Monterey, M1, and PPPC...you're killing us Wacom!

donmontalvo
Esteemed Contributor II

EDIT: Removing the usual rant, worked with a Wacom dev team contact, verified these settings work with Monterey on Intel and M1:

Codesign commands, to gather the info needed for the PPPC configuration profile:

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Desktop\ Center.app 
Executable=/Applications/Wacom Tablet.localized/Wacom Desktop Center.app/Contents/MacOS/Wacom Desktop Center
designated => anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Display\ Settings.app/
Executable=/Applications/Wacom Tablet.localized/Wacom Display Settings.app/Contents/MacOS/Wacom Display Settings
designated => anchor apple generic and identifier "com.wacom.Wacom-Display-Settings" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Tablet\ Utility.app
Executable=/Applications/Wacom Tablet.localized/Wacom Tablet Utility.app/Contents/MacOS/Wacom Tablet Utility
designated => anchor apple generic and identifier "com.wacom.RemoveWacomTablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.IOManager.app
Executable=/Library/PrivilegedHelperTools/com.wacom.IOManager.app/Contents/MacOS/com.wacom.IOManager
designated => anchor apple generic and identifier "com.wacom.IOManager" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app
Executable=/Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app/Contents/MacOS/com.wacom.DataStoreMgr
designated => anchor apple generic and identifier "com.wacom.DataStoreMgr" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.UpdateHelper.app/
Executable=/Library/PrivilegedHelperTools/com.wacom.UpdateHelper.app/Contents/MacOS/com.wacom.UpdateHelper
designated => anchor apple generic and identifier "com.wacom.UpdateHelper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/WacomTabletDriver.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/WacomTabletDriver.app/Contents/MacOS/WacomTabletDriver
designated => anchor apple generic and identifier "com.wacom.wacomtablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/WacomTouchDriver.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/WacomTouchDriver.app/Contents/MacOS/WacomTouchDriver
designated => anchor apple generic and identifier "com.wacom.WacomTouchDriver" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/TabletDriver.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/TabletDriver.app/Contents/MacOS/TabletDriver
designated => anchor apple generic and identifier "com.wacom.TabletDriver" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/FirmwareUpdater.app
Executable=/Applications/Wacom Tablet.localized/.Tablet/FirmwareUpdater.app/Contents/MacOS/FirmwareUpdater
designated => anchor apple generic and identifier "com.wacom.FirmwareUpdater" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

 

Here are screenshots, using the above, to add the 10 items to a PPPC configuration profile:

com.wacom.IOManager:

com.wacom.IOManager.png

com.wacom.UpdateHelper:

com.wacom.UpdateHelper.png

com.wacom.DataStoreMgr:

com.wacom.DataStoreMgr.png

com.wacom.wacomtablet:

com.wacom.wacomtablet.png

com.wacom.FirmwareUpdater:

com.wacom.FirmwareUpdater.png

com.wacom.WacomTouchDriver:

com.wacom.WacomTouchDriver.png

com.wacom.TabletDriver:

com.wacom.TabletDriver.png

com.wacom.RemoveWacomTablet:

com.wacom.RemoveWacomTablet.png

com.wacom.Wacom-Display-Settings:

com.wacom.Wacom-Display-Settings.png

com.wacom.Wacom-Desktop-Center:

com.wacom.Wacom-Desktop-Center.png

Here are the items the user will now need to enable, since Apple won't let us do it for them:       

Input Monitoring 03.png

Input Monitoring 02.png

Input Monitoring 01.png

Nothing shows up under Accessibility, but that might be because we don't have a USB-C compatible Wacom tablet. If anyone has screenshots of the expected items, please punt them this way so I can update (with attribution!).

Accessibility.png

The above should end this annoying prompt:

annoying-wacom-prompt.png

--
https://donmontalvo.com
1 ACCEPTED SOLUTION

donmontalvo
Esteemed Contributor II

I had a remote session with a Wacom dev contact, went through all 10 of the apps that exist, whitelisting each. Confirmed that Wacom now works, without any prompts, on Monterey on both Intel and M1.

User still has to go to Input Monitoring to check all the boxes for the items there.

Not sure about Accessibility since things work, and we only see AEServer listed.

Hope this helps the next person....and yes I suggested Wacom create a KB for admin folks like us.

--
https://donmontalvo.com


PaulHazelden
Valued Contributor

I have 3 things in my PPPC for Wacom...

com.wacom.wacomtablet

com.wacom.WacomTouchDriver

com.wacom.IOManager

All 3 are set to the same thing...

Accessibility - Allow

ListenEvent - Allow Standard Users to Allow Access

PostEvent - Allow

 

I am running OSX 12.3.1 on there and whatever Wacom gave me as a driver in February, I can't remember the version. On a mix of M1 and Intel Macs.

Students have to do the input monitoring allow bit for themselves, I can't do that for them.
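
Added example, not part of any post in this thread and not Wacom's or Jamf's code: Python that turns `codesign -dr -` output like that in the first post into the `Services` dictionary of a PPPC (`com.apple.TCC.configuration-profile-policy`) payload, using the three authorizations listed in the reply above, and rejects any binary whose designated requirement is not anchored and pinned to the expected team ID. The function names, the sample input and the `com.example.unsigned-helper` entry are constructed for illustration.

```python
import plistlib
import re

# Authorizations as listed in the reply above, keyed by TCC service name.
SERVICES = {"Accessibility": "Allow", "PostEvent": "Allow",
            "ListenEvent": "AllowStandardUserToSetSystemService"}

# Constructed sample input in the format shown in the first post. The last
# entry is invented to show a requirement that is too weak to trust.
TAIL = ('(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
        'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
        'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
        'certificate leaf[subject.OU] = EG27766DY7)')
SAMPLE = "\n".join([
    f'designated => anchor apple generic and identifier "com.wacom.IOManager" and {TAIL}',
    f'designated => anchor apple generic and identifier "com.wacom.wacomtablet" and {TAIL}',
    'designated => identifier "com.example.unsigned-helper"',
])

def parse_requirements(codesign_output, team_id):
    """Return ({bundle_id: requirement}, [rejected ids]) from `codesign -dr -` output."""
    accepted, rejected = {}, []
    for line in codesign_output.splitlines():
        m = re.match(r'\s*designated => (.+)$', line)
        ident = re.search(r'identifier "([^"]+)"', m.group(1)) if m else None
        if not ident:
            continue  # Executable= lines and anything without an identifier
        req = m.group(1).strip()
        # Trust only requirements anchored to Apple's CA and pinned to the team.
        pinned = (req.startswith("anchor apple generic")
                  and f"certificate leaf[subject.OU] = {team_id}" in req)
        if pinned:
            accepted[ident.group(1)] = req
        else:
            rejected.append(ident.group(1))
    return accepted, rejected

def build_tcc_payload(requirements):
    """Build the TCC payload body: one entry per bundle ID under each service."""
    services = {
        service: [{"Identifier": bundle_id, "IdentifierType": "bundleID",
                   "CodeRequirement": req, "Authorization": authorization}
                  for bundle_id, req in sorted(requirements.items())]
        for service, authorization in SERVICES.items()}
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "Services": services}

if __name__ == "__main__":
    reqs, skipped = parse_requirements(SAMPLE, "EG27766DY7")
    print(plistlib.dumps(build_tcc_payload(reqs)).decode())
    print("rejected (weak requirement):", skipped)
```

The output is only the payload body; the enclosing profile keys (identifier, UUID, scope) come from whatever MDM tool wraps it.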

donmontalvo
Esteemed Contributor II

Thanks! The Wacom dev person told us 6.3.44 will work for Monterey on Intel and M1.

--
https://donmontalvo.com

killer23d
New Contributor III

Screen capture, Input Monitoring are among the many things that give me nightmares every day.

While security and privacy is paramount for Apple, the inability to pre-allow many PPPC and System Extensions is what makes my job difficult. Many may disagree with what I am about to say, we invested a lot of time in the ecosystem, play by their rules (MDM, Jamf...), yet they have not cut macsysadmin any slack. When I pay for a management system, I expect it to lighten up my workload or simplify my daily; but in the past few years, I find that I am trying hard to deal with end user tickets like this or script my way through problems.

 

I know every org is different: as EDU, users are not local admin and we should have more granular or mass controls over this.

 

Don't even get me started on mass-upgrade/erase/upgrade OS with M1. 🥲

donmontalvo
Esteemed Contributor II

I kind of like how Apple is constantly moving the goal posts on macOS. Keeps nefarious folks at bay. Also accelerates receding hairline. :)

--
https://donmontalvo.com

Thank you so much, this totally worked for the Input Monitoring to allow our users on Monterey to check the options and get rid of that annoying popup.

 

Unfortunately it doesn't seem to allow for checking the boxes in Accessibility. On a couple of test machines I've got here, one has com.wacom.IOManager and the other has com.wacom.IOManager, WacomTabletDriver, and WacomTouchDriver. None are selectable even with Accessibility set to Allow in the Configuration Profile.

 

Is there possibly more to it on Monterey for the Privacy > Accessibility settings? Having a hard time finding an answer when digging around.

killer23d
New Contributor III

My team told me they are able to have the standard users click on Allow. I think what you described is a JAMF bug, have you tried going to PPPC and clicking on Edit, changing to Deny, saving and changing back to Allow? I have been doing that since 10.35.

MNussbaum
New Contributor III

Thank you for the suggestion! That is the first I've heard of that bug and workaround.

 

I went into the profile and set Accessibility to Deny for all of them, pushed them out to the computers, went back and changed Accessibility back to Allow for all of them, and pushed them back out again. Everything looks good in the Profile as far as I can tell, and Input Monitoring is working great, but Privacy > Accessibility still doesn't allow the standard user to check the box for any of the Wacom options.

killer23d
New Contributor III

I checked with my team, you are correct that Accessibility is still unchecked and I am not able to check without unlock. No one has given me feedback about something not working, does the Wacom tablet work at all?

MNussbaum
New Contributor III

From what I can tell, the tablet is able to control the cursor but it's not registering the clicks. Not sure if that is an issue with Accessibility or something else.

killer23d
New Contributor III

My team says toggling Accessibility manually doesn't seem to affect the Wacom app from detecting the tablet.

Maybe you need to build a clean system without the PPPC and manually test each piece. It's painful I know.

Thanks for posting this Don. This has been the messiest configuration I've had to set up in a while. Kudos to Wacom for placing applications in hidden, localized, folders. I salute them with a tip-of-the-cap!

donmontalvo
Esteemed Contributor II

@taugust04 Wacom is a good example of a cash cow who has become complacent. /rant

--
https://donmontalvo.com