PPPC Not Enabling SystemFilesAllAccess for AdminByRequest

cako1955
New Contributor II

Hey all. I'm still fairly new to all this. I've been trying this for a couple of days now, and I cannot seem to get the proper permissions for AdminByRequest to work. Per this article, I need to allow SystemFilesAllAccess for ABR. I've been using PPPC Utility to create the profile, and I have tried a few different combinations of settings, but none of them have worked. I know it will not show in the Security settings on the Mac, but in profiles, my PPPC is there, and it is still not working. I've uninstalled and reinstalled the app with the profile applied, still nothing.

Has anyone had any experience like this, whether with ABR specifically, or another app, that could give me some pointers? 

This has all been on a singular test computer on Monterey, and I need to try to deploy this PPPC to about 80 or so machines, so the manual route is not really an option.

 

Thanks,
C

1 ACCEPTED SOLUTION

cako1955
New Contributor II

So I also had a support ticket in with AdminByRequest. They provided me with the following, which wound up working. I hope this can help someone in the future.

cako1955_0-1677244466143.png

 


12 REPLIES

cako1955
New Contributor II

Woops. Forgot to paste the article. 

https://www.adminbyrequest.com/docs/Mac-Client

I'm just not sure what I'm doing wrong. 

aparten
New Contributor III

Can you show how you have the current PPPC profile setup? We use ABR on our PCs and have kinda been on hold for using it on Macs since it hasn't exactly offered the best experience ever, but I'm slightly familiar with it lol

cako1955
New Contributor II

cako1955_0-1677015722381.png

Here is my most recent attempt. They started out as basic as just the identifier, the code req, and allowing full disk access, and gradually grew to this. I've been doing a ton of googling, and trying anything I have seen.

aparten
New Contributor III

Well when I install it manually and grant All Files access, the location of the file that needs the priv is

/Library/adminbyrequest/adminbyrequest

so you may need to point to that instead? Or you may try using the bundle id rather than the path (not sure if you tried either of those already or not, but worth a shot).

I know it requires All Files, but I'm not really sure about the other 2 unfortunately. 

sudoErase
New Contributor III

Apologies if I read this wrong. 

Allowing All Files access does not 'enable' (checkmark) File access. 

It "allows" standard users to be able to click checkmarks to enable.

To give more context:
Previously, PPPC Utility used to "enable" apps without standard users having to checkmark it themselves. Apple changed the privacy policy which basically felt that Admin should not be "enabling" without standard users' choice. So the PPPC Utility changed to "Allow" rather than "Enable" 

How does this work?
Standard users do not have Admin access, so they cannot unlock the Lock (see: Security & Privacy, bottom left).

PPPC allows standard users to checkmark "Allow" (Screen recording, File disk access). 

This means users will still need to manually click any permissions.

cako1955
New Contributor II

I see. I will have to check that out tomorrow. I hadn't gone into the settings under our test user account to look at that yet. 

cako1955
New Contributor II

Well, I didn't want to accept that as the way things are, but if that's the case, then so be it. I read something about Apple changing things, but I didn't know it affected this, too. 

However, when I log in with a standard user, I am still unable to check the box for adminbyrequest under full disk access. Is there something else I am missing? Our standard Mac users are unable to use the Lock in the bottom left corner, due to not having admin access.

cdev
Contributor III

This is incorrect. When a profile is deployed with the AllowAllFiles payload, it does not cause the checkbox to be checked, but it is properly enforced/allowed without checking the box. Some payloads, e.g. ScreenRecording have a setting for "Allow Standard Users to Allow Access" which requires the user to approve/deny the access.
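A way to check an exported .mobileconfig for the two issues raised in the posts above (path versus bundle ID, and which authorization values a service accepts), as an added example that is not from the thread or from AdminByRequest. The sample profile is constructed: the path is the one aparten quotes, the code requirement is a placeholder, and the keys are those of Apple's Privacy Preferences Policy Control payload, where Full Disk Access is the `SystemPolicyAllFiles` service.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
PROMPTABLE = {"ScreenCapture", "ListenEvent"}  # only these accept the standard-user option

# Constructed sample profile with two deliberate mistakes.
# The CodeRequirement is a placeholder, not the vendor's real requirement.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>Services</key><dict>
    <key>SystemPolicyAllFiles</key><array><dict>
      <key>Identifier</key><string>/Library/adminbyrequest/adminbyrequest</string>
      <key>IdentifierType</key><string>bundleID</string>
      <key>CodeRequirement</key><string>PLACEHOLDER_CODE_REQUIREMENT</string>
      <key>Authorization</key><string>AllowStandardUserToSetSystemService</string>
    </dict></array>
  </dict></dict></array>
</dict></plist>"""

def audit_tcc(profile_bytes):
    """Return (service, identifier, problem) tuples for each PPPC entry that looks wrong."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                ident = e.get("Identifier", "")
                # A binary outside an app bundle is identified by absolute path.
                expected = "path" if ident.startswith("/") else "bundleID"
                if e.get("IdentifierType") != expected:
                    findings.append((service, ident, f"IdentifierType should be {expected}"))
                if not e.get("CodeRequirement"):
                    findings.append((service, ident, "missing CodeRequirement"))
                auth = e.get("Authorization")
                if auth is None and "Allowed" not in e:
                    findings.append((service, ident, "no Authorization or Allowed key"))
                if auth == "AllowStandardUserToSetSystemService" and service not in PROMPTABLE:
                    findings.append((service, ident, "Authorization must be Allow or Deny"))
    return findings

if __name__ == "__main__":
    for finding in audit_tcc(SAMPLE):
        print(finding)
```

The code requirement for a real profile comes from running `codesign -dr - <path>` against the installed binary on a test Mac.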

sudoErase
New Contributor III

Please try the following:

  1. Go to PPPC Utility 
  2. Add the adminbyrequest app 
  3. Click Full Disk Access to "Allow"
  4. Press Save and fill in the information needed
  5. Upload the mobileconfig file to Configuration Profile in Jamf Pro
  6. Make sure to scope to your test computer
  7. Restart your test computer
  8. Check the Profile in the test machine to make sure the Configuration Profile has been installed.
  9. Go to Security & Privacy and you should be able to enable it.  

Note: Below is an example as I don't use adminbyrequest.

sudoErase_0-1677078851777.png

 

cako1955
New Contributor II

Yup, just did all of this step by step. Upon rebooting, confirmed that the profile was there. I then tried to run an installer by dragging it onto adminbyrequest, and I still received a pop-up saying that it does not have full disk access. 

cako1955_0-1677081474311.png

 


Ashneel
New Contributor II

Could you kindly share your config profile? That will be very helpful.