Trying to wrap my head around this. Had a couple of instances with new Mojave builds where the Jamf agent was called.

We already upgraded to JSS v10.7.1 so it's not the agent requiring access but likely a policy which needs access and the message is piped through the agent. Do you compile a complete list based on testing all the installed apps and policies and then upload it to the JSS, or do you break it down somehow?

Approving Terminal first, I can see which applications are in the TCC list (sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT * from access") but it doesn't show me which events they require.

Running the following: (/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"') shows me the process running but doesn't seem to correspond to which application calls them.

My main question: how do I know which application needs to be pre-approved and with what specific action?
Anyone who's already mastered this and cares to shed some light before madness kicks in....?

FWIW, with respect to the osascript prompts, at least with respect to Fusion 11 Pro, their dev team responded to our request for help with this prompt:

Their response:

The customer's issue is that the MDM cannot push out the osascript prompt and his attempt to allow VMware access to System Events via Privacy Payload does not work. According to the attached screenshot "TCC whitelist.png", Fusion accesses System Events via /usr/bin/osascript, so in TCC.db it is "/usr/bin/osascript" that accesses System Events, not Fusion. I would suggest the customer try allowing /usr/bin/osascript access to System Events in the Privacy Preferences Policy Control Payload.


I'm getting totally lost with this whole process. I have created numerous profiles and uploaded them to our JSS running 10.9. Some seem to work as expected but when trying to run things via Self Service that launch scripts I'm still seeing the prompts about allowing jamfAgent to control System Events.

As you can see from my attached screenshot, as far as I can tell I've allowed it to control System Events so not sure why I'm still seeing the prompts?


How do you go about adding in something for the Automation section? Specifically for the below:


I'm trying to run the following command via a simple policy's "Files and processes" payload
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/Microsoft Teams.app", hidden:false}' but it doesn't seem to work. The log says

Result of command: 36:131: execution error: An error of type -10810 has occurred. (-10810)

I tried putting the command in a script and running it from there instead but now I get

Script result: 36:131: execution error: Not authorized to send Apple events to System Events. (-1743)

When I run the command via Terminal it works fine, so I have to assume it's a PPPC issue. But how do I build a PPPC profile for an osascript command?


I have the same question as sslavieroGSMA. My infosec team is requiring that we install/patch OpenJDK via Brew. I have the install set to pass the brew install command to a terminal window open as the user via osascript (building off emily's work https://www.jamf.com/jamf-nation/discussions/24803/deploy-homebrew) and get a prompt "Jamf want access to control "Terminal." If manually approved I get

Running

tccutil reset AppleEvents

removes the entry, but I can't figure out how to build a .mobileconfig file to replicate it.


Try using the PPPC Utility from Jamf and drag the Jamf agent binary into the column on the left.
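
For the recurring question in this thread of how to build a .mobileconfig for an osascript Automation prompt, here is an added example (not code from any poster, Jamf or VMware) that generates a Privacy Preferences Policy Control profile allowing /usr/bin/osascript to send Apple events to System Events, as the VMware reply suggests. The com.example.pppc identifier prefix, the output filename and the two code requirement strings are assumptions; confirm the requirements with codesign -dr - on a target Mac.

```python
import plistlib
import uuid

# Assumed designated requirements for Apple's own binaries; confirm each one on a
# target Mac with `codesign -dr - <path>` before deploying.
OSASCRIPT_REQ = 'identifier "com.apple.osascript" and anchor apple'
SYSTEM_EVENTS_REQ = 'identifier "com.apple.systemevents" and anchor apple'


def _check(identifier, id_type):
    if id_type not in ("path", "bundleID"):
        raise ValueError("identifier type must be 'path' or 'bundleID'")
    if id_type == "path" and not identifier.startswith("/"):
        raise ValueError("path identifiers must be absolute: %r" % identifier)


def apple_events_rule(sender, sender_type, sender_req,
                      receiver, receiver_type, receiver_req):
    """One Automation rule: `sender` may send Apple events to `receiver`."""
    _check(sender, sender_type)
    _check(receiver, receiver_type)
    return {
        "Identifier": sender, "IdentifierType": sender_type,
        "CodeRequirement": sender_req,
        "AEReceiverIdentifier": receiver,
        "AEReceiverIdentifierType": receiver_type,
        "AEReceiverCodeRequirement": receiver_req,
        "Allowed": True,
    }


def _ids(prefix, name):
    return {"PayloadIdentifier": prefix + "." + name,
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1}


def build_pppc_profile(rules, prefix="com.example.pppc"):  # prefix is a placeholder
    """Return .mobileconfig bytes with one PPPC payload holding the rules."""
    tcc = dict(_ids(prefix, "tcc"),
               PayloadType="com.apple.TCC.configuration-profile-policy",
               Services={"AppleEvents": list(rules)})
    profile = dict(_ids(prefix, "profile"), PayloadType="Configuration",
                   PayloadScope="System", PayloadDisplayName="PPPC: osascript Automation",
                   PayloadContent=[tcc])
    return plistlib.dumps(profile)


if __name__ == "__main__":
    rule = apple_events_rule("/usr/bin/osascript", "path", OSASCRIPT_REQ,
                             "com.apple.systemevents", "bundleID", SYSTEM_EVENTS_REQ)
    with open("osascript-systemevents.mobileconfig", "wb") as fh:
        fh.write(build_pppc_profile([rule]))
```

The payload is only honoured when the profile is installed through MDM, so upload the generated file to the JSS rather than installing it by hand. The rule covers every script run through /usr/bin/osascript, so keep the list of receivers as narrow as the policies actually need.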