Allow Apps in Security & Privacy -> Privacy -> Accessibility in Mojave (Bomgar)

dennisnardi
Contributor

Has anyone figured out an automated way to add apps to the System Preferences -> Security & Privacy -> Privacy -> Accessibility section in Mojave to allow them to control the computer?

We use Bomgar in my environment for remote support, and are running into a less than ideal interaction with Mojave. Users are prompted to allow the Bomgar app to control the computer, but users can only do that if they have administrative privileges, which not many people have in my environment.

I contacted Bomgar about this, and they said it's expected due to security changes Apple made and there's no way around this with their software. I contacted Jamf as well and they told me they were unaware of a way to add an app to this section automatically. I've tried and it does not appear I can grant users the ability to modify this section of System Preferences if they don't have admin privileges, like I can other sections.

I'm hoping someone else may have ideas on this.

2 ACCEPTED SOLUTIONS (the replies by sshort and DBrowning, reproduced in the thread below)

41 REPLIES

sshort
Valued Contributor

Check out Jamf's tool to create a Privacy Preferences Policy Control profile and upload to your JSS. You'll want to add Bomgar to the accessibility section, then add an AppleEvent that allows Bomgar to control System Preferences.

You can check out my TeamViewer profile as an example, that's essentially what you'll want, just substitute with Bomgar.

dennisnardi
Contributor

That's great info! That seems to work for me. The weird thing is that when I uploaded the config profile to my Jamf, it shows as completely blank, but appears to work fine.

Is that expected behavior?

DBrowning
Valued Contributor II

Yes @dennisnardi that is expected. 10.7.1 does not yet have a GUI for the PPPC Payload. Once the GUI is put into code, you will see the payload options on the screen.

Robkirsch
Release Candidate Programs Tester

@dennisnardi I am new to the PPPC utility and was wondering how you configured the Bomgar payload using the GUID. I tried a few different configurations, but the Mac_service_helper.sh remains unchecked in Security & Privacy > Privacy > Accessibility.

dennisnardi
Contributor

@Robkirsch I think you may have to upgrade your Bomgar server. Before the current version (18.2.6.33030), when you jumped to a computer the "Mac_service_helper.sh" script wanted to be run to start the jump session. If you see this in sys prefs, you can probably right click and show in Finder. If you do that you may be able to drag it into the PPPC utility and set all the settings to use this in the config profile.

Since we upgraded to 18.2.6.33030, it now says the "Bomgar app" instead of "Mac_Service_Helper.sh". I dragged the "bomgar-scc-xxxxxxx.app" from /users/shared into PPPC and gave it all the permissions I could. This doesn't actually show up in the Privacy panel in sys prefs, but works perfectly. I attached a screenshot of my PPPC for Bomgar.

HNTIT
Contributor II

I have 2 issues that this tool does not help me with, any ideas?

1 : I have a simple Bash Script that runs at login, in it, this runs 1 line of AppleScript to pop up a user input box, this fails and the script gives the error "Not authorised to send Apple events to System Events. (-1743)" I have no idea which app to allow, and what to allow it access to.

2 : We deploy a piece of remote control software called ScreenConnect, this installs and runs OK, but only in View Only. To get full functionality we need to tick it in the Accessibility section, where it auto-populates. The problem is if I use the PPPC Utility, I cannot select the app as it runs from /opt, and even if I browse to the app, it ignores it.

Any ideas, people?

daniel_ross
Contributor III

Ok, been playing with the PPPC utility for a while now and it's working great except for 2 things: Camera and Microphone permissions for Zoom. I loaded Zoom into the PPPC utility and discovered that I only have the deny option for the Camera and Microphone. I said to myself, ok well I'll just go change the flags from "false" to "true" and that'll fix it. Instead, when I load the .mobileconfig profile into JAMF it reports the error shown in the failed commands (screenshot attached).

We're trying to prep everything to be seamless for our users to upgrade to 10.14 but things like this are holding us back. Below is the code that PPPC Utility kicks out when I used the deny flags (not sure why "allow" doesn't appear). If anyone has any advice I'd love it as I'm hitting my head against the wall on this one. Also of note, I've tried this a few times to see if it was just a fluke, and the UUID I know is different in my text below from the image above.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>To Allow Camera and Microphone settings</string>
            <key>PayloadDisplayName</key>
            <string>Zoom PPPC Settings</string>
            <key>PayloadIdentifier</key>
            <string>10587A41-6D41-4F7C-816C-085C91D5B055</string>
            <key>PayloadOrganization</key>
            <string>Xactly Corp</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>E8E46BB2-88AB-44B6-9E3E-FF62731F52DA</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>Camera</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <false/>
                        <key>CodeRequirement</key>
                        <string>identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>us.zoom.xos</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
                <key>Microphone</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <false/>
                        <key>CodeRequirement</key>
                        <string>identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>us.zoom.xos</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>To Allow Camera and Microphone settings</string>
    <key>PayloadDisplayName</key>
    <string>Zoom PPPC Settings</string>
    <key>PayloadIdentifier</key>
    <string>10587A41-6D41-4F7C-816C-085C91D5B055</string>
    <key>PayloadOrganization</key>
    <string>Xactly Corp</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key>
    <string>2E2AE47A-9AAE-4B8E-B09A-4A2130D6D4E6</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>payloadScope</key>
    <string>system</string>
</dict>
</plist>

sshort
Valued Contributor

@daniel_ross That's expected behavior. You can only deny, unfortunately. I get why you can't pre-approve this, but for orgs that use multiple chat/conference apps your users can get dialog fatigue.

a_simmons
Contributor II

@HNTIT I've got the same problem with ScreenConnect 6.6. I'll update to 6.8 and test soon. The application located in /opt/screenconnect-.app doesn't look like it's signed.

daniel_ross
Contributor III

@sshort, that's what I thought and also found a similar article. Luckily it's only two prompts so nothing too crazy.

Love all the information on this though!

dmitchell
Contributor

I know this post is a month old now but I have a question. I created a config in PPPC for Zoom and TeamViewer. It successfully uploaded into Jamf Pro (I am on 10.8) but it's blank. I pushed it to a few machines and it successfully installs but the preferences didn't seem to change at all. Is there something I am missing?

sshort
Valued Contributor

@dmitchell It's expected that you won't see anything in the Jamf UI for a custom uploaded profile. You can always visit System Preferences > Profiles on a device the profile is installed on to confirm the contents.

When you say the preferences don't change, do you mean that nothing appears in the Privacy section in Security & Privacy? That's expected, anything enforced from a profile doesn't appear, just user-approved stuff. That may change in the future, but as of 10.14.1 you won't see anything.

If you mean that you pushed the profile and the app isn't recognizing the whitelisted items you placed in the profile, that's expected if the app was run/launched before the profile is installed.

dmitchell
Contributor

@sshort Thanks, it definitely worked.

J_Martinez
New Contributor III

@HNTIT, I'm dealing with the same issue. Tried using the PPPC profile creation tool but it seems to ignore the ScreenConnect application. Did you ever manage to find a work around or a solution to the issue?

Thanks

KyleEricson
Valued Contributor

I have the same issue, is there any word from Bomgar support on this?

KyleEricson
Valued Contributor

This is the error I get (screenshot attached).

sshort
Valued Contributor

@kericson Do you know the file path of the mac_service_helper.sh? You can create a profile that whitelists that for Accessibility using a file path vs a bundle ID.

You might also need an AppleEvent for the script to control System Preferences (seems to be common with accessibility requests. Otherwise the app "adds itself" to the user-facing list in System Preferences, but the box remains unchecked/disabled).
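The advice in this thread boils down to a handful of rules about what a PPPC (com.apple.TCC.configuration-profile-policy) payload can and cannot express: an Accessibility entry keyed by bundle ID or by absolute file path, an AppleEvents entry that also names the receiving app, and Camera/Microphone entries that may only deny. The following Python script is an added example, not code from this thread or from Jamf's PPPC Utility; it builds such a profile with the standard plistlib module and rejects the combinations the OS would not honour before anything is uploaded. Every bundle ID, path, organization, team ID and CodeRequirement string in it is a constructed placeholder; the real requirement for an app comes from `codesign -dr - /path/to/App.app` on a Mac.

```python
"""Build and sanity-check a PPPC (com.apple.TCC.configuration-profile-policy)
profile with plistlib. Added example, not the thread's or Jamf's code; all
identifiers, paths and code requirements below are constructed placeholders."""
import plistlib
import uuid

# Services that a profile may only deny; an Allowed=true entry for these is
# refused by macOS, so it is refused here before the profile is ever uploaded.
DENY_ONLY_SERVICES = {"Camera", "Microphone"}
VALID_IDENTIFIER_TYPES = {"bundleID", "path"}
TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"


def tcc_entry(identifier, code_requirement, identifier_type="bundleID",
              allowed=True, ae_receiver=None, comment=""):
    """One dict for a Services array. For the AppleEvents service pass
    ae_receiver=(identifier, identifier_type, code_requirement) describing
    the app that receives the events (e.g. System Events)."""
    if identifier_type not in VALID_IDENTIFIER_TYPES:
        raise ValueError("unknown IdentifierType %r" % identifier_type)
    entry = {
        "Allowed": bool(allowed),
        "CodeRequirement": code_requirement,
        "Comment": comment,
        "Identifier": identifier,
        "IdentifierType": identifier_type,
    }
    if ae_receiver is not None:
        recv_id, recv_type, recv_req = ae_receiver
        if recv_type not in VALID_IDENTIFIER_TYPES:
            raise ValueError("unknown AEReceiverIdentifierType %r" % recv_type)
        entry["AEReceiverIdentifier"] = recv_id
        entry["AEReceiverIdentifierType"] = recv_type
        entry["AEReceiverCodeRequirement"] = recv_req
    return entry


def build_pppc_profile(display_name, org_name, org_prefix, services):
    """Return the complete top-level profile dict. `services` maps a TCC
    service name ("Accessibility", "AppleEvents", "SystemPolicyAllFiles",
    "Camera", ...) to a list of tcc_entry() dicts."""
    for service, entries in services.items():
        for entry in entries:
            if service in DENY_ONLY_SERVICES and entry["Allowed"]:
                raise ValueError("%s entries can only deny (Allowed=false)" % service)
            if service == "AppleEvents" and "AEReceiverIdentifier" not in entry:
                raise ValueError("AppleEvents entries need an AEReceiver* triple")
            if entry["IdentifierType"] == "path" and not entry["Identifier"].startswith("/"):
                raise ValueError("path identifiers must be absolute: %r" % entry["Identifier"])
    payload = {
        "PayloadDescription": "PPPC settings for %s" % display_name,
        "PayloadDisplayName": "%s PPPC" % display_name,
        "PayloadIdentifier": "%s.tcc.%s" % (org_prefix, uuid.uuid4()),
        "PayloadOrganization": org_name,
        "PayloadType": TCC_PAYLOAD_TYPE,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": services,
    }
    return {
        "PayloadContent": [payload],
        "PayloadDescription": payload["PayloadDescription"],
        "PayloadDisplayName": payload["PayloadDisplayName"],
        "PayloadIdentifier": "%s.tcc" % org_prefix,
        "PayloadOrganization": org_name,
        "PayloadScope": "System",        # PPPC payloads are device-level only
        "PayloadType": "Configuration",  # wrapper type for the whole profile
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes an MDM expects in a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def roundtrip(profile):
    """Parse the serialized bytes back, proving the plist is well-formed."""
    return plistlib.loads(to_mobileconfig(profile))


def remote_support_profile():
    """Worked example: a placeholder remote-support client gets Accessibility
    (by bundle ID, plus a helper script by absolute path) and may send Apple
    events to System Events. Placeholder requirement strings throughout."""
    client_req = ('identifier "com.example.supportclient" and anchor apple generic '
                  'and certificate leaf[subject.OU] = "EXAMPLE123"')  # placeholder
    helper_req = 'identifier "helper" and anchor apple generic'  # placeholder
    sysevents_req = 'identifier "com.apple.systemevents" and anchor apple'  # placeholder
    services = {
        "Accessibility": [
            tcc_entry("com.example.supportclient", client_req),
            tcc_entry("/Users/Shared/example-support/helper.sh", helper_req,
                      identifier_type="path"),
        ],
        "AppleEvents": [
            tcc_entry("com.example.supportclient", client_req,
                      ae_receiver=("com.apple.systemevents", "bundleID", sysevents_req)),
        ],
    }
    return build_pppc_profile("Example Support Client", "Example Corp",
                              "com.example", services)


if __name__ == "__main__":
    print(to_mobileconfig(remote_support_profile()).decode())
```

Running the script prints a .mobileconfig you can inspect; the script itself does not need a Mac, only the resulting profile does. Asking for Camera with allowed=True raises before any file is written, which is the check daniel_ross would have wanted when hand-editing the flags.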

KyleEricson
Valued Contributor

Here's the location (screenshot attached).

KyleEricson
Valued Contributor

There's no way to add this since it's inside the Bomgar jump client .app. I'm using the JAMF PPPC Utility.

jmcconathy
New Contributor III

I am also seeing the PPPC application ignore the app for Connectwise (Screenconnect) remote control software, and have been unable to find what criteria may be missing. Connectwise doesn't sign their app, though they claim they will work on that in a future release, which seems like that could be the issue.

Very frustrating that there isn't a better way to manage this.

KyleEricson
Valued Contributor

I upgraded Bomgar to the newest and the issue is now fixed.

tchawaga
New Contributor II

@kericson @Robkirsch

I have the exact same issue trying to whitelist Bomgar. Haven't had any luck trying to codesign the mac_service_helper.sh by itself either.

Any luck figuring it out? Does updating your Bomgar server to the latest version resolve it? We're behind a bit.

KyleEricson
Valued Contributor

Yes, upgrading to the latest seems to fix the issue. Check their site; there are release notes about Mojave support on the newest.

bcrockett
Contributor

@dmitchell Do you mind sharing your configuration for the TeamViewer PPPC configuration profile you successfully created?

I am struggling to get one to work in my test environment. Attached is a screenshot of my current config.

Update

Never mind.

I used the PPPC Utility to create the profile. Saved it and uploaded it to the JSS. That workflow seems to work well for the common man.

Update2

I also created a 7m screen cast which shows the workflow visually. Perhaps this will help visual learners get started using these new workflows: https://youtu.be/-IAhZLanHvU

Attached screenshots show the working config, should someone else run into this problem.

dmitchell
Contributor

@bcrockett ha, I was just going to respond. Looks like you got it.

kmathern
New Contributor III

So can someone confirm that they are using Mojave and they are able to use Bomgar on a user that does not have admin rights? I keep getting the popup asking for them to allow mac_service_helper.sh which they can't do without admin rights. I have the config profile for the Bomgar app in /users/shared set up using the PPPC app. Is there something else I'm missing?

Thanks for any light you can shine on this issue.

romanne3
New Contributor

I was told you can only use PPPC on machines that are 10.14 and higher... is there a way to allow the same (allowing Bomgar (or any other app) access to SysPreferences > Security & Privacy > Accessibility) for machines that are less than 10.14.X? I have several machines that are 10.13.6, 10.12.X, and 10.11.X.

klindas
New Contributor II

For anyone still trying to get Bomgar added to PPPC, here's how I did it. This thread helped me down the path, but I wasn't able to find the exact steps I've outlined below, so hopefully this will help someone still looking for the answer.

To set the stage, we use Bomgar by logging into the console app, having the user go to our Bomgar website, and kick off a session there. We don't pre-install anything on our machines.

I grabbed the PPPC utility from Jamf's Github page, linked in this thread by @sshort. I then started a remote session in Bomgar as a user would. I connected the session and got the prompt. While the session was still active, I went to /Users/Shared/bomgar-scc-XXXXX (where XXXXX is a timestamp). Drag the Bomgar Support Client to the PPPC utility and give it the Allow permission for Accessibility. Save, upload, and test.

You have to grab the file while the remote session is active because once you disconnect, it deletes it. After I did this, I tested on a few machines and after the initial config profile gets applied, nothing shows up under Privacy. Upon the first subsequent connection, however, it will show up, but it will not be checked. However I've confirmed that I didn't get prompted to allow it. Additionally, after the subsequent session ends, the Bomgar icon will revert to a blank "unknown" type of icon. Still works, though. Hope this helps.

ClassicII
Contributor III

@klindas

What version of Bomgar Server are you running?

klindas
New Contributor II

@ClassicII 18.2.9.

ClassicII
Contributor III

@klindas

Thanks for the confirmation. It looks like we need at least version 18.2.6 to get PPPC TCC controls working.

Mr_Einstein
New Contributor II

Does anyone know how to use this to grant an application Full Disk Access?

Hugonaut
Valued Contributor II

PPPC Utility - https://github.com/jamf/PPPC-Utility

Pretty sure all you need to do is drag your application into the section on the left of the PPPC Utility's window pane, then in the right section allow for "All Files".

I dragged CodeRunner into the PPPC utility pane & selected All Files as a visual for you (screenshot attached).

Mr_Einstein
New Contributor II

@Hugonaut Is a Signing Entity required in the window after clicking Save? (screenshot attached)

jcshofner
New Contributor III

@dennisnardi I am having the same issue with Bomgar - remoting into standard user accounts on Mac computers and not being able to elevate access control privileges! Can you provide me a step by step guide on how to create a Privacy Preferences Policy Control profile for Bomgar and Jamf? This would be helpful! Thanks!

dennisnardi
Contributor

@jcshofner I'd start by downloading the Jamf PPPC utility at: https://github.com/jamf/PPPC-Utility

After that navigate to /Users/Shared/bomgar-scc-xxxxxx-xxxxx and you should have a "Bomgar Support Client" application if you have a Bomgar jump client installed. If you do not have a jump client installed you may want to install it quick or open a temporary Bomgar session on your computer to create this (screenshot attached).

Open up the PPPC utility and drag the Bomgar Support Client app in. You need to allow access to the Admin Files and All Files I believe. I'm unsure if you need to Allow the 3 different default Apple Events (Finder, SystemUIServer, and System Events) but I have enabled them in my environment (screenshot attached).

You can then hit Upload in this tool and plug in your Jamf Pro info to upload this as a config profile. You can then scope out the profile to computers where it's necessary (10.13.2+ I believe).

Hopefully that's helpful!

Phil_James
New Contributor III

In order for my TeamViewer PPPC to work I had to add both the TeamViewer Host & TeamViewer_Desktop in the Privacy Preferences Policy Control Utility (screenshot attached).

Only wasted 4 hours to get it working :)

PE2000
Contributor

Hi

Anyone having issues with, or got it working with, Google File Stream?

I ran the same setup using PPPC and got a "System software from developer * was blocked from loading" message.

Thanks.

tvargas
New Contributor

Hello,

Is there a way through the PPPC Utility or other means to have Jamf "click" on 'Allow' to have an application load? (screenshot attached)

Thanks