PPPC - Trend Micro / Apex One Security Agent

erichughes
Contributor II

The recent agent update from Trend Micro requires full disk access. We have a Configuration Profile for accepting the kernel extension and that has worked great until now. The new update for Catalina compatibility requires a new item be given full disk access. Trying to use the PPPC-Utility, I cannot add the iCoreService to the Application list. Never used that utility so I'm probably missing something. We don't want to have to do this 5 step process on every client machine. Pointers are appreciated.

23 REPLIES

AppleAdminRedbo
New Contributor

Would like to know the same, any help would be appreciated.

erichughes
Contributor II

I created a ticket with Jamf support and they helped create the Configuration Profile for me to upload. I would share it here but am not certain it is universally applicable. They referenced this KB: https://www.jamf.com/jamf-nation/articles/553

mbuczkowski
New Contributor

I think it will be a universal one. Would you be so kind as to share it?

simon_brooke
New Contributor III

Hi Eric @erichughes

Would you please share the PPPC file created? This would be greatly appreciated.

Thanks Simon

allanp81
Valued Contributor

@simon.brooke @mbuczkowski This worked for me:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>PPPC Trend All Files</string>
            <key>PayloadDisplayName</key>
            <string>PPPC Trend All Files</string>
            <key>PayloadIdentifier</key>
            <string>45103537-FAD7-4736-AFCB-C8CBBB622723</string>
            <key>PayloadOrganization</key>
            <string>Your Org</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>6F7BC0ED-14A6-47AD-82E2-81EBA70BE428</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>SystemPolicySysAdminFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>identifier iCoreService and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>/Library/Application Support/TrendMicro/TmccMac/iCoreService</string>
                        <key>IdentifierType</key>
                        <string>path</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>PPPC Trend All Files</string>
    <key>PayloadDisplayName</key>
    <string>PPPC Trend All Files</string>
    <key>PayloadIdentifier</key>
    <string>45103537-FAD7-4736-AFCB-C8CBBB622723</string>
    <key>PayloadOrganization</key>
    <string>Your Org</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key>
    <string>B95E6425-5D73-4DAC-BD6E-04BE9E783D04</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>payloadScope</key>
    <string>system</string>
</dict>
</plist>

erichughes
Contributor II

This is what is in the payload for me.


lcater
New Contributor II

Hello, I'm referencing KB https://www.jamf.com/jamf-nation/articles/553. My policy seems to be the same as mentioned above, and when I send the PPPC, Trend no longer asks for full disk permission. When doing this, Trend will not connect to the parent server. If I remove the PPPC it will work for a few seconds then ask for full disk permission. Is there anything else I should be adding to this? I have tried reinstalling and installing multiple times. When I approve Disk Permissions manually it works. Any ideas would be greatly appreciated.

cbruce
New Contributor III

removed

jwojda
Valued Contributor II

According to the Trend KB it also needs Accessibility access.

I used the jamf PPPC utility with the chmod recommendations by @rrouleau in this thread, then enabled full disk access and accessibility access on the iCoreService file.

The profile shows up and the iCoreService is listed under full disk access but the checkbox is unchecked and nothing under accessibility. Is that normal?

nstefanelli56
New Contributor II

Attaching a screenshot of mine. I pulled the file path but didn't take out the slashes for the spaces originally. When I fixed that it worked!

jwojda
Valued Contributor II

I still can't seem to get it to run. With the PPPC in place Apex One starts to load but eventually crashes with an unexpected error. w/o it I need to manually enable the full disk access.

erichughes
Contributor II

I created a support ticket with Jamf and they helped me create the PPPC, because there was something I was missing. How are you installing Apex One? We are using a Policy with an install script payload. The PPPC Profile is already on the computer by the time the install happens.

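#!/bin/bash

#Work in a fresh private directory rather than a fixed path under /tmp
workdir=$(mktemp -d /tmp/tmsminstall.XXXXXX) || exit 1
cd "$workdir" || exit 1

#Download the Trend installer
#--fail stops on HTTP errors; without -k curl verifies the server certificate
curl --fail -O "https://<yourserver>.manage.trendmicro.com/officescan/console/html/TMSM_HTML/ActiveUpdate/ClientInstall/tmsminstall.zip" || exit 1

#Unzip the installer
unzip -q tmsminstall.zip || exit 1

#Install the Trend Software
installer -pkg "$workdir/tmsminstall/tmsminstall.pkg" -target /
status=$?

#Clean up the folder
cd /
rm -rf "$workdir"

#Report the installer's result to the policy
exit "$status"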

jwojda
Valued Contributor II

@erichughes can you share your PPPC?

erichughes
Contributor II

I also have a separate Configuration Profile that allows the kernel extension. That was in place before the PPPC was required. I have also attached an image of the pertinent part of that. It may not be required any longer but it is still in place on my workstations.

jwojda
Valued Contributor II

@erichughes do you need both for Catalina?
I tried just the Kernel extension and the system is saying I need to allow it under security system preference pane.

erichughes
Contributor II

I'm not certain, it is part of my base enrollment push, most of our machines are Mojave, but the handful on Catalina still have it installed. It is part of a Profile that has multiple kernel extensions in it (next time I would have a Profile for each). Have not tested without the kernel extension in place. We are using Trend Micro / Apex One cloud protection. Transitioned from an onsite server earlier this year and didn't have to do anything with clients until the agent update that brought the need for the PPPC. I also want to say that even though the Profile was in place it still required a restart of the computer to recognize it.

jhalvorson
Valued Contributor

I originally had a configuration profile with the PPPC that covered Trend Micro. It was scoped to Mojave and worked great.
When Catalina was released, I added all Catalina to the scope, but for some reason those devices never got the CP or it wasn't honoring the Accessibility service. It's possible that I also added the Accessibility service mid-way through the life of that profile.

I created a fresh new configuration profile with the PPPC that covers Trend Micro, with exactly the same settings and scoped it to Catalina and it works for Catalina devices.

It's not ideal that I have two profiles but each works for their respective OS versions. (On-prem, Apex One (Mac) Security agent 3.5.x)

IDENTIFIER
/Library/Application Support/TrendMicro/TmccMac/iCoreService

IDENTIFIER PATH
path

CODE REQUIREMENT
identifier iCoreService and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = E8P47U2H32

Validate the Static Code Requirement is not selected

APP OR SERVICE
SystemPolicyAllFiles   Allow
Accessibility          Allow
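
A way to check a PPPC profile against the points raised in this thread before uploading it (an unescaped absolute path, a code requirement, and both Full Disk Access and Accessibility allowed for the same binary). This is an added example, not code from any poster or from Jamf or Trend Micro; `lint_pppc` and `build_profile` are hypothetical names, and the sample profiles are constructed from the values quoted above.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Services the thread reports the agent needing (full disk access and Accessibility).
WANTED = {"SystemPolicyAllFiles", "Accessibility"}
# Path and code requirement exactly as quoted in the thread.
PATH = "/Library/Application Support/TrendMicro/TmccMac/iCoreService"
REQ = ("identifier iCoreService and anchor apple generic and "
       "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
       "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
       "certificate leaf[subject.OU] = E8P47U2H32")

def lint_pppc(profile_bytes, wanted=WANTED):
    """Return a list of problems found in a PPPC configuration profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == TCC_TYPE]
    if not payloads:
        return [f"no {TCC_TYPE} payload"]
    problems, granted = [], {}
    for payload in payloads:
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                ident, kind = e.get("Identifier", ""), e.get("IdentifierType")
                if kind not in ("path", "bundleID"):
                    problems.append(f"{service}: IdentifierType {kind!r} is not path or bundleID")
                # Shell-style "\ " escapes copied from a terminal do not belong in the profile.
                if kind == "path" and (not ident.startswith("/") or "\\" in ident):
                    problems.append(f"{service}: path {ident!r} must be absolute with no shell escapes")
                if not e.get("CodeRequirement", "").strip():
                    problems.append(f"{service}: empty CodeRequirement for {ident!r}")
                if e.get("Allowed") is True:
                    granted.setdefault(ident, set()).add(service)
    for ident, services in granted.items():
        for missing in sorted(wanted - services):
            problems.append(f"{ident!r} is not allowed {missing}")
    return problems

def build_profile(path, services):
    """Constructed sample profile containing one TCC payload."""
    entry = {"Allowed": True, "Identifier": path, "IdentifierType": "path",
             "CodeRequirement": REQ}
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {s: [dict(entry)] for s in services}}]})

if __name__ == "__main__":
    # Constructed bad input: escaped spaces and only SystemPolicySysAdminFiles granted.
    bad = build_profile(PATH.replace(" ", "\\ "), ["SystemPolicySysAdminFiles"])
    for problem in lint_pppc(bad):
        print(problem)
```
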

swhps
Contributor III

Does anyone have a script to restart Trend? We updated our PPPC but Trend won't follow it until it's restarted.

Also, does anyone have some Trend EAs to share? I have one for version number but can't come up with a "last check in" type stat.

erichughes
Contributor II

If you are using the script I posted here, check your server name for the URL. Otherwise your clients will be attached to someone else's server.

achristoforatos
Contributor II

Thanks for all your help everyone. Got it working with the help of PPPC.

allanp81
Valued Contributor

Be aware that if you move to the Trend cloud based agent, this appears to need a new profile due to a change in the location of the trend files.

jgrant
New Contributor II

FYI, if anyone else runs into issues with this. Here is a helpful article from Trend that helped me work through the issues I was seeing.
https://success.trendmicro.com/solution/000277823

swhps
Contributor III

@jgrant thanks for the update!!