Jamf Nation Community

kpotek · ‎09-26-2018

About a week ago we started getting a pop-up on clients regarding enabling LMIGUIAgent through Security & Privacy > Accessibility > Allow the apps below to control your computer (I will attach screenshoot). I believe this is for upcoming MacOSMojave, and does not affect other versions of MacOS. However, users will still get the pop-up for enabling the LMIGUIAgent. Has anyone seen this pop-up? or has developed command line or script to enable the LMIGUIAgent?

Hugonaut · ‎09-26-2018

Your image being sideways was killing me...

YES WE GOT IT AS WELL VERY ANNOYING. Thought I did something wrong, glad to see its not just us.

We stay an OS behind for about a year (Maybe 2 moving forward...haha) and are on 10.13 still and use all mac airs. We still do a monolothic base image. A part of the monolothic base image is just a startup script and the quickadd package. The startup script is manually added to the Sec & Priv -> Accessibility pane so the other stuff can happen, I just added the following script as a quick fix and working for us.

tell application "System Events"
    -- Selects 'Start Process'
    click at {875, 330}
    delay 3
    click at {875, 330}
    delay 3
    click at {1111, 127}
    delay 3
    click at {1030, 540}
    delay 3
    -- Selects 'Open System Preferences'
    click at {760, 330}
    delay 3
    -- Unlocks System Pref Pane to Modify
    click at {140, 600}
    delay 3
    -- Selects Text Input Location 'User Name'
    click at {415, 220}
    delay 5
    keystroke "AdminUsernameHere"
    delay 3
    -- Selects Text Input Location 'Password'
    keystroke tab
    delay 3
    keystroke "AdminPasswordHere"
    delay 3
    -- Selects 'Unlock' from Password Authentication prompt
    keystroke return
    delay 3
    -- Selects 'LMIGUIAGENT' in accessibility
    click at {390, 240}
    delay 3
    -- Select 'Pencil' in accessibility
    click at {390, 280}
    -- Locks Sys Pref Pane to Save Modifications
    delay 3
    click at {140, 600}
    delay 3
    -- Closes System Preferences
    click at {117, 73}
    delay 3
    -- Closes Log Me In
    click at {1000, 560}
end tell

Looking for a real solution, so if anyone else can chime in that would be Great!!! TCC.DB being locked down makes me wary of this being automated via JAMF

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

kpotek · ‎09-26-2018

Hugonaut, this scripted is for new deployments? can it be ran through jamf for users that already have their Mac?

Hugonaut · ‎09-26-2018

Highly Unlikely because gui scripting is so sensitive.... if they move there system preferences in any direct 5 - 10 pixels, this script breaks. Hence its only for the initial enrollment / startup.

Sure you could devise a way to do it...but I'd reach out to your LogMeIn rep and see what they offer. This was pushed silently without any changelogs or anything..available as of today...

http://help.logmein.com/articles/en_US/ReleaseNote/LogMeIn-Release-Note-for-September-19-2018/?l=en_...

We are handling our existing clients on an individual basis and doing it manually because they are not administrators.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

kpotek · ‎09-26-2018

Thanks for the info. I contacted logmein and they offered not help or information. I have tried using sqlite3 commands, but have not found a way to make it work. I will continue to work on a solution and hope others will jump in if they do.

Hugonaut · ‎09-26-2018

welcome!

sqlite3 on the tcc.db?! ... we are sitting ducks for now my friend...it is read only

https://www.jamf.com/jamf-nation/discussions/23921/editing-the-tcc-db-with-sqlite3

wondering what the acquisition of NOMAD is going to bring JAMF

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

ajacob · ‎10-01-2018

Running this command via ARD gets rid of it:

sudo launchctl remove com.logmein.logmeinserver
killall "LMIGUIAgent"
rm -r "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/LMIGUIAgent.app"

LogMeIn turns off and stays off, though.

danny_gutman · ‎10-01-2018

I have the same message rolling out to my users, and we're on mostly Sierra/High Sierra. Looking for a way to add this as an approved KEXT possibly?

PhillyPhoto · ‎10-01-2018

@danny.gutman This is not a kernel extension issue, it's something that must be approved in Accessibility.

Apple is really clamping down on scripts doing automated tasks and whatnot.

I use this command in the "Execute command" section of my policy to force a log out since using the "Log out" option in the Apple Menu doesn't always prompt for a password to kick off FileVault:

osascript -e 'tell application "System Events" to log out'

Starting on Mojave, it gives this prompt:

mike_paul · ‎10-03-2018

These pop-ups are due to Apples new Privacy Preference Policy Control functionality which you can find more information about here: https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-....

You will need to build a profile that whitelists LMIGUIAgent to communicate with the Accessibility service. I would recommend using the PPPC Utility available on our GitHub to create that.

Hugonaut · ‎10-03-2018

@mike.paul

Gave me a project tomorrow. Thank you.

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

nstefanelli56 · ‎11-17-2018

@Hugonaut (or anyone who was able to get this to work, lol)

Did you get this to work in PPPC? I created the profile and uploaded and push out via Jamf, but it doesn't appear to enable it still.

Hugonaut · ‎11-19-2018

@kpotek @Stefanelli

https://github.com/Hugonauts/configuration-profiles

That works for me. Hope it helps & hope it works for you too!

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

JoshF · ‎11-28-2018

Have others used this successfully? I'm trying to implement this on 10.13. I'm wondering if the configuration will only work on 10.14?

ryan_s · ‎02-13-2019

@Hugonaut -- I am with @JoshF here...we have a large number of 10.13 "kiosks" that we need to deploy logmein to. Obviously the PPPC and config profile will only work with 10.14 (Mojave). For fun, I tried the mobileconfig and also the PPPC payload in JAMF and while they executed "successfully" they did not provide the functionality of actually adding LMIGUIAgent to the Accessibility module.

Is AppleScript truly the only possible way to do this on 10.12 and 10.13?? (Note these kiosks are remote and geographically spread across the globe, so manual intervention is not necessarily an option)

Hugonaut · ‎02-14-2019

@ryan.s with our enterprise license we were able to reach out to LogMeIn and roll back the update that forced the SEC & P Privvies

I have not been able to create a solution besides gui scripting on 10.12 or 10.13 but I hope there is and I hope im just using the PPPC Utility Wrong!

________________
Looking for a Jamf Managed Service Provider? Look no further than Rocketman
________________

Virtual MacAdmins Monthly Meetup - First Friday, Every Month

sfarazi · ‎10-27-2019

#block pop-up during initial install. 
/bin/mkdir /Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/backupGUIAgent
/bin/mv -f /Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/LMIGUIAgent.app /Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/backupGUIAgent/
/bin/ps -aef | grep LMIGUIAgent |grep -v grep| awk ‘{print $2}’ | xargs kill -9 $2

Deploy Privacy Preferences Policy Control from MDM

beeboo · ‎11-05-2019

@sfarazi

is that a deploy pkg + script then a PPPC or 1 or the other?

eg:

is your workflow

deploy everyone the LMI GUI
once pkg is deployed, either in the same policy or another one, you run that script
at any point the PPPC is deploy as a config profile.

does that sound accurate?

whitelisting the backupGUIAgent is the app that the user gets right since the LMI console/rescue is called LogMeIn-Rescue.app

Trying to understand the deployment policy/process.

thanks!

Heavy_D · ‎01-12-2021

Hello Team I am having a really hard time getting the PPPC Policy and LogMeIn to install properly on Big Sur the installation goes well but it still will not silently add the Extensions nor the PPPC settings for the Application or LMIGUIAgent its really frustrating, the pop-up still comes up.

Has anyone been able to install this on Big Sur successfully silently without user intervention?

Heavy_D · ‎01-26-2021

Jamf Nation Community

Logmein LMIGUIAgent enable required for remote access

Deploy Privacy Preferences Policy Control from MDM