Mac is a large part of this, with 50% of the
respondents confirming that they are running Windows on their Macs.
From department-based deployments of Macs, to employee and contractor owned Macs, and
even “Macs as a standard,” deploying Windows on a Mac with VMware Fusion opens the door
to an easier, less complex way of managing Macs in your environment using your existing
Windows application infrastructure.
VMware virtualization is industry-proven, with tens of millions of users worldwide, including 100
of the Fortune 100 and 92% of the Fortune 1000 counted as customers.
The task of simultaneously mass deploying multiple operating systems to a given host can be
an even more complicated endeavor. You still have all the same requirements for the host
operating system, but in most cases you end up doubling the effort required in order to deploy
each subsequent operating system. Then, if you are deploying a system in a Virtual Machine
(VM) you end up also having to factor in specifics for deploying the software used to run and
manage the guest operating system and increased footprint of a second operating system both
in terms of network infrastructure and licensing costs. All of this leads to an increased reliance
on centralized management caused by the sprawl or a higher staff count to deal with support
tickets.
In this paper we will focus on first defining the methods, tools and software packages used for
mass deploying an application in Mac OS X. Once we have defined the tools we will move on
to explaining aspects of deployment that are unique to the VMware Fusion application. Then
we will explain how to deploy a Windows-based VM and various aspects of managing the
actual VM. Once the VM has been deployed we will move into patch management of the VM
itself and end with more advanced topics such as leveraging NetBoot services with VMware.
The second method used is commonly referred to as package based imaging. When you are
using package-based images you push out an image as a collection of .pkg files. Each package
is a part of the overall image, with the first package being the base operating system (also
known as the bare metal installation). For example, the base operating system would be a
package or .dmg file and each piece of software required or preference change would also be
an additional package.
Using a package based approach is more complicated by nature and requires more time to
initially deploy but ends up saving time long-term as subsequent updates to the image require
drastically less effort. With this method, you can push out only the software needed per
workstation and when you need to perform an update to the operating system or a software
component you can choose to either make a new package for the item being deployed or
augment the existing package to include it. A typical way to go about creating a package-based
image might be to use a tool such as Composer by JAMF Software to create your packages and
then the JAMF JSS server to distribute them.
(b) NetInstall
NetInstall is a service that is built into Mac OS X Server. NetInstall can be activated and
configured by opening Server Admin and enabling the NetBoot service. Once enabled you
would add the image and clients can install directly from the image files hosted by the server.
NetInstall can perform any of the pre-flight or post-flight tasks (eg – formatting a drive, installing
a package, etc) that were defined using System Image Utility. NetInstall can be run on Mac OS
X Server.
focus on here is the ability to deploy packages, as would be the case if you already have a
number of systems deployed that you will likely want to deploy a package (or two) as part of
your VMware Fusion mass deployment.
(e) PackageMaker
PackageMaker is a tool used to build packages for Mac OS X. PackageMaker can use
snapshots or files and folders that have been manually selected to create packages.
PackageMaker can also use pre-flight scripts to be run before the files and folders that make up
the package are installed as well as post-flight scripts which can be run following the installation
of the files and folders. PackageMaker does have a slight learning curve and so many of the
third party tools look to ease the transition to creating packages by providing an easier user
interface to get acclimated with.
The Casper Suite has other features, but for the purpose of this paper Composer will be our
focus.
(b) LANrev
LANrev is similar to the Casper Suite. LANrev is a management suite with a component called
InstallEase, which allows an administrator to quickly create packages using snapshots.
InstallEase does not have the granularity that a tool such as Composer has, in regard to the
snapshot process. However, it is freely distributed and so makes a fairly compelling product to
those who do not want to purchase Composer. You can still use packages created through
LANrev’s free InstallEase to deploy the packages through ARD and as post-flight installers
through NetInstall and NetRestore.
(c) NetRestore
NetRestore is a free application from Bombich Software that can be used to perform asr
restores of monolithic images. Additionally, you can have NetRestore run a script (or collection
of scripts) prior to installation or post-installation. One of the core features of NetRestore is now
the ability to partition a drive for both Mac OS X and Microsoft Windows and place a Microsoft
Windows image on that partition. This Boot Camp installation of Windows can then be
accessed using VMware Fusion or using BootCamp.
(d) InstaDMG
InstaDMG is an application that uses a collection of packages to create an automated installer.
Using InstaDMG you can quickly create a monolithic image from a collection of smaller
elements. Therefore, you can continue to use monolithic imaging tools to deploy an image, but
use InstaDMG to generate that image.
(e) Ghost
Ghost is a Windows-centric application from Symantec that can be used to image systems. You
can use Ghost to image Mac OS X using a monolithic image. Ghost can be useful if you
already have plenty of experience with it and wish to image multiple Macs that will dual-boot
between Mac OS X and another operating system using BootCamp. The additional operating
system can then be accessed using VMware Fusion from within Mac OS X.
The VMware Fusion 2 installer is distributed as a package file inside an installer application. As
such, you can use this package to deploy VMware Fusion without customizations. However, if
you are going to customize the application then you may want to create your own package to do
so. Or, if you are going to deploy the software as one package and have a separate license file
you can actually deploy VMware Fusion as two separate packages. By deploying VMware
Fusion as two packages you will not have to replace the license file with each subsequent
update.
First, start off by mounting the VMware Fusion disk image or optical media on the system, which
will show you the introductions screen, as can be seen below:
Click on the Install VMware Fusion icon, which is an application bundle and at the Welcome to
the VMware Fusion Installer screen click on the Continue button, as seen here:
At the Software License Agreement screen, read the license agreement and click Continue as
can be seen below:
This will bring up a dialog box prompting you to accept the license agreement. If you agree with
the licensing terms then click on Agree to continue, as can be seen below:
At the Mount Virtual Disk Support screen you can choose whether to install MacFUSE, as can
be seen below:
If you would like to be able to browse the virtual disks that VMware will create then leave
MacFUSE checked, otherwise you can uncheck it. Click Continue to bring up the Standard
Install on screen. Here, you can change which disk the software will be installed on, or click on
the Install button, as can be seen below to install VMware Fusion into the /Applications folder of
your boot volume.
Once the installation is complete you will be prompted for a license key as seen below. Here,
you will type in your Volume License Master serial number and click on the Continue button.
If you see the Installation Completed Successfully screen, then VMware Fusion will be ready to
open for the first time.
Here you can open the Contents folder and then the Resources folder to see the “Install
VMware Fusion.pkg” file. Copy this package to another location and you will have the
installation package for VMware Fusion.
First, see section 4.0.2 on “Creating the VMware Fusion package” on how to find the VMware
Fusion installation package. You will need this package on a locally available disk in order to
customize it.
To create a VMware Fusion installation package that is bundled with a license file, create a text
file named “license.txt” that contains only the VMware Fusion serial number for your
organization.
Next, you will embed the license file into the VMware Fusion installation package. Browse to
your “Install VMware Fusion.pkg” file and right-click (or control-click) on the copied “Install
VMware Fusion.app” and click on Show Package Contents as seen in the following image:
From here open the Contents folder and then the Plugins folder. In the Plugins folder you will
see a file called licensingPane.bundle. Here, right-click (or control-click) on the file and click on
Show Package Contents as seen below:
Next, browse to the Contents folder and then the Resources folder of the bundle and place your
license.txt file into the Resources folder as can be seen here:
NOTE: Since a .app, .pkg file and a .bundle file are just folders to the command line, you can
also simply copy the file to the correct location from the command line using the following
command (assuming the VMware Fusion installation package is on the desktop):
Using this customized installer package, you can deploy it through Apple Remote Desktop or
whichever patch management solution you prefer and the installer will not ask the end user for a
serial number.
To start, open Composer on the computer you will be installing VMware Fusion on. Then, set
the Look For: field to New and Modified and click on Take Snapshot as can be seen here:
While the snapshot is running do not perform any other tasks. When it is complete, then you
will see the green arrow move to Install and configure your software. At this point, follow the
instructions from Section 3.01 to install VMware Fusion. When you are complete, click back into
Composer and provide a name for the package in the Package Name: field.
Note: You can choose to embed the license key in the installer at this point or capture a base
snapshot one more time after the installation and then insert the license key and then create a
package with just the files pertaining to licensing VMware Fusion.
Once you are satisfied with the name for your installer, click on the Build Package button as can
be seen below:
When you click on the Build Package button, Composer will go through a second lengthy scan. At this
point it will be taking a second snapshot of the operating system and will compare the two
snapshots to produce a list of what the image (.dmg) or package (.pkg) will consist of. When it
is complete you can click on the Verify Contents button to customize what will be a part of the
installer, as can be seen below:
At this point, you will want to remove any extraneous information from the package. Keep an
eye out for any items that are not specific to VMware as configuration files for the computer you
are installing VMware Fusion onto can be captured here. Take extra caution to ensure that you
exclude any machine-specific system configuration files that are not specific to VMware Fusion.
Anything being deployed to /System, /etc or /var warrants particular consideration before
inclusion into your package, with the possible exception of anything that specifically references
VMware or Fusion in the file name. However, pushing out a file that overwrites /etc/authorization,
for example, could cause systems to not accept logins in the future.
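One way to apply the check described above to a list of package contents before building, as an added shell example that is not part of the original paper. The function name `audit_payload`, the one-path-per-line input format and the sample list are assumptions constructed for illustration; exempting any path that mentions VMware or Fusion anywhere (not only in the file name) is a looser reading of the text.

```shell
#!/bin/sh
# Added example: flag captured files that land in /System, /etc or /var and
# do not reference VMware or Fusion, so they get a manual decision.

# Constructed sample of a captured file list (not from a real Fusion package).
sample_payload() {
cat <<'EOF'
./Applications/VMware Fusion.app
./Library/Application Support/VMware Fusion/isoimages
./etc/authorization
./private/etc/hosts
./private/etc/vmware-example.conf
./private/var/db/dhcpclient/leases/en0
./System/Library/Extensions.mkext
./Users/Shared/notes.txt
EOF
}

# audit_payload: read payload paths (one per line) on stdin and print
# "REVIEW<TAB>path" for every entry that needs a closer look.
audit_payload() {
    awk '
    {
        p = $0
        sub(/\r$/, "", p)                 # tolerate CRLF line endings
        sub(/^\.\//, "/", p)              # "./etc/hosts" -> "/etc/hosts"
        if (p !~ /^\//) p = "/" p         # "etc/hosts"   -> "/etc/hosts"
        sub(/^\/private\//, "/", p)       # /etc and /var live under /private
        # Only the three sensitive roots named in the text are of interest.
        if ((p "/") !~ /^\/(System|etc|var)\//) next
        # Assumption: a path that mentions VMware or Fusion belongs to the app.
        if (tolower(p) ~ /vmware|fusion/) next
        print "REVIEW\t" $0
    }'
}

# Demo on the constructed sample.
sample_payload | audit_payload
```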
Once you are satisfied that all of the items for VMware Fusion are listed, and only those items
then click on the Close button and then select a type of installer from the Package Type: field.
This could be a read-only dmg file, a read/write dmg file, a pkg, etc. When you are ready to
save the package, click on the Save To… button and then select a location to save the file. At
this point you have customized your installer. There are several benefits to creating an installer
in this manner.
- One is that you can remove the licensing information from the package and move it into
a separate installer, as described later in this document.
- Another is that you can add a Virtual Machine to VMware Fusion and populate VMware
Fusion’s Virtual Machine Library list prior to taking the second snapshot and pushing out
the package. While this would make your installer larger and provide less flexibility with
regard to how you populate this information, it can be quicker than the alternatives listed
in Article V of this document.
This will bring up the Install Packages screen, as can be seen below. Here, click on the + icon
and select the VMware Fusion installation package created previously. You can use the
standard package or a customized package that includes a master license key if you desire.
Next, select whether you want to restart after the installation using the After installation: field. In
this case there is likely no need to restart. Next, select whether you would like to run the
installer using your system or using a Task Server. Then, select whether to stop the installation
on the target computers if there are any problems in the If a problem occurs: field. Additionally
use the Security: field to select whether or not to encrypt the data and the Network usage: field
to throttle bandwidth if desired. Finally, click on Schedule… to schedule a time for the
installation or Install to install it immediately.
If the installer completed as expected then you will see a message similar to the following just
below the toolbar:
When you are setting up your Virtual Machine there are a few settings that can be useful to help
maximize the performance of your systems.
By default, VMware Fusion’s settings for memory, processors, and hard disk are designed to
balance the needs of performance for both Windows and Mac applications.
In addition to virtual hardware settings, there are additional features to consider enabling:
- Shared Folders
- Mirrored Folders
- Shared Applications
- Printing
- Adding Comment in the Virtual Machine Library
Once your virtual machine is set up the way you desire, next install any desired Windows
applications.
NOTE: If you are using a corporate modified or custom-built Windows XP/Vista installation
media or disk image, you should NOT use Windows Easy Install, which assumes a default
Microsoft provided Windows installation media. Make sure to uncheck “Use Easy Install” in the
New Virtual Machine Assistant in this case and install Windows manually.
After initial deployment, you can leverage a solution such as Microsoft System Center
Configuration Manager (SCCM), LANdesk, or LANrev to deploy additional Windows software to
your Windows virtual machine as you would do with many of the solutions available for Mac OS
X. In other words, the same monolithic versus package based deployment options are
available, just using different solutions to get the job done.
After installing any desired Windows applications, one of the first things you will want to do with
the Virtual Machine is to assign it a new Windows name. This will prevent multiple Virtual
Machines on the network from occupying a conflicting namespace. There are two traditional
ways to rename a system in Windows.
- Sysprep
- Run script on the computer (or in the virtual machine in this case)
The first is to set up sysprep to rename a host as a part of the installation answer file
(sysprep.inf). Sysprep can be downloaded at the following URL:
http://support.microsoft.com/?kbid=838080
Sysprep can automatically assign names to computers. When you run the setupmgr.exe tool,
one of the options will be whether you want to Fully Automate This Install. This setting pertains
to whether you will require someone to manually accept the EULA for Windows. Another option
though, is Automatically Generate Computer Name. Using this option, sysprep will handle
computer naming for you.
The second way is to run a script against the Virtual Machine that renames the computer. For
this, you could use a script as simple as the following, which would change a computer name to
NEWCOMPUTER:
' ------ SCRIPT CONFIGURATION ------
strComputer = "."
strNewName = "NEWCOMPUTER"
' ------ END CONFIGURATION ---------
' Connect to WMI on the target computer ("." is the local machine)
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
For Each objComputer in colComputers
    ' Rename returns 0 on success; report anything else as a failure
    errReturn = objComputer.Rename(strNewName)
    If errReturn = 0 Then
        WScript.Echo "Computer successfully renamed"
    Else
        WScript.Echo "Rename failed with error " & errReturn
    End If
Next
If you save the above script as, for example, rename.vbs then it would rename the machine to
NEWCOMPUTER when run. This script can be saved anywhere on the system (e.g. in a
C:/scripts directory) and then the script itself can later be removed (important if you put any
passwords into the script). You can then take your naming convention and apply its logic
through Visual Basic by changing what the strNewName variable is set to. For example, you
would use something similar to the following to grab the MAC address of a system and then add
it to the end of strNewName to append a MAC address to the computer name:
MACAddress=objAdapter.MacAddress
Scripts to change names and the like can be activated through SysPrep, through startup items
or using the vmrun command. If you wanted to use the vmrun command, for example, you
could create a second package that gets installed after your VMware Fusion package and
Virtual Machine package. In this package you could put a command (or script) that uses vmrun
to open the Virtual Machine and run the renaming script:
vmrun -T ws -gu administrator -gp MyPassword runScriptInGuest "c:\my VMs\myVM.vmx" "c:\Installers\myscript.vbs"
Using the runScriptInGuest (or runProgramInGuest if your script has been compiled or if you’ll
be using an application) that is available through VMware Fusion offers a variety of options not
otherwise available if you were using sysprep. DOS batch files (.bat) will not run using the
runScriptInGuest parameter, but you can invoke Visual Basic scripts through the vmrun
interface (depending on the version, you may need to also specify a path to the interpreter).
This allows you to potentially send variables to the script that contain the desired computer
name, guest password, etc. If you are more comfortable writing scripts for your mass
deployment through Mac OS X scripting tools than you would be scripting through Visual Basic
then you can simply pass the parameters of your script to the client system using a file that is
copied locally or using the positional parameters available with your scripting language. This
added flexibility can be very useful in a deployment scenario where you are not using sysprep.
Rather than use the runScriptInGuest or runProgramInGuest you can also use the workstation’s
built-in auto-login options. These can be altered in the registry by using keys located in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The
keys to enable automatic logon are DefaultUserName, AutoAdminLogon and DefaultPassword.
More Windows centric organizations will want to first rename computers and then bind them into
Active Directory. Binding can be done in the same script or in a separate one. The bind will
typically require another restart after the rename and require not only TCP/IP connectivity to the
network but also valid DNS for Active Directory to work properly. One way to join to a domain
would be to use the JoinDomainOrWorkgroup method with WMI (Windows Management
Instrumentation), as Microsoft describes at the following site:
http://msdn.microsoft.com/en-us/library/aa392154(VS.85).aspx
Finally, there is one other unique identifier associated with each Windows computer that needs
to be updated in Windows. Windows has a Security Identifier, or SID. Even if two computers
have independent network addresses (MAC), if the SID is the same, one won't be able to
access the network as effectively as it would otherwise be able to do. You may use a tool like
NewSID to update the SID of a deployed Windows virtual machine or write a script to do so.
NewSID is available at the following URL:
http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx
These are the basic methods for the deployment of Windows systems. Like the deployment of
Mac systems, this is a full time position in many organizations and therefore there is a wide
variety of information on the Internet and in printed form that is geared to preparing and sharing
information on sysprep and Visual Basic scripting. Many organizations will likely have an
existing infrastructure for their Windows deployments and require little retooling for scripts and
methods to work in a VMware Fusion environment.
Unique Identifiers
Computers have various unique identifiers that serve a similar purpose, and if these identifiers
conflict, they might not be able to communicate with each other. A common identifier is the MAC
(short for Media Access Control) address. Every network adapter has one of these. VMware
virtual machines have another identifier called the UUID - this isn't important to the guest, but is
how Fusion (or other VMware products) keeps track of virtual machines.
These settings are stored in the Virtual Machine's settings file, which is known as the .vmx file.
To take the virtual machine you created and configured earlier and make it applicable for
distribution, you need to edit the virtual machine settings file (.vmx) to remove machine specific
identifiers. Once they are removed, VMware Fusion will create them on first launch on the
deployed computer.
To do this, right click on the virtual machine bundle and select Show Package Contents. Find
the Virtual Machine Settings .vmx file and open it in TextEdit or your favorite text editor.
The aspect of the Virtual Machine that needs to be changed from the VMware Fusion
perspective is to remove lines in this file that localize the Virtual Machine to the system it was
created on.
To do so, remove the lines that begin with the following from the .vmx file that is associated with
each VM you will be deploying:
ethernet0.addressType =
uuid.location =
uuid.bios =
ethernet0.generatedAddress =
ethernet0.generatedAddressOffset =
Shared and Mirrored folders provide great value to your users allowing them to access
documents stored on the Mac directly from Windows. Shared and Mirrored Folders rely on
specific path names to the desired shared directories.
To take the virtual machine you created and configured earlier and make it applicable for
distribution, you need to edit the virtual machine settings file (.vmx) to change absolute paths to
relative paths that will be expanded on first launch on the end user's Mac.
To do this, right click on the virtual machine bundle and select Show Package Contents. Find
the Virtual Machine Settings .vmx file and open it in TextEdit or your favorite text editor.
For example, change the line
sharedFolder1.hostPath = "/Users/pat"
to
sharedFolder1.hostPath = "~"
Once you have made these changes to the virtual machine, do NOT power on this VM. If you
power on the VM, the settings will be reset to user specific settings and will need to be changed
again.
skipAntivirusCheck = "TRUE"
If your policy prevents users from installing the bundled antivirus, you might want to remove the
bundled antivirus image entirely. The antivirus iso is located in /Library/Application
Support/VMware Fusion/isoimages/. You could remove it during the custom packaging steps
described in Section 4.03 and 4.04.
Finally, you will also want to set up the VM to automatically rename the Operating System on
first run and if you are using the Virtual Machine with Directory Services (such as Active
Directory) you may wish to automate the binding process. These options are explored further in
Article V of this document.
Optionally, there are a variety of other options that you can push out by editing your .vmx file.
These include customizing the folder that shared folders points to, enabling and disabling
drives, customizing the number of virtual CPUs, etc. This can be done prior to pushing out the
.vmx file or by using commands to push out changes to .vmx files to workstations through, for
example, Apple Remote Desktop or SSH.
When you are customizing a .vmx file it’s important to remember the following:
• Shared Folders path should be set to a relative path before deployment. This is done by
replacing the paths with “~”, which will be expanded to the full path of the current user on
first launch
• The UUID and MAC address settings that are removed manually will recreate themselves
automatically
• After making the changes above, do NOT launch the virtual machine again as this will
overwrite the settings desired for deployment
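The .vmx edits summarized above, as an added shell example rather than a script from the original paper: `sanitize_vmx` drops the five identifier lines and rewrites a shared-folder path that is a user's home directory to "~", and `vmx_leftovers` lists anything machine-specific that remains. The function names and the sample settings file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: prepare a .vmx settings file for mass deployment.
# Both functions read a file argument or stdin and never modify the input.

# Constructed sample settings file; the values are made up for illustration.
sample_vmx() {
cat <<'EOF'
.encoding = "UTF-8"
displayName = "Windows XP"
ethernet0.present = "TRUE"
ethernet0.addressType = "generated"
uuid.location = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
uuid.bios = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
ethernet0.generatedAddress = "00:0c:29:00:00:01"
ethernet0.generatedAddressOffset = "0"
sharedFolder0.hostPath = "/Users/pat"
sharedFolder1.hostPath = "/Volumes/Projects"
EOF
}

# sanitize_vmx [FILE]: print the settings with machine-specific lines removed
# and home-directory shared folders rewritten to "~".
sanitize_vmx() {
    awk '
    BEGIN {
        keys = "ethernet0.addressType uuid.location uuid.bios"
        keys = keys " ethernet0.generatedAddress ethernet0.generatedAddressOffset"
        n = split(keys, k, " ")
        for (i = 1; i <= n; i++) drop[k[i]] = 1
    }
    {
        eq = index($0, "=")
        if (eq == 0) { print; next }           # not a key = value line
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1);    gsub(/^[ \t]*"|"[ \t\r]*$/, "", val)
        if (key in drop) next                  # recreated on first launch
        if (key ~ /^sharedFolder[0-9]+\.hostPath$/ && is_home(val)) {
            print key " = \"~\""
            next
        }
        print                                  # everything else is kept as is
    }
    # True only for /Users/<name> with an optional trailing slash.
    function is_home(p,   parts, c) {
        c = split(p, parts, "/")
        return (parts[1] == "" && parts[2] == "Users" && parts[3] != "" &&
                (c == 3 || (c == 4 && parts[4] == "")))
    }
    ' "$@"
}

# vmx_leftovers [FILE]: print every line that still ties the VM to one Mac
# or one user; empty output means the file is ready to package.
vmx_leftovers() {
    awk '
    /^[ \t]*(uuid\.(location|bios)|ethernet0\.(addressType|generatedAddress|generatedAddressOffset))[ \t]*=/ { print; next }
    /^[ \t]*sharedFolder[0-9]+\.hostPath[ \t]*=/ && index($0, "\"/Users/") { print }
    ' "$@"
}

# Demo on the constructed sample.
sample_vmx | sanitize_vmx
```

Running `vmx_leftovers` against the .vmx inside the bundle just before packaging also catches a VM that was powered on again after editing.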
To start, install the Mac OS X Developer Tools by inserting your installation media and running
the Xcode Tools installation package. Once installed, open PackageMaker from
/Developer/Applications/Utilities/PackageMaker. At the Install Properties screen, type the name
of your organization with a prefix of com. and choose a minimum version of the operating
system for this package to be able to get installed on, as seen below:
At the next screen, supply a name for your package and choose the drive that the package
contents (the Virtual Machine) will get deployed into.
Click on the cog wheel icon in the lower left corner of the screen and click Add Contents… to
bring up a standard browse window. Here, select the Virtual Machine you would like to deploy
and then click on OK. This will bring you back to your package creation screen where you can
enter the folder you would like the Virtual Machine to be placed into using the Destination: field.
You can also enter a version number in the Package Version: field, as seen here.
You can now click on the Scripts directory and define any postflight actions you would like to
perform, such as populating the VMware Fusion Virtual Machine Library with the deployed VM, as
described in Section 5.06. If you have no further customizations to perform then you can click
on the Build icon in the top left corner of the screen to bring up a screen that allows you to save
a copy of your package to an easily accessible location as can be seen here:
Once you have created your installer package then you can push the package out through
Remote Desktop as mentioned previously or through the patch and configuration management
solution you are using in your environment.
You can read the list of current Virtual Machines accessible by VMware Fusion using the
following command:
The following command will add a Virtual Machine named "Windows XP" to the Virtual Machine
Library (assuming that the Virtual Machine is located at "/VM/WindowsXP.vmwarevm"):
You can also replace an existing list of Virtual Machines in the library by using the following
command:
In the above command we edited the com.vmware.fusion preference by adding an array that
lists the Virtual Machines to be added. By adding additional lines you can create more entries in
your favorites list. An example of another item to place at the end of this command would be to
add a Virtual Machine called Windows Vista that is located at /VM/WindowsVista.vmwarevm
using the following:
In order to deploy this through ARD, Casper, or another app, you would need to generate a new
package with the preferences file. Alternately, you could leave the preferences file in place and
then manually script the addition using your pattern matching commands of choice.
WSUS isn’t just for Windows desktop operating system updates though. WSUS also has
updates for all of the various flavors of Windows Server (and there are a lot of them), Microsoft
Office, Microsoft Forefront, Microsoft Expression and even the Zune. The management for
WSUS is a little more granular than that of the Mac OS X Server Software Update Server.
Products are broken down into categories to ease the administrative burden and updates are
classified so that you can choose which categories to download and which classifications
(Critical, Definition, Security, Updates, Service Packs, etc) to be released without administrative
intervention.
Unless you control all patch deployment from a centralized location, WSUS is a must have for
any sizeable Windows deployment. To obtain WSUS, see the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C8FA2FD1-72F6-4F19-A1B0-F689DAE14BE6&displaylang=en
Information on scripts that can be used to extend WSUS can be found at the following location:
http://www.microsoft.com/technet/scriptcenter/scripts/sus/default.mspx?mfr=true
Policies in Active Directory are pushed out to workstations (and servers) through the use of a
Group Policy Object, configurable through the Group Policy Management Console of Windows
Server. GPOs allow you to push out Windows updates and also to push out updates to installed
third-party software using custom installers (e.g. .msi and .mst files). You can also use the same
framework to push out new installations of Microsoft software and third-party packages. This
allows you to push out a lean guest operating system and then granularly control what software
is installed from a central location; think package based management.
To open the GPO Editor, click Start, click Run, and then type gpedit.msc. You will now see
two sections, Computer Configuration and User Configuration. Computer
Configuration controls global settings such as password policies and Log on Locally, as can be
seen below:
The User Configuration will show a folder called Administrative Templates. Open this and you
will see Windows Components, which are Windows XP applications, such as Terminal Services
(RDC), Windows Media Player, Windows Update, Windows Explorer, etc. An example of
setting these policies is to use the Windows Media/Playback/Prevent Codec Download policy to
prevent the downloads of Windows Media Player Codecs. Start Menu and Taskbar can be
used to configure settings in the Start Menu and taskbar (seems pretty straightforward, right?).
For example, you can use the Remove Run Menu from Start Menu policy to configure the system not
to show a Run dialog box in the Start Menu. Other things you can do here include locking
the taskbar, showing users the classic Start Menu, disabling the history of recently opened
documents, or removing Run/My Pictures/My Music/My Network Places/Favorites from the Start
Menu.
User Configuration also allows you to configure the Desktop using the Desktop subfolder. For
example, the Properties dialog box can be removed from My Documents, My Computer or
Recycle Bin. Or you could remove My Computer, My Documents or Recycle Bin from the
desktop completely. You can also block users from adjusting desktop toolbars or hide the
Network Places and/or Internet Explorer Icon on the desktop.
User Configuration is also where you can allow or disallow specified groups of users access to
the Control Panel using the Control Panel sub-set of folders. Control Panel not only includes
the Control Panel but also includes Printing, Language, Add/Remove Programs, etc. You can
limit which Control Panel items are displayed to end users or just prohibit any users from
accessing any Control Panels. You can also perform more finely grained access control for
certain Control Panel items. For example, you can allow a user access to the Display Control
Panel and allow them to enable a Screen Saver there but disable the ability to change the
wallpaper. You could also force a password to wake a system from Screen Saver mode.
The Add or Remove Programs sub-folder will allow you to limit users from being able to install
software or allow you to limit certain options within the software installation wizard. Through the
Printers sub-folder you can limit whether a user can add or delete printers, or limit them from
being able to browse to printers. Shared Folders can be used to disable a user's ability to share
folders. Network can be used to limit users from changing TCP/IP, NIC or other items that
involve the network stack. Network can also be used to set offline file caching settings. System
has a number of settings that can be configured, including profile quotas (under User Profiles),
login script behavior (under Scripts), Task Manager and computer locking (under Ctrl+Alt+Del
Options), the ability to start programs at login (under Logon), GPO controls such as refresh
intervals (under Group Policy - although many of these will not be enforceable if you are not
using a domain) and finally Movie Maker and HTTP printing (using Internet Communications).
There are a lot of policies. If you're curious about what a specific policy will do then you can use
the Extended view (by clicking on Extended on the bottom navigation bar). Using the Extended
view, system requirements (version of Windows, etc) will be listed and a description of what the
policy will do will be displayed on the left hand side of the screen. If you are comfortable with
what a policy will be doing, you can double-click on the policy and configure the settings for it.
Options in poledit.exe for Computers include a variety of settings. One of the more important
here is the Local Computer->Network->System Policies Update->Remote Update which can be
used to identify where the system will be getting policy updates and how they will be updated.
To set/create the policy file (Ntconfig.pol), first remove all #if version and #endif statements from
the System.adm, Inetres.adm and conf.adm files on the local workstation in order to prevent the
unintended loading of these files by the Poledit.exe tool. This isn’t absolutely necessary.
Next, save your policy settings as Ntconfig.pol. Save the file to the Netlogon share of the
Windows NT 4.0 domain controller. But, what if you do not have a Netlogon share or a
replication service to replicate between shares? In that case, create the share by adding the following
lines to your SMB config:
[netlogon]
comment = Network Logon Service
path = /path
guest ok = Yes
browseable = No
# If you have problems, try adding the following line
# acl check permissions = no
In the above, replace /path with the actual directory on your server where you will store the
data. This directory needs to allow everyone read-only access and be accessible by all
hosts that will be controlled using these policies. Copy the ntconfig.pol file into this directory
and the policy will be pushed out to the local Windows workstations that are bound
to the PDC.
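The read-only requirement above can be checked mechanically. The following audit is an added example, not part of the original guide: it reads the [netlogon] section of an smb.conf, folds Samba's parameter synonyms, and inspects the permissions on the share directory and the policy file. The function names and the smb.conf location in the usage comment are assumptions.

```bash
#!/bin/bash
# Added example (not from the guide): audit the guest-readable [netlogon]
# share that distributes ntconfig.pol. Function names are illustrative.

# Print three lines for the [netlogon] section: path, read-only (1/0), guest (1/0).
# Samba ignores case and spaces in parameter names; writable/writeable/write ok
# are inverted synonyms of "read only", and public is a synonym of "guest ok".
netlogon_settings() {
    awk '
        function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        BEGIN { ro = 1; guest = 0 }      # Samba defaults: read only = yes, guest ok = no
        /^[ \t]*[#;]/ { next }           # skip comment lines
        /^[ \t]*\[/ {
            s = tolower($0); sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            insec = (s == "netlogon"); next
        }
        insec && index($0, "=") > 0 {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == "path") path = v
            else if (k == "readonly") ro = truthy(v)
            else if (k == "writable" || k == "writeable" || k == "writeok") ro = !truthy(v)
            else if (k == "guestok" || k == "public") guest = truthy(v)
        }
        END { printf "%s\n%d\n%d\n", path, ro, guest }
    ' "$1"
}

# The nine permission characters reported by ls, e.g. rwxr-xr-x
mode_bits() { ls -ldn "$1" | cut -c2-10; }

# audit_netlogon SMB_CONF: prints one line per finding, returns 0 only if clean.
audit_netlogon() {
    local conf="$1" out path ro guest pol target bits findings=0
    out="$(netlogon_settings "$conf")"
    path="$(printf '%s\n' "$out" | sed -n 1p)"
    ro="$(printf '%s\n' "$out" | sed -n 2p)"
    guest="$(printf '%s\n' "$out" | sed -n 3p)"

    if [ -z "$path" ]; then echo "no [netlogon] path defined"; return 1; fi
    if [ "$guest" = 1 ] && [ "$ro" = 0 ]; then
        echo "share is guest-accessible and writable: any host could replace the policy"
        findings=$((findings + 1))
    fi
    # Windows clients are case-insensitive, so match the file name that way too
    pol="$(find "$path" -maxdepth 1 -type f -iname 'ntconfig.pol' 2>/dev/null | head -n 1)"
    if [ -z "$pol" ]; then echo "ntconfig.pol not found in $path"; findings=$((findings + 1)); fi

    for target in "$path" "$pol"; do
        [ -e "$target" ] || continue
        bits="$(mode_bits "$target")"
        case "$bits" in
            ????w????|???????w?) echo "$target is writable by group or other ($bits)"
                                 findings=$((findings + 1)) ;;
        esac
        case "$bits" in
            ??????r??) ;;
            *) echo "$target is not readable by everyone ($bits)"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage (path is an example): ./audit_netlogon.sh /etc/samba/smb.conf
if [ "$#" -eq 1 ]; then audit_netlogon "$1"; fi
```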
Options in poledit.exe for users include policies dealing with Control Panels (restrict access to
display), Desktop (wallpaper and color scheme), Shell (Start Menu controls and Network
Neighborhood controls), System (Run Dialog), Windows NT Network ($ hidden shares),
Windows NT Printers (beeps and priorities), Windows NT Remote Access (dialup networking),
etc.
One final way to manage policies is through the login scripts option available to Windows
workstations that log into your PDC. Using the login scripts you could script the import of a
policy and apply it to the user or computer using gpupdate.exe.
If you are already familiar with Windows scripting then we would also recommend getting
prepared to learn as much shell scripting and AppleScript as possible. This will only help you to
further automate your deployment. However, if you are already familiar with scripting for the
Mac then we would recommend that you familiarize yourself with WMI and Visual Basic to help
automate Windows-oriented tasks.
In many environments where multiple operating systems are presented to end users,
organizations will attempt to unify the environment that is presented to their users. For
example, using a combination of features within VMware Fusion and GPOs you can allow your
users to see the same Documents folder whether they are in Windows or Mac OS X and then
synchronize this folder with your servers using Mobility or have the folder live on the server
using Network Home Folders. You can also synchronize other directories or use aliases,
symbolic links, shortcuts, etc. to unify the environment. However, this is an area that requires
extensive planning and testing as small GPO policy changes or changes to features within a
product can cause profound differences in how the data is presented to the user, potentially
jeopardizing the perception of your entire deployment.
Finally, the additional footprint of multiple operating systems will establish a greater need for
security for your environment. It is strongly recommended that considerations for how to secure
each operating system en masse be handled separately and be well thought out. Training is
essential to making sure that your environment is as secure as possible. This extends beyond
the operating systems in use and into each application that is deployed.
About 318:
About VMware:
VMware (NYSE: VMW) is the global leader in virtualization solutions from the desktop to the
datacenter. Customers of all sizes rely on VMware to reduce capital and operating expenses,
ensure business continuity, strengthen security and go green. With 2007 revenues of $1.3
billion, more than 120,000 customers and nearly 18,000 partners, VMware is one of the fastest
growing public software companies. Headquartered in Palo Alto, California, VMware is majority-
owned by EMC Corporation (NYSE: EMC) and on the web at www.vmware.com.
This appendix describes an alternative workflow to deploy VMware Fusion using LANDesk
Management Suite. The entire section is provided and copyrighted by Avocent Corporation.
VMware Fusion enables users to experience the best of both Mac and Windows worlds.
Unfortunately, IT teams often lack the means to deploy and manage these guest operating
systems easily and effectively. However, Avocent’s LANDesk Management Suite not only
extends your deployment and management capabilities to VMware Fusion guest operating
systems, it enables you to control your entire environment of Macs, PCs, and other platforms
from a single centralized workstation console.
The following sections of the document provide insights on how LANDesk can help you
accomplish this, enabling you to end up with a Mac that is completely manageable from the
LANDesk console, and a Windows guest operating system or virtual machine (VM) running on
the same machine that is completely manageable from that same console as well. These
sections will direct you through how LANDesk Management Suite can help you easily automate
and execute the following main steps:
Figure 1- With the LANDesk agent installed, Mac devices can be easily managed from the LANDesk console
Before you deploy VMware Fusion, you must obtain a distribution package for the application.
You can use the package file provided by VMware, or you can create a custom one using
LANDesk Management Suite. In either case, refer to section 4.02 of this guide for details on
how to obtain the package, as well as how to embed the VMware Fusion license keys into the
package. To facilitate package creation, you should copy the package files to your LANDesk
core server into the directory /ldlogon/mac/.
To create a package file from within the LANDesk console, simply click Tools | Distribution |
Distribution Packages and select New Macintosh package. The LANDesk interface makes it easy
to specify the files and settings necessary to successfully install the package, including any
dependencies, prerequisites, command-line parameters, or additional files needed for the
install. Once you’ve created a VMware Fusion distribution package in LANDesk, it is compressed
and stored in the LANDesk core server database where it can be easily accessed for
deployment.
Figure 2 - VMWare Fusion distribution packages can easily be created with LANDesk
The Microsoft Setup Manager utility (SETUPMGR.EXE) creates the SYSPREP.INF answer file
that Sysprep uses for the images you deploy. After you sysprep your image, you need to zip the
resulting files and copy them to the /ldlogon/mac/ directory on your LANDesk core server. Then
to create the distribution package, once again you select New Macintosh package from Tools |
Distribution | Distribution Packages from within the LANDesk console and then browse to the
location of the zipped Windows VM image.
Figure 3 - LANDesk facilitates the creation of distribution packages for sysprep'd Windows VM images
Note: If you’re not familiar with sysprep, you can find more information on it at
http://support.microsoft.com/?kbid=838080, as well as in section 5.03 of this guide. The
LANDesk Management Suite user documentation also has information on how to use sysprep in
conjunction with deploying Windows images.
You can create the script using the vi editor on Mac OS X. (Note: You cannot create the script
with a text editor in Windows or DOS because the LANDesk Mac agent won’t be able to
interpret it correctly). The script you create might look something like the following (please note
that the format wrapping is due to the document and is not the way the script should be written):
#!/bin/bash
# Most recent console user; the VM is copied into this user's Documents folder.
lastUser=$(last -t console -1 | awk '{print $1}')
vmrun="/Library/Application Support/VMWare Fusion/vmrun"
vmx="/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx"
hostAgent="/Users/${lastUser}/Documents/XPAgent.exe"
guestAgent="c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"

# Copy the VM out of the LANDesk cache and start it.
cp -r "/Library/Application Support/LANDesk/sdcache/XP" "/Users/${lastUser}/Documents/Virtual Machines"
"$vmrun" start "$vmx"

# Copy the agent installer into the guest, run it, then delete it from the guest.
"$vmrun" -gu Administrator -gp AdminPW copyFileFromHostToGuest "$vmx" "$hostAgent" "$guestAgent"
"$vmrun" -gu Administrator -gp AdminPW runProgramInGuest "$vmx" "$guestAgent"
"$vmrun" -gu Administrator -gp AdminPW deleteFileInGuest "$vmx" "$guestAgent"
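In this script, the -gu and -gp parameters are, respectively, the admin username and password
for the Windows VM. These must be valid credentials, or the script will not be able to
authenticate and run its commands in the guest. Because the password is stored in the script
in clear text, restrict who can read the script and the distribution package that contains it.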
This script line simply tells the file XPAgent.exe to run. Since installing the agent requires
administrator rights, the script must supply the appropriate Windows administrator credentials
for the VM. Once the agent is installed, the Windows VM will appear in the LANDesk console as
a device that can now be managed.
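A variant of the agent-install steps from the script above with per-step failure handling, as an added example that is not part of the original guide or LANDesk's own code. The function names, return codes, VMRUN override and the separate password file are assumptions; the vmrun sub-commands and the -gu/-gp options are the ones the script above uses.

```bash
#!/bin/bash
# Added example: copy, run and remove the agent installer in the guest,
# stopping on failure and always cleaning up. Names here are illustrative.

# Path taken from the script above; override VMRUN if vmrun lives elsewhere.
VMRUN="${VMRUN:-/Library/Application Support/VMWare Fusion/vmrun}"

# Succeeds only if the file exists and grants nothing to group or other.
# ls -ln prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
is_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ln "$1" | cut -c5-10)" = "------" ]
}

# install_guest_agent VMX HOST_INSTALLER GUEST_PATH GUEST_USER PASSWORD_FILE
# Returns: 0 success, 2 password file missing or readable by others,
#          3 copy into guest failed, 4 installer failed, 5 cleanup failed.
install_guest_agent() {
    local vmx="$1" host_file="$2" guest_file="$3" guest_user="$4" pw_file="$5"
    local pw rc=0

    # Keep the guest admin password out of the script and the package;
    # refuse to run if the file holding it is readable by other accounts.
    is_private_file "$pw_file" || return 2
    pw="$(head -n 1 "$pw_file")"

    # vmrun still takes the password as an argument, so it is visible in the
    # process list of the Mac for as long as each command runs.
    "$VMRUN" -gu "$guest_user" -gp "$pw" copyFileFromHostToGuest \
        "$vmx" "$host_file" "$guest_file" || return 3

    "$VMRUN" -gu "$guest_user" -gp "$pw" runProgramInGuest \
        "$vmx" "$guest_file" || rc=4

    # Remove the installer from the user's desktop even if the install failed.
    "$VMRUN" -gu "$guest_user" -gp "$pw" deleteFileInGuest \
        "$vmx" "$guest_file" || { [ "$rc" -ne 0 ] || rc=5; }

    return "$rc"
}

# Runs only when the script is called with all five arguments.
if [ "$#" -eq 5 ]; then install_guest_agent "$@"; fi
```

A non-zero exit status gives the distribution task something to report, whereas the original sequence continues past a failed step.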
Figure 4 - LANDesk lets you create custom deployment tasks that leverage scripts
To do so, click the Create software distribution task toolbar button under Scheduled task. Then,
from the Distribution package page, you can select a Preliminary (#1) distribution package, a
Main (#2) distribution package, and a Final (#3) distribution package. For Preliminary
distribution you’ll use the VMware Fusion distribution package you created. The Main
distribution package will be the one you created for the Windows VM image. The Final
distribution package will be the package containing the scripts.
After you select the distribution packages, you need to select a delivery method for the task,
which can be any of the following:
• Push - The LANDesk core server immediately deploys and installs the packages onto the Mac, or to
multiple Macs using multicast.
• Policy - When managed devices check in with the core server, the packages are automatically
installed according to the policies that you define.
• Policy-supported push – Immediately pushes out the distributions according to the policies you
define.
• Multicast – Enables the packages to be deployed simultaneously to multiple managed devices in a
manner that minimizes network bandwidth consumption.
At this time you can also specify the devices that need to receive the distribution packages and
when the task should run, which can be immediate or at a later date. Also, if you don’t want to
specify the target devices at this time, you can simply save the distribution task for now.
If you look at the properties of the distribution task in the LANDesk console, it will likely appear
similar to the following:
Figure 5 - LANDesk lets you create a single distribution task that uses multiple distribution packages to
seamlessly install VMWare Fusion, copy and load your Windows VM image, and install the LANDesk agent
into your Windows VM environment
When you’re ready to execute the distribution task, you can simply drag the targeted managed
Mac or Macs onto the task in the Scheduled tasks window, and then schedule the task for
deployment. In just minutes from when it is deployed, VMware Fusion will be installed, the
Windows VM will be loaded, and the LANDesk agent will be installed into the Windows VM
environment, enabling you to easily manage both its Windows VM and Mac environments from
the LANDesk console.
Figure 6 - LANDesk not only facilitates the deployment of Windows VMs, it facilitates management of Mac,
Windows VM, and Windows environments
Note: In addition to being able to deploy VMware Fusion as a software distribution package,
you can leverage LANDesk to simplify the creation and deployment of OS images for mass
distribution to your Macs. For details on how to properly include an installed version of VMware
Fusion in OS images for mass distribution, refer to section 4.01 of this guide.
Section 8.06 Facilitating Managing the VM, Your Macs, and PCs
While LANDesk Management Suite can help you automate the deployment of the VMware
Fusion Windows environment onto your Macs, its capabilities don’t stop there. Once the
Additionally, the following elements of the LANDesk solution cater specifically to the needs of
organizations that plan to install Apple hardware with the intent of running Microsoft Windows as
VMware Fusion guests on those machines:
Remote Control
• Remote control enables remote problem resolution and maintenance with high render rates and low
latency.
• Update user systems from your platform of choice, as the Mac remote control client allows you to
update from a PC or a Mac.
Windows Client
• LANDesk provides similar functionality for Windows platforms (physical and virtual) as it does for the
Mac.
From OS deployment through remote control, patch management, software distribution and
software license monitoring, LANDesk provides you comprehensive management of your Mac,
Windows, and guest Windows environments. For more information, please visit
www.landesk.com or call 1-800-982-2130.
Copyright © 2008, Avocent Corporation. All rights reserved. Avocent, LANDesk and Touchpaper and their respective logos are
among the registered trademarks or trademarks of Avocent Corporation, its subsidiaries or its affiliated companies in the United
States and/or other countries. *Other brands and names are the property of their respective owners.
Article IX. Appendix: Deploying VMware Fusion 2 with JAMF Casper Suite
This appendix describes alternative workflows to deploy VMware Fusion using JAMF Casper
Suite. The entire section is provided and copyrighted by JAMF Software.
Once you have created the necessary packages, you can now easily deploy the VMware Fusion
application, settings, and Virtual Machines to Macs on your network using the Casper Suite.
Casper offers four primary methods of distributing VMware Fusion to your managed Macs, all of
which can be enabled at the same time:
The Casper Remote application can be used to immediately deploy VMware Fusion and
associated Virtual Machine(s) to your managed Macs. This method is best for an immediate
deployment. However, it will overwrite any existing VMware Fusion installation and also
requires the target system to be connected to the network.
1. Launch Casper Remote and authenticate to your JAMF Software Server (JSS).
2. In the Computers tab, select the target systems to which VMware Fusion will be deployed.
3. In the packages tab, select the VMware Fusion installer package, the VMware Fusion
settings package, and the Virtual Machine you wish to deploy.
4. Ensure that the VMware Fusion settings package has the options selected to “Fill User
Templates (FUT)” and “Fill Existing User Home Directories (FEU)”.
Policies allow you to automatically install VMware Fusion along with a Virtual Machine onto a
specific group of computers based on a certain trigger such as startup, login, or a particular
timed event such as a known maintenance window.
8. Click the Scope tab and choose which computers, groups, departments, or buildings will
receive VMware Fusion. It is highly recommended that in addition to a department or
building you also scope the policy to a specific Smart Computer Group that is set to the
minimum hardware requirements and disk space required for VMware Fusion. If
necessary, limit the installation to a particular network segment. For example, you could
exclude your wireless or VPN network segment to only allow the installation when the
client system is physically plugged into the network.
9. In the packages tab, click “Add Package” and choose the Install action for the VMware
Fusion installation package, the settings file, and at least one Virtual Machine.
10. Click “Add Package(s)” to add the packages to the policy.
11. Ensure that the VMware Fusion settings package has the options selected to “Fill User
Templates (FUT)” and “Fill Existing User Home Directories (FEU)”.
13. Click the Save Policy button at the bottom of the browser window.
When a client meeting the scope criteria (group membership, network segment, department,
etc) checks in with the JSS on the specified trigger, it will automatically pull down the VMware
Fusion packages and log the action to the JSS when the installation is complete.
VMware Fusion can be deployed when a Mac is imaged with Casper Imaging. However, the
VMware Fusion installer can only be run when the computer is booted off the primary drive. To
automate this process you will need to create a script to call a policy as soon as the computer
reboots. This ensures VMware Fusion is installed on the correct drive and still allows the
imaging process to be automated.
1. In TextEdit, create a new file called “FirstBoot.sh” containing the following lines:
#!/bin/bash
(b) Next, create a policy similar to the one above with the following
changes:
1. In the General tab, set the Triggered by: drop down menu to “other” and enter “firstboot” in
the run action field.
2. In the Execution Frequency drop down menu, choose “Ongoing” to allow the option to
install VMware Fusion again if the computer is ever re-imaged.
3. In the Scope tab, you can choose “Assign to All Computers” as the deployment will be
specified with a configuration in Casper Admin or at image time with Casper Imaging.
(c) Finally, to deploy VMware Fusion when imaging you have two
options:
1. Drag the FirstBoot script into the desired configuration in Casper Admin so as to be
automatically applied to any Mac imaged with that configuration.
OR
2. When using the Casper Imaging application, click the Scripts tab and select the FirstBoot
script. Ensure it is set to run At Reboot.
By configuring a policy to be triggered by Self-Service, your users can install VMware Fusion
and Virtual Machines on demand without assistance from IT. This offers the flexibility of also
allowing the users to choose exactly when the installation will occur, as well as allowing them to
reinstall a corrupt Virtual Machine or upgrade to a new one.
(a) Create a Self Service policy for the VMware Fusion application:
8. Click “Scope” and choose which computers, groups, departments, or buildings will receive
VMware Fusion. You will still want to make special note of the scoping options to
ensure only appropriate computers are able to install the software.
9. Click “Self Service” and choose Allow this Policy to be used for Self Service.
10. Enter a brief description of the VMware Fusion application along with the current version you
are deploying.
11. Click “Choose File...” and locate an icon to represent VMware Fusion. This icon can be a
PNG, JPEG, or ICNS file. (You can find the actual icon file in /Applications/VMware
13. In the Packages tab, click “Add Package” and choose the Install action for the VMware
Fusion installation package and settings file.
14. Click “Add Package(s)” to add the packages to the policy.
15. Ensure that the VMware Fusion settings package has the options selected to “Fill User
Templates (FUT)” and “Fill Existing User Home Directories (FEU)”.
16. In the Advanced tab, check the box next to “Update Inventory (Recon)”.
(b) Create a Self Service policy for a VMware Fusion Virtual Machine:
8. Click the “Scope” tab and choose which computers, groups, departments, or buildings will
receive the Virtual Machine. You will still want to make special note of the scoping
options to ensure only appropriate computers are able to install the software. If you
are deploying a Virtual Machine that requires a specific version of VMware Fusion,
be sure to consider that selection criteria in the Smart Computer Group along with
available disk space. If you are introducing a new virtual machine to your
environment, you can simply create a Smart Computer Group containing only those
computers that have VMware Fusion already installed.
9. Click Self Service and choose Allow this Policy to be used for Self Service.
10. Enter a brief description of the Virtual Machine you are deploying.
11. Click “Choose File...” and locate an icon to represent the virtual machine. This can be in the
format of a PNG, JPEG, or ICNS file. Upload the selected file and you will be returned to the
Self Service tab.
12. If you would like this policy to appear on the first page presented to the user when they
launch the Self Service application, click the box next to “Feature this Policy on the Main
Page”. Otherwise choose “Display” and/or “Featured” for the policy to appear in the VMware
Fusion category inside the Self Service application.
13. In the Packages tab, click “Add Package” and choose the Install action for the Virtual
Machine.
14. Click “Add Package(s)” to add the packages to the policy.
When users launch the Self Service application, they will be presented with the VMware Fusion
and Virtual Machine policies and can install them without local administrator rights to their
computer.