Hi folks, I’m back! The past two weeks our newborn son claimed all my time and energy, so no way I could focus on any tech-related matter 🙂
To get back into the blogging activity, let’s start with something easy, yet very handy for those who are regularly testing MDM deployments.
Automated MDM Enrolment and VMware Fusion: configure a virtual machine to behave like one of your “DEP” devices. This is nothing new, but from time to time I talk to people who are not aware of the possibility, so let’s have a look at how to do this.
Note: Apple recently changed the name of what we all know as “DEP” to “automated MDM enrolment”, so let’s start to embrace this name change.
For this blog I’ll limit this tutorial to VMware Fusion. The workflow for Parallels Desktop follows the same idea but differs in the details because of how Parallels works. I’ll confirm my workflow with Parallels and add another post with the Parallels workflow later.
Pre-reqs:
- Serial number of a device which is listed in your Apple School/Business Manager: e.g. C02N49ZVXXXX
- Model number of the device: e.g. MacBookAir6,1
- VMware Fusion installed on your Mac. (I’m currently using Fusion 11, but I’ve used v10 with the same workflow before.)
- App Store download of the macOS installer (Mojave OK)
- VMware Fusion: Download the trial here.
So, let’s go! First we’ll create our VM:



DO NOT hit “Finish” right now! Clicking “Finish” here would start the VM immediately, and we need to change some items in the .vmx file before the first boot of the VM. Go via “Customise Settings” instead.





Before starting the VM for the first time, we need to tweak the .vmx file of the virtual machine. Navigate to the location where you saved the VM and ctrl-click on the VMware file. Choose “Show Package Contents”.

Locate the .vmx file and open it in your preferred text editor.


Add the following lines to the .vmx file. Replace the serial number and the model number with those of a physical device (a test device listed in your Apple School/Business Manager).
! Make sure not to make any typos and don't leave any empty lines. (VMware will change the order of the lines on next boot, hence empty lines will break the config file.) !
serialNumber.reflectHost = "FALSE"
serialNumber = "C02N49ZVXXXX"
hw.model.reflectHost = "FALSE"
hw.model = "MacBookAir6,1"
smbios.reflectHost = "FALSE"
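The warning about typos and empty lines can be checked mechanically before the first boot. The linter below is an added example, not part of the original post: `lint_vmx` is a hypothetical helper, its checks for curly quotes and duplicate keys are assumptions about common copy-paste errors, and the sample file content is constructed.

```python
import re

# The five keys the post adds. The .reflectHost ones must be FALSE so the VM
# reports the values from the file instead of mirroring the host Mac.
REQUIRED = ("serialNumber.reflectHost", "serialNumber",
            "hw.model.reflectHost", "hw.model", "smbios.reflectHost")
PLACEHOLDER_SERIAL = "C02N49ZVXXXX"      # the post's example value
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"
ENTRY = re.compile(r'^\s*(\S+?)\s*=\s*"(.*)"\s*$')


def lint_vmx(text):
    """Return a list of problems in .vmx text; an empty list means clean."""
    problems, seen = [], {}
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # one trailing newline is normal
    for n, line in enumerate(lines, 1):
        if not line.strip():
            problems.append(f"line {n}: empty line")
        elif any(q in line for q in CURLY_QUOTES):
            problems.append(f"line {n}: curly quotes instead of plain ones")
        elif line.lstrip().startswith("#"):
            continue                     # comment line
        elif not (m := ENTRY.match(line)):
            problems.append(f'line {n}: not of the form key = "value"')
        elif m.group(1) in seen:         # e.g. the block was pasted twice
            problems.append(f"line {n}: duplicate key {m.group(1)}")
        else:
            seen[m.group(1)] = m.group(2)
    for key in REQUIRED:
        if key not in seen:
            problems.append(f"missing key {key}")
        elif key.endswith(".reflectHost") and seen[key].upper() != "FALSE":
            problems.append(f"{key} must be FALSE, found {seen[key]!r}")
    if seen.get("serialNumber") == PLACEHOLDER_SERIAL:
        problems.append("serialNumber is still the post's example value")
    return problems


# Constructed sample: an empty line, a curly-quoted value, no
# smbios.reflectHost line, and the unedited example serial number.
BAD = ('.encoding = "UTF-8"\n'
       'displayName = "mojave-test"\n'
       '\n'
       'serialNumber.reflectHost = \u201cFALSE\u201d\n'
       'serialNumber = "C02N49ZVXXXX"\n'
       'hw.model.reflectHost = "FALSE"\n'
       'hw.model = "MacBookAir6,1"\n')

if __name__ == "__main__":
    for problem in lint_vmx(BAD):
        print(problem)
```

To check a real VM, read the .vmx file from inside the VM package and pass its text to `lint_vmx`.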
Save the file and start your VM:

Next, install macOS as usual:




After installing macOS, when you are presented with the “Welcome” screen, you need to power off / shut down the virtual machine. This is necessary to keep the serial number in the configuration.

After shutting down the VM, you can prepare your MDM to handle the “Automated MDM Enrolment”. For Jamf Pro: create a “prestage enrollment” and add the serial number to the scope.
Note: before starting your virtual machine again, create a snapshot! This will allow you to quickly and efficiently test your enrolment workflows over and over again, without re-installing macOS (or creating new VMs).
MDM (Jamf Pro Prestage), and snapshot ready? Launch your VM again!

Have fun testing your enrolment workflows, even when on the go, without the need of a physical test device! Deploy, test, restore, change!
That’s all folks! I’ll now test and confirm my Parallels Desktop workflow and share similar steps asap!
grtz,
TTG
Hi,
It is me again Peder – quite funny you just have some stuff written that I am struggling with at the moment
I followed the exact description. The VM has the serial and hardware model of my other machines, so everything looks correct (and removed my other machine from JAMF mdm if there is any conflict that already exists). But when trying to enroll the device it just shows up “profile installation failed” MDMresponsestatus 500 error
I have found various description on how to solve this but not yet managed to get this working even the hardware and serial number is recognized as a real mac
just have to add doing user initiated enrollment – not dep
Hi Peder! What VM software are you using? Parallels? Fusion? And which version?
Have you checked if there is a [NO Name] device appearing in the inventory of MOBILE devices in Jamf Pro?
Hi,
Thank you so much!!. I removed the “no name” devices in mobile devices and now it works. I have not seen anyone mention this as it for me also sounds a bit strange it is placed in “mobile device” and not computers.
Awesome! Yeah, the fact that the devices tried to enroll as mobile device might have been due to one of your previous test where the serial number and model might not have been recognized correctly. Hence it tries to enroll as mobile device which confused Jamf Pro. Once those are removed and the VM is correctly recognized as Mac it works.
How do I add the virtual machine to the prestage enrollment? – I try to go to business manager, but unable to add a serial manually
Can It be added direct in jamf somehow?
Hi Peder. You can’t. Device serial numbers can only be added to DEP at purchase by Apple or by your reseller post purchase if they participate in DEP and if the device was purchased after 1st of March 2011.
For virtual machines you will need an existing DEP serial number which you add to the config of the VM as explained in my post.
Hence the VM will behave like the physical DEP machine. No way to add a virtual serial number or any other non DEP serial number to DEP. Not in business manager, not via any other way (Jamf).
Hi, Thank you for your guide!
I am in the process to test our jamf cloud trial with your solution.
I tried this guide and installed vmfusion 11.5 and created a vm with mojave how you described.
The DEP doesn’t recognize the machine whether my serial number and the model I entered in the vmx file. When I start the VM and check the “about this mac” the serial number is displayed with the “” and the model type I entered in the vmx file “MacBookPro15,1” is displayed only as Mac.
From my tests with the physical MacBook i know, that my mdm setup works.
Hi Jacek, this could be either a typo or an orphaned blank line in the vmx file or the fact that VMware did not keep the serial number. The steps with shutting down the VM at precise moments in the guide have to be respected exactly as described.
Hi,
Does this awesome description that you have done also apply for Catalina, cause I can’t get it to work? I am running VMware Professional Version 11.5.1 (15018442). mdm Jamf version 0.15.1-t1569637051. Verified that the iMac serial is in ASM, synced down to the Jamf on premise and got its Prestage Enrolment set. Restarting the VM after been shutdown and done the snapshot and rebooted the VM starts as a Mac not connected to any mdm. Any ideas would be appreciated.
/Gandalf
Hi Micke,
Yes, I just tried again to be 100% sure and it works like a charm.
If you did take the step about customizing the VM into account, as well as shutting down the VM after it installed the OS (when you see the window to select the Country) all is fine.
Shut down, restart, take a snapshot and it offered me the Remote Management.
Make sure you have no empty lines in your VMX file when you add the additional keys (and no typos).
I can always have a look at the .vmx file if you want.
Brgds, TTG
I just followed this process to build our new Catalina (10.15.2) template VM, which works like a charm.
One question though, have you ever run into issues utilizing the snapshot when testing Pre-stage enrollments? We’ve been seeing some weirdness that closely resembles the weirdness that using `tmutil makelocalsnapshot` creates, like stale Pre-Stage Enrollment profile usage. I’ve noticed I need to use my pre-install snapshot every time I’m testing a PSE Profile, as opposed to what I was doing which was post-install, right before Country selection/DEP Enrollment.
What brought this to light was trying to test the new Enrollment Customization feature in Jamf, and even when I deleted the Customization, and assigned my device to our Dev server, I was still getting the PSE Profile with the Enrollment Customization. It wasn’t until I did a completely clean install that it forgot the customization.
Hi Neil. Yes, from time to time it happens. I always take the VM snapshot at the first screen where you select the language. Doing so, it seems to give consistent result in the majority of my cases. Even when changing prestage assignment. Any snapshot taken at a further point in the setup assistant keeps the prestage. However, I have seen it from time to time but in most cases hitting “reset VM” fixes it. If not I spin up a new VM, which takes 5 minutes via the vFuse script. Apart from that, I do see some inconsistencies when using prestage enrolment on a vFuse / ESXI VM with Catalina. Doesn’t seem to happen on Fusion VM’s. E.g. skip account creation not being honored.
Hi,
I have been trying to get things to work but it fails with ‘unable to create the installation medium’ after adding Catalina app. I tried following other articles to solve this issue but it still fails, I tried moving the app from Application to Home screen, downloaded from app store and ejected from disk utility but nothing helps.
Only iSO file works. Will there be any difference if I use iso and not the app file directly?
Just reboot your Mac once 🙂 should fix it.
Thank you for this fantastic guide, it worked as advertised. We are working remotely and this will enable us to test DEP, Prestage Enrollment, bootstrap tokens, etc. over the VPN. Great stuff!
I just have to say how grateful I am for stumbling across this tutorial. I’ve tried everything to get this to work and your guide was the one thing that worked!
Cheers Mate!
Hi Matthew! Happy it was useful! cheers!
I am pretty sure I followed the steps exactly as you laid out… edited the .vmx file before the initial OS install by pasting those lines with the appropriate values at the end of the file.
However, I am having trouble getting it to the PreStage page. It goes directly to “Data & Privacy” and the rest of the macOS basic setup.
I noticed the following alert when I booted the Catalina VM:
Value ” “False”” for variable “smbios.reflectHost” is not a valid boolean value.
Using value “False”.
Value ” “False”” for variable “serialNumber.reflectHost” is not a valid boolean value.
Using value “False”.
Value ” “False”” for variable “hw.model.reflectHost” is not a valid boolean value.
Using value “False”.
Do these alerts raise any concerns?
To add, the serial numbers are in ABM DEP and assigned to a Prestage deployment in Jamf.
I get the following error after the remote management screen
“Unexpected error MDMResponseStatus: 401”
Must be something wrong with the .vmx file… jamf not accepting the enrolment. Either blank line, model, serial, …
Hi,
What an excellent guide!
But I do have a question – what about when using “Windows 10”
Is there something similar that can be used?
Thanks for your reply.
Apple’s Terms and Conditions only allows macOS to be virtualized on Apple hardware.
Hi,
Thanks for your reply. But I think I may not have been clear about what I was asking. Let me retry, if you don’t mind 🙂
I am referring to running a Windows 10 (or Linux) VM in VMware Fusion. Is there a similar tweak to change these values (serial nr, manufacturer, hw model)?
Thanks in advance for your reply
Oh! Yeah sorry for the confusion. To be honest, never tried that as I don’t do anything related managing Windows or Linux computers. I only use those as tools or servers.
Great guide! Thanks! I have a question though! How come we need to set the serial number to successfully enrol into Jamf? I don’t have to do this with other MDM providers, what is the technical reason behind it? I would love to know
That is only needed for automated enrolment. Not needed in Jamf for manual enrolment either, but there is no way other MDM providers can auto enrol a device without serial number. The device, even a VM, contacts Apple servers during the setup assistant. If the serial number is recognized as being listed in Apple Business / School Manager, the device is instructed to contact the linked MDM server. Without serial this is impossible.
The other keys are necessary for Jamf to identify the VM as a Mac however, but serial is not needed for manual enrolment.
Hi from France. Did you succeed to build a DEP enabled macOS 11 VM running under macOS 11 / VMware Fusion 12 ? The VM itself runs, it displays the targeted serial number but I don’t have Remote Management at Setup Assistant and profiles show -type enrollment returns Error fetching Device Enrollment configuration : Client is not DEP enabled.
Hi Frank. Since Catalina I ended up not using VM’s much anymore. I need to test too much things where VM’s proved to be unreliable… custom enrolment, Jamf Connect, skipping or showing prestage screens,…
But for the fun of it, I’ll give it a try
Hi Frank!
Got it working, by doing exactly what is described in this post. The only problem I had was that I got the error message saying “failed to create installation medium” when selecting the installer. I had to create an ISO manually in Terminal instead of using the installer, and use that to create the VM. I’ll add that to a new blog post, but it’s a known issue with Fusion at the moment it seems.
Next all was fine. Make sure to select ‘customise the VM’ to avoid it auto starts after initial creation. Then change the .vmx file before first boot, and when you reach the first screen where you select your country shut it down again before proceeding in the Setup Assistant.
Final thought: make sure your VM Ware Fusion network is set to ‘Bridge’, not NAT, to avoid double-NAT as this made mine skip the Remote Enrolment.
That all said, it works fine:
Hi. I’m building another one and I write all the steps. At the step “After installing macOS, when you are presented with the “Welcome” screen, you need to power off / shutdown the virtual machine. This is necessary to keep the serial number in the configuration.”, is there anything specific you do ?
Just “shut down” from the Virtual Machine menu. Nothing more. Apart from that make sure the .vmx file is 100% correct, no empty lines etc…
Hi.
So I’m one step further. For the first time it works after a significant change. I associated the serial number to the targeted ABM virtual MDM and to the targeted DEP profile even before building the VM. And there I have the Remote Management pane. Previously I was building the VM whereas those 2 actions were not done. But there’s an issue. I moved the serial number to another ABM virtual MDM / DEP profile and the VM still offers to enroll to the first MDM (whereas the bootstrap profile currently stored at Apple points correctly to the second one). That suggests that in the process of building the VM, the DEP profile, reachable or not reachable is stored locally and is very persistent. Something I never had using AutoDMG + vfuse because it was a “never booted” VM. When you build yours, was your serial number associated to your Jamf Pro / Prestage enrollment while building ?
Hi Frank, yes the serial number was already assigned to a prestage prior to creating the VM. Just like with physical machines you need to make sure that the machine does not proceed past the initial ‘select your country’ screen before the prestage is correctly synced. On physical machines you still need to connect to the wifi but if you are using ethernet, or here with a VM, the Mac is already talking to Apple when you start the setup assistant. That makes the VM pick up the assigned prestage IMO.
https://travellingtechguy.blog/macos-big-sur-on-vmware-fusion-12/
Hi. Ok, that is what I thought. In the above article (not the new one), you wrote : “After shutting down the VM, you can prepare your MDM to handle the “Automated MDM Enrolment”. For Jamf Pro: create a “prestage enrollment” and add the serial number to the scope.”. That’s the reason why I was hoping that it was somewhat possible to build a VM which would be used with any combination of MDM / DEP Profiles like I had before. So I guess that now (until I have an alternative to Auto-DMG/vfuse), I need one VM for each combination of MDM / DEP Profile I need. So it’s a regression for my testings. But I will do with that. Thank you for your insights ! Franck
Yeah, in the past I made a snapshot at the select country screen… but I think you are 100% right on the fact that VM’s don’t really play nice with re-assigning the prestage. However, you can reset it on a physical Mac… never tried it on a VM: https://grahamrpugh.com/2020/02/21/resetting-dep-without-reinstalling.html
Hi Frank, Thank YOU for making me rethink something. I added ‘disconnect the network connectivity’ in my new article! This should allow you to take a snapshot and re-assign the VM to another pre-stage before enabling connectivity again. I updated the new article: https://travellingtechguy.blog/macos-big-sur-on-vmware-fusion-12/
Check in JAMF, and make sure there is no identical machine entry under Devices.
I saw in Terminal the same error message as you in when I tried to run our JAMF QuickAdd.pkg on a new MBP.
Thanks to a tip shown in above comments, I found the MBP was somehow also listed under ‘Devices’ in JAMF, so deleted that, and it now enrols correctly.
above for @mastervodawagner
Hi TTG,
If the physical device is already enrolled in jamf via user initiated enrolment , will the prestage enrolment screen will appear as per your guide ?
I tried twice, still the prestage screen isn’t loading for me. I’m not sure what I’m missing
Hi Bala. Yes, I have done that multiple times. Jamf Pro does not identify devices based on Serial Number. Jamf Pro uses UDID to uniquely identify devices. UDID of each device is unique and so it is for VMs so the VM will have same serial but different UDID and be “another” device in Jamf.
Hi TTG,
I was able to get it work after second install . Nice blog this is .
Awesome! Thank you!