For end-users, activating their copies of Parallels Desktop for Mac Enterprise Edition is much easier by signing in with their usual set of corporate login credentials. If your organization already runs an identity provider service (e.g., Microsoft Entra ID, Okta, or Ping Identity), you can benefit from the Single Sign-On (SSO) activation method by setting up the integration. This method has the added benefit of automatically disabling the licenses of employees leaving your organization, freeing up their quota.

This chapter represents a migration plan that will not affect your existing per-device (license key) activations while you continue to run them in parallel with the new per-user (SSO) test group.

If your current Parallels Desktop for Mac deployment uses the license key activation method but you would like to switch to SSO, follow these steps:

Step 1: Setup

At this stage, your goal is to set up the integration between Parallels and your identity provider (IdP) and validate that it works for your test group. Once this goal is achieved, you can make the SSO activation method default for all new users of Parallels Desktop for Mac in your organization.

Start the integration process on this page of Parallels My Account and follow the instructions from this chapter.

Throughout this process, your new SSO setup will not affect your existing users of Parallels Desktop for Mac.

Step 2: Testing and Enabling for New Users

Download a copy of Parallels Desktop for Mac on a computer that doesn't have it and attempt to activate it using the SSO method. Make sure to allow Parallels Desktop access to the Downloads folder.

Alternatively, choose an existing non-critical Parallels Desktop seat, deactivate it using the following Terminal command:

prlsrvctl deactivate-license,

restart Parallels Desktop, and try to activate again using SSO. Expand the test to a small group of users.

Once everything is successfully tested, you can either:

• Update your company's documentation to instruct all new users to activate via SSO only or

• If you have a Mac management tool, deploy a configuration profile to all new Macs that forces the SSO login window to pop up at the app launch until it has been activated.

Step 3: Migration

Once you have successfully completed the previous steps, it's time to expand the SSO activation to your organization's wider Parallels Desktop user base. Start by proactively notifying them of the upcoming switch to per-user (SSO) activation. Your email may also suggest the following steps:

1. Making sure their copies of Parallels Desktop have been updated to version 20.1.0 or newer;

2. Opening the Parallels Desktop Control Center and using the Parallels Desktop drop-down menu in the macOS menu bar to open the Account & License... window;

3. Using the Continue with SSO option in that window (bottom left corner).

However, there will always be users who routinely ignore such emails. If you have a Mac management tool at your disposal, you could force selected users to re-activate with SSO by following these steps:

1. Update all Parallels Desktop for Mac seats to version 20.1.0 or newer;

2. Execute the following commands:

prlsrvctl deactivate-license

sudo -u $(stat -f%Su /dev/console) defaults write "com.parallels.Parallels Desktop" ActivationExperience -string "sso"

sudo -u $(stat -f%Su /dev/console) defaults write "com.parallels.Parallels Desktop" "isSSOExperienceForced" -bool FALSE

Step 4: Monitoring Progress

You can monitor per-user (SSO) activations using the following path in Parallels My Account: click on the Business Profile link in the top-right corner. On that page, click on the Users (N) link, also in the top-right corner. From the first drop-down menu, select the Users: With product licenses option. The resulting list will contain all the Parallels Desktop users who have activated their copies using SSO.

Continue to monitor the user count on this page for the next few weeks to ensure progress.

The steps that you, as the system administrator, need to take to migrate your Parallels Desktop for Mac Business Edition setup to Enterprise Edition depend on the type of activation in your existing Business Edition setup:

• Per-device, when you activate a copy of Parallels Desktop on each individual Mac using a sublicense key that you have created in Parallels My Account or

• Per-user, when each user activates their copy of Parallels Desktop by signing in with their corporate credentials using the standard SSO procedure via your organization's identity provider.

Organizations with existing per-device Business Edition licenses

If your existing Parallels Desktop setup is activated on a per-device basis using license keys, you will have to take the following steps:

1. Contact your sales representative using Parallels My Account and purchase an upgrade;

2. Ask them to convert your existing Business Edition license to an Enterprise Edition one (the recommended path). If your organization has multiple Business Edition licenses, tell your sales representative which one to convert.

3. Make sure the name of the license in My Account has changed from Business to Enterprise;

4. [OPTIONAL] Configure Golden Images using the Parallels Management Portal;

5. [OPTIONAL] Set up or verify the existing sublicenses and configure or reassign policies accordingly;

6. Make sure that all Parallels Desktop for Mac users in your organization have upgraded to at least version 20.1.0 or newer to enable communication with the Management Portal;

7. Verify that all your end-user installations remain activated;

8. Check the monitoring tab in the Management Portal and see it populated with virtual machines on your network.

As a result of this:

• The Business Edition product card of your choice on your My Account page will change to an Enterprise Edition product card, while the Enterprise Edition trial license will be suspended;

• You will not have to reactivate your end-users' copies of Parallels Desktop for Mac unless you have decided to split them into groups using sublicense keys (step 5 above);

• Your Golden Images from the trial license will be saved and offered to the users on your new Enterprise Edition license.

[NOT RECOMMENDED] Converting a trial Enterprise Edition license to a permanent one with an existing Business Edition per-device setup

This is not a recommended scenario. However, if you choose it, you will need to follow these steps:

1. Contact your sales representative using Parallels My Account and purchase an extension;

2. Explicitly tell them that you wish to convert your trial Enterprise Edition license to a permanent one. Your Business Edition users will remain activated with their Business Edition license;

4. [OPTIONAL] Configure Golden Images using the Parallels Management Portal;

5. [OPTIONAL] Configure or reassign policies to groups according to your preferences;

6. Make sure that all Parallels Desktop for Mac users in your organization have upgraded to at least version 20.1.0 or newer to enable communication with the Management Portal;

8. Verify that all seats have been activated;

9. Check the monitoring tab in the Management Portal and see it populated with virtual machines on your network.

As a result of this:

• The Enterprise Edition trial license product card on your My Account page will be replaced with the permanent license card;

• You will not have to manually migrate all the users to the new setup and activate their licenses (Step 7 above);

• Your Golden Images from the trial license will be saved and offered to the users on your new Enterprise Edition license.

Organizations with existing per-user Business Edition licenses (SSO)

If your existing Parallels Desktop setup is activated on a per-user basis (SSO activation), you will have to take the following steps:

1. Contact your sales representative using Parallels My Account and purchase an upgrade;

2. Make sure that all Parallels Desktop for Mac users in your organization have upgraded to at least version 20.1.0 or newer to ensure communication with the Management Portal;

3. Make sure the name of the license in My Account has changed from Business to Enterprise;

4. [OPTIONAL] Configure Golden Images using the Parallels Management Portal;

5. [OPTIONAL] Your SSO setup in the Business Edition license did not involve multiple user groups. If you would like to benefit from the flexibility it provides, follow the instructions in this chapter;

6. Verify that all your end-user installations remain activated;

7. Check the monitoring tab in the Management Portal and see it populated with virtual machines on your network. The end-user copies of Parallels Desktop for Mac refer to the server to verify their licenses every seven days. If you would like your users to reactivate their copies sooner, you could use your device management solution to run this command remotely:

prlsrvctl deactivate-license

As a result of this:

• The Business Edition product card of your choice on your My Account page will change to an Enterprise Edition product card, while the Enterprise Edition trial license will be suspended;

• Your end-users' copies of Parallels Desktop for Mac will eventually get in touch with the server and update their licensing information (Step 7 above);

• Your Golden Images from the trial license will be saved and offered to the users on your new Enterprise Edition license.

What will happen with password protections

What will happen with configuration profiles

Your new setup will continue to respect any policies (like a specific local update server or policy or default virtual machine image) delivered via configuration profiles. However, this functionality will be removed in the future. For all new setups, we strongly recommend making the best use of the Parallels Management Portal's functionality.

For virtual machine images, the Management Portal currently supports providing one for Intel Macs and one for Apple Silicon Macs. In the future, as we remove support for configuration profiles, we will introduce support for providing multiple virtual machine images for each architecture, and you will be able to target specific user groups with each one.

Blocking major Parallels Desktop version upgrades can currently be achieved via the Policies section of the Parallels Management Portal.

There are three main ways to install Parallels Desktop: manually, via email invitations, and as part of a mass deployment procedure.

As an organization, you can choose what type of license you want to use: a per-device one where you activate each individual installation with a product key, or a per-user (available later in Fall 2024) one that requires signing in with SSO.

To learn more, we suggest that you read Parallels Desktop Licensing Guide

Manual Installation

1. Download the installation image from here;

2. Use your license key from your My Account dashboard to activate.

Installation via Email Invitations

You can invite users to install Parallels Desktop directly by sending out group emails. Do the following:

1. In your My Account dashboard, go to the Parallels Desktop Enterprise Edition card and click on Invite Users;

2. Choose one of the license keys/subkeys available for the product and click Next;

3. Fill out the fields in the invitation window:

   1. Choose the language of inviation;

   2. Set the expiration (between 3 days and 1 month);

   3. Add individual email addresses to the group using the Add button, or use the Select File button to add a CSV list instead;

   4. Click Send Invitations.

As a result of this procedure, your users will receive an email that looks like this:

Mass Deployment of Parallels Desktop

To learn about the mass deployment procedure using MDM solutions, refer to this section of the guide.

When you purchase a Parallels Desktop Enterprise Edition license, you must register it with a Parallels Business Account to activate Parallels Desktop installations with it.

To create a Parallels Business Account, go to this page and select the I am a new user option. Once you log into your customer dashboard, select the Register Key option in the top-right corner. Enter your purchased key, add a display name, and click Register.

The information about your Parallels Desktop Enterprise Edition license and setup will appear in your dashboard, and you can proceed with the deployment process.

In large organizations with multiple Macs, there may be groups of Parallels Desktop users with very different needs in terms of capabilities and restrictions, from a software engineer who develops for multiple platforms and needs a dozen virtual machines to test every possible scenario to a back-office staff who would benefit the most from Single Application Mode.

The best way to maintain flexible arrangements is by dividing users into groups, each of which would require a sublicense. To create a sublicense, follow these steps:

1. Go to Parallels My Account and select Dashboard in the top-right corner;

2. In your Parallels Desktop Enterprise Edition card, click on the Subscription Renewal line;

3. Scroll down to the License Keys card and click Create License Key in its top-right corner;

4. Click on the key name at the top and change it to reflect the name of the group;

If you want your users to activate their copies of Parallels Desktop for Mac using license keys, you could send them invitations to activate, which will contain automatically generated individual activation keys. To do that, use the Invite Users button on the product card in Parallels My Account.

If you want to group Parallels Desktop for Mac installations, activating them with sublicense keys is not the only way. If your organization uses an identity provider (e.g., Microsoft Azure/Entra ID or Okta), you could benefit from creating user groups in your identity provider and mapping them to Parallels Desktop sublicense keys, benefitting from groups with custom policies and restrictions. Learn more here.

Integration between Parallels My Account and corporate Identity Providers (IdP) like Microsoft Entra ID, Okta, or Ping Identity enables Single Sign-On (SSO) login to Parallels My Account and automatic provisioning and revocation of Parallels product licenses to end users in your organization. The organization’s business account admins can log into using their company's standard authentication procedure, while the end-users can activate Parallels products on their devices via Single Sign-On.

Even if your organization does not use Parallels Desktop for Mac Business or Enterprise Edition, you may benefit from the SSO integration with My Account. Such integration provides more control over the users with administrative access to the Parallels product licenses stored in the organization’s business account registered with Parallels.

Once the integration is configured, you can grant access to the organization’s business account to administrators by adding them to the Parallels Business Account Admins group in your Identity Provider’s directory. At the same time, deleting or blocking an administrator account in your Identity Provider automatically deprives them of access to Parallels My Account.

In this section, we provide detailed instructions on how to set up the SSO integration with Microsoft Azure/Entra ID, Okta, and Ping Identity. Even if your corporate identity provider is not on the list, you can still try setting up the integration, provided your service of choice supports SAML 2.0 and SCIM 2.0 protocols.

Once the integration is completed, the administrators will be able to sign into the company's My Account page using the Continue with SSO button at , while the Parallels Desktop for Mac users will be able to activate their local copies of the app using the SSO option.

This section explains everything you need to know to start using Parallels Desktop Enterprise Edition as quickly as possible.

You can read about each individual step in the respective chapters of this section, but the overall outline is:

1. Register your license using your .

   Your license must be registered to a Parallels Business Account before it may be used to activate Parallels Desktop. Registration is critical to:

   • Protect the ownership of your license.

   • Unlock features that make the lives of IT administrators easier.

   • Access Premium Support and get visibility into your open tickets;

2. Download the latest version of the Parallels Desktop ;
3. Install Parallels Desktop Enterprise Edition, following one of the ways outlined in ;

4. Create and configure a virtual machine golden image, complete with all the required software and settings, and upload it to an accessible location that allows direct file links;

5. Deploy Parallels Desktop for Mac using one of the methods described in the ;

6. Make use of the main advantage of Parallels Desktop Enterprise Edition, the Parallels Management Portal, as outlined in of the guide.

Before you proceed with the SSO integration, make sure the following conditions have been met:

1. You must be logged into the Parallels My Account and have access to your organization’s business account, where the license key has been previously registered. See for more details.

2. You must understand what email domain(s) your end-users will use for SSO.

3. You must either have admin access to the DNS host(s) of the corresponding domain(s) to be able to add a verification TXT record(s) or be able to ask your IT service for assistance.

4. You must either have admin access, which enables you to configure enterprise applications in your IdP Directory, or be able to request support from the IT admin who has the required permissions.

Once the above requirements are met, proceed to the next step.

If you have an existing Parallels Desktop for Mac Business Edition setup where end-users activate their copies of Parallels Desktop using Single Sign-On (SSO), you can trial the same setup on the Enterprise Edition concurrently. You will have to take the following steps:

1. Contact your sales representative using Parallels and request a trial license key;

2. Register the received key in My Account;

3. On the side of your organization's identity provider (IdP), register a new group and include in it trial users;

   1. If your IdP supports group hierarchy, make sure the trial group is a child of the main Parallels Desktop user group mapped in My Account as part of the (i.e., your mapping should be Parallels Desktop app registered with your IdP <- Parallels Desktop users group <- Enterprise Edition trial users group) and add the Enterprise Edition trial users to it;

   2. Otherwise, make sure to include those users in the main Parallels Desktop users group as well (i.e., your mapping should be Parallels Desktop app registered with your IdP <- Parallels Desktop users group AND Parallels Desktop app registered with your IdP <- Enterprise Edition trial group), make sure to include trial users in both user groups;

4. Make sure the end users with trial accounts have activated their copies via SSO;

5. Explore the capabilities.

Follow the steps below one by one to integrate Parallels My Account with Ping Identity.

(1) Configure Organization's Domains

A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it, and read the instructions carefully.

• Add one or more domains your organization uses.

• Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

• Make sure to add only the domains your organization can control.

The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

$ dig TXT {yourdomain}.{com}

(2) Register Parallels Enterprise App and Configure SAML Settings

Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service.

The description below illustrates the registration procedure for Ping Identity. It is assumed that you have the permissions required to register and configure enterprise applications with Ping Identity. To register a Parallels enterprise application with Ping Identity:

1. Log into Ping Identity here using an account that has privileges for registering and configuring enterprise applications for your organization.

2. On the Start page, choose the Administrators environment to open the Ping Identity console page.
3. To register the Parallels enterprise application in Ping Identity, navigate to the Connections tab on the sidebar, click on the Applications link, and click on the + button.
4. Type the name of the application (the actual name remains at your discretion), add a short description, choose the SAML Application option, click Configure, and wait while the enterprise application is being created. You will end up on the SAML Configuration page.

5. Switch to your IdP integration page in My Account, scroll down to, and expand Step 4 ("Configure SAML integration"). Under Service Provider Settings, click on Download a metadata file link to download a metadata.xml file.

6. Return to the SAML Configuration page, check Import metadata, and click Select a file to upload your downloaded metadata.xml file. Click Save.

Once the registration of the Parallels enterprise application in the IdP Directory is completed, switch back to the integration configurator page at Parallels My Account, expand the section of Step 2 and select the Configuration in the IdP Directory is done option at the bottom of the section. Then move on to the next step.

(3) Configure User Groups Mapping

You must create user groups associated with the Parallels enterprise application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should be able to activate their copies of Parallels Desktop for Mac Enterprise Edition via Single Sign-On (SSO) and which should have business account admin privileges in the Parallels ecosystem.

At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.

Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to manage user groups in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.

To create a user group for the Parallels enterprise application in Ping Identity:

1. Log into the Ping Identity portal using the account which has privileges for managing user groups and configuring enterprise applications.

2. On the Start page choose Administrator environment (or any other environment what you could create before) to open the Ping Identity console page.

3. Navigate to Identities and switch to the Groups tab.

4. You need to create two groups, one for the users who are supposed to be granted the admin permissions to access your organization’s business account registered with Parallels, and another for the regular Parallels Desktop users who are expected to sign into their copies of Parallels products via SSO.

5. Click the + icon to launch the group creation wizard, and type in the group name and description. Click Save and wait while the group is being created.
6. Copy the name of the group that you have specified to Parallels My Account. To do so, switch back to the integration configuration page at Parallels My Account, expand the Step 3 section, paste the name of the group in both corresponding input fields of the section Parallels Business Account Admins, and click Save.

Once the group is created, it’s necessary to configure attribute mapping. To do so, navigate to the Application tab and click on the application that has been created in the previous step (2) Register Parallels enterprise app. Open the Attribute Mappings tab and add four more mapping attributes which will associate the PingOne user attributes to the SAML attributes in the application. Add the attributes as follows:

displayname -> Expression: {user.name.given + ' ' + user.name.family}

groups -> Group Names

name -> Email Address

objectidentifier -> User ID

To add displayname value please click on the icon labelled Advanced expression.

There, you’ll see the following window:

Under Expression, delete the current expression and add the following: {user.name.given + ' ' + user.name.family}

Click the Test Expression button. Expect the Verification Successful note, as depicted below in green. Click Save.

At this point, you should be able to see the following table:

Please note that the fields are case-sensitive.

Make sure you have configured both groups: for the Parallels Desktop users and for the Parallels business account admins. If everything is set, click Save at the bottom and proceed to the next step.

(4) Configure SAML Integration

SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your organization's users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) while your admins can use it to log into the business account registered with Parallels using their main corporate login credentials.

To complete this step, you must copy some parameters from your Parallels My Account to the settings section of the Parallels enterprise application registered in the IdP Directory and then copy certain data provided in the IdP Directory to the Parallels My Account admin panel.

The following description illustrates the procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the chapter specific to your IdP of choice.

Expand the section of Step 4 on the integration configurator page in Parallels My Account. Note that there are two groups of parameters in the section. The first group has two values, Service Provider Entity ID and Assertion Consumer Service URL which must be copied from Parallels My Account to the IdP Directory. The second group includes three parameters – Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from your IdP Directory to Parallels My Account.

Parameters can be copied between Parallels My Account and the IdP Directory either via metadata files (assuming your IdP software supports transferring those parameters via external files) or manually.

The first group of parameters, Service Provider Entity ID and Assertion Consumer Service URL (both values are pre-set automatically and cannot be changed), is already copied from Parallels My Account to the IdP Directory during the creation of Enterprise Application in Step 2.

To transfer the second set of parameters from Ping IdP to My Account:

1. Navigate to the Application tab and click on the application that has been created in the previous step (2) Register Parallels enterprise app. Proceed to the Configuration tab and click Download Metadata under Connection Details.

2. Switch to the IdP integration page in My Account, scroll down and expand Step 4 ("Configure SAML integration"). Under Identity Provider Settings, click on the Upload a metadata file link and select the downloaded XML file.

3. Select the Configuration in the IdP Directory is done option at the bottom of the section and click Save.
4. Return to the Application tab in Ping IdP and close the Configuration tab, after which enable User Access to the application by flipping the switch.

Proceed to the next step.

(5) Configure SCIM Integration

SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory.

It is assumed that your IdP software supports SCIM. For this reason, the SCIM Support option in the Step 5 section on the integration configurator page in the Parallels My Account is enabled by default. If your IdP does not support SCIM, disable the option and move on to the next step.

The following description is based on the assumption that SCIM is supported.

To configure provisioning via SCIM, you must copy two parameters: SCIM Base URL and Bearer Token (both values are pre-set automatically and cannot be changed) from the Step 5 section of the integration configurator in Parallels My Account to the IdP Directory.

The description below illustrates the procedure for Ping Identity. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Ping Identity. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.

To configure SCIM settings at the IdP management portal:

1. Go to Connections → Provisioning.

2. Click + and then click New connection.

3. Select Identity Store, and in the opened list select SCIM, scroll down and click Next.

4. Enter a name and description for this provisioning connection (the actual name and description remain at your discretion). The connection name will appear on the list once you have completed and saved the connection.

5. Click Next.

6. On the Configure authentication screen, enter the following:

   • SCIM Base URL. The fully qualified URL to use for the SCIM resources is https://account.parallels.com/scim.

   • Select the authentication method to use: Bearer Token.

   • Copy the contents of the Bearer Token from Parallels My Account and paste it into the appropriate field.

7. Click Test Connection to save the changes and click Continue.

8. On the next page click Finish.

9. Turn on SCIM by toggling the switch.

Once the provisioning settings in the IdP Directory have been saved, switch back to Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section to confirm that you have finished the configuration procedure in the IdP Directory. Then continue to the next step.

(6)Add Users to the Application Groups

Add users to the groups created in Step 3 (described earlier) to enable end users to activate their copies of Parallels Desktop for Mac Enterprise Edition using SSO and grant administrators permission to log into your organization’s business account registered with Parallels.

To do so, navigate to the Start page and choose Administrator environment (or any other environment that you might have created before) to open the Ping Identity console page. Navigate to Identifies, then Users, and create users by clicking the Add User button. Once it is done, or if you plan to add users later, select the Configuration in the IdP Directory is done option at the bottom of the section.

Once users have been created, you need to add them to the groups created above. To do so, navigate back to the Identifies tab and switch to the Groups tab. Click on the group name and add users to it.

(7) Configure Backup Login

The backup login can be used to access your organization’s business account registered with Parallels, bypassing Single Sign-On in the event of an SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login

Parallels Desktop Installation Image

To mass deploy Parallels Desktop Business Edition, you will need the Parallels Desktop for Mac installation image file (.dmg) and a Parallels Desktop for Mac Business Edition license key.

You can download the installation image from .

Parallels Desktop Autodeploy Package

The Parallel Desktop autodeploy package is used to configure the deployment of Parallels Desktop. .

Please note that if you already have a configured autodeploy package from an earlier version (or build) of Parallels Desktop, don't use it because it may not be compatible with your build of Parallels Desktop. Always download the latest version of the package from the Parallels website using the link above.

Supported Guest OS Versions

If you are deploying one or more virtual machines together with Parallels Desktop, please keep in mind the differences in supported guest operating systems between Mac computers with Apple Silicon and Mac computers powered by Intel processors. For the latest information, see system requirements at .

Kernel Extensions

If your organization's Macs run macOS Mojave or macOS Catalina, their users may need to approve kernel extensions before they can launch Parallels Desktop. For more information, please read the following KB article: .

Follow the steps below one by one to integrate Parallels My Account with Okta.

(1) Configure Organization’s Domains

A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.

• Add one or more domains your organization uses.

• Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

• Make sure to add only the domains your organization can control.

The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

(2) Register Parallels Enterprise App and Configure SAML Settings

Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service. The description below illustrates the registration procedure for Okta. It is assumed that you have the permissions required to register and configure enterprise applications with Okta. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice. To register a Parallels enterprise application with Okta:

1. Log into the Okta management portal using an account that has privileges for registering and configuring enterprise applications for your organization.

2. On the portal’s landing page, expand the Applications section and choose the Applications item from the left-hand side panel to open the page with the list of enterprise applications registered for your organization.

3. Click the Create App Integration button, which is located above the list of registered applications. It opens the popup dialog titled Create a new app integration.

4. In the Create a new app integration dialog, choose SAML 2.0 as your sign-in method, then click Next.

5. On the next page, type the name of the application (the actual name remains at your discretion) in the App name field, then select the Do not display application icon to users option. Click Next to proceed with configuring the SAML settings for the application. SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Sing Sign-On (SSO) and your system administrators to use it to log into your organization’s Parallels business account. To complete this step, you must copy certain parameters from Parallels My Account and save them in the settings of the Parallels enterprise application registered with Okta, then copy some data provided by Okta and save it in Parallels My Account.
6. Switch to the of Parallels My Account. Expand the Step 4 section on the integration configurator page. Note that there are two sets of parameters in the section. The first set has two values, Service Provider Entity ID and Assertion Consumer Service URL, that must be copied from Parallels My Account to Okta. The second set includes three parameters—Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from Okta to Parallels My Account.

7. On Okta’s Create SAML Integration page (this page should have opened after completion of Step 5, as described above), insert the values into the Single sign-on URL and Audience URI (SP Entity ID) fields, as specified below:

   1. The Assertion Consumer Service URL value from Parallels My Account (in the Step 4 section of the integration configurator) must be copied to the Single sign-on URL input field in Okta.

   2. The Service Provider Entity ID value from Parallels My Account (in the section of Step 4 of the integration configurator) must be copied to the Audience URI (SP Entity ID) input field in Okta.

8. Keep the Use this for Recipient URL and Destination URL option enabled (it is enabled by default). Leave the parameters in the General section set to the defaults.

9. Scroll the page down to the section Attribute Statements (optional). Add the following attributes to the list (keep the text values and punctuation marks exactly as specified):

   1. objectidentifier (Name format: Unspecified) > user.id

   2. name (Name format: Unspecified) > user.login

   3. displayName (Name format: Unspecified) > user.displayName

10. Scroll down the page to the section Group Attribute Statements (optional). Add the following attribute to the list (use the name of the value and punctuation mark exactly as specified):

    1. groups (Name format: Unspecified) > (Filter: Matches regex), set the value to .*
11. Scroll to the bottom of the page and click Next. It opens the section Help Okta Support understand how you configured this application. Choose the option I’m an Okta customer adding an internal app, and then, once the additional section App type opens, choose the option This is an internal app that we have created.

12. Finally, click Finish, and once the registration process finishes, you will end up on the application’s home page.

13. Switch back to the at Parallels My Account, expand the Step 2 section (“Register Parallels enterprise app”), and select the option Configuration in the IdP Directory is done.

Once the registration of the Parallels enterprise application with Okta is completed, you must transfer three parameters from Okta to Parallels My Account. To do so, follow these steps:

1. Switch back to the Okta management portal. When on the enterprise application’s home page in Okta, ensure the currently selected tab is Sign On. Locate the View SAML Setup Instructions button on the right side of the page. Clicking the link opens the page How to Configure SAML 2.0 for %1 Application, where %1 is the name of the enterprise application registered previously. The page contains the three parameters that must be transferred to Parallels My Account. The same three parameters can also be found in the Metadata Details section of the SAML 2.0 card under More details.

2. 1. The value Identity Provider Issuer from Okta must be copied to the input field Identity Provider Entity ID.

   2. The value Identity Provider Single Sign-On URL from Okta must be copied to the input field Identity Provider SSO URL.

   3. The content of the X.509 Certificate from Okta must be copied to the input field Public Certificate.

   Instead of copying and pasting these values manually, you can download the metadata in the Okta interface and then upload the resulting XML file using the Upload a metadata file link in the Parallels My Account interface.

   1. In the SAML 2.0 card section, locate Metadata URL under the Metadata Details section.
   2. Copy and paste the Metadata URL into a new browser tab or window.

   3. Use Ctrl/Cmd+S to save the metadata as an XML file.

   4. Switch to Parallels My Account interface, open the Step 4 Identity Provider Settings, click Upload a metadata file, and choose the newly created XML file.

(3) Configure User Groups Mapping

You must create user groups associated with the Parallels enterprise application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should be able to activate their copies of Parallels Desktop for Mac Enterprise Edition using SSO and which ones should have business account admin privileges in the Parallels ecosystem. At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's names in Step 3 of the integration configurator page in Parallels My Account.

Start with creating the group in the IdP Directory. To create a user group for the Parallels enterprise application in Okta:

1. Log into the Okta management portal using the account with privileges for managing user groups and configuring enterprise applications.

3. Click the Add Group button placed above the list of groups, which opens the Add group popup dialog.

4. Type in the name and the group description, and click Save.

5. Make sure you have repeated steps 3 and 4 three times and created three separate groups as specified above.

Write down the name of the group created for the Parallels Business Account Admins. You must transfer these values to Parallels My Account later.

Next, assign the Parallels enterprise application registered with Okta to the transit group that you have created before. Make sure you are on the page with the list of the groups at the Okta management portal. To assign the application to the transit group, follow the instructions below:

1. Find the transit group in the list of groups.

2. Click on the group’s item in the list to open the page with the details of the group.

3. Click the Applications tab at the top to open the list of the applications assigned to the group. Since the group is new, the list is supposed to be empty.

4. Click the Assign Applications button to launch the popup dialog titled Assign Applications to %1, where %1 is the name of the transit group.

5. Locate the Parallels enterprise application that has been registered with Okta before and click Assign.

6. Click Done to save the assignment. You will now see the Parallels enterprise application on the list of the assigned applications of the transit group.

After that, you must create a rule to push members from the groups created for the Parallels Administrators to the Parallels enterprise application through the transit group. Make sure you are on the Okta admin portal’s page with the list of the groups. To create the rule, follow these steps:

1. When on the page with the list of the groups, click Rules at the top of the list to open the list of the rules created for the groups.

2. Click Add Rule to create a new rule. It opens the popup dialog titled Add Rule.

3. Type the name of the rule (use whatever name you find suitable).

4. Choose the Use basic condition option, then select Group membership from the list below.

5. In the input field below, type the name of the group that has been created for the Parallels Administrators.

6. In the THEN Assign to input field, type in the name of the transit group.

7. Click Save to save the rule. Now you will see the new rule in the list of rules.

Once the rule has been created, activate it by clicking on the Actions drop-down menu on the right and then Activate.

Before proceeding, make sure that the following conditions have been met:

• At least one group has been created for the Parallels Business Account Admins.

• You have written down the unique names of the groups you have created for the Parallels users and admins.

• An additional transit group has been created, and the Parallels enterprise application has been registered with Okta and assigned to that group.

• A rule has been created that enables you to push members of both the admin and user groups to the Parallels enterprise application through the transit group.

Click on Click to edit on the respective group and insert the Parallels Admins group name you have written down earlier into both corresponding fields (“UUID” and “Display Name”), then do the same for the Parallels Desktop Users group section. Click Save to save the changes.

(4) Configure SAML Integration

If everything is set, proceed to the next step.

(5) Configure SCIM Integration

SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory. Okta supports the SCIM 2.0 protocol, which is used for this purpose.

To configure provisioning via SCIM, you must first enable the provisioning for the Parallels enterprise application registered with Okta. After that, you must copy two parameters, SCIM Base URL and Bearer Token, from Parallels My Account (the section of Step 5 of the integration configurator) to Okta. Finally, you must configure the push of the user groups from Okta to Parallels through SCIM.

The description below illustrates the procedure for Okta. It is assumed that you have appropriate permissions to configure enterprise applications in Okta. To configure the provisioning settings for the Parallels enterprise application registered with Okta:

1. Log into the Okta management portal using the account with privileges for configuring enterprise applications.

2. When on the portal's landing page, choose Applications > Applications in the left-hand side panel to open the list of enterprise applications registered for your organization.

4. Click on the General tab to switch to the tab that displays the app’s general settings. There, click Edit in the upper right corner of the tab to switch to the edit mode.

5. Select the option Enable SCIM Provisioning and click Save.

6. A new tab called Provisioning will appear at the top of the page. Click on it to open the tab where you can configure the SCIM settings for the application.

7. While on the Provisioning tab, click Edit in the upper right corner to switch to the edit mode.

9. Copy the values from the Step 5 section Parallels My Account to Okta, as specified below:

   1. SCIM connector base URL (Okta): insert the value of the parameter SCIM Base URL copied from Parallels My Account.

   2. Bearer (Okta): insert the value of the parameter Bearer Token copied from Parallels My Account. The Bearer field in Okta is not displayed by default. To make it visible, switch Authentication Mode to HTTP Header.

10. Enable the options Push New Users, Push Profile Updates, and Push Groups on the same page in Okta.

11. Insert the text userName (use the text exactly as it is provided here: userName) into the input field Unique identifier field for users.

12. Click Save to save the changes. Okta’s interface will revert to the Provisioning tab of the Parallels enterprise application.

13. Make sure the section To App is selected on the left. Click Edit to switch to edit mode. Enable the following options: Create Users, Update User Attributes, Deactivate Users. Click Save to save the changes.

14. Click the Push Groups tab at the top to open the tab with the list of the groups from which the users are supposed to be pushed to the Parallels ecosystem. The list is supposed to be empty.

Continue to the next step.

(6) Add Users to the Application Groups

To do so, switch to Okta and follow the standard procedure for adding users to groups. Please note that no user will be able to activate their Parallels product unless they have been added to the User group.

(7) Configure Backup Login

To prepare the autodeploy package, you need to add the following required and optional components to it:

• Parallels Desktop installation image ().

• Parallels Desktop Business Edition license key (required, unless you are using "Activation using corporate account (SSO)").

• One or more virtual machines (). The user can later install or download a virtual machine via the link in a .

• One or more Windows application stubs (optional). Stubs are special links to Windows applications installed in a virtual machine that can be added to the Dock in macOS during deployment.

• You can also configure deployment options according to your needs by modifying the configuration file included in the autodeploy package.

You will have to take the following steps:

1. the Autodeploy package, which comes in a ZIP format.

2. Unarchive it.

3. [OPTIONALLY] Populate the folders with specific and .

4. Set the deployment preferences to your liking by the deploy.cfg file.

5. Transform the resulting folder into an ready for deployment.

The subsequent sections describe how to add the necessary components and how to configure autodeploy package options.

This section describes how to mass deploy Parallels Desktop Business Edition using Mac management tools.

Parallels Desktop Enterprise Edition can also be deployed to Mac computers using Mac management tools, including, but not limited to:

• Jamf Pro

• Microsoft Intune

• Kandji

• Apple Remote Desktop (ARD)

• IBM Endpoint Manager

• Mosyle

• Addigy

• Munki

• VMware Workspace ONE

This chapter includes detailed instructions on how to deploy Parallels Desktop using Jamf Pro. For instructions on how to use other tools, please see their respective documentation.

Choosing the Deployment Method

Adding a virtual machine to the autodeploy package is optional. You can mass deploy Parallels Desktop only and install virtual machines on individual Mac computers later. Consider the following possible scenarios:

• If you are deploying Parallels Desktop on either Apple Silicon or Intel-based Mac computers (but not both at the same time), you can include a virtual machine in the autodeploy package, so it will be installed on a Mac as part of the deployment process.

• The recommended approach is to deploy without any virtual machines in the autodeploy package and instead provision a corporate VM image using a Configuration Profile in Parallels My Account. This method is especially useful when you plan to deploy Parallels Desktop on both Apple Silicon` and Intel-based Mac computers at the same time. For more information, please see Using Configuration Profiles and Corporate VM Image Provisioning.

There are two ways to include a virtual machine in the autodeploy package: as a downloadable link or as a local file manually added to the package. Regardless of which one you choose, take the following steps first:

1. Configure the virtual machine as described in the subsections of this chapter;

2. FULLY STOP the virtual machine by opening Actions in the macOS menu bar and choosing Shut Down. Suspending or pausing it will not suffice;

3. Reduce the size of the selected virtual machine by doing one of the following:

   • Open the Parallels Desktop Control Center, right-click on the virtual machine, and select Prepare for Transfer;

   • Alternatively, open the Parallels Desktop Control Center, right-click on the virtual machine, and select Show in Finder. Right-click on the virtual machine .pvm file and select Compress {vm_name}.

[RECOMMENDED] Including a Virtual Machine as a Downloadable Link

Several popular MDM solutions have been known to experience issues with deploying large packages. As a way to mitigate this, you can amend the deploy.cfg file to include a link to a file share location with the virtual machine file instead of including it in the package. Take the following steps:

1. Upload the compressed file to a permitted cloud storage that would be accessible to all target Macs (e.g., OneDrive or Google Share). Make sure the resulting link is direct and open to all the users affected by the deployment. The best way is to choose Share with anyone.

2. Open the deploy.cfg file in a text editor, same as when specifying a license key, scroll to the Virtual Machines section and add the download link there exactly as described, following the instructions carefully.

[ALTERNATIVE] Adding a Virtual Machine File to the Autodeploy Package

To add a virtual machine to the autodeploy package directly, simply copy the virtual machine file to the Virtual Machine(s) sub-folder that can be found under Bundle > Virtual machine(s) . More than one virtual machine can be added to the autodeploy package if needed.

Read on to learn about modifications that you can make to the virtual machine configuration before adding it to the autodeploy package.

If you haven't already, use the link below to download the Parallels Desktop Autodeploy Package directly to a Mac computer.

Download the deployment package here.

The autodeploy package archive contains a folder named "Parallels Desktop Business Edition mass deployment package vxxx", where "vxxx" is the autodeploy package version number.

The folder contains the following files:

• Changelog.txt — contains a record of changes that were made to the autodeploy package over time.

• Deploy.cfg — contains all the parameters that you'll need to check and set, as described here.

• Prepare — contains the build script that creates a flat package ready for deployment.

Read on to learn how to add the necessary components to the autodeploy package.

By default, you can skip this step and allow the Autodeploy package to simply download the latest version of Parallels Desktop installation image from the Parallels Server.

However, if you wish to include a specific build in the package, open the Parallels Desktop DMG folder and copy the Parallels Desktop installation image file to it (the .dmg file). If you don't have the file, you can download it from here.

The package should now look like this:

Please note that the Parallels Desktop installation image file name on the screenshot above is just an example. In your case, the file name will also include the current build number information.

Windows application stubs are special links to Windows applications installed in a virtual machine that can be added to the Dock in macOS during deployment.

About Application Stubs

Application stubs are created in macOS when you create a virtual machine and install Parallels Tools in it. To see application stubs for a virtual machine:

1. In macOS, navigate to /Users/<user-name>/Applications (Parallels)

2. Expand a desired virtual machine folder. For example, Windows 11 Applications, as shown in the screenshot below:

The icons in the folder are Windows application stubs. If you double-click an icon, the corresponding Windows application will be started in the virtual machine.

You can add one or more application stubs to the autodeploy package to be added to the Dock on a target Mac computer. For example, if your Mac users use a particular application most of the time, it would make sense to add it to the Dock so they can quickly launch it without dealing with the user interfaces of Windows or Parallels Desktop.

Adding Application Stubs to the Autodeploy Package

To add one or more application stubs to the autodeploy package, simply copy it to the Windows Application(s) stubs to add to Dock folder of the package.

To invite users to install Parallels Desktop via email:

1. Log in to your Parallels account at .

2. On the Dashboard page, locate the Parallels Desktop for Mac Business Edition product card and click the Invite Users button.
3. In the dialog that opens, select a license key that you want to use to activate Parallels Desktop on users' computers and click Next.

4. In the Invite Parallels Desktop Users dialog, specify the following options:

   • Language of Invitation: Select a language for the instructions in the invitation email.
   • Invitation Expires in: Use the drop-down list to select when the invitation should expire. After it expires, the temporary activation code included in it will no longer work.

   • Email address: Type a user's email address and click Add. Repeat for all intended users. You can also specify a CSV file containing email addresses of your users. The CSV file must contain a single column (a valid email address) with multiple rows (one email address on each row). Please note that if the number of users included in this list exceeds the number of available licenses for the specified key, the activation of Parallels Desktop will happen on a first-come, first-served basis.

   • The Download Invitations button allows you to save the invitation email information to a CSV file. The information includes email addresses that you specified, a temporary activation code (generated individually for each user), and the Parallels Desktop download URL (also generated individually for each user). You can use the information in the downloaded file to create your own invitation email or to answer helpdesk questions, should any arise.

5. Click Send Invitations to send the email to users.

The invitation email that the users receive contains the following information:

• Installation instructions and a link from which a user can download the Parallels Desktop installation file.

• A temporary activation code. The code will be used automatically when a user installs Parallels Desktop on their computer. If for any reason automatic activation fails, the user can use the code included in the mail to manually activate Parallels Desktop. Please note that this is not the actual license key that you selected when you created the invitation email. This is only a temporary activation code with a limited scope and duration. The real license key is never shown to your Parallels Desktop users.

Once the users have installed and activated Parallels Desktop on their computers, you will be able to see the list of active installations in your Parallels account.

Setting Up a Virtual Machine

Once Parallels Desktop is installed on a Mac computer, the user needs to set up a virtual machine to run Windows on their Mac. This can be accomplished using one of the following methods:

• A user can create and configure a virtual machine and install Windows in it manually.

• An administrator can prepare a virtual machine and put it on a corporate network storage from where users can download it to their computers.

Once you have the Parallels Desktop autodeploy package configured, you can test it on a single Mac before you mass deploy it to other Mac computers in your organization.

To test the package:

1. Copy it to a Mac on which you want to test it. The Mac should have a configuration similar to other Mac computers on which you'll be deploying Parallels Desktop. Specifically, if your target Mac computers don't have Parallels Desktop and virtual machines installed, the test Mac shouldn't have them installed either. If target Macs have an older version of Parallels Desktop, the test Mac should have it installed too, so you can see what the results will be.

2. To speed up the execution of the package during testing, consider running it from the command line using /System/Library/CoreServices/Installer.app. When executed this way, the package will not be tested by macOS for digital signature, and the usual package verification procedure will be skipped. Please note that if you run the package by double-clicking on it, macOS will warn you that the package is not signed and will not install it. If you run the package by right-clicking and choosing Open, the signature check will be skipped but the verification of the package will take a long time if you have one or more virtual machines in it (because of the large size of a typical virtual machine). When you use the Installer.app to run the package, the installation will commence installing immediately, without any checks or verifications. All of the above only applies when you run the package manually. When you mass deploy it on Mac computers, verification is not performed, and the installation is completely silent.

3. When the installation is complete, verify that Parallels Desktop is installed, activated, and is functioning properly. If your package is configured to deploy Parallels Desktop in Single Application Mode, try running the application and see that it starts and runs as it should.

4. Please note that when the package is executed, it writes logs into /var/log/install.log. If you experience issues, examine the logs. If that doesn't help, you can contact Parallels Support for business customers which is available 24/7.

Read on to learn how to mass deploy the package using one of the Mac management tools.

This section contains instruction on how to deploy the Parallels Desktop autodeploy package using the following solutions:

• Jamf Pro

When you want to distribute pre-configured Windows virtual machines to your users, you may need to manage those machines granularly: enroll them into domains, activate Windows licenses, differentiate PC names, enforce specific policies, enable company-wide licensing tools, etc. All that and more can be achieved with the help of Microsoft's Sysprep utility. To learn more, refer to this article.

When you deploy Parallels Desktop to Macs, their operating system normally prompts users to authorize access to various sensitive folders (Documents, Downloads, etc.), devices (such as camera or microphone), and functions (screen and audio recording). For a smoother, more streamlined deployment, accepting some of those requests can be automated using Jamf’s PPPC utility, available here.

The utility generates a configuration profile that can be added to the deployment package to pre-authorize privacy requests.

For more information on creating, configuring, issuing, and using a PPPC configuration profile, please refer to Jamf's guide here.

Jamf Pro includes the Software Distribution functionality that you can use to deploy the Parallels Desktop package to Mac computers in your organization. To deploy the package, you need:

• Jamf Pro server installed and configured.

• Target Mac computers enrolled in Jamf Pro.

• A distribution point (cloud or file share) configured and be accessible from the target Mac computers.

Adding a Distribution Point

A distribution point is a server that hosts files for distribution to computers. If your Jamf Pro installation doesn't have a distribution point, you need to add one to host the Parallels Desktop autodeploy package.

To add a distribution point:

1. Open the Jamf Pro console and log in to your Jamf server.

2. Click the gear icon in the upper right and then click Server Infrastructure in the left pane.
3. Jamf Pro supports cloud-based (content delivery networks) and file share distribution points. Depending on what is available to you, click the Cloud Distribution Point or the File Share Distribution Points icon. The instructions below are for setting up a file share distribution point. If you would like to set up a cloud distribution point, please consult Jamf Pro documentation for details.

4. After you click the File Share Distribution Point icon, click New.

5. On the General tab page:

   • Type a name for the distribution point.

   • Specify the IP address or the host name of the distribution point server.

   • Select the Use as master distribution point option.

6. Click the File Sharing tab and specify the following:

   • Protocol: Select AFP or SMB depending on which protocol is used on your server for file sharing.

   • Share name: Specify the share name. For example, if your server name is MYSERVER and your full share name is \\MYSERVER\JAMF-SHARE, specify JAMF-SHARE in this field.

   • Port: In most cases the default value is what a given protocol normally uses. If you know that your server uses a different port number, specify it here.

   • Read/Write Account: Specify credentials of an account that has read/write access to the share.

   • Read-Only Account: Specify credentials of an account that has read-only access to the share.

7. If your server supports HTTP downloads, select the HTTP/HTTPS tab and then select the Use HTTP downloads option. Based on our own and other users' experience, HTTP/HTTPS-enabled distribution points are more reliable than AFP/SMB shares, but you can try both options and see which one works better for you.

8. Click Save to save the settings and add the distribution point to your Jamf Pro installation.

Adding the Autodeploy Package to the Distribution Point

To add the autodeploy package to the distribution point:

1. Open the Jamf Admin app on a Mac and log in to your Jamf Pro server.

2. Drag the package to the main repository area (the middle area in the right pane).

3. The package will be uploaded to the master distribution point and will appear in Jamf Admin.
4. You can set other options if needed, such as add a package to a category or change the package priority. Indexing the package is not necessary for the purpose of deploying it on Macs.

5. Close the Jamf Admin when done.

To verify that the package has been added to the distribution point:

1. Open the Jamf Pro console and login to Jamf Pro server.

2. Click the gear icon in the upper right and select Computer Management in the left pane.

3. Click Packages in the right pane. You should see the Parallels Desktop Autodeploy.pkg.zip package in the list.
4. If needed, you can modify the package display name and other settings. To do so, click the package and then click the Edit button in the lower right. Modify any of the settings as you require (except the file name). All settings are optional. If not sure, simply leave them unchanged.

Installing the Package

You can install the package on Mac computers using a policy or you can use the Jamf Remote app that works similar to Apple Remote Desktop. This section contains instructions on how to install a package using a policy. For Jamf Remote instructions, please refer to the Jamf Pro documentation.

Creating a Policy

To create a policy:

1. In the Jamf Pro console, click the Computers tab in the left pane and then click Policies.
2. In the right pane, click New. The New Policy pane loads where you can define the policy.

3. In the General payload, specify the following:

   • Type a name for the policy.

   • Select the Enabled option.

   • Specify a category (optional).

   • In the Trigger section, select one or more events that should trigger the policy retrieval on target Mac computers.

   • In the Execution Frequency drop-down list, select a frequency at which to run the policy. Since Parallels Desktop has to be installed just once, you may select Once per computer or Once per user (to install Parallels Desktop for each user if a Mac has more than one).

   • The Target Drive option allows you to specify the drive on which to run the policy. You would normally use the default option, which will run the policy on the boot drive.

   • Other options in the General payload allow you to configure limitations on when the policy can and cannot run. This includes server-side and client-side limitations. You can specify them according to your needs or you can leave them blank.

4. To specify a package for the policy, click the Packages payload and then click the Configure button in the right pane. The pane will be populated with the list of available packages.

5. Locate the Parallels Desktop Autodeploy.pkg.zip package and click Add.
6. Select a distribution point that contains the Parallels Desktop package. If you select the Specific file share distribution point option, choose the distribution point. If the distribution point is both an AFP/SMB and HTTP share, Jamf will try to use the HTTP option to download the package to target Macs. If needed, you can force it to use the AFP/SMB share by selecting the Force file sharing over AFP/SMB option. Based on our observations, HTTP shares work more reliably in Jamf, but you can try different options if you are experiencing issues with mounting shares on Mac computers during the policy execution.

7. In the Action drop-down list, select how the package should be downloaded and installed on Mac computers:

   • Install — when the policy runs, the package is downloaded and installed on a Mac computer as a single operation. Note that if you have a large number of Macs and the policy runs on all of them simultaneously, all of them will try to download the policy at the same time. For this reason, you may consider the options below to avoid overloading your network.

   • Cache — when the policy runs, the package is downloaded to a Mac computer but is not installed at that time.

   • Install Cached — a policy with this action installs the package that has been downloaded previously using the Cache option. You can use this and the "Cache" options if you are deploying Parallels Desktop on a large number of Macs. First, you "cache" the autodeploy package on each Mac at a convenient time. Once that's done, you run the "Install Cached" policy to install the package, which will be a completely local operation for each Mac. This way, you can ensure that Parallels Desktop is deployed on each Mac at roughly the same time (e.g. on the weekend) without delays.

8. The rest of the payloads are not required for Parallels Desktop package deployment.

9. To specify target Mac computers, click the Scope tab at the top of the pane. You can specify targets by computer name or username (or both). You can also set limitations and exclusions to further narrow down the target list. Note: If you are deploying Parallels Desktop on both Intel-based and Apple Silicon Macs, and your autodeploy package contains a virtual machine for one of the processor types, you need to select computers of a corresponding type. This can be done using Smart Groups. For more information, please see the following article on the Jamf website: https://learn.jamf.com/en-US/bundle/technical-paper-deploying-macos-upgrades-current/page/Creating_a_Smart_Computer_Group_to_Identify_Eligible_Computers.html. If you are deploying just Parallels Desktop (without any virtual machines), then this step is unnecessary.

10. If you would like the package to appear in the Self Service app on a Mac, click the Self Service tab, select the Make the policy available in Self Service option, and specify additional options if needed. The Self Service app allows the user to initiate the policy retrieval manually without waiting for it to trigger.

11. The User Interaction tab page allows you to specify messages that will be displayed to a Mac user when the policy runs on their Macs. If you want the installation to be completely silent, you can skip this page.

12. When done, click Save to save the policy.

Deploying the Package

Once the policy is retrieved by a Mac, it will install and activate Parallels Desktop on that Mac. Once completed, the user can begin working with Parallels Desktop.

If you are testing your policy, you can wait for it to trigger, or you can run it manually using the Self Service app. The app is installed when a Mac is enrolled in Jamf Pro and can be opened from the Applications folder in macOS. If there are errors executing the policy, you can review them in the app. Please also note that when testing a policy, don't try to run it on the same Mac that you use as a distribution point because an attempt to mount a share on the same Mac that hosts it will fail.

Single Application Mode is a special Parallels Desktop deployment option that allows you to largely obscure Parallels Desktop and Windows on a Mac, making Windows applications appear native to macOS. This mode is designed for system administrators who want Mac users in their organization to run one or more Windows applications while minimizing their interaction with Windows or Parallels Desktop.

When Parallels Desktop is deployed using Single Application Mode:

• A Mac user will not see the Parallels Desktop icon, user interface, or the virtual machine window while interacting with Windows applications.

• A Windows application icon is added to the Dock and registered in macOS for opening the associated file types. When the user clicks on the icon, the application will run on a Mac desktop like a native macOS application.

• A user's macOS workflows will remain largely unaffected by the background presence of Parallels Desktop and Windows.

Configuring Deployment Options

To deploy Parallels Desktop using Single Application Mode, do the following:

1. Add a virtual machine to the autodeploy package. For instructions, see . Please take note of the following:

   • You can add only ONE virtual machine when using Single Application Mode.

   • The virtual machine must be completely shut down before adding it to the autodeploy package. DO NOT simply close it, as this will be detected as a crash by Windows, and a Mac user will have to deal with it at startup.

2. Add a Windows application stub to the autodeploy package that will be used to run a desired Windows application on a Mac. If you want to deploy more than one Windows application, add a corresponding stub for each one. For details, please see .

3. To enable Single Application Mode, set the enable_single_application_mode="yes" parameter in the deploy.cfg file, as described in . The parameter is included in the User Experience section of the deploy.cfg file.

4. Deploy Parallels Desktop to Mac computers as described in .

Configuring Windows

For Windows to be completely hidden on a Mac, you need to make some changes manually because they cannot be automated. The following list describes these changes:

• Enable auto logon in Windows. Make sure that Windows in the virtual machine doesn't ask the user to log on. If this is not done, a Mac user will see the Windows logon screen when Windows starts or reboots.

• Configure file associations in Windows. This is necessary so that Windows doesn't open another Windows application when the user tries to open a file from the primary application. For example, let's say you deployed Outlook for Windows. A Mac user may try to open a text file attachment in Outlook. Normally, the file will open in Notepad in Windows, which may confuse the user. To prevent this, you can associate text files with TextEdit (a macOS application) in a virtual machine. The ability to associate file extensions with macOS applications is a standard Parallels Desktop feature available in Windows in a virtual machine. In addition, we recommend that you have as few applications installed in Windows as possible in order not to create additional file associations.

• Use the Productivity profile. When creating a virtual machine for Single Application Mode, choose the Productivity profile in the virtual machine Installation Assistant. If you are using an existing virtual machine, change its profile by going to Configuration > General > Configure for, clicking Change, and then selecting Productivity.

• Remove Sound & Camera devices from the VM configuration. This will eliminate the chance of macOS prompting the user to provide Windows with access to the respective hardware. To do that, go to Configure > Hardware > Sound & Camera and click the "-" button in the bottom left corner.

Configuring macOS

This section of the Management Portal is where you go to designate the virtual machines that will be deployed across your organization.

At the moment, it contains sections for two virtual machine files available to all Parallels Desktop users in an organization, one for all your Apple silicon Macs and one for Intel Macs.

When adding a virtual machine for deployment, the following three fields are mandatory:

1. Name. Give the virtual machine a descriptive, easy-to-read name, e.g., {company_name} Windows 11 Pro for Arm;

3. Checksum (SHA-256). When packaging a virtual machine (right-click on it in the Control Center and choose Prepare for Transfer), the resulting .pvmp file is accompanied by a .txt file containing a SHA-256 checksum for it. Copy and paste the contents of that file in this field.

Once your organization’s Parallels Desktop setup grows beyond a couple of dozen machines, the need often arises to manage them more granularly while relying less on manual procedures for things like setup, updates, and maintenance.

Thankfully, one of the main features of Parallels Desktop Enterprise Edition is the Parallels Management Portal — your one-stop shop for setting up and controlling your entire fleet of Parallels Desktop installations and virtual machines.

This section of the guide deals with all the tasks that can be completed from the Management Portal, such as deployment, management, policy provisioning, and removal of virtual machines.

You can reach the Management Portal by clicking the respective button in your business profile or directly following this .

Enrolling Parallels virtual machines in Azure Active Directory with Microsoft Intune enables managing and securing your virtual machine environment. To achieve that goal, you will have to create a provisioning package and deliver it to your end users. To learn more about provisioning packages for Windows, follow .

Follow these steps:

1. Install Windows Configuration Designer from Microsoft Store or download it directly from the Microsoft website.

2. Once installed, launch it and create a new project following the Provision desktop devices template.

3. Once the project is created, you will see the following page:

At this point, you need to choose a name convention. Once done, click Next and switch to the Set up network tab. There, you need to switch off the setup network toggle and click Next, proceeding to the Account Management page.

4. The following step is important: You need to select the Enroll in Azure AD option and obtain a bulk token.

Here, you need to sign in with your Microsoft Azure credentials. Once you’ve successfully signed in, you’ll see the message confirming the successful receipt of the token.

5. Click Next. Feel free to skip the remaining steps by clicking Next on each one of them.

6. Finally, you need to double-check your configuration summary and ensure everything is correct.

Click Create and memorize the path to the package file.

From this point, you have three possible ways to proceed:

1. Share the package with users who will need to launch it to enroll their virtual machines in Azure;

2. Install the package manually on every machine;

When you need to change configuration settings of all virtual machines that are already registered on a Mac computer, you can use the Parallels desktop command-line interface. To do so, you first need to create a script to perform a desired configuration modification. You can then execute the script on a Mac computer using one of the remote Mac management tools described earlier in this chapter.

The following is a script example that disables the auto pausing option for all virtual machines registered on a Mac computer:

The script above uses the prlctl list command to first obtains a list of registered virtual machines and then (inside the loop) sets the --pause-idle option for every VM to "off", which disables pausing of an idle virtual machine.

The complete command-line reference is documented in the .

In Parallels Desktop for Mac Business and Enterprise Editions, configuration profiles are sets of parameters that can be applied remotely to a Parallels Desktop installation. Configuration profiles can be used to enable and configure the following functionality in Parallels Desktop for Mac Business Edition:

• Provisioning a corporate virtual machine image

• Enabling major version upgrades

Configuration profiles are created in an organization's Parallels business account. You must be the administrator of the account to create and manage configuration profiles. License administrators (admins who are allowed to manage specific licenses) cannot manage configuration profiles.

Configuration Profile Payloads

Payloads in a configuration profile contain settings specific to a particular functionality. For example, the VM for Apple Silicon Mac and the VM for Intel Mac payloads allow you to configure virtual machine image provisioning, while the Product Updates payload allows you to manage Parallels Desktop updates. The configuration profile itself is created and configured the same way, regardless of which of its payloads are configured and enabled.

A configuration profile can have one or more payloads configured and enabled. For example, you can configure and enable a particular payload in one profile and a different payload in another profile. This allows you to enable one functionality for one group of users and another functionality for a different group (see below how configuration profiles are applied to Mac computers). You can create as many profiles as necessary.

Applying Configuration Profiles to Mac Computers

Configuration profiles are applied to registered Mac computers based on a license or sublicense key that computers are using to run Parallels Desktop. After you create a configuration profile, you need to apply it to one or more license or sublicense keys in your subscription. By doing so, you are essentially applying the profile to Mac computers on which Parallels Desktop was activated using that license key.

The rest of this part of the guide describes how to:

• Create a configuration profile

• Apply the configuration profile to a license or sublicense key

• Configure individual payloads

This chapter describes features that are specific to Parallels Desktop for Mac Enterprise Edition.

Parallels Desktop for Mac Enterprise Edition is a version of Parallels Desktop specifically designed for organizations with a large number of Parallels Desktop installations and virtual machines. Its main goal is to simplify the deployment, monitoring, and management of large, dynamic fleets of virtual machines in organizations with highly diverse needs.

The main feature of Parallels Desktop Enterprise Edition that enables granular management is the Parallels Management Portal. Read about it in this section of the guide.

The autodeploy package contains a special script, which is automatically executed on a target Mac after the package is transferred to it. When executed, the script reads the configuration parameter values from the deploy.cfg file, which you can modify according to your needs.

To modify the parameters, expand the License Key and Configuration folder in the autodeploy package and open the deploy.cfg file in a text editor. The configuration parameters are organized in sections, which are described below.

License

The License section is used to specify the Parallels Desktop Business Edition license key.

Software Updates

The Software Updates section is used to configure automatic updates for Parallels Desktop.

Please note that a configuration profile can be used to control upgrades over major versions of Parallels Desktop. But if the updates_url variable is used (see the table below), then the configuration profile option is ignored. The recommended approach is not to use the updates_url variable and instead, use a configuration profile to enable upgrades when the IT feels confident about the new version.

Help & Support

The Help and Support section is used to specify the action for the Help > Support Center menu item in the Parallels Desktop graphical user interface.

Technical Data Reports

The Technical Data Reports section is used to specify whether Parallels Desktop issue reports should contain screenshots of the macOS and virtual machine desktops. You can exclude screenshots for security reasons.

Customer Experience

The Customer Experience section allows you to specify whether the Macs should participate in the Parallels Customer Experience Program (CEP). The Parallels Customer Experience Program is a feedback solution that allows Parallels Desktop to automatically collect usage statistics and system information that will help Parallels develop new features and updates for future releases. For more information, please see https://www.parallels.com/pcep/.

Security

The Security section allows you to enable or disable the password requirement for a number of Parallels Desktop operations.

User Experience

The User Experience section allows you specify options related to user experience.

If you would like us to improve or add a specific feature to the Parallels Management Portal, you can use our feedback form by clicking on the user icon in the top-right corner and selecting the Provide Feedback option. Just type in your request and hit Send, and our Product Management team will receive your idea via email.

If your organization is subscribed to Parallels Desktop for Mac Business Edition and then decides to try the Enterprise Edition, you will need to contact your Parallels sales representative to receive a separate, time-limited trial key in your Parallels My Account.

Once the trial ends and you decide to upgrade to Enterprise Edition, the recommended way forward is to contact your Parallels sales representative and convert a Business Edition license of your choice to an Enterprise Edition one.

In this scenario:

1. The Enterprise Edition trial license will be suspended;

2. The Golden Images added during the trial will become available to the users of the new Enterprise Edition setup;

3. The policies created during the trial will be saved but not applied to any sublicense keys/user groups. You will have to reassign them.

[NOT RECOMMENDED] Technically, your trial Enterprise Edition license can also be converted to a long-term one, keeping your existing Business Edition setup intact, on the following condition:

• If your Business Edition license seats have been activated using the per-device/license key method, your trial Enterprise Edition license can be converted to a long-term one, albeit with much effort;

• If your Business Edition license seats have been activated using the per-user/SSO method, your trial Enterprise Edition license cannot be converted to a long-term one, and you'll need to convert one of the existing Business Edition ones.

Creating a completely new setup with new sublicense keys and user groups and migrating your users to it is a daunting task, so we don't recommend this path.

Prior to Parallels Desktop 16, users were not automatically upgraded to the next major Parallels Desktop version. Starting with version 16, this option became available.

In the past, to upgrade Parallels Desktop for Mac Business Edition to a newer version, an IT administrator would need to set up a local update server or use a remote management tool or install the new version manually on a Mac computer. With this new option, administrators have the ability to automate major version upgrades if the organization policy allows it.

Here's a quick overview of how this feature works:

1. You create a configuration profile in Parallels My Account and configure the Product Updates payload where you enable or disable the "Allow upgrade..." option.

2. You then apply the configuration profile to a license or sublicense key.

3. Parallels Desktop periodically checks if a new major version is available. If it is, depending on how updates are configured in Parallels Desktop, the user will see a notification (with an option to upgrade or postpone), or the upgrade will be performed silently. When the upgrade is initiated, the new major version of Parallels Desktop is downloaded to the Mac computer and installed on it. After that, Parallels Desktop restarts, completing the upgrade.

The subsequent topics describe in detail how to configure and use the major version upgrade functionality.

This section allows you to monitor all the Parallels virtual machines in use with your organization and delete them in case of need. The list shows not only the corporate machines installed from the but also other virtual machines running on your users' Parallels Desktop installations.

You can use the drop-down menu in the top-left corner to select which of the following parameters you want to monitor:

• User name. This parameter is derived from the user account name on that Mac;

• Computer name;

• VM name. As designated during the virtual machine’s image preparation process;

• VM state. This parameter has the following possible values: Running, Stopped, Suspended, Unknown;

• VM status. This parameter will help you sort between active virtual machines, the ones whose Parallels Desktop setup had been deactivated, and the ones that have failed to delete;

• VM OS, VM Edition, VM OS build. This sorts your organization’s virtual machines by the operating systems, including editions and build numbers;

• VM Source. This parameter helps you indentify which virtual machines were set up using your company's ;

• Last used date (UTC). This shows when the particular virtual machine was last launched. This parameter may help you quickly find unused virtual machines;

• Last reported date (UTC). This parameter shows the date and time a specific virtual machine’s presence was reported to the server;

• Parallels Desktop Version. This shows the major version number of the Parallels Desktop installation used to run a particular virtual machine. This may help you identify installations that have failed to upgrade to a newer, better version of Parallels Desktop;

• Parallels Tools Version. Using this parameter, you can, for example, identify the machines in your organization that either do not have Parallels Tools installed or use an outdated version;

• Mac serial number;

• CPU. In this column, you can sort your virtual machines by their operating systems’ target architecture: Intel or Arm (Apple silicon);

Uncheck the parameters you won’t need for your monitoring requirements.

Use the drop-down menu in the bottom-right corner to adjust the number of virtual machines shown per page from 10 to 40.

Use the search bar in the top right corner to find virtual machines by their known parameters, or use the individual filters in each column to search by that column’s parameter. Clicking on the funnel symbol in the header of each column will help you filter virtual machines by a specific parameter.

This may, for example, help you quickly identify the machines that require your immediate attention when an urgent upgrade is required to plug a known severe vulnerability.

Deleting a specific virtual machine

Once you have located a specific virtual machine, you can delete it by right-clicking on it and selecting Delete Virtual Machine. Read the dialog carefully and confirm by clicking Delete.

Incomplete or missing information on a specific virtual machine

Sometimes, information on a specific virtual machine may be incomplete or entirely missing from the Parallels Management Portal's virtual machine monitoring panel described earlier in this chapter. This section provides a list of possible explanations for each case so that you may follow it to eliminate potential causes.

A virtual machine is missing

• The VM is no longer active or has been removed.

• The Parallels Desktop for Mac application did not manage to report/communicate with the Parallels backend after the VM was created.

Incomplete information for a virtual machine

• The Parallels Desktop for Mac application is on an older version that does not support reporting these specific details. Use the Parallels Desktop Version parameter to verify.

• The Parallels Desktop for Mac application has been updated but hasn’t reported to the portal yet. Use the Last reported date (UTC) parameter to verify.

Information for a virtual machine is outdated

• Parallels Tools is not installed.

• Parallels Tools is installed but outdated and requires an update. Use the Parallels Tools Version parameter to verify.

To create a configuration profile for enabling major version upgrades, do the following:

1. Begin creating a new configuration profile as described in the section.

2. When you have the new configuration profile dialog open, select the Product Updates payload in the left pane.
3. In the right pane, select the Enable managing product updates option. This will enable the payload, so when the configuration profile is sent to Mac computers, they will receive it.

4. To enable major version upgrades, select the Allow upgrade to the major Parallels Desktop version option.

5. Click Save to save the configuration profile.

Configuration profiles are applied to registered Mac computers based on a license or sublicense key that they are using to run Parallels Desktop. By applying a configuration profile to a license or sublicense key, you are essentially applying it to Mac computers that use (or will use in the future) that key.

To apply a configuration profile to a license or sublicense key:

1. In Parallels My Account, click Dashboard in the top menu and then click Active subscriptions inside the Parallels Desktop for Mac Business Edition product card.

2. Click a subscription to open a page containing the subscription information.

3. In the License Keys list, choose a license or sublicense key and click the "gear" icon at the end of the row. This opens a dialog containing the license key information and settings. In the dialog, select the Configuration Profile tab.
4. Initially, the tab page will say that "Configuration profile is not set" and the drop-down menu next to it will contain the "Default" profile. This is because you haven't applied a custom configuration profile to this license key yet.

5. Expand the drop-down menu and select the configuration profile that you created earlier.

6. Click Save.

Once a configuration profile is applied to a license key, the following will happen on Mac computers that use this key:

• The next time Parallels Desktop communicates with Parallels cloud, it will receive the configuration profile and will save the data that it contains locally.

• When an action is performed (by the user or by a scheduled event) that has to do with one of the configuration profile payloads, the data is read from the local storage and is used accordingly depending on the payload and its settings. This is described in more detail in topics that describe individual payloads.

This concludes the description of how to create a configuration profile and how to apply it to a license or sublicense key. The subsequent sections describe how to configure individual payloads and how to use the corresponding functionality when managing Parallels Desktop installations in your organization.

Once your Parallels Desktop for Mac Enterprise License is registered in your Parallels Business Account, you can proceed to set up and configure your Parallels Management Portal where you can dynamically change user group policies and monitor virtual machines. Access it by clicking the following button:

Learn more about the Parallels Management Portal in of the guide.

We expect many Enterprise Edition users to upgrade from our previous flagship version, the Business Edition.

The Enterprise Edition differs in the deployment and management procedures, with a particular emphasis on the new , which enables you to apply and quickly change policies to groups of Parallels Desktop users and control and monitor Parallels Desktop virtual machines in your environment.

You can convert your existing Parallels Desktop for Mac Business Edition to an Enterprise Edition one by contacting your Parallels sales representative for purchase and further instructions. Make sure to communicate to them whether your setup uses per-device or per-user licensing, as the upgrade procedure differs slightly between these two setup types.

It is important to know that converting your Business Edition license to an Enterprise Edition one will not require you to reactivate your existing installations, move users to new groups, or redeploy your existing setup.

Once you convert your license to Parallels Desktop for Mac Enterprise Edition, your local Parallels Desktop for Mac installations will retain their assigned security policies until you set up different policies using the Management Portal, following of the guide.

Follow the instructions to begin the process of configuring SSO integration in Parallels My Account:

1. Log into your Parallels account using either your email address and password (but not using the Continue with SSO option) or Apple, Google, or Facebook sign-in services. Go to the page, and make sure that your business account is selected as the current workspace in the top-left corner.

2. Click the item in the business account navigation menu (top-right corner).
3. Once on the Business Profile page, choose the menu item in the top-right corner to open the IdP Integration configurator page.

4. When on the IdP Integration configurator page, click Start Configuring to begin setting up the integration between the Parallels My Account service and your identity provider. You will have to complete the configuration in 7 steps. Each step is represented on the page by a separate list item. Uncompleted steps are marked as gray, and the successfully completed ones become green. The configuration process is successfully completed when all seven items on the list are marked green.
5. Start with Step 1 (Configure Your Organization's Domain(s)), then continue until all seven steps are completed. Click on the title of each step’s section to expand it, and follow the instructions provided. The SSO integration will not start working until all the steps are complete. However, completing all steps at once is not mandatory—you can interrupt the process at any time and continue later. The information entered at the previous steps persists between sessions. Read the sub-chapters in this section for step-by-step setup guides specific to one of the officially supported IdP providers. If your provider is not on the list but supports SAML 2.0 and SCIM 2.0, we recommend referring to the steps described in the and applying them according to your IdP's documentation.

6. When all configuration steps are completed (marked green), the Activate Integration button becomes available at the top of the page. Click the button to activate the integration between Parallels My Account and your Organization’s IdP. You can deactivate the integration anytime by clicking the Deactivate button at the top of the page.

Once the above steps have been completed, proceed to the respective chapter that covers integration with your IdP provider.

By default, the integration process between Parallels My Account and your identity provider, described in , implies that all users of Parallels Desktop for Mac in your company will end up in one user group.

However, as explained in , it may be beneficial to spread your end users across multiple groups, depending on their departments or functions within the company. This will enable administrators to set their own restrictions for each individual group of users, as described in of the Parallels Management Portal section of this guide.

The goal of this chapter is to explain the intricacies of the grouping process and prevent potential activation or policy application issues.

Terminology

For the purposes of this guide, the most important term on your IdP's side is a unique group identifier, which, depending on your IdP, can also be known as UUID, Object ID, or group name. Another important term is a SAML token: a file which contains information about a user and is sent by IdP to the service provider (in this case, Parallels) during the SSO authentication process. The individual meaningful pieces of information in SAML tokens are called claims.

What binds these three terms together is that certain claims in SAML tokens contain group identifiers, allowing Parallels service to see what groups the authenticating user is included in on the IdP side.

Group structure

Some IdPs allow administrators to create hierarchical user group structures to better reflect the organizational structure of the company, e.g., a "Product" group that would include subgroups like "Engineers", "Designers", "QA", etc. In this case, a member of the "Engineers" subgroup would have at least two group identifiers in their SSO claim: one for the "Product" group, and one for the "Engineers" subgroup.

Mapping existing groups to the Parallels Desktop app in your IdP

With the above information in mind, your overall process to divide the Parallels Desktop for Mac users in your organization into individually managed groups should include the following steps:

3. Amend the settings of the Parallels Desktop application on your IdP side, so that the SAML token exchanged during the SSO authentication process includes the group identifiers for all the groups a user is part of. In Microsoft Azure/Entra ID, do it by following this path Home → AD → Enterprise applications → Select Application → Single sign-on → 2. Attributes & Claims -> Edit and changing the Group Claims setting from Groups assigned to the application to All groups.
4. Once you have added all the groups you want, click Save.

Now, your users can activate their copies of Parallels Desktop for Mac using their groups' assigned quotas, and you can apply group policies as you see fit.

To avoid possible security and privacy issues, a suspended Windows virtual machine can be completely locked from user interaction and viewing. When this option is enabled and a virtual machine is suspended, the Windows desktop in the virtual machine window (and in the Parallels Desktop Control Center) is replaced with a black background and the Windows session is interrupted. When the virtual machine is resumed, the Windows session is remained locked and the user will have to enter their credentials or authenticate (depending on how Windows is set up) to unlock it and see the Windows desktop.

To enable or disable this option:

1. Open Parallels Desktop and select the desired virtual machine (e.g. the source virtual machine when preparing it for mass deployment).

2. On the Parallels Desktop menu bar, select Actions > Configure to open the virtual machine configuration dialog.

3. Click the Security tab.

4. Depending on your needs select or clear the Always lock Windows on suspend option.

5. Close the dialog.

A Parallels virtual machine can be encrypted from the Parallels Desktop graphical user interface. This is done from the Security tab of the virtual machine configuration dialog.

You can also use the prlctl command line utility (included with Parallels Desktop) to perform a full set of encryption operations on a virtual machine.

The following command line options are available:

• Encrypt a virtual machine

  prlctl encrypt <ID | NAME>

• Decrypt a virtual machine

  prlctl decrypt <ID | NAME>

• Change the encryption password

  prlctl change-passwd <ID | NAME>

The <ID | NAME> parameter can be either the virtual machine ID or the virtual machine name. When encrypting a virtual machine, you'll be asked to enter a password phrase, which will be used to encrypt the machine. When decrypting a virtual machine, you will be asked to enter the current password. When changing the password, you'll be asked to enter the old password and then the new password.

The encryption password will also be required to perform any other command line operation on an encrypted virtual machine, including starting, stopping, restarting, pausing, suspending, cloning, deleting a virtual machine, etc. For example, to start an encrypted virtual machine, you'll use the following command:

$ prlctl start my_virtual_machine

After executing the command above, you'll be asked to enter the password:

Virtual machine "my_virtual_machine" is encrypted - password required to continue operation
Please enter password:

After typing in the correct password, you'll see the following output:

Starting the VM...
The VM has been successfully started.

If you need to execute a command remotely without having to enter the password on every Mac, you can send the password via standard input (stdin) as shown in the following example:

$ echo mypass | prlctl start my_virtual_machine
Virtual machine 'my_virtual_machine' is encrypted - password required to continue operation
Please enter password:
Starting the VM...
The VM has been successfully started.

If you need to provide two passwords (as with the change-passwd command that changes the password), you can save the passwords to a text file and then use the following syntax:

$ cat /tmp/pass | prlctl change-passwd my_virtual_machine
Virtual machine 'my_virtual_machine' is encrypted - password required to continue operation
Please enter password: 
Please enter new password:
The password has been successfully changed.

The /tmp/pass file in the example above should contain the old password on the first line and the new password on the second line:

$ cat /tmp/pass
mypass
newpass

With Parallels Desktop Enterprise Edition, you can set up a local update server on your network from which Mac users can get Parallels Desktop updates. Updates are released periodically to improve the performance and reliability of Parallels Desktop. To reduce Internet traffic when downloading updates, you can set up a local update server, download the available updates to it, and then set up individual Macs on your network to take the updates from it instead of the Internet. Read on to learn about setting a local update server.

To set up a Parallels Desktop update server, you'll need a local Web server. Install a Web server on a computer connected to your network (or use an existing one).

Follow the steps below one by one to integrate Parallels My Account with Microsoft Entra ID.

(1) Configure Organization's Domain(s)

A domain is a part of the email addresses (after the @ symbol) used by the end users in your organization. When end users try to log in to Parallels My Account using SSO, they are prompted to enter their work email address. Parallels My Account checks the domain part of the email address and recognizes that the user belongs to your organization. Click on the title of Step 1 to expand it and read the instructions carefully.

• Add one or more domains your organization uses.

• Each domain must be unique and can only be registered to one business account that your organization has registered with Parallels.

• Make sure to add only the domains your organization can control.

The Parallels My Account service verifies the domain ownership by checking a specific TXT record that must be added to the DNS host of the corresponding domain. Make sure that all domains added to the list are verified before proceeding with the next steps.

Depending on the software and/or provider, a TXT record may take up to 72 hours to propagate. You can check whether it's been configured using the following command:

$ dig TXT {yourdomain}.{com}

(2) Register Parallels Enterprise App

Registering the Parallels enterprise application (required for integrating with the Parallels My Account service) in the IdP Directory allows you to configure the SSO-related parameters and correctly provision the integration between your IdP and the Parallels My Account service. The description below illustrates the registration procedure for Microsoft Entra ID. It is assumed that you have the permissions required to register and configure enterprise applications with Entra ID. To register a Parallels enterprise application with Microsoft Entra ID:

1. Log into the Microsoft Entra ID portal using an account that has the privileges required to register and configure enterprise applications for your organization.

2. On the Home page, choose Microsoft Entra ID from the services gallery to open the landing page.

3. Choose Enterprise applications in the Manage section on the left-hand side panel to open the page with the list of the enterprise applications registered with your organization.

4. Click New application above the list of registered applications to open the Browse Entra ID Gallery page which allows you to add a new app.

5. Click Create your own application to start the procedure of registering a new custom enterprise app. The popup panel Create your own application opens on the right.

6. Type the name of the application (the actual name remains at your discretion), choose the Integrate any other application you don't find in the gallery (Non-gallery) option, click Create and wait while the new enterprise application is being created. You will end up on the landing page of your new Parallels enterprise application.

Once the Parallels enterprise application registration in the IdP Directory is completed, switch back to the integration configurator page at Parallels My Account, expand the section of Step 2, and select the Configuration in the IdP Directory is done option at the bottom of the section. Then proceed to the next step.

(3) Configure User Groups Mapping

You must create user groups associated with the Parallels Desktop application in your IdP Directory. Later, you will add users to those groups to let Parallels My Account know which users should have business account admin privileges in the Parallels ecosystem. At least one user group is required for adding users with admin access to your organization’s business account registered with Parallels. Once the group is created, you should add the group's name and ID in Step 3 of the integration configurator page in Parallels My Account.

Start with creating the group in the IdP Directory. To do so, switch to your IdP management portal and follow the standard procedure of creating a user group and associating it with the Parallels enterprise application, as provided by your Organization’s IdP. The description below illustrates the registration procedure for Microsoft Entra ID. It is assumed that you have appropriate permissions that allow you to manage user groups in Entra ID. To create a user group for the Parallels enterprise application in Microsoft Entra ID:

1. Log into the Microsoft Entra ID portal using the account which has privileges for managing user groups and configuring enterprise applications. 9

2. On the Home page, choose Microsoft Entra ID in the services gallery to open the Entra ID landing page.

3. Choose Groups in the Manage section on the left-hand side panel to open the page with the list of the user groups registered in your tenant.

4. Click New group above the list of registered groups to open the page for creating a new group.

5. When on the page for creating a new group, specify:

   1. Group type: Security,

   2. Name and description of the group at your discretion,

   3. Membership type: Assigned.

6. Click Create and wait while the group is being created.

7. Once the group is created, it appears on the list of groups automatically. Select the group from the list (click on it) to open the page with the group’s properties.

8. Repeat steps 3, 4, 5, and 6 once again. Your goal is to set up two groups, one for the admins of your organization’s Parallels business account and another for the users of Parallels Desktop for Mac Enterprise Edition, who will be granted permission to activate their copies via SSO. Note: Please make sure that the respective group names on the IdP side and the Parallels My Account side match precisely. This will help you avoid potential problems, as some IdPs use group names in their identification and authorization processes.

9. Copy the names of the specified groups and the Object ID (assigned automatically) to Parallels My Account. To do so, switch back to the Parallels My Account integration configuration page, expand the Step 3 section, click on Click to edit on the respective group, paste the group name and ID into the corresponding input fields, and click Save. Repeat twice for the Parallels Business Account Admins and Parallels Desktop Users groups.

10. Switch back to the Microsoft Azure portal and associate both groups with the Parallels app. To do so:

    1. Choose MS Azure Home > Entra ID > Enterprise applications;

    2. Select the Parallels application from the list and click on it to open its home page;

    3. Select Users and groups on the side panel on the left;

    4. Click Add user/group;

    5. In Add Assignment, click on None Selected under Users and Groups to launch group selection;

    6. Select the groups created in Step 4, and click Select;

    7. Finally, click Assign.

    Make sure to link both groups, the administrators and the users.

11. While on the Parallels application’s home page in MS Azure Home, select Properties in the left-hand side panel, scroll down to the Assignment Required setting, and make sure it’s enabled.

12. On the same page, make sure that the Visible to users option is disabled.

13. Click Save at the top of the page.

Once the required groups have been created in the IdP Directory and associated with the Parallels app, switch back to the Parallels My Account integration configurator page. If everything is set, move on to the next step.

(4) Configure SAML Integration

SAML 2.0 integration between Parallels My Account and your organization’s IdP allows your organization's users to activate their copies of Parallels Desktop for Mac Enterprise Edition using Single Sign-On (SSO) while your admins can use it to log into the business account registered with Parallels using their main corporate login credentials.

To complete this step, you must copy certain parameters from your Parallels My Account to the settings section of the Parallels application registered in the IdP Directory and then copy certain data provided in the IdP Directory to the Parallels My Account admin panel.

The following description illustrates the procedure for Entra ID. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Entra ID. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice.

Expand the Step 4 section on the integration configurator page in Parallels My Account. Note that there are two groups of parameters in the section. The first group has two values, Service Provider Entity ID and Assertion Consumer Service URL, which must be copied from Parallels My Account to the IdP Directory. The second group includes three parameters – Identity Provider Entity ID, Identity Provider SSO URL, and Public Certificate. The values for these parameters must be copied from your IdP Directory to Parallels My Account.

There are two ways to copy the parameters between Parallels My Account and the IdP Directory: via metadata files (assuming your IdP software supports transferring those parameters via external files) or manually.

Begin with copying the first group of parameters — Service Provider Entity ID and Assertion Consumer Service URL (both values are pre-set automatically and cannot be changed) from Parallels My Account to the IdP Directory.

[RECOMMENDED] Option 1: Copying the data to and from Parallels My Account to Entra ID via a metadata file

Click Download a metadata file link in the subtitle of the group to save these parameters to the external metadata file. To transfer the values of the parameters from the metadata file to the IdP Directory, follow these steps:

1. Log into the Microsoft Azure portal using the account which has privileges for configuring enterprise applications.

2. Choose MS Azure Home > Entra ID > Enterprise applications, select the Parallels enterprise application from the list, click on it to open the application’s home page, and choose Single sign-on in the Manage section on the left-hand side panel to open the page for configuring the Single Sign-On method for the enterprise application.

3. When on the Single Sign-On configuration page, choose SAML as the Single Sign-On method. The page for configuring a Single Sign-on with SAML will open.

4. Switch to your IdP integration page in My Account, scroll down to, and expand Step 4 ("Configure SAML integration"). Under Service Provider Settings, click the Download a metadata file link to download the metadata.xml file.

5. Return to the Set up Single Sign-on with SAML page and click Upload metadata file at the top of the page to open the popup dialog that allows you to select the file. Select the file you have previously downloaded from Parallels My Account, then click Add to load the data from the selected file. The popup panel opens with the properties of the basic SAML configuration loaded from the metadata file.

6. Check that the following parameters are set: Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and the values of the parameters match those in the respective Parallels My Account section. Click Save.

7. On the left pane, choose Single sign-on. Select Attributes and Claims, then Edit, then click Add a group claim.
8. In Group Claims, select Groups Assigned to the Application and click Save.
9. To close the configuration, click Close at the top of the panel on the right. Then, return to the SAML-Based Sign-On page.

10. On the SAML-Based Sign-On page, under the SAML Certificates section, locate Federation Metadata XML and click Download.
11. Switch to your IdP integration page in My Account, scroll down to and expand Step 4 ("Configure SAML integration"). Under Identity Provider Settings, click on the Upload a metadata file link and select the downloaded XML file.

12. Select the Configuration in the IdP Directory is done option at the bottom of the section and click Save to finish the configuration. Proceed to the next step.

Option 2: Copying data to and from Parallels My Account to Entra ID manually

Alternatively, you can set up the basic SAML configuration manually. To do so, perform steps 1-3 as described above in the Option 1 section. When on the Set up Single Sign-on with SAML page, click Edit in the section (1) Basic SAML Configuration. A popup panel will open with the properties of the basic SAML configuration (the values won’t be set). Copy the value of the Service Provider Entity ID from Parallels My Account to the Identifier (Entity ID) box in the IdP Directory. Copy the value of Assertion Consumer Service URL from Parallels My Account to the Reply URL (Assertion Consumer Service URL) box in the IdP Directory. Click Save at the top of the panel to save the configuration. Close the Basic SAML Configuration panel.

Proceed to configure Attributes & Claims by adding the “user.groups” claim on the xn page in Entra ID as described above (refer to step 6 above in the Option 1 section).

Next, copy the three parameters from MS Azure’s Set up Single Sign-on with SAML settings to My Account. On the Single Sign-on page, scroll to 4. Set up Application Name and copy the value of the Login URL to the Identity Provider SSO URL field in My Account. Next, copy the value of Entra ID Identifier to the Identity Provider Entity ID field in My Account. And finally, under the SAML Certificates section, click to download the Certificate (Base64) file and copy the file’s contents to the Public Certificate field in My Account.

Finally, select the Configuration in the IdP Directory is done option at the bottom of the section and click Save in Parallels My Account to confirm that you have finished the configuration procedure in the IdP Directory. Proceed to the next step.

(5) Configure SCIM Integration

SCIM 2.0 integration between Parallels My Account and your Organization’s IdP allows you to keep user identity information in Parallels My Account in constant sync with the updates made to user identities in the IdP Directory.

It is assumed that your IdP software supports SCIM. For this reason, the SCIM Support option in the Step 5 section on the integration configurator page in the Parallels My Account is enabled by default. If your IdP does not support SCIM, disable the option and move on to the next step.

The following description is based on the assumption that SCIM is supported.

To configure provisioning via SCIM, you must copy two parameters: SCIM Base URL and Bearer Token (both values are pre-set automatically and cannot be changed) from the Step 5 section of the integration configurator page in Parallels My Account to the IdP Directory.

The description below illustrates the procedure for Microsoft Entra ID. It is assumed that you have appropriate permissions that allow you to configure enterprise applications in Entra ID. If your organization uses a different IdP service, follow the instructions provided in the admin guide specific to your IdP of choice. To configure SCIM settings at the IdP management portal:

1. Log into the Microsoft Azure portal using the account that has privileges for configuring enterprise applications.

2. Choose MS Azure Home > Entra ID > Enterprise applications. Select the Parallels enterprise application in the list, click on it to open the application’s home page, and choose Provisioning in the Manage section on the left-hand side panel to open the page for configuring the provisioning settings of the enterprise application.

3. On the Provisioning page, click Get Started. It opens the page where you can configure the provisioning settings.

4. When on the configuration page, set Provisioning Mode to "Automatic", then expand the Admin Credentials section and set the Tenant URL to SCIM Base URL (retrieve the value from Parallels My Account), Secret Token to Bearer Token (retrieve the value from Parallels My Account).

5. Click Save to save the changes.

6. [IMPORTANT] While in the Manage section of the Provisioning page, open the Attribute mapping tab and click on Provision Microsoft Entra ID Users. There, under the Attribute Mappings section, locate the externalId parameter, click Edit, change the Source attribute parameter from mailNickname to objectId, and click OK. Click Save in the top left corner. Note that without this step, there may be a mixup in product license provisioning between users with similar names.

7. Return to Overview (Preview) in the left side panel and click Start provisioning in the top-left corner.

Once the provisioning settings in the IdP Directory have been saved, switch back to Parallels My Account and select the Configuration in the IdP Directory is done option at the bottom of the section to confirm that you have finished the configuration procedure in the IdP Directory. Then, continue to the next step.

(6) Add users to the application groups

Add users and administrators to their respective groups created in Step 3 (described above) to permit them to activate their copies of Parallels Desktop (users) and log into Parallels My Account (administrators) using their corporate login credentials. To do so, switch to the IdP management portal and follow the conventional procedure (as provided by the IdP software) for adding users to the groups. Once it is done, or if you plan to add users later, select the Configuration in the IdP Directory is done option at the bottom of the section.

(7) Configure backup login

The backup login can be used to access your organization’s business account registered with Parallels bypassing Single Sign-On in an event of a SSO malfunction. By default, the backup login is set to the email address of the currently logged-in user. If you want to define a different backup login, add more users first on the Users page of the Business Profile section in Parallels My Account. The new user must log into the business account at least once before they can be designated as a backup login.

The Parallels Customer Experience Program is a feedback solution that allows Parallels Desktop to automatically collect usage statistics and system information that will help Parallels to improve the product's quality and support for popular configurations.

Regardless of how you choose to deploy Parallels Desktop to your end users, you will need to provide them with virtual machines to run. Parallels Desktop for Mac Enterprise Edition accepts virtual machine images in a packed .pvmp format. To create such an image:

1. Using your own Parallels Desktop setup, create a Parallels virtual machine, install the operating system in it, pre-install the software that your users may need, and otherwise configure the virtual machine according to your requirements. Note that if your organization has both Apple silicon and Intel Macs, you need to create a separate virtual machine for each processor architecture. For the list of supported operating systems, please visit https://www.parallels.com/requirements/. Note: Boot Camp-based virtual machines, archived virtual machines, and linked clones cannot be used for deployment.

2. If your virtual machine is running Windows, you may need to use Sysprep to strip it of installation-specific information such as the SID (Security Identifier), GUID (Globally Unique Identifier), and other identifiers before deploying it. Follow the directions from this KB article.

3. Make sure the virtual machine is shut down.

4. If your virtual machine has snapshots, it is recommended that you remove them. This will significantly reduce the virtual machine size. Moreover, these snapshots may be unusable on another computer because of hardware differences.

5. When the virtual machine is ready, it needs to be packed as a .pvmp file before you make it available for download to your users. To pack it:

   1. Open the Parallels Desktop Control Center;

   2. Right-click on the virtual machine that you want to transfer and select Prepare for Transfer. Parallels Desktop will start packing the virtual machine. This process may take some time, depending on the virtual machine size;
   3. Once the .pvmp package is created, you can right-click it and choose to show where it is stored in the Finder;

   4. An SHA-256 checksum for the virtual machine package is calculated automatically and saved as a .txt file in the same folder. You will need it later during the deployment process. You can also calculate the checksum by executing the shasum command.

Uploading the Image

Once you have a virtual machine saved as a .pvmp archive, upload it to the server from which Parallels Desktop users can download it to their Mac computers via HTTPS. The link must:

• Be available to all your end users without extra authentication;

• Lead directly to the virtual machine package file ending with .pvmp.

For example, a typical link to a file shared via Microsoft SharePoint has a structure that does not meet the requirements:

https://domain.sharepoint.com/:u:/g/personal/{user_name_company_name}/EX7k5IgeC53PsvTvVAvwqcLBH7cOc_q6kzLY-rtEZ8kNRA?e=biTI9C

Therefore, your task as a system administrator is to implement an alternative solution. We suggest that you make the virtual machine image files available only inside your corporate network and require off-site users to establish a VPN connection to it.

The next step is to configure individual Macs to take their updates from the local update server. This can be done automatically during the mass deployment of Parallels Desktop by modifying the appropriate deployment configuration option. Please see for the complete info (see the description of the Software Updates section of the configuration file).

If you have an existing Parallels Desktop installation that was not configured for automatic updates during deployment, then read on to learn how to do it manually.

To configure Parallels Desktop automatic updates, you need to modify the Parallels Desktop property list file on a Mac as follows:

1. Find the com.parallels.Parallels Desktop.plist file located in the Library/Preferences subfolder in the user's home folder. This is the Parallels Desktop property list file that contains the user-specific information.

2. Open the file using the Property List Editor application (included with Xcode).

3. Set the update policy by modifying the Application preferences.VolumeLicenseUpdatePolicy property. If the property doesn't exist, add it to the file specifying its data type as String. Set the property value using one of the following options (see also the Notes subsection below):

   • "Parallels" — when this value is set, the updates will be downloaded from the Parallels update server via the Internet. The value is case-sensitive.

   • Complete URL of the parallels_updates.xml file residing on your local update server. For example, "https://10.0.0.1/pdfm/v8/en_us/parallels/parallels_updates.xml". When the URL is specified, the updates will be obtained from the local update server.

   • "None" — automatic updates are disabled. The value is case-sensitive.

4. Specify how often Parallels Desktop should check for updates. This is done by modifying the Application preferences.Check for updates property. If the property doesn't exist, add it to the file specifying its data type as Number. Specify the property value using one of the following options:

   • 0 — Never

   • 1 — Once a day

   • 2 — Once a week

   • 3 — Once a month

5. Set the automatic download option. Find the Application preferences.Download updates automatically property. If it doesn't exist, add it to the file specifying its data type as Boolean. Set the property value using one of the following options:

   • True — Download updates automatically. Specify this value when using a local update server.

   • False — Notify the user about the updates but don't download them automatically. This option is useful only when updates are downloaded from the Parallels update server, and the user has full control over the update functionality.

6. Save the file and close the Property List Editor application.

Notes

On initial Parallels Desktop activation using a Business Edition key, the Parallels Desktop update properties will be absent from the com.parallels.Parallels Desktop.plist file. In such a case, a Mac user will be able to configure Parallels Desktop automatic updates using the Parallels Desktop graphical user interface.

When the update-related properties are added to the com.parallels.Parallels Desktop.plist file, the automatic updates will be performed according to the specified values. In addition, the value of the Application preferences.VolumeLicenseUpdatePolicy property will affect the Parallels Desktop update-related elements in the Parallels Desktop graphical user interface as follows:

• If the property contains a URL of the local update server or "None", the Parallels Desktop update-related controls will be disabled (grayed out) in the Parallels Desktop graphical user interface. The displayed settings will have no effect on how the Parallels Desktop updates are carried out. Therefore, the user will not be able to configure automatic updates or check for updates manually.

• If the property doesn't exist, has no value, or contains "Parallels" as a value, the Parallels Desktop update controls will be enabled in the user interface giving the user the ability to configure automatic updates and check for updates manually.

If a virtual machine user forgets the password of their guest OS account (e.g. a Windows user password), it can be reset outside the virtual machine using the command line interface.

To use this functionality the following conditions must be met:

• Parallels Tools must be installed in the guest OS.

• The virtual machine must be running. If it's stopped, start it and wait until you see the guest OS login prompt.

• Depending on your requirements, the following option can be selected or cleared in the virtual machine configuration dialog: Security > Require Password to: [ ] Change guest OS password via CLI. If this option is selected, you will be asked to provide the macOS administrator password to change the guest OS password from the command line. If the option is cleared, the administrator password will not be required. By default, the option is cleared.

To reset the password, open Terminal and enter the following command:

where:

• vm_name is the virtual machine name. To obtain the list of virtual machines installed on this Mac, type prlctl list.

• username is the guest OS user name.

• new_password is the new password.

Example:

If the Require Password to: Change guest OS password via CLI option is selected in the virtual machine configuration dialog (see above), the command will display the following text and prompt:

Enter the name of the macOS user with administrative privileges and press the Enter key. Type the user password and press Enter again.

Once the new password is set, you can use it to log in to the guest OS.

Parallels Desktop Control Center is a part of the Parallels Desktop graphical user interface. It's a window from which a Mac user launches virtual machines. By default, the Control Center displays the list of the available virtual machines, as in the following example:

You can customize the Control Center by specifying a URL to your own HTML document, which will be embedded at the top of the Control Center window. The HTML page can contain text, graphics, and links such as your company logo, custom text, a link to a support page, etc. The HTML document format doesn't have any specific requirements.

The URL must be specified during the preparation stage of the . Specifically, you need to specify the URL and the HTML page size using the following variables in the mass deployment configuration file (deploy.cfg):

• control_center_banner_url

• control_center_banner_height

• control_center_banner_min_width

The following is an example of Parallels Desktop Control Center displaying a custom banner at the top.

You can download a sample HTML document defining the banner using the following URL:

When configuring USB device settings for a virtual machine, you can enforce what types of USB devices are allowed to be connected. For example, if storage devices (in general) are not allowed, the Mac user will not be able to connect an external hard disk or thumb drive to the virtual machine. This functionality is available in Parallels Desktop Business edition only and is absent in other editions.

To enforce USB device policies, open the virtual machine configuration window and select Hardware > USB & Bluetooth.

In the Allow external devices list:

• Clear the types of devices that you don't want Mac users to connect to the virtual machine.

• Select the types of devices that should be allowed.

When users run Parallels Desktop Enterprise Edition, they can get support at any time by clicking the Help > Support Center menu. By default, this will open one of the following:

• If you are a large organization with your own Help Desk, the menu will open a message box saying the user should contact the system administrator for assistance.

• If you are a small organization without a Help Desk or if you are using a trial version of Parallels Desktop, the menu will open the Parallels Desktop support web page.

You can change the default behavior described above and make the Help > Support Center menu open a custom URL, such as your corporate Help Desk page or any other web page you desire.

The customization can be done during mass deployment of Parallels Desktop by modifying the corresponding deployment configuration parameter. Please see for the complete info (see the description of the Help and Support section of the configuration file).

You can also make the customization manually on an individual Mac as follows:

1. Log in to the Mac.

2. In the Finder, navigate to the /Users/<User_Name>/Library/Preferences directory and locate the com.parallels.Parallels Desktop.plist file.

3. Open the file using the Property List Editor application, which is included with Xcode.

4. Find the SupportRequestUrl property in the file. If the property doesn't exist, add it to the file specifying its data type as String.

5. To specify the action that should be performed by the Help > Support Center menu, set the value of the SupportRequestUrl property:

   • To display the default text message, clear the property value.

   • To open a URL, specify the full URL of the desired web page or resource.

By default, Parallels Desktop Business and Enterprise Edition downloads updates from a special location on the Parallels website dedicated to hosting Parallels Desktop Business and Enterprise Edition updates. Parallels Desktop Standard and Pro editions download their updates from a different location. As an administrator, you have an option to choose the location from which Parallels Desktop Business or Enterprise Edition downloads updates. The reason why you would want to do this is explained below.

When Parallels Desktop updates are released by Parallels, they become immediately available for Parallels Desktop Standard and Pro Editions. Updates for Parallels Desktop Business and Enterprise Edition are released at a slightly later date (from a few days to 1-2 weeks from the initial release). The delay is necessary for additional testing of business features of Parallels Desktop to ensure they meet the highest quality standards. During this period, we even give an updated version of Parallels Desktop to some of our corporate customers,who test and evaluate it in their real-world environments.

We recommend that you use the default configuration and download Parallels Desktop Business/Enterprise Edition updates when they are finalized and available for download. However, if for any reason you don't want to wait, you can configure Parallels Desktop Business or Enterprise Edition to download updates from the Parallels Desktop Pro location. The updates are the same regardless of where you download them from. The only difference is, the updates downloaded from the Parallels Desktop Pro location will have not been fully tested in a business environment.

When you mass-deploy Parallels Desktop, you can set the desired Software Update options in the deployment configuration file. Mass Deployment of Parallels Desktop is described later in this guide. For more information, please read the entire and specifically the section. Look for the Software Updates section in the parameter table.

If you need to modify Parallels Desktop software update options on a specific Mac without using the Mass Deployment procedure, you can do this as described below.

To configure Parallels Desktop to download updates from the Parallels Desktop Pro location, execute the following command on a Mac:

The command above writes the specified URL (the parameter in the second part of the command) into the Parallels Desktop plist file. Please note that the "v20" part of the URL indicates the current Parallels Desktop version number. If you are using a later version, substitute this part with the correct number.

To switch back to the default Parallels Desktop Business/Enterprise download location, execute the following command:

Create a file named parallels_updates.xml on the Web server where it can be accessed via HTTP. The file is an XML document that should contain specifications for a particular Parallels Desktop update available on your local updated server.

To create your own document, use the following sample XML document and the XML document specification that follows it as a reference.

A Sample parallels_updates.xml File

XML Document Specification

Parallels Tools is a collection of utilities and drivers that vastly improve the virtual machine performance and enable some features that are not available otherwise. Parallels Tools are included with every copy of Parallels Desktop and are highly recommended to be installed in every virtual machine right after an operating system is installed in it. Your source virtual machine should have Parallels Tools installed. For instructions on how to install Parallels Tools, please see .

A Parallels Desktop for Mac license key is required to activate Parallels Desktop on target Macs. The key must be specified in the autodeploy package.

You can find the primary key in your Business Account customer area as described in . There, you can also issue secondary keys that we recommend to use for activation.

To specify the license key:

1. In the autodeploy package, expand the Parallels Desktop Autodeploy > Scripts > License Key and Configuration folder.
2. Open the deploy.cfg file in a text editor.

3. Find the License section (second from the top) and enter your Parallels Desktop Business Edition license key as a value of the license_key variable. The key must be supplied in the following format: "XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX" (including quotes and dashes).

4. Save the deploy.cfg file.

SSO activation is one of the activation options offered with a newly installed/deployed copy of Parallels Desktop for Mac. Users who choose this option will see a window that looks like this:

Some users might skip this dialog by clicking Cancel. In this case, you can instruct them on how to re-start the SSO-based activation procedure manually. To start the SSO-based activation:

1. In the application's menu, choose Parallels Desktop → Account & License... and select the Continue with SSO option.
2. On the Sign-In to Parallels Account dialog, clicking Business Edition (at the bottom of the dialog, on the left) opens the Activate Business Edition dialog.
3. On the Enter Enterprise Key dialog, clicking Continue with SSO (at the bottom of the dialog, on the left) opens the dialog, which prompts the user to enter the corporate email address. This is where the product activation procedure via Single Sign-On starts!
4. Users should type their corporate email address in the popup dialog that is opened by clicking Continue with SSO, then click Next.

Once you have added all the files to the package and in the deploy.cfg file, it's time to turn the resulting folder into a flat package suitable for deployment via your MDM solution of choice.

Do the following:

1. Inside the Autodeploy Package folder, locate the Scripts folder, right-click on it, and choose Services > New Terminal at Folder. This will open a Terminal window right in the Scripts directory where the build script is located.
2. Launch the package building script by typing the following command and pressing Enter:

E.g.,

This action creates a .pkg file in the destination folder that is ready for distribution.

When preparing a source virtual machine for mass deployment, you may change any of its configuration settings to fit your needs. The following list describes a few common options:

• CPU & Memory. Beginning with Parallels Desktop 17, you can configure a virtual machine to select CPU and memory settings automatically depending on the available hardware resources. This option is preselected for all new virtual machines. To ensure it is selected, open the virtual machine configuration, and select Hardware > CPU & Memory. In the right pane, check that the Automatic option is selected.

• Shared Folders and Profiles. Parallels Desktop offers great flexibility in bridging the capabilities of macOS and your guest operating system by configuring shared folders and profiles. Think over which files and folders you wish to share between the two operating systems and set them up beforehand.

• Enforce USB Device Policies. Specify what types of USB devices can be connected to the virtual machine. See Enforcing USB device policies for complete details.

• Installing Applications. You can install all the necessary applications in the virtual machine before deploying it.

For the complete information about Parallels virtual machine configuration, please refer to the Parallels Desktop User's Guide.

The corporate VM image policy is checked every time a new VM creation process is started by the user in Parallels Desktop on a Mac computer. If the corporate VM image policy is set (a configuration profile with the VM for Intel Mac or VM for M-series Mac payload exists and has been applied to the license key used by this Parallels Desktop installation), the Parallels Desktop Control Center displays a message inviting the user to download the corporate VM image. If the user accepts the invitation, the VM image download begins and the progress indicator is displayed (note that because of the large size of a VM, the download may take some time). If the user declines, he/she is taken to the Installation Assistant where they can create a virtual machine from scratch.

After the VM image download completes, the image is unpacked, and the virtual machine is registered in Parallels Desktop.

On this page, you can assign policies for pre-existing user groups that you can set up in Parallels My Account. Each user group is a sublicense of your main Parallels Desktop Enterprise Edition license with a unique key.

To create user groups and populate them with users, please refer to this page.

To create a new policy, click on the Add button in the top left corner of the page.

Presently, policies only define what users from your organization can do with their Parallels Desktop setups and not their virtual machines. The four available settings are:

• Limit users to corporate virtual machines only. This policy prevents users from setting up new virtual machines from sources other than your organization’s Golden Images, as well as importing or cloning pre-existing ones. You may want to enact this policy to prevent members of your organization from setting up virtual machines for their own extracurricular activities;

• Limit the number of corporate virtual machines per user to one. This setting prevents users from installing any more virtual machines from the approved sources (i.e., your organization’s Golden Images). Note: If you select this option alone, without the previous option, users will still be able to add new virtual machines using third-party sources, such as the default images available through Parallels Desktop;

• Do not allow removing corporate virtual machines;

• Do not allow upgrading to the next major Parallels Desktop version. This setting will still allow users to update their Parallels Desktop installations to a minor version (e.g., 20.0 to 20.1) but will prevent them from upgrading to a major version (e.g., from 20.x to 21.x) when it becomes available. Enabling this setting will allow you to first ensure that a major new version suits your needs before proceeding with a fleet-wide upgrade. Note: This setting will have no effect if your organization is running a local update server, or your update policies are managed via an MDM solution.

When adding a new policy, provide the following information:

1. Name. Use a unique descriptive name in case the number of policies increases in the future;

2. Description;

3. User group. This setting allows you to add and remove the groups that the policy applies to. To add a group, select one from the drop-down list and click Add. To remove one already added, click on the Trash Can symbol next to the one already listed;

4. Set the restrictions as described above;

5. Click Add.

The default view of the main Policies screen shows you the list of all the policies under your management, citing their names as provided during the setup process, their descriptions, and the list of groups they apply to. Right-clicking on a policy from the list allows you to edit or delete it.

Asset tags help identify, control, and track computer assets in an organization. Parallels Desktop for Mac Business Edition provides the ability to set an asset tag in the virtual machine BIOS, which can then be read using the standard tools of the guest operating system. You can set an asset tag using the Parallels Desktop graphical user interface or the prlctl command line utility that comes with Parallels Desktop.

To set an asset tag using the Parallels Desktop GUI:

1. On the Parallels Desktop menu bar, select Actions > Configure to open the virtual machine configuration dialog.

2. Select Business.

3. Use the Asset tag field to specify the desired tag.

To set an asset tag using the prlctl command line utility, use the following syntax:

prlctl set ID|name --asset-id tag

where ID|name is the virtual machine ID or name, and tag is the asset tag to set.

To obtain the asset tag in Windows, use the WMIC.exe command:

WMIC SystemEnclosure get SMBIOSAssetTag

For the complete syntax of the WMIC utility please see the Microsoft documentation.

Once set, the asset tag never changes. Even if you perform such virtual machine operations as cloning, template manipulation, registering, or any other, the asset tag always stays the same. If you do want to change an existing asset tag for any reason, you can do it manually using of the methods described above.

Parallels Desktop for Mac Enterprise Edition allows you to protect the configuration of a virtual machine with a custom password. When a password is set, even a local Mac administrator will be required to enter it in order to modify virtual machine settings.

Setting the Password via GUI

To set a password in the Parallels Desktop graphical user interface:

1. Open Parallels Desktop and select a virtual machine.

2. On the Parallels Desktop menu bar, select Actions > Configure to open the virtual machine configuration dialog.

3. Select Security.

4. Click the Custom password: Turn On... button.

5. Enter a password, then enter it again to verify and click OK.

To change or remove the password:

• To change the password, click the Change Password button and follow the instructions on the screen.

• To remove the password, click Custom password: Turn Off and follow the instructions on the screen.

If the password is set and the user tries to view or modify the virtual machine configuration, they will be required to enter this custom password.

Setting the Password via CLI

In addition to the graphical user interface, you can use the prlctl command-line utility to set a custom password for editing the virtual machine configuration.

To set the password, type the following command in Terminal:

where vm_name is the virtual machine name in quotes. You'll be asked to enter a password and then confirm it.

To change or remove the password, type the same command as above:

You'll be asked to enter the current password and then a new password.

To view the current protection status for a virtual machine, type the following command:

In the output, search for the Security section and look at the Custom password protection property. It will be either set to "on" or "off".

Setting the Password Using the Mass Deployment Process

If you are mass deploying Parallels Desktop and one or more virtual machines, you can simply set the custom password in the source virtual machine. When a virtual machine is deployed on Mac computers, the password will be retained.

Starting from Parallels Desktop 18, the Activation using corporate account (sometimes referred as SSO-activation) option became available.

This option works best for Medium and Enterprise size organizations that have an identity provider (e.g., Entra ID) and rely on it to automate applications license management routines. With SCIM integration (optional) licenses from contractors and people who left the company and removed from the identity provider directory will be automatically revoked. There is also an option to automatically revoke licenses from people who are not using the product for a long time.

The license key is also not used in this scenario, so there are less chances for it to be misused.

There are three major steps to enable this option:

1. This option works only if you purchased a special license type. Please check your license certificate for details and contact your sales representative if you have questions. Note that the minimum purchase for this license type is 50 licenses and it is not available as an online purchase from parallels.com.

2. IT team has to setup integration between your identity provider (Entra, Okta, Ping Identity, or others that support SAML 2.0 and SCIM 2.0) and Parallels My Account by using the "Configure SSO-based activation" guide that is available in this . If there is no guide for your identity provider, it is recommended to follow the one for Entra ID.

3. To provide your employees with the best user experience use the deployment capabilities described in this guide or simply share this link with users: .

As administrator of a large Parallels Desktop for Mac deployment, you may need to restrict your users' ability to perform certain common actions, such as creating a completely new virtual machine that would be outside of your control and not configured to your company's standards, or remove your standard-issue corporate virtual machine.

One of the advantages of Parallels Desktop for Mac Enterprise Edition is the ability to set up, monitor, or change all such policies on all of your organization's workstations in a centralized manner via the Parallels Management Portal. Refer to the Policies section for more information.

Your users won't be able to access the Settings -> Security panel on their managed machines where that panel looks like this:

To create a configuration profile:

1. Log in to your Parallels business account.

2. In the Parallels Desktop for Mac Enterprise Edition product card, click Registered Computers.

3. Click the More item in the main menu (top right) and choose Configuration Profiles, as shown in the screenshot below.
4. The page listing configuration profiles opens. If you haven't created any profiles yet, the list will be empty.

5. Click the Create Profile button. A dialog opens where you can configure the profile.
6. To replace the default profile name (top left), simply erase the default name (New Configuration Profile) and type a new one.

7. The payloads are listed in the left pane. To configure a payload, select it and then specify the necessary settings in the right pane. Each payload has the "Enable..." option at the top of the right pane. This option enables or disables a payload but doesn't change or discard the payload settings. When a payload is enabled, it is included in the configuration profile when the profile is applied to Mac computers. When a payload is disabled, it is not included, so Mac computers don't receive it. For creating the payload (i.e, a virtual machine image), refer to this page of the guide.

8. When done, click Save to save the configuration profile.

At this point we will not configure any of the payloads yet and will go straight to applying the configuration profile to a license or sublicense keys (it is allowed to create a profile with all payloads disabled). Once you learn how to create and apply a configuration profile, we'll talk about how to configure and use each individual payload.

Single Application Mode is a special Parallels Desktop deployment option that allows you to largely obscure Parallels Desktop and Windows on a Mac, making Windows applications appear native to macOS. This mode is designed for system administrators who want Mac users in their organization to run one or more Windows applications while minimizing their interaction with Windows or Parallels Desktop.

To make Parallels Desktop run in Single Application Mode, you need to deploy it on Mac computers via the autodeploy package. This includes preparing the autodeploy package in a special way and then either deploying it on Mac computers using Mac management tools or running it manually on a Mac.

For more information about how to use the autodeploy package and how to deploy Parallels Desktop in Single Application Mode, please see the following sections of this guide:

Parallels Desktop Enterprise, Business, and Pro editions include developer tools which are aimed at software developers using Parallels Desktop as part of their development and testing setup. The tools are accessed by clicking the Develop menu on the virtual machine menu bar and then choosing one of the available options (e.g. Start SSH Session, Start Debugging Session, and others). If users in your organization are not using these tools, you can hide the Develop menu altogether. The reason you would want to do this, some of these features (if used accidentally) may start a debugging session or engage in some other development-specific activities that may temporarily disrupt normal Parallels Desktop operation.

This option is a part of a virtual machine configuration and can be set using the Parallels graphical user interface as follows:

1. Open the virtual machine configuration dialog (click the gear icon or choose Actions > Configure).

2. In the dialog, click Options (at the top) and then click More Options in the left pane.

3. In the right pane, select or clear the Show developer tools option. This will show or hide the Develop menu on the virtual machine menu bar (you don't have to restart a virtual machine if it's running).

To modify this setting from the command line, execute the following command in Terminal:

where ID/Name is the GUID or name of a target virtual machine.

When mass deploying Parallels Desktop on Mac computers in your organization, you can configure the autodeploy package to apply these settings to all included virtual machines automatically. For details, see .

To create a configuration profile for VM image provisioning:

1. Begin creating a new configuration profile as described in the section.

2. When you have the new configuration profile dialog open, select VM for Intel Mac or VM for M-series Mac payload, depending on the image type that you want to provision.
3. In the right pane, select the Enable VM image provisioning option and specify the following properties:

   • Name: Type a name for the VM image as you want it to be named in this profile. This is the name your users will see in Parallels Desktop when they receive an invitation to download it. This field is mandatory.

   • Description: An optional description. The end user will see this description in Parallels Desktop. For example, if a VPN connection is required to download the image, you may include this information here.

   • Download URL: The VM Image download URL. Mac users must be able to download the image via HTTP or HTTPS using this URL. This field is mandatory. For additional info, please see .

   • Checksum (SHA-256): The VM image checksum. This field is mandatory. If you used the PVMP format to archive the virtual machine, the checksum was calculated automatically and saved as a VmName.sha256.txt file. If you archived the virtual machine using the ZIP or other supported format, you'll need to calculate the checksum. For the info about the PVMP format and how to calculate the checksum, please see .

4. Click Save to save the configuration profile.

Beginning with Parallels Desktop 16 for Mac Business Edition, IT administrators have an option to provision a corporate Parallels Desktop virtual machine image from a link that they specify in Parallels My Account.

Here's a quick overview of how this functionality works:

1. An administrator first creates a Parallels virtual machine image with the operating system installed. The virtual machine will serve as a corporate VM image to be deployed on users' computers to run Windows applications used in the organization.

2. The virtual machine is then saved as an archive (ZIP or PVMP, we'll talk about archive formats later) and is placed on a server from which Parallels Desktop users can download it to their computers via HTTP or HTTPS.

3. The administrator creates a configuration profile in Parallels My Account and specifies the download URL of the virtual machine image (together with other required parameters).

4. When a Parallels Desktop user initiates the process of creating a new virtual machine, Parallels Desktop checks if a configuration profile with the VM image link exists and is applicable to the Parallels Desktop license key used by this Mac computer. If the profile exists, a dialog is shown to the user, inviting them to download and install the corporate virtual machine image. If the user accepts, the virtual machine is downloaded to the user's computer and is registered in Parallels Desktop.

The subsequent sections describe how to perform the steps above.

You can set an expiration date for a virtual machine. This can be a useful option if you are preparing a virtual machine for a contractor (or a third party user) and want to make sure that it works only for the duration of the contract.

To set an expiration date for a virtual machine:

1. Open Parallels Desktop and select the desired virtual machine.

2. On the Parallels Desktop menu bar, select Actions > Configure to open the virtual machine configuration dialog.

3. Select the Security tab.

4. An expiration date can only be set on an encrypted virtual machine. If your machine is not yet encrypted, click Encryption: Turn On, specify an encryption password, and click OK. Make sure to record the password or you will not be able to start the virtual machine. Wait until the encryption process finishes.

5. To set an expiration date for the virtual machine, click Expiration Date: Set Date, specify a password and click OK. Make sure to record the password to be able to change the expiration settings later. You should keep this password secret to prevent the prospective user of the virtual machine from changing the expiration date.

6. On the next screen, specify the following options:

   • Do not allow this VM start after: specifies the virtual machine expiration date.

   • Contact info: specifies the system administrator email, phone number, or other contact information. This information will be included in the message that will be displayed to the user when the virtual machine is about to expire. You can include each piece of information on a separate line.

   • Time Server: specifies the time server URL. The virtual machine expiration time will be checked against this server. The default time server is https://parallels.com.

   • Date Check Frequency: specifies how often the date and time should be verified against the time server. You can specify it in minutes, hours, or days.

   • If unable to check date, use VM for: specifies for how long the virtual machine should be kept working if the time server cannot be reached. For the duration of this period, the virtual machine will continue to check the date. If it succeeds before this period is over, the counter is reset, and the virtual machine will continue to work normally.

7. Click OK when done entering the expiration info.

8. To modify the current expiration date or password, click Expiration Date: Change Date or Expiration Date: Change Password and enter the new values.

When the expiration date approaches, the virtual machine user will be notified as follows: a message will begin to be displayed seven days before the expiration date. The message will be shown to the user every 24 hours and additionally on every virtual machine startup. Once the date is reached, the virtual machine will be locked, so the user will not be able to start or resume it anymore.