Anka Secure

What is Anka Secure?

Anka Secure solution is built on top of Anka macOS virtualization engine with features to create secure VMs and manage and distribute to the users. Anka VMs by default are intended to provide reproducible, stable, controllable, shareable environment for different tasks: build, test, debug etc.

VM isolation enables multiple environments simultaneously on the same host.

Processes running inside isolated Anka VMs can communicate with the outside world, including host via network interfaces, shared folders, pasteboard, and other mechanisms. However, there are use cases where there is a need to disallow any communication between processes running inside Anka VMs and the outside world and/or the host.

Some of the common examples are :

  1. Protecting privileged user access to sensitive data on a single device - Technical support accessing customer systems/data from their workstations, developers accessing and working with corporate developer/application certificates on their workstations.

  2. Increasing productivity of superusers who use macOS workstations by freeing security restrictions which impact their ability to innovate, without compromising enterprise security - iOS developers working/researching with beta versions of libraries, Xcode, third party libraries downloaded from the internet.

  3. Increasing productivity of superusers who use macOS workstations by freeing security restrictions which impact their ability to innovate, without compromising enterprise security - iOS developers working/researching with beta versions of libraries, Xcode, third party libraries downloaded from the internet.

  4. Malware and other sensitive analysis and testing tasks for macOS Anka Secure protects the Anka VM environment from unsolicited use, modifications and leakage of critical resources by controlling access and actions on these machines with a VM Policy.

Note In order to avoid risks of data stealing and modifications by unauthorized users, all information stored on disk images is also encrypted on the fly. .

Installation and Configuration

Anka when activated with the Anka Secure license enables installation of Anka package all mac hardware with Secure modules. It enables administrators to create policies for the VM and assign users/groups to the VM policy.

Installing the Anka Hypervisor binary is remarkably simple, just download it from Anka Secure Download page.
Run the anka.pkg installer. The Anka package includes the Core hypervisor and anka guest Add-ons.

After running the installer package, anka is found at /usr/local/bin/anka.

Verify the installation by running anka version command.

After install, if the users want to, they can change the location of this default Anka install location link manually.

Execute sudo mv /usr/local/bin/anka /to/any/other/location/.

Verify the installation by running anka version command.

View all settings for Anka installation on the host with anka config -l command.

anka config --help
Usage: anka config [OPTIONS] [PARAM]...

  Manage Anka configuration

  -l, --list   List value parameter(s)
  -r, --reset  Reset value of parameter(s)
  --help       Show this message and exit.

Activate with your Anka Secure license key.

sudo anka license activate <key>

Upgrading the Anka Package

  1. Download the latest version of Anka package (.pkg) and stop all running VMs.
  2. Before upgrading, you will also need to force stop any suspended VMs with the anka stop -f vmname command.

Note For major Anka releases, it maybe required to upgrade guest addons in existing Anka VMs. Check the release notes to identify if this step is required or not.

  1. Upgrade guest addons on the VM. Execute the following command to upgrade guest addons in existing VMs to the current release.
anka stop -f vmname
anka start -u vmname
Preparing update configuration
Installing updates
update succeeded

If you are not able to upgrade the guest add-ons tool using the anka start -u vmname command, then you have a very old version of guest addon tools on your VM. You will first need to manually update them. Contact Veertu support. 4. Push your upgraded VMs to the Registry.


From the command line, execute the following command. Make sure all your VMs are stopped.

sudo /Library/Application\ Support/Veertu/Anka/tools/

Creating VM Policy

VM Policy is extensible and flexible mechanism to control access to certain resources and functionality while at the same time preserving consistency and hardening runtime for increased security.

Core elements of the VM Policy are:

  1. Users (and groups)
  2. Rules

Every vm policy can be treated as a user database (accounts, participating in policy). Every user, registered in the policy belongs to groups, group has similar parameters as a user, for example name and associated rules. Unlike the users, groups doesn’t contain authorization and crypto information, so group name can’t be used to access the policy.

Group can be a part of another group, so the policy is actually tree structure of users and groups.

The “standard” group is the root of the tree, every user and group is part of this group. Another predefined group is “administrators”. Administrators is part of the standard group, but has some fundamental differences:

  1. Only administrators can modify policy.
  2. Policy has to have at least one administrator.


Another part of the VM Policy is rule. Rule is a literal string rulename with assigned verdict:TRUE or FALSE.


Example -

Rule is not being used by policy itself, conversely systems (VM in our case), using the policy, associate their internal functionality with certain rulename.


com.veertu.ankahv.fs controls shared folder functionality for the VM. controls VM networking.

Behavior of the VM can be altered by changing the VM policy.

The rulename has reverse domain name structure (dot separated), and processing of rule is also happening in direction from larger scope to more specific one. Rule that describes more generic scope affects all subscopes, and “sub rules” could override rules of larger scope.

com.veertu.anka.fs=deny - specified in policy, disables ability to mount any host folder into VM.

Additional “sub rule” com.veertu.anka.fs./Users/test/workspace1=allow overrides more generic com.veertu.anka.fs rule, and allows to mount workspace1 (and any of its subfolders) of system user test.

Policy rules are used to control entire VM functionality: ability to start, modify, access network, use shared paste buffers, external drives, USB, etc. Rules mechanism is pretty flexible, so it’s easy to add additional controls in the future.

Anka VM policy rules can have three kinds of “verdicts”.

  1. Logical TRUE (allow, enable, 1, yes, on, pass, …)
  2. Logical FALSE (deny, disable, 0, no, off, block, …)
  3. Undefined (the rulename is not specified in the policy)

By default all runtime features, like networking, shared folders, are “enabled”, so to disable them it’s needed to explicitly specify corresponding denial rule in the policy.

Contrary to this, all configuration changes - changing RAM size, VNC password, etc (except some needed for normal operation of anka tool) are prohibited by default to non-administrators.

To allow such changes, explicitly specify corresponding rule in the policy.

Runtime functionality rules have the following form - com.veertu.ankahv.{function}={verdict}

Rules for VM configuration have the following form - com.veertu.anka.cfg.{parameter}={verdict}

Anka Secure policy Management

VM Policy can be modified by users with a private key. Administrators have such key, while regular users have only public key, so they are only able to read policy. Groups have no keys at all, so they can’t be used to open policy file.

This design prevents modification of policy files by non-admin users. It’s safe to share policy files over unencrypted channels and store in plain files - no additional protection is required. But such design also introduces some limitations in assigning user’s passwords - only administrator can modify user’s data, the user is not able to change their password in policy by themselves.

To get temporary passwords, password renewal (by user) and other “privacy” related things, additional external mechanisms should be invoked.

Following algorithms are used - RSA-2048, SHA-256, AES-256 .

Critical policy parts are encrypted with user’s password (aes-cbc-256).

Policy Management Tool

Current implementation of VM Policy uses separate json files to store user/rules db and cryptographic information. To maintain policy and sign VM configuration files the policy tool is used. This tool is being shipped with Anka package 2.0 , available with Anka Secure license and above (located at /Library/Application\ Support/Veertu/Anka/bin/policy).

This tool can be compiled and used under Linux and (probably) other posix compliant systems.

/Library/Application\ Support/Veertu/Anka/bin/policy
usage: policy [options] <command>

   Manipulate Anka policy (create, add, assign, sign, ...)

  -l,--login <val>   Username to access policy file
  --version          Print version information and quit
  --help             Show usage for particular command and exit

  create             Create new policy file with initial admin user
  adduser            Add new user to policy
  addgroup           Add new group to policy
  delete             Delete user or group from policy
  join               Add user/group to certain group
  leave              Remove user from group(s)
  users              List the policy users
  groups             List the policy groups
  assign             Assign rule(s) to certain user or group
  retract            Retract rule(s) from certain user or group
  rules              List rules applied to the user or group
  decide             Evaluate the rule for the user returning corresponding status
  sign               Sign input (yaml) file
  validate           Validate integrity of (yaml) file

Every policy has to have at least one administrator user. This user is created during the creation of new policy file. Later users and groups can be added with corresponding commands.

The policy tool infers “current” user from command line option, environment, and current macOS user name in the following order.

  1. --login <username> command line option
  2. ANKA_USER environment variable,
  3. current system user name (a user under which the policy tool was started)

Some commands don’t require authentication and could be invoked anonymously, like users, groups & rules.

Password is required to authorize certain user. The password could be provided through ANKA_PASSWORD environment variable, or asked interactively through tty (if connected). If no tty is connected to the policy process and the ANKA_PASSWORD variable is not found, the user’s password is assumed to be EMPTY (that is also valid, but insecure, password).

Turn Policy on for a VM - anka modify VM set policy

This command creates policy.json file inside VM folder with initial admin user, inferred from arguments and environment as discussed above. Initial policy has some predefined minimal set of rules to allow core Anka logic (i.e. clone, suspend, push, pull etc) to operate.

View active rules (for current user) - policy rules /path/to/vm_dir/UUID/policy.json

This operation doesn’t require actual authorization.

VM Policy can be changed later (with the policy tool) to allow non-administrators to make some changes like change cpu count, RAM size, configure display settings etc.

Disable VM Policy - anka modify VM delete policy

Only administrators can delete the VM policy.

Clone - Clone operation preserves current policy settings and so it’s allowed to all users by default. clone --copy produces pure (no policy) VM. So clone --copy operation can be performed only by the VM administrator.

Push and Pull - Pushing and pulling of VM is also allowed to all users by default. Implement certificate based access to the registry is supported to control access for the users.

Note VM functions that don’t affect VM configuration and runtime directly (anka config, anka registry,cluster etc) are not controlled by the policy.

Anka Secure Policy Rulename List

com.veertu.ankahv.start=0 To disable VM to start by authorized user (non-authorized ones can’t start in any case)

Networking disable “local” (interhost) connectivity set all IPs blacklisted by default{}=1 whitelist specific outgoing IP address disable TCP protocol disable UDP protocol disable other (that TCP and UDP)

Special com.veertu.ankahv.local=0 rule disables any connectivity (Ethernet and IP levels) among host where VM is running. This includes

  1. Inter vm connectivity
  2. VM - Host connectivity
  3. VM - host bridge and aliases connectivity
  4. Zero configuration protocols (DNS, DHCP, ARP..) handling

Note The user can still build custom network topology, e.g. connect personal laptop with patch cord, and perform uncontrollable (from the perspective of corporate network) data transfers.

Protocols{prot_number}=1 allow specific network protocol (ethernet) disable all port forwarding rules{dport}.{addr}.{sport}=1 allow specific port forwarding rule. {lp} is port opened on the host, {addr} is a listening address, for example receives connections from any peer, {dp} is service port in VM.

Due to reverse domain name essense of the rulename processing, there could be some “wildcards” in the port forwarding rules. - Allows connections to any port inside VM from host through port 20000

Disk Access com.veertu.ankahv.disk=0 prevent access to any unencrypted drives com.veertu.ankahv.disk.%s=1 allow access to certain unencrypted drive

Shared Folders and Anka Run com.veertu.ankahv.fs=0 disable ability to mount host folders com.veertu.ankahv.fs.{/abs/path/to}=1 allow to mount specific host folder disable anka run functionality{/abs/path/to}=1 allow to run certain commands via anka run

Anka View com.veertu.ankahv.view.pb=0 disable shared paste bufferd(PasteBoard) in Anka View com.veertu.ankahv.view.hid=0 disable keyboard pass-through in Anka View

Anka VNC
Anka VM has it’s own implementation of VNC (RFB) server, allowing to access guest’s display via the network protocol. Additionally macOS guests have Screen Sharing service, also allowing to interact with the desktop over network.

Anka VNC doesn’t allow to use any kind of paste buffer sharing, moreover once the policy is enabled for certain VM, the VNC password became encrypted.

height: 768
pci_slot: 29
width: 1024

Users who don’t know Anka VNC password are not able to infer it neither with anka describe, neither anka show commands. There is no special policy rule, controlling Anka VNC module for now.

To control connectivity to the guest’s Screen Sharing service, disable local networking, and close guest port 5900 from port forwarding.


USB Pass-Through is provided by the uhost module. Policy allows to prevent this module from loading. So with policy USB pass-through could be enabled or disabled only generally - on all kinds of devices.

com.veertu.ankahv.usb.{module}=0 disable corresponding USB Module (“host”)

VM Disk Encryption

Disk encryption logic plays an important role in VM Policy infrastructure. Anka Disk Engine is closely integrated with VM Policy and performs on the fly encryption (OTFE) of all information passed to/from disk image. Encryption uses cryptography data from the associated policy, so it’s not possible to use (decode) encrypted drive with another policy or without policy itself. This robustly protects encrypted VMs from policy replacement attacks.

OTFE is not turned on by default with anka modify VM set policy command. It can be turned on with anka modify VM set hard-drive command.

anka modify Mojave10145 set hard-drive --help
Usage: anka modify set hard-drive [OPTIONS] INDEX

  modify hard drive settings

  -s, --size TEXT                 Disk size
  -e, --enc [aes-128|aes-192|aes-256|none]
                                  Set OTFE algorithm
  --help                          Show this message and exit.

Currently aes-ecb encryption algorithm is supported. 128 bit encryption is more than enough to protect VM from unsolicited access/modifications, but for some applications aes-ecb-256 could be needed.

Certificate-based access to Registry

Anka CLI Operations

Anka package provides an complete set of CLI interface to manage macOS infrastructure as a cloud for CI purposes.

Execute anka help to see a complete list CLI commands available.

anka --help
Usage: anka [OPTIONS] COMMAND [ARGS]...

  --machine-readable              JSON output format
  --log-level [debug|info|error]
  -l, --login TEXT                Specify the vm policy user (if configured)
  --help                          Show this message and exit.

  clone     Clones a VM
  config    Manage Anka configuration
  create    Creates a VM
  delete    Deletes a VM (or list of vms)
  describe  Shows VM configuration
  license   licensing commands
  list      List VM library contents
  modify    Modifies a VM settings
  mount     Mounts local folder into VM
  reboot    Restarts a VM(s)
  registry  VMs registry
  run       Run commands inside VM environment
  show      Shows VM runtime properties
  start     Starts or resumes paused VM
  stop      Shuts down a vm
  suspend   Suspends a VM(s)
  unmount   Unmount shared folder (filesystem...
  usb       Do actions on USB devices
  version   prints out version
  view      Open VM display viewer

Use anka --machine-readable to get machine readable output from all anka CLI commands. Example anka --machine-readable clone VMname Vmname2.

Create VM - Use anka create command. Go to Create VM documentation.

Clone VM - Use anka clone command. -c flag consolidates/shrinks all the snapshots and creates an independent copy.

anka clone --help
Usage: anka clone [OPTIONS] VM_ID NEW_VM_NAME

  Clones a VM

  -c, --copy  Create independent copy instead of clone
  --help      Show this message and exit.

Manage VM configuration - Use anka config command to manage VM configuration.

anka config --help
Usage: anka config [OPTIONS] [PARAM]...

  Manage Anka configuration

  -l, --list   List value parameter(s)
  -r, --reset  Reset value of parameter(s)
  --help       Show this message and exit.

Delete VM - Use anka delete command to delete one, multiple or all VMs in the local VM directory.

anka delete [OPTIONS] [VMID]...

  Deletes a VM (or list of vms)

  --yes      flag. don't ask - just delete
  -a, --all  Delete all vms in library
  --help     Show this message and exit.

Show VM configuration - Use anka describe command to view Vm configuration.

anka describe --help
Usage: anka describe [OPTIONS] VM_ID

  Shows VM configuration

  --help  Show this message and exit.

Manage anka license - Use anka license command to activate, remove and execute other licesing related operations for the host.

anka license --help
Usage: anka license [OPTIONS] COMMAND [ARGS]...

  licensing commands

  --help  Show this message and exit.

  accept-eula  accept EULA (root privileges)
  activate     activate license key (root privileges)
  remove       removes the current license (root privileges)
  show         show license information
  validate     validates the current license

list of all VMs - Use anka list command to view all the VMs available in the local VM directory with their status and other properties.

anka list --help
Usage: anka list [OPTIONS] [VMID]...

  List VM library contents

  -r, --running  show only running vms
  -s, --stopped  show only stopped vms
  --help         Show this message and exit.

Modify VM properties - Use anka modify command to Vm properties like port-forwarding, vCPU, ram, etc. You can set, add and delete properties.

SET Operations

anka modify vmname/ID set --help
Usage: anka modify set [OPTIONS] COMMAND [ARGS]...

  --help  Show this message and exit.

  cpu              set number of cpu cores and frequency
  custom-variable  configure variables
  description      set textual description of the VM
  display          configure displays
  hard-drive       modify hard drive settings
  name             set new name for the VM
  nested           enable nested virtualization
  network-card     modify network card settings
  policy           Enable VM access management (available in Anka Secure license)
  ram              set RAM size and parameters

ADD Operations

sudo anka modify vmname/ID add --help
Usage: anka modify add [OPTIONS] COMMAND [ARGS]...

  --help  Show this message and exit.

  usb-device (available in enterprise and enterprise plus tiers)

DELETE Operations

sudo anka modify vmname/ID delete --help
Usage: anka modify delete [OPTIONS] COMMAND [ARGS]...

  --help  Show this message and exit.

  usb-device (available in enterprise and enterprise plus tiers)

Mount local file system into the VM - Use the anka mount command to mount current local folder from the host inside the VM. Returns 231 on timeout.

anka mount --help
Usage: anka mount [OPTIONS] VM_NAME [DIRS]...

  Mounts local folder into VM

  --help  Show this message and exit.

Unmount mounted folder - Use the anka unmount to Unmount the locally folder mounting. Returns 231 on timeout.

anka unmount --help
Usage: anka unmount [OPTIONS] VM_NAME FSID

  Unmount shared folder (filesystem pass-through)

  --help  Show this message and exit.

Reboot VM - Use the anka reboot to reboot one, multiple or all Vms in the VM local directory.

anka reboot --help
Usage: anka reboot [OPTIONS] [VMID]...

  Restarts a VM(s)

  -f, --force  flag. restarts the vm process
  -a, --all    reboot all running vms
  --help       Show this message and exit.

Work with registry - Use the anka registry command for access, push, pull Vms from the registry. See the Manage VM Templates in Registry documentation.

Start VM - Use the anka start coammnd to start VM. use the -u flag to update the guest addons inside the VM. This maybe be required for upgrading Vms for major Anka releases.

anka start --help
Usage: anka start [OPTIONS] VM_ID

  Starts or resumes paused VM

  -u, --update-addons, --update  Run guest addons update procedure, previous version of the addons should be already
  -f, --force                    Start VM with minimum checks
  -v, --view                     Open display window
  -o, --optical-drive TEXT       Path to ISO file or device
  -d, --usb TEXT                 USB device ID/Location (should be claimed)
  --help                         Show this message and exit.

Stop VM - Use the anka stop command to stop VM.

anka stop --help
Usage: anka stop [OPTIONS] [VMID]...

  Shuts down a vm

  -f, --force  force the vm process to shut down
  -a, --all    Shutdown all running vms
  --help       Show this message and exit.

Suspend VM - Use anka suspend command to put Vm in Instant Boot state. It’s recommended to suspend VMs before pushing them to the Registry for use in CI.

anka suspend --help
Usage: anka suspend [OPTIONS] [VMID]...

  Suspends a VM(s)

  -a, --all  suspend all running vms
  --help     Show this message and exit.

Open Vm Window/viewer - Use anka view command to open running VM window. anka viewer supports Retina support for Mojave VMs.

anka view --help
Usage: anka view [OPTIONS] VM_ID

  Open VM display viewer

  -d, --display INTEGER  Specify the displays to view
  -s, --screenshot       Make png screenshot
  --help                 Show this message and exit.

View Anka version - Use anka version command to view current anka version.

anka version
Anka Build Enterprise version 2.0 (build 108)

Show running VM properties - Use anka show command to view VM properties of running VM.

anka show --help
Usage: anka show [OPTIONS] VM_ID [PROPERTY]...

  Shows VM runtime properties

  --help  Show this message and exit.

Attach and Detach USB devices to VM - Use anka USB device to attach and work with USB devices inside the VM. The USb devices should be connected to the host. See working with real devices documentation.

Execute operation inside Vm from the host with RUN - Use anka run coammnd, similar to docker run to execute operation inside the Vm from the host where it’s running. Returns 125 on timeout.

anka run --help
Usage: anka run [OPTIONS] VM_NAME COMMAND [ARGS]...

  Run commands inside VM environment

  -w, --workdir PATH              Working directory inside the VM
  -v, --volumes-from, --volume PATH
                                  Mount host directory (current directory by default) into VM . '--volumes-from' is
                                  deprecated form
  -n, --no-volumes-from, --no-volume
                                  Use this flag to prevent implicit mounting of current folder (see --volume
                                  option). '--no-volumes-from' is deprecated form
  -E, -e, --env                   Inherit environment variables. '-e' is deprecated form
  -f, --env-file PATH             Provide environment variables from file
  -N, --wait-network              Wait till guest network interface up
  -T, --wait-time                 Wait for guest time sync
  --help                          Show this message and exit.

Examples of anka run usage

anka run sierrav40c1 xcodebuild -sdk iphonesimulator -scheme Kickstarter-iOS build will mount the default directory from the host into the sierrav40c1 Vm and execute build.

anka run -w /Applications VMNAME ls -l will pipe the results of ls -l from the VM’s /Applications directory.

anka run -v . VMNAME ls will mount the host current directory inside the VM, execute ls, pipe the results and unmount.

anka run -v . VMNAME xcodebuild ... will mount the current directory from the developer machine(host) to the VM and execute an xcodebuild command and pipe the results back.

anka run sudo ... executes commands inside the VM with sudo privileges. For instance:

anka run VMNAME cp -R simpledir /Users/anka will copy the current host directory to the VM at /Users/anka location

anka run -n sierrav40c1 xcodebuild -sdk iphonesimulator -scheme Kickstarter-iOS build will not mount the curent host directory and execute build in the VM current directory

$ anka run VMNAME sudo whoami

It’s also possible to explicitly specify mount directory inside VM, using this syntax -v /host/forlder:/mnt/path, e.g:

anka run -v $PWD:/tmp/mountpoint_1 VMNAME pwd

Currently only single volume could be specified in the run command. If you need more than one folder shared between host and the VM, please use anka mount/unmount commands.

anka mount VMNAME ~/Library/MobileDevice/Provisioning\ Profiles/ /Users/anka/Library/MobileDevice/Provisioning\ Profiles/
anka run VMNAME xcodebuild -exportOptionsPlist exportInfo.plist archive

Please note, VM should be running for mount command. If you need more configuration changes to the VM, before anka run execution, you could start the VM with corresponding parameters, or write the parameters to VM configuration with anka modify command.

Working with environment variables using anka run

anka run command doesn’t use .profile, .bash_profile by itself. To configure the environment variables, you can pass it with anka run -f environment.txt, where environment.txt is a text file in the form VARIABLE=VALUE, one variable per line.

To inherit entire host’s environment, use anka run -E command, but in this case existing guests variables will not be overridden by host’s variables.

In order to use environment variables from VMs .bash_profile, execute the following command via intermediate bash.

anka run ios-temp bash -c 'source ~/.bash_profile; ./iPhone/make_build -b dev -c 1 -d ./build -e Mobile -z'

Few things to note

anka run doesn’t support TTY mode, but you could easily use POSIX streams as with regular bash tool.

anka run -n VNMANE whoami > /dev/null

cat file.txt | anka run -n VMNAME md5

anka run, when run in default mode with no flags, mounts the current folder from the host into the VM and executes commands on this mount point as current directory.

Accessing the host from within Anka VM

The host from Anka VM has fixed IP address of (or in host-only mode).