nxlog deployment security settings

VintageMacGuy
Contributor II

We are rolling out NXLog to our Macs. I have the installer working, but don't have any security info to configure things like PPPC or System Extensions. I was able to manually tick the box for Full Disk Access, but I am still getting an error message saying that im_maces|in NXLog requires Transparency, Consent, and Control (TCC) approval to connect to Endpoint Security.

If I can find the Bundle ID and Identifier, I should be able to roll that info into a PPPC configuration profile which will flip the switch to turn on the Full Disk Access during install, so I don't have to manually do that.

Then to clear the error message I am getting above, I likely need a Team Identifier and/or System Extension type for the System Extensions portion of the Configuration Profile in JAMF.

I have checked their website and don't seem to find anything there in the documentation or message boards about any identifier. Is there a way to find this info out by looking on a system that has the software installed?

15 REPLIES

sdagley
Esteemed Contributor II

@VintageMacGuy The Apparency app (https://mothersruin.com/software/Apparency/) should show you the bundle identifier and signing ID for NXLog

I grabbed a copy of Apparency and installed it. I used the drag and drop method to take the binary of nxlog from /opt/nxlog/bin/ and try to get Apparency to open it up, but got an error message that says this doesn't appear to be a valid MacOS bundle. It says the extension suggests that it is a bundle, but the contents don't appear to be valid and that the info.plist may be damaged.

Thanks for the pointer to this utility - may come in handy.

sdagley
Esteemed Contributor II

@VintageMacGuy Interesting they're installing a bundle from there as most companies using System Extensions appear to be moving to bundles inside applications installed in /Applications (and I believe that's either an Apple recommendation or soon to be requirement)

Yeah - it's more of a script.

https://nxlog.co/

sdagley
Esteemed Contributor II

@VintageMacGuy If you do a Show Package Contents on the nxlog binary in the Finder does it show any contents?

Yes. The contents of nxlog include:

_CodeSignature/CodeResources
Embedded.provisionfile
MacOS/nxlog

sdagley
Esteemed Contributor II

Dropping the MacOS/nxlog file onto Apparency _might_ give you the signing ID/Team Identifier, but I'm not sure about the extension type

Thank you! I was able to find the Team Identifier - 6KBH6TBU4P

Waiting for feedback from the developer on the rest.

sdagley
Esteemed Contributor II

@VintageMacGuy If you're trying to allow nxlog as a System Extension you _should_ be able to simply create a System Extension payload with the System Extension Types popup set to Allowed Team Identifiers and with the Team Identifier field set to 6KBH6TBU4P

Thank you! I am going to give that a try later this afternoon and report back.


@sdagley wrote:

@VintageMacGuy The Apparency app (https://mothersruin.com/software/Apparency/) should show you the bundle identifier and signing ID for NXLog


Thank you. I found it.

rubberchicken
New Contributor

.

VintageMacGuy
Contributor II

Thank you for the help so far. I was able to get some information with the utilities mentioned above and put together a configuration profile and added that to JAMF, but I am still getting errors in the log.

[Image: nxlog pppc.png]

[Image: nxlog system extension.png]

2022-08-17 08:37:05 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 2 sec
2022-08-17 08:37:07 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
2022-08-17 08:37:11 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041;Network is unreachable
2022-08-17 08:37:11 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 4 sec
2022-08-17 08:37:14 WARNING [CORE|main] nxlog received a termination request signal, exiting...
2022-08-17 08:38:12 ERROR [im_maces|in] NXLog requires Transparency, Consent, and Control (TCC) approval to connect to Endpoint Security
2022-08-17 08:38:12 WARNING [CORE|main] no functional input modules!
2022-08-17 08:38:12 INFO [CORE|main] nxlog-5.5.7535-trial (1b5eab762@REL_v5.5) started on macOS
2022-08-17 08:38:12 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
2022-08-17 08:38:17 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041;Network is unreachable
2022-08-17 08:38:17 INFO [xm_admin|agent_management] reconnecting to 192.168.1.1:4041 in 1 sec
2022-08-17 08:38:18 INFO [xm_admin|agent_management] connecting to 192.168.1.1:4041
2022-08-17 08:38:23 ERROR [xm_admin|agent_management] couldn't connect to 192.168.1.1:4041;Network is unreachable

I am working with nxlog to troubleshoot, but they don't have a JAMF platform to test on. They said they are reaching out to JAMF to see about getting a sandbox so we can test this, but have not seen a reply yet from JAMF.

What does the TCC approval error relate to? Is there a misconfiguration in my PPPC or System Extension configuration profile?

I was able to get the PPPC settings to work by updating the "Identifier" to:
/opt/nxlog/bin/nxlog.app/Contents/MacOS/nxlog

Which is inside the app bundle. This is also the same file that needs to be dragged and dropped into the PPPC Utility to get the proper settings/info. The "Open" dialog box won't work because it points to the Applications folder and will only select the App bundle and not go inside the app (unless someone knows a cool trick to get inside the app from inside a dialog box asking you to select an item).

sdagley
Esteemed Contributor II

@VintageMacGuy In the Open File dialog do a Shift-Command-G (the same as the Finder's Go to Folder... command) and you can then type, or paste, the path of any file you want to open even if it's something inside an application bundle.
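
For the original question of reading these values from a machine that already has the agent installed, the command-line `codesign` tool reports the same signing fields as the GUI utilities mentioned in the thread. The script below is an added example, not part of any post above and not NXLog's or Jamf's own tooling; the path and Team Identifier are the ones given in the thread, while the sample output and its `com.example.placeholder` identifier are constructed and simplified.

```shell
#!/bin/sh
# Added example: extract the values a PPPC / System Extension profile needs
# from `codesign` output. The parsers read stdin so they can be checked offline.

# Path reported in the thread; adjust if the agent is installed elsewhere.
NXLOG_BIN="/opt/nxlog/bin/nxlog.app/Contents/MacOS/nxlog"

# Value of a `Key=value` line from `codesign -dv` output (first match only).
cs_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Code requirement: the text after "designated => " in `codesign -d -r-` output.
cs_requirement() {
    sed -n 's/^designated => //p' | head -n 1
}

# Constructed, simplified sample. The identifier is a placeholder, not NXLog's
# real signing identifier; the Team Identifier is the one found in the thread.
sample_codesign_output() {
    cat <<'EOF'
Executable=/opt/nxlog/bin/nxlog.app/Contents/MacOS/nxlog
Identifier=com.example.placeholder
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=6KBH6TBU4P
designated => identifier "com.example.placeholder" and anchor apple generic and certificate leaf[subject.OU] = "6KBH6TBU4P"
EOF
}

# Print the three fields that go into the configuration profile payloads.
report() {
    out=$(cat)
    printf 'Identifier:       %s\n' "$(printf '%s\n' "$out" | cs_field Identifier)"
    printf 'Team Identifier:  %s\n' "$(printf '%s\n' "$out" | cs_field TeamIdentifier)"
    printf 'Code Requirement: %s\n' "$(printf '%s\n' "$out" | cs_requirement)"
}

if command -v codesign >/dev/null 2>&1 && [ -e "$NXLOG_BIN" ]; then
    # -dv writes signing details to stderr; -r- writes the requirement to stdout.
    { codesign -dv "$NXLOG_BIN" 2>&1; codesign -d -r- "$NXLOG_BIN" 2>/dev/null; } | report
else
    # No codesign or no agent on this machine: show the parsing on the sample.
    sample_codesign_output | report
fi
```

The Code Requirement line is what the PPPC payload pins the Full Disk Access grant to, and the Team Identifier is the value for the System Extension payload's Allowed Team Identifiers field.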