Forcing Allow in Security and Privacy

RealMestizo
New Contributor II

I would like to automatically force Allow access to the Microphone and Camera for apps such as Zoom and Chrome.

As part of our security policy we have disabled users from accessing the security and privacy setting. Whenever they need to grant access to the mic or camera for a new app, we have to exclude their machine from this policy in JAMF, have them force pull the policy from their terminal, and then they go in and grant the permission access. We would then re-apply the policy back on their machine and have them force the policy in terminal once more. This is a tedious process that interrupts the workflow for all involved and simply does not scale with our growing user base.

Is there a way to have a JAMF config profile push down the permission to automatically Allow access to the mic and camera for specific apps? I've taken a look at the PPPC config settings in JAMF and for the mic and camera it seems like it can only push down the Deny and not Allow setting. Is there a way around this?

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@hyprjmartinez There is no capability to force Allow, just Deny. This is not a Jamf limitation, it's an Apple requirement that users make those choices.


17 REPLIES

nelsoni
Contributor III

There is no way around this. Screen Recording, Mic, and Camera access have to be approved by the user. The only option in any MDM is to set an explicit deny. There is no plan to change this in the future.

RNCNetops
New Contributor

Is there a way to write a script to do it?

hkabik
Valued Contributor

You can enable microphone and camera programmatically by manually editing the TCC.db. You cannot do this for Screen Recording using this method as that is set in the /Library level TCC.db which is SIP protected, but this method works fine for Mic and Camera as they are in the ~/Library level TCC.db.

Examples:

Enable Microphone in Skype For Business for the currently logged in user -

#!/bin/sh

# Get the currently logged-in (console) user
user=$(stat -f "%Su" /dev/console)

# The path contains a space ("Application Support"), so it must be quoted.
# The 12 positional values match the 12-column access table of 10.14/10.15.
sqlite3 "/Users/$user/Library/Application Support/com.apple.TCC/TCC.db" "INSERT OR REPLACE INTO access VALUES('kTCCServiceMicrophone','com.microsoft.SkypeForBusiness',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);"

Enable Camera in Teams for the currently logged in user -

#!/bin/sh

# Get the currently logged-in (console) user
user=$(stat -f "%Su" /dev/console)

# Quoted path (space in "Application Support"); 12 values for the 10.14/10.15 schema
sqlite3 "/Users/$user/Library/Application Support/com.apple.TCC/TCC.db" "INSERT OR REPLACE INTO access VALUES('kTCCServiceCamera','com.microsoft.teams',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);"

gwertman
New Contributor III

I'm trying this on a Catalina 10.15.7 system. When trying this as an ARD Unix command I get this error:

Error: unable to open database "/Users/student/Library/Application Support/com.apple.TCC/TCC.db": unable to open database file

I can view the access table via sqlite3 on the system locally, so it's definitely there. Running the command on the system gives the same result.

Any advice? 🙂

gwertman
New Contributor III

It was because neither ARD nor Terminal had Full Disk Access... lesson learned there! Thank you for this post of yours, it was incredibly helpful!

cainehorr
Contributor III

I took @hkabik's example and made one for Zoom

#!/bin/sh

# Acquire currently logged in username
userName=$(/usr/bin/stat -f "%Su" "/dev/console")

# Quote the path: "Application Support" contains a space
tccDB="/Users/${userName}/Library/Application Support/com.apple.TCC/TCC.db"

# Allow Microphone
/usr/bin/sqlite3 "${tccDB}" "INSERT OR REPLACE INTO access VALUES('kTCCServiceMicrophone','us.zoom.xos',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1234567890);"

# Allow Camera
/usr/bin/sqlite3 "${tccDB}" "INSERT OR REPLACE INTO access VALUES('kTCCServiceCamera','us.zoom.xos',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1234567890);"

exit 0

Kind regards,

Caine Hörr

A reboot a day keeps the admin away!

kmitnick
New Contributor III

@cainehorr

Caine,

I’m testing your Zoom script to enable the camera and microphone and I’m getting this error: “table access has 13 columns but 12 values were supplied”. Have you come across this? I’m running Big Sur 11.1.

patgmac
Contributor III

@kmitnick Apple probably "fixed" it in Big Sur. This was never intended to be a valid way of enabling these. Apple wants a human in front of the screen to make that choice. And for very good reason!

howie_isaacks
Valued Contributor II

Perhaps you should re-think not allowing users to access the Security & Privacy preference pane. I want my users to understand that they must give permission for apps to access things on their Mac. I also want them to learn to do this themselves instead of always asking for someone to do it for them. I am 100% in agreement with Apple about this, even if it is a pain in the butt to deal with as an Apple admin.

kmitnick
New Contributor III

@patgmac @howie_isaacks Totally understand what you guys are saying. I was just trying to test this to see if it still worked in Big Sur, trying to avoid users having to do it. It was more of a "see if it would work" than a recommendation to use it. Thanks guys.

Switchfly_IT
New Contributor III

Kind of related but different so ignore this if it's too off the path.

I want to know if there's a way to see if an "allow" is just sitting unchecked in a user's Security settings. There's an issue with Crowdstrike requiring users to allow but we don't trust them to do it and there's no way CS can tell us if they did or not. This means firmware detections will not be reported.
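An added example (mine, not code from any poster in this thread) that addresses two things raised above: kmitnick's "table access has 13 columns but 12 values were supplied" error, which comes from positional VALUES against a table whose layout changed between macOS generations, and Switchfly_IT's question of how to tell whether an Allow row is already sitting in a user's TCC.db. It names the columns explicitly, picks the layout by inspecting PRAGMA table_info, and reads the current state back. The two CREATE TABLE statements are constructed from memory so the script runs offline against in-memory databases; the column names, and the auth_value/auth_reason codes used for the 13-column layout, are assumptions and should be checked against the actual TCC.db before use. When pointed at a real database it has to run from a process with Full Disk Access, as gwertman found.

```python
"""Schema-aware read/write of Allow rows in a TCC.db 'access' table (added example)."""
import sqlite3
import time

# Constructed from memory for offline use (assumption: names/order as on those
# macOS generations). Real DBs carry other tables and a foreign key to
# 'policies', omitted here.
CATALINA_ACCESS = """
CREATE TABLE access (
  service TEXT NOT NULL,
  client TEXT NOT NULL,
  client_type INTEGER NOT NULL,
  allowed INTEGER NOT NULL,
  prompt_count INTEGER NOT NULL,
  csreq BLOB,
  policy_id INTEGER,
  indirect_object_identifier_type INTEGER,
  indirect_object_identifier TEXT DEFAULT 'UNUSED',
  indirect_object_code_identity BLOB,
  flags INTEGER,
  last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)),
  PRIMARY KEY (service, client, client_type, indirect_object_identifier)
)
"""

BIGSUR_ACCESS = """
CREATE TABLE access (
  service TEXT NOT NULL,
  client TEXT NOT NULL,
  client_type INTEGER NOT NULL,
  auth_value INTEGER NOT NULL,
  auth_reason INTEGER NOT NULL,
  auth_version INTEGER NOT NULL,
  csreq BLOB,
  policy_id INTEGER,
  indirect_object_identifier_type INTEGER,
  indirect_object_identifier TEXT NOT NULL DEFAULT 'UNUSED',
  indirect_object_code_identity BLOB,
  flags INTEGER,
  last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)),
  PRIMARY KEY (service, client, client_type, indirect_object_identifier)
)
"""

AUTH_ALLOWED = 2          # assumption: auth_value meaning "allowed" (0 = denied)
AUTH_REASON_USER_SET = 3  # assumption: auth_reason code for a user-made choice


def access_columns(conn):
    """Column names of the access table, in order, via PRAGMA table_info."""
    return [row[1] for row in conn.execute("PRAGMA table_info(access)")]


def allow_state(conn, service, client):
    """True if an Allow row exists, False if a Deny row exists, None if no row."""
    col = "auth_value" if "auth_value" in access_columns(conn) else "allowed"
    row = conn.execute(
        f"SELECT {col} FROM access WHERE service = ? AND client = ?",  # col is from a fixed set
        (service, client),
    ).fetchone()
    if row is None:
        return None
    return row[0] == (AUTH_ALLOWED if col == "auth_value" else 1)


def set_state(conn, service, client, allow, now=None):
    """Insert/replace a row, naming every column so a layout change fails loudly.

    Returns the number of columns in the access table that was written."""
    now = int(time.time()) if now is None else now
    cols = access_columns(conn)
    if "auth_value" in cols:  # 13-column layout (Big Sur era)
        sql = ("INSERT OR REPLACE INTO access (service, client, client_type, "
               "auth_value, auth_reason, auth_version, csreq, policy_id, "
               "indirect_object_identifier_type, indirect_object_identifier, "
               "indirect_object_code_identity, flags, last_modified) "
               "VALUES (?, ?, 0, ?, ?, 1, NULL, NULL, NULL, 'UNUSED', NULL, 0, ?)")
        params = (service, client, AUTH_ALLOWED if allow else 0, AUTH_REASON_USER_SET, now)
    elif "allowed" in cols:   # 12-column layout (Mojave/Catalina era)
        sql = ("INSERT OR REPLACE INTO access (service, client, client_type, "
               "allowed, prompt_count, csreq, policy_id, "
               "indirect_object_identifier_type, indirect_object_identifier, "
               "indirect_object_code_identity, flags, last_modified) "
               "VALUES (?, ?, 0, ?, 1, NULL, NULL, NULL, 'UNUSED', NULL, 0, ?)")
        params = (service, client, 1 if allow else 0, now)
    else:
        raise RuntimeError("unrecognised access schema: %r" % (cols,))
    conn.execute(sql, params)
    conn.commit()
    return len(cols)


def demo():
    """Exercise both layouts in memory; returns {label: (before, allowed, denied, ncols)}."""
    out = {}
    for label, ddl in (("catalina", CATALINA_ACCESS), ("bigsur", BIGSUR_ACCESS)):
        conn = sqlite3.connect(":memory:")
        conn.execute(ddl)
        svc, app = "kTCCServiceMicrophone", "us.zoom.xos"
        before = allow_state(conn, svc, app)                   # no row yet
        ncols = set_state(conn, svc, app, allow=True, now=1234567890)
        allowed = allow_state(conn, svc, app)
        set_state(conn, svc, app, allow=False, now=1234567891)  # REPLACE on the composite key
        denied = allow_state(conn, svc, app)
        out[label] = (before, allowed, denied, ncols)
        conn.close()
    return out


if __name__ == "__main__":
    # Against a real Mac, open "~/Library/Application Support/com.apple.TCC/TCC.db"
    # (expanded with os.path.expanduser) from a process that has Full Disk Access.
    print(demo())
```

allow_state() is the piece that answers the "is the Allow actually set?" question: pointed at the user database it reports the mic/camera rows, and pointed at the system database under /Library it can report the rows that live there (which also needs Full Disk Access to read).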

dvasquez
Valued Contributor

Does anyone have a similar script for enabling Google Chrome for Microphone and Camera?

Or can someone point me in the right direction...

Appreciated!

dvasquez
Valued Contributor

this is my output trying to figure this out:

+ /usr/bin/sqlite3 /Users/dvasqu29/Library/Application Support/com.apple.TCC/TCC.db -cmd 'INSERT OR REPLACE INTO access VALUES('\''kTCCServiceMicrophone'\'','\''com.google.Chrome'\'','\''com.google.Chrome'\'','\''com.google.Chrome beta'\'','\''com.google.Chrome.dev'\'','\''com.google.Chrome.canary'\'', 0,1,1,NULL,NULL,NULL,'\''UNUSED'\'',NULL,0,1234567890);' .exit
Error: no such table: access
Error: near "Support": syntax error
+ /usr/bin/sqlite3 /Users/dvasqu29/Library/Application Support/com.apple.TCC/TCC.db -cmd 'INSERT OR REPLACE INTO access VALUES('\''kTCCServiceCamera'\'','\''com.google.Chrome'\'','\''com.google.Chrome'\'','\''com.google.Chrome beta'\'','\''com.google.Chrome.dev'\'','\''com.google.Chrome.canary'\'',0,1,1,NULL,NULL,NULL,'\''UNUSED'\'',NULL,0,1234567890);' .exit
Error: no such table: access
Error: near "Support": syntax error
+ exit

dvasquez
Valued Contributor

This is my script, simply edited from cainehorr's for Google.

#!/bin/sh

userName=$(/usr/bin/stat -f "%Su" "/dev/console")

# Quote the path: "Application Support" contains a space
tccDB="/Users/${userName}/Library/Application Support/com.apple.TCC/TCC.db"

# The access table holds one client per row, so insert one row per Chrome channel
for bundleID in com.google.Chrome com.google.Chrome.beta com.google.Chrome.dev com.google.Chrome.canary; do
    # Allow Microphone
    /usr/bin/sqlite3 "${tccDB}" "INSERT OR REPLACE INTO access VALUES('kTCCServiceMicrophone','${bundleID}',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1234567890);"

    # Allow Camera
    /usr/bin/sqlite3 "${tccDB}" "INSERT OR REPLACE INTO access VALUES('kTCCServiceCamera','${bundleID}',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1234567890);"
done

exit 0

chafe
New Contributor III

I was just reading through this thread, and if you scroll up a bit someone mentioned that this way of enabling the mic and camera has likely been patched by Apple, since it was never supposed to be a way to do it in the first place.

Still at a loss but hopefully someone can direct both of us from this thread soon.

dvasquez
Valued Contributor

I think there could be/is a way to use sqlite3 and the DB to set these permissions.

I will continue to look at it in time. But thank you for the reply.