Skip to main content
Question

Managing User VMs

WilsonFredonia
Forum|alt.badge.img+4

Hello all,

We are exploring solutions to allow some of our end users to have a local VM (on their daily Mac) that allows them almost full control. The key things we need are:

  • User cannot copy and paste, or file transfer directly between the VM and their daily Mac.
  • Network will be connected to a DMZ through a trunked port.
  • The VM must be configured so that the user cannot modify the settings of the VM to allow defeating of the above protections of the daily Mac and the rest of our infrastructure.
  • User will not be admin on the daily Mac, but will be on the VM, with less restrictions for testing and research purposes.

The VM will likely be macOS in this case, as we have a proper infrastructure for Windows and Linux VMs on VMware, but that might change.

In my quick experimentation, I have found that at least VMware Fusion does require admin privileges to modify the network configuration of the VM, but does not disallow modifying the sharing settings. VirtualBox and UTM do not appear to lock down any of the VM specific settings.

Does anyone know of a way to manage those settings, even though they seem to be tied to the VM itself and not a standard plist? Maybe a different VM solution? I still need to fully look into the virtualization in Xcode, but from a quick glance, it doesn't seem like that would be able to lock down those settings either.

Thanks in advance for any help!

Matt

    4 replies

    jamf-42
    Forum|alt.badge.img+17
    • jamf-42
    • Esteemed Contributor
    • 744 replies
    • May 19, 2023

    not sure you can do all above as user will need r/w access to vmx config file so you can't lock it out..  copy paste needs VMware tools so you can block / remove that. 

    VMware stated they are no going to develop Fusion further, before you invest a load of time in it*

    VMs with Fusion work well on intel, but on ARM its a very poor experience in comparison, lacking even basic functionality expected in VM.

    UTM, VirtualBuddy are great technically, but limited I believe by Apple and what it allows in a VM. 

     

    Maybe Apple will surprise us with macOS 14 ðŸ˜ƒ

     

    *a very sad state of affairs as I use VMs every day, all with ABM / JAMF etc.. and Im not sure what im going to do when they go ðŸ˜±

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • 2747 replies
    • May 19, 2023

    Generally speaking this is not a good idea. For Windows and Linux VM's you would manage the VM with solutions that manage those platforms. Client hosted VM's are typically difficult to manage as they are not online consistently, when I allowed this kind of work flow VM's had to have SCCM repaired constantly. For macOS, no MDM platform supports macOS VM's. On Apple Silicon you cannot set a Serial Number for a macOS VM, so most Apple Services dont work (appstore apps for example). JAMF can Manage MacOS VM's, its just not officially supported. 

     

    As far as protecting the config files. If your users are local admins, you wont be able to without very specific security tools. If your users aren't local admins you can take write and modify access away from them for the files. However, if users don't have the ability to modify the files, that means the VM Application they are using also cant modify files which will have fall out consequences. 

    sdagley
    Forum|alt.badge.img+25
    • sdagley
    • Jamf Heroes
    • 3546 replies
    • May 19, 2023

    @WilsonFredonia I don't think there's  good answer for your list of needed restrictions, but you should also be aware that for Apple Silicon Macs running a virtualized macOS instance the VM will not have a valid serial number so you cannot sign in to an Apple ID on it, and that may limit its usefulness for doing development testing.

    pkleiber
    Forum|alt.badge.img+9
    • pkleiber
    • Contributor
    • 60 replies
    • May 24, 2023

    @WilsonFredonia check out Parallels for business edition. I am looking into this as well:
    https://www.parallels.com/products/business/

    For example they have:

    Deploy Parallels with Mac Management Solutions

    Use a deployment package to configure, deploy, and tune Parallels Desktop settings., Add Windows applications to the Dock and enable Single Application Mode using Jamf, In Tune, Kandji, Mosyle, Munki, and other Mac management tools.

    Reply


    Most helpful members this week

    Terms & ConditionsCookie settingsAccessibility statement

    Cookie policy

    We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

     
    Cookie settings