Locking down Parallels after it's already deployed

catfeetstop
Contributor II

Good Day All,

So we already have Parallels Desktop Business Edition deployed to a number of our clients but when it was deployed none of the settings were locked down. Our users are not admins but currently they can still create virtual machines as they please. I want to change the settings in Parallels to only allow administrators to have the ability to create new VMs and add existing VMs. Basically, I want to check all of these "Require Password" boxes on:

I found this older script on the Parallels website and I am able to modify it to do what I want, sort of. Here's the script I'm working on:

#!/bin/bash

vmdirectoryfile="/Library/Preferences/Parallels/vmdirectorylist.desktop.xml"
  #Locking Snapshots
  stringA='<CommonLockedOperations dyn_lists="LockedOperation"/>'
  stringB='<CommonLockedOperations dyn_lists="LockedOperation">
  <LockedOperation>24</LockedOperation>
  <LockedOperation>8</LockedOperation>
  <LockedOperation>7</LockedOperation>
  <LockedOperation>44</LockedOperation>
  </CommonLockedOperations>'
  #sed -iE 's|$stringA|$stringB|g' $vmdirectoryfile #Locking down
  perl -pi -w -e "s|$stringA|$stringB|g;" $vmdirectoryfile
#   stringA="<LockedSign>0</LockedSign>"
#   stringB="<LockedSign>1</LockedSign>"
#   sed -i -e "s|$stringA|$stringB|g" $vmdirectoryfile

Basically, I'm able to do the find and replace going from stringA to stringB. The problem is that this will only work if the XML file doesn't already have any LockedOperations set. Some of our users might already have some LockedOperations. I need a way to always replace whatever they might already have set with what I want to be set. Does that make any sense?

Does anyone have any clues? I need some sort of wildcards and need a way for sed or perl to work with newlines.

1 ACCEPTED SOLUTION

catfeetstop
Contributor II

I figured it out. This has been tested on Parallels Desktop version 11. I'll test it on other versions soon. If anyone is interested, here you go:

#!/bin/bash

# location of the XML file with the preferences to lock down
vmdirectoryfile="/Library/Preferences/Parallels/vmdirectorylist.desktop.xml"

# variables containing items to change
stringA='<CommonLockedOperations dyn_lists="LockedOperation"/>'
stringB='<CommonLockedOperations dyn_lists="LockedOperation">
        <LockedOperation>24</LockedOperation>
        <LockedOperation>8</LockedOperation>
        <LockedOperation>7</LockedOperation>
        <LockedOperation>44</LockedOperation>
    </CommonLockedOperations>'
stringC='<CommonLockedOperations dyn_lists="LockedOperation">'

# Exit Parallels if it's currently open
osascript -e 'tell application "Parallels Desktop" to quit'
sleep 10

# If nothing is currently locked down then lock it down
if grep -q "$stringA" "$vmdirectoryfile"
then
    echo "nothing is currently set, setting it now"
    perl -pi -e "s|$stringA|$stringB|g" "$vmdirectoryfile"
fi

# If something is currently locked down then lock down our specific settings
# (-0 makes perl read the whole file at once so .*? can span newlines;
# $stringC supplies the opening tag with its quoted attribute intact, which
# bare double quotes inside the double-quoted perl expression would lose)
if grep -q "$stringC" "$vmdirectoryfile"
then
    echo "something is currently set, adding our locked settings"
    perl -i -p0e "s|$stringC.*?</CommonLockedOperations>|$stringB|s" "$vmdirectoryfile"
fi

# Makes sure the padlocks are locked
# (macOS sed takes a backup suffix after -i; '' means no backup file is left behind)
stringA="<LockedSign>0</LockedSign>"
stringB="<LockedSign>1</LockedSign>"
sed -i '' -e "s|$stringA|$stringB|g" "$vmdirectoryfile"

sed -i '' -e "s|<LockedSign>0</LockedSign>|<LockedSign>1</LockedSign>|g" /Library/Preferences/Parallels/dispatcher.desktop.xml


3 REPLIES

bpavlov
Honored Contributor

@catfeetstop Life sure is funny sometimes. I happen to be doing some research on deploying virtual machines. I was naturally leaning towards VMware Fusion because I've deployed it before and it works. But then I read this thread and didn't even know such a feature existed. I checked and nothing like it comes up for Fusion so now I'm going to evaluate Parallels. VMware should really add this. Like you, I want to deploy this VM but I don't want end users (who don't have admin rights on their machine to begin with) to use the VM as a way around admin access (the user in the VM will not have admin access either). So this is a really neat enterprise-friendly feature. Thanks for sharing and answering your thread.

catfeetstop
Contributor II

@bpavlov I bet you can do something similar with Fusion though I've never tried. It seems like most things you do in an application's preferences write to a text/xml file somewhere on the computer. If you can find those files then you can probably write a script to edit those files with the settings you want. I was able to hunt down these text files using the fs_usage command in the terminal. Not sure if you've ever used fs_usage but it's kind of similar to the old fseventer app. Very handy stuff. Good luck with things!