Jamf Nation Community

donmontalvo · ‎04-26-2022

EDIT: Removing the usual rant, worked with a Wacom dev team contact, verified these settings work with Monterey on Intel and M1:

Codesign commands, to gather the info needed for the PPPC configuration profile:

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Desktop\ Center.app 
Executable=/Applications/Wacom Tablet.localized/Wacom Desktop Center.app/Contents/MacOS/Wacom Desktop Center
designated => anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Display\ Settings.app/
Executable=/Applications/Wacom Tablet.localized/Wacom Display Settings.app/Contents/MacOS/Wacom Display Settings
designated => anchor apple generic and identifier "com.wacom.Wacom-Display-Settings" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/Wacom\ Tablet\ Utility.app 
Executable=/Applications/Wacom Tablet.localized/Wacom Tablet Utility.app/Contents/MacOS/Wacom Tablet Utility
designated => anchor apple generic and identifier "com.wacom.RemoveWacomTablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.IOManager.app 
Executable=/Library/PrivilegedHelperTools/com.wacom.IOManager.app/Contents/MacOS/com.wacom.IOManager
designated => anchor apple generic and identifier "com.wacom.IOManager" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app 
Executable=/Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app/Contents/MacOS/com.wacom.DataStoreMgr
designated => anchor apple generic and identifier "com.wacom.DataStoreMgr" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Library/PrivilegedHelperTools/com.wacom.UpdateHelper.app/
Executable=/Library/PrivilegedHelperTools/com.wacom.UpdateHelper.app/Contents/MacOS/com.wacom.UpdateHelper
designated => anchor apple generic and identifier "com.wacom.UpdateHelper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/WacomTabletDriver.app 
Executable=/Applications/Wacom Tablet.localized/.Tablet/WacomTabletDriver.app/Contents/MacOS/WacomTabletDriver
designated => anchor apple generic and identifier "com.wacom.wacomtablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/WacomTouchDriver.app 
Executable=/Applications/Wacom Tablet.localized/.Tablet/WacomTouchDriver.app/Contents/MacOS/WacomTouchDriver
designated => anchor apple generic and identifier "com.wacom.WacomTouchDriver" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/TabletDriver.app 
Executable=/Applications/Wacom Tablet.localized/.Tablet/TabletDriver.app/Contents/MacOS/TabletDriver
designated => anchor apple generic and identifier "com.wacom.TabletDriver" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

$ codesign -dr - /Applications/Wacom\ Tablet.localized/.Tablet/FirmwareUpdater.app 
Executable=/Applications/Wacom Tablet.localized/.Tablet/FirmwareUpdater.app/Contents/MacOS/FirmwareUpdater
designated => anchor apple generic and identifier "com.wacom.FirmwareUpdater" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)

Here are screenshots, using the above, to add the 10 items to a PPPC configuration profile:

com.wacom.IOManager:

com.wacom.UpdateHelper:

com.wacom.DataStoreMgr:

com.wacom.wacomtablet:

com.wacom.FirmwareUpdate:

com.wacom.WacomTouchDriver:

com.wacom.TabletDriver:

com.wacom.RemoveWacomTablet:

com.wacom.Wacom-Display-Settings:

com.wacom.Wacom-Desktop-Center:

Here are the items the user will now need to enable, since Apple won't let us do it for them:

Nothing shows up under Accessibility, but that might be because we don't have a USB-C compatible Wacom tablet. If anyone has screenshots of the expected items, please punt them this way so I can update (with attribution!).

The above should end this annoying prompt:

--
https://donmontalvo.com

donmontalvo · ‎04-27-2022

I had a remote session with a Wacom dev contact, went through all 10 of the apps that exist, whitelisting each. Confirmed that Wacom now works, without any prompts, on Monterey on both Intel and M1.

User still has to go to Input Monitoring to check all the boxes for the items there.

Not sure about Accessibility since things work, and we only see AEServer listed.

Hope this helps the next person....and yes I suggested Wacom create a KB for admin folks like us.

--
https://donmontalvo.com

View solution in original post

PaulHazelden · ‎04-27-2022

I have 3 things in my PPPC for Wacom...

com.wacom.wacomtablet

com.wacom.WacomTouchDriver

com.wacom.IOManager

All 3 are set to the same thing...

Accessibility - Allow

ListenEvent - Allow Standard Users to Allow Access

PostEvent - Allow

I am running OSX 12.3.1 on there and whatever Wacom gave me as a driver in Feburary, I cant remember the version. On a mix of M1 and intel Macs.

Students have to do the input monitoring allow bit for themselves, I cant do that for them.

donmontalvo · ‎04-27-2022

Thanks! The Wacom dev person told us 6.3.44 will work for Monterey on Intel and M1.

--
https://donmontalvo.com

killer23d · ‎04-27-2022

Screen capture, Input Monitoring are among the many things that gives me nightmares everyday.

While security and privacy is paramount for Apple, the inability to pre-allow many PPPC and System Extensions is what makes my job difficult. Many may have disagree with that I am about to say, we invested a lot of time in the ecosystem, play by their rules (MDM, Jamf...), yet they have not cut macsysadmin any slacks. When I pay for a management system, I expect it to lighten up my workload or simplify my daily; but in the past few years, I find that I am trying hard to deal with end user tickets like this or script my way through problems.

I know every org is different: as EDU, users are not local admin and we should have more granular or mass controls over this.

Don't even get me started on mass-upgrade/erase/upgrade OS with M1. 🥲

donmontalvo · ‎04-27-2022

I kind of like how Apple is constantly moving the goal posts on macOS. Keeps nefarious folks at bay. Also accelerates receding hairline. :)

--
https://donmontalvo.com

donmontalvo · ‎04-27-2022

I had a remote session with a Wacom dev contact, went through all 10 of the apps that exist, whitelisting each. Confirmed that Wacom now works, without any prompts, on Monterey on both Intel and M1.

User still has to go to Input Monitoring to check all the boxes for the items there.

Not sure about Accessibility since things work, and we only see AEServer listed.

Hope this helps the next person....and yes I suggested Wacom create a KB for admin folks like us.

--
https://donmontalvo.com

MNussbaum · ‎05-11-2022

Thank you so much, this totally worked for the Input Monitoring to allow our users on Monterey to check the options and get rid of that annoying popup.

Unfortunately it doesn't seem to allow for checking the boxes in Accessibility. On a couple of test machines I've got here, one has com.wacom.IOManager and the other has com.wacom.IOManager, WacomTabletDriver, and WacomTouchDriver. None are selectable even with Accessibility set to Allow in the Configuration Profile.

Is there possibly more to it on Monterey for the Privacy > Accessibility settings? Having a hard time finding an answer when digging around.

killer23d · ‎05-11-2022

My team told me they are able to have the standard users click on Allow. I think what you described is a JAMF bug, have you tried doing to PPPC and click on Edit, change to deny, save and change back to Allow? I have been doing that since 10.35.

MNussbaum · ‎05-11-2022

Thank you for the suggestion! That is the first I've heard of that bug and workaround.

I went into the profile and set Accessibility to Deny for all of them, pushed them out to the computers, went back and changed Accessibility back to Allow for all of them, and pushed them back out again. Everything looks good in the Profile as far as I can tell, and Input Monitoring is working great, but Privacy > Accessibility still doesn't allow the standard user to check the box for any of the Wacom options.

killer23d · ‎05-11-2022

I checked with my team, you are correct that Accessibility is still unchecked and I am not able to check without unlock. No one has given me feedback about something not working, does the Wacom tablet work at all?

MNussbaum · ‎05-11-2022

From what I can tell, the tablet is able to control the cursor but it's not registering the clicks. Not sure if that is an issue with Accessibility or something else.

killer23d · ‎05-11-2022

My team says toggling Accessibility manually doesn't seem to affect the Wacom app from detecting the tablet.

Maybe you need to build a clean system without the PPPC and manually test each piece. It's painful I know.

itupshot · ‎02-22-2023

I'm getting the same issue with driver 6.4.1-1 on Monterey 12.6.3 (Intel).

Plus this:

Wacom CenterSystem Preferences

itupshot · ‎02-23-2023

I just want to add that it seems to have resolved itself after I restarted the computer.

@donmontalvo 's method also works with macOS Ventura.

I tested three computers (two Monterey, and one Ventura) and they all detected the Wacom Tablets when connected after a restart. I tested with a PTH-651 and PTH-660 tablet. For the Ventura laptop, the PTH-660 tablet was connected to a Dell USB-C Hub monitor.

I hope this helps.

taugust04 · ‎09-05-2022

Thanks for posting this Don. This has been the messiest configuration I've had to setup in a while. Kudos to Wacom for placing applications in hidden, localized, folders. I salute them with a tip-of-the-cap!

donmontalvo · ‎09-07-2022

@taugust04 Wacom is a good example of a cash cow who has become complacent. /rant

--
https://donmontalvo.com

itupshot · ‎02-22-2023

Does the sequence matter, or can I add all the apps from /Application/Wacom\ Tablet folder first, and then all the ones from /Library/PrivilegedHelperTools?

Thanks,

Jamf Nation Community

Monterey, M1, and PPPC...you're killing us Wacom!