Monterey, M1, and PPPC...you're killing us Wacom!

donmontalvo
Esteemed Contributor III

EDIT: Removing the usual rant, worked with a Wacom dev team contact, verified these settings work with Monterey on Intel and M1:

Codesign commands, to gather the info needed for the PPPC configuration profile:

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Desktop\ Center.app 
Executable=/Applications/Wacom Tablet.localized/Wacom Desktop Center.app/Contents/MacOS/Wacom Desktop Center
designated => anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Display\ Settings.app/
Executable=/Applications/Wacom Tablet.localized/Wacom Display Settings.app/Contents/MacOS/Wacom Display Settings
designated => anchor apple generic and identifier "com.wacom.Wacom-Display-Settings" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Tablet\ Utility.app
Executable=/Applications/Wacom Tablet.localized/Wacom Tablet Utility.app/Contents/MacOS/Wacom Tablet Utility
designated => anchor apple generic and identifier "com.wacom.RemoveWacomTablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.IOManager.app
Executable=/Library/PrivilegedHelperTools/com.wacom.IOManager.app/Contents/MacOS/com.wacom.IOManager
designated => anchor apple generic and identifier "com.wacom.IOManager" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app
Executable=/Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app/Contents/MacOS/com.wacom.DataStoreMgr
designated => anchor apple generic and identifier "com.wacom.DataStoreMgr" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.UpdateHelper.app/
Executable=/Library/PrivilegedHelperTools/com.wacom.UpdateHelper.app/Contents/MacOS/com.wacom.UpdateHelper
designated => anchor apple generic and identifier "com.wacom.UpdateHelper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/WacomTabletDriver.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/WacomTabletDriver.app/Contents/MacOS/WacomTabletDriver
designated => anchor apple generic and identifier "com.wacom.wacomtablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/WacomTouchDriver.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/WacomTouchDriver.app/Contents/MacOS/WacomTouchDriver
designated => anchor apple generic and identifier "com.wacom.WacomTouchDriver" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/TabletDriver.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/TabletDriver.app/Contents/MacOS/TabletDriver
designated => anchor apple generic and identifier "com.wacom.TabletDriver" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/FirmwareUpdater.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/FirmwareUpdater.app/Contents/MacOS/FirmwareUpdater
designated => anchor apple generic and identifier "com.wacom.FirmwareUpdater" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

 

Here are screenshots, using the above, to add the 10 items to a PPPC configuration profile:

com.wacom.IOManager:

com.wacom.IOManager.png

com.wacom.UpdateHelper:

com.wacom.UpdateHelper.png

com.wacom.DataStoreMgr:

com.wacom.DataStoreMgr.png

com.wacom.wacomtablet:

com.wacom.wacomtablet.png

com.wacom.FirmwareUpdater:

com.wacom.FirmwareUpdater.png

com.wacom.WacomTouchDriver:

com.wacom.WacomTouchDriver.png

com.wacom.TabletDriver:

com.wacom.TabletDriver.png

com.wacom.RemoveWacomTablet:

com.wacom.RemoveWacomTablet.png

com.wacom.Wacom-Display-Settings:

com.wacom.Wacom-Display-Settings.png

com.wacom.Wacom-Desktop-Center:

com.wacom.Wacom-Desktop-Center.png

Here are the items the user will now need to enable, since Apple won't let us do it for them:       

Input Monitoring 03.png

Input Monitoring 02.png

Input Monitoring 01.png

Nothing shows up under Accessibility, but that might be because we don't have a USB-C compatible Wacom tablet. If anyone has screenshots of the expected items, please punt them this way so I can update (with attribution!).

Accessibility.png

The above should end this annoying prompt:

annoying-wacom-prompt.png

--
https://donmontalvo.com
1 ACCEPTED SOLUTION

donmontalvo
Esteemed Contributor III

I had a remote session with a Wacom dev contact, went through all 10 of the apps that exist, whitelisting each. Confirmed that Wacom now works, without any prompts, on Monterey on both Intel and M1.

User still has to go to Input Monitoring to check all the boxes for the items there.

Not sure about Accessibility since things work, and we only see AEServer listed.

Hope this helps the next person....and yes I suggested Wacom create a KB for admin folks like us.

--
https://donmontalvo.com

16 REPLIES

PaulHazelden
Valued Contributor

I have 3 things in my PPPC for Wacom...

com.wacom.wacomtablet

com.wacom.WacomTouchDriver

com.wacom.IOManager

All 3 are set to the same thing...

Accessibility - Allow

ListenEvent - Allow Standard Users to Allow Access

PostEvent - Allow

 

I am running OSX 12.3.1 on there and whatever Wacom gave me as a driver in February, I can't remember the version. On a mix of M1 and Intel Macs.

Students have to do the input monitoring allow bit for themselves, I can't do that for them.
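Added example, not part of the original thread and not Wacom's or Jamf's code: it turns `codesign -dr -` output like that in the first post into the TCC (PPPC) payload dictionary, using the three service settings listed in the reply above. The payload identifier is a placeholder, and the dictionary still has to be wrapped in a full configuration profile by your MDM or profile tool.

```python
import plistlib
import re
import uuid

# Sample input: codesign output for com.wacom.IOManager, copied from the first post.
SAMPLE = '''Executable=/Library/PrivilegedHelperTools/com.wacom.IOManager.app/Contents/MacOS/com.wacom.IOManager
designated => anchor apple generic and identifier "com.wacom.IOManager" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)
'''

# Service -> Authorization value (macOS 11+ key), per the reply above.
# AllowStandardUserToSetSystemService is only valid for ListenEvent and ScreenCapture.
SERVICES = {
    "Accessibility": "Allow",
    "ListenEvent": "AllowStandardUserToSetSystemService",
    "PostEvent": "Allow",
}

def parse_codesign(output):
    """Return (bundle identifier, code requirement) from `codesign -dr -` output."""
    # Ad hoc signed code prints "# designated => cdhash ..." and is rejected here.
    m = re.search(r"^designated => (.+)$", output, re.MULTILINE)
    if not m:
        raise ValueError("no designated requirement found (unsigned or ad hoc?)")
    requirement = m.group(1).strip()
    ident = re.search(r'identifier "([^"]+)"', requirement)
    if not ident:
        raise ValueError("requirement does not pin an identifier")
    return ident.group(1), requirement

def tcc_payload(codesign_outputs):
    """Build the com.apple.TCC.configuration-profile-policy payload dictionary."""
    services = {name: [] for name in SERVICES}
    for out in codesign_outputs:
        bundle_id, requirement = parse_codesign(out)
        for name, authorization in SERVICES.items():
            services[name].append({
                "Identifier": bundle_id,
                "IdentifierType": "bundleID",
                "CodeRequirement": requirement,
                "Authorization": authorization,
            })
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": "com.example.pppc.wacom",  # placeholder, assumption
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": services,
    }

if __name__ == "__main__":
    print(plistlib.dumps(tcc_payload([SAMPLE])).decode())
```

The `certificate leaf[subject.OU] = EG27766DY7` clause carried into `CodeRequirement` is what ties each grant to the vendor's signing team, so a different binary reusing the same bundle identifier does not inherit it.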

donmontalvo
Esteemed Contributor III

Thanks! The Wacom dev person told us 6.3.44 will work for Monterey on Intel and M1.

--
https://donmontalvo.com

killer23d
Contributor

Screen capture, Input Monitoring are among the many things that give me nightmares every day.

While security and privacy is paramount for Apple, the inability to pre-allow many PPPC and System Extensions is what makes my job difficult. Many may disagree with what I am about to say: we invested a lot of time in the ecosystem, play by their rules (MDM, Jamf...), yet they have not cut macsysadmins any slack. When I pay for a management system, I expect it to lighten up my workload or simplify my daily; but in the past few years, I find that I am trying hard to deal with end user tickets like this or script my way through problems.

I know every org is different: as EDU, users are not local admin and we should have more granular or mass controls over this.

Don't even get me started on mass-upgrade/erase/upgrade OS with M1. 🥲

donmontalvo
Esteemed Contributor III

I kind of like how Apple is constantly moving the goal posts on macOS. Keeps nefarious folks at bay. Also accelerates receding hairline. :)

--
https://donmontalvo.com

Thank you so much, this totally worked for the Input Monitoring to allow our users on Monterey to check the options and get rid of that annoying popup.

 

Unfortunately it doesn't seem to allow for checking the boxes in Accessibility. On a couple of test machines I've got here, one has com.wacom.IOManager and the other has com.wacom.IOManager, WacomTabletDriver, and WacomTouchDriver. None are selectable even with Accessibility set to Allow in the Configuration Profile.

 

Is there possibly more to it on Monterey for the Privacy > Accessibility settings? Having a hard time finding an answer when digging around.

My team told me they are able to have the standard users click on Allow. I think what you described is a JAMF bug, have you tried going to PPPC and clicking on Edit, changing to Deny, saving and changing back to Allow? I have been doing that since 10.35.

MNussbaum
New Contributor III

Thank you for the suggestion! That is the first I've heard of that bug and workaround.

 

I went into the profile and set Accessibility to Deny for all of them, pushed them out to the computers, went back and changed Accessibility back to Allow for all of them, and pushed them back out again. Everything looks good in the Profile as far as I can tell, and Input Monitoring is working great, but Privacy > Accessibility still doesn't allow the standard user to check the box for any of the Wacom options.

I checked with my team, you are correct that Accessibility is still unchecked and I am not able to check without unlock. No one has given me feedback about something not working, does the Wacom tablet work at all?

MNussbaum
New Contributor III

From what I can tell, the tablet is able to control the cursor but it's not registering the clicks. Not sure if that is an issue with Accessibility or something else.

My team says toggling Accessibility manually doesn't seem to affect the Wacom app from detecting the tablet.

Maybe you need to build a clean system without the PPPC and manually test each piece. It's painful I know.

I'm getting the same issue with driver 6.4.1-1 on Monterey 12.6.3 (Intel).

Plus this:

[Screenshots: Wacom Center; System Preferences]

I just want to add that it seems to have resolved itself after I restarted the computer.

@donmontalvo 's method also works with macOS Ventura.

I tested three computers (two Monterey, and one Ventura) and they all detected the Wacom Tablets when connected after a restart. I tested with a PTH-651 and PTH-660 tablet. For the Ventura laptop, the PTH-660 tablet was connected to a Dell USB-C Hub monitor.

I hope this helps.

Thanks for posting this Don. This has been the messiest configuration I've had to set up in a while. Kudos to Wacom for placing applications in hidden, localized, folders. I salute them with a tip-of-the-cap!

donmontalvo
Esteemed Contributor III

@taugust04 Wacom is a good example of a cash cow who has become complacent. /rant

--
https://donmontalvo.com

itupshot
Contributor II

Does the sequence matter, or can I add all the apps from /Application/Wacom\ Tablet folder first, and then all the ones from /Library/PrivilegedHelperTools?

 

Thanks,