Jamf Nation Community

cako1955 · ‎02-21-2023

Hey all. I'm still fairly new to all this. I've been trying this for a couple of days now, and I cannot seem to get the proper permissions for AdminByRequest to work. Per this article, I need to allow SystemFilesAllAccess for ABR. I've been using PPPC Utility to created the profile, and I have tried a few different combinations of settings, but none of them have worked. I know it will not show in the Security settings on the Mac, but in profiles, my PPPC is there, and it still not working. I've uninstalled and reinstalled the app with the profile applied, still nothing.

Has anyone had any experience like this, whether with ABR specifically, or another app, that could give me some pointers?

This has all been on a singular test computer on Monterey, and I need to try to deploy this PPPC to about 80 or so machines, so the manual route is not really an option.

Thanks,
C

cako1955 · ‎02-24-2023

So I also had a support ticket in with AdminByRequest. They provided me with the following, which wound up working. I hope this can help someone in the future.

View solution in original post

cako1955 · ‎02-21-2023

Woops. Forgot to paste the article.

https://www.adminbyrequest.com/docs/Mac-Client

I'm just not sure what I'm doing wrong.

aparten · ‎02-21-2023

Can you show how you have the current PPPC profile setup? We use ABR on our PCs and have kinda been on hold for using it on Macs since it hasn't exactly offered the best experience ever, but I'm slightly familiar with it lol

cako1955 · ‎02-21-2023

Here is my most recent attempt. They started out as basic as just the identifier, the code req, and allowing full disk access, and gradually grew to this. I've been doing a ton of googling, and trying anything I have seen.

aparten · ‎02-21-2023

Well when I install it manually and grant All Files access, the location of the file that needs the priv is

/Library/adminbyrequest/adminbyrequest

so you may need to point to that instead? Or you may try using the bundle id rather than the path (not sure if you tried either of those already or not, but worth a shot).

I know it requires All Files, but I'm not really sure about the other 2 unfortunately.

sudoErase · ‎02-21-2023

Apologies if I read this wrong.

Allowing All Files access does not 'enable' (checkmark) File access.

It "allows" standard users to able to click checkmarks to enable.

To give more context:
Previously, PPPC Utility used to "enable" apps without standard users having to checkmark it themselves. Apple changed the privacy policy which basically felt that Admin should not be "enabling" without standard users' choice. So the PPPC Utility changed to "Allow" rather than "Enable"

How does this work?
Standard users does not have Admin access so they cannot unlock the Lock (See: Security Privacy Bottom left )

PPPC allows standard users to checkmark "Allow" (Screen recording, File disk access).

This means users will still need to manually click any permissions.

cako1955 · ‎02-21-2023

I see. I will have to check that out tomorrow. I hadn't gone into the settings under our test user account to look at that yet.

cako1955 · ‎02-22-2023

Well, I didn't want to accept that as the way things are, but if that's the case, then so be it. I read something about Apple changing things, but I didn't know it affected this, too.

However, when I log in with a standard user, I am still unable to check the box for adminbyrequest under full disk access. Is there something else I am missing? Our standard Mac users are unable to use the Lock in the bottom left corner, due to not having admin access.

cdev · ‎02-22-2023

This is incorrect. When a profile is deployed with the AllowAllFiles payload, it does not cause the checkbox to be checked, but it is properly enforced/allowed without checking the box. Some payloads, e.g. ScreenRecording have a setting for "Allow Standard Users to Allow Access" which requires the user to approve/deny the access.

sudoErase · ‎02-22-2023

Please try the following:

Go to PPPC Utility
Add the adminbyrequest app
Click Full Disk Access to "Allow"
Press Save and fill in the information needed
Upload the mobileconfig file to Configuration Profile in Jamf Pro
Make sure to scope to your test computer
Restart your test computer
Check the Profile in the test machine to make sure the Configuration Profile has been installed.
Go to Security & Privacy and you should be able to enable it.

Note: Below is an example as I don't use adminbyrequest.

cako1955 · ‎02-22-2023

Yup, just did all of this step by step. Upon rebooting, confirmed that the profile was there. I then tried to run an installer by dragging it onto adminbyrequest, and I still received a pop-up saying that it does not have full disk access.

cako1955 · ‎02-24-2023

So I also had a support ticket in with AdminByRequest. They provided me with the following, which wound up working. I hope this can help someone in the future.

Ashneel · ‎05-05-2023

Could you kindly share your config profile? That will be very helpful.

Jamf Nation Community

PPPC Not Enabling SystemFilesAllAccess for AdminByRequest