When creating a new policy or editing an existing one, you may use the opportunity to establish remote administrative control over the settings for individual virtual machines in your corporate setup. This may help you prevent information leaks or minimize potential security vulnerabilities. This chapter lists the virtual machine settings that are available for remote control.
The following settings are currently available:
Attention: While all the listed settings are available for virtual machines running Windows, not all of them are supported for virtual machines running Linux, or macOS (on Intel or Apple silicon Macs). The supported guest operating systems are clearly marked across each individual setting. Consult the following table for applicability of particular settings.
Do not allow changing VM configuration (not available for macOS virtual machines on Apple silicon Macs)
Activating this option would prevent users from changing any virtual machine settings that are not listed here. For a complete list of virtual machine settings available in Parallels Desktop, read . Note: The linked chapter primarily describes settings available for Windows virtual machines. Available settings for Linux and macOS machines may differ.
Show Developer Tools (not available for macOS virtual machines on Apple silicon Macs)
This option unlocks an additional Parallels Desktop macOS bar menu that allows users to start SSH and debugging sessions with their virtual machines, generate core dumps, edit Windows registry, and . Developer tools are also available via .
Disable automatic updates of Parallels Tools
Parallels Tools are a suite of behind-the-scenes tools that allow seamless interaction between your Mac's macOS and a guest operating system. They normally update automatically, but this setting enables you to prevent that. To learn more about Parallels Tools, follow .
VM startup and shutdown
This drop-down menu controls how the virtual machine starts.
Manual. This option leaves the decision to launch or shut down the virtual machine to the user.
Ready in background. With this option, the virtual machine starts automatically with your Mac and remains ready in the background. This way, clicking on a Windows app icon in macOS instantly launches it without having to wait for the virtual machine to boot up.
Network source Note: If this setting is controlled remotely, the users won't be able to change other Network settings like Network Conditioner either. Adding another network adapter to the virtual machine's hardware configuration won't help: its settings will also be set as prescribed in the policy and won't be available for changing.
This drop-down menu controls the network settings for the Parallels virtual machines covered by a specific policy. The options are:
Disconnect. This option fully disconnects the virtual machine from any networks.
Shared Network (recommended). This option enables the Network Address Translation (NAT) feature for the virtual machine. In this case, your virtual machine shares whatever network connection is currently used by your Mac.
Host-Only. This option allows the virtual machine to connect to your Mac and other Parallels virtual machines on it but make it invisible outside the Mac. If this option is selected, the virtual machine cannot connect to the Internet.
Bridged Network (Default adapter). This options allows the virtual machine to access the local network and Internet through the default network adapter of your Mac. The virtual machine is treated as a stand-alone computer on the network and should be configured as such. Note: When set locally, this option allows you to select which Mac network adapter to use. However, when controlled remotely via a policy, the only option is to use the default adapter.
Isolate VM from Mac Note: Some of the settings in this section are not available on all supported platforms.
This section contains several ways to isolate the virtual machine from macOS, so that they no longer share folders, profiles, and applications. Connected external devices are no longer automatically accessible by the guest OS, the virtual machine and Mac no longer synchronize volume, and you can no longer copy or move objects between the virtual machine and macOS. Isolating your virtual machine from macOS may provide a higher level of security by not allowing compromised items from one OS to come into contact with the other. The section contains several specific settings for a more granular setup:
Disable sharing Mac folders with VM. This will prevent the virtual machine from accessing folders in the host Mac's macOS.
Disable sharing VM folders with Mac (Windows only). This will prevent the virtual machine from accessing folders in the virtual machine.
Disable sharing VM apps with Mac (Windows only). This will prevent opening Windows applications from the host Mac's macOS Finder.
Disable sharing Mac apps with VM (Windows only). This will prevent opening the host Mac's macOS applications from within the virtual machine.
Control clipboard synchronization (not supported for macOS virtual machines on Apple silicon Macs). This setting controls the contents of copy-and-paste clipboard between the Mac's macOS and the virtual machine.
Disconnect. Use this setting to completely isolate the clipboards of the Mac's macOS and the virtual machine.
Disable sharing smart card readers with VM (not available for macOS virtual machines on Apple silicon Macs)
Activating this option will isolate the smart card readers connected to the Macs from the Parallels virtual machines that run on them.
Do not allow external devices
Activating this option will bar your users from connecting external (i.e., USB) devices to the Parallels virtual machines running on their Macs. Note: When activated locally, this option enables you to granularly blacklist specific types of USB devices that you want to prevent, e.g., storage devices, mobile phones, or cameras. The Management Portal policy doesn't allow blacklisting specific types of USB devices yet. Learn more.
Always lock VM on suspend (not available for macOS virtual machines)
This option enforces the locking of virtual machine operating systems when they are suspended. Once the virtual machine is resumed, you’ll have to log into its operating system to unlock it.
Guest OS to Mac only
Mac to Guest OS only
On this page, you can assign policies for pre-existing user groups that you can set up in Parallels My Account. Each user group is a sublicense of your main Parallels Desktop Enterprise Edition license with a unique key. Read this chapter to learn more.
Attention: If you want, you may assign a new policy to the users activated with the primary license key. However, for security reasons, we strongly advise against using your primary key directly. Any compromised secondary (sublicense) keys can be deleted and replaced with new ones.
To create user groups and populate them with users, please refer to this page. If you plan on using Single Sign-On for license activation, refer additionally to this page.
To create a new policy, click on the Add button in the top left corner of the page. This will launch the multi-page policy creation process where you will have to provide the following information:
Name. Use a unique descriptive name in case the number of policies increases in the future.
Description.
Policy applies to. This setting allows you to add and remove the groups (as defined by ) that the policy applies to. Note: At any given time, each group may only have ONE policy applied to it, so you won't be able to add groups that already have other policies that apply to them. If you don't divide your Parallels users into groups, or have users assigned to the primary license key, you may assign a policy to the primary license key. To add a group, use the drop-down menu as indicated in the image above. To remove one already added, click on the
Throughout the policy creation process, you may use the Next and Previous buttons to move between the various steps and check settings.
Each policy includes a dedicated Golden Image that you may want to tailor to that group's specific needs.
Attention: Starting from version 20250909 of the Parallels Management Portal, the Policies page is the sole place for assigning Golden Images to specific groups, while the page remains the place where you create and/or customize them. Previous Golden Image assignments will be automatically combined with existing policies or turned into new ones.
Use the drop-down menu to select the preferred Golden Image and click Next.
At this step, you need to select specific limitations that will apply to this group of users. Presently, policies only define what users from your organization can do with their Parallels Desktop setups and not their virtual machines. The available controls are:
Limit users to provisioned VMs only. This policy prevents users from setting up new virtual machines from sources other than your organization’s , as well as importing or cloning pre-existing ones. You may want to enact this policy to prevent members of your organization from setting up virtual machines for their own extracurricular activities.
Limit the number of provisioned VMs per user to one. This setting prevents users from installing any more virtual machines from the approved sources (i.e., your organization’s ). Note: If you select this option alone, without the previous option, users will still be able to add new virtual machines using third-party sources, such as the default images available through Parallels Desktop.
Select the required settings and click Next.
This step allows you to control virtual machine settings remotely as part of the policy. Enable it by toggling the switch for the provisioned virtual machine image that (it will be marked as Current GI), and introduce the required settings.
If your policy users to create/add virtual machines from sources other than the provisioned Golden Image, you may also want to toggle the switch for VMs from other sources and introduce different or similar settings for those.
For the detailed description of available settings, refer to this .
Once you have filled out all the settings, click Add to enable the policy. You won't be able to create it unless all mandatory fields are filled.
The newly created/amended policy will apply to the target installations when the local Parallels Desktop for Mac installation checks for them. It is designed to happen on the following triggers:
The launch of the app.
Activation or reactivation.
Creating a new virtual machine.
A change of state of a virtual machine, including:
The default view of the main Policies screen shows you the list of all the policies under your management, citing their names as provided during the setup process, their descriptions, and the list of groups they apply to. Right-clicking on a policy from the list allows you to edit or delete it.
If a policy is marked as "not applied", it either means that no groups were selected during the creation, or the group(s) it initially applied to was (were) deleted.
Warning: Deleting a policy is non-reversible. Please make sure you are deleting the right one.
Click Next.
Do not allow upgrading to the next major Parallels Desktop version. This setting will still allow users to update their Parallels Desktop installations to a minor version (e.g., 26.0.1 to 26.1) but will prevent them from upgrading to a major version (e.g., from 20.x to 26.x) when it becomes available. Enabling this setting will allow you to first ensure that a major new version suits your needs before proceeding with a fleet-wide upgrade. Note: This setting will have no effect if your organization is running a local update server or your update policies are managed via an MDM solution.
Do not allow editing Parallels Desktop preferences. This setting prevents users from changing the preferences for their Parallels Desktop setups. With this policy applied, users attempting to open Parallels Desktop preferences by clicking Parallels Desktop > Preferences in the Mac menu bar will encounter a message telling them the action is blocked and referring them to the IT department. To learn more about the settings that can be changed in the Parallels Desktop Preferences panel, read of the Parallels Desktop's user guide.
Do not allow running VMs without this company's Parallels license. This setting prevents users from transferring and launching their virtual machines (as well as Golden Images) to Parallels Desktop installations that don't have your organization's Enterprise license. Read more on virtual machine encryption here. Note: The initial application of this setting to existing Parallels Desktop installations already running provisioned virtual machines will trigger a re-encryption procedure that will temporarily render those virtual machines unavailable for use. The users will receive a clear message when attempting to launch such virtual machines. Encrypting virtual machines using a command-line interface will become unavailable.
Start.
Suspend.
Resume.
Shutdown.
Change of virtual machine parameters (see more here).
Change of the Mac's network status, e.g., getting online.
If none of the above occurred, once a day per schedule.
