Outset and PPPC

CCNapier
Contributor

Hey folks,

I'm having real problems getting PPPC to work with outset.
I've followed guides here: https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/

Everything seems good/signed on my outset script, and I've managed to package it up and deploy it still signed. Various commands on terminal verify this.

It seems to be the Configuration Profile that I can't get to work correctly.

  • I used the PPPC Utility to make sure I was creating the settings correctly.
  • I allowed FINDER
  • I allowed SYSTEM EVENTS

Still I am prompted - am I missing something?


emily
Valued Contributor III

I haven't seen outset throw up any prompts yet. What do you have outset doing (if you can share more details)?

CCNapier
Contributor

Just runs bash scripts at login time to mount SMB shares. Sent down that route after JAMF support said login hooks from JAMF Pro were flaky and not fully supported anymore.

Been running like this for a while but recently upgraded to Mojave so have PPPC to deal with now.

joelsenders
New Contributor III

It would be helpful to post exactly what you have Outset doing. We need more details than "just runs bash scripts".

emily
Valued Contributor III

I'd recommend checking TCC logging to see what is actually causing the prompts. While outset is what is running, the bash script is mounting an SMB which is probably why it's looking like it's trying to access Finder.

This post might help you get what you're looking for:
https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/

CCNapier
Contributor

@emily thanks, that gives me a better understanding, although I haven't tried it yet.

It sounds like although Outset is the parent process, it's something else in the bash script itself that is causing the prompt and it only looks/presents like it is Outset?

I'll see what I can find next week. Thanks again.

joelsenders
New Contributor III

@CCNapier Yes this is why we need to see the script. Although Outset is being flagged, it's actually something Outset is performing in the login script.

Eigger
Contributor III

I too had this problem before and I fixed it by following the steps here > https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/
You are going to need an Apple Code Signing certificate. We are a K12 institution, so we get a free Apple Dev account to get this kind of cert.
Give it a try and let us know if it worked for you. EDIT: LOL! Didn't read the whole post, I see you tried it already, but I did have the same problem, but for me, on my first try, I didn't verify if it did really successfully sign. I tried it again and verified the signature and it worked.

CCNapier
Contributor

Thanks for the responses. Went on vacation right after this so only just back to test this.

@emily I'm really having trouble interpreting the TCC logging. I am running the outset login command from terminal as a test, so now terminal is requesting via the dialog box. I've therefore been trying to get PPPC working for terminal, and I'll transfer it to Outset. Hopefully.

Does any of the following make sense?

2019-10-25 11:28:19.111084+0100 0x6e4c     Info        0xffdf               334    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2323], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[3465], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[1700], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2019-10-25 11:28:19.120926+0100 0x6e4c     Info        0x0                  334    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2323], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[3465], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[89], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-10-25 11:28:19.121620+0100 0x6e4c     Info        0x0                  334    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2323], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[3465], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[89], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-10-25 11:28:19.151793+0100 0x6e58     Info        0x1026a              1862   0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.finder, PID[1874], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'}, REQ:{ID: com.apple.finder, PID[1874], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder'}
2019-10-25 11:28:19.203094+0100 0x6df6     Info        0x109d0              334    0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.UserNotificationCenter, PID[3467], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter'}, REQ:{ID: com.apple.WindowServer, PID[1700], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2019-10-25 11:28:19.223775+0100 0x6df6     Info        0x0                  334    0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.UserNotificationCenter, PID[3467], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter'}, REQ:{ID: com.apple.appleeventsd, PID[89], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-10-25 11:28:19.224156+0100 0x6df6     Info        0x0                  334    0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.UserNotificationCenter, PID[3467], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter'}, REQ:{ID: com.apple.appleeventsd, PID[89], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

1) Looking at the first three RESP entries, it looks like the responsible application (Terminal) is accessing OsaScript and requesting WindowServer and appleeventsd.
2) I therefore created a PPPC (See image) for osascript to allow both WindowServer and appleeventsd, but the prompt still appears.


Am I misunderstanding what needs to be created in the PPPC?

@joelsenders The script calls a script that might call a script! The initial script is as below. Does this throw any hints at all? I appreciate if you have the time to inspect.

#!/bin/bash

# Setup redirect and descriptors: save stdout/stderr, restore them on exit,
# and send everything to a per-user log file in the meantime.
exec 3>&1 4>&2
trap 'exec 2>&4 1>&3' 0 1 2 3
exec 1>~/Library/Logs/login_primer.log 2>&1

# Version
ver="1.1"

#mountscript="/Volumes/Logon/mac_logon_171113.sh"
logonscript="/Volumes/Logon/mac_logon.sh"

# Create a log writing function
writelog()
{
    echo "$(date +"%b %d %Y %T") - ${1}"
}

writelog "V${ver} Process Started on ${HOSTNAME}"

# Get username
username=$(id -u -n)
writelog "User is: ${username}"

# This should only run for network users.
checkUser=$(dscl . list /Users | awk '{print $1}' | grep -Ex "${username}")
checkRes=$?
if [ $checkRes -eq 0 ] ; then
    writelog "User was found in local user area - will not attempt to mount network share."
    writelog "Quitting Process."
    exit
else
    writelog "User is not local."
fi

# Check that Finder is running before attempting to continue.
# This will loop up to 10 times (with a 2 sec sleep, so 20 sec total) to check.
# We should still continue anyway, as Finder MAY start after that.
i=0

while [ $i -lt 10 ]
do

    # Check if Finder is running
    if pgrep "Finder" > /dev/null
    then
        writelog "Finder is running"
        break
    else
        writelog "Finder NOT running yet"
    fi

    sleep 2

    i=$((i+1))
done

# We really need Finder running at this point to use the osascript.
# Make sure the above loop is set to long enough to ensure Finder is running.

# Check if already mounted
writelog "Checking for existing mount..."
fullPath="//${username}@domain.com/SYSVOL/domain.com/scripts/Logon"
isMounted=$(df | awk '{print $1}' | grep -Ex "${fullPath}")
mountRes=$?

if [ $mountRes -eq 0 ] ; then
    writelog " - ($mountRes) Network share already mounted for ${username}"
    #exit 0
    # We want to continue so that we can mount Favourites Sidebar if needed.
else
    # Mount SYSVOL. The "tell application Finder" sends an AppleEvent to Finder,
    # which is the access TCC gates (and prompts for) here.
    writelog "Attempting to mount Logon Share..."
    mount_script=$(/usr/bin/osascript << EOT
        tell application "Finder"
        mount volume "smb://domain.com/SYSVOL/domain.com/scripts/Logon"
        end tell
EOT
)

    # Check if result success. (Was "return", which is invalid outside a function
    # and would have let the script carry on after a failed mount.)
    if [[ $? != 0 ]]; then
        writelog "Failed to mount Logon Share - quitting with no mounting."
        exit 1
    fi
    writelog "Mount success."
fi

# Check if logon script exists
if [ ! -f "${logonscript}" ]; then
    writelog "Could not find required login script."
    exit
fi
writelog "Login script found."

# Execute script
writelog "Executing script..."
bash "${logonscript}"
writelog "Script done."

# macOS sleep takes a plain number of seconds (no "s" suffix)
sleep 5
writelog "Unmounting Logon..."
diskutil unmount /Volumes/Logon
writelog "Result was $?"

# End
writelog "Complete."

talkingmoose
Honored Contributor II

@CCNapier, if you're planning to use Outset to deploy a PPPC profile, that won't work. It must very specifically come directly from your MDM server via push.

CCNapier
Contributor

@talkingmoose no, I'm trying to configure a PPPC profile to be pushed by JAMF Pro so that I stop being prompted by Outset.

Eigger
Contributor III

@CCNapier Try adding the following to your osascript PPPC, I believe you need Finder when mounting network shares.
I assume your script is in one of the outset folders. How did you package it? Did you use pkgbuild or Packager? Did you make sure you followed the blog post, and that you codesigned outset with a valid Apple dev certificate and preserved the attributes?

CCNapier
Contributor

@Eigger Outset is signed OK.

I applied the settings to an osascript PPPC:

As an experiment I'm attempting to run a simple set of commands from Terminal.

sudo tccutil reset All
osascript -e 'tell app "System Events" to display dialog "Hello World"'

Problem still shows:

Should your osascript PPPC settings now allow me to run it from terminal?

Eigger
Contributor III

@CCNapier Do you have PPPC for Terminal to allow "System Events" for your experiment?

CCNapier
Contributor

Hi @Eigger Yes I do have Terminal to allow "System Events" (tried using path and bundleID methods):


TCC says the following:

Filtering the log data using "subsystem == "com.apple.TCC" AND composedMessage BEGINSWITH "AttributionChain""
Timestamp                       Thread     Type        Activity             PID    TTL  
2019-11-04 10:02:33.136226+0000 0x1cfa36   Info        0x14899d             316    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[1128], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[48970], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[280], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2019-11-04 10:02:33.146951+0000 0x1cf9bd   Info        0x0                  316    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[1128], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[48970], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[89], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-11-04 10:02:33.147662+0000 0x1cf9bd   Info        0x0                  316    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[1128], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[48970], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[89], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-11-04 10:02:33.181324+0000 0x1cfa27   Info        0x149f50             841    0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.systemevents, PID[48936], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}, REQ:{ID: com.apple.systemevents, PID[48936], auid: 2067712324, euid: 2067712324, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}

In fact, I have tried to completely replicate what's in https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/
I even tried using his exact code for creating the profile (albeit I had to modify some switches as they appear to be updated in the latest version he released) and it STILL prompted!!

./tccprofile.py --appleevents "/Applications/Utilities/Terminal.app,/System/Library/CoreServices/System Events.app" --allow --payload-description="Whitelist Terminal to allow AppleEvents sent from commands run in Terminal" --payload-identifier="com.github.carlashley" --payload-name="Terminal App AppleEvents Whitelist" --payload-org="My Great Company" --payload-version=1 -o Terminal_AppleEvents.mobileconfig

What the heck is going on??
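The AttributionChain lines quoted in the 25 Oct and 4 Nov posts above are easier to read once the RESP, ACC and REQ identifiers are pulled out of each line. The Python below is an added example, not code from this thread, from outset or from tccprofile.py; it assumes only the line shape shown above, and the sample log it embeds is a constructed, shortened copy of those posted lines. In them the responsible process is Terminal and osascript is only the accessing process, so an AppleEvents entry for osascript alone does not cover the process tccd is attributing the request to.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tccd AttributionChain lines quoted above
# (identifiers and PIDs as posted; some fields shortened to "..." for readability).
SAMPLE_LOG = """\
2019-11-04 10:02:33.136226+0000 0x1cfa36 Info 0x14899d 316 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[1128], auid: 2067712324, euid: 2067712324, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[48970], auid: 2067712324, euid: 2067712324, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[280], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2019-11-04 10:02:33.146951+0000 0x1cf9bd Info 0x0 316 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[1128], ...}, ACC:{ID: com.apple.osascript, PID[48970], ...}, REQ:{ID: com.apple.appleeventsd, PID[89], ...}
2019-11-04 10:02:33.181324+0000 0x1cfa27 Info 0x149f50 841 0 tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.systemevents, PID[48936], ...}, REQ:{ID: com.apple.systemevents, PID[48936], ...}
2019-11-04 10:02:34.000000+0000 0x1cfa40 Info 0x0 316 0 tccd: [com.apple.TCC:access] some other tccd message
"""

# One RESP/ACC/REQ entry: the role, its identifier and its PID.
ENTRY_RE = re.compile(r"\b(RESP|ACC|REQ):\{ID: ([^,}]+), PID\[(\d+)\]")

def parse_chain(line):
    """Map role -> (identifier, pid) for one AttributionChain line; None otherwise."""
    if "AttributionChain:" not in line:
        return None
    return {role: (ident, int(pid)) for role, ident, pid in ENTRY_RE.findall(line)}

def attributed_to(chain):
    """Identifier TCC attributes the access to: the RESP process when there is one,
    otherwise the accessing process itself (as in the System Events line)."""
    entry = chain.get("RESP") or chain.get("ACC") or ("", 0)
    return entry[0]

def summarize(log_text):
    """Count (responsible, accessing, checked-by) identifier triples across the log."""
    counts = Counter()
    for line in log_text.splitlines():
        chain = parse_chain(line)
        if not chain:
            continue
        acc = chain.get("ACC", ("", 0))[0]
        req = chain.get("REQ", ("", 0))[0]
        counts[(attributed_to(chain), acc, req)] += 1
    return counts

def report(log_text):
    """Human-readable lines, most frequent triple first."""
    return [f"{n}x responsible={r} accessing={a} checked-by={q}"
            for (r, a, q), n in summarize(log_text).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a live machine, feed it the output of the same "subsystem == com.apple.TCC" log show filter quoted in the post above instead of SAMPLE_LOG.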