Deploying PPPC Issue - Packages not signed

davidmundt
New Contributor III

I'm trying to get a simple Privacy Preference Policy Control deployed and am getting failures in Jamf Pro. I've used the PPPC Utility and it looks like the deployments are failing due to the pppc not being signed. I thought by uploading it to Jamf Pro it would be signed since "Signing Identity: Profile signed by server" is automatically selected but apparently not.

 

What do I need to do in order to sign packages created with the PPPC Utility?

8 REPLIES 8

davidmundt
New Contributor III

I'm not entirely sure this is a signing issue. When looking at the Computer's Management History Failed Commands I'm seeing "In the payload (UUID: 8A535282-C0C3-4A07-B89B-A60E2C4E9F3C), the key 'Authorization' has an invalid value." as the error. Any ideas on how to further troubleshoot This particular PPPC is for Zoom and has minimal settings as a test.

I've had similar errors when trying to use a value that is not compatible with a particular OS version. Had this with a Teams key I was trying to set which was only available for BigSur not Catalina. Meant worked fine on BigSur but gave me an error something like yours when trying to deploy to Catalina.  

pkleiber
Contributor

Like @AntMac said this is probably due to a new entry in a BigSur configuration profile called

ScreenCapture -> Allow Standard Users to Allow to Allow Access

Catalina can not process this. So you have to create two Configuration profiles. One for Catalina leaving the button in the PPPC utility off and one for Big Sur. Then make to Smart Computer groups.

One for Catalina and one for Big Sur so you can assign those two configuration profiles properly.

davidmundt
New Contributor III

I found the solution. When the PPPC was uploaded to Jamf Pro, Access gets set to 'Allow Standard Users to Allow Access'. Once I press edit it changes to Access = Allow. Is this what you guys mean by the Catalina/Big Sur comments? It's worth noting we don't have any Catalina Macs so I wont have to create one for each OS Ver.

 

 

Screen Shot 2021-11-16 at 12.00.18 PM.png

 

 

Screen Shot 2021-11-16 at 12.00.25 PM.png

In short yes. There are various settings where you need to set the permission as either allow standard users to access or access allow. I had the opposite issue where I had to set one of the permissions on Teams to Allow standard users to access for BigSur and Allow for Catalina machines. 

 

I found using the newer version of PPPC tool with the BigSur compatibility flag on has been a massive help for these kinds of issues.  

Thanks for this, my PPPC settings worked a peach after doing this.

Qwheel
Contributor II

While we're on topic.
We have buckets of PPPCs for pre-Big Sur and post-Catalina.

Is everyone really producing two PPPCs for everything?

I've seen a lot of the failed profiles listed on machines management pages.

Furthermore, when it comes to pre-stage enrolment and selecting profiles to be applied, how many are you applying? I've configured the bare minimum, but still see a load of failed management commands on devices.
Our PPPCs are scoped by smart group and I'm suspecting that during the enrolment phase, the JSS doesn't know what the operating system is, so tries to put a bunch of profiles on, which it then tries to remove (before or after they've been applied).

I only have 12 or so config profiles listed but it still tends to have a fit.
JAMF, JAMFAAD, JAMFagent, LoginWindow (because in my experience that had to be introduced for Big Sur and NoLoad), Screen Recording, and Remote Desktop.

Furthermore, when my initial profiles were failing even with the 'big Sur' tick box ticked on PPPC Utility, I started signing them and saving them to my device, then uploading them via the browser. They then started applying to devices successfully.

AntMac
Contributor II

For my company we are use the same PPPCs if the payload values are the same across the platforms. I will say majority of my fleet is Catalina or BigSur with a smattering of Mojave, Sierra, High Sierra. I have come across limited keys that are not compatible across Catalina/BigSur. Most of those are to downgrade a permissions to standard user prompt but there have been a few others. 

In relation to pre stage, we do have our pre stage separated out. One for Catalina and below, one for BigSur and up. We have found that it works really well and we can limit the config profiles better. We also use smart groups but for a new device found it is not calculated fully until the inventory cycle has run. We have this factored into our workflow to force an inventory and then policy check in on first log in. Remote desktop we set after first log in as there is a bug where permissions are set and check box ticked but is not fully set. We have a script that runs to fix that.    

Can't comment on the signing issue, have not had the issue with signing PPPC utility items. I do save them to my local machine and upload to our on prem JAMF instance.