Chrome Remote Desktop and PPPC

blairb
New Contributor III

Greetings...

We are facing a possible school closure due to Coronavirus. We are attempting to use Chrome Remote Desktop as a remote support solution, due to ease of use on the user's end.

The issue is that when you first start a support session (on the user end) it opens the Privacy pref pane and asks the user to give permission. You have to be an admin to do this, and the vast majority of our affected students aren't admins.

I tried creating a PPPC for the app... but it doesn't work. There appears to be another binary inside the app bundle. Even if I drag that binary to the PPPC utility and check allow, when I distribute the profile, the app appears in the list but is unchecked. Anyone have any ideas?


pete_c
Contributor III

No remote screen sharing or recording tools will be allowed without user approval, even if whitelisted by the MDM. That's Apple's spec.

You could publish a 'temporarily promote to admin' task in Self Service, or deploy Privileges.app.

admin_mcp
New Contributor

I recently discovered that a standard user is able to check the mark for 'Screen Recording' in Security & Privacy.
Is this a setting in JAMF or has it always been like this?

Ludeth
New Contributor II

Like @admin.mcp said, standard users should be able to check this box for applications they have the permission to run.

blairb
New Contributor III

That makes sense. Thanks.

jsquires3
New Contributor II

We got this working by creating a PPPC profile for the following app within the Chrome Remote Desktop app with Accessibility set to Allow.

/Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/RemoteAssistanceHost.app

We also allowed Accessibility for all 4 apps/executables within that MacOS folder just in case.

DWilliams-cmsd
New Contributor III

Glad to have found this thread. Based on the response above from @jsquires3, was able to create the correct PPPC for Chrome Remote Desktop Host and the two apps contained in the contents:
com.google.chromeremotedesktop.me2me-host
com.google.chrome.remote_desktop.native-messaging-host
com.google.chrome.remote_desktop.remote-assistance-host-v2

Thanks!

TomDay
Release Candidate Programs Tester

Anyone have the profile available as a download so I don't have to recreate?

thecrow93
New Contributor II

Or does anyone have a screenshot for example?

jhaff
New Contributor III

Thanks @jsquires3 for the location of the apps. See below for the mobileconfig.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>ChromeRemoteDesktop</string>
            <key>PayloadDisplayName</key>
            <string>ChromeRemoteDesktop</string>
            <key>PayloadIdentifier</key>
            <string>D21CF3FB-6BDB-475B-82AB-589B05FF007A</string>
            <key>PayloadOrganization</key>
            <string>YourOrg</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>E0D9E86A-5BCE-4475-BFB2-4C47119715BB</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>Accessibility</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.google.chrome.remote_desktop.native-messaging-host" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.google.chrome.remote_desktop.native-messaging-host</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.google.chrome.remote_desktop.remote-assistance-host-v2" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.google.chrome.remote_desktop.remote-assistance-host-v2</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "remoting_me2me_host_service" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/remoting_me2me_host_service</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier "com.google.chromeremotedesktop.me2me-host" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/remoting_me2me_host</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>ChromeRemoteDesktop</string>
    <key>PayloadDisplayName</key>
    <string>ChromeRemoteDesktop</string>
    <key>PayloadIdentifier</key>
    <string>D21CF3FB-6BDB-475B-82AB-589B05FF007A</string>
    <key>PayloadOrganization</key>
    <string>YourOrg</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key>
    <string>9BE78520-BA6A-4F7E-8C6B-B120AFC37061</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>payloadScope</key>
    <string>system</string>
</dict>
</plist>
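
Added example, not part of the post above and not code from Jamf's PPPC Utility: a small Python check that reads a PPPC profile shaped like the one above and flags entries whose CodeRequirement names a different identifier than the bundle ID, that lack a signing-team pin (`certificate leaf[subject.OU]`), or that try to allow ScreenCapture, which a profile can deny but not grant. The `audit_pppc` and `_entry` names and the `com.example.*` entries are constructed for illustration.

```python
import plistlib
import re

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"ScreenCapture"}   # a profile can deny this service, never grant it
REQ_ID = re.compile(r'identifier\s+"([^"]+)"')

def audit_pppc(profile_bytes):
    """Return (service, identifier, problem) tuples for a PPPC profile."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                ident, req = e.get("Identifier", ""), e.get("CodeRequirement", "")
                def flag(msg):
                    findings.append((service, ident, msg))
                m = REQ_ID.search(req)
                if e.get("IdentifierType") == "bundleID":
                    # The grant is keyed on the bundle ID, so the signature
                    # requirement should name that same identifier.
                    if not m or m.group(1) != ident:
                        flag("requirement identifier != bundle ID")
                elif e.get("IdentifierType") == "path":
                    if not ident.startswith("/"):
                        flag("path is not absolute")
                else:
                    flag("unknown IdentifierType")
                # Heuristic for third-party software: no team pin means any
                # Apple-anchored signer using that identifier would match.
                if "certificate leaf[subject.OU]" not in req:
                    flag("requirement does not pin a signing team")
                if service in DENY_ONLY and e.get("Allowed") is True:
                    flag("service cannot be granted by profile")
    return findings

def _entry(ident, kind, req_id, pinned=True):
    # Builds one Services entry in the shape used by the profile above.
    req = f'identifier "{req_id}" and anchor apple generic'
    if pinned:
        req += " and certificate leaf[subject.OU] = EQHXZ8M8AV"
    return {"Allowed": True, "Identifier": ident, "IdentifierType": kind,
            "CodeRequirement": req}

CRD = "com.google.chrome.remote_desktop.native-messaging-host"
# Constructed sample: one well-formed entry, one mismatched and unpinned entry,
# and one ScreenCapture grant.
SAMPLE = plistlib.dumps({"PayloadContent": [{"PayloadType": TCC_TYPE, "Services": {
    "Accessibility": [_entry(CRD, "bundleID", CRD),
                      _entry("com.example.helper", "bundleID", "com.example.other", pinned=False)],
    "ScreenCapture": [_entry(CRD, "bundleID", CRD)]}}]})
```

Calling `audit_pppc(open("profile.mobileconfig", "rb").read())` runs the same checks on an unsigned profile exported from PPPC Utility; the file name here is a placeholder.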

jsquires3
New Contributor II

@TomDay @thecrow93

I recommend using Jamf's PPPC Utility to create these profiles. You just need to drag all 4 files within the /Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/ folder into the PPPC Utility application and then change Accessibility to Allow for each of the files. The utility allows you to upload the profile directly to your JSS instance or you can just save it locally and upload it to your JSS manually.

If you have issues with the utility then here are some screenshots.

thecrow93
New Contributor II

@jsquires3 That worked for me.

blairb
New Contributor III

Interestingly when I did the same thing with the PPPC utility, it did put the entries into the pref pane, but it left them all unchecked. I'm assuming this is because there is no Allow option under Screen Capture in PPPC Utility. Does allowing Accessibility somehow allow you to work around not having Screen Recording/Capture set to allow?

Additionally, the screen recording permissions are definitely greyed out on standard accounts for us. Not sure why this is different for us.

blairb
New Contributor III

Never mind my response above. I see that Screen Recording is only for Catalina, and that since the local user has to enable it, there's no allow checkbox. 99% of my users are on Mojave, so I'll use accessibility for now. Unfortunately though, I'm not having much luck with that either.

amckee
New Contributor

mhasman
Valued Contributor

Hello!

I am looking in the opposite direction; I need to block Chrome Remote Desktop. There is a managed key to blocklist the extension itself:

<key>ExtensionInstallBlacklist</key>
<array>
<string>extension_id1</string>
<string>extension_id2</string>
</array>

Question: does anybody know what Chrome Remote Desktop's extension_id is, please?

alphaps
New Contributor II

I'm not having any luck either. The remote assistance option is still unchecked after the profile is installed. I added all 4 files from the /Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/ folder and I verified that the profile was installed correctly on my test computer. Is there something that I am missing?

DWilliams-cmsd
New Contributor III

We ended up getting things to work correctly with three App Access items added to the PPPC payload:

sebastianl
New Contributor III

I had no luck either. Tried the same steps provided by @jsquires3 with PPPC utility. The checkbox is still unchecked.

darren_leong
New Contributor

It seems that most of you have had success pushing the application to machines, but I'm having a bunch of issues.

I used the DMG from Google to push to machines and the policy installs fine, but it appears nothing is actually being installed on client machines. I have FEU set on the policy; I've tried it with FEU on and off. I've also tried the PKG from Google with no luck.

Can someone tell me how their policy is set up to get CRD software onto the machine?

user-SbqsYoNcXA
New Contributor

Install the app in the Applications folder, /Applications/

rblaas
Contributor II

Did anyone get the PPPC working on Big Sur? I have created a PPPC (with PPPC Utility) for Big Sur but it will not be installed. It throws an error saying the key value is not correct.

(Standard) users on Big Sur are not able to allow screen recording.
PPPC is working just fine on Catalina (a PPPC without the Big Sur Compatibility).