Logmein LMIGUIAgent enable required for remote access

kpotek
New Contributor

About a week ago we started getting a pop-up on clients regarding enabling LMIGUIAgent through Security & Privacy > Accessibility > Allow the apps below to control your computer (I will attach screenshoot). I believe this is for upcoming MacOSMojave, and does not affect other versions of MacOS. However, users will still get the pop-up for enabling the LMIGUIAgent. Has anyone seen this pop-up? or has developed command line or script to enable the LMIGUIAgent?cbd69d7119af47ad862899d46d9cfb20

19 REPLIES 19

Hugonaut
Valued Contributor

Your image being sideways was killing me...
bd46b5041ddb4646a12a7b224a487f64

YES WE GOT IT AS WELL VERY ANNOYING. Thought I did something wrong, glad to see its not just us.

We stay an OS behind for about a year (Maybe 2 moving forward...haha) and are on 10.13 still and use all mac airs. We still do a monolothic base image. A part of the monolothic base image is just a startup script and the quickadd package. The startup script is manually added to the Sec & Priv -> Accessibility pane so the other stuff can happen, I just added the following script as a quick fix and working for us.

tell application "System Events"
    -- Selects 'Start Process'
    click at {875, 330}
    delay 3
    click at {875, 330}
    delay 3
    click at {1111, 127}
    delay 3
    click at {1030, 540}
    delay 3
    -- Selects 'Open System Preferences'
    click at {760, 330}
    delay 3
    -- Unlocks System Pref Pane to Modify
    click at {140, 600}
    delay 3
    -- Selects Text Input Location 'User Name'
    click at {415, 220}
    delay 5
    keystroke "AdminUsernameHere"
    delay 3
    -- Selects Text Input Location 'Password'
    keystroke tab
    delay 3
    keystroke "AdminPasswordHere"
    delay 3
    -- Selects 'Unlock' from Password Authentication prompt
    keystroke return
    delay 3
    -- Selects 'LMIGUIAGENT' in accessibility
    click at {390, 240}
    delay 3
    -- Select 'Pencil' in accessibility
    click at {390, 280}
    -- Locks Sys Pref Pane to Save Modifications
    delay 3
    click at {140, 600}
    delay 3
    -- Closes System Preferences
    click at {117, 73}
    delay 3
    -- Closes Log Me In
    click at {1000, 560}
end tell

Looking for a real solution, so if anyone else can chime in that would be Great!!! TCC.DB being locked down makes me wary of this being automated via JAMF

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

kpotek
New Contributor

Hugonaut, this scripted is for new deployments? can it be ran through jamf for users that already have their Mac?

Hugonaut
Valued Contributor

Highly Unlikely because gui scripting is so sensitive.... if they move there system preferences in any direct 5 - 10 pixels, this script breaks. Hence its only for the initial enrollment / startup.

Sure you could devise a way to do it...but I'd reach out to your LogMeIn rep and see what they offer. This was pushed silently without any changelogs or anything..available as of today...

http://help.logmein.com/articles/en_US/ReleaseNote/LogMeIn-Release-Note-for-September-19-2018/?l=en_...

We are handling our existing clients on an individual basis and doing it manually because they are not administrators.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

kpotek
New Contributor

Thanks for the info. I contacted logmein and they offered not help or information. I have tried using sqlite3 commands, but have not found a way to make it work. I will continue to work on a solution and hope others will jump in if they do.

Hugonaut
Valued Contributor

welcome!

sqlite3 on the tcc.db?! ... we are sitting ducks for now my friend...it is read only

https://www.jamf.com/jamf-nation/discussions/23921/editing-the-tcc-db-with-sqlite3

wondering what the acquisition of NOMAD is going to bring JAMF

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

ajacob
New Contributor

Running this command via ARD gets rid of it:

sudo launchctl remove com.logmein.logmeinserver
killall "LMIGUIAgent"
rm -r "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/LMIGUIAgent.app"

LogMeIn turns off and stays off, though.

danny_gutman
New Contributor III

I have the same message rolling out to my users, and we're on mostly Sierra/High Sierra. Looking for a way to add this as an approved KEXT possibly?

PhillyPhoto
Contributor III

@danny.gutman This is not a kernel extension issue, it's something that must be approved in Accessibility.

Apple is really clamping down on scripts doing automated tasks and whatnot.

I use this command in the "Execute command" section of my policy to force a log out since using the "Log out" option in the Apple Menu doesn't always prompt for a password to kick off FileVault:

osascript -e 'tell application "System Events" to log out'

Starting on Mojave, it gives this prompt:

f373681f34764a44acad9fe9932cc2c6

mike_paul
Contributor III

These pop-ups are due to Apples new Privacy Preference Policy Control functionality which you can find more information about here: https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-....

You will need to build a profile that whitelists LMIGUIAgent to communicate with the Accessibility service. I would recommend using the PPPC Utility available on our GitHub to create that.

Hugonaut
Valued Contributor

@mike.paul

Gave me a project tomorrow. Thank you.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

nstefanelli56
New Contributor II

@Hugonaut (or anyone who was able to get this to work, lol)

Did you get this to work in PPPC? I created the profile and uploaded and push out via Jamf, but it doesn't appear to enable it still.

Hugonaut
Valued Contributor

@kpotek @Stefanelli

https://github.com/Hugonauts/configuration-profiles

That works for me. Hope it helps & hope it works for you too!

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

JoshF
New Contributor II

Have others used this successfully? I'm trying to implement this on 10.13. I'm wondering if the configuration will only work on 10.14?

ryan_s
New Contributor II

@Hugonaut -- I am with @JoshF here...we have a large number of 10.13 "kiosks" that we need to deploy logmein to. Obviously the PPPC and config profile will only work with 10.14 (Mojave). For fun, I tried the mobileconfig and also the PPPC payload in JAMF and while they executed "successfully" they did not provide the functionality of actually adding LMIGUIAgent to the Accessibility module.

Is AppleScript truly the only possible way to do this on 10.12 and 10.13?? (Note these kiosks are remote and geographically spread across the globe, so manual intervention is not necessarily an option)

Hugonaut
Valued Contributor

@ryan.s with our enterprise license we were able to reach out to LogMeIn and roll back the update that forced the SEC & P Privvies

I have not been able to create a solution besides gui scripting on 10.12 or 10.13 but I hope there is and I hope im just using the PPPC Utility Wrong!

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman

sfarazi
New Contributor
#block pop-up during initial install. 
/bin/mkdir /Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/backupGUIAgent
/bin/mv -f /Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/LMIGUIAgent.app /Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/backupGUIAgent/
/bin/ps -aef | grep LMIGUIAgent |grep -v grep| awk ‘{print $2}’ | xargs kill -9 $2

Deploy Privacy Preferences Policy Control from MDM

eec43d51c44540eb90c4e9afc042a3b9

beeboo
Contributor

@sfarazi

is that a deploy pkg + script then a PPPC or 1 or the other?

eg:

is your workflow

  1. deploy everyone the LMI GUI
  2. once pkg is deployed, either in the same policy or another one, you run that script
  3. at any point the PPPC is deploy as a config profile.

does that sound accurate?

whitelisting the backupGUIAgent is the app that the user gets right since the LMI console/rescue is called LogMeIn-Rescue.app

Trying to understand the deployment policy/process.

thanks!

JarvisUno
Contributor II

Hello Team I am having a really hard time getting the PPPC Policy and LogMeIn to install properly on Big Sur the installation goes well but it still will not silently add the Extensions nor the PPPC settings for the Application or LMIGUIAgent its really frustrating, the pop-up still comes up.

Has anyone been able to install this on Big Sur successfully silently without user intervention?

JarvisUno
Contributor II

Anyone?