JAMF / PPPC / Microsoft Autoupdate

nycnewman
New Contributor III

Is there a good way to debug an issue with TCC / PPPC policy and Microsoft Update?

I've implemented the PPPC Policy from @pbowden and associated update script. However, for a subset of machines the "msupdate --config" step never returns any results and the rest is ignored. I would guess this is related to PPPC policy and ability to send Apple events.

I've tried to look at TCC logs and get the following:

2020-12-31 14:24:54.162632-0500 0xf70f98 Error 0x109e829 660 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501, euid=501, binary_path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant}, requesting={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501, euid=501, binary_path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant},

2020-12-31 14:24:54.162695-0500 0xf70f98 Default 0x109e829 660 0 tccd: [com.apple.TCC:access] target_executable_path_URL: file:///Applications/iTerm.app/Contents/MacOS/iTerm2

2020-12-31 14:24:54.163179-0500 0xf70b68 Error 0x1099aee 160 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501, euid=501, binary_path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant}, requesting={identifier=com.apple.appleeventsd, pid=570, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},

but this appears on machines that work and those that don't. Even manually running "msupdate --config" fails.

Other things I have tried:
- checking binary code signing signature (codesign -dr - <path>)
- updated PPPC to include some additional Apple Events settings for jamf and com.microsoft.autoupdate.cli

Any thoughts on best way to track down what is blocking autoupdate?

2 REPLIES

nycnewman
New Contributor III

Just a follow up. Current investigation:

  • under a variety of conditions some systems appear to get no response from msupdate via AppleEvents
  • Logs seem to imply that it is possible that the msupdate process is dying and thus not returning results
  • I have seen stack trace type failures when manually running "msupdate --config" under sudo but not consistent
  • Fixed the above errors with an updated PPPC policy but still having issues getting the config test to respond.

Anyone else seeing issues with msupdate?

nycnewman
New Contributor III

Sadly still seeing this. Approx half a dozen machines across 10.14, 10.15, and 11.1 all produce the TCC errors. I have done the following:

  • Checked MDMOverrides.plist is distributing consistently to all machines and has correct TCC values
  • Traced the logs on several machines and see the following across them all
  • Revalidated application signatures on machines (codesign -dr - <app>) for jamf and msupdate

Is there a better way to debug tccd issues?

2021-01-28 13:05:05.420001+0000 0x694da Error 0x0 306 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for RESP:{ID: com.jamfsoftware.jamf, PID[14276], auid: 0, euid: 0, responsible path: '/usr/local/jamf/bin/jamf', binary path: '/usr/local/jamf/bin/jamf'}, ACC:{ID: com.microsoft.autoupdate.cli, PID[18750], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate'}, REQ:{ID: com.apple.appleeventsd, PID[77], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

RESP: com.jamfsoftware.jamf
ACC: com.microsoft.autoupdate.cli
REQ: com.apple.appleeventsd

2021-01-28 13:05:06.888646+0000 0x69402 Error 0x7d65d 404 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[18793], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant'}, REQ:{ID: com.microsoft.autoupdate.fba, PID[18793], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant'}

RESP:
ACC: com.microsoft.autoupdate.fba
REQ: com.microsoft.autoupdate.fba

2021-01-28 13:05:06.932372+0000 0x694da Error 0x0 306 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[18793], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant'}, REQ:{ID: com.apple.appleeventsd, PID[77], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

RESP:
ACC: com.microsoft.autoupdate.fba
REQ: com.apple.appleeventsd
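
Added example, not part of the original posts: a small parser that pulls the service, the missing entitlement and the RESP/ACC/REQ identifiers out of tccd lines in both formats quoted in this thread, so the output of a working and a failing machine can be compared. The function names are hypothetical and the sample lines are constructed by shortening the thread's log lines.

```python
import re
from collections import Counter

# Older tccd builds print accessing=/requesting=, newer ones RESP/ACC/REQ;
# both forms appear in the thread's logs. Normalise to RESP/ACC/REQ.
ROLE = {"RESP": "RESP", "ACC": "ACC", "REQ": "REQ",
        "accessing": "ACC", "requesting": "REQ"}
ROLE_RE = re.compile(r"\b(RESP|ACC|REQ|accessing|requesting)\s*[:=]\s*\{\s*"
                     r"(?:ID:\s*|identifier=)([^,}\s]+)")
SERVICE_RE = re.compile(r"service:\s*(kTCCService\w+)")
ENTITLEMENT_RE = re.compile(r"requires entitlement (\S+) but it is missing")

def parse_tccd_line(line):
    """Return service, entitlement and role identifiers, or None for other lines."""
    svc, ent = SERVICE_RE.search(line), ENTITLEMENT_RE.search(line)
    if not (svc and ent):
        return None
    rec = {"service": svc.group(1), "entitlement": ent.group(1),
           "RESP": None, "ACC": None, "REQ": None}
    for label, ident in ROLE_RE.findall(line):
        rec[ROLE[label]] = ident
    return rec

def summarize(lines):
    """Count messages per (service, RESP, ACC, REQ) tuple."""
    recs = filter(None, map(parse_tccd_line, lines))
    return Counter((r["service"], r["RESP"], r["ACC"], r["REQ"]) for r in recs)

def only_on_failing(failing_lines, working_lines):
    """Tuples logged on the failing host but never on the working one."""
    return set(summarize(failing_lines)) - set(summarize(working_lines))

# Constructed samples: the thread's log lines with timestamps and paths cut.
PREFIX = ("tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; "
          "service: kTCCServiceAppleEvents requires entitlement "
          "com.apple.security.automation.apple-events but it is missing for ")
NEW_FMT = PREFIX + ("RESP:{ID: com.jamfsoftware.jamf, PID[14276], auid: 0}, "
                    "ACC:{ID: com.microsoft.autoupdate.cli, PID[18750], auid: 501}, "
                    "REQ:{ID: com.apple.appleeventsd, PID[77], auid: 55}")
OLD_FMT = PREFIX + ("accessing={identifier=com.microsoft.autoupdate.fba, pid=91467}, "
                    "requesting={identifier=com.apple.appleeventsd, pid=570},")
OTHER = ("tccd: [com.apple.TCC:access] target_executable_path_URL: "
         "file:///Applications/iTerm.app/Contents/MacOS/iTerm2")

if __name__ == "__main__":
    for key, n in summarize([NEW_FMT, OLD_FMT, OLD_FMT, OTHER]).items():
        print(n, key)
    print(only_on_failing([NEW_FMT, OLD_FMT], [OLD_FMT]))
```

Feed it the saved output of `log show --predicate 'subsystem == "com.apple.TCC"'` from each machine, one list of lines per host. An empty result from only_on_failing means these entitlement messages do not distinguish the failing machines from the working ones.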