
Trying to wrap my head around this. Had a couple of instances with new Mojave builds where the Jamf agent was called.

We already upgraded to JSS v10.7.1 so it's not the agent requiring access but likely a policy which needs access and the message is piped through the agent. Do you compile a complete list based on testing all the installed apps and policies and then upload it to the JSS, or do you break it down somehow?

Approving Terminal first I can see which applications are in the TCC list (sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT * from access") but it doesn't show me which events they require.

Running the following: (/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"') shows me the process running but doesn't seem to correspond to which application calls them.

My main question: how do I know which application needs to be pre-approved and with what specific action?
Anyone who's already mastered this and cares to shed some light before madness kicks in...?

There is a config profile on GitHub that sorts all that out mate..
JamfAppleEvents.mobileconfig

Been using it and all is good at my end.

G'Luck!


@kerouak is correct, we pre-built a profile that would whitelist the Jamf Binary, Jamf Agent and Jamf.app to be able to communicate with SystemEvents, SystemUIServer and Finder via the Apple Events service listed within the PPPC framework. That JamfAppleEvents.mobileconfig profile can be found here: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles and is linked in our KB "Preparing Your Organization for User Data Protections on macOS 10.14".

We do not plan to auto-whitelist Terminal to communicate with things since that should be an admin's choice about what other applications they want to allow to communicate with things. Also, if an admin is running something via Terminal they can click the allow button themselves.


Hi @mike.paul, please see my Jamf Nation post regarding the PPPC utility.
https://www.jamf.com/jamf-nation/discussions/29629/privacy-preferences-config-profile-issues

the app appears to be creating blank profiles as far as I can see.


In addition @mike.paul, when I try and upload pre-created config profiles I get the following error:

Is there something I need to do to the file before uploading?

Thanks


Thanks @kerouak That seems to work fine with the Jamf interaction events.
I was under the impression that v10.7.1 already was doing this with the built-in profile but, as you mentioned, it requires adding the one above as well (not really sure why it wasn't included?).

@ocla&&09 I've uploaded a few profiles and all of them work fine. They look empty in JSS but you can check the data once the profile is installed. Sounds like you've got connection issues with the JSS. Does it work when you use "Test Connection"?


@tjhall no connection problems. Maybe I am seeing what you are, i.e. the "General" section of the profile is populated with info, but there is no other payload in there. Maybe it is just a UI glitch.


This is expected behavior in the product until the full GUI is added in a future version of Jamf Pro. You can confirm the content is there by downloading the profile post upload and inspecting the content (it will be signed so you'd have to remove the signature prior to reading it easily) or pushing it to a test device to see the values displayed in the Profiles pane in System Preferences.

@ocla&&09, in regards to the upload failure, I am not sure what would be causing that error. How was this profile created? Is it signed? The PPPC Util app was just updated to 1.0.1 to handle a bug around creation of profiles with SystemPolicySysAdminFiles.


Hi @mike.paul sorry, I may have not been clear. The upload error happens when I try to manually upload a .mobileconfig file through the Jamf Console. Upload via the PPPC Util does not have issues.


How was that profile created and what are its contents? Would you mind sharing it here? I just manually uploaded a profile saved from the PPPC Util and one I manually wrote out, and both uploaded without error.


@mike.paul I am even having the issue with the JamfAppleEvents.mobileconfig file on your GitHub repo.


I'm guessing your browser modified the file prior to downloading. When I right-click on the .mobileconfig and download it in Firefox and open it in a text editor I see it starting with

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
  <link rel="dns-prefetch" href="https://assets-cdn.github.com">
  <link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars1.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars2.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars3.githubusercontent.com">
  <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
  <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">

The above values are not correct. Your file should look the same as it displays in GitHub, looking similar to this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>PayloadContent</key>
        <array>
                <dict>
                        <key>Services</key>
                        <dict>
                                <key>AppleEvents</key>
                                <array>

So your options to not have your browser mess with it are:


I think I've seen a duplicate identifier cause that "unable to create object from file" error ... possibly a number of reasons.


Anybody else having issues with the PPPC Utility and making a script.sh be allowed to manipulate Finder? It won't let me select a .sh file.

I tried the utility to add bash and osascript to be allowed but still get the same pop-up.





@szultzie, unless you signed your script and/or self made apps, it won't be allowed to be whitelisted as that is a requirement for PPPC. The PPPC utility will give you better display of why it is denying things in a future version.

You can use this nifty write up from Carl Ashley on signing scripts to help you get this accomplished though: https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/


Thanks @mike.paul, I will give that a try. Interesting that I need them signed; Jamf Support said I had to add <string>/usr/bin/bash</string> to my launch agent and then I can whitelist bash.

I know it's not the best approach but I just wanted to get it working somehow so I can continue to test Mojave in our environment.

I'll try signing it.

-Peter


Yes, you can whitelist anything that is signed, whether that is an app, binary or a script.

Since bash is a binary signed by Apple you could whitelist that; its identifier would be /bin/bash and its code signature requirement would be identifier "com.apple.bash" and anchor apple.

But what it really comes down to is when the thing is running and causing the prompts, what does the prompt or the logging command show for the parent process requesting access?

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

For example, when I run a shell script from Terminal that has osascript inside that is doing a call to Finder (common workflow for end user prompts), I see Terminal as my parent process to whitelist. Logs from that show:

2018-10-08 09:20:44.376179-0500 0x2a409c   Info        0x0                  341    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[17885], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[18161], auid: 501, euid: 0, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[69], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

With the one being responsible for the call being RESP:{ID: com.apple.Terminal, and the thing it's requesting access to being REQ:{ID: com.apple.appleeventsd,
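The AttributionChain line above packs three records into one line: RESP (what TCC holds responsible, and therefore what a PPPC profile has to whitelist), ACC (the helper that actually made the call) and REQ (the service being asked for). The script below is an added example written for this thread, not Jamf's code or anything from the posters: it parses such lines into those three records and reduces a log capture to the (responsible identifier, requested service) pairs you need profile entries for. The first sample line is the one quoted above; the second is a constructed line for a hypothetical signed launcher (com.example.launcher at /usr/local/bin/mylauncher) and the third is a constructed non-chain line, included so the parser is shown ignoring noise.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Line 1 is the tccd AttributionChain line quoted in the thread
# (Terminal -> osascript -> appleeventsd). Line 2 is made up for a hypothetical signed
# launcher (com.example.launcher). Line 3 is a made-up non-chain tccd line.
SAMPLE_LOG = """\
2018-10-08 09:20:44.376179-0500 0x2a409c   Info        0x0                  341    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[17885], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[18161], auid: 501, euid: 0, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[69], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2018-10-08 09:21:02.000000-0500 0x2a40b1   Info        0x0                  341    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.example.launcher, PID[2001], auid: 0, euid: 0, responsible path: '/usr/local/bin/mylauncher', binary path: '/usr/local/bin/mylauncher'}, ACC:{ID: com.apple.osascript, PID[2002], auid: 0, euid: 0, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[69], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2018-10-08 09:21:03.000000-0500 0x2a40b2   Info        0x0                  341    0    tccd: [com.apple.TCC:access] some unrelated message
"""

# The exact log stream invocation quoted in the thread, for live use on a Mojave box.
LOG_STREAM_CMD = [
    "/usr/bin/log", "stream", "--debug", "--predicate",
    'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"',
]

ROLE_RE = re.compile(r"(RESP|ACC|REQ):\{([^}]*)\}")


def parse_chain(line: str) -> Optional[Dict[str, Dict[str, str]]]:
    """Split one AttributionChain line into its RESP / ACC / REQ records.

    Each record becomes a dict of the "key: value" fields inside the braces; the
    "PID[n]" field has no colon and is handled separately. Non-chain lines give None.
    """
    if "AttributionChain:" not in line:
        return None
    chain: Dict[str, Dict[str, str]] = {}
    for role, body in ROLE_RE.findall(line):
        fields: Dict[str, str] = {}
        for part in body.split(", "):
            if part.startswith("PID[") and part.endswith("]"):
                fields["pid"] = part[4:-1]            # "PID[17885]" -> "17885"
            else:
                key, _, value = part.partition(": ")
                fields[key.strip()] = value.strip().strip("'")
        chain[role] = fields
    return chain or None


def whitelist_rows(log_text: str) -> List[Dict[str, str]]:
    """One row per prompt: what to whitelist (RESP), via which helper (ACC), for which service (REQ)."""
    rows = []
    for line in log_text.splitlines():
        chain = parse_chain(line)
        if not chain or "RESP" not in chain:
            continue
        resp = chain["RESP"]
        rows.append({
            "identifier": resp.get("ID", ""),
            "path": resp.get("responsible path") or resp.get("binary path", ""),
            "via": chain.get("ACC", {}).get("ID", ""),
            "service": chain.get("REQ", {}).get("ID", ""),
            "euid": chain.get("ACC", {}).get("euid", ""),   # 0 here: the osascript ran as root
        })
    return rows


def unique_targets(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Deduplicated (responsible identifier, requested service) pairs: one profile entry each."""
    return sorted({(r["identifier"], r["service"]) for r in rows})


def stream_live() -> None:
    """macOS only: run the thread's log stream command and print a row as each prompt happens."""
    with subprocess.Popen(LOG_STREAM_CMD, stdout=subprocess.PIPE, text=True) as proc:
        for line in proc.stdout:
            for row in whitelist_rows(line):
                print(row)


if __name__ == "__main__":
    for row in whitelist_rows(SAMPLE_LOG):
        print(row)
    print(unique_targets(whitelist_rows(SAMPLE_LOG)))
```

Run it against a saved capture (`log show --predicate ... > tcc.log`, then feed the file to `whitelist_rows`) rather than the live stream when you want the full list for a build: the RESP identifier and path in each row are the Identifier/CodeRequirement subject for the PPPC entry, and the REQ of com.apple.appleeventsd tells you it belongs under the AppleEvents service.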


yes, so after some more testing...

I do have bash whitelisted, and adding the line <string>/usr/bin/bash</string> in my launch agent that calls the script, it doesn't run at login now. When I call the script from Terminal it runs, but my new item being blocked is Terminal, which makes sense based on what you say that my new parent process is Terminal, and bash is whitelisted so the script doesn't get flagged.

Why is Apple trying to be an AV now? I have to fight against our AV Cylance as well with this stuff. Our desktops are going to end up being very secure, lots of redundancies are set in place lol


@mike.paul similar to @ocla&&09 I'm having problems U/L to jamf too, when I do, it accepts the file, but doesn't have a payload when saved. I'm on jamf 10.7.1 already.

I tried the clone/copy and paste method and it doesn't work.


So just an update... adding the <string>/usr/bin/bash</string> or <string>/bin/bash</string> causes the launch agent not to launch. Waiting to hear back from Jamf Support.

@jwojda The Profiles pane on the client shows a profile loaded; you should check to see if it is applied for you. The payload in JSS will only be General, from what @mike.paul said in an earlier post.


So, talking about best practices. Are people making individual configs per application or family of apps (ie Office) or are you doing everything in one config?

And I've seen where if I add too many items to PPPC Utility the +/- buttons disappear.


So I codesigned mylittle.app (all it does is run a script). When I run

codesign -dr - mylittle.app/

Executable=mylittle.app
host => identifier "com.apple.bash" and anchor apple
designated => identifier "mylittle" and certificate root = H"11376458a31f4465f1736b716feb8cd45d8cdcb1"

but when I try to add it using the + button in the PPPC Utility it doesn't open; other .apps do. Any ideas?

-Peter


@mike.paul I've code signed my .sh file following instructions from Carl Ashley, I verify it's signed, but cannot drag into PPPC Utility? Am I missing something? My hopes were to allow that script only via a config profile using PPPC.

I originally created a .app using Platypus but what's odd is when I codesign the .app it won't launch. I can successfully launch an un-signed .app. Not sure what I'm missing there either.


I am sorry that some of you are hitting issues with the PPPC Utility. Since it is an open source project you can file issues on the GitHub page: https://github.com/jamf/PPPC-Utility/issues.

I don't know why the app wouldn't take your custom apps or signed scripts. Thankfully you don't only have to use the utility to build profiles, as the config profile is now in the GUI of Jamf Pro as well.

You can use the codesign -dr - /path/to/thing to gather the code signature and identifier and paste that into the profile in the Jamf Pro server or you could try to use Carl Ashley's https://github.com/carlashley/tccprofile or Erik Berglund's https://github.com/erikberglund/ProfileCreator
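Taking the `codesign -dr -` output and pasting the identifier and requirement into a profile, as the post above suggests, is mechanical enough to script. The following Python is an added example written for this thread, not Jamf's code and not what the PPPC Utility does internally: it parses the `codesign -dr -` output quoted earlier for mylittle.app (used here as constructed sample input), adds the /bin/bash entry with the path identifier and requirement given earlier in the thread, and writes a TCC configuration profile that allows both to send Apple Events to Finder. The payload keys are Apple's TCC profile payload keys (PayloadType com.apple.TCC.configuration-profile-policy, Services, AppleEvents, Identifier/IdentifierType/CodeRequirement and the AEReceiver* counterparts). The Finder requirement (`identifier "com.apple.finder" and anchor apple`), the organization name and the com.example identifier prefix are assumptions.

```python
import plistlib
import re
import uuid
from typing import Dict, Iterable, Tuple

# Constructed sample: the `codesign -dr - mylittle.app` output quoted in the thread.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=mylittle.app
host => identifier "com.apple.bash" and anchor apple
designated => identifier "mylittle" and certificate root = H"11376458a31f4465f1736b716feb8cd45d8cdcb1"
"""

# Receiver triple: (identifier, IdentifierType, code requirement). Finder's requirement is assumed.
FINDER = ("com.apple.finder", "bundleID", 'identifier "com.apple.finder" and anchor apple')

# Apple-signed bash, exactly as given in the thread: path identifier plus its requirement.
BASH = ("/bin/bash", "path", 'identifier "com.apple.bash" and anchor apple')


def parse_codesign_output(text: str) -> Tuple[str, str]:
    """Return (identifier, designated requirement) from `codesign -dr - <thing>` output.

    Only the 'designated =>' line matters for PPPC: it is the CodeRequirement, and its
    identifier clause is the Identifier when IdentifierType is bundleID. The 'host =>'
    line (the interpreter for a script) is deliberately ignored. Unsigned things have
    no designated requirement, which is why they cannot be whitelisted.
    """
    requirement = None
    for line in text.splitlines():
        if line.startswith("designated =>"):
            requirement = line.split("=>", 1)[1].strip()
    if requirement is None:
        raise ValueError("no designated requirement found: is the binary signed?")
    match = re.search(r'identifier "([^"]+)"', requirement)
    if match is None:
        raise ValueError("designated requirement has no identifier clause")
    return match.group(1), requirement


def apple_events_entry(sender_id: str, sender_type: str, sender_req: str,
                       receiver: Tuple[str, str, str] = FINDER) -> Dict:
    """One AppleEvents allow rule: sender may send Apple Events to receiver."""
    if sender_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be bundleID or path")
    recv_id, recv_type, recv_req = receiver
    return {
        "Identifier": sender_id,
        "IdentifierType": sender_type,
        "CodeRequirement": sender_req,
        "AEReceiverIdentifier": recv_id,
        "AEReceiverIdentifierType": recv_type,
        "AEReceiverCodeRequirement": recv_req,
        "Allowed": True,
    }


def build_profile(entries: Iterable[Dict], display_name: str, org: str,
                  identifier_prefix: str = "com.example.pppc") -> Dict:
    """Wrap AppleEvents rules in a system-scoped TCC configuration profile (unsigned)."""
    payload_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadContent": [{
            "PayloadDescription": display_name,
            "PayloadDisplayName": display_name,
            "PayloadIdentifier": f"{identifier_prefix}.{payload_uuid}",
            "PayloadOrganization": org,
            "PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadUUID": payload_uuid,
            "PayloadVersion": 1,
            "Services": {"AppleEvents": list(entries)},
        }],
        "PayloadDescription": display_name,
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"{identifier_prefix}.{profile_uuid}",
        "PayloadOrganization": org,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def to_mobileconfig(profile: Dict) -> bytes:
    """Serialize as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_mobileconfig(data: bytes) -> Dict:
    return plistlib.loads(data)


def demo_profile() -> Dict:
    ident, req = parse_codesign_output(SAMPLE_CODESIGN_OUTPUT)
    entries = [apple_events_entry(ident, "bundleID", req), apple_events_entry(*BASH)]
    return build_profile(entries, "Apple Events for mylittle and bash", "Example Org")


if __name__ == "__main__":
    print(to_mobileconfig(demo_profile()).decode())
```

The output starts with the same `PayloadContent` / `Services` / `AppleEvents` skeleton shown earlier in the thread, so it can be uploaded to Jamf Pro as-is; remember that a profile downloaded back from the JSS will be signed and needs the signature stripped before it is readable again.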


@mike.paul Thank you for the information. I still need to upgrade to the latest JAMF Pro that has the PPPC Built in. I will try out one of the other utilities.

Thank you