Anyone else have Parallels 7/8 working with Workgroup Manager managed permissions?

We're paying rather a lot of money for an annual subscription to Parallels Desktop, which we haven't been able to use as of yet because Parallels won't play nice within our managed environment. I was wondering whether anyone else has had greater success than us in "allowing" network users to open Parallels Desktop on a managed client using Workgroup Manager?

Basic specs: OS X 10.6.8, locally-configured MCX preferences, using Workgroup Manager as part of Server Tools 10.6.8. We've so far tried, with the latest version 7:
* Adding Parallels Desktop to the allowed list of Applications (logging in as a network user: "You don't have permission to open the application 'Parallels Desktop'.")
* Adding individual apps within the Parallels Desktop.app bundle (same result)

And with the latest version 8:
* Adding Parallels Desktop to the allowed list (logging in as a network user: "You don't have permission to open the application 'launcher'.")
* Adding "launcher" specifically ("You don't have permission to open the application 'inittool'.")
* Adding all other binaries to the list (back to "You don't have permission to open the application 'launcher'.")

In each case, I see some variation of the following message from parentalcontrolsd in the logs:

setup.local parentalcontrolsd[1193]: -[ActivityTracker checkApp:csFlags:] [1036:user] -- *** Incoming app appears to be masquerading as white listed app and failed signature validation: /Applications/Parallels Desktop.app/Contents/MacOS/launcher. Note: This may be a valid app of a different version than what was whitelisted (on a different volume?)

After trying many more permission combinations besides, I gave up and raised a support ticket which led to an internal developer ticket PDFM-36862. Is it really just a case of the developers fixing Parallels Desktop, or has anyone else had success letting it through the gates?

 

I'm having the same exact issue. Were you ever able to find a resolution? I was at least getting Parallels 7 to work if I put it in /Applications/Parallels and whitelisted that folder, but Parallels 8 gives me the error "You don't have permission to use the application "launcher".

 

A resolution took a lot longer to reach than I'd have liked, but I'm immensely grateful to Parallels Support for putting me in touch with one of the developers who spent a good couple hours troubleshooting this problem with me. Long story short: "com.apple.CodeSignature" extended attributes (xattrs) which work with OS X 10.7 and beyond were being stripped in 10.6 upon installation for being too long, causing the myriad of apps within the main Parallels application bundle to fail signature validation. So, here's what I did to get around that.

Rather than delete the remaining CodeSignature xattrs as suggested by the developer, I simply deleted the CFBundleSignature key from all the "Info.plist" files I could find in the Parallels Desktop bundle. This allowed me to add Parallels as an unsigned app in Workgroup Manager to avoid any CodeSignature confusion, but I still came up against "denied" messages when trying to launch Parallels as a managed user.

(To find the Info.plist files, I opened Terminal and executed the following command
find /Applications/Parallels\ Desktop.app/* | grep Info.plist

I was eventually able to eliminate most of the "denied" messages by adding just the "launcher" executable (Parallels Desktop.app/Contents/MacOS/launcher) to the allowed list, then also allowing all applications within the following folders:

/Applications/Parallels Desktop.app/ (as a folder! shift-cmd-G within the file navigation dialog to "Go to folder...", including application bundles)
/Library/Filesystems/prlufs.fs/
/Users/Shared/Parallels/ (where we store our ".pvm" virtual machine, as that's also treated as an application)

The one problem we have left to conquer is adding the dozens of dynamically-generated "WinAppHelper" copies (Mac applications acting as shortcuts to Windows applications for Dock icon placement purposes etc) to the allowed list, possibly sharing the "Applications (Parallels)" folder between users to facilitate this, and I've been waiting for the past few weeks to talk to developers about that in connection to two support tickets. We can live with the odd "denied" message for now though, at least now that we have a mostly functioning copy of Parallels 9 running on OS X 10.6.

I very much hope this information helps others in the same situation.

 

I also have this issue and submitted a help ticket. So far I haven't gotten any more info back other than having it escalated.
jc, if you're still around on the site could you recall the instructions for clearing out the extended attributes that Parallels recommended? I'm trying to dig around and I'm not even sure where to look to find these attributes to then use xattr to remove.