Posted on 03-09-2020 06:03 AM
Greetings...
We are facing a possible school closure due to Coronavirus. We are attempting to use Chrome Remote Desktop as a remote support solution, due to ease of use on the user's end.
The issue is that when you first start a support session (on the user end) it opens the Privacy pref pane and asks the user to give permission. You have to be an admin to do this, and the vast majority of our affected students aren't admins.
I tried creating a PPPC for the app... but it doesn't work. There appears to be another binary inside the app bundle. Even if I drag that binary to the PPPC utility and check allow, when I distribute the profile, the app appears in the list but is unchecked. Anyone have any ideas?
Posted on 03-09-2020 06:51 AM
No remote screen sharing or recording tools will be allowed without user approval, even if whitelisted by the MDM. That's Apple's spec.
You could publish a 'temporarily promote to admin' task in Self Service, or deploy Privileges.app.
Posted on 03-09-2020 07:18 AM
I recently discovered that a standard user is able to check the mark for 'Screen Recording' in Security & Privacy.
Is this a setting in JAMF or has it always been like this?
Posted on 03-09-2020 07:46 AM
Like @admin.mcp said, standard users should be able to check this box for applications they have the permission to run.
Posted on 03-09-2020 10:32 AM
That makes sense. Thanks.
Posted on 03-13-2020 08:11 AM
We got this working by creating a PPPC profile for the following app within the Chrome Remote Desktop app with Accessibility set to Allow.
/Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/RemoteAssistanceHost.app
We also allowed Accessibility for all 4 apps/executables within that MacOS folder just in case.
Posted on 03-22-2020 11:30 PM
Glad to have found this thread. Based on the response above from @jsquires3, was able to create the correct PPPC for Chrome Remote Desktop Host and the two apps contained in the contents:
com.google.chromeremotedesktop.me2me-host
com.google.chrome.remote_desktop.native-messaging-host
com.google.chrome.remote_desktop.remote-assistance-host-v2
Thanks!
Posted on 03-23-2020 12:40 PM
Anyone have the profile available as a download so I don't have to recreate?
Posted on 03-23-2020 01:12 PM
Or does anyone have a screenshot for example?
Posted on 03-24-2020 11:57 AM
Thanks @jsquires3 for the location of the apps. See below for the mobileconfig.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>ChromeRemoteDesktop</string>
<key>PayloadDisplayName</key>
<string>ChromeRemoteDesktop</string>
<key>PayloadIdentifier</key>
<string>D21CF3FB-6BDB-475B-82AB-589B05FF007A</string>
<key>PayloadOrganization</key>
<string>YourOrg</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>E0D9E86A-5BCE-4475-BFB2-4C47119715BB</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>Accessibility</key>
<array>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.google.chrome.remote_desktop.native-messaging-host" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.google.chrome.remote_desktop.native-messaging-host</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.google.chrome.remote_desktop.remote-assistance-host-v2" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>com.google.chrome.remote_desktop.remote-assistance-host-v2</string>
<key>IdentifierType</key>
<string>bundleID</string>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "remoting_me2me_host_service" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/remoting_me2me_host_service</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
<dict>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.google.chromeremotedesktop.me2me-host" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
<key>Comment</key>
<string></string>
<key>Identifier</key>
<string>/Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/remoting_me2me_host</string>
<key>IdentifierType</key>
<string>path</string>
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>ChromeRemoteDesktop</string>
<key>PayloadDisplayName</key>
<string>ChromeRemoteDesktop</string>
<key>PayloadIdentifier</key>
<string>D21CF3FB-6BDB-475B-82AB-589B05FF007A</string>
<key>PayloadOrganization</key>
<string>YourOrg</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>9BE78520-BA6A-4F7E-8C6B-B120AFC37061</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadScope</key>
<string>System</string>
</dict>
</plist>
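A way to sanity-check a PPPC profile like the one posted above before uploading it to the MDM. This is an added example, not part of the original post and not Jamf or Google tooling; `lint_pppc` and `sample_profile` are hypothetical names, the sample profile is constructed with a shortened code requirement, and the `ScreenCapture` check assumes Apple's documented service and `Authorization` keys.

```python
import plistlib
import re

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def lint_pppc(profile_bytes):
    """Return a list of findings for a PPPC/TCC configuration profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType should be 'Configuration'")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                ident = entry.get("Identifier", "")
                kind = entry.get("IdentifierType")
                req = entry.get("CodeRequirement", "")
                where = f"{service}: {ident or '<no Identifier>'}"
                if kind not in ("bundleID", "path"):
                    findings.append(f"{where}: IdentifierType must be bundleID or path")
                if kind == "path" and not ident.startswith("/"):
                    findings.append(f"{where}: path identifier is not absolute")
                if not req.strip():
                    findings.append(f"{where}: missing CodeRequirement")
                # For bundleID entries the requirement should pin the same identifier.
                m = re.search(r'identifier "([^"]+)"', req)
                if kind == "bundleID" and m and m.group(1) != ident:
                    findings.append(f"{where}: CodeRequirement names {m.group(1)}")
                # Screen recording needs user approval; a profile cannot grant it.
                granted = entry.get("Allowed") is True or entry.get("Authorization") == "Allow"
                if service == "ScreenCapture" and granted:
                    findings.append(f"{where}: screen recording cannot be granted by profile")
    return findings

def sample_profile():
    # Constructed sample: top-level PayloadType is not 'Configuration', and the
    # same entry is listed under both Accessibility and ScreenCapture.
    bundle_id = "com.google.chrome.remote_desktop.remote-assistance-host-v2"
    entry = {"Allowed": True, "Identifier": bundle_id, "IdentifierType": "bundleID",
             "CodeRequirement": f'identifier "{bundle_id}" and anchor apple generic'}
    services = {"Accessibility": [entry], "ScreenCapture": [entry]}
    return plistlib.dumps({"PayloadType": TCC_TYPE, "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": services}]})

if __name__ == "__main__":
    for finding in lint_pppc(sample_profile()):
        print(finding)
```

An empty result means the structural checks passed; it does not confirm that the code requirement matches the installed binary's signature.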
Posted on 03-24-2020 01:15 PM
I recommend using Jamf's PPPC Utility to create these profiles. You just need to drag all 4 files within the /Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/ folder into the PPPC Utility application and then change Accessibility to Allow for each of the files. The utility allows you to upload the profile directly to your JSS instance or you can just save it locally and upload it to your JSS manually.
If you have issues with the utility then here are some screenshots.
Posted on 03-25-2020 07:27 AM
@jsquires3 That worked for me.
Posted on 04-01-2020 05:54 AM
Interestingly when I did the same thing with the PPPC utility, it did put the entries into the pref pane, but it left them all unchecked. I'm assuming this is because there is no Allow option under Screen Capture in PPPC Utility. Does allowing Accessibility somehow allow you to work around not having Screen Recording/Capture set to allow?
Additionally, the screen recording permissions are definitely greyed out on standard accounts for us. Not sure why this is different for us.
Posted on 04-01-2020 07:40 AM
Never mind my response above. I see that Screen Recording is only for Catalina, and that since the local user has to enable it, there's no allow checkbox. 99% of my users are on Mojave, so I'll use accessibility for now. Unfortunately though, I'm not having much luck with that either.
Posted on 04-13-2020 04:45 PM
Posted on 06-08-2020 05:43 PM
Hello!
I am looking in the opposite direction: I need to block Chrome Remote Desktop. There is a managed key to blocklist the extension itself:
<key>ExtensionInstallBlacklist</key>
<array>
<string>extension_id1</string>
<string>extension_id2</string>
</array>
Question - does anybody know what Chrome Remote Desktop's extension_id is, please?
Posted on 06-10-2020 05:44 PM
I'm not having any luck either. The remote assistance option is still unchecked after the profile is installed. I added all 4 files from the /Library/PrivilegedHelperTools/ChromeRemoteDesktopHost.app/Contents/MacOS/ folder and I verified that the profile was installed correctly on my test computer. Is there something that I am missing?
Posted on 07-28-2020 03:19 PM
We ended up getting things to work correctly with three App Access items added to the PPPC payload:
Posted on 09-01-2020 01:12 AM
I had no luck either. Tried the same steps provided by @jsquires3 with PPPC utility. The checkbox is still unchecked.
Posted on 12-01-2020 04:12 PM
It seems that most of you have had success pushing the application to machines, but I'm having a bunch of issues.
I used the DMG from Google to push to machines and the policy installs fine, but it appears nothing is actually being installed on client machines. I have FEU set on the policy; I've tried it with FEU on and off. I've also tried the PKG from Google with no luck.
Can someone tell me how their policy is set up to get CRD software onto the machine?
Posted on 02-11-2021 10:27 AM
Install the app in the Applications folder: /Applications/
Posted on 03-31-2021 04:25 AM
Did anyone get the PPPC working on Big Sur? I have created a PPPC (with PPPC Utility) for Big Sur but it will not install. It throws an error saying the key value is not correct.
Standard users on Big Sur are not able to allow screen recording.
PPPC is working just fine on Catalina (a PPPC without the Big Sur Compatibility)