Posted on 08-14-2019 03:50 PM
Hi,
I am trying to create a PPPC config for NWEA. I downloaded the PPPC Utility and tried to add the NWEA app from /Applications but it will not add it to the PPPC Utility. I have tried adding it with the + and also dragging it in. Other apps seem to add fine. Any ideas what's going on?
Posted on 08-15-2019 06:20 AM
They haven't updated the app. They need to release with a valid signature.
Posted on 08-15-2019 09:00 AM
Wow. So there isn't much I can do then until they sign it.
Posted on 08-15-2019 10:24 AM
Correct. Part of the testing process will be to see if kids can click Ok and Allow 1x before the test. If you're in a lab setting you could technically just manually do it before testing. Not ideal. We're on 4.0.0.3.
Posted on 08-15-2019 10:44 AM
Thanks @larry_barrett We have 3k machines for the test. I'll make some nice instructions with screenshots. Maybe they'll fix it later.
Posted on 08-15-2019 02:40 PM
Today I read about new versions of the app for Windows and Chromebook. No news on a new macOS app version.
Posted on 09-09-2019 12:38 PM
NWEA released Secure Testing Browser v. 4.0.0.4. Finally, it is a version compatible with PPPC Utility!
The new Mac Secure Testing Browser is now available on the main testing login page: teach.mapnwea.org
They also released a document containing instructions, which I have posted below: (Hope this helps!)
Creating a Configuration Profile to allow the Secure Testing Browser Permissions to System Events for macOS 10.14
When updating to 10.14 from an older macOS version, sometimes there is a permissions bug that causes Configuration Profiles to be ignored. For the Configuration Profile to work on 10.14, the permissions on /Library/Application Support/com.apple.TCC need to be drwxr-xr-x@ (and not drwx------@).
Extension Attribute
To detect whether any of your Macs have this issue, you can create an extension attribute to read the permission and create a smart group for scoping the Configuration Profile. Something as simple as the script below will do the trick:
#!/bin/bash
# Extension attribute: report the mode string of the TCC directory (e.g. drwxr-xr-x@).
# The path contains a space, so it must be quoted.
result=$(ls -ld "/Library/Application Support/com.apple.TCC" | cut -c 1-11)
echo "<result>$result</result>"
Create the profile with PPPC Utility available on GitHub. https://github.com/jamf/PPPC-Utility
• Open the PPPC Utility
• Drag the NWEA Secure Testing Browser.app into the left column
• Under Apple Events: click on the plus and click on System Events
• Click Save
• Add meaningful info for Organization, Payload Name, and Payload Description and click save again
• Select a save location and click Save
Upload the PPPC generated .mobileconfig file to Jamf
• Sign in to Jamf
• Click on Computers -> Configuration Profiles
• Click on the upload button
• Click Choose File
• Select STBPrivacySetting.mobileconfig and click choose
• Click upload
• Change the name to match your naming convention and add a description
• Select a relevant category
• Click on Scope and select the target computers, then click Save
Create the Profile Manually
• Login to Jamf -> Computers -> Configuration Profiles -> New
• Give it a name
• Scroll down to Privacy Preferences Policy Control -> Click Configure.
We are prompted to enter an Identifier and a Code Requirement.
• The Identifier is:
org.nwea.secure-testing-browser
• The Code requirement is:
identifier "org.nwea.secure-testing-browser" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = SRTXZJ7SQ3
• To find this information manually open Terminal and type
“codesign -dr - {location to NWEASecureTestingBrowser.app}”
and hit enter. In the example below the Identifier is highlighted in yellow and the code requirement is underlined in gray
• Click the add button
• From the drop down select Apple Events
Receiver Identifier;
com.apple.systemevents
Receiver Code Requirement;
identifier "com.apple.systemevents" and anchor apple
• Click Save
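The manual procedure in the post above, as an added example that is not part of the original post or NWEA's document: it extracts the identifier and code requirement from `codesign -dr -` output and builds the matching Apple Events PPPC profile. The sample output line is constructed from the requirement string given above; the organization name and `example.pppc.*` payload identifiers are placeholder assumptions.

```python
import plistlib
import re
import uuid

# Constructed sample of the line printed by `codesign -dr -`, built from the
# requirement string in the post (not captured from a real machine).
SAMPLE = (
    'designated => identifier "org.nwea.secure-testing-browser" and anchor apple generic '
    'and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ '
    'and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ '
    'and certificate leaf[subject.OU] = SRTXZJ7SQ3'
)

def parse_designated(output):
    """Return (identifier, code_requirement) from `codesign -dr -` output."""
    for line in output.splitlines():
        # Some codesign versions prefix the line with "# "; accept both forms.
        m = re.match(r'\s*(?:#\s*)?designated => (.+)$', line)
        if m:
            req = m.group(1).strip()
            ident = re.search(r'identifier "([^"]+)"', req)
            if not ident:
                raise ValueError("requirement has no identifier clause")
            return ident.group(1), req
    raise ValueError("no designated requirement (app unsigned or signature invalid?)")

def _meta(ptype, name, org):
    # Common payload keys; identifiers here are placeholders (assumption).
    return {"PayloadType": ptype, "PayloadVersion": 1, "PayloadDisplayName": name,
            "PayloadIdentifier": f"example.pppc.{uuid.uuid4()}",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadOrganization": org}

def build_pppc_profile(identifier, requirement, org="Example School District"):
    """Build a profile letting `identifier` send Apple Events to System Events."""
    rule = {
        "Identifier": identifier,
        "IdentifierType": "bundleID",
        "CodeRequirement": requirement,
        "Allowed": True,
        "AEReceiverIdentifier": "com.apple.systemevents",
        "AEReceiverIdentifierType": "bundleID",
        "AEReceiverCodeRequirement": 'identifier "com.apple.systemevents" and anchor apple',
    }
    tcc = dict(_meta("com.apple.TCC.configuration-profile-policy", "STB Apple Events", org),
               Services={"AppleEvents": [rule]})
    profile = dict(_meta("Configuration", "STBPrivacySetting", org),
                   PayloadScope="System", PayloadContent=[tcc])
    return plistlib.dumps(profile)

if __name__ == "__main__":
    ident, req = parse_designated(SAMPLE)
    print(build_pppc_profile(ident, req).decode())
```

An app without a valid signature produces no `designated =>` line, so `parse_designated` raises instead of emitting a profile with an empty code requirement.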
Posted on 09-12-2019 07:03 AM
This is the process I used and I am having trouble getting the profile to install. I tried to automatically install and it never took, even after a restart and multiple update inventories. So I switched it to deploy via self service. When I went to install via self service I get an error where the install button is that clears out and says "Install" again after a few seconds. I check the notifications and all it says is Item Failed.
I deleted the configuration profile and tried adding it again using both methods you gave above to no avail.
Has anyone else run into this and/or have any suggestions?
Thanks!
Peter
Posted on 09-13-2019 07:56 AM
@sternen
I did not have any issues. Are you able to issue out other new configuration profiles, or is this the only one giving you an issue?
I made sure to grab the newest version of PPPC Utility and am also on version 10.14.1 of Jamf Pro.
For a test, I would suggest deleting the one in place and making sure we have a fresh configuration profile in place. It may also be a good idea to test out another configuration profile to see if a new one can be issued as well.
I know I have for sure run into the issue where I forgot to hit the accept button after a fresh enrollment a time or two. These are just ideas :)
Posted on 09-13-2019 09:26 AM
@sternen It might also be a good idea just to confirm that the MDM profile on the computer you're testing with is in the User Approved state, otherwise PPPC won't come down. (Maybe a management action caused it to become unapproved, if it already had been - worth checking to make sure!)
Also, if there's a failure in deploying the profile, that should show up in the logs. Go to the device's inventory record > Management tab, and you should see some failed MDM commands if the profile is bombing out. Posting the error message may help us troubleshoot with you.
Posted on 10-06-2019 05:42 AM
Thank you for sharing this valuable information. I was following the article and found some computers with the mentioned bug, scoped them and ran a script to fix it. I thought something like this would do the job: "chmod 755 /Library/Application Support/com.apple.TCC".
Apparently I don't have permissions: "Unable to change file mode on /Library/Application Support/com.apple.TCC: Operation not permitted:" was the result
After some research, I found that Apple SIP (System Integrity Protection) has the folder mentioned above restricted and permissions cannot be changed unless SIP is disabled, which requires entering recovery mode.
So, I'm wondering how you guys are handling this part of the equation in a bulk way.
Thank you for your time,