Posted on 10-09-2018 07:06 AM
Has anyone figured out an automated way to add apps to the System Preferences -> Security & Privacy -> Privacy -> Accessibility section in Mojave to allow them to control the computer?
We use Bomgar in my environment for remote support, and are running into a less than ideal interaction with Mojave. Users are prompted to allow the Bomgar app to control the computer, but users can only do that if they have administrative privileges, which not many people have in my environment.
I contacted Bomgar about this, and they said it's expected due to security changes Apple made and there's no way around this with their software. I contacted Jamf as well and they told me they were unaware of a way to add an app to this section automatically. I've tried and it does not appear I can grant users the ability to modify this section of System Preferences if they don't have admin privileges, like I can other sections.
I'm hoping someone else may have ideas on this.
Posted on 10-09-2018 07:49 AM
Check out Jamf's tool to create a Privacy Preferences Policy Control profile and upload to your JSS. You'll want to add Bomgar to the accessibility section, then add an AppleEvent that allows Bomgar to control System Preferences.
You can check out my TeamViewer profile as an example, that's essentially what you'll want, just substitute with Bomgar.
Posted on 10-09-2018 11:29 AM
That's great info! That seems to work for me. The weird thing is that when I uploaded the config profile to my Jamf, it shows as completely blank, but appears to work fine.
Is that expected behavior?
Posted on 10-09-2018 11:58 AM
Yes @dennisnardi that is expected. 10.7.1 does not yet have a GUI for the PPPC Payload. Once the GUI is put into code, you will see the payload options on the screen.
Posted on 10-10-2018 11:16 AM
@dennisnardi I am new to the PPPC utility and was wondering how you configured the Bomgar payload using the GUID. I tried a few different configurations, but the Mac_service_helper.sh remains unchecked in Security & Privacy > Privacy > Accessibility.
Posted on 10-10-2018 01:23 PM
@Robkirsch I think you may have to upgrade your Bomgar server. Before the current version (18.2.6.33030), when you jumped to a computer the "Mac_service_helper.sh" script wanted to be run to start the jump session. If you see this in sys prefs, you can probably right click and show in finder. If you do that you may be able to drag it into the PPPC utility and set all the settings to use this in the config profile.
Since we upgraded to 18.2.6.33030, it now says the "Bomgar app" instead of "Mac_Service_Helper.sh". I dragged the "bomgar-scc-xxxxxxx.app" from /users/shared into PPPC and gave it all the permissions I could. This doesn't actually show up in the Privacy panel in sys prefs, but works perfect. Below is a screenshot of my PPPC for Bomgar:
Posted on 10-24-2018 02:09 AM
I have 2 Issues that this tool does not help me with, any ideas ?
1 : I have a simple Bash Script that runs at login, in it, this runs 1 line of AppleScript to pop up a user input box, this fails and the script gives the error "Not authorised to send Apple events to System Events. (-1743)" I have no idea which app to allow, and what to allow it access to.
2 : We deploy a Piece of remote control software called ScreenConnect, this installs and runs OK, but only in View Only, to get full functionality we need to tick it in the Accessibility Section, where it Auto Populates, the problem is if I use the PPPC Utility, I cannot select the app as it runs from /opt, and even if I browse to the app, it ignores it.
Any Ideas people ?
Posted on 11-07-2018 01:28 PM
Ok, been playing with the PPPC utility for a while now and it's working great except for 2 things: Camera and Microphone permissions for Zoom. I loaded Zoom into the PPPC utility and discovered that I only have the deny option for the Camera and Microphone. I said to myself, ok well I'll just go change the flags from "false" to "true" and that'll fix it. Instead, when I load the .mobileconfig profile into JAMF it says this in the failed commands below.
We're trying to prep everything to be seamless for our users to upgrade to 10.14 but things like this are holding us back. Below is the code that PPPC Utility kicks out when I used the deny flags (not sure why to allow doesn't appear). If anyone has any advice I'd love it as I'm hitting my head against the wall on this one. Also as of note I've tried this a few times to see if it was just a fluke and the UUID I know is different than my text below from the image above.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDescription</key>
      <string>To Allow Camera and Microphone settings</string>
      <key>PayloadDisplayName</key>
      <string>Zoom PPPC Settings</string>
      <key>PayloadIdentifier</key>
      <string>10587A41-6D41-4F7C-816C-085C91D5B055</string>
      <key>PayloadOrganization</key>
      <string>Xactly Corp</string>
      <key>PayloadType</key>
      <string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadUUID</key>
      <string>E8E46BB2-88AB-44B6-9E3E-FF62731F52DA</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Services</key>
      <dict>
        <key>Camera</key>
        <array>
          <dict>
            <key>Allowed</key>
            <false/>
            <key>CodeRequirement</key>
            <string>identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3</string>
            <key>Comment</key>
            <string></string>
            <key>Identifier</key>
            <string>us.zoom.xos</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
          </dict>
        </array>
        <key>Microphone</key>
        <array>
          <dict>
            <key>Allowed</key>
            <false/>
            <key>CodeRequirement</key>
            <string>identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3</string>
            <key>Comment</key>
            <string></string>
            <key>Identifier</key>
            <string>us.zoom.xos</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>To Allow Camera and Microphone settings</string>
  <key>PayloadDisplayName</key>
  <string>Zoom PPPC Settings</string>
  <key>PayloadIdentifier</key>
  <string>10587A41-6D41-4F7C-816C-085C91D5B055</string>
  <key>PayloadOrganization</key>
  <string>Xactly Corp</string>
  <key>PayloadType</key>
  <string>com.apple.TCC.configuration-profile-policy</string>
  <key>PayloadUUID</key>
  <string>2E2AE47A-9AAE-4B8E-B09A-4A2130D6D4E6</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>payloadScope</key>
  <string>system</string>
</dict>
</plist>
Posted on 11-07-2018 01:53 PM
@daniel_ross That's expected behavior. You can only deny, unfortunately. I get why you can't pre-approve this, but for orgs that use multiple chat/conference apps your users can get dialog fatigue.
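Added example, not part of the original thread and not Jamf's code: a pre-upload check that flags the Camera/Microphone entries a PPPC profile cannot allow, along with entries missing a code requirement. The bundle ID `com.example.meeting`, the requirement string and the sample profile are constructed placeholders.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"Camera", "Microphone"}  # per the reply above: a profile can only deny these

def lint_pppc(profile_bytes):
    """Return a list of problems found in the TCC payloads of a .mobileconfig."""
    problems = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                where = f"{service}/{entry.get('Identifier', '<no Identifier>')}"
                if service in DENY_ONLY and entry.get("Allowed") is True:
                    problems.append(f"{where}: Allowed=true rejected, deny only")
                if entry.get("IdentifierType") not in ("bundleID", "path"):
                    problems.append(f"{where}: IdentifierType must be bundleID or path")
                if not entry.get("CodeRequirement"):
                    problems.append(f"{where}: empty CodeRequirement (unsigned app?)")
    return problems

def _entry(allowed, requirement):
    # Constructed entry; com.example.meeting is a placeholder bundle ID.
    return {"Allowed": allowed, "Identifier": "com.example.meeting",
            "IdentifierType": "bundleID", "CodeRequirement": requirement}

REQ = 'identifier "com.example.meeting" and anchor apple generic'  # constructed
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": TCC_TYPE,
        "Services": {
            "Camera": [_entry(True, REQ)],        # hand-edited false -> true
            "Microphone": [_entry(False, REQ)],   # deny: accepted
            "Accessibility": [_entry(True, "")],  # no signature to pin
        },
    }],
})

if __name__ == "__main__":
    for problem in lint_pppc(SAMPLE):
        print(problem)
```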
Posted on 11-07-2018 02:53 PM
@HNTIT I've got the same problem with ScreenConnect 6.6. I'll update to 6.8 at test soon. The application located in /opt/screenconnect-.app doesn't look like it's signed.
Posted on 11-07-2018 03:45 PM
@sshort, that's what I thought and also found a similar article. Luckily it's only two prompts so nothing too crazy.
Love all the information on this though!
Posted on 11-19-2018 03:33 PM
I know this post is a month old now but I have a question. I created a config in PPPC for Zoom and TeamViewer. It successfully uploaded into Jamf Pro (I am on 10.8) but it's blank. I pushed it to a few machines and it successfully installs but the preferences didn't seem to change at all. Is there something I am missing?
Posted on 11-20-2018 10:58 AM
@dmitchell It's expected that you won't see anything in the Jamf UI for a custom uploaded profile. You can always visit System Preferences > Profiles on a device the profile is installed on to confirm the contents.
When you say the preferences don't change, do you mean that nothing appears in the Privacy section in Security & Privacy? That's expected, anything enforced from a profile doesn't appear, just user-approved stuff. That may change in the future, but as of 10.14.1 you won't see anything.
If you mean that you pushed the profile and the app isn't recognizing the whitelisted items you placed in the profile, that's expected if the app was run/launched before the profile is installed.
Posted on 11-27-2018 09:48 AM
@sshort Thanks, it definitely worked.
Posted on 12-12-2018 08:45 AM
@HNTIT, I'm dealing with the same issue. Tried using the PPPC profile creation tool but it seems to ignore the ScreenConnect application. Did you ever manage to find a work around or a solution to the issue?
Thanks
Posted on 01-07-2019 10:46 AM
I have the same issue, is there any word from Bomgar support on this?
Posted on 01-07-2019 10:47 AM
This is the error I get.
Posted on 01-07-2019 11:19 AM
@kericson Do you know the file path of the mac_service_helper.sh? You can create a profile that whitelists that for Accessibility using a file path vs a bundle ID.
You might also need an AppleEvent for the script to control System Preferences (seems to be common with accessibility requests. Otherwise the app "adds itself" to the user-facing list in System Preferences, but the box remains unchecked/disabled).
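Added example, not part of the original thread and not Jamf's code: generating the profile described in the post above, with an Accessibility entry identified by file path and an AppleEvents entry naming System Preferences as the receiver. The helper path, its requirement string and the `com.example.remote` prefix are placeholders, since the thread does not give the real values.

```python
import plistlib
import uuid

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def tcc_entry(identifier, requirement, receiver=None):
    """One Services entry; a leading '/' selects a path identifier."""
    entry = {
        "Identifier": identifier,
        "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
        "CodeRequirement": requirement,
        "Allowed": True,
    }
    if receiver:  # AppleEvents entries also name the app being controlled
        entry["AEReceiverIdentifier"], entry["AEReceiverCodeRequirement"] = receiver
        entry["AEReceiverIdentifierType"] = "bundleID"
    return entry

def build_profile(identifier, requirement, receiver, prefix):
    """Serialize a profile granting Accessibility plus one AppleEvents target."""
    def header(name, ptype):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"{prefix}.{name}",
                "PayloadUUID": str(uuid.uuid4()).upper(),
                "PayloadDisplayName": name}
    tcc = header("pppc", TCC_TYPE)
    tcc["Services"] = {
        "Accessibility": [tcc_entry(identifier, requirement)],
        "AppleEvents": [tcc_entry(identifier, requirement, receiver)],
    }
    profile = header("profile", "Configuration")
    profile["PayloadScope"] = "System"
    profile["PayloadContent"] = [tcc]
    return plistlib.dumps(profile)

# Placeholders: the helper's real path is not given in the thread, and the real
# requirement string comes from `codesign -dr - <path>` on a signed copy.
HELPER = "/path/to/mac_service_helper.sh"
HELPER_REQ = 'identifier "com.example.helper" and anchor apple generic'
SYSPREFS = ("com.apple.systempreferences",
            'identifier "com.apple.systempreferences" and anchor apple')

if __name__ == "__main__":
    data = build_profile(HELPER, HELPER_REQ, SYSPREFS, "com.example.remote")
    print(data.decode())
```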
Posted on 01-07-2019 11:22 AM
Here's the location:
Posted on 01-07-2019 11:36 AM
There's no way to add this since it's inside the bomgar jump client .app. I'm using the JAMF PPPC Utility.
Posted on 01-09-2019 11:31 AM
I am also seeing the PPPC application ignore the app for Connectwise (Screenconnect) remote control software, and have been unable to find what criteria may be missing. Connectwise doesn't sign their app, though they claim they will work on that in a future release, which seems like that could be the issue.
Very frustrating that there isn't a better way to manage this.
Posted on 01-09-2019 12:56 PM
I upgraded Bomgar to the newest and the issue is now fixed.
Posted on 01-09-2019 01:54 PM
I have the exact same issue trying to whitelist Bomgar. Haven't had any luck trying to codesign the mac_service_helper.sh by itself either.
Any luck figuring it out? Does updating your Bomgar server to the latest version resolve it? We're behind a bit.
Posted on 01-10-2019 03:50 AM
Yes upgrading to the latest seems to fix the issue. Check their site there are release notes about Mojave support on the newest.
Posted on 01-10-2019 01:24 PM
@dmitchell Do you mind sharing your configuration for the TeamViewer PPPC configuration profile you successfully created?
I am struggling to get one to work in my test environment. Attached is a screen shot of my current config.
Never mind.
I used the PPPC Utility to create the profile. Saved it and uploaded it to the JSS. That work flow seems to work well for the common man.
I also created a 7m screen cast which shows the workflow visually. Perhaps this will help visual learners get started using these new workflows: https://youtu.be/-IAhZLanHvU
Attached screenshots show the working config. Should someone else run into this problem.
Posted on 01-10-2019 01:46 PM
@bcrockett ha, I was just going to respond. Looks like you got it.
Posted on 03-27-2019 10:18 AM
So can someone confirm that they are using Mojave and they are able to use Bomgar on a User that does not have Admin rights? I keep getting the popup asking for them to allow mac_service_helper.sh which they can't do without admin rights. I have the config profile for the bomgar app in /users/shared setup using the pppc app. Is there something else I'm missing?
Thanks for any light you can shine on this issue.
Posted on 05-03-2019 12:12 AM
I was told you can only use PPPC on machines that are 10.14 and higher... is there a way to allow the same (allowing Bomgar (or any other app) access to SysPreferences > Security & Privacy > Accessibility) for machines that are less than 10.14.X? I have several machines that are 10.13.6, 10.12.X, and 10.11.X.
Posted on 05-14-2019 12:00 PM
For anyone still trying to get Bomgar added to PPPC, here's how I did it. This thread helped me down the path, but I wasn't able to find the exact steps I've outlined below, so hopefully this will help someone still looking for the answer.
To set the stage, we use Bomgar by logging into the console app, having the user go to our Bomgar website, and kick off a session there. We don't pre-install anything on our machines.
I grabbed the PPPC utility from Jamf's Github page, linked in this thread by @sshort. I then started a remote session in Bomgar as a user would. I connected the session and got the prompt. While the session was still active, I went to /Users/Shared/bomgar-scc-XXXXX (where XXXX is a timestamp). Drag the Bomgar Support Client to the PPPC utility and give it the Allow permission for Accessibility. Save, upload, and test.
You have to grab the file while the remote session is active because once you disconnect, it deletes it. After I did this, I tested on a few machines and after the initial config profile gets applied, nothing shows up under Privacy. Upon the first subsequent connection, however, it will show up, but it will not be checked. However I've confirmed that I didn't get prompted to allow it. Additionally, after the subsequent session ends, the Bomgar icon will revert to a blank "unknown" type of icon. Still works, though. Hope this helps.
Posted on 05-14-2019 06:08 PM
What version of Bomgar Server are you running ?
Posted on 05-17-2019 10:53 AM
@ClassicII 18.2.9.
Posted on 05-17-2019 11:36 AM
Thanks for the confirmation. It looks like we need at least version 18.2.6 to get PPPC TCC controls working.
Posted on 06-11-2019 12:31 PM
Does anyone know how to use this to grant an application Full Disk Access?
Posted on 06-11-2019 12:46 PM
PPPC Utility - https://github.com/jamf/PPPC-Utility
Pretty sure all you need to do is drag your application into the section on the left of the PPPC Utility's Window pane, then in the right section allow for "All Files"
I dragged coderunner into the pppc utility pane & selected all files as a visual for you
Posted on 06-13-2019 07:45 AM
@Hugonaut Is a Signing Entity required in the window after clicking Save?
Posted on 07-29-2019 11:34 AM
@dennisnardi I am having the same issue with Bomgar - remoting into standard user accounts on Mac computers and not being able to elevate access control privileges! Can you provide me a step by step guide how to create a Privacy Preferences Policy Control profile for Bomgar and Jamf? This would be helpful! Thanks!
Posted on 07-29-2019 12:15 PM
@jcshofner I'd start by downloading the Jamf PPPC utility at: https://github.com/jamf/PPPC-Utility
After that navigate to /Users/Shared/bomgar-scc-xxxxxx-xxxxx and you should have a "Bomgar Support Client" application if you have a Bomgar jump client installed. If you do not have a jump client installed you may want to install it quick or open a temporary Bomgar session on your computer to create this.
Open up the PPPC utility and drag the Bomgar Support Client app in. You need to allow access to the Admin Files and All Files I believe. I'm unsure if you need to Allow the 3 different default Apple Events (Finder, SystemUIServer, and System Events) but I have enabled them in my environment.
You can then hit Upload in this tool and plug in your Jamf Pro info to upload this as a config profile. You can then scope out the profile to computers where it's necessary (10.13.2+ I believe).
Hopefully that's helpful!
Posted on 07-29-2019 03:54 PM
In order for my TeamViewer PPPC to work I had to add both the TeamViewer Host & TeamViewer_Desktop in the Privacy Preferences Policy Control Utility
Only wasted 4 hours to get it working :)
Posted on 08-26-2019 02:26 PM
Hi
Anyone having issues with or got it working with Google File Stream?
I ran the same set up using PPPC and got a System Software from developer * , was blocked from loading.
Thanks.
Posted on 11-04-2019 11:44 AM
Hello,
Is there a way through the PPPC Utility or other means to have Jamf "Click" on 'Allow' to have an application load?
Thanks