MDM Enrolling 10.14 Clients on VMWare Fusion 11.0.3

Angelworks
New Contributor II

Is there an easy way to do this? I read an article about using a tool called vfuse, but it didn't seem to like the newer version of Fusion. I get an error 500 from the profile enroll window.

It seems like its just setting the hw.model and serialNumber field in the .vmx file anyhow?

So far I've set the model to one that should work (but I didn't have the serial number for), but it doesn't work, I poured through our surplus models and found a serial of a machine that was disposed of - but it didn't work.

I set the hw.model to the exact same one that the serial number came off of, but then the VM kernel panics on startup (probably because the model isn't compatible with 10.14).

Someone in another post suggested using the host's serial (Macmini7,1) - and incrementing it by one, but that didn't work either.

Thought I would ask on here before contacting VMWare tech support tomorrow.

On a side rant: I don't get why Apple has to do this to me - I manage clients on JAMF and ConfigMgr - and this is not an issue I have on Windows/Linux.

15 REPLIES 15

Brad_G
Contributor II

I can't speak to VMWare Fusion 11 but I'm running Fusion v10 on an iMac and using that machines model and serial number works for my 10.12, 10.13, and 10.14 VMs.

sdagley
Honored Contributor II

@Angelworks You do need a copy of VMware Fusion 10 for vfuse to build a VM (if you're not using the QEMU workaround), but it doesn't have to be a licensed copy, and you can run the VM that's created with Fusion 11.

mark_mahabir
Valued Contributor

All working fine here. I don't use vfuse but just install macOS in the normal way. Then edit the .vmx file and add a line similar to:

serialNumber = uJk8Hu6Vb7cD

i.e. 12 random letters and numbers at the bottom. I don't think this has ever not worked for us.

jwojda
Valued Contributor II

yeah, it sort of works, you gotta use the QEMU workaround listed on the site.

Angelworks
New Contributor II

@mark.mahabir Hmm I tried that exact serial number - I attached a screenshot of the error I get actually. Are you setting the model to anything specific?277c5892275b4b0393f32d8ef216f1cc

scottb
Valued Contributor III

I edited my .vmx file for VMWare 11.0.3 and here's the area of interest:

serialNumber.reflectHost = "FALSE"
serialNumber = "C03VP0U7XXX"
hw.model.reflectHost = "FALSE"
hw.model = "MacBookPro14,3"

Saved and enrolled into JSS no issues.

sharriston
Contributor II

This site has been super helpful to me.

Angelworks
New Contributor II

@sharriston That is a very helpful doc - question you might know the answer to though - I've read on other sites you shouldn't use the serial of another enrolled device like that site is suggesting?

sharriston
Contributor II

So I would definitely recommend that you don't use an enrolled device, you'll have conflicting jamf records and possible dep issues. . We have an old 13" Pro that we aren't currently using and I have just made that my test serial number as the hardware is unusable at this point.

Angelworks
New Contributor II

@sharriston I do have discarded laptops, but none of them so far are dep enrolled - or are new enough to run 10.14 (I found if you put a model number old enough into the vmx config it kernel panics the vm on startup).

mark_mahabir
Valued Contributor

@Angelworks No, I never set a model.

We don’t yet use DEP here however.

scottlep
Contributor

Besides changing the SN and Model Info, I also had to edit the MAC address in the vmx file for my 10.13 and 10.14 VMs. It seems that the hardware has to appear to be Apple in order to be enrolled via MDM. If you are not familiar with MAC addresses, I believe the first 3 sets of numbers are the hardware manufacturer info, then the second set of three numbers are specific to the computer/device. If the hardware doesn't appear to be from Apple based on the first set of numbers it will fail, in my experience. Similar to how I made the fake serial number, I just grabbed the MAC address from my test computer and changed the last digit by a few characters. After that the VM enrolled with no issues. I have done this with several VMs I have build and never had an issue. This makes sense since the computer has to check in with Apple MDM/APNS during the MDM enrollment....so if it talks to Apple and it doesn't have an Apple MAC address Apple would probably reject it causing the enrollment to fail.

Also, if you attempt to enroll with a non-Apple MAC address and it fails with the error you showed, it usually leaves behind a bad record that either shows as "No Name" or just the serial number. This might even show up under mobile devices instead of computers. In my experience I had to delete the bad records before I could enroll the VM with the new fake Apple MAC Address.

~Scott

kerouak
Valued Contributor

I discovered that ; using MacPro5,1 for High Sierra causes a boot loop.

Instead of MacPro5,1, I used a different hardware model ID; MacBookPro8,2, and this worked fine.

Angelworks
New Contributor II

Just to follow up on this issue - working with a co-worker I did solve this.

What happened when I first tried enrolling the VM it got added as a mobile device (even though I got error 500's from the mdm client). After deleting that inventory record - I set the following options in the vmx file:

hw.mode.reflectHost = "FALSE"
hw.model = "blah12,0"

In VMWare Fusion 11 - the default serial number is 12 digits and works just fine. Obviously don't use blah12,0 (maybe that will work?) - I think I just set it to a Macbook model I knew could run 10.14 - and it worked. Keep in mind - its not DEP enrolled, but I don't really need that to simply test policies/packages.

I suspect the core issue is actually a JSS bug - when enrolling the device it doesn't detect it properly as a OSX device and not a IOS device. I'll contact our support rep about it.

gabester
Contributor III

Just a note... I had thought I could simply insert the serial number and info into the VMX file after building the Mac Guest VM... but I encountered the error above when attempting MDM enrollment. (I am not in a DEP scenario for this VM.) If I added the serial number info PRIOR to building the Mac Guest VM then MDM enrollment did indeed succeed. I used a bogus serial number in this case, which I'm sure would be problematic for DEP... and that serial number simply took the trailing digit and iterated it by 1. Part of my issue could have been that I installed Mojave on the Mac Guest VM under VMWare 8.5.10 before upgrading to 11.5.1.