About allowing incoming connections to PMM Agent

Discussion in 'Parallels Mac Management for Microsoft SCCM' started by ParallelsU61, Mar 28, 2017.

  1. ParallelsU61

    ParallelsU61 Bit poster

    Messages:
    9
    Hi from France.
    The documentation tells that we have to allow incoming connections to PMM Agent.
    My first question is : why (is it a requirement) ? And more subtle, my second question is : when (does it become a requirement) ?
    For the first question, my wish would be that only ascending connections from the client to the proxy occur.
    I have to admit that with a MDM managing Mac, this is possible due to the APNs centerpiece. OK.
    But for the second question, I need to know when allowing incoming connections becomes a requirement. Explanation.
    In my workflow, I have a Configuration Item (configuration profile created with Profile Manager) that starts the Firewall without explicitely allowing connections to PMM Agent (default configuration of the Firewall).
    We should not have to do this setting if the binary was signed (like the McAfee Agent for example).
    Then as soon as my Mac is enrolled in PMM, a package containing multiple scripts is planned to install silently and you guessed it, one of these scripts is responsible to configure the Firewall so incoming connections are allowed to the PMM Agent (and possibly other pieces of non-signed software).
    So it is a 2 steps configuration.
    The reason I asked this question is that in my actual implementation, the packages are hardly installed on the Macs (Baseline installation is ok). Waiting an hour does not make the trick, clicking on the "Connect" button almost constantly drives to a time out (but sometime it works). The beginning of an explanation could be that the Firewall needs to allow incoming connections to the PMM Agent as soon as the Mac is enrolled. But because I don't know why the Proxy may need to contact the Agent to "push" a package (even if the Agent pulls the package), I don't want to find a solution to implement the incoming connections authorization in the Profile Manager configuration profile (I tried to install the PMM Agent temporarily on the Mac but the Profile Manager GUI does not show the PMA Agent as an application to be added to the Firewall exceptions).
    Best regards.
     
  2. Yury Averkiev

    Yury Averkiev Program Manager Member

    Messages:
    73
    Hello, nothing has changed with regards of the Client and firewalls, the current design remains the same since v1.0. Bi-directinal communication is requirement between Proxy and Parallels Mac client. If I'm not mistaken, there is the same requirement when Windows client communicates with SCCM:
    - PMM Proxy pushes policies in response to requests from clients.
    - Push commands from SCCM console require an ability to establish connection to Parallels client on a Mac.
     
  3. ParallelsU61

    ParallelsU61 Bit poster

    Messages:
    9
    Hi. I have edited the Configuration Profile (integrated to the default Baseline) so the pma_agent.app is allowed for incoming connections. We are able to telnet the Mac on their port 8000 from the Parallels Proxy before the Baseline is installed (before PMM registration, Firewall OFF) and after the Baseline is installed (after PMM registration, Firewall ON). Best regards.
     

Share This Page