Trend Micro Apex One is an endpoint security platform that provides automated threat detection and response for Mac devices. This guide walks you through deploying Apex One silently across your fleet using Addigy Smart Software, including all required Device Settings (MDM Profiles) for Full Disk Access and System Extension permissions.
Overview
A complete Apex One deployment in Addigy requires three components, which must be configured and deployed in this order:
- PPPC Device Setting (MDM Profile) — grants Full Disk Access to Apex One processes
- System Extensions Device Setting (MDM Profile) — whitelists Apex One's system extensions
- Smart Software item — silently installs Apex One using the installer provided by Trend Micro
Important: Deploy both Device Settings to your devices before deploying the software. Installing the software first may cause end user disruption. Addigy's default installation priorities are designed to handle this automatically — see Priority Deployments for more information.
Prerequisites
- The Apex One .zip installer file, downloaded from your Trend Micro portal
Step 1: Create the PPPC Profile (Full Disk Access)
This profile grants Apex One the Full Disk Access permissions it needs to protect devices without prompting end users for approval.
- Navigate to Catalog > Device Settings and click New.
- Select PPPC.
- Add the following three entries to both the Access to Protected Files and Access to System Admin Files sections. For each entry, click Add New, fill in the fields, and make sure Allowed is checked.
| Identifier | Identifier Type | Code Requirement | Allowed |
|---|---|---|---|
| com.trendmicro.icore | Bundle ID | identifier "com.trendmicro.icore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "E8P47U2H32" | Yes |
| com.trendmicro.tmsm.MainUI | Bundle ID | identifier "com.trendmicro.tmsm.MainUI" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "E8P47U2H32" | Yes |
| com.trendmicro.icore.es | Bundle ID | identifier "com.trendmicro.icore.es" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "E8P47U2H32" | Yes |
- Click Save in the bottom right.
Step 2: Create the System Extensions Profile
This profile whitelists Apex One's system extensions so they load automatically without requiring user approval.
- Navigate to Catalog > Device Settings and click New.
- Select System Extensions.
- Under Allowed System Extensions, enter the following:
  - Team Identifier: E8P47U2H32
  - Bundle Identifiers: com.trendmicro.icore,com.trendmicro.tmsm.MainUI,com.trendmicro.icore.es,com.trendmicro.icore.netfilter
- Click Add, then click Save.
Note: Enter the bundle identifiers as a comma-separated list in the Bundle Identifier field. All four identifiers must be included for Apex One to function correctly.
Step 3: Deploy Both Device Settings to Your Policy
Add both Device Settings to the relevant Policy and confirm they have been delivered to your target devices before proceeding. You can verify profile delivery under GoLive > Device Settings > Installed Device Settings.
Step 4: Create the Smart Software Item
Once the profiles are deployed, create the Smart Software item to silently install Apex One.
- Navigate to Catalog > Software > Smart Software and click New.
- Enter a name (e.g., TrendMicro_Apex_One).
- Under Installation Files, click Select File(s) and upload the .zip installer file from your Trend Micro portal.
- Paste the following into the Installation Command field, adjusting the paths to match your item name, version, and filename:
unzip -o "/Library/Addigy/ansible/packages/TrendMicro_Apex_One (2.0)/tmsminstall (2).zip" -d "/Library/Addigy/ansible/packages/TrendMicro_Apex_One (2.0)/"
installer -pkg "/Library/Addigy/ansible/packages/TrendMicro_Apex_One (2.0)/tmsminstall/tmsminstall.pkg" -target /
The parts of the script that must match your setup:
- The folder path (e.g., TrendMicro_Apex_One (2.0)) must match the item name and version you set in Addigy exactly, including capitalization and spaces.
- The .zip filename (e.g., tmsminstall (2).zip) must match the exact filename of the file you uploaded.
- The final segment /tmsminstall/tmsminstall.pkg is consistent across Apex One versions and does not need to change.
- Click Save in the bottom right.
- Add the Smart Software item to the relevant policy for deployment.
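The following variant of the Step 4 install command is an added example, not a script from Addigy or Trend Micro. It fails loudly when the folder or filename does not match, and refuses to install a package whose signing Team ID differs from the one in the profiles. Assumptions: the paths are the sample ones from the command above, the installer package is signed under the same Team ID (E8P47U2H32) that the page gives for the extensions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the Step 4 install command with pre-install checks.
set -eu

# Assumptions: same item name, version and zip filename as the sample command.
PKG_DIR="/Library/Addigy/ansible/packages/TrendMicro_Apex_One (2.0)"
ZIP_NAME="tmsminstall (2).zip"
# Assumption: the installer package is signed by the Team ID from Steps 1-2.
EXPECTED_TEAM_ID="E8P47U2H32"

# Read `pkgutil --check-signature` output on stdin and print the Team ID
# in parentheses on the leaf ("1.") Developer ID Installer certificate line.
leaf_team_id() {
  sed -n 's/^[[:space:]]*1\. Developer ID Installer: .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p'
}

# Succeed only if the signature report in $1 names the expected Team ID.
signed_by_expected_team() {
  [ "$(printf '%s\n' "$1" | leaf_team_id)" = "$EXPECTED_TEAM_ID" ]
}

install_apex_one() {
  zip="$PKG_DIR/$ZIP_NAME"
  pkg="$PKG_DIR/tmsminstall/tmsminstall.pkg"
  # A wrong item name, version or filename is reported here and stops the run.
  [ -f "$zip" ] || { echo "missing: $zip" >&2; return 1; }
  unzip -o "$zip" -d "$PKG_DIR/"
  [ -f "$pkg" ] || { echo "missing after unzip: $pkg" >&2; return 1; }
  # pkgutil exits non-zero when the package has no valid signature.
  sig="$(pkgutil --check-signature "$pkg")" ||
    { echo "signature check failed: $pkg" >&2; return 1; }
  signed_by_expected_team "$sig" ||
    { echo "signer is not Team ID $EXPECTED_TEAM_ID" >&2; return 1; }
  installer -pkg "$pkg" -target /
}

# pkgutil and installer are macOS tools; elsewhere only the functions load.
if [ "$(uname -s)" = "Darwin" ]; then
  install_apex_one
fi
```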
Optional: Add an Install Condition
An install condition prevents the software from running before the required Device Settings have been delivered to the device — useful if you're deploying everything at once to a new Policy.
To add one, expand the Condition for Install section in the Smart Software item and select If profile exists. Choose the PPPC profile you created in Step 1. Addigy will automatically generate the condition script and will only proceed with installation once that profile is confirmed on the device.