Posted on 12-31-2020 11:33 AM
Is there a good way to debug an issue with TCC / PPPC policy and Microsoft Update?
I've implemented the PPPC Policy from @pbowden and associated update script. However, for a subset of machines the "msupdate --config" step never returns any results and the rest is ignored. I would guess this is related to PPPC policy and ability to send Apple events.
I've tried to look at TCC logs and get the following:
2020-12-31 14:24:54.162632-0500 0xf70f98 Error 0x109e829 660 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501, euid=501, binary_path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant}, requesting={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501, euid=501, binary_path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant},
2020-12-31 14:24:54.162695-0500 0xf70f98 Default 0x109e829 660 0 tccd: [com.apple.TCC:access] target_executable_path_URL: file:///Applications/iTerm.app/Contents/MacOS/iTerm2
2020-12-31 14:24:54.163179-0500 0xf70b68 Error 0x1099aee 160 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501, euid=501, binary_path=/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant}, requesting={identifier=com.apple.appleeventsd, pid=570, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},
but this appears on machines that work and those that don't. Even manually running "msupdate --config" fails.
Other things I have tried:
- checking binary code signing signature (codesign -dr - <path>)
- updated PPPC to include some additional Apple Events settings for jamf and com.microsoft.autoupdate.cli
Any thoughts on the best way to track down what is blocking autoupdate?
Posted on 01-03-2021 04:08 PM
Just a follow up. Current investigation:
Anyone else seeing issues with msupdate?
Posted on 02-01-2021 12:40 PM
Sadly still seeing this. Approx half a dozen machines across 10.14, 10.15, and 11.1 all produce the TCC errors. I have done the following:
Is there a better way to debug tccd issues?
2021-01-28 13:05:05.420001+0000 0x694da Error 0x0 306 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for RESP:{ID: com.jamfsoftware.jamf, PID[14276], auid: 0, euid: 0, responsible path: '/usr/local/jamf/bin/jamf', binary path: '/usr/local/jamf/bin/jamf'}, ACC:{ID: com.microsoft.autoupdate.cli, PID[18750], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate'}, REQ:{ID: com.apple.appleeventsd, PID[77], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
RESP: com.jamfsoftware.jamf
ACC: com.microsoft.autoupdate.cli
REQ: com.apple.appleeventsd
2021-01-28 13:05:06.888646+0000 0x69402 Error 0x7d65d 404 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[18793], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant'}, REQ:{ID: com.microsoft.autoupdate.fba, PID[18793], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant'}
RESP:
ACC: com.microsoft.autoupdate.fba
REQ: com.microsoft.autoupdate.fba
2021-01-28 13:05:06.932372+0000 0x694da Error 0x0 306 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[18793], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant'}, REQ:{ID: com.apple.appleeventsd, PID[77], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
RESP:
ACC: com.microsoft.autoupdate.fba
REQ: com.apple.appleeventsd
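To compare tccd output between machines that work and machines that don't, the script below (an added example, not part of the original posts and not Jamf or Microsoft tooling) parses both log layouts quoted in this thread and tallies the RESP/ACC/REQ identifiers per entry. The function names and the shortened sample lines are constructed for illustration, modelled on the entries above.

```python
import re
from collections import Counter

HEAD = re.compile(r"tccd: \[com\.apple\.TCC:access\].*?service: (\w+) requires "
                  r"entitlement ([\w.-]+) but it is missing for ")
# Layout of the 2021-01-28 lines: RESP:{ID: ..., PID[n], ...}
NEW_ROLE = re.compile(r"\b(RESP|ACC|REQ):\{ID: ([^,}]+), PID\[(\d+)\]")
# Layout of the 2020-12-31 lines: accessing={identifier=..., pid=n, ...}
OLD_ROLE = re.compile(r"\b(accessing|requesting)=\{identifier=([^,}]+), pid=(\d+)")
OLD_TO_NEW = {"accessing": "ACC", "requesting": "REQ"}

def parse_tcc_line(line):
    """Return service, entitlement and role identifiers, or None if not a match."""
    m = HEAD.search(line)
    if not m:
        return None
    rec = {"service": m.group(1), "entitlement": m.group(2),
           "RESP": "", "ACC": "", "REQ": "", "pids": {}}
    tail = line[m.end():]
    roles = NEW_ROLE.findall(tail)
    roles += [(OLD_TO_NEW[r], i, p) for r, i, p in OLD_ROLE.findall(tail)]
    for role, ident, pid in roles:
        rec[role] = ident.strip()
        rec["pids"][role] = int(pid)
    return rec

def summarize(lines):
    """Count entries per (service, RESP, ACC, REQ) so two hosts can be diffed."""
    counts = Counter()
    for line in lines:
        rec = parse_tcc_line(line)
        if rec:
            counts[(rec["service"], rec["RESP"], rec["ACC"], rec["REQ"])] += 1
    return counts

# Constructed sample input: shortened versions of the entries quoted in the thread.
PRE = (" tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; "
       "service: kTCCServiceAppleEvents requires entitlement "
       "com.apple.security.automation.apple-events but it is missing for ")
SAMPLE = [
    "2021-01-28 13:05:05.420001+0000 0x694da Error 0x0 306 0" + PRE +
    "RESP:{ID: com.jamfsoftware.jamf, PID[14276], auid: 0, euid: 0}, "
    "ACC:{ID: com.microsoft.autoupdate.cli, PID[18750], auid: 501, euid: 501}, "
    "REQ:{ID: com.apple.appleeventsd, PID[77], auid: 55, euid: 55}",
    "2020-12-31 14:24:54.163179-0500 0xf70b68 Error 0x1099aee 160 0" + PRE +
    "accessing={identifier=com.microsoft.autoupdate.fba, pid=91467, auid=501}, "
    "requesting={identifier=com.apple.appleeventsd, pid=570, auid=55},",
    "2020-12-31 14:24:54.162695-0500 0xf70f98 Default 0x109e829 660 0 tccd: "
    "[com.apple.TCC:access] target_executable_path_URL: file:///Applications/iTerm.app",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key, sep="\t")
```

An entry whose RESP column is non-empty, as in the jamf-launched case, shows which parent process tccd holds responsible for the request.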