
We have encountered the scenario described in this post: https://developer.apple.com/forums/thread/715220

We took a brand new MacBook Pro that came with Ventura pre-installed on it, and after it enrolled via DEP, we sometimes log in as the admin account and run sudo jamf policy to speed up the full enrollment process. This time we discovered that we encountered a problem. It appears that Ventura now doesn't let us run Terminal commands that change apps. In System Settings > Privacy & Security > App Management, Terminal was listed but not enabled.

Is there an MDM setting in Jamf that will allow us to pre-approve Terminal and any other apps we need to have this functionality?

The associated notification:

 


@AVmcclint There's a new SystemPolicyAppBundles property with macOS Ventura. It's not in the PPPC payload configuration UI as of Jamf Pro 10.42.1, but the iMazing Profile Editor supports it.


Thanks for pointing me to that. I found the setting but there are fields it is asking for input and I can't find any documentation for what it needs.



@AVmcclint I haven't had occasion to use it yet, but my understanding is it's configured basically the same as the SystemPolicyAllFiles setting (supposedly it's a subset of AllFiles added to Ventura specifically for app bundles so the settings can be more granular)


I'm interested in doing this as well.  Doesn't look like there was a resolution to this post.  Any chance you figured it out and can share your wisdom?


I wrote a script to allow Terminal to control apps, if anyone still needs this

 

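#!/bin/bash

# User currently logged in at the console; the entry goes into that user's TCC database
loggedInUser=$(ls -l /dev/console | awk '/ / { print $3 }')
last_modified=$(date "+%s")
db_location="/Users/$loggedInUser/Library/Application Support/com.apple.TCC/TCC.db"

# Compile Terminal's designated requirement into the binary csreq form TCC stores
csreq_bin=$(mktemp)   # private temp file instead of a fixed name in /tmp
REQ_STR=$(codesign -d -r- /System/Applications/Utilities/Terminal.app/ 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b "$csreq_bin"
# Hex-encode the blob on a single line (xxd -p wraps its output)
REQ_HEX=$(xxd -p "$csreq_bin" | tr -d '\n')
rm -f "$csreq_bin"
mod_REQHEX="X'$REQ_HEX'"

# Positional INSERT: the values must match the column order of the access table
# on the macOS version in use (auth_value 2 = allowed)
sqlite3 "$db_location" "INSERT INTO access VALUES('kTCCServiceSystemPolicyAppBundles','com.apple.Terminal',0,2,3,1,$mod_REQHEX,NULL,NULL,'UNUSED',NULL,0,$last_modified,NULL,NULL,'UNUSED',$last_modified);"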

@AVmcclint There's a new SystemPolicyAppBundles property with macOS Ventura. It's not in the PPPC payload configuration UI as of Jamf Pro 10.42.1, but the iMazing Profile Editor supports it.


We're on Jamf Pro 11.7.1 and I'm still not seeing the SystemPolicyAppBundles. Am I missing something?

