Mass Deployment of VMware Fusion
 


    • Mass Deployment of VMware Fusion 
 A Practical Guide to Planning, Deploying, and Managing Windows on the Mac 
 May 2009
 Charles Edge, Director Technology, 318, Inc. Sponsored by VMware
    • Mass Deployment of VMware Fusion 318 
ARTICLE I. VMWARE FUSION AND RUNNING WINDOWS ON THE MAC
ARTICLE II. SOFTWARE DEPLOYMENT CHALLENGES
ARTICLE III. TOOLS FOR SOFTWARE DEPLOYMENT ON MAC OS X
  Section 3.01 Apple Products for Mass Deployment
    (a) System Image Utility
    (b) NetInstall
    (c) Apple Software Restore (asr)
    (d) Apple Remote Desktop
    (e) PackageMaker
  Section 3.02 Third Party Tools
    (a) The Casper Suite
    (b) LANrev
    (c) NetRestore
    (d) InstaDMG
    (e) Ghost
ARTICLE IV. VMWARE FUSION SPECIFICS FOR DEPLOYMENT ON MAC OS X
  Section 4.01 Installing VMware Fusion for Monolithic Image Deployment
  Section 4.02 Creating the VMware Fusion Package
  Section 4.03 Embedding Volume License Key into the VMware Fusion Package
  Section 4.04 Custom Installation Packaging with Composer
  Section 4.05 Deploying an Installation Package
ARTICLE V. CREATING WINDOWS VIRTUAL MACHINES FOR MAC USERS
  Section 5.01 Creating the Virtual Machine
  Section 5.02 Install any necessary Windows applications
  Section 5.03 Prepping Windows for Mass Deployment
  Section 5.04 Modifying the Virtual Machine for Mass Deployment
  Section 5.05 Deploying Windows Virtual Machine to Macs
  Section 5.06 Populating the Virtual Machine Library with Deployed VM
ARTICLE VI. SYSTEMS MANAGEMENT: MANAGING WINDOWS WITH AD OR OD
  Section 6.01 Microsoft Tools for Patch Management and Updates
    (a) Microsoft Windows Server Update Services
    (b) Group Policy
    (c) System Center Configuration Management (SCCM)
  Section 6.02 Policies Without Active Directory
    (a) Managing Policies for a Single Workstation
    (b) Pushing Out Policies
ARTICLE VII. CONCLUSION
ARTICLE VIII. APPENDIX: DEPLOYING AND MANAGING VMWARE FUSION VIRTUAL MACHINES WITH LANDESK MANAGEMENT SUITE
  Section 8.01 Simplifying Deployment of VMware Fusion and Windows VMs
  Section 8.02 Create a VMware Fusion Distribution Package
  Section 8.03 Create a Distribution Package for Sysprep Windows VM Image
  Section 8.04 Create a Distribution Package for Custom Deployment Tasks
    (a) Discover the Mac’s User Information
    (b) Copy the Windows VM Image to the Mac
    (c) Load the Windows VM Image
    (d) Copy the LANDesk Agent into the Windows VM Environment
    (e) Install the LANDesk Agent into the Windows VM Environment
    (f) Remove the Self-Extracting Agent Executable
    (g) Packaging the Script
  Section 8.05 Create Scheduled Distribution Task
  Section 8.06 Facilitating Managing the VM, Your Macs, and PCs
ARTICLE IX. APPENDIX: DEPLOYING VMWARE FUSION 2 WITH JAMF CASPER SUITE
  Section 9.01 Deploying VMware Fusion with Casper Remote
  Section 9.02 Deploying VMware Fusion with a Policy
  Section 9.03 Deploying VMware Fusion During the Imaging Process
    (a) To create a script to trigger a policy at reboot:
    (b) Next, create a policy similar to the one above with the following changes:
    (c) Finally, to deploy VMware Fusion when imaging you have two options:
  Section 9.04 Deploying VMware Fusion with the Self Service Application
    (a) Create a Self Service policy for the VMware Fusion application:
    (b) Create a Self Service policy for a VMware Fusion Virtual Machine:

 Article I. VMware Fusion and Running Windows on the Mac While historically considered a more consumer-focused solution, of late, Mac hardware has been gaining greater and greater traction in the Enterprise. The drivers around this are varied, but a primary force has been the rise of virtualization—running Windows on the Mac—to solve application compatibility challenges. Windows-based business critical applications, peripherals, and web applications, which previously blocked the uptake of Mac hardware are now easily accessible, thanks to technologies like VMware Fusion, which allows Windows applications and Mac applications to run side-by-side. Supporting this reality, a 2008 Yankee Group survey of 750 global IT administrators revealed that nearly 80% of businesses are managing Macs on their network—up from 47% in the 2006 survey. Even more telling, 21% of respondents noted having more than 50 Macs on their networks. The ability to run Windows on a Mac is a large part of this, with 50% of the respondents confirming that they are running Windows on their Macs. From department-based deployments of Macs, to employee and contractor owned Macs, and even “Macs as a standard,” deploying Windows on a Mac with VMware Fusion opens the door to an easier, less complex way of managing Macs in your environment using your existing Windows application infrastructure. VMware virtualization is industry-proven, with tens of millions of users worldwide, including 100 of the Fortune 100 and 92% of the Fortune 1000 counted as customers. Article II. Software Deployment Challenges The mass deployment of a single imaged operating system in many larger environments can be a difficult task. 
When you take into account the licensing required for each piece of software, the directory services binding required for systems, renaming the systems, the patch management for future software, the settings (and by host settings) and all the other details, imaging a large quantity of systems can be a difficult task. The task of simultaneously mass deploying multiple operating systems to a given host can be an even more complicated endeavor. You still have all the same requirements for the host operating system, but in most cases you end up doubling the effort required in order to deploy each subsequent operating system. Then, if you are deploying a system in a Virtual Machine (VM) you end up also having to factor in specifics for deploying the software used to run and manage the guest operating system and increased footprint of a second operating system both in terms of network infrastructure and licensing costs. All of this leads to an increased reliance on centralized management caused by the sprawl or a higher staff count to deal with support tickets. In this paper we will focus on first defining the methods, tools and software packages used for mass deploying an application in Mac OS X. Once we have defined the tools we will move on to explaining aspects of deployment that are unique to the VMware Fusion application. Then we will explain how to deploy a Windows-based VM and various aspects used to manage of the actual VM. Once the VM has been deployed we will move into patch management of the VM itself and end with more advanced topics such as leveraging NetBoot services with VMware. Page 5 of 64

Article III. Tools For Software Deployment on Mac OS X

When mass deploying and imaging the Mac there are a number of products that are typically used. There are also two overarching methodologies used; each of the products falls into one or both categories.

The first method is what is commonly referred to as monolithic imaging. In this case, the team charged with the deployment creates an image that includes the operating system, the software and any settings used for the deployment. Once the image is ready it is then pushed out en masse to client systems. Monolithic imaging is a fairly simple process but there are negatives to having one big image: each client needs the entire image, updates to each piece of software are time intensive and occasional hardware incompatibilities can require a multitude of different images. A typical way to go about creating a monolithic image involves using System Image Utility to create the image and then using NetInstall to push the image to client workstations. Tools like NetInstall can also be used with package based imaging, although the quantity of data pushed to the workstation itself at image is monolithic in nature.

The second method is commonly referred to as package based imaging. When you are using package-based images you push out an image as a collection of .pkg files. Each package is a part of the overall image, with the first package being the base operating system (also known as the bare metal installation). For example, the base operating system would be a package or .dmg file and each piece of software required or preference change would also be an additional package. Using a package based approach is more complicated by nature and requires more time to initially deploy but ends up saving time long-term as subsequent updates to the image require drastically less effort. With this method, you can push out only the software needed per workstation and when you need to perform an update to the operating system or a software component you can choose to either make a new package for the item being deployed or augment the existing package to include it. A typical way to go about creating a package-based image might be to use a tool such as Composer by JAMF Software to create your packages and then the JAMF JSS server to distribute them.

Section 3.01 Apple Products for Mass Deployment

(a) System Image Utility

System Image Utility is a tool located in the /Applications/Server directory of Mac OS X Server (or a client system with the server tools installed on it) that is used to create images for NetBoot and NetInstall deployments. In Leopard, System Image Utility includes options for creating images, automating the binding of the imaged system to directory services, creating user accounts on imaged workstations, partitioning disks prior to image deployment, adding packages to the image, etc. The collection of tasks you put into your image then uses Automator to create Workflows that perform the required steps in the imaging process (e.g., partition the disk, then put the image on the system, then bind to Open Directory), as can be seen in the below screen shot.

(b) NetInstall

NetInstall is a service that is built into Mac OS X Server. NetInstall can be activated and configured by opening Server Admin and enabling the NetBoot service. Once enabled you would add the image and clients can install directly from the image files hosted by the server. NetInstall can perform any of the pre-flight or post-flight tasks (e.g., formatting a drive, installing a package, etc.) that were defined using System Image Utility. NetInstall can be run on Mac OS X Server.

(c) Apple Software Restore (asr)

Apple has a built-in image deployment solution that comes bundled with all versions of Mac OS X called Apple Software Restore, commonly referred to as ‘asr’. The asr command line utility can be used to deploy images in a unicast or multicast fashion and prepare images for restoration. While asr is free, it is monolithic in nature and managed through the command line, thus making it seem less user friendly than many other solutions available.

(d) Apple Remote Desktop

Apple Remote Desktop (ARD) is a tool used to control client Mac OS X systems. ARD can be used to send simple terminal commands to clients, share screens and deploy packages to systems. ARD is not used to deploy operating systems but instead it is used to deploy software to the operating systems post-imaging, provided ARD is enabled. The primary aspect we will focus on here is the ability to deploy packages, as would be the case if you already have a number of systems deployed to which you will likely want to deploy a package (or two) as part of your VMware Fusion mass deployment.

(e) PackageMaker

PackageMaker is a tool used to build packages for Mac OS X. PackageMaker can use snapshots or files and folders that have been manually selected to create packages. PackageMaker can also use pre-flight scripts to be run before the files and folders that make up the package are installed as well as post-flight scripts which can be run following the installation of the files and folders. PackageMaker does have a slight learning curve and so many of the third party tools look to ease the transition to creating packages by providing an easier user interface to get acclimated with.

Section 3.02 Third Party Tools

(a) The Casper Suite

The Casper Suite, by JAMF Software, can be used to image systems, manage patch deployment and manage inventory. Using the Composer application (a part of the Casper Suite) you can create a package or dmg file with the contents of any installation, which gives you the ability to create a more unattended installer for application installers that require human interaction. Composer works by taking a snapshot of the system prior to you performing a set of actions (like installing a piece of software) and then taking a snapshot afterwards. Once the two snapshots have been compared you will be able to customize which files go into the package and, once you are satisfied with your choices, create a package installer based on the changes. The Casper Suite has other features, but for the purpose of this paper Composer will be our focus.

(b) LANrev

LANrev is similar to the Casper Suite. LANrev is a management suite with a component called InstallEase, which allows an administrator to quickly create packages using snapshots. InstallEase does not have the granularity that a tool such as Composer has, in regard to the snapshot process. However, it is freely distributed and so makes a fairly compelling product to those who do not want to purchase Composer. You can still use packages created through LANrev’s free InstallEase to deploy the packages through ARD and as post-flight installers through NetInstall and NetRestore.

(c) NetRestore

NetRestore is a free application from Bombich Software that can be used to perform asr restores of monolithic images. Additionally, you can have NetRestore run a script (or collection of scripts) prior to installation or post-installation. One of the core features of NetRestore is now the ability to partition a drive for both Mac OS X and Microsoft Windows and place a Microsoft Windows image on that partition. This Boot Camp installation of Windows can then be accessed using VMware Fusion or using BootCamp.

(d) InstaDMG

InstaDMG is an application that uses a collection of packages to create an automated installer. Using InstaDMG you can quickly create a monolithic image from a collection of smaller elements. Therefore, you can continue to use monolithic imaging tools to deploy an image, but use InstaDMG to generate that image.

(e) Ghost

Ghost is a Windows-centric application from Symantec that can be used to image systems. You can use Ghost to image Mac OS X using a monolithic image. Ghost can be useful if you already have plenty of experience with it and wish to image multiple Macs that will dual-boot between Mac OS X and another operating system using BootCamp. The additional operating system can then be accessed using VMware Fusion from within Mac OS X.

Article IV. VMware Fusion Specifics for Deployment on Mac OS X

The various requirements for installing an application can be considered a grouping of files and folders and any actions that need to occur to have those run on a computer. This is known as a package, which is a bundle of files that the Mac OS X operating system interprets given the structure and format of the bundle they reside in.

The VMware Fusion 2 installer is distributed as a package file inside an installer application. As such, you can use this package to deploy VMware Fusion without customizations. However, if you are going to customize the application then you may want to create your own package to do so. Or, if you are going to deploy the software as one package and have a separate license file, you can deploy VMware Fusion as two separate packages. By deploying VMware Fusion as two packages you will not have to replace the license file with each subsequent update.

Section 4.01 Installing VMware Fusion for Monolithic Image Deployment

Adding VMware Fusion to a monolithic Mac OS X image for deployment is simple: just perform a manual installation of VMware Fusion on your base image. If you purchased Volume Licensing for VMware Fusion and you use a single image with your master license key for all of your software for deployment (e.g., using a unicast asr disk image or using a tool like Carbon Copy Cloner) then you can install VMware Fusion using the standard installation package. In this scenario you would install Mac OS X onto a clean system along with any other software you would be deploying. Then you would move on to installing VMware Fusion.

First, start off by mounting the VMware Fusion disk image or optical media on the system, which will show you the introduction screen, as can be seen below:

Click on the Install VMware Fusion icon, which is an application bundle, and at the Welcome to the VMware Fusion Installer screen click on the Continue button, as seen here:

At the Software License Agreement screen, read the license agreement and click Continue as can be seen below:

This will bring up a dialog box prompting you to accept the license agreement. If you agree with the licensing terms then click on Agree to continue, as can be seen below:

At the Mount Virtual Disk Support screen you can choose whether to install MacFUSE, as can be seen below:

If you would like to be able to browse the virtual disks that VMware will create then leave MacFUSE checked, otherwise you can uncheck it. Click Continue to bring up the Standard Install on screen. Here, you can change which disk the software will be installed on, or click on the Install button, as can be seen below, to install VMware Fusion into the /Applications folder of your boot volume.

Once the installation is complete you will be prompted for a license key as seen below. Here, you will type in your Volume License Master serial number and click on the Continue button. If you see the Installation Completed Successfully screen, then VMware Fusion will be ready to open for the first time.

Section 4.02 Creating the VMware Fusion Package

VMware Fusion includes a standard Mac OS X package installer that has been bundled inside an installer application. Therefore, installing VMware Fusion using standard package tools simply requires a user or administrator to use the package that is bundled inside the VMware Fusion installer application. The installer package can be invoked through the application or extracted from the application and run stand-alone.

To get the package, mount the VMware Fusion disk image or insert your optical media and right-click (or control-click) on the “Install VMware Fusion” icon and click on Show Package Contents, as seen in the figure below:

Here you can open the Contents folder and then the Resources folder to see the “Install VMware Fusion.pkg” file. Copy this package to another location and you will have the installation package for VMware Fusion.

Section 4.03 Embedding Volume License Key into the VMware Fusion Package

With VMware Fusion 1.1 and later, you can create a custom installation package with an embedded license key, which is then pre-populated as a part of the installation process. This way, when a user runs the installer package, or when you deploy it through Apple Remote Desktop or whichever patch management solution you prefer, the installer will not ask the end user for a serial number.

First, see Section 4.02, “Creating the VMware Fusion Package”, on how to find the VMware Fusion installation package. You will need this package on a locally available disk in order to customize it.

To create a VMware Fusion installation package that is bundled with a license file, create a text file named “license.txt” that contains only the VMware Fusion serial number for your organization.

Next, you will embed the license file into the VMware Fusion installation package. Browse to your “Install VMware Fusion.pkg” file and right-click (or control-click) on the copied “Install VMware Fusion.app” and click on Show Package Contents as seen in the following image:

From here open the Contents folder and then the Plugins folder. In the Plugins folder you will see a file called licensingPane.bundle. Here, right-click (or control-click) on the file and click on Show Package Contents as seen below:

Next, browse to the Contents folder and then the Resources folder of the bundle and place your license.txt file into the Resources folder as can be seen here:

NOTE: Since a .app, a .pkg file and a .bundle file are just folders to the command line, you can also simply copy the file to the correct location from the command line using the following command (assuming the VMware Fusion installation package is on the desktop). The package name contains spaces, so it is quoted:

    cp ~/Desktop/license.txt ~/Desktop/"Install VMware Fusion.pkg"/Contents/Plugins/licensingPane.bundle/Contents/Resources/

Using this customized installer package, you can deploy it through Apple Remote Desktop or whichever patch management solution you prefer and the installer will not ask the end user for a serial number.

Section 4.04 Custom Installation Packaging with Composer

Alternatively, you could install VMware Fusion manually, creating the installation package using a third party utility. This can be particularly helpful if you want to deploy VMware Fusion as a dmg file rather than a .pkg file or if you want to customize it in ways not previously described (some software, such as InstaDMG, will use dmg files instead of packages). In this example we will cover doing so with Composer, a part of the Casper Suite by JAMF Software.

To start, open Composer on the computer you will be installing VMware Fusion on. Then, set the Look For: field to New and Modified and click on Take Snapshot as can be seen here:

While the snapshot is running do not perform any other tasks. When it is complete, you will see the green arrow move to Install and configure your software. At this point, follow the instructions from Section 3.01 to install VMware Fusion. When you are complete, click back into Composer and provide a name for the package in the Package Name: field.

Note: You can choose to embed the license key in the installer at this point, or capture a base snapshot one more time after the installation, then insert the license key and create a package with just the files pertaining to licensing VMware Fusion.

Once you are satisfied with the name for your installer, click on the Build Package button as can be seen below:

When you click on Build Package, Composer will go through a second lengthy scan. At this point it will be taking a second snapshot of the operating system and will compare the two snapshots to produce a list of what the image (.dmg) or package (.pkg) will consist of. When it is complete you can click on the Verify Contents button to customize what will be a part of the installer, as can be seen below:

At this point, you will want to remove any extraneous information from the package. Keep an eye out for any items that are not specific to VMware, as configuration files for the computer you are installing VMware Fusion onto can be captured here. Take extra caution to ensure that you exclude any machine-specific system configuration files that are not specific to VMware Fusion. Anything being deployed to /System, /etc or /var warrants particular consideration before inclusion into your package, with the possible exception of anything that specifically references VMware or Fusion in the file name. Pushing out a file that overwrites /etc/authorization, for example, could cause systems to not accept logins in the future.

Once you are satisfied that all of the items for VMware Fusion are listed, and only those items, click on the Close button and then select a type of installer from the Package Type: field. This could be a read-only dmg file, a read/write dmg file, a pkg, etc. When you are ready to save the package, click on the Save To… button and then select a location to save the file.

At this point you have customized your installer. There are several benefits to creating an installer in this manner.

- One is that you can remove the licensing information from the package and move it into a separate installer, as described later in this document.
- Another is that you can add a Virtual Machine to VMware Fusion and populate VMware Fusion’s Virtual Machine Library list prior to taking the second snapshot and pushing out the package. While this would make your installer larger and provide less flexibility with regard to how you populate this information, it can be quicker than the alternatives listed in Article V of this document.

Section 4.05 Deploying an Installation Package

Once the package has been created you can test running it on a workstation. If it completes as intended then you can move on to testing it through Apple Remote Desktop (or whichever remote installation package you prefer, although we will use Apple Remote Desktop for this example).

To push it out through Apple Remote Desktop, first open the Remote Desktop application. Then, highlight the machines you would like to deploy the software to, click on the Manage menu and then click on Install Packages… as can be seen below.

This will bring up the Install Packages screen, as can be seen below. Here, click on the + icon and select the VMware Fusion installation package created previously. You can use the standard package or a customized package that includes a master license key if you desire.

Next, select whether you want to restart after the installation using the After installation: field. In this case there is likely no need to restart. Next, select whether you would like to run the installer using your system or using a Task Server. Then, select whether to stop the installation on the target computers if there are any problems in the If a problem occurs: field. Additionally, use the Security: field to select whether or not to encrypt the data and the Network usage: field to throttle bandwidth if desired. Finally, click on Schedule… to schedule a time for the installation or Install to install it immediately.

If the installer completed as expected then you will see a message similar to the following just below the toolbar:
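
Before a snapshot-built package from Section 4.04 is pushed out as described here, the review of /System, /etc and /var entries can be scripted. The following is an added example, not part of the original guide or of Composer: it assumes the package's file list is available one path per line, the sample list is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag package payload paths that land in system-owned
# locations and do not reference VMware or Fusion anywhere in the path.
LC_ALL=C; export LC_ALL

# Constructed sample file list in the "./path" style of a bill of materials.
sample_payload() {
    cat <<'EOF'
./Applications/VMware Fusion.app/Contents/Info.plist
./Library/Application Support/VMware Fusion/vmrun
./etc/authorization
./private/etc/hosts
./var/db/vmware/example.cfg
./System/Library/Extensions/Example.kext/Contents/Info.plist
./Library/Preferences/com.example.settings.plist
EOF
}

# audit_payload: read one path per line on stdin, print "REVIEW <path>" for
# every entry under /System, /etc or /var that does not mention VMware or
# Fusion. Returns 1 if anything was flagged, 0 if the list is clean.
audit_payload() {
    flagged=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Normalise "./etc/x" to "/etc/x".
        case "$path" in
            ./*) path="/${path#./}" ;;
        esac
        # On Mac OS X, /etc and /var are symlinks into /private.
        case "$path" in
            /private/etc/*|/private/var/*) path="${path#/private}" ;;
        esac
        # Only the three locations named in Section 4.04 are of interest.
        case "$path" in
            /System/*|/etc/*|/var/*) ;;
            *) continue ;;
        esac
        # Exception from the text: paths that reference VMware or Fusion.
        # (Assumption: the whole path is checked, not only the file name.)
        lower=$(printf '%s' "$path" | tr '[:upper:]' '[:lower:]')
        case "$lower" in
            *vmware*|*fusion*) continue ;;
        esac
        printf 'REVIEW %s\n' "$path"
        flagged=1
    done
    return "$flagged"
}

# Demo run over the constructed list.
sample_payload | audit_payload || echo "Review the paths above before building the package."
```

On a Mac the file list can be produced from the package's bill of materials, for example with lsbom -s, and piped into audit_payload.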

Article V. Creating Windows Virtual Machines For Mac Users

At this point you have created a package or installed VMware Fusion on your computers. We will now move on to creating the Virtual Machines themselves and deploying them. In this document we will focus on using Windows, as that is the primary use case for running VMware Fusion on the Mac.

Section 5.01 Creating the Virtual Machine

To start off we will create a base installation of Windows XP or Windows Vista. To do so, launch VMware Fusion and click New. Insert a Windows installation CD or disk image (.iso) and follow the steps for Windows Easy Install, which will install Windows automatically including all necessary VMware drivers. For more details, refer to the VMware Fusion Help topic “Creating a Virtual Machine with Easy Install”.

When you are setting up your Virtual Machine there are a few settings that can be useful to help maximize the performance of your systems. By default, VMware Fusion’s settings for memory, processors, and hard disk are designed to balance the needs of performance for both Windows and Mac applications. In addition to virtual hardware settings, there are additional features to consider enabling:

- Shared Folders
- Mirrored Folders
- Shared Applications
- Printing
- Adding Comment in the Virtual Machine Library

Once your virtual machine is set up the way you desire, next install any desired Windows applications.

NOTE: If you are using a corporate modified or custom-built Windows XP/Vista installation media or disk image, you should NOT use Windows Easy Install, which assumes a default Microsoft provided Windows installation media. Make sure to uncheck “Use Easy Install” in the New Virtual Machine Assistant in this case and install Windows manually.
Section 5.02 Install any necessary Windows applications When you are deploying a Windows Virtual Machine, you will likely install additional software that is required for your business into the Virtual Machine prior to deployment. Installing such applications now will ease your initial deployment. After initial deployment, you can leverage a solution such as Microsoft System Center Configuration Manager (SCCM), LANdesk, or LANrev to deploy additional Windows software to your Windows virtual machine as you would do with many of the solutions available for Mac OS Page 24 of 64
X. In other words, the same monolithic versus package based deployment options are available, just using different solutions to get the job done.

Section 5.03 Prepping Windows for Mass Deployment

In order to make for an easier Windows deployment, you will want to rename the Windows computer name on each Mac to have a unique network name and then optionally bind that virtual machine to a Windows Active Directory.

After installing any desired Windows applications, one of the first things you will want to do with the Virtual Machine is to assign it a new Windows name. This will prevent multiple Virtual Machines on the network from occupying a conflicting namespace. There are two traditional ways to rename a system in Windows.

- Sysprep
- Run script on the computer (or in the virtual machine in this case)

The first is to set up sysprep to rename a host as a part of the installation answer file (sysprep.inf). Sysprep can be downloaded at the following URL: http://support.microsoft.com/?kbid=838080

Sysprep can automatically assign names to computers. When you run the setupmgr.exe tool, one of the options will be whether you want to Fully Automate This Install. This setting pertains to whether you will require someone to manually accept the EULA for Windows. Another option though, is Automatically Generate Computer Name. Using this option, sysprep will handle computer naming for you.

The second way is to run a script against the Virtual Machine that renames the computer. For this, you could use a script as simple as the following, which would change a computer name to NEWCOMPUTER:

    ' ------ SCRIPT CONFIGURATION ------
    strComputer = "."
    strNewName = "NEWCOMPUTER"
    ' ------ END CONFIGURATION ---------
    ' Connect to WMI on the target computer ("." is the local machine)
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
        & strComputer & "\root\cimv2")
    Set colComputers = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
    For Each objComputer in colComputers
        ' Rename returns 0 on success; the new name takes effect after a restart
        errReturn = objComputer.Rename(strNewName)
        If errReturn = 0 Then
            WScript.Echo "Computer successfully renamed"
        Else
            WScript.Echo "Rename failed with error " & errReturn
        End If
    Next

If you save the above script as, for example, rename.vbs then it would rename the machine to NEWCOMPUTER when run. This script can be saved anywhere on the system (e.g. in a C:/scripts directory) and then the script itself can later be removed (important if you put any passwords into the script). You can then take your naming convention and apply its logic through Visual Basic by changing what the strNewName variable is set to. For example, you would use something similar to the following to grab the MAC address of a system and then add it to the end of strNewName to append a MAC address to the computer name:
    MACAddress=objAdapter.MacAddress

Scripts to change names and the like can be activated through SysPrep, through startup items or using the vmrun command. If you wanted to use the vmrun command, for example, you could create a second package that gets installed after your VMware Fusion package and Virtual Machine package. In this package you could put a command (or script) that uses vmrun to open the Virtual Machine and run the renaming script:

    vmrun -T ws -gu administrator -gp MyPassword runScriptInGuest "c:\my VMs\myVM.vmx" "c:\Installers\myscript.vbs"

Using the runScriptInGuest (or runProgramInGuest if your script has been compiled or if you’ll be using an application) that is available through VMware Fusion offers a variety of options not otherwise available if you were using sysprep. DOS batch files (.bat) will not run using the runScriptInGuest parameter, but you can invoke Visual Basic scripts through the vmrun interface (depending on the version, you may need to also specify a path to the interpreter). This allows you to potentially send variables to the script that contain the desired computer name, guest password, etc. If you are more comfortable writing scripts for your mass deployment through Mac OS X scripting tools than you would be scripting through Visual Basic then you can simply pass the parameters of your script to the client system using a file that is copied locally or using the positional parameters available with your scripting language. This added flexibility can be very useful in a deployment scenario where you are not using sysprep.

Rather than use the runScriptInGuest or runProgramInGuest you can also use the workstation’s built-in auto-login options. These can be altered in the registry by using keys located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The keys to enable automatic logon are DefaultUserName, AutoAdminLogon and DefaultPassword.
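Appending a full MAC address (12 hex digits) to a name such as NEWCOMPUTER exceeds the 15-character limit on Windows computer names, so a naming convention built on the MAC address has to be trimmed. The following added shell example, which is not part of the original guide, derives such a name on the Mac side from the ethernet0.generatedAddress line that Fusion writes to the .vmx on first launch; vm_computer_name and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide). vm_computer_name is a
# hypothetical helper; the sample .vmx line at the bottom is constructed.

# vm_computer_name VMX PREFIX
#   Prints PREFIX-XXXXXX, where XXXXXX is the last six hex digits of the
#   address Fusion generated for ethernet0 on first launch.
vm_computer_name() {
    vmx=$1 prefix=$2

    # Computer names may only use letters, digits and hyphens.
    case $prefix in
        ''|*[!A-Za-z0-9-]*)
            echo "vm_computer_name: prefix must be letters, digits or hyphens" >&2
            return 1 ;;
    esac

    # Read the quoted value of ethernet0.generatedAddress (not ...Offset).
    mac=$(awk -F'"' 'tolower($1) ~ /^[ \t]*ethernet0\.generatedaddress[ \t]*=/ { print $2; exit }' "$vmx")
    if [ -z "$mac" ]; then
        echo "vm_computer_name: no generated address in $vmx (VM not launched yet?)" >&2
        return 1
    fi

    # Normalise to 12 upper-case hex digits and validate.
    hex=$(printf '%s' "$mac" | tr -d ':-' | tr 'a-f' 'A-F')
    case $hex in
        *[!0-9A-F]*) echo "vm_computer_name: unexpected MAC format: $mac" >&2; return 1 ;;
    esac
    [ ${#hex} -eq 12 ] || { echo "vm_computer_name: unexpected MAC length: $mac" >&2; return 1; }

    # The first six digits are the vendor prefix, which generated addresses
    # share, so only the last six distinguish one VM from another.
    name="$prefix-${hex#??????}"

    # Windows computer (NetBIOS) names are limited to 15 characters.
    if [ ${#name} -gt 15 ]; then
        echo "vm_computer_name: $name is longer than 15 characters" >&2
        return 1
    fi
    printf '%s\n' "$name"
}

# Demo on a constructed .vmx line.
demo=$(mktemp)
echo 'ethernet0.generatedAddress = "00:0c:29:3a:5b:7c"' > "$demo"
vm_computer_name "$demo" FUSION
rm -f "$demo"
```

The printed name can then be handed to the guest rename script as a positional parameter or in a copied file, as the guide describes.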
More Windows centric organizations will want to first rename computers and then bind them into Active Directory. Binding can be done in the same script or in a separate one. The bind will typically require another restart after the rename and requires not only TCP/IP connectivity to the network but also valid DNS, which Active Directory depends on. One way to join to a domain would be to use the JoinDomainOrWorkgroup method with WMI (Windows Management Instrumentation), as Microsoft describes at the following site: http://msdn.microsoft.com/en-us/library/aa392154(VS.85).aspx

Finally, there is one other unique identifier associated with each Windows computer that needs to be updated in Windows. Windows has a Security Identifier, or SID. Even if two computers have independent network addresses (MAC), if the SID is the same, one won't be able to access the network as effectively as it would otherwise be able to do. You may use a tool like NewSID to update the SID of a deployed Windows virtual machine or write a script to do so. NewSID is available at the following URL: http://technet.microsoft.com/en-us/sysinternals/bb897418.aspx

These are the basic methods for the deployment of Windows systems. Like the deployment of Mac systems, this is a full time position in many organizations and therefore there is a wide variety of information on the Internet and in printed form that is geared to preparing and sharing information on sysprep and Visual Basic scripting. Many organizations will likely have an
existing infrastructure for their Windows deployments and require little retooling for scripts and methods to work in a VMware Fusion environment.

Section 5.04 Modifying the Virtual Machine for Mass Deployment

Similar to Section 5.03, there are a number of things that need to be changed in Windows for mass deployment. Finally, you need to modify the virtual machine to make it ready for mass deployment.

First, power off the virtual machine so that it is shut down. This is important as there are slight differences in Intel processors that could potentially cause problems if resuming the VM on an older or newer computer. Having the machine start from power on will avoid any potential problem in this area.

There are three areas that you need to address:

- Unique Identifiers
- User specific settings such as Shared Folders
- Suppressing the antivirus warning message

Unique Identifiers

Computers have various unique identifiers that serve a similar purpose, and if these identifiers conflict, they might not be able to communicate with each other. A common identifier is the MAC (short for Media Access Control) address. Every network adapter has one of these. VMware virtual machines have another identifier called the UUID - this isn't important to the guest, but is how Fusion (or other VMware products) keeps track of virtual machines. These settings are stored in the Virtual Machine's settings file, which is known as the .vmx file.

To take the virtual machine you created and configured earlier and make it applicable for distribution, you need to edit the virtual machine settings file (.vmx) to remove machine specific identifiers. Once they are removed, VMware Fusion will create them on first launch on the deployed computer. To do this, right click on the virtual machine bundle and select Show Package Contents. Find the Virtual Machine Settings .vmx file and open it in TextEdit or your favorite text editor.
The aspect of the Virtual Machine that needs to be changed from the VMware Fusion perspective is to remove lines in this file that localize the Virtual Machine to the system it was created on. To do so, remove the lines that begin with the following from the .vmx file that is associated with each VM you will be deploying:

    ethernet0.addressType =
    uuid.location =
    uuid.bios =
    ethernet0.generatedAddress =
    ethernet0.generatedAddressOffset =

User Specific Settings (Shared and Mirrored Folders)
Shared and Mirrored folders provide great value to your users, allowing them to access documents stored on the Mac directly from Windows. Shared and Mirrored Folders rely on specific path names to the desired shared directories.

To take the virtual machine you created and configured earlier and make it applicable for distribution, you need to edit the virtual machine settings file (.vmx) to change absolute paths to relative paths that will be expanded on first launch on the end user's Mac. To do this, right click on the virtual machine bundle and select Show Package Contents. Find the Virtual Machine Settings .vmx file and open it in TextEdit or your favorite text editor. Find the shared folder path:

    sharedFolder1.hostPath = "/Users/pat"

Change the variable to:

    sharedFolder1.hostPath = "~"

Once you have made these changes to the virtual machine, do NOT power on this VM. If you power on the VM, the settings will be reset to user specific settings and will need to be changed again.

Antivirus warning message

Fusion 2.0 comes bundled with a complimentary 1-year McAfee antivirus subscription. If Fusion detects the user is running a compatible guest OS, it will present a dialog encouraging the user to install the antivirus software. This may not be desirable, especially if your policy forbids installing such software. To work around this, edit the .vmx file to contain the line

    skipAntivirusCheck = "TRUE"

If your policy prevents users from installing the bundled antivirus, you might want to remove the bundled antivirus image entirely. The antivirus iso is located in /Library/Application Support/VMware Fusion/isoimages/. You could remove it during the custom packaging steps described in Sections 4.03 and 4.04.

Finally, you will also want to set up the VM to automatically rename the Operating System on first run and if you are using the Virtual Machine with Directory Services (such as Active Directory) you may wish to automate the binding process.
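The three .vmx edits described in this section (unique identifiers, shared folder path, antivirus prompt) can be applied and checked with a script instead of by hand. This is an added shell example, not part of the original guide; it generalizes ethernet0 to any ethernetN adapter, and the function names, the sample .vmx contents and the /Users/pat build account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): prepare a powered-off VM's
# .vmx for distribution. Function names and sample data are hypothetical.

# prep_vmx SRC DST BUILD_HOME
#   Writes a deployable copy of SRC to DST (SRC and DST may be the same file).
#   BUILD_HOME is the home directory of the account that built the VM.
prep_vmx() {
    src=$1 dst=$2 home=$3
    [ -f "$src" ] || { echo "prep_vmx: $src not found" >&2; return 1; }
    tmp="$dst.tmp.$$"
    awk -v home="$home" '
    {
        key = $0
        sub(/^[ \t]+/, "", key)       # trim leading whitespace
        sub(/[ \t]*=.*$/, "", key)    # keep only the text left of "="
        key = tolower(key)
    }
    # Machine-specific identifiers: Fusion recreates them on first launch.
    key ~ /^ethernet[0-9]+\.(addresstype|generatedaddress|generatedaddressoffset)$/ { next }
    key == "uuid.location" || key == "uuid.bios" { next }
    # A shared folder that points at the build account home becomes "~".
    key ~ /^sharedfolder[0-9]+\.hostpath$/ {
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)
        gsub(/^"|"[ \t\r]*$/, "", val)
        if (val == home) {
            print substr($0, 1, index($0, "=")) " \"~\""
        } else {
            # Any other host path is left alone and reported for review.
            print "prep_vmx: review shared path " val | "cat 1>&2"
            print
        }
        next
    }
    key == "skipantiviruscheck" { next }    # written once at the end
    { print }
    END { print "skipAntivirusCheck = \"TRUE\"" }
    ' "$src" > "$tmp" && mv "$tmp" "$dst"
}

# vmx_is_clean FILE
#   Succeeds only if no identifier lines and no absolute shared-folder paths
#   remain, i.e. nothing is left that ties the file to the build machine.
vmx_is_clean() {
    ! grep -Eiq '^[[:space:]]*(ethernet[0-9]+\.(addressType|generatedAddress|generatedAddressOffset)|uuid\.(location|bios))[[:space:]]*=' "$1" &&
    ! grep -Eiq '^[[:space:]]*sharedFolder[0-9]+\.hostPath[[:space:]]*=[[:space:]]*"/' "$1"
}

# Constructed sample, modelled on the settings named in the guide.
write_sample_vmx() {
    cat > "$1" <<'EOF'
config.version = "8"
displayName = "Windows XP"
ethernet0.present = "TRUE"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:3a:5b:7c"
ethernet0.generatedAddressOffset = "0"
uuid.location = "56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"
uuid.bios = "56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"
sharedFolder1.present = "TRUE"
sharedFolder1.hostPath = "/Users/pat"
sharedFolder2.hostPath = "/Volumes/Projects"
EOF
}

# Demo on the constructed sample, in a scratch directory.
demo_dir=$(mktemp -d)
write_sample_vmx "$demo_dir/build.vmx"
prep_vmx "$demo_dir/build.vmx" "$demo_dir/deploy.vmx" /Users/pat
cat "$demo_dir/deploy.vmx"
vmx_is_clean "$demo_dir/deploy.vmx" || echo "review needed before packaging"
rm -rf "$demo_dir"
```

Run it against the powered-off VM immediately before building the package, and do not launch the VM afterwards, since launching it writes the identifiers back.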
The rename and binding options are explored further in Article V of this document.

Optionally, there are a variety of other options that you can push out by editing your .vmx file. These include customizing the folder that shared folders points to, enabling and disabling drives, customizing the number of virtual CPUs, etc. This can be done prior to pushing out the .vmx file or by using commands to push out changes to .vmx files to workstations through, for example, Apple Remote Desktop or SSH.

When you are customizing a .vmx file it’s important to remember the following:
• Shared Folders path should be set to a relative path before deployment. This is done by replacing the paths with “~”, which will be expanded to the full path of the current user on first launch
• The UUID and MAC address settings that are removed manually will recreate themselves automatically
• After making the changes above, do NOT launch the virtual machine again as this will overwrite the settings desired for deployment

Section 5.05 Deploying Windows Virtual Machine to Macs

Once you have deployed the VMware Fusion software then you will need to deploy the actual Virtual Machines that Fusion will be utilizing. Deploying the Virtual Machines and .vmx files to Mac OS X can be done through a script, package or .dmg file. For this example, we will create a package with the Virtual Machine using PackageMaker.

To start, install the Mac OS X Developer Tools by inserting your installation media and running the Xcode Tools installation package. Once installed, open PackageMaker from /Developer/Applications/Utilities/PackageMaker. At the Install Properties screen, type the name of your organization with a prefix of com. and choose a minimum version of the operating system for this package to be able to get installed on, as seen below:

At the next screen, supply a name for your package and choose the drive that the package contents (the Virtual Machine) will get deployed into.
Click on the cog wheel icon in the lower left corner of the screen and click Add Contents… to bring up a standard browse window. Here, select the Virtual Machine you would like to deploy and then click on OK. This will bring you back to your package creation screen where you can enter the folder you would like the Virtual Machine to be placed into using the Destination: field. You can also enter a version number in the Package Version: field, as seen here.
You can now click on the Scripts directory and define any postflight actions you would like to perform, such as populating the VMware Fusion Virtual Machine Library with the deployed VM, as described in Section 5.06.

If you have no further customizations to perform then you can click on the Build icon in the top left corner of the screen to bring up a screen that allows you to save a copy of your package to an easily accessible location as can be seen here:

Once you have created your installer package then you can push the package out through Remote Desktop as mentioned previously or through the patch and configuration management solution you are using in your environment.
Section 5.06 Populating the Virtual Machine Library with Deployed VM

Once all of your Virtual Machines have been deployed you will want to deploy a preference that populates the VMware Fusion Virtual Machine Library when it is first opened. The Virtual Machine Library is populated using the defaults command. You can read the existing preferences for VMware by running the following command:

    defaults read com.vmware.fusion

You can read the list of current Virtual Machines accessible by VMware Fusion using the following command:

    defaults read com.vmware.fusion VMFavoritesListDefaults2

The following command will add a Virtual Machine named "Windows XP" to the Virtual Machine Library (assuming that the Virtual Machine is located at "/VM/WindowsXP.vmwarevm"):

    defaults write com.vmware.fusion VMFavoritesListDefaults2 -array-add '{name = "Windows XP"; path = "/VM/WindowsXP.vmwarevm";}'

You can also replace an existing list of Virtual Machines in the library by using the following command:

    defaults write com.vmware.fusion VMFavoritesListDefaults2 -array '{name = "Windows XP"; path = "/VM/WindowsXP.vmwarevm";}' '{name = "Fedora Core"; path = "/VM/Fedora.vmwarevm";}'

In the above command we edited the com.vmware.fusion preference by adding an array that lists the Virtual Machines to be added. By adding additional lines you can create more entries in your favorites list. An example of another item to place at the end of this command would be to add a Virtual Machine called Windows Vista that is located at /VM/WindowsVista.vmwarevm using the following:

    '{name = "Windows Vista"; path = "/VM/WindowsVista.vmwarevm";}'

In order to deploy this through ARD, Casper, or another app, you would need to generate a new package with the preferences file. Alternately, you could leave the preferences file in place and then manually script the addition using your pattern matching commands of choice.

Article VI.
Systems Management: Managing Windows with AD or OD

Section 6.01 Microsoft Tools for Patch Management and Updates

As with Mac OS X, there are a variety of ways to provide patch management and updates to Microsoft Windows computers. This typically involves one or more products that fill the basic roles typical to a Mac OS X environment. Because we covered deployment in previous Articles, this Section will focus on patches and updates to the operating system and any third party software products installed as a part of your deployment.
(a) Microsoft Windows Server Update Services

Windows Server Update Services (WSUS) is a free add-on for Windows Server 2008 and Windows Server 2003 with Service Pack 1 or higher, provided you are fully licensed for those products. Similar to how Software Update Server on Mac OS X Server works, WSUS downloads updates from Microsoft Update onto a server and then provides them to clients in the environment. This allows administrators control over which updates get deployed to client systems and doesn’t require each computer in your environment to download and cache all of the updates from Microsoft Update, thus reducing overall bandwidth consumption for automatic updates for your Windows deployment.

WSUS isn’t just for Windows desktop operating system updates though. WSUS also has updates for all of the various flavors of Windows Server (and there are a lot of them), Microsoft Office, Microsoft Forefront, Microsoft Expression and even the Zune. The management for WSUS is a little more granular than that of the Mac OS X Server Software Update Server. Products are broken down into categories to ease the administrative burden and updates are classified so that you can choose which categories to download and which classifications (Critical, Definition, Security, Updates, Service Packs, etc) to be released without administrative intervention. Unless you control all patch deployment from a centralized location, WSUS is a must have for any sizeable Windows deployment.

To obtain WSUS, see the following link: http://www.microsoft.com/downloads/details.aspx?FamilyId=C8FA2FD1-72F6-4F19-A1B0-F689DAE14BE6&displaylang=en

Information on scripts that can be used to extend WSUS can be found at the following location: http://www.microsoft.com/technet/scriptcenter/scripts/sus/default.mspx?mfr=true

(b) Group Policy

Group Policy is the foundation for centralized control over a Windows deployment.
Policies are managed through Active Directory and can be used to automate most any task, whether it be controlling access to various resources, controlling settings, pushing out software updates, pushing out WSUS settings, etc. Policies can be pushed out to a site, domain, organizational unit, user, group, etc. Policies in Active Directory are pushed out to workstations (and servers) through the use of a Group Policy Object, configurable through the Group Policy Management Console of Windows Server.

GPOs allow you to push out Windows updates but also to push out updates to installed third party software using custom installers (e.g. .msi, .mst files). You can also use the same framework to push out new installations of Microsoft software and third party packages. This allows you to push out a lean guest operating system and then granularly control what software is installed from a central location; think package based management.

(c) System Center Configuration Manager (SCCM)

SCCM (System Center Configuration Manager) uses GPO, Active Directory, IIS and a few other key pieces of technology to provide a more comprehensive solution to centrally managing a Windows deployment than is available through the use of GPOs. SCCM provides Software
Updates, Asset Management (referred to in SCCM as Asset Intelligence), Configuration Management (similar to the Casper Suite) and operating system deployment, which you are not likely to use in a predominately VMware Fusion environment.

Section 6.02 Policies Without Active Directory

All of the options in the previous Section referenced solutions reliant on Active Directory. However, it is possible to centrally manage policies for a Windows environment without Active Directory. This can be especially useful in environments running Open Directory where you are using Mac OS X as a PDC (Primary Domain Controller).

(a) Managing Policies for a Single Workstation

From Windows Server 2003 or Windows XP there are two utilities that can be used to create policies. The first is Group Policy Object Editor, gpedit.msc. The second is secpol.msc. For the purposes of this document we will use gpedit.msc as it provides most of what is available in secpol and far more granular policies for workstation control. To open GPO Editor click on start then click run and then type gpedit.msc.

Now you will be looking at two sections, Computer Configuration and User Configuration. Computer Configuration controls global settings such as password policies and Log on Locally as can be seen below:
The User Configuration will show a folder called Administrative Templates. Open this and you will see Windows Components, which are Windows XP applications, such as Terminal Services (RDC), Windows Media Player, Windows Update, Windows Explorer, etc. An example of setting these policies is to use the Windows Media/Playback/Prevent Codec Download policy to prevent the downloads of Windows Media Player Codecs.

Start Menu and Taskbar can be used to configure settings in the start menu and task bar (seems pretty straight forward, right?). For example, you can use the Remove Run Menu from Start Menu to configure the system not to show a run dialog box in the Start Menu. Some other items you can do here include locking the taskbar, showing users the classic Start Menu, disable history of recently opened documents or remove Run/My Pictures/My Music/My Network Places/Favorites from the start menu.

User Configuration also allows you to configure the Desktop using the Desktop subfolder. For example, the Properties dialog box can be removed from My Documents, My Computer or Recycle Bin. Or you could remove My Computer, My Documents or Recycle Bin from the
desktop completely. You can also block users from adjusting desktop toolbars or hide the Network Places and/or Internet Explorer Icon on the desktop.

User Configuration is also where you can allow or disallow specified groups of users access to the Control Panel using the Control Panel sub-set of folders. Control Panel not only includes the Control Panel but also includes Printing, Language, Add/Remove Programs, etc. You can limit which Control Panel items are displayed to end users or just prohibit any users from accessing any Control Panels. You can also perform more finely grained access control for certain Control Panel items. For example, you can allow a user access to the Display Control Panel and allow them to enable a Screen Saver there but disable the ability to change the wallpaper. You could also force a password to wake a system from Screen Saver mode. The Add or Remove Programs sub-folder will allow you to limit users from being able to install software or allow you to limit certain options within the software installation wizard. Through the Printers sub-folder you can limit whether a user can add or delete printers, or limit them from being able to browse to printers.

Shared Folders can be used to disable a user's ability to share folders. Network can be used to limit users from changing TCP/IP, NIC or other items that involve the network stack. Network can also be used to set offline file caching settings.

System has a number of settings that can be configured, including profile quotas (under User Profiles), login script behavior (under Scripts), Task Manager and computer locking (under Ctrl+Alt+Del Options), the ability to start programs at login (under Logon), GPO controls such as refresh intervals (under Group Policy - although many of these will not be enforceable if you are not using a domain) and finally Movie Maker and HTTP printing (using Internet Communications).

There are a lot of policies.
If you're curious about what a specific policy will do then you can use the Extended view (by clicking on Extended on the bottom navigation bar). Using the Extended view, system requirements (version of Windows, etc) will be listed and a description of what the policy will do will be displayed on the left hand side of the screen. If you are comfortable with what a policy will be doing, you can double-click on the policy and configure the settings for it.

(b) Pushing Out Policies

If you're looking to push policies out from a centralized directory service that is not Active Directory then you will have slightly more work to do. You will be using the poledit.exe utility rather than gpedit.msc. The poledit.exe tool is stored on a Windows 2000 Server CD. If you install the Admin Tools using the driveletter\i386\adminpak.msi installer then you will be able to build a policy file in adm format that can then be distributed.

Once you open the Poledit.exe application you will click on the File menu and then select New Policy. From here you will see Default User and Default computer (much as with its successor gpedit.msc). Options in poledit.exe for Computers include a variety of settings. One of the more important here is the Local Computer->Network->System Policies Update->Remote Update which can be used to identify where the system will be getting policy updates and how they will be updated.

To set/create the policy file (Ntconfig.pol), first remove all #if version and #endif statements from the System.adm, Inetres.adm and conf.adm files on the local workstation in order to prevent the unintended loading of these files by the Poledit.exe tool. This isn’t absolutely necessary. Next, save your policy settings as Ntconfig.pol. Save the file to the Netlogon share of the Windows NT 4.0 domain controller. But, what if you do not have a Netlogon share or a
replication service to replicate between shares? Well, create the share by adding the following lines to your SMB config:

    [netlogon]
        comment = Network Logon Service
        path = /path
        guest ok = Yes
        browseable = No
        # If you have problems, try adding the following line
        # acl check permissions = no

Using the above, you would replace the /path with the actual directory in which you will store the data on your server. This directory needs to allow everyone read only access and be accessible by all hosts that will be controlled using these policies. Copy the ntconfig.pol file into this directory and you will now be pushing the policy out to your local Windows workstations that are bound into the PDC.

Options in poledit.exe for users include policies dealing with Control Panels (restrict access to display), Desktop (wallpaper and color scheme), Shell (Start Menu controls and Network Neighborhood controls), System (Run Dialog), Windows NT Network ($ hidden shares), Windows NT Printers (beeps and priorities), Windows NT Remote Access (dialup networking), etc.

One final way to manage policies is through the login scripts option available to Windows workstations that log into your PDC. Using the login scripts you could script the import of a policy and apply it to the user or computer using gpupdate.exe.

Article VII. Conclusion

Windows and Mac mass deployments are fairly similar in nature, in regard to the methodologies used. However, deploying both simultaneously to result in a heterogeneous operating system environment per host can be a fairly complicated task. In this document we have reviewed the steps and procedures for setting up a Virtual Machine deployment infrastructure using VMware Fusion.

When you are preparing any system for mass deployment, it is critical to “measure twice and cut once.” The more testing you do, the better off you will be.
If you are already familiar with Windows scripting then we would also recommend getting prepared to learn as much shell scripting and AppleScript as possible. This will only help you to further automate your deployment. However, if you are already familiar with scripting for the Mac then we would recommend that you familiarize yourself with WMI and Visual Basic to help automate Windows-oriented tasks.

In many environments where multiple operating systems are presented to end users, organizations will attempt to unify the environment that is presented to their users. For example, using a combination of features within VMware Fusion and GPOs you can allow your users to see the same Documents folder whether they are in Windows or Mac OS X and then synchronize this folder with your servers using Mobility or have the folder live on the server using Network Home Folders. You can also synchronize other directories or use aliases, symbolic links, shortcuts, etc. to unify the environment. However, this is an area that requires
extensive planning and testing as small GPO policy changes or changes to features within a product can cause profound differences in how the data is presented to the user, potentially jeopardizing the perception of your entire deployment.

Finally, the additional footprint of multiple operating systems will establish a greater need for security for your environment. It is strongly recommended that considerations for how to secure each operating system en masse be handled separately and be well thought out. Training is essential to making sure that your environment is as secure as possible. This extends beyond the operating systems in use and into each application that is deployed.
About 318:

318 is a national technology solutions company delivering comprehensive technical support services and software solutions to businesses. At 318, our trained and certified technology professionals know the business of our clients. 318's array of technology services will complement your organization's business logic while allowing you to focus on moving your business forward. Services include mass deployment, directory services, SAN, scripting and other centralized IT technologies for Linux, Windows and Mac OS X. 318 is on the web at www.318.com

About VMware:

VMware (NYSE: VMW) is the global leader in virtualization solutions from the desktop to the datacenter. Customers of all sizes rely on VMware to reduce capital and operating expenses, ensure business continuity, strengthen security and go green. With 2007 revenues of $1.3 billion, more than 120,000 customers and nearly 18,000 partners, VMware is one of the fastest growing public software companies. Headquartered in Palo Alto, California, VMware is majority-owned by EMC Corporation (NYSE: EMC) and on the web at www.vmware.com.

Author: Charles Edge, Director of Technology :: 318
Article VIII. Appendix: Deploying and Managing VMware Fusion Virtual Machines with LANDesk Management Suite

This appendix describes an alternative workflow to deploy VMware Fusion using LANDesk Management Suite. The entire section is provided and copyrighted by Avocent Corporation.

VMware Fusion enables users to experience the best of both Mac and Windows worlds. Unfortunately, IT teams often lack the means to deploy and manage these guest operating systems easily and effectively. However, Avocent’s LANDesk Management Suite not only extends your deployment and management capabilities to VMware Fusion guest operating systems, it enables you to control your entire environment of Macs, PCs, and other platforms from a single centralized workstation console.

Section 8.01 Simplifying Deployment of VMware Fusion and Windows VMs

In addition to simplifying management of both Mac and PC environments, LANDesk Management Suite facilitates the deployment of VMware Fusion and guest Windows VMs onto your Mac hardware as illustrated in this diagram.
The following sections of the document provide insights on how LANDesk can help you accomplish this, enabling you to end up with a Mac that is completely manageable from the LANDesk console, and a Windows guest operating system or virtual machine (VM) running on the same machine that is completely manageable from that same console as well. These sections will direct you through how LANDesk Management Suite can help you easily automate and execute the following main steps:

1. Create the VMware Fusion distribution package
2. Create a distribution package for sysprep Windows VM image
3. Create a distribution package for custom deployment tasks
4. Create a scheduled task that deploys the packages, installs VMware Fusion, copies and loads Windows VM, and deploys a LANDesk agent onto the Windows VM
5. Easily manage both the Mac and the Windows VM running on the Mac
Section 8.02 Create a VMware Fusion Distribution Package

Before deploying VMware Fusion to a Mac, you need to have the LANDesk agent installed on the Mac to allow you to manage it with LANDesk Management Suite. There are a number of ways of installing the agent, but one way is to simply browse to its location on your LANDesk core server. If you browse to it with Safari, the agent’s package will automatically be extracted and the installation will be carried out on the Mac. Once the agent is installed, that Mac will appear in the list of managed devices from within the LANDesk console from where you can perform a variety of management operations on it.

Figure 1 - With the LANDesk agent installed, Mac devices can be easily managed from the LANDesk console

Before you deploy VMware Fusion, you must obtain a distribution package for the application. You can use the package file provided by VMware, or you can create a custom one using LANDesk Management Suite. In either case, refer to section 4.02 of this guide for details on how to obtain the package, as well as how to embed the VMware Fusion license keys into the package. To facilitate package creation, you should copy the package files to your LANDesk core server into the directory /ldlogon/mac/.

To create a package file from within the LANDesk console, simply click Tools | Distribution | Distribution Packages and select New Macintosh package. The LANDesk interface makes it easy to specify the files and settings necessary to successfully install the package, including any dependencies, prerequisites, command-line parameters, or additional files needed for the install. Once you’ve created a VMware Fusion distribution package in LANDesk, it is compressed and stored in the LANDesk core server database where it can be easily accessed for deployment.

Figure 2 - VMware Fusion distribution packages can easily be created with LANDesk

Section 8.03 Create a Distribution Package for Sysprep Windows VM Image

To make sure your Windows VM loads with the correct computer name, licensing, domain host, IP address, DNS settings, and other unique attributes, you need to run sysprep on your Windows workstation before imaging it. Sysprep customizes a Windows installation so that when the OS reboots, it looks for an answer file (SYSPREP.INF) and reconfigures itself for the new device. The Microsoft Setup Manager utility (SETUPMGR.EXE) creates the SYSPREP.INF answer file that Sysprep uses for the images you deploy.

After you sysprep your image, you need to zip the resulting files and copy them to the /ldlogon/mac/ directory on your LANDesk core server. Then, to create the distribution package, once again select New Macintosh package from Tools | Distribution | Distribution Packages within the LANDesk console and browse to the location of the zipped Windows VM image.

Figure 3 - LANDesk facilitates the creation of distribution packages for sysprep'd Windows VM images

Note: If you’re not familiar with sysprep, you can find more information on it at http://support.microsoft.com/?kbid=838080, as well as in section 5.03 of this guide. The LANDesk Management Suite user documentation also has information on how to use sysprep in conjunction with deploying Windows images.

Section 8.04 Create a Distribution Package for Custom Deployment Tasks

LANDesk Management Suite lets you take advantage of bash scripts to execute custom tasks. You can leverage this scripting capability to simplify the copying and loading of your Windows VM images onto your Macs, as well as deploying the LANDesk management agent into your Windows VM environments.

You can create the script using the vi editor on Mac OS X. (Note: You cannot create the script with a text editor in Windows or DOS because the LANDesk Mac agent won’t be able to interpret it correctly.) The script you create might look something like the following (please note that the format wrapping is due to the document and is not the way the script should be written):

    #!/bin/bash
    # Short name of the last user who logged in at the console
    lastUser=`last -t console -1 | awk '{print $1}'`
    # Copy the Windows VM from the LANDesk cache into that user's Virtual Machines folder
    cp -r "/Library/Application Support/LANDesk/sdcache/XP" "/Users/${lastUser}/Documents/Virtual Machines"
    # Start the VM
    "/Library/Application Support/VMWare Fusion/vmrun" start "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx"
    # Copy the agent installer into the guest (backslashes are doubled so bash passes single backslashes to vmrun)
    "/Library/Application Support/VMWare Fusion/vmrun" -gu Administrator -gp AdminPW copyFileFromHostToGuest "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" "/Users/${lastUser}/Documents/XPAgent.exe" "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"
    # Run the agent installer inside the guest
    "/Library/Application Support/VMWare Fusion/vmrun" -gu Administrator -gp AdminPW runProgramInGuest "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"
    # Delete the installer from the guest
    "/Library/Application Support/VMWare Fusion/vmrun" -gu Administrator -gp AdminPW deleteFileInGuest "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"

(a) Discover the Mac’s User Information

The second line of the script makes mass deployment of Windows VM images to multiple Macs possible by discovering the last user who logged on to that specific Mac. That user name is then substituted into the paths used later in the script, so that the VM image is copied to the appropriate directory on the Mac. This script line looks like this:

    lastUser=`last -t console -1 | awk '{print $1}'`

(b) Copy the Windows VM Image to the Mac

The next line copies the contents of the folder containing the Windows VM image file to the appropriate directory on the Mac:

    cp -r "/Library/Application Support/LANDesk/sdcache/XP" "/Users/${lastUser}/Documents/Virtual Machines"

(c) Load the Windows VM Image

The following line takes advantage of the VMRUN utility in VMware Fusion to automatically load the Windows VM image:

    "/Library/Application Support/VMWare Fusion/vmrun" start "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx"

(d) Copy the LANDesk Agent into the Windows VM Environment

Once you have your Windows VM running, you’ll want to be able to manage it from your centralized LANDesk console just as easily as you can manage the Mac physical machine itself. To be able to do this, you need to deploy and load a LANDesk Windows agent onto the virtual machine. This line copies the agent from the Mac environment into the Windows VM environment:

    "/Library/Application Support/VMWare Fusion/vmrun" -gu Administrator -gp AdminPW copyFileFromHostToGuest "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" "/Users/${lastUser}/Documents/XPAgent.exe" "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"

In this script, the -gu and -gp parameters are respectively the admin username and password for the Windows VM. These must be valid credentials, or the script will not be able to authenticate to the guest and carry out the remaining steps. The path "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" is simply the path to the .vmx file on the Mac. The path /Users/${lastUser}/Documents/XPAgent.exe is the location where the LANDesk agent for Windows happens to be stored on the Mac in this example. In this case, the agent has been preconfigured in LANDesk to be a self-extracting executable installation package. The path "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe" is the destination inside the Windows VM where you would like to copy the agent (the backslashes are doubled so that bash passes single backslashes to vmrun).

(e) Install the LANDesk Agent into the Windows VM Environment

To have the agent automatically install itself, you can add a line to the script similar to the following:

    "/Library/Application Support/VMWare Fusion/vmrun" -gu Administrator -gp AdminPW runProgramInGuest "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"

This script line simply runs XPAgent.exe inside the guest. Since installing the agent requires administrator rights, the script must supply the appropriate Windows administrator credentials for the VM. Once the agent is installed, the Windows VM will appear in the LANDesk console as a device that can now be managed.

(f) Remove the Self-Extracting Agent Executable

With the agent installed, its self-extracting executable installation package is no longer needed. An additional line such as the following can be added to the script to automatically delete it from the Windows VM:

    "/Library/Application Support/VMWare Fusion/vmrun" -gu Administrator -gp AdminPW deleteFileInGuest "/Users/${lastUser}/Documents/Virtual Machines/XP/Windows XP Professional.vmx" "c:\\Documents and Settings\\${lastUser}\\Desktop\\XPAgent.exe"

(g) Packaging the Script

When you finish creating your script, you simply copy it to the /ldlogon/mac/ directory on your LANDesk core server. Then you create a distribution package for it by selecting New Macintosh package from Tools | Distribution | Distribution Packages within the LANDesk console and browsing to the location of the script file.
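
A hardened variant of the script walked through above, added here as an example and not part of the original guide or of LANDesk's documentation: it validates the console user before building paths from it, reads the guest password from an owner-only file, retries the first guest operation until the VM is ready, and stops at the first failed step. The password file path, the `RETRY_DELAY` variable, the `--deploy` flag and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example: hardened variant of the Section 8.04 deployment script.
# PW_FILE, RETRY_DELAY and the --deploy flag are assumptions of this example;
# the other paths are the ones the guide uses.
VMRUN="${VMRUN:-/Library/Application Support/VMWare Fusion/vmrun}"
USERS_DIR="${USERS_DIR:-/Users}"
SRC="${SRC:-/Library/Application Support/LANDesk/sdcache/XP}"
PW_FILE="${PW_FILE:-/private/etc/fusion-guest.pw}"   # hypothetical location
RETRY_DELAY="${RETRY_DELAY:-10}"
GUEST_USER="Administrator"
GUEST_PW=""

vmrun() { "$VMRUN" "$@"; }
guest() { vmrun -gu "$GUEST_USER" -gp "$GUEST_PW" "$@"; }

# Accept only a plain short name that has a home directory. Rejects the empty
# string, "wtmp" (what `last` prints when there is no console login), root,
# names starting with "." and anything outside letters, digits, ".", "_", "-".
valid_user() {
  case "$1" in
    ''|root|wtmp|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ -d "$USERS_DIR/$1" ]
}

# Last console user, found as in the original script, but validated before use.
console_user() {
  local u
  u=$(last -t console -1 | awk 'NR==1 {print $1}')
  valid_user "$u" && printf '%s\n' "$u"
}

# Load the guest password from a file with no group/other permissions, so the
# secret is not embedded in the script that gets packaged. vmrun still takes
# it via -gp, so it is visible in the process list while vmrun runs.
read_guest_pw() {
  [ -f "$PW_FILE" ] || return 1
  [ "$(ls -ld "$PW_FILE" | cut -c5-10)" = "------" ] || return 1
  IFS= read -r GUEST_PW < "$PW_FILE" || true
  [ -n "$GUEST_PW" ]
}

# retry <attempts> <delay-seconds> <command...>
# Guest operations fail until Windows has booted and VMware Tools is running.
retry() {
  local n="$1" d="$2"
  shift 2
  until "$@"; do
    n=$((n - 1))
    [ "$n" -gt 0 ] || return 1
    sleep "$d"
  done
}

# Copy, start, install the agent, clean up. Stops at the first failing step
# and returns a distinct code so the task log shows where it stopped.
deploy() {
  local user="$1" vmdir vmx agent dest
  valid_user "$user" || { echo "refusing console user '$user'" >&2; return 2; }
  read_guest_pw || { echo "guest password file missing or too open" >&2; return 3; }
  vmdir="$USERS_DIR/$user/Documents/Virtual Machines"
  vmx="$vmdir/XP/Windows XP Professional.vmx"
  agent="$USERS_DIR/$user/Documents/XPAgent.exe"
  dest="c:\\Documents and Settings\\$user\\Desktop\\XPAgent.exe"
  [ -f "$agent" ] || return 4
  mkdir -p "$vmdir" || return 4
  cp -R "$SRC" "$vmdir" || return 4
  [ -f "$vmx" ] || return 4
  vmrun start "$vmx" || return 5
  retry 30 "$RETRY_DELAY" guest copyFileFromHostToGuest "$vmx" "$agent" "$dest" || return 6
  guest runProgramInGuest "$vmx" "$dest" || return 7
  guest deleteFileInGuest "$vmx" "$dest" || return 8
}

# Run the deployment only when invoked with --deploy (assumed flag).
if [ "${1:-}" = "--deploy" ]; then
  deploy "$(console_user)"
  exit $?
fi
```

A non-zero exit code identifies the failed stage: 2 user rejected, 3 password file, 4 copy, 5 start, 6 to 8 the three guest operations.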

Figure 4 - LANDesk lets you create custom deployment tasks that leverage scripts

Section 8.05 Create Scheduled Distribution Task

Now that you have the three main distribution packages created, you need to create a scheduled distribution task that will deploy the packages in the following order:

• VMware Fusion will be installed
• The Windows VM will be copied and loaded onto the target Mac
• A LANDesk agent will be deployed onto the Windows VM allowing it to be easily managed by LANDesk

To do so, click the Create software distribution task toolbar button under Scheduled task. Then, from the Distribution package page, you can select a Preliminary (#1) distribution package, a Main (#2) distribution package, and a Final (#3) distribution package. For Preliminary distribution you’ll use the VMware Fusion distribution package you created. The Main distribution package will be the one you created for the Windows VM image. The Final distribution package will be the package containing the scripts.

After you select the distribution packages, you need to select a delivery method for the task, which can be any of the following:

• Push - The LANDesk core server immediately deploys and installs the packages onto the Mac, or to multiple Macs using multicast.
• Policy - When managed devices check in with the core server, the packages are automatically installed according to the policies that you define.
• Policy-supported push - Immediately pushes out the distributions according to the policies you define.
• Multicast - Enables the packages to be deployed simultaneously to multiple managed devices in a manner that minimizes network bandwidth consumption.

At this time you can also specify the devices that need to receive the distribution packages and when the task should run, which can be immediate or at a later date. Also, if you don’t want to specify the target devices at this time, you can simply save the distribution task for now.

If you look at the properties of the distribution task in the LANDesk console, it will likely appear similar to the following:

Figure 5 - LANDesk lets you create a single distribution task that uses multiple distribution packages to seamlessly install VMware Fusion, copy and load your Windows VM image, and install the LANDesk agent into your Windows VM environment

When you’re ready to execute the distribution task, you can simply drag the targeted managed Mac or Macs onto the task in the Scheduled tasks window, and then schedule the task for deployment. In just minutes from when it is deployed, VMware Fusion will be installed, the Windows VM will be loaded, and the LANDesk agent will be installed into the Windows VM environment, enabling you to easily manage both its Windows VM and Mac environments from the LANDesk console.

Figure 6 - LANDesk not only facilitates the deployment of Windows VMs, it facilitates management of Mac, Windows VM, and Windows environments

Note: In addition to being able to deploy VMware Fusion as a software distribution package, you can leverage LANDesk to simplify the creation and deployment of OS images for mass distribution to your Macs. For details on how to properly include an installed version of VMware Fusion in OS images for mass distribution, refer to section 4.01 of this guide.

Section 8.06 Facilitating Managing the VM, Your Macs, and PCs

While LANDesk® Management Suite can help you automate the deployment of the VMware Fusion Windows environment onto your Macs, its capabilities don’t stop there. Once the environment is established, LANDesk provides complete management of both environments, including the ability to:

• Remote control Macs and PCs from PCs and Macs
• Distribute software packages via push, policy, or policy-supported push
• Track software usage against purchased licenses
• Enforce patching and security compliance

Additionally, the following elements of the LANDesk solution cater specifically to the needs of organizations that plan to install Apple hardware with the intent of running Microsoft Windows as VMware Fusion guests on those machines:

OS Deployment and Profile Migration
• The LANDesk OS Deployment Wizard guides you through the entire OS deployment and migration process.
• The task scheduler automates target selection, options and schedules for automated software distribution and configuration tasks.
• Web console availability lets you manage any client from any browser that supports NTLM authentication, including Safari under Mac OS X 10.4.x or newer.
• Policy-based management uses inventory-based policies to enable automated configuration management.

Asset Inventory and Software License Monitoring
• Unified database enables easy querying, reporting, targeting and policy creation for all managed computers across the enterprise.
• Configurable inventory scanning catalogs hardware and software assets on each machine.
• Full inventory of Bluetooth devices allows for more complete identification and mapping of corporate assets.

Remote Control
• Remote control enables remote problem resolution and maintenance with high render rates and low latency.
• Update user systems from your platform of choice, as the Mac remote control client allows you to update from a PC or a Mac.

Remote Script Execution
• The ability to deploy shell scripts as applications gives you complete control over the desktop environment.

Windows Client
• LANDesk provides similar functionality for Windows platforms (physical and virtual) as it does for the Mac.

From OS deployment through remote control, patch management, software distribution and software license monitoring, LANDesk provides you comprehensive management of your Mac, Windows, and guest Windows environments. For more information, please visit www.landesk.com or call 1-800-982-2130.

Copyright © 2008, Avocent Corporation. All rights reserved. Avocent, LANDesk and Touchpaper and their respective logos are among the registered trademarks or trademarks of Avocent Corporation, its subsidiaries or its affiliated companies in the United States and/or other countries. *Other brands and names are the property of their respective owners.

Article IX. Appendix: Deploying VMware Fusion 2 with JAMF Casper Suite

This appendix describes alternative workflows to deploy VMware Fusion using JAMF Casper Suite. The entire section is provided and copyrighted by JAMF Software.

Once you have created the necessary packages, you can easily deploy the VMware Fusion application, settings, and Virtual Machines to Macs on your network using the Casper Suite. Casper offers four primary methods of distributing VMware Fusion to your managed Macs, all of which can be enabled at the same time:

• Using Casper Remote, when immediate deployments are required.
• Automatically via Casper’s Policy Engine, which allows for unattended, automatic installation when clients appear on the network.
• During the imaging process, eliminating further steps to make a computer ready for a user.
• User-initiated via the Self Service application, allowing the user to install VMware Fusion or additional Virtual Machines when they need it.

Section 9.01 Deploying VMware Fusion with Casper Remote

The Casper Remote application can be used to immediately deploy VMware Fusion and associated Virtual Machine(s) to your managed Macs. This method is best for an immediate deployment. However, it will overwrite any existing VMware Fusion installation and also requires the target system to be connected to the network.

1. Launch Casper Remote and authenticate to your JAMF Software Server (JSS).
2. In the Computers tab, select the target systems to which VMware Fusion will be deployed.
3. In the Packages tab, select the VMware Fusion installer package, the VMware Fusion settings package, and the Virtual Machine you wish to deploy.
4. Ensure that the VMware Fusion settings package has the options selected to “Fill User Templates (FUT)” and “Fill Existing User Home Directories (FEU)”.
5. In the Advanced tab, check “Update Inventory (Recon)”.
6. Click “Show plan” in the toolbar of the Casper Remote window and verify that the appropriate computers are selected.
7. Click Go to begin the installation.

Section 9.02 Deploying VMware Fusion with a Policy

Policies allow you to automatically install VMware Fusion along with a Virtual Machine onto a specific group of computers based on a certain trigger such as startup, login, or a particular timed event such as a known maintenance window.

1. Connect to the web interface of your JSS.
2. Click Management and choose Policies.
3. In the Policies window, click “Create New Policy...”
4. In the General tab, enter something like “Install VMware Fusion” as the Display Name and set the Category to “VMware Fusion”.
5. In the “Triggered by” drop down menu, choose the trigger you would like to begin the installation (“startup” is recommended).
6. In the “Execution Frequency” drop down menu, choose “Once Per Computer”.
7. Choose any days or time range where you do not want the installation process to occur.
8. Click the Scope tab and choose which computers, groups, departments, or buildings will receive VMware Fusion. It is highly recommended that in addition to a department or building you also scope the policy to a specific Smart Computer Group that is set to the minimum hardware requirements and disk space required for VMware Fusion. If necessary, limit the installation to a particular network segment. For example, you could exclude your wireless or VPN network segment to only allow the installation when the client system is physically plugged into the network.
9. In the Packages tab, click “Add Package” and choose the Install action for the VMware Fusion installation package, the settings file, and at least one Virtual Machine.
10. Click “Add Package(s)” to add the packages to the policy.
11. Ensure that the VMware Fusion settings package has the options selected to “Fill User Templates (FUT)” and “Fill Existing User Home Directories (FEU)”.
12. In the Advanced tab, check “Update Inventory (Recon)”.
13. Click the Save Policy button at the bottom of the browser window.

When a client meeting the scope criteria (group membership, network segment, department, etc.) checks in with the JSS on the specified trigger, it will automatically pull down the VMware Fusion packages and log the action to the JSS when the installation is complete.

Section 9.03 Deploying VMware Fusion During the Imaging Process

VMware Fusion can be deployed when a Mac is imaged with Casper Imaging. However, the VMware Fusion installer can only be run when the computer is booted off the primary drive. To automate this process you will need to create a script to call a policy as soon as the computer reboots. This ensures VMware Fusion is installed on the correct drive and still allows the imaging process to be automated.

(a) To create a script to trigger a policy at reboot:

1. In TextEdit, create a new file called “FirstBoot.sh” containing the following lines:

    #!/bin/bash
    #### This is a script to automatically run any policies triggered
    #### by the manual run action of "firstboot", allowing you to
    #### install packages that require the Mac to be booted to the
    #### primary boot volume.
    /usr/sbin/jamf policy -trigger firstboot

2. Save this file in plaintext and drag it into Casper Admin.
3. Double click on the script inside Casper Admin and click the Options tab.
4. Set the Priority drop down menu to “At Reboot”.
5. Click OK and save your changes in Casper Admin.

(b) Next, create a policy similar to the one above with the following changes:

1. In the General tab, set the “Triggered by” drop down menu to “other” and enter “firstboot” in the run action field.
2. In the Execution Frequency drop down menu, choose “Ongoing” to allow the option to install VMware Fusion again if the computer is ever re-imaged.
3. In the Scope tab, you can choose “Assign to All Computers” as the deployment will be specified with a configuration in Casper Admin or at image time with Casper Imaging.

(c) Finally, to deploy VMware Fusion when imaging you have two options:

1. Drag the FirstBoot script into the desired configuration in Casper Admin so as to be automatically applied to any Mac imaged with that configuration.

OR

2. When using the Casper Imaging application, click the Scripts tab and select the FirstBoot script. Ensure it is set to run At Reboot.

Section 9.04 Deploying VMware Fusion with the Self Service Application

By configuring a policy to be triggered by Self Service, your users can install VMware Fusion and Virtual Machines on demand without assistance from IT. This offers the flexibility of also allowing the users to choose exactly when the installation will occur, as well as allowing them to reinstall a corrupt Virtual Machine or upgrade to a new one.

(a) Create a Self Service policy for the VMware Fusion application:

1. Connect to the web interface of your JSS.
2. Click the Management tab and choose Policies.
3. Click “Create New Policy...”
4. In the General tab, enter something like “Install VMware Fusion” as the Display Name and set the Category to “VMware Fusion”.
5. In the “Triggered by” drop down menu, choose “None (or Self Service Only)”.
6. In the “Execution Frequency” drop down menu, choose “Once Per Computer”.
7. Choose any days or time range when you do not want the installation process to occur.
8. Click “Scope” and choose which computers, groups, departments, or buildings will receive VMware Fusion. You will still want to make special note of the scoping options to ensure only appropriate computers are able to install the software.
9. Click “Self Service” and choose Allow this Policy to be used for Self Service.
10. Enter a brief description of the VMware Fusion application along with the current version you are deploying.
11. Click “Choose File...” and locate an icon to represent VMware Fusion. This icon can be a PNG, JPEG, or ICNS file. (You can find the actual icon file in /Applications/VMware Fusion.app/Contents/Resources/fusion.icns) Upload the selected file and you will be returned to the Self Service tab.
12. If you would like this policy to appear on the first page presented to the user when they launch the Self Service application, click the box next to “Feature this Policy on the Main Page”. Otherwise choose “Display” and/or “Featured” for the policy to appear in the VMware Fusion category inside the Self Service application.
13. In the Packages tab, click “Add Package” and choose the Install action for the VMware Fusion installation package and settings file.
14. Click “Add Package(s)” to add the packages to the policy.
15. Ensure that the VMware Fusion settings package has the options selected to “Fill User Templates (FUT)” and “Fill Existing User Home Directories (FEU)”.
16. In the Advanced tab, check the box next to “Update Inventory (Recon)”.
17. Click “Save Policy” at the bottom of the browser window.

(b) Create a Self Service policy for a VMware Fusion Virtual Machine:

1. Connect to the web interface of your JSS.
2. Click “Management” and choose “Policies”.
3. Click “Create New Policy...”
4. Click “General” and enter something like “VM-Windows XP” as the Display Name and set the Category to “VMware”.
5. In the “Triggered by” drop down menu, choose “None (or Self Service Only)”.
6. In the “Execution Frequency” drop down menu, choose “Ongoing” to allow users to reinstall the Virtual Machine if necessary.
7. Choose any days or time range when you do not want the installation process to occur.
8. Click the “Scope” tab and choose which computers, groups, departments, or buildings will receive the Virtual Machine. You will still want to make special note of the scoping options to ensure only appropriate computers are able to install the software. If you are deploying a Virtual Machine that requires a specific version of VMware Fusion, be sure to consider that selection criteria in the Smart Computer Group along with available disk space. If you are introducing a new virtual machine to your environment, you can simply create a Smart Computer Group containing only those computers that have VMware Fusion already installed.
9. Click Self Service and choose Allow this Policy to be used for Self Service.
10. Enter a brief description of the Virtual Machine you are deploying.
11. Click “Choose File...” and locate an icon to represent the virtual machine. This can be in the format of a PNG, JPEG, or ICNS file. Upload the selected file and you will be returned to the Self Service tab.
12. If you would like this policy to appear on the first page presented to the user when they launch the Self Service application, click the box next to “Feature this Policy on the Main Page”. Otherwise choose “Display” and/or “Featured” for the policy to appear in the VMware Fusion category inside the Self Service application.
13. In the Packages tab, click “Add Package” and choose the Install action for the Virtual Machine.
14. Click “Add Package(s)” to add the packages to the policy.
15. In the Advanced tab, check “Update Inventory (Recon)”.
16. To ensure this Virtual Machine is listed in the Virtual Machine Library once installed, enter the following command in the “Run Unix Command” field of the Advanced tab (this assumes that the Virtual Machine is located at “/Users/Shared/VM/Windows XP Professional”):

    defaults write com.vmware.fusion VMFavoritesListDefaults2 -array-add '{name = "Windows XP Professional"; path = "/Users/Shared/VM/Windows XP Professional.vmwarevm";}'

17. Click Save Policy at the bottom of the browser window.

When users launch the Self Service application, they will be presented with the VMware Fusion and Virtual Machine policies and can install them without local administrator rights to their computer.