Managing User VMs

WilsonFredonia
New Contributor III

Hello all,

We are exploring solutions to allow some of our end users to have a local VM (on their daily Mac) that allows them almost full control. The key things we need are:

  • User cannot copy and paste, or file transfer directly between the VM and their daily Mac.
  • Network will be connected to a DMZ through a trunked port.
  • The VM must be configured so that the user cannot modify the settings of the VM to allow defeating of the above protections of the daily Mac and the rest of our infrastructure.
  • User will not be admin on the daily Mac, but will be on the VM, with less restrictions for testing and research purposes.

The VM will likely be macOS in this case, as we have a proper infrastructure for Windows and Linux VMs on VMware, but that might change.

In my quick experimentation, I have found that at least VMware Fusion does require admin privileges to modify the network configuration of the VM, but does not disallow modifying the sharing settings. VirtualBox and UTM do not appear to lock down any of the VM specific settings.

Does anyone know of a way to manage those settings, even though they seem to be tied to the VM itself and not a standard plist? Maybe a different VM solution? I still need to fully look into the virtualization in Xcode, but from a quick glance, it doesn't seem like that would be able to lock down those settings either.

Thanks in advance for any help!

Matt


jamf-42
Valued Contributor II

Not sure you can do all of the above, as the user will need r/w access to the vmx config file, so you can't lock it out. Copy/paste needs VMware Tools, so you can block / remove that.

VMware stated they are not going to develop Fusion further, before you invest a load of time in it*

VMs with Fusion work well on Intel, but on ARM it's a very poor experience in comparison, lacking even basic functionality expected in a VM.

UTM, VirtualBuddy are great technically, but limited I believe by Apple and what it allows in a VM.

Maybe Apple will surprise us with macOS 14 😃
*a very sad state of affairs as I use VMs every day, all with ABM / JAMF etc.. and I'm not sure what I'm going to do when they go 😱

AJPinto
Esteemed Contributor

Generally speaking this is not a good idea. For Windows and Linux VMs you would manage the VM with solutions that manage those platforms. Client-hosted VMs are typically difficult to manage as they are not online consistently; when I allowed this kind of workflow, VMs had to have SCCM repaired constantly. For macOS, no MDM platform supports macOS VMs. On Apple Silicon you cannot set a Serial Number for a macOS VM, so most Apple Services don't work (App Store apps for example). Jamf can manage macOS VMs, it's just not officially supported.

As far as protecting the config files: if your users are local admins, you won't be able to without very specific security tools. If your users aren't local admins you can take write and modify access away from them for the files. However, if users don't have the ability to modify the files, that means the VM application they are using also can't modify the files, which will have fallout consequences.
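On the two points above (jamf-42: copy/paste goes through VMware Tools; AJPinto: protecting the config file), here is an added shell example, not code from either poster, that writes VMware's documented guest-isolation keys into a .vmx and verifies they took. The file path and sample .vmx content are constructed; as the thread notes, whoever can write the .vmx (the owner, or Fusion acting for them) can revert it.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes VMware's documented guest
# isolation keys into a .vmx (copy, paste, drag-and-drop, shared folders) and
# checks they took. Caveat from the thread: whoever can write the .vmx (the VM
# owner, or Fusion acting for them) can put the settings back.

# Replace any existing isolation.tools.* lines with the four "disable" keys.
harden_vmx() {
    vmx="$1"
    tmp="${vmx}.tmp.$$"
    # grep -v exits 1 when every line matched; that is not an error here
    grep -v '^isolation\.tools\.' "$vmx" > "$tmp" || true
    cat >> "$tmp" <<'EOF'
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
isolation.tools.hgfs.disable = "TRUE"
EOF
    mv "$tmp" "$vmx"
    chmod 644 "$vmx"   # owner rw, everyone else read-only
}

# Exit 0 only when all four keys are present and set to TRUE.
vmx_isolation_ok() {
    for key in copy paste dnd hgfs; do
        grep -q "^isolation\.tools\.${key}\.disable = \"TRUE\"" "$1" || return 1
    done
    return 0
}

# Number of isolation.tools.* lines (more than four means the rewrite failed).
count_isolation_keys() {
    grep -c '^isolation\.tools\.' "$1"
}

# Constructed sample .vmx in a temp dir; a real file has many more keys.
WORK_DIR="$(mktemp -d)"
SAMPLE_VMX="$WORK_DIR/research-vm.vmx"
cat > "$SAMPLE_VMX" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "research-vm"
isolation.tools.copy.disable = "FALSE"
EOF

harden_vmx "$SAMPLE_VMX"
vmx_isolation_ok "$SAMPLE_VMX" && echo "isolation keys set in $SAMPLE_VMX"
```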

sdagley
Esteemed Contributor II

@WilsonFredonia I don't think there's a good answer for your list of needed restrictions, but you should also be aware that for Apple Silicon Macs running a virtualized macOS instance, the VM will not have a valid serial number, so you cannot sign in to an Apple ID on it, and that may limit its usefulness for doing development testing.

pkleiber
Contributor

@WilsonFredonia check out Parallels for business edition. I am looking into this as well:
https://www.parallels.com/products/business/

For example they have:

Deploy Parallels with Mac Management Solutions

Use a deployment package to configure, deploy, and tune Parallels Desktop settings. Add Windows applications to the Dock and enable Single Application Mode using Jamf, Intune, Kandji, Mosyle, Munki, and other Mac management tools.