Posted on 10-03-2018 04:19 AM
Trying to wrap my head around this. Had a couple of instances with new Mojave builds where the Jamf agent was called.
We already upgraded to JSS v10.7.1 so it's not the agent requiring access but likely a policy which needs access and the message is piped through the agent. Do you compile a complete list based on testing all the installed apps and policies and then upload it to the JSS, or do you break it down somehow?
Approving Terminal first, I can see which applications are in the TCC list (sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "SELECT * from access") but it doesn't show me which events they require.
Running the following: (/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"') shows me the process running but doesn't seem to correspond to which application calls them.
My main question: how do I know which application needs to be pre-approved and with what specific action?
Anyone who's already mastered this and cares to shed some light before madness kicks in...?
Posted on 10-03-2018 06:48 AM
There is a config profile on GitHub that sorts all that out mate..
JamfAppleEvents.mobileconfig
Been using it and all is good at my end.
G'Luck!
Posted on 10-03-2018 12:25 PM
@kerouak is correct, we pre-built a profile that would whitelist the Jamf Binary, Jamf Agent and Jamf.app to be able to communicate with SystemEvents, SystemUIServer and Finder via the Apple Events service listed within the PPPC framework. That JamfAppleEvents.mobileconfig profile can be found here: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles and is linked in our KB Preparing Your Organization for User Data Protections on macOS 10.14
We do not plan to auto-whitelist terminal to communicate with things since that should be an Admin's choice about what other applications they want to allow to communicate with things. Also, if an admin is running something via terminal they can click the allow button themselves.
Posted on 10-04-2018 08:30 AM
Hi @mike.paul, please see my Jamf Nation post regarding the PPPC utility.
https://www.jamf.com/jamf-nation/discussions/29629/privacy-preferences-config-profile-issues
The app appears to be creating blank profiles as far as I can see.
Posted on 10-04-2018 08:32 AM
In addition @mike.paul, when I try and upload pre-created config profiles I get the following error:
Is there something I need to do to the file before uploading?
Thanks
Posted on 10-04-2018 08:43 AM
Thanks @kerouak That seems to work fine with the Jamf interaction events.
I was under the impression that v10.7.1 already was doing this with the built-in profile but, as you mentioned, it requires adding the one above as well (not really sure why it wasn't included?).
@ocla&&09 I've uploaded a few profiles and all of them work fine. They look empty in JSS but you can check the data once the profile is installed. Sounds like you've got connection issues with the JSS. Does it work when you use "Test Connection"?
Posted on 10-04-2018 08:44 AM
@tjhall no connection problems. Maybe I am seeing what you are, i.e. the "General" section of the profile is populated with info, but there is no other payload in there. Maybe it is just a UI glitch.
Posted on 10-04-2018 09:38 AM
This is expected behavior in the product until the full GUI is added in a future version of Jamf Pro. You can confirm the content is there by downloading the profile post upload and inspecting the content (it will be signed so you'd have to remove the signature prior to reading it easily) or pushing it to a test device to see the values displayed in the Profiles pane in System Preferences.
@ocla&&09, in regards to the upload failure, I am not sure what would be causing that error. How was this profile created? Is it signed? The PPPC Util app was just updated to 1.0.1 to handle a bug around creation of profiles with SystemPolicySysAdminFiles.
Posted on 10-04-2018 09:41 AM
Hi @mike.paul sorry, I may have not been clear. The upload error happens when I try to manually upload a .mobileconfig file through the Jamf Console. Upload via the PPPC Util does not have issues.
Posted on 10-04-2018 09:50 AM
How was that profile created and what is its contents? Would you care to share it here? I just manually uploaded a profile saved from the PPPC Util and one I manually wrote out and both uploaded without error.
Posted on 10-04-2018 10:16 AM
@mike.paul I am even having the issue with the JamfAppleEvents.mobileconfig file on your GitHub repo.
Posted on 10-04-2018 11:04 AM
I'm guessing your browser modified the file prior to downloading. When I right click on the .mobileconfig and download it in Firefox and open it in a text editor I see it starting with
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<link rel="dns-prefetch" href="https://assets-cdn.github.com">
<link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
<link rel="dns-prefetch" href="https://avatars1.githubusercontent.com">
<link rel="dns-prefetch" href="https://avatars2.githubusercontent.com">
<link rel="dns-prefetch" href="https://avatars3.githubusercontent.com">
<link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
<link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">
The above values are not correct. Your file should look the same as it displays in GitHub, looking similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Services</key>
<dict>
<key>AppleEvents</key>
<array>
So your options to keep your browser from messing with it are:
Posted on 10-04-2018 12:25 PM
I think I've seen a duplicate identifier cause that "unable to create object from file" error ... possibly a number of reasons.
Posted on 10-05-2018 12:32 PM
Anybody else having issues with the PPPC utility and making a script.sh be allowed to manipulate Finder? It won't let me select a .sh file.
I tried the utility to add bash and osascript to be allowed but still the same pop up.
Posted on 10-05-2018 12:37 PM
Posted on 10-05-2018 12:40 PM
@szultzie, unless you signed your script and/or self-made apps, it won't be allowed to be whitelisted as that is a requirement for PPPC. The PPPC utility will give you a better display of why it is denying things in a future version.
You can use this nifty write up from Carl Ashley on signing scripts to help you get this accomplished though: https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/
Posted on 10-08-2018 06:53 AM
Thanks @mike.paul, I will give that a try. Interesting that I need them signed, Jamf Support said I had to add <string>/usr/bin/bash</string> to my launch agent and then I can whitelist bash.
I know it's not the best approach but I just wanted to get it working somehow so I can continue to test Mojave in our environment.
I'll try signing it.
-Peter
Posted on 10-08-2018 07:26 AM
Yes, you can whitelist anything that is signed, whether that is an app, binary or a script.
Since bash is a binary signed by Apple you could whitelist that; its identifier would be /bin/bash and its code signature requirement would be identifier "com.apple.bash" and anchor apple.
But what it really comes down to is when the thing is running and causing the prompts, what does the prompt or the logging command show for the parent process requesting access?
/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
For example, when I run a shell script from terminal that has osascript inside that is doing a call to Finder (common workflow for end user prompts), I see terminal as my parent process to whitelist. Logs from that show:
2018-10-08 09:20:44.376179-0500 0x2a409c Info 0x0 341 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[17885], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[18161], auid: 501, euid: 0, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[69], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
With the one being responsible for the call being RESP:{ID: com.apple.Terminal, and the thing it's requesting access to being REQ:{ID: com.apple.appleeventsd.
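To turn those AttributionChain lines into a quick triage verdict (which parent process the PPPC profile has to cover, for which service, via which intermediate binary), here is an added example that is not part of the thread. The sample line is constructed from the one quoted above; the field names RESP, ACC, REQ, ID, "responsible path" and "binary path" are taken from that line.

```shell
# Added example (not from the thread): pull the RESP / ACC / REQ identifiers out of a
# tccd AttributionChain line so you can see which parent process the PPPC profile
# must cover. SAMPLE_LINE is constructed from the log line quoted in the thread.
SAMPLE_LINE="2018-10-08 09:20:44.376179-0500 0x2a409c Info 0x0 341 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[17885], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[18161], auid: 501, euid: 0, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[69], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}"

# attribution_field LINE ROLE KEY  ->  value of KEY inside the ROLE:{...} block
# ROLE is RESP, ACC or REQ; KEY is e.g. ID, "binary path" or "responsible path".
# Values are comma-terminated in this format, so a path containing a comma is cut short.
attribution_field() {
  printf '%s\n' "$1" \
    | sed -n "s/.*$2:{\([^}]*\)}.*/\1/p" \
    | sed -n "s/.*$3: \([^,]*\).*/\1/p" \
    | tr -d "'"
}

# attribution_summary LINE -> one line: what to whitelist, for which service, via what
attribution_summary() {
  resp=$(attribution_field "$1" RESP ID)
  resp_path=$(attribution_field "$1" RESP "responsible path")
  acc=$(attribution_field "$1" ACC ID)
  req=$(attribution_field "$1" REQ ID)
  printf 'whitelist %s (%s) -> %s via %s\n' "$resp" "$resp_path" "$req" "$acc"
}

# On a Mac you can feed the live stream from the thread instead of SAMPLE_LINE:
#   /usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"' \
#     | while read -r l; do attribution_summary "$l"; done
attribution_summary "$SAMPLE_LINE"
```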
Posted on 10-08-2018 08:10 AM
Yes, so after some more testing...
I do have bash whitelisted, and after adding the line <string>/usr/bin/bash</string> in my launch agent that calls the script, it doesn't run at login now. When I call the script from terminal it runs but my new item being blocked is terminal, which makes sense based on what you say: my new parent process is terminal, and bash is whitelisted so the script doesn't get flagged.
Why is Apple trying to be an AV now? I have to fight against our AV Cylance as well with this stuff. Our desktops are going to end up being very secure, lots of redundancies are set in place lol
Posted on 10-08-2018 11:32 AM
@mike.paul similar to @ocla&&09 I'm having problems U/L to Jamf too; when I do, it accepts the file, but doesn't have a payload when saved. I'm on Jamf 10.7.1 already.
I tried the clone/copy and paste method and it doesn't work.
Posted on 10-08-2018 12:06 PM
So just an update... adding the <string>/usr/bin/bash</string> or <string>/bin/bash</string> causes the launch agent not to launch. Waiting to hear back from Jamf Support.
@jwojda The Profiles pane on the client shows a Profile loaded; you should check to see if it is applied for you. The payload in JSS will only be General, from what @mike.paul said in an earlier post.
Posted on 11-01-2018 11:09 AM
So, talking about best practices. Are people making individual configs per application or family of apps (i.e. Office) or are you doing everything in one config?
And I've seen where if I add too many items to PPPC Utility the +/- buttons disappear.
Posted on 11-02-2018 08:28 AM
So I codesigned mylittle.app (all it does is run a script). When I run
codesign -dr - mylittle.app/
Executable=mylittle.app
host => identifier "com.apple.bash" and anchor apple
designated => identifier "mylittle" and certificate root = H"11376458a31f4465f1736b716feb8cd45d8cdcb1"
but when I try to add it into the PPPC Utility using the + button it doesn't open; other .apps do. Any ideas?
-Peter
Posted on 01-31-2019 07:51 AM
@mike.paul I've code signed my .sh file following instructions from Carl Ashley, I verify it's signed, but cannot drag into PPPC Utility? Am I missing something? My hopes were to allow that script only via a config profile using PPPC.
I originally created a .app using Platypus but what's odd is when I codesign the .app it won't launch. I can successfully launch an un-signed .app. Not sure what I'm missing there either.
Posted on 01-31-2019 10:03 AM
I am sorry that some of you are hitting issues with the PPPC Utility. Since it is an open source project you can file issues on the GitHub page: https://github.com/jamf/PPPC-Utility/issues.
I don't know why the app wouldn't take your custom apps or signed scripts. Thankfully you don't only have to use the utility to build profiles, as the config profile is now in the GUI of Jamf Pro as well.
You can use codesign -dr - /path/to/thing to gather the code signature and identifier and paste that into the profile in the Jamf Pro server, or you could try to use Carl Ashley's https://github.com/carlashley/tccprofile or Erik Berglund's https://github.com/erikberglund/ProfileCreator
Posted on 01-31-2019 10:18 AM
@mike.paul Thank you for the information. I still need to upgrade to the latest JAMF Pro that has the PPPC Built in. I will try out one of the other utilities.
Thank you
Posted on 02-04-2019 10:46 AM
FWIW, with respect to the osascript prompts, at least with respect to Fusion 11 Pro, their dev team responded to our request for help with this prompt:
Their response:
The customer's issue is that the MDM cannot push out the osascript prompt and his attempt to allow VMware access to System Events via Privacy Payload does not work. According to the attached screenshot "TCC whitelist.png", Fusion accesses System Events via /usr/bin/osascript, so in TCC.db it is "/usr/bin/osascript" that accesses System Events, not Fusion. I would suggest the customer try allowing /usr/bin/osascript access to System Events in the Privacy Preferences Policy Control payload.
Posted on 03-06-2019 07:30 AM
I'm getting totally lost with this whole process. I have created numerous profiles and uploaded them to our JSS running 10.9. Some seem to work as expected but when trying to run things via Self Service that launch scripts I'm still seeing the prompts about allowing jamfAgent to control System Events.
As you can see from my attached screenshot, as far as I can tell I've allowed it to control System Events so not sure why I'm still seeing the prompts?
Posted on 09-12-2019 04:53 AM
How do you go about adding in something for the Automation section? Specifically for the below:
Posted on 10-29-2019 03:53 AM
I'm trying to run the following command via a simple policy's "Files and processes" payload: osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/Microsoft Teams.app", hidden:false}'
but it doesn't seem to work. The log says
Result of command: 36:131: execution error: An error of type -10810 has occurred. (-10810)
I tried putting the command in a script and running it from there instead but now I get
Script result: 36:131: execution error: Not authorized to send Apple events to System Events. (-1743)
When I run the command via Terminal it works fine, so I have to assume it's a PPPC issue. But how do I build a PPPC profile for an osascript command?
Posted on 11-20-2019 03:32 PM
I have the same question as sslavieroGSMA. My infosec team is requiring that we install/patch OpenJDK via Brew. I have the install set to pass the brew install command to a terminal window open as the user via osascript (building off emily's work https://www.jamf.com/jamf-nation/discussions/24803/deploy-homebrew) and get a prompt "Jamf want access to control "Terminal." If manually approved I get
Running tccutil reset AppleEvents removes the entry, but I can't figure out how to build a .mobileconfig file to replicate it.
Posted on 11-21-2019 03:03 AM
Try using the PPPC Utility from Jamf and drag the Jamf agent binary into the column on the left.