The recent agent update from Trend Micro requires Full Disk Access. We have a Configuration Profile for accepting the kernel extension and that has worked great until now. The new update for Catalina compatibility requires that a new item be given Full Disk Access. Trying to use the PPPC Utility, I cannot add the iCoreService to the Application list. I've never used that utility so I'm probably missing something. We don't want to have to do this 5-step process on every client machine. Pointers are appreciated.
Would like to know the same, any help would be appreciated
I created a ticket with Jamf support and they helped create the Configuration Profile for me to upload. I would share it here but am not certain it is universally applicable. They referenced this KB: https://www.jamf.com/jamf-nation/articles/553
I think it will be a universal one. Would you be so kind and share it?
Hi Eric @erichughes
Would you please share the PPPC file created. This would be greatly appreciated.
Thanks
Simon
@simon.brooke @mbuczkowski This worked for me:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>PPPC Trend All Files</string>
            <key>PayloadDisplayName</key>
            <string>PPPC Trend All Files</string>
            <key>PayloadIdentifier</key>
            <string>45103537-FAD7-4736-AFCB-C8CBBB622723</string>
            <key>PayloadOrganization</key>
            <string>Your Org</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>6F7BC0ED-14A6-47AD-82E2-81EBA70BE428</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <!-- Full Disk Access is the SystemPolicyAllFiles service;
                     SystemPolicySysAdminFiles only covers admin-protected files. -->
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier iCoreService and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/Library/Application Support/TrendMicro/TmccMac/iCoreService</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>PPPC Trend All Files</string>
    <key>PayloadDisplayName</key>
    <string>PPPC Trend All Files</string>
    <key>PayloadIdentifier</key>
    <string>45103537-FAD7-4736-AFCB-C8CBBB622723</string>
    <key>PayloadOrganization</key>
    <string>Your Org</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key>
    <string>B95E6425-5D73-4DAC-BD6E-04BE9E783D04</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <!-- TCC payloads only take effect as device (System) scoped profiles; the key is case-sensitive. -->
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>
This is what is in the payload for me.
Hello, I'm referencing KB https://www.jamf.com/jamf-nation/articles/553. My policy seems to be the same as mentioned above, and when I send the PPPC, Trend no longer asks for Full Disk permission. When doing this, Trend will not connect to the parent server. If I remove the PPPC it will work for a few seconds and then ask for Full Disk permission. Is there anything else I should be adding to this? I have tried reinstalling and installing multiple times. When I approve Disk Permissions manually it works. Any ideas would be greatly appreciated.
According to the Trend KB it also needs Accessibility access.
I used the jamf PPPC utility with the chmod recommendations by @rrouleau in this thread, then enabled full disk access and accessibility access on the iCoreService file.
The profile shows up and the iCoreService is listed under Full Disk Access, but the checkbox is unchecked and there is nothing under Accessibility. Is that normal?
Attaching a screenshot of mine. I pulled the file path but didn't take out the slashes for the spaces originally. When I fixed that it worked!
I still can't seem to get it to run. With the PPPC in place Apex One starts to load but eventually crashes with an unexpected error. Without it I need to manually enable Full Disk Access.
I created a support ticket with Jamf and they helped me create the PPPC, because there was something I was missing. How are you installing Apex One? We are using a Policy with an install script payload. The PPPC Profile is already on the computer by the time the install happens.
#!/bin/bash
# Abort on the first failure so a failed download never reaches installer(1).
set -euo pipefail

# Switch to the /tmp directory
cd /tmp

# Download the Trend installer from YOUR Apex One console (replace <yourserver>).
# -f makes curl fail on an HTTP error instead of saving an error page as the zip.
# -k skips TLS certificate verification; drop it if the console presents a trusted certificate.
curl -fsSL -O -k "https://<yourserver>.manage.trendmicro.com/officescan/console/html/TMSM_HTML/ActiveUpdate/ClientInstall/tmsminstall.zip"

# Unzip the installer (quietly, overwriting any leftover copy)
unzip -qo tmsminstall.zip

# Install the Trend software
installer -pkg "/tmp/tmsminstall/tmsminstall.pkg" -target /

# Clean up the downloaded files
rm -f /tmp/tmsminstall.zip
rm -rf /tmp/tmsminstall
exit 0
@erichughes can you share your PPPC?
I also have a separate Configuration Profile that allows the kernel extension. That was in place before the PPPC was required. I have also attached an image of the pertinent part of that. It may not be required any longer but it is still in place on my workstations.
@erichughes do you need both for Catalina?
I tried just the Kernel extension and the system is saying I need to allow it under security system preference pane.
I'm not certain, it is part of my base enrollment push, most of our machines are Mojave, but the handful on Catalina still have it installed. It is part of a Profile that has multiple kernel extensions in it (next time I would have a Profile for each). Have not tested without the kernel extension in place. We are using Trend Micro / Apex One cloud protection. Transitioned from an onsite server earlier this year and didn't have to do anything with clients until the agent update that brought the need for the PPPC. I also want to say that even though the Profile was in place it still required a restart of the computer to recognize it.
I originally had a configuration profile with the PPPC that covered Trend Micro. It was scoped to Mojave and worked great.
When Catalina was released, I added all Catalina devices to the scope, but for some reason those devices never got the CP or it wasn't honoring the Accessibility service. It's possible that I also added the Accessibility service mid-way through the life of that profile.
I created a fresh new configuration profile with the PPPC that covers Trend Micro, with exactly the same settings and scoped it to Catalina and it works for Catalina devices.
It's not ideal that I have two profiles but each works for their respective OS versions. (On-prem, Apex One (Mac) Security agent 3.5.x)
IDENTIFIER: /Library/Application Support/TrendMicro/TmccMac/iCoreService
IDENTIFIER PATH: path
CODE REQUIREMENT: identifier iCoreService and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32
"Validate the Static Code Requirement" is not selected
APP OR SERVICE:
SystemPolicyAllFiles: Allow
Accessibility: Allow
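For anyone assembling or checking one of these profiles outside the PPPC Utility, here is an added example (not Trend Micro's, Jamf's or any poster's code) that builds the TCC payload described in this thread with both services the later posts say the agent needs, and lints an exported profile for the mistakes reported here: the admin-files service mistaken for Full Disk Access, a miscased PayloadScope key, and backslash-escaped spaces left in the path. The binary path, code requirement and team ID are the ones quoted in the thread; the function names and the uuid-generated identifiers are this example's own.

```python
"""Build and lint a PPPC (com.apple.TCC.configuration-profile-policy) profile.

Added example; not Trend Micro's, Jamf's or any poster's code. The binary
path, designated requirement and team ID are the ones quoted in the thread;
every function name here is this example's own.
"""
import plistlib
import uuid

# Values quoted in the thread for the Apex One agent binary.
ICORE_PATH = "/Library/Application Support/TrendMicro/TmccMac/iCoreService"
ICORE_REQUIREMENT = (
    "identifier iCoreService and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = E8P47U2H32"
)

# TCC service keys used in the thread. SystemPolicySysAdminFiles is easy to
# confuse with Full Disk Access but only covers admin-protected files.
FULL_DISK_ACCESS = "SystemPolicyAllFiles"
ACCESSIBILITY = "Accessibility"
SYSADMIN_FILES = "SystemPolicySysAdminFiles"
TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"


def _new_uuid():
    return str(uuid.uuid4()).upper()


def tcc_entry(identifier, requirement, identifier_type="path"):
    """One Services[<service>] element: allow `identifier` if it meets `requirement`."""
    return {
        "Allowed": True,
        "CodeRequirement": requirement,
        "Comment": "",
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "StaticCode": False,  # "Validate the Static Code Requirement" unchecked
    }


def build_pppc_profile(identifier, requirement, services,
                       org="Your Org", name="PPPC Trend All Files"):
    """Return a device-scoped profile granting every service in `services` to one binary."""
    payload = {
        "PayloadDescription": name,
        "PayloadDisplayName": name,
        "PayloadIdentifier": _new_uuid(),
        "PayloadOrganization": org,
        "PayloadType": TCC_PAYLOAD_TYPE,
        "PayloadUUID": _new_uuid(),
        "PayloadVersion": 1,
        # The same entry is repeated once per TCC service being pre-approved.
        "Services": {s: [tcc_entry(identifier, requirement)] for s in services},
    }
    return {
        "PayloadContent": [payload],
        "PayloadDescription": name,
        "PayloadDisplayName": name,
        "PayloadIdentifier": _new_uuid(),
        "PayloadOrganization": org,
        "PayloadScope": "System",  # TCC payloads are only honored at device scope
        "PayloadType": "Configuration",
        "PayloadUUID": _new_uuid(),
        "PayloadVersion": 1,
    }


def profile_to_plist(profile):
    """Serialize to the XML plist form that Jamf accepts for upload."""
    return plistlib.dumps(profile)


def lint_pppc_profile(profile):
    """Return findings for the mistakes reported in the thread; an empty list means clean."""
    findings = []
    if "payloadScope" in profile:
        findings.append("key 'payloadScope' is miscased; the profile key is 'PayloadScope'")
    elif str(profile.get("PayloadScope", "")).lower() != "system":
        findings.append("PayloadScope should be System; TCC payloads are only honored at device scope")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD_TYPE:
            continue
        services = payload.get("Services", {})
        if SYSADMIN_FILES in services and FULL_DISK_ACCESS not in services:
            findings.append(f"{SYSADMIN_FILES} is not Full Disk Access; use {FULL_DISK_ACCESS}")
        if FULL_DISK_ACCESS in services and ACCESSIBILITY not in services:
            findings.append("Accessibility not granted; the Trend KB says the agent needs it too")
        for service, entries in services.items():
            for entry in entries:
                ident = entry.get("Identifier", "")
                if entry.get("IdentifierType") == "path":
                    if "\\ " in ident:
                        findings.append(f"{service}: path keeps shell-escaped spaces: {ident}")
                    elif not ident.startswith("/"):
                        findings.append(f"{service}: IdentifierType is path but Identifier is not absolute")
                if not entry.get("CodeRequirement"):
                    findings.append(f"{service}: CodeRequirement is a required key and is missing")
    return findings
```

Run `lint_pppc_profile` over `plistlib.load(open(path, "rb"))` for a profile exported from the PPPC Utility or Jamf before scoping it; the path check catches the escaped-spaces mistake described earlier in the thread, which a profile that "installs fine" will not surface on its own.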
Does anyone have a script to restart Trend? We updated our PPPC but Trend won't follow it until it's restarted.
Also, does anyone have some Trend EAs to share? I have one for version number but can't come up with a "last check in" type stat.
If you are using the script I posted here, check your server name in the URL. Otherwise your clients will be attached to someone else's server.
Thanks for all your help everyone. Got it working with the help of PPPC.
Be aware that if you move to the Trend cloud-based agent, this appears to need a new profile due to a change in the location of the Trend files.
FYI, if anyone else runs into issues with this. Here is a helpful article from Trend that helped me work through the issues I was seeing.
https://success.trendmicro.com/solution/000277823
@jgrant thanks for the update!!