Reality check - MDM capability with virtual machine?

Taylor_Armstron
Valued Contributor

Suspect I know the answer to this after thinking about it, but just to make sure:

Is there any method for enabling the MDM capability of a virtual machine? I usually do most of my initial testing on VMware images running 10.11 and 10.12, but was attempting to test some new configuration profiles and my VMs won't show up in the list of machines to scope the policy to. Once I thought about it, I'm assuming it won't work and I need to find a physical box to test on, but just making sure...

25 REPLIES

hkabik
Valued Contributor

MDM works on my Virtual Machines without any issues. I do almost all of my testing with Mac VMs.

I even do DEP testing on VMs by spoofing an existing Serial Number onto the VM.

Taylor_Armstron
Valued Contributor

Thanks @hkabik ... I think the serial # issue was why I was suspecting it wouldn't work. I'll keep working on it - I basically stopped when I realized it was showing up in the inventory as not supporting it and hadn't tried anything else, so now I know it is worth spending some time on to resolve.

Appreciate it!

chriscollins
Valued Contributor

@Taylor.Armstrong I also find it works more reliably if you also set the model identifier to match the machine the original serial number belongs to. This is very easy to set up with VMware Fusion.

emily
Valued Contributor III

vfuse is great for spoofing the serial number and hardware model for things like MDM and especially DEP. Just use the -s flag to use a serial number that is MDM/DEP capable and --hw-model to specify the model type (e.g., MacBookPro13,3). Works beautifully.

rtrouton
Release Candidate Programs Tester

@Taylor.Armstrong, are you setting your VMs to use one processor core, or more than one?

The reason I'm asking is that I've seen MDM not work on one-processor VMs. Assigning another processor core to the VM fixes the problem.

frechr76
New Contributor

Sometimes it works, sometimes it doesn't. I haven't researched very much yet on what's actually failing in the JAMF binary. You might try checking out the jamf.log in /var/log.

Best thing about a VM is the Snapshot ability and getting your base image built to your needs.

For me, my company provides IT services to multiple K12 school districts, and I'm constantly reverting my Mac VM to a base snapshot and re-enrolling into the several completely different JAMFs I manage. My biggest challenge is making sure my VM is inside the school district's network (usually can be completed by using the school's DNS and domain).

I found what works best for me is building out the enrollment Quick Add PKG in Casper Recon.

Keep track of your VMs though; when your company's JAMF renewal comes up, it takes into account how many devices are enrolled.

MatG
Contributor III

@emily

I'm not getting the syntax right of creating a VM with serial and hw, can you help me out? I've tried a few things but a bit stuck...

/usr/local/vfuse/vfuse -s MYSERIALNUMBER --hw-model -i /osx_updated_170623-10.12.5-16F73.hfs.dmg

I got it --hw-model MacBook9,1

elmerlin
New Contributor

Hi @emily @MatG

/usr/local/vfuse/vfuse -s MYSERIALNUMBER --hw-model -i /osx_updated_170623-10.12.5-16F73.hfs.dmg

I do not see the -s flag option on the GitHub page
https://github.com/chilcote/vfuse

Is it necessary for us to use a valid Serial Number? Can we use other alternatives such as hardware UDID?

emily
Valued Contributor III

usage: vfuse [-h] [-i INPUT] [-o OUTPUT] [-n NAME] [-w HW_VERSION]
             [-m MEM_SIZE] [-s [SERIAL]] [-t TEMPLATE] [-e] [-p PACKER]
             [--hw-model HW_MODEL] [--start [START]] [--stop STOP]
             [--reset RESET] [--use-qemu]

The -s flag is documented in the usage. Yes, you need a serial number and hardware model for Apple to recognize its DEP assignment and subsequently for Jamf to follow your configured PreStage Enrollment.

jbygden
New Contributor III

Anyone know what might cause this?:

/usr/local/vfuse/vfuse -s SERIAL -w MacBookPro11,5 -i images/Sierra_170202-10.12.1-16B2657.hfs.dmg
usage: vfuse [-h] [-i INPUT] [-o OUTPUT] [-n NAME] [-w HW_VERSION]
             [-m MEM_SIZE] [-s [SERIAL]] [-t TEMPLATE] [-e] [-p PACKER] [-d D]
             [--hw-model HW_MODEL] [--start [START]] [--stop STOP]
             [--reset RESET] [--use-qemu] [--recovery]
vfuse: error: argument -w/--hw-version: invalid int value: 'MacBookPro11,5'

Chris
Valued Contributor

You want --hw-model for this, -w/--hw-version applies to the Hardware version of the VM.

vao
New Contributor III

Has anyone been able to successfully do this with High Sierra?

sjmosher
New Contributor II

@vao Just did it tonight and it worked beautifully using the same instruction set.

guidotti
Contributor II

I don't have a copy of VMware Fusion here. Do any of you lovely folks use this process for DEP with VirtualBox, instead?

vao
New Contributor III

Here's the instructions I used.

https://www.rderewianko.com/how-to-create-a-vm-thatll-work-with-dep-on-vmware-fusion/

emily
Valued Contributor III

guidotti
Contributor II

I've got a VM running on High Sierra 10.13.2, no issue.
I just need to know how to inject the serial and model number into the VM.
I'll play around with vfuse, thanks.

adaraghmeh
New Contributor II

I am running a new 10.13 VM in Oracle VM VirtualBox; it's freeware. Their latest release is version 5.2.6.
Once you run the quick add pkg, the JSS picks up on the VM machine and it works well!
What I need to now learn is how to get it talking to DEP.

rderewianko
Valued Contributor II

If anyone's interested, there's also a how-to for Parallels published as well (not by me)
Here

BillGallop
New Contributor

I'm a little bit further along than adaraghmeh. I have the VM talking to DEP, it gets the PreStage Enrolment but then it fails to pull down the profile as it says that (null) wants administer it.

If I skip the enrolment the OS can access the internet but refuses to connect to the JSS at all, it can resolve the DNS entry for the JSS but refuses to ping it by either FQDN or IP address.

Something, somewhere in the network configuration is stopping it getting to the JSS.

bentoms
Release Candidate Programs Tester

@BillGallop Is this VirtualBox too? Have you tried VMware?

BillGallop
New Contributor

@bentoms Works fine in Parallels so I know the server end is fine, something funky at the VirtualBox side. I'm needing to use VirtualBox as I want to do some recordings of the DEP deployment for a presentation and with VirtualBox I can set the resolution of the VM to something 16:10 whereas with both Parallels and VMware I can only do something other than 1024x768 once I've got the OS up and running and have installed the relevant drivers for the virtualisation app.

guidotti
Contributor II

I've gotten everything to work in VMware Fusion 8.5, but now I'm having an issue where inserting the lines:

serialNumber = "blahblahblah"
hw.model = "MacBookPro14,2"

Doesn't seem to work every time after a snapshot restore.
It's driving me crazy.

mvught
Contributor

@guidotti sudo ./vfuse -i /Users/ladmin/Desktop/1013.5.dmg -n DEP_yourname -s SNHERE --hw-model "iMac 20 - inch"
But I have version Professional Version 10.1.1 and it works fine.

dshore-mcoe
New Contributor

@guidotti I've run into that too. For me the issue was I had taken the snapshot before setting up the SN/HW stuff, so it kept resetting it when I reset the VM. Not saying yours is the same problem, but might be worth a quick sanity check.
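
A pre-snapshot check for the points raised in this thread (serial and model set in the .vmx before the base snapshot is taken, and more than one processor core), as an added example that is not from any of the posters or from the vfuse project. It assumes a VMware .vmx file with `key = "value"` lines; `serialNumber` and `hw.model` are the keys quoted above, and `numvcpus` is assumed to default to 1 when absent.

```shell
#!/bin/sh
# Added example: check a VMware .vmx before taking the base snapshot.
# serialNumber and hw.model are the keys quoted in the thread; numvcpus is the
# VMX key for the vCPU count (assumed to default to 1 when absent).

# Print the value of KEY ($2) from a .vmx file ($1); lines look like: key = "value"
vmx_get() {
    awk -v k="$2" '
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != k) next
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            gsub(/^"|"$/, "", val)
            print val
            exit
        }' "$1"
}

# Return 0 if the VM carries the settings the thread relies on, 1 otherwise.
vmx_check() {
    rc=0
    serial=$(vmx_get "$1" serialNumber)
    model=$(vmx_get "$1" hw.model)
    cpus=$(vmx_get "$1" numvcpus)
    cpus=${cpus:-1}
    if [ -z "$serial" ]; then echo "FAIL: serialNumber not set"; rc=1; fi
    if [ -z "$model" ]; then echo "FAIL: hw.model not set"; rc=1; fi
    case $cpus in
        *[!0-9]*) echo "FAIL: numvcpus is not a number: $cpus"; rc=1 ;;
        *) if [ "$cpus" -lt 2 ]; then
               echo "FAIL: only $cpus vCPU; assign at least 2"; rc=1
           fi ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: serial, model and $cpus vCPUs set; safe to snapshot"
    return "$rc"
}

# Usage: sh vmx_check.sh /path/to/VM.vmwarevm/VM.vmx
if [ $# -gt 0 ]; then vmx_check "$1"; fi
```

Run it against the .vmx with the VM shut down, and take the base snapshot only after it reports OK.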