Using Addigy and Acronis together is an easy way to step up your ability to support your device users and ensure the safety of your fleet.
With the combination of Addigy and Acronis you can easily deploy Acronis to your entire fleet. You can then leverage Acronis statuses and warnings via the Addigy Devices page and build monitoring and remediation all in one place!
This article explains the process of leveraging the power of Addigy and Acronis side by side.
First we need to get Acronis deployed to your fleet.
Acronis Setup
- Ensure your Acronis Administrator account is activated.
- If you're an MSP managing multiple customers, you'll want a Customer Tenant for each company. The Partner Documentation explains this.
- Now be sure you've created at least one Protection Plan for each Customer. As of this writing, Backup, Antivirus and antimalware protection - real-time antimalware protection, and Vulnerability assessment run natively on Apple silicon and Intel. Device Control is supported natively on Intel, and through Rosetta 2 on Apple silicon.
- For an up-to-date list of supported features, see the Supported Cyber Protect features by operating system documentation.
Get Your Acronis Registration Tokens
- Go to a Customer tenant and click the Manage Service button at the top of the page.
- In the next screen, select Devices in the menu on the left and then click on Add in the top-right.
- In the Add devices panel that opens, scroll to the bottom of the panel where you'll find the Registration token section. Click Generate.
- In the screen that opens:
  - Set the life span to the maximum length.
  - Select a user from the current Customer. Any devices you register will be registered as belonging to this user.
  - Optionally select a Protection Plan. This allows the install script to also apply the selected Protection Plan.
- Click Generate Token and then Copy. Be sure to store the token somewhere safe, because you will not be able to see this token again. If you lose it, you'll have to create a new one.
- In the Addigy Custom Software Install script below, replace the placeholder value of REGISTRATION_TOKEN ("xxx-xxx-xxx-xxx-xxx") with the Registration Token generated here.
Addigy Setup
We will build an Addigy Custom Software item that delivers Acronis silently to your fleet of macOS devices.
Note: The Acronis installer is downloaded via the installation script. It is not necessary to upload it into the Smart Software item.
- In Addigy, navigate to Catalog >> Software:
- Select New and you are presented with the following view. In this example, we will name our Custom Software Acronis Cyber Protect 1:
Installation Script
Add the following Installation Script to the Custom Software you're creating.
Note: Lines 8 and 9 (REGISTRATION_URL and REGISTRATION_TOKEN) should be modified to include your Acronis URL and your token, respectively.
The Install Script checks for Acronis already being present.
```bash
base_path="/tmp/acronis_agent"
mount_path="${base_path}/dmg_root"
image_path="${base_path}/acronis_agent.dmg"
backup_config="/Library/Application Support/Acronis/Registry/BackupAndRecovery.config"
aakore_sock="/Library/Application Support/Acronis/Agent/var/run/aakore/aakore.sock"
stats_url="http://localhost/api/integration_management/v2/status"
registerer="/Library/Application Support/BackupClient/Acronis/RegisterAgentTool/RegisterAgent"
REGISTRATION_URL="https://xxx.cloud.acronis.com" # Replace with your actual registration URL
REGISTRATION_TOKEN="xxx-xxx-xxx-xxx-xxx" # Replace with your actual registration token
REGISTRATION_RETRIES=15
REGISTRATION_DELAY=10
DOWNLOAD_RETRIES=5
PLAN_RETRIES=5
PLAN_DELAY=5
RETRY_MAX_TIME=300
download_url_x86_64="${REGISTRATION_URL}/bc/api/ams/links/agents/redirect?language=multi&channel=CURRENT&system=apple&architecture=64&productType=enterprise&white_labeled=1"
download_url_arm64="${REGISTRATION_URL}/bc/api/ams/links/agents/redirect?language=multi&channel=CURRENT&system=apple&architecture=arm&productType=enterprise&white_labeled=1"

# Reports the installation event to the local agent over its Unix socket
send_stats () {
    category="InstallAgent"
    # hardcoded values based on the script type
    os="MacOS"
    version="1.0.0.0"
    vendor_name="Addigy"
    vendor_version="1.0.0.0"
    application_id="ebf655ba-e5c7-4f46-8358-8a40199d91d2"
    resource_id=$(grep "InstanceID" "${backup_config}" | sed -E 's/.*<value name="InstanceID" type="TString">"(.+)"<\/value>.*/\1/' | tr '[:upper:]' '[:lower:]')
    agent_id=$(grep "MMSCurrentMachineID" "${backup_config}" | sed -E 's/.*<value name="MMSCurrentMachineID" type="TString">"(.+)"<\/value>.*/\1/' | tr '[:upper:]' '[:lower:]')
    hostname=$(grep "CachedHostName" "${backup_config}" | sed -E 's/.*<value name="CachedHostName" type="TString">"(.+)"<\/value>.*/\1/')
    # Arguments are quoted so that an empty value or a hostname containing
    # spaces cannot shift the remaining fields into the wrong placeholders.
    printf -v payload \
    '{
        "module": {
            "version": "%s",
            "name": "%s"
        },
        "vendor_system": {
            "version": "%s",
            "name": "%s"
        },
        "application_id": "%s",
        "workload": {
            "resource_id": "%s",
            "agent_id": "%s",
            "hostname": "%s"
        },
        "events": [
            {
                "label": "%s",
                "category": "%s",
                "action": "%s"
            }
        ]
    }' "$version" "$category" "$vendor_version" "$vendor_name" "$application_id" "$resource_id" "$agent_id" "$hostname" "$os" "$category" "$category"
    curl -s \
        -X POST \
        --unix-socket "${aakore_sock}" \
        --url "${stats_url}" \
        -H "Content-Type: application/json" \
        -d "$payload" > /dev/null
}

# Cleaning up temporary files
cleanup() {
    printf "Cleaning temporary installation files.\n"
    if mount | grep -q "${mount_path}"; then
        printf "Unmounting temporary installation image.\n"
        hdiutil detach "${mount_path}"
    fi
    if [[ -d "${base_path}" ]]; then
        printf "Removing temporary installation files.\n"
        rm -rf "${base_path}"
    fi
}

# Removes any existing registration before the agent is registered again
unregister_agent() {
    printf "Unregistering agent.\n"
    if ! "${registerer}" -o unregister; then
        printf "Unregistering an agent failed.\n"
    else
        printf "Successfully unregistered an agent.\n"
    fi
}

# Downloads, verifies and installs the Acronis agent on this macOS device
agent_install() {
    printf "Preparing temporary installation directory.\n"
    if ! mkdir -p "${mount_path}"; then
        printf "Unable to create temporary installation directory.\n"
        return 1
    fi
    # Restrict the working directory to the user running the script
    current_user=$(id -un)
    chown -R "${current_user}" "${base_path}"
    chmod -R 0700 "${base_path}"
    architecture=$(uname -m)
    if [ "$architecture" == "arm64" ]; then
        printf "Detected architecture is ARM64.\n"
        download_url=$download_url_arm64
    elif [ "$architecture" == "x86_64" ]; then
        printf "Detected architecture is x86-64.\n"
        download_url=$download_url_x86_64
    else
        printf "Failed to recognize system architecture: %s. Aborting the installation.\n" "$architecture"
        return 1
    fi
    if [ -z "$download_url" ]; then
        printf "Failed to retrieve download link for current platform.\n"
        # return (not exit) so the caller can clean up before stopping
        return 1
    fi
    printf "Downloading Acronis Cyber Protection Agent for Mac.\n"
    if ! curl --retry $DOWNLOAD_RETRIES --retry-max-time $RETRY_MAX_TIME -f -L -C - -o "${image_path}" "${download_url}"; then
        printf "Downloading of the installation image failed.\n"
        return 1
    fi
    if ! hdiutil attach "${image_path}" -mountpoint "${mount_path}" -nobrowse -noautoopenro; then
        printf "Mounting of the installation image failed.\n"
        return 1
    fi
    # Refuse to install unless the signature report names the expected developer
    if ! pkgutil --check-signature "${mount_path}/Install.pkg" | grep -q "Acronis International GmbH"; then
        printf "Failed to validate package signature. Aborting the installation.\n"
        return 1
    fi
    if ! installer -pkg "${mount_path}/Install.pkg" -target LocalSystem; then
        printf "Failed to install the package.\n"
        cat /var/log/acronis_install.log
        return 1
    fi
}

# Will register the agent to Acronis Cyber Cloud
agent_registration() {
    printf "Starting registration of Acronis Cyber Protection Agent for Mac.\n"
    for ((i = 1; i <= REGISTRATION_RETRIES; i++)); do
        # The pause grows with every attempt
        registration_interval=$((REGISTRATION_DELAY * i))
        printf "Pausing for %d seconds before registration attempt.\n" $registration_interval
        sleep $registration_interval
        printf "Attempting to register an agent.\n"
        if "${registerer}" -o register -t cloud -a "${REGISTRATION_URL}" --token "${REGISTRATION_TOKEN}"; then
            printf "Registration of an agent succeeded.\n"
            return 0
        fi
        printf "Registration of an agent failed.\n"
    done
    printf "No more registration attempts left.\n"
    return 1
}

# Will apply a default protection plan that is included in the token
apply_protection_plan() {
    resource_id=$(grep "InstanceID" "${backup_config}" | sed -E 's/.*<value name="InstanceID" type="TString">"(.+)"<\/value>.*/\1/' | tr '[:upper:]' '[:lower:]')
    if [ -z "$resource_id" ]; then
        printf "Failed to retrieve this machine's resource ID. Application of protection plan cancelled.\n"
        return 1
    fi
    # Only resource_id is supplied; printf fills the second %s (policy_id) with an empty string.
    printf -v payload '{"context":{"items":["%s"]},"policy_id":"%s","disableOnConflict":false}' "${resource_id}"
    for ((i = 1; i <= PLAN_RETRIES; i++)); do
        plan_interval=$((PLAN_DELAY * i))
        printf "Pausing for %d seconds before protection plan application attempt.\n" $plan_interval
        sleep $plan_interval
        printf "Trying to apply the protection plan.\n"
        response=$(curl -s -w "\nHTTP STATUS CODE: %{http_code}\n" -L --request POST "${REGISTRATION_URL}/api/policy_management/v4/applications" \
            --header "Authorization: Bearer ${REGISTRATION_TOKEN}" \
            --header "Content-Type: application/json" \
            --data-raw "${payload}")
        if echo "${response}" | grep -q "HTTP STATUS CODE: 200"; then
            printf "Protection plan applied successfully.\n"
            return 0
        elif echo "${response}" | grep -q "HTTP STATUS CODE: 403"; then
            printf "No protection plan will be applied as it is not part of the token.\n"
            return 0
        elif echo "${response}" | grep -q "HTTP STATUS CODE: 500"; then
            printf "Protection plan has been already applied.\n"
            return 0
        else
            printf "Failed to apply a protection plan.\n"
            echo "${response}"
        fi
    done
    printf "Failed to apply protection plan.\n"
    return 1
}

printf "The installation of Acronis Cyber Protection agent for Mac starts now.\n"
cleanup
# Stop with a non-zero exit code if the install fails, so that a failed
# download, signature check or install is not reported as a success.
if ! agent_install; then
    cleanup
    exit 1
fi
cleanup
unregister_agent
# An agent that could not be registered is also reported as a failure
if ! agent_registration; then
    exit 1
fi
apply_protection_plan
send_stats
printf "Successfully installed Acronis Cyber Protection agent for Mac.\n"
```
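The install script accepts the package whenever the developer name appears anywhere in the `pkgutil --check-signature` output. As an added example (not part of the Addigy or Acronis script), the check below also requires the Developer ID status line and pins the leaf certificate to the Team ID ZU2TV78AA6 used in the MDM profiles in this article; the function names and the sample reports are constructed for illustration.

```shell
EXPECTED_TEAM_ID="ZU2TV78AA6"   # Team ID allowed in this article's MDM profiles

# Succeeds only if the report has the Developer ID status line and the leaf
# certificate (chain entry "1.") is a Developer ID Installer cert of team $2.
signature_report_ok() {
    sr_report="$1"; sr_team="$2"
    printf '%s\n' "$sr_report" | grep -Eq \
        '^[[:space:]]*Status: signed by a developer certificate issued by Apple for distribution' ||
        return 1
    sr_leaf=$(printf '%s\n' "$sr_report" |
        sed -n 's/^[[:space:]]*1\. \(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1)
    case "$sr_leaf" in
        "Developer ID Installer: "*" (${sr_team})") return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper for an install script: keeps pkgutil's own exit status, which a
# pipeline into grep would discard.
verify_pkg() {
    vp_report=$(pkgutil --check-signature "$1") || return 1
    signature_report_ok "$vp_report" "$EXPECTED_TEAM_ID"
}

# Constructed sample reports (not captured from a real package).
GOOD_REPORT='Package "Install.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Acronis International GmbH (ZU2TV78AA6)
    2. Developer ID Certification Authority'
# Same organisation name, made-up Team ID: a name-only grep accepts this one.
WRONG_TEAM_REPORT='Package "Install.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Acronis International GmbH (ABCDE12345)
    2. Developer ID Certification Authority'
# Name and Team ID present, but the status line reports an expired certificate.
EXPIRED_REPORT='Package "Install.pkg":
   Status: signed by a certificate that has since expired
   Certificate Chain:
    1. Developer ID Installer: Acronis International GmbH (ZU2TV78AA6)'

for sample in GOOD_REPORT WRONG_TEAM_REPORT EXPIRED_REPORT; do
    eval "text=\$$sample"
    if signature_report_ok "$text" "$EXPECTED_TEAM_ID"; then verdict=accept; else verdict=reject; fi
    printf '%s: %s\n' "$sample" "$verdict"
done
```

In the install script, `verify_pkg "${mount_path}/Install.pkg"` would take the place of the `pkgutil ... | grep -q` condition.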
Save and Review the Custom Software
- Click Save and Review to stage the changes to the Custom Software item.
- Click Confirm Changes to add the Custom Software to your Catalog.
System and Kernel Extension Permissions are Required
- If you will be deploying Acronis to devices running macOS 11 (Big Sur) or newer, you need to deploy a System Extension MDM Profile that allows Acronis.
  - Navigate to Catalog >> MDM Profiles >> New >> System Extension
  - Name the MDM Profile
  - Add "ZU2TV78AA6" to "Allowed Team Identifiers"
  - Click "Create Profile"
  - Add the Profile to the policies that you will be deploying Acronis to
- If you will be deploying Acronis to devices running macOS 10.15 or older, you need to deploy a Kernel Extension MDM Profile that allows Acronis.
  - Navigate to Catalog >> MDM Profiles >> New >> Kernel Extension Policy
  - Name the MDM Profile
  - Add "ZU2TV78AA6" to "Allowed Team Identifiers"
  - Click "Create Profile"
  - Add the Profile to the policies that you will be deploying Acronis to
PPPC
To configure a PPPC MDM Profile for Acronis go to Catalog > MDM Profiles > New > PPPC.
- Name the MDM Profile.
- Include Access to All Protected and System Administration Files with the following identifiers, types and code requirements:
- Identifier - com.acronis.backup
- Identifier type – Bundle ID
- Code Requirement - identifier "com.acronis.backup" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- Identifier - com.acronis.backup.aakore
- Identifier type – Bundle ID
- Code Requirement - identifier "com.acronis.backup.aakore" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- Identifier - com.acronis.backup.activeprotection
- Identifier type – Bundle ID
- Code Requirement - identifier "com.acronis.backup.activeprotection" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- Identifier - cyber-protect-service
- Identifier type – Bundle ID
- Code Requirement - identifier "cyber-protect-service" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- Identifier - cyber-scripting-executor
- Identifier type – Bundle ID
- Code Requirement - identifier "cyber-scripting-executor" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- Identifier - com.acronis.connectagentmac
- Identifier type – Bundle ID
- Code Requirement - identifier "com.acronis.connectagentmac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
In the same PPPC MDM Profile, Apple Events can be included to support Connect Agent:
- Identifier - com.acronis.connectagentmac
- Identifier Type – Bundle ID
- Code Requirement - identifier "com.acronis.connectagentmac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- ae_receiver Identifier - com.apple.finder
- Identifier Type – Bundle ID
- ae_receiver Code Requirement - identifier "com.apple.finder" and anchor apple
- Identifier - com.acronis.connectagentmac
- Identifier Type – Bundle ID
- Code Requirement - identifier "com.acronis.connectagentmac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ZU2TV78AA6
- Allowed checked
- ae_receiver Identifier - com.apple.systemevents
- Identifier Type – Bundle ID
- ae_receiver Code Requirement - identifier "com.apple.systemevents" and anchor apple
Deploying the Acronis Custom Software
Add the Custom Software to the Policies you wish to deploy Acronis to (see Adding and Removing items from a Policy).
Acronis Cyber Protect will now deploy and be registered on devices in the Assigned Policy and its children.
For information on using custom facts to monitor Acronis, see our KB article Addigy Monitoring And Alerting With Acronis.