Issue with Privacy Preferences Control Config Profile

kidtrebor
New Contributor

Hi,

I'm trying to get to grips with my first config profile to pre-approve an accessibility permission to one app used across our organisation but hitting the buffers somewhat.

I've read the how-to article to understand how to extract the necessary information using the codesign command. When I run the command I get the following output:

Executable=/Applications/Clevershare.app/Contents/MacOS/Clevershare_MAC
designated => anchor apple generic and identifier "com.cvte.clevershare.mac" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P76M9BE8DQ)

So, in the config profile I used the following line as bundle ID:

Executable=/Applications/Clevershare.app/Contents/MacOS/Clevershare_MAC

...and I used the below as the code requirement:

anchor apple generic and identifier "com.cvte.clevershare.mac" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P76M9BE8DQ)

I then added the app/service as 'accessibility', set it to 'enabled' and scoped it to my own device and... nothing happened. I can see the config profile there, but don't see anything in security and privacy in System Preferences.

I suspect I've lifted the wrong info from the codesign output. I wonder if anyone more knowledgeable than me might know where I've gone wrong?

By the way, I've also tried the same as above but selected the path to the application as the identifier, but this didn't work either. Many thanks in advance.

Regards,
Robert


4 REPLIES

tomhastings
Contributor II

Try out the PPPC Utility:
https://github.com/jamf/PPPC-Utility
It takes some of the guesswork out of this process.

Search for "PPPC Utility" in Jamf Nation, you will find lots of great information.

sshort
Valued Contributor

@kidtrebor You're on the right path, but there is definitely some trial-and-error when testing these profiles. I also recommend the PPPC Utility app because it will automatically extract the correct codesign info and app identifier. When you're testing the profiles, only user-approved apps will appear in System Preferences. Anything you whitelist using a PPPC profile is not going to show in the Security & Privacy>Privacy section. Confirming your profile works would be opening the app to see if the accessibility permission pop-up doesn't appear. You can also confirm the profile is installed under the Profiles pane in System Preferences.

When you're manually copying & pasting, the identifier is in the com.example.example format. The screenshot you provided shows a string of Executable=/Applications/Clevershare.app/Contents/MacOS/Clevershare_MAC, when it should just be com.cvte.clevershare.mac. Using the PPPC Utility helps with that because it's all filled in for you.

Another tip: it's common for accessibility profiles to also need an AppleEvent to add the exception to System Preferences. Check out the profiles I made for examples, like Parallels.
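
The identifier and code requirement split discussed in this thread, as an added example that is not part of any reply here: it parses the codesign output quoted in the question and builds the Accessibility entry of a PPPC (com.apple.TCC.configuration-profile-policy) payload. The function names are hypothetical, the sample text is constructed from the question, and the profile-level keys a deployable profile needs (payload identifiers, UUIDs) are omitted.

```python
import plistlib
import re

# Constructed sample: the codesign output quoted in the question.
SAMPLE = '''Executable=/Applications/Clevershare.app/Contents/MacOS/Clevershare_MAC
designated => anchor apple generic and identifier "com.cvte.clevershare.mac" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P76M9BE8DQ)
'''


def parse_codesign(output):
    """Return (bundle_id, code_requirement) from codesign requirement output."""
    requirement = None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("designated =>"):
            # Everything after "designated =>" is the code requirement.
            requirement = line.split("=>", 1)[1].strip()
    if not requirement:
        raise ValueError("no 'designated =>' line found")
    match = re.search(r'identifier "([^"]+)"', requirement)
    if not match:
        raise ValueError("requirement has no identifier clause")
    return match.group(1), requirement


def build_payload(bundle_id, requirement):
    """Build the TCC payload fragment that pre-approves Accessibility."""
    # The mistake from the question: the Executable= line is not a bundle ID.
    if bundle_id.startswith("Executable=") or "/" in bundle_id:
        raise ValueError("bundleID must look like com.example.app, not a path")
    if requirement.startswith("designated"):
        raise ValueError("strip the 'designated =>' prefix from the requirement")
    entry = {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": requirement,
        "Allowed": True,
    }
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "Services": {"Accessibility": [entry]},
    }


if __name__ == "__main__":
    bundle_id, requirement = parse_codesign(SAMPLE)
    print(plistlib.dumps(build_payload(bundle_id, requirement)).decode())
```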

seraphina
Contributor II

The PPPC utility is great. I believe it will spit out a config that you can upload to JSS as well.
I think your executable path may be wrong, here is one of our profiles.

kidtrebor
New Contributor

Thanks all for your responses - the PPPC utility helped solve the case and I was able to get the setting deployed, much obliged!