Configuring Veeam Agent for Mac via Microsoft Intune

Previously, we discussed how to use Microsoft Intune to install Veeam Agent for Mac. Now we will continue this series with how to configure Veeam Agent for Mac via Microsoft Intune.

The way that macOS centrally manages and configures various aspects of the operating system and applications is through “Configuration Profiles”. A Configuration Profile is an XML document (.mobileconfig) that contains settings to let you standardize various functions in macOS. For example, the administrator can set up a profile(s) to:

You may be wondering, “Why do I need to go through the configuration process?” Quite simply, in order for Veeam Agent for Mac to know about the Veeam backup server, authenticate and make a connection, you must import configuration data that was generated/exported when creating the “Computers with pre-installed agents” protection group.

Much like the installation, Veeam offers two methods to configure Veeam Agent for Mac:

Typically used when configuring a small number of macOS systems that require protection

Typically used when configuring a large number of macOS systems that require protection

One MDM solution that is growing in popularity is Microsoft Intune. This is a cloud-based service that provides MDM capabilities for laptops, phones, tablets and computers… including Macs! And if you were wondering how to leverage Microsoft Intune to automate the configuration of Veeam Agent for Mac, you have come to the right place!

This blog will be broken down into the following sections:

Pre-requisites for a successful configuration:

To ensure that Veeam Agent for Mac can be deployed via Microsoft Intune, the following are prerequisites:

The purpose of the XML and mobileconfig files:

Let’s dig into the various files that Veeam Agent for Mac and Microsoft Intune utilize for configuration.

Veeam XML Configuration Files

There are two XML files generated as part of the “Computers with pre-installed agents” protection group creation process:

Figure 1

Both XML files contain the same information, only formatted differently. Each XML file contains information related (but not limited) to:

Why are there two XML files containing the same data but in different formats? Depending on the MDM solution, some support the non-escaped format and others support the escaped format. For example:

For the purposes of this blog, we will be using the file with “escaped” in the name as this is what Microsoft Intune requires.

mobileconfig (Configuration Profile)

A mobileconfig file (also XML) is used to configure devices and applications running macOS.

This is also known as the “Configuration Profile”.

Creating the Configuration Profile templates – Full Disk Access

After installation, Veeam Agent for Mac requires permission to access all folders and files on the system. This is accomplished through the “Security and Privacy” setting “Full Disk Access” (FDA):

Figure 2

Users can manually configure this setting via “System Preferences” or use Microsoft Intune / Configuration Profile to grant this permission.

To create a Configuration Profile for FDA, simply copy the XML below and save it to a file with the extension “mobileconfig” — for example: “Veeam Agent for Mac Configuration Profile for FDA.mobileconfig”.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadIdentifier</key>
        <string>com.veeam.Agent.fda-permissions</string>
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>31294b70-d005-11ea-87d0-0242ac130003</string>
        <key>PayloadOrganization</key>
        <string>Veeam backup server</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadDisplayName</key>
        <string>Full Disk Access for Veeam Agent for Mac</string>
        <key>PayloadDescription</key>
        <string>This profile allows Veeam Agent for Mac to obtain Full Disk Access</string>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadType</key>
                <string>com.apple.TCC.configuration-profile-policy</string>
                <key>PayloadUUID</key>
                <string>28afcd34-d005-11ea-87d0-0242ac130003</string>
                <key>PayloadIdentifier</key>
                <string>com.veeam.Agent.fda-permissions.28afcd34-d005-11ea-87d0-0242ac130003</string>
                <key>PayloadEnabled</key>
                <true />
                <key>Services</key>
                <dict>
                    <key>SystemPolicyAllFiles</key>
                    <array>
                        <dict>
                            <key>Allowed</key>
                            <true/>
                            <key>CodeRequirement</key>
                            <string>identifier "com.veeam.Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = NX3JU8SRVL</string>
                            <key>Identifier</key>
                            <string>com.veeam.Agent</string>
                            <key>IdentifierType</key>
                            <string>bundleID</string>
                        </dict>
                    </array>
                </dict>
            </dict>
        </array>
    </dict>
</plist>

Please note that FDA is only required for macOS version 10.14.x (Mojave) and above. If you are running 10.13.x (High Sierra), FDA is automatically enabled as part of the installation.
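Before uploading an FDA profile, it is worth confirming that every Full Disk Access grant in it is pinned to the vendor's signing Team ID, which is the `certificate leaf[subject.OU]` clause in the profile above. The following Python check is an added example, not part of the original post or Veeam's tooling; the function name `audit_fda`, the abbreviated sample profile and the `com.example.tool` entry are constructed for illustration, and it assumes grants use the `Allowed` key as on this page.

```python
import plistlib
import re

# Team ID pin as written in a code requirement (Team IDs are 10 characters).
TEAM_PIN = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?')
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample: the page's com.veeam.Agent grant (requirement abbreviated)
# plus a hypothetical entry whose requirement is not pinned to a Team ID.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
<key>Services</key><dict><key>SystemPolicyAllFiles</key><array>
<dict><key>Allowed</key><true/><key>Identifier</key><string>com.veeam.Agent</string>
<key>CodeRequirement</key><string>identifier "com.veeam.Agent" and anchor apple generic and certificate leaf[subject.OU] = NX3JU8SRVL</string></dict>
<dict><key>Allowed</key><true/><key>Identifier</key><string>com.example.tool</string>
<key>CodeRequirement</key><string>identifier "com.example.tool"</string></dict>
</array></dict></dict></array></dict></plist>"""


def audit_fda(profile_bytes, expected_team):
    """Return findings for Full Disk Access grants that are loosely pinned."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        grants = payload.get("Services", {}).get("SystemPolicyAllFiles", [])
        for entry in grants:
            if not entry.get("Allowed"):
                continue  # an explicit deny grants nothing
            ident = entry.get("Identifier", "<missing>")
            req = entry.get("CodeRequirement", "")
            if f'identifier "{ident}"' not in req:
                findings.append(f"{ident}: requirement does not name the bundle ID")
            pin = TEAM_PIN.search(req)
            if pin is None:
                findings.append(f"{ident}: no Team ID pin")
            elif pin.group(1) != expected_team:
                findings.append(f"{ident}: pinned to {pin.group(1)}, expected {expected_team}")
    return findings


if __name__ == "__main__":
    for finding in audit_fda(SAMPLE, "NX3JU8SRVL"):
        print(finding)
```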

Creating the Configuration Profile templates – Veeam Configuration

You will also need to create a Configuration Profile / mobileconfig using the sample XML below or update an existing mobileconfig to include the Veeam Agent for Mac information.

Sample XML for mobileconfig file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadIdentifier</key>
        <string>dummy PayloadID</string>
        <key>PayloadRemovalDisallowed</key>
        <false />
        <key>PayloadScope</key>
        <string>System</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadUUID</key>
        <string>00000000-0000-0000-0000-000000000000</string>
        <key>PayloadOrganization</key>
        <string>dummy PayloadOrg</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadDisplayName</key>
        <string>dummy PayloadDisplayName</string> 
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadType</key>
                <string>com.apple.ManagedClient.preferences</string>
                <key>PayloadUUID</key>
                <string>00000000-0000-0000-0000-000000000000</string>
                <key>PayloadIdentifier</key>
                <string>dummy PayloadID inside PayloadContent</string>
                <key>PayloadEnabled</key>
                <true />
                <key>Identifier</key>
                <string>com.veeam.Agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>PayloadContent</key>
                <dict>
                    <key>com.veeam.Agent</key>
                    <dict>
                        <key>Forced</key>
                        <array>
                            <dict>
                                <key>mcx_preference_settings</key>
                                <dict>
                                    <key>CatchAllConfig</key>
                                    <string>PASTE XML FROM THE CONFIG FILE HERE</string>
                                </dict>
                            </dict>
                        </array>
                    </dict>
                </dict>
            </dict>
        </array>
    </dict>
</plist>

After the mobileconfig file is saved (e.g., Veeam Agent for Mac Configuration Profile.mobileconfig), we need to copy the contents from the exported “escaped” configuration file:

Figure 3

After the file is open, select all contents:

Figure 4

And copy the contents of the file to your clipboard:

Figure 5

Once copied, paste the entire contents of the file into the previously highlighted section of the mobileconfig. For example:

Figure 6
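The paste step above can be checked before upload: once the plist is decoded, the `CatchAllConfig` string must be well-formed XML again, which fails if the non-escaped file was pasted (its tags become nested plist elements instead of string text) or if the placeholder was left in. This Python check is an added example, not Veeam's or Microsoft's code; `merge`, `check_profile`, the abbreviated template and the `AgentConfig` sample are constructed and do not reflect the real Veeam export schema.

```python
import plistlib
import xml.dom.minidom
from xml.parsers.expat import ExpatError
from xml.sax.saxutils import escape

PLACEHOLDER = "PASTE XML FROM THE CONFIG FILE HERE"

# Constructed stand-in for the exported config; NOT the real Veeam schema.
RAW_CONFIG = '<AgentConfig><Server host="vbr.example.test"/></AgentConfig>'
ESCAPED_CONFIG = escape(RAW_CONFIG, {'"': "&quot;"})  # plays the "escaped" file

# Constructed, abbreviated template with the same nesting as the page's sample.
TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.ManagedClient.preferences</string>
<key>PayloadContent</key><dict><key>com.veeam.Agent</key><dict>
<key>Forced</key><array><dict><key>mcx_preference_settings</key><dict>
<key>CatchAllConfig</key><string>PASTE XML FROM THE CONFIG FILE HERE</string>
</dict></dict></array></dict></dict></dict></array></dict></plist>"""


def merge(template, config_text):
    """Do the paste step: drop the config text into the placeholder."""
    return template.replace(PLACEHOLDER, config_text.strip())


def check_profile(text):
    """Return a list of problems found in a merged mobileconfig."""
    try:
        profile = plistlib.loads(text.encode("utf-8"))
        prefs = profile["PayloadContent"][0]["PayloadContent"]["com.veeam.Agent"]
        config = prefs["Forced"][0]["mcx_preference_settings"]["CatchAllConfig"]
    except (ExpatError, LookupError, TypeError, ValueError) as exc:
        return [f"profile does not parse as expected: {exc!r}"]
    if PLACEHOLDER in config:
        return ["placeholder was never replaced"]
    try:
        xml.dom.minidom.parseString(config)  # decoded value must be XML again
    except ExpatError:
        return ["CatchAllConfig is not well-formed XML (non-escaped file pasted?)"]
    return []


if __name__ == "__main__":
    print("escaped paste:", check_profile(merge(TEMPLATE, ESCAPED_CONFIG)))
    print("raw paste:    ", check_profile(merge(TEMPLATE, RAW_CONFIG)))
```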

Creating the Configuration Profile in Microsoft Intune

To recap, we have created two mobileconfig files:

In the examples below, screenshots are provided referencing the “Veeam Agent for Mac Configuration Profile.mobileconfig”. However, the same steps will need to be repeated to create a separate profile for the “Veeam Agent for Mac Configuration Profile for FDA.mobileconfig” configuration profile.

In order for the Configuration Profiles to be deployed, we need to make our way over to Microsoft’s Endpoint Manager and access the “Devices” blade:

Figure 7

Once you are in the “Devices” blade, select “Configuration Profiles” and then “Create Profile”:

Figure 8
Figure 9

When the “Create a profile” dialog is presented, select the following options:

Platform: macOS
Profile type: Templates
Template name: Custom

Figure 10

Then you will provide a name and description of the “Custom Profile”

Figure 11

Then you will provide a name and description of the “Configuration Profile”

Figure 12

Next you will configure the assignments (based on groups / users / devices) the Configuration Profile will include and exclude:

Figure 13

You are now ready to review and create the Configuration Profile:

Figure 14
REMINDER:
Do not forget to also create / deploy the Configuration Profile created for Full Disk Access / FDA.

Verify that the Configuration Profile is deployed

Once the Configuration Profiles are created and assigned in Microsoft Intune, they will be added to the device profiles of the applicable users / groups / devices under “System Preferences” in macOS:

Figure 15
Figure 16

If you review the “Custom Settings” for Veeam Agent for Mac “Configuration Profile”, you will see the Veeam backup server connection information.

Conclusion

As more organizations embrace the Apple platform, you are seeing business-critical data reside on macOS systems. This can be through IT departments providing Mac-based computers and laptops as well as organizations embracing the Bring Your Own Device (BYOD) model. This is why it is important to protect that data with Veeam Agent for Mac.

As the number of macOS devices in your organization increases, leveraging a Mobile Application Management and Mobile Device Management solution like Microsoft Intune to install and configure Veeam Agent for Mac will ensure it scales quickly and easily.
