Location Services

whiteb
Contributor II

Is it still the case that there is no way of allowing Location Services for a specific app, for non-admin users? I don’t see a PPPC option for it, and it’s been stated that this is impossible in the past.

Zoom soft-phone client wants location services enabled for 911 call routing. Users don’t have admin rights.

I've seen someone say the below works for Big Sur, but even then I believe that just enables the general Apple location services, and not specifically for an app in particular.

#!/bin/sh

sudo /usr/bin/defaults write /var/db/locationd/Library/Preferences/ByHost/com.apple.locationd LocationServicesEnabled -int 1

sudo /usr/bin/defaults write /Library/Preferences/com.apple.timezone.auto Active -bool true

I need Location Services checked for Zoom specifically.

1 ACCEPTED SOLUTION

whiteb
Contributor II

I ended up putting in a Jamf support ticket on this. Went back and forth a little, it got escalated. In the end, their final answer was that it's an intentional limitation on Apple's end that MDMs do not have the ability to do this. Pretty sure their reasoning is privacy. Which I get, but still..

I believe our network admin who is mainly doing the Zoom phone transition/integration said you can configure Zoom Phone admin settings to associate different subnets with different building locations. So if they're calling 911 with Zoom Phone on a Mac, it will look at their subnet and pull 911 location that way. This was the best we were able to do.


42 REPLIES

GeorgeCasper
New Contributor III

I'm a total Python novice, so there may be better ways to do what I do here, but this seems to work properly:

#!/Library/ManagedFrameworks/Python/Python3.framework/Versions/Current/bin/python3
# using MacAdmins Recommended Python package

import plistlib

# Load the plist file into a Python data structure
with open("/var/db/locationd/clients.plist", "rb") as plist_file:
    plist_data = plistlib.load(plist_file)

# Specify the key to search for
search_key = "us.zoom.xos"

# Iterate through the array and look for the key in each element
for element in plist_data:
    try:
        if search_key in plist_data[element]['BundleId']:
            # Key found, access the value
            value = plist_data[element]['Authorized']
            print("<result>{}</result>".format(value))
            quit()
    except KeyError:
        # It's possible to not have a BundleId, in which case we just carry on
        pass
print("<result>Zoom not found!</result>")

Note that it relies on python3, which means you'll need to have it deployed somehow; I used the MacAdmins python3 install.  Also note that it'll almost certainly require Terminal to have Full Disk Access, in order to access the plist file.  It also is showing you the permissions granted by the user logged in when recon was run, which may be misleading in multi-user per machine environments.

This code should be easily modifiable to check for Teams, Skype or whatever else you'd like - just look at the plist and figure out the BundleId of the application you're checking on.  

Finally, this just checks to see if the app has Location Services permission - it does nothing to ensure Location Services itself is turned on!  But that's easy to check on its own.
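Added example, not part of the post above and not Jamf's or Apple's code: a sketch of an extension attribute that reports the global Location Services switch together with the per-app state for several bundle IDs, matching BundleId exactly so a similarly named helper entry cannot be reported by mistake. The sample plists, the entry keys, the bundle ID `us.zoom.xos.helper` and the function names are constructed for illustration; only `BundleId`, `Authorized` and `LocationServicesEnabled` come from this thread, and treating a truthy `Authorized` as "authorized" is an assumption.

```python
import plistlib

# Constructed stand-in for /var/db/locationd/clients.plist (entry keys are made up).
SAMPLE_CLIENTS = plistlib.dumps({
    "entry-1": {"BundleId": "us.zoom.xos.helper", "Authorized": False},
    "entry-2": {"BundleId": "us.zoom.xos", "Authorized": True},
    "entry-3": {"Executable": "/usr/local/bin/tool"},   # no BundleId at all
    "entry-4": {"BundleId": "com.microsoft.teams"},     # no Authorized key
})
# Constructed stand-in for the locationd preferences plist named in the shell script.
SAMPLE_PREFS = plistlib.dumps({"LocationServicesEnabled": 1})


def audit_location(clients_bytes, prefs_bytes, bundle_ids):
    """Return the global switch and the per-app state for each bundle ID."""
    clients = plistlib.loads(clients_bytes)
    prefs = plistlib.loads(prefs_bytes)
    report = {"global": bool(prefs.get("LocationServicesEnabled", 0)), "apps": {}}
    for wanted in bundle_ids:
        state = "not listed"
        for entry in clients.values():
            # Exact comparison: a substring test would also match the helper
            # entry above and report its value instead of the app's.
            if isinstance(entry, dict) and entry.get("BundleId") == wanted:
                if "Authorized" not in entry:
                    state = "no Authorized key"
                else:
                    state = "authorized" if entry["Authorized"] else "denied"
                break
        report["apps"][wanted] = state
    return report


def as_extension_attribute(report):
    """Format the report as a single Jamf extension attribute result."""
    parts = ["LocationServices=" + ("on" if report["global"] else "off")]
    parts += [f"{bid}={state}" for bid, state in sorted(report["apps"].items())]
    return "<result>{}</result>".format("; ".join(parts))


if __name__ == "__main__":
    ids = ["us.zoom.xos", "com.microsoft.teams", "com.example.absent"]
    print(as_extension_attribute(audit_location(SAMPLE_CLIENTS, SAMPLE_PREFS, ids)))
```

On a real Mac the two byte strings would be read from the files named in this thread, with the same Full Disk Access requirement described above.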

 

jel-gherson
New Contributor III

@williamaddis and @GeorgeCasper 

I am looking to use a version of your approach to approve location services for a different app. (It would actually be to use Location Services for a python script being run via the MacAdmins Python3.)

Without having actually tried it, I feel this should work. However I have encountered a different but related issue which I was wondering if you or anyone else could answer.

By manually enabling location services currently, my python script via the MacAdmin Python3 is able to utilise Location Services when run as a user. If however my python script is run via root aka sudo then it fails saying Location Services has not been authorised.

This suggests either this permission is a per-user setting or perhaps more likely root is treated differently.

So has anyone seen this, and has anyone been able to allow root to use Location Services? (This would make life easier since as mentioned in this discussion JAMF uses root to run scripts.)

I would start by looking in /var/db/locationd/clients.plist to see how that script is listed in there. It'll probably have some com.whatever entry in there that you would want to look at changing in all the com.microsoft.teams entries in the original script. Just remember that if you are testing the script manually through Terminal or Coderunner, etc., that those apps will need to have Full Disk Access granted in the Privacy & Security settings.