
By any chance has anyone here had any luck creating a privacy preference policy profile for Wacom tablets? All that is required to enable is Accessibility but for some reason when I create the policy with the PPPC utility the tablets don't respond properly.

I have but will need to be back in the office to download and share it. I tested it in my art labs... Was kind of a pain in the butt.


Every release Wacom seems to further run afoul of TCC/Accessibility requirements. GET IT TOGETHER!


So I believe I have this working now.



I followed Wacom's instructions here: https://www.wacom.com/en-us/support?linkId=57350690&guideTitle=Is-there-a-compatible-driver-for-Mac-OS-10.14-Mojave%3F&guideId=014-001



However, the apps they tell you to find, I found in the locations below shown in the screenshots, and deploying these in a PPP profile created in PPPC Utility appears to have configured the tablets correctly:






The WacomTabletDriver.app they tell you to find in the Resources folder is actually located at /Library/Application Support/Tablet/WacomTabletDriver.app



The second driver IS located at /Library/Application Support/Tablet/WacomTabletDriver.app/Contents/Resources/WacomTouchDriver.app.



There is a "TabletDriver.app" in /Library/Application Support/Tablet/WacomTabletDriver.app/Contents/Resources/, but that didn't work when creating a profile in the PPPC Utility.


So what values did you wind up using in Privacy Preferences Policy Control?


Would love a follow-up on this one as well...


Hi guys,



Here are some screen shots of what it looks like in Jamf Pro. I made this in the PPPC Utility with https://www.wacom.com/en-us/support?linkId=57350690&guideTitle=Is-there-a-compatible-driver-for-Mac-OS-10.14-Mojave%3F&guideId=014-001 as a guide.



Does this help?







Thanks for this. I am going to be needing to do this soon.


How do I create a Preference profile for "Input Monitoring" on Catalina using PPPC Utility?


@dtmille2 I have been able to specify "allow" for all the required Wacom items for Accessibility in PPPC Utility but I miss how to automatically "tick" their boxes on the client side.
I noticed you also have "Apple Events" for each item but "Receiver code requirement" is not visible in your screenshots.
Is that the same that appears within "code requirement"?
The Wacom items appear client side within Security but an admin is required to unlock and tick the checkboxes.
I likely miss something obvious.
Many thanks!
Carlo


@carlo.anselmi , if memory serves me I believe I looked into the issue of the client side boxes not checking off in system preferences, and discovered that they may not when managing this with a configuration profile. However, if the profile is accomplishing its intended function, you are all good. In other words, this may be expected behavior.



The "Receiver code requirement" in my profile was created by the PPPC Utility. In taking a look at it just now, yes, it does look identical to what appears in "Code requirement".


@dtmille2 many thanks again! I'll try some more testing with your info
Great to understand that the unchecked boxes are the expected behavior!


In the newest version of the Wacom driver, 6.3.38-3 as of today, the file you need to drag into PPPC Utility is located in /Library/PrivilegedHelperTools/com.wacom.IOManager. By doing this I was able to stop the nag and the Wacom driver issue we were seeing.


@TheDecline I was going through and trying to create the Profile for the com.wacom.IOManager.



However no matter what configs I set either through PPPC Utility, it doesn't work.



Do you mind sharing the config you made for this?


Anyone got this working on Catalina? I understand Apple won't let people manage the Input Monitoring, but it would be nice to have the accessibility working. The profile I created using the PPPC Utility for com.wacom.IOManager and Wacom Desktop Center didn't work. Any ideas?


@K.K. Yes, I have this working under Catalina 10.15.6.
I used Jamf's PPPC Utility to make it:
https://github.com/jamf/PPPC-Utility
https://github.com/jamf/PPPC-Utility/releases/tag/1.2.0



Add to accessibility
/Library/PrivilegedHelperTools/com.wacom.IOManger.app



CAN'T add to input monitoring via PPPC file :(
/Applications/Wacom Tablet/.Tablet/FirmwareUpdater.app
/Applications/Wacom Tablet/.Tablet/TabletDriver.app
/Applications/Wacom Tablet/.Tablet/WacomTabletDriver.app
/Applications/Wacom Tablet/.Tablet/WacomTouchDriver.app



Add to full disk access
/Applications/Wacom Tablet/Wacom Desktop Center.app
/Applications/Wacom Tablet/Wacom Display Settings.app
/Applications/Wacom Tablet/Wacom Tablet Utility.app



When you import the finished PPPC mobileconfig file into Jamf, you also need to tick the 'Validate the static code requirement' tick box (for each app/setting listed, I have 4 as above.) in the Privacy Preferences Policy Control payload section in the Jamf interface to ensure you don't still get PPPC prompts in macOS. I do it as standard for every PPPC file I create.



The above settings got the pen & tablet working for me as regards drawing, pen buttons, scrolling and moving the mouse pointer around. If you need to monitor keyboard input, it has to be added manually to the input monitoring section unfortunately.



You will also get extra PPPC prompts when using the device utility software that comes with the tablet:
Wacom Desktop Center wants access to control System Preferences
Wacom Tablet Driver wants access to control System Preferences
Again the Jamf PPPC Utility can silence those.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>PPPC - Wacom Tablet</string>
<key>PayloadDisplayName</key>
<string>PPPC - Wacom Tablet</string>
<key>PayloadIdentifier</key>
<string>F14CB25C-8E2D-42AF-A404-EC8F22E4EF24</string>
<key>PayloadOrganization</key>
<string>YOUR-ORGANIZATION</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>6A9F734F-B0AA-4F3B-A16B-5B86AA85180F</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>Accessibility</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.wacom.IOManager" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.wacom.IOManager</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.wacom.Wacom-Desktop-Center</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.wacom.Wacom-Display-Settings" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.wacom.Wacom-Display-Settings</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.wacom.RemoveWacomTablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.wacom.RemoveWacomTablet</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>PPPC - Wacom Tablet</string>
<key>PayloadDisplayName</key>
<string>PPPC - Wacom Tablet</string>
<key>PayloadIdentifier</key>
<string>F14CB25C-8E2D-42AF-A404-EC8F22E4EF24</string>
<key>PayloadOrganization</key>
<string>YOUR-ORGANIZATION</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>4192846A-74DE-4C8F-9F59-A6309BB4F82D</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>payloadScope</key>
<string>system</string>
</dict>
</plist>

The above works for me with a Wacom Intuos Tablet + latest driver 6.3.40-2 on macOS 10.15.6
and then these 2 posts below to get rid of the extra PPPC messages from the tablet utility software


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Wacom Desktop Center wants access to control System Preferences</string>
<key>PayloadDisplayName</key>
<string>Wacom Desktop Center wants access to control System Preferences</string>
<key>PayloadIdentifier</key>
<string>93492BF7-C238-4518-98F0-6728C31E8023</string>
<key>PayloadOrganization</key>
<string>YOUR-ORGANIZATION</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>1F49F6A3-E677-4933-9A00-605A7C5675C7</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>AppleEvents</key>
<array>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systempreferences" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systempreferences</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.wacom.Wacom-Desktop-Center</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Wacom Desktop Center wants access to control System Preferences</string>
<key>PayloadDisplayName</key>
<string>Wacom Desktop Center wants access to control System Preferences</string>
<key>PayloadIdentifier</key>
<string>93492BF7-C238-4518-98F0-6728C31E8023</string>
<key>PayloadOrganization</key>
<string>YOUR-ORGANIZATION</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>DCCC5E4C-CBB4-4012-AB53-8E141C792AF5</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>Wacom Tablet Driver wants access to control System Preferences</string>
<key>PayloadDisplayName</key>
<string>Wacom Tablet Driver wants access to control System Preferences</string>
<key>PayloadIdentifier</key>
<string>8A9C2C5F-F2A6-47B4-9756-41D61A8FCDDF</string>
<key>PayloadOrganization</key>
<string>YOUR-ORGANIZATION</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>EACEF9F1-D8DE-4AB5-8270-7F63A29E8A1C</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>AppleEvents</key>
<array>
<dict>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systempreferences" and anchor apple</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systempreferences</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.wacom.wacomtablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.wacom.wacomtablet</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Wacom Tablet Driver wants access to control System Preferences</string>
<key>PayloadDisplayName</key>
<string>Wacom Tablet Driver wants access to control System Preferences</string>
<key>PayloadIdentifier</key>
<string>8A9C2C5F-F2A6-47B4-9756-41D61A8FCDDF</string>
<key>PayloadOrganization</key>
<string>YOUR-ORGANIZATION</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>1E290FCD-E266-457C-A550-AA412F6D8EEF</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
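
A pre-deployment check for profiles like the three posted above, as an added example that is not from the thread or from Jamf: it parses a PPPC mobileconfig and confirms that each grant's CodeRequirement names the same bundle ID as its Identifier and is pinned to the expected Team ID. The function name `audit_pppc` and the sample profile (with a shortened requirement string) are constructed for illustration.

```python
import plistlib
import re

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample: one well-formed grant and one deliberately mismatched one.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
<key>Services</key><dict>
<key>Accessibility</key><array><dict>
 <key>Allowed</key><true/>
 <key>CodeRequirement</key><string>anchor apple generic and identifier "com.wacom.IOManager" and certificate leaf[subject.OU] = EG27766DY7</string>
 <key>Identifier</key><string>com.wacom.IOManager</string>
 <key>IdentifierType</key><string>bundleID</string>
</dict></array>
<key>SystemPolicyAllFiles</key><array><dict>
 <key>Allowed</key><true/>
 <key>CodeRequirement</key><string>identifier "com.example.other"</string>
 <key>Identifier</key><string>com.wacom.Wacom-Desktop-Center</string>
 <key>IdentifierType</key><string>bundleID</string>
</dict></array>
</dict></dict></array></dict></plist>"""


def audit_pppc(data, expected_team):
    """Return (service, identifier, problems) for every TCC grant in a profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue  # not a PPPC payload
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                req = entry.get("CodeRequirement", "")
                problems = []
                ident = re.search(r'identifier "([^"]+)"', req)
                if (entry.get("IdentifierType") == "bundleID"
                        and (not ident or ident.group(1) != entry.get("Identifier"))):
                    problems.append("requirement identifier differs from Identifier")
                team = re.search(r'subject\.OU\]\s*=\s*"?(\w+)', req)
                if not team or team.group(1) != expected_team:
                    problems.append("not pinned to the expected Team ID")
                findings.append((service, entry.get("Identifier"), problems))
    return findings


if __name__ == "__main__":
    for service, identifier, problems in audit_pppc(SAMPLE, "EG27766DY7"):
        print(service, identifier, problems or "ok")
```

An entry with an empty problem list is pinned to both the bundle ID and the Team ID; anything else deserves a second look before the profile is uploaded.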

@snowfox Thank you so much, I did use PPPC utility to create the profile but didn't tick the 'Validate the static code requirement' tick box. I will give it a try on Monday and let you know. Have a good weekend!


@K.K. No problem. The above will work as-is on macOS 10.15.5.
I'm just testing it here on 10.15.6 and it's now complaining that legacy system (kernel) extensions will be deprecated in a future version of macOS and Wacom Technology Corp has tried to load one. Please approve it in Security & Privacy.



If you're running the current Wacom tablet driver on 10.15.6 you may have to whitelist the kernel extension in Jamf.
Good article here for Jamf School on how to find the Team ID and Bundle ID
https://docs.jamf.com/jamf-school/deploy-guide-docs/Whitelisting_Kernel_Extensions.html



sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

SELECT * FROM kext_policy;

Team ID: EG27766DY7
Bundle ID: com.FTDI.driver.D2XXHelper

Team ID: EG27766DY7
Bundle ID: com.silabs.driver.CP210xVCPDriver64


Add the Team ID and 2x Bundle IDs into the 'Approved Kernel Extensions' payload in a Jamf Configuration Profile.
Have a good weekend too :)


@snowfox I would have given you a thousand likes if I could. These are great! I had just started looking into this for Catalina since my old ones for Mojave weren't working properly. Thank you for your hard work!


@snowfox I was using the 'Approved Kernel Extensions' payload (only had Team ID) from before on 10.15.6 and it didn't complain. However, I still don't see any of the profile applied under the privacy tab and the Wacom Desktop Center wants access to control System Preferences is still unchecked. Are they invisible? Thank you.




@kwoodard Welcome! :D



@K.K. Yes they are invisible. When you set PPPC preferences via a mobileconfig file, they don't typically show up in the GUI interface in macOS (Security & Privacy). This goes for most settings set by a PPPC profile.



It's possible the teamID is enough to suppress the legacy system extension message without the bundle IDs. We have standard users that can't authenticate as Administrators to approve the setting in Security & Privacy so I just include both per the Jamf School article to be sure.



Wacom Desktop Centre wants to access system preferences - pops up when you run it and try to use the diagnostics utility for the tablet.
You'll see the popups if you test the Wacom utility software on a machine without the PPPCs applied.


@snowfox Many thanks! Wow that's quite different from the profiles I am currently using for Mojave and Wacom 6.3.38-3 (with some random issues)
I will try to see if I can use your profiles/PPPC for Mojave and 6.3.38-3/6.3.40-2

