PPPC Utility - Question on best practice to create config list?

tjhall
Contributor III

Trying to wrap my head around this. Had a couple of instances with new Mojave builds where the Jamf agent was called.
85637ebef22b42a2bf39b43f356ad6e0
We already upgraded to JSS v10.7.1 so it's not the agent requiring access but likely a policy which needs access and the message is piped through the agent. Do you compile a complete list based on testing all the installed apps and policy's and then upload it to the jss or do you break it down somehow?

Approving Terminal first I can see which application are in the TCC list (sqlite3 /Library/Application Support/com.apple.TCC/TCC.db "SELECT * from access") but it doesn't show me which events they require.

Runnning the following: (/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"') shows me the process running but doesn't seem to correspond to which application calls them.

My main question How do I know which application needs to be pre-approved and with what specific action?
Anyone who's already mastered this and care to shed some light before madness kicks in....?

31 REPLIES 31

kerouak
Valued Contributor

There is a config profile on GitHub that sorts all that out mate..
JamfAppleEvents.mobileconfig

Been using it and all is good at my end.

G'Luck!

mike_paul
Contributor III
Contributor III

@kerouak is correct, we pre-built a profile that would whitelist the Jamf Binary, Jamf Agent and Jamf.app to be able to communicate with SystemEvents, SystemUIServer and Finder via the Apple Events service listed within the PPPC framework. That JamfAppleEvents.mobileconfig profile can be found here: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles and is linked in our KB Preparing Your Organization for User Data Protections on macOS 10.14

We do not plan to auto-whitelist terminal to communicate with things since that should be an Admins choice about what other applications they want to allow to communicate with things. Also, if an admin is running something via terminal they can click the allow button themselves.

ocla__09
Contributor

Hi @mike.paul, please see my Jamf Nation post regarding the PPPC utility.
https://www.jamf.com/jamf-nation/discussions/29629/privacy-preferences-config-profile-issues

the app appears to be creating blank profiles as far as I can see.

ocla__09
Contributor

In addition @mike.paul when I try and upload pre created config profiles I get the following error:
d81cb9fef3c845daac8187e3fee469fc

Is there something I need to do to the file before uploading?

Thanks

tjhall
Contributor III

Thanks @kerouak That seems to work fine with the Jamf interaction events.
I was under the impression that v10.7.1 already was doing this with the built in profile but as you mentioned, it requires to add the one above as well (not really sure why it wasn't included?).

@ocla&&09 I've uploaded a few profiles and all of them work fine. They look empty in JSS but you can check the data once the profile is installed. Sounds like you've got connection issues with the JSS. Does it work when you use "Test Connection"?

ocla__09
Contributor

@tjhall no connection problems. Maybe I am seeing what you are ie the "General" section of the profile is populated with info, but there is no other payload in there. Maybe it is just a UI glitch.

mike_paul
Contributor III
Contributor III

This is expected behavior in the product until the full GUI is added in a future version of Jamf Pro. You can confirm the content is there by downloading the profile post upload and inspecting the content (it will be signed so you'd have to remove the signature prior to reading it easily) or pushing it to a test device to see the values displayed in the Profiles pane in System Preferences.

@ocla&&09, in regards to the upload failure, I am not sure what would be causing that error. How was this profile created? Is it signed? The PPPC Util app was just updated to 1.0.1 to handle a bug around creation of profiles with SystemPolicySysAdminFiles.

ocla__09
Contributor

Hi @mike.paul sorry, I may have not been clear. The upload error happens when I try to manually upload a .mobileconfig file through the Jamf Console. Upload via the PPPC Util does not have issues.

mike_paul
Contributor III
Contributor III

How was that profile created and what is its contents? Would you care sharing it here? I just manually uploaded a profile saved from the PPPC Util and one I manually wrote out and both uploaded without error.

ocla__09
Contributor

@mike.paul I am even having the issue with the JamfAppleEvents.mobileconfig file on your GitHub repo.

mike_paul
Contributor III
Contributor III

Im guessing your browser modified the file prior to downloading. When I right click on the .mobileconfig and download it in Firefox and open it in a text editor I see it starting with

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
  <link rel="dns-prefetch" href="https://assets-cdn.github.com">
  <link rel="dns-prefetch" href="https://avatars0.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars1.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars2.githubusercontent.com">
  <link rel="dns-prefetch" href="https://avatars3.githubusercontent.com">
  <link rel="dns-prefetch" href="https://github-cloud.s3.amazonaws.com">
  <link rel="dns-prefetch" href="https://user-images.githubusercontent.com/">

The above values are not correct. Your file should look the same as it displays in GitHub, looking similar to this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>PayloadContent</key>
        <array>
                <dict>
                        <key>Services</key>
                        <dict>
                                <key>AppleEvents</key>
                                <array>

So your options to not have your browser mess with it is:

CGundersen
Contributor III

I think I've seen a duplicate identifier cause that "unable to create object from file" error ... possibly a number of reasons.

szultzie
Contributor II

Anybody else having issue with the PPPC utility and making a scrip.sh be allowed to manipulate finder? It wont let me select a .sh file.

I tried the utility to add bash and osaacripts to be allowed but still same pop up

szultzie
Contributor II

72b45782ca924a18a71a598b704f1600
5e9a60dbd05c4310bf5e3e29bfafc60f
b33ac01de8434103b5998abbc9407b13

mike_paul
Contributor III
Contributor III

@szultzie, unless you signed your script and/or self made apps, it won't be allowed to be whitelisted as that is a requirement for PPPC. The PPPC utility will give you better display of why it is denying things in a future version.

You can use this nifty write up from Carl Ashley on signing scripts to help you get this accomplished though: https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/

szultzie
Contributor II

Thanks @mike.paul , i will give that a try. Interesting that I need them signed, Jamf Support said I had to add <string>/usr/bin/bash</string> to my launch agent and then i can white list bash.

I know it not the best approach but i just wanted to get it working somehow so i can continue to test Mojave in our environment

Ill try signing it.

-Peter

mike_paul
Contributor III
Contributor III

Yes, you can whitelist anything that is signed, whether that is an app, binary or a script.

Since bash is a binary is signed by Apple you could whitelist that, its identifier would be /bin/bash and its code signature requirement would be identifier "com.apple.bash" and anchor apple.

But what it really comes down to is when the thing is running and causing the prompts, what does the prompt or the logging command show for the parent process requesting access?

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

For example, when I run a shell script from terminal that has osacript inside that is doing a call to Finder (common workflow for end user prompts), I see terminal as my parent process to whitelist. Logs from that show:

2018-10-08 09:20:44.376179-0500 0x2a409c   Info        0x0                  341    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[17885], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[18161], auid: 501, euid: 0, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[69], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

With the one being responsible for the call being RESP:{ID: com.apple.Terminal, and the thing its requesting access to being REQ:{ID: com.apple.appleeventsd,

szultzie
Contributor II

yes, so after some more testing...

I do have bash whitelisted, and adding the line <string>/usr/bin/bash</string> in my launch agent that calls the script, it doesn't run at log in now. When i call the scrip from terminal it runs but my new item being blocked is terminal, which makes sense based on what you say that my new parent process is terminal, and bash is white listed so the script doesn't get flagged.

Why is Apple trying to be an AV now. I have to fight against our AV Cylance as well with this stuff. Our desktops are going to end up being very secure lots of redundancies are set in place lol

ImAMacGuy
Valued Contributor II

@mike.paul similar to @ocla&&09 I'm having problems U/L to jamf too, when I do, it accepts the file, but doesn't have a payload when saved. I'm on jamf 10.7.1 already.

I tried the clone/copy and past method and it doesn't work.

szultzie
Contributor II

So just an update... adding the <string>/usr/bin/bash</string> or <string>/bin/bash</string> causes the launch agent not to launch. Wait to hear back from Jamf Support.

@jwojda The Profiles Pane on the client shows a Profile loaded, you should check to se if it is applied for you, the Payload in JSS will only b General from what @mike.paul said in an earlier post.

cwaldrip
Valued Contributor

So, talking about best practices. Are people making individual configs per application or family of apps (ie Office) or are you doing everything in one config?

And I've seen where if I add too many items to PPPC Utility the +/- buttons disappear.

szultzie
Contributor II

so i codesigned mylittle.app (all it does is run a script) . when i run

codesign -dr - mylittle.app/

Executable=mylittle.app
host => identifier "com.apple.bash" and anchor apple
designated => identifier "mylittle" and certificate root = H"11376458a31f4465f1736b716feb8cd45d8cdcb1"

but when i try to add suing the + button it into the PPC Utility it doesn't open, other .apps do. ANy ideas?

-Peter

Chuey
Contributor III

@mike.paul I've code signed my .sh file following instructions from Carl Ashley, I verify it's signed, but cannot drag into PPPC Utility? Am I missing something? My hopes were to allow that script only via a config profile using PPPC.

I originally created a .app using Platypus but what's odd is when I codesign the .app it won't launch. I can successfully launch an un-signed .app. Not sure what I'm missing there either.

mike_paul
Contributor III
Contributor III

I am sorry that some of you are hitting issues with the PPPC Utility. Since it is an open source project you file file issues on the GitHub page: https://github.com/jamf/PPPC-Utility/issues.

I dont know why the app wouldn't take your custom apps or signed scripts. Thankfully you don't only have to use the utility to build profiles as the config profile is now in the GUI of Jamf Pro as well.

You can use the codesign -dr - /path/to/thing to gather the code signature and identifier and paste that into the profile in the Jamf Pro server or you could try to use Carl Ashley's https://github.com/carlashley/tccprofile or Erik Berglund's https://github.com/erikberglund/ProfileCreator

Chuey
Contributor III

@mike.paul Thank you for the information. I still need to upgrade to the latest JAMF Pro that has the PPPC Built in. I will try out one of the other utilities.

Thank you

donmontalvo
Esteemed Contributor III

FWIW, with respect to the osascript prompts, at least with respect to Fusion 11 Pro, their dev team responded to our request for help with this prompt:

3420c659b37349f48b89f1e8aa024d77

Their response:

The customer's issue is that the MDM cannot push out the osascript prompt and his attempt to allow VMware access to System Events via Privacy Payload does not work. According to the attached screenshot "TCC whitelist.png", Fusion access System Events via /usr/bin/osascript, so in TCC.db it is "/usr/bin/osascript" that access System Events, not Fusion, I would suggest the customer to try allowing /usr/bin/osascript access to System Events in Privacy Preferences Policy Control Payload.
--
https://donmontalvo.com

allanp81
Valued Contributor

f0a27828d037433699f1da3fe5998305
I'm getting totally lost with this whole process. I have created numerous profiles and uploaded them to our JSS running 10.9. Some seem to work as expected but when trying to run things via Self Service that launch scripts I'm still seeing the prompts about allowing jamfAgent to control System Events.

As you can see from my attached screenshot, as far as I can tell I've allowed it to control System Events so not sure why I'm still seeing the prompts?

sslavieroGSMA
New Contributor III

How do you go about adding in something for Automation section? specifically for the below:

737302e0025947f8acd7bc692242ac24

AVmcclint
Honored Contributor

I'm trying to run the following command via a simple policy's "Files and processes" payload
osascript -e 'tell application "System Events" to make login item at end with properties {path:"/Applications/Microsoft Teams.app", hidden:false}' but it doesn't seem to work. The log says

Result of command: 36:131: execution error: An error of type -10810 has occurred. (-10810)

I tried putting the command in a script and running it from there instead but now I get

Script result: 36:131: execution error: Not authorized to send Apple events to System Events. (-1743)

When I run the command via Terminal it works fine, so I have to assume it's a PPPC issue. But how to I build a PPPC profile for an osascript command?

chris_fast
New Contributor II

I have the same question as sslavieroGSMA. My infosec team is requiring that we install/patch OpenJDK via Brew. I have the install set to pass the brew install command to a terminal window open as the user via osascript (building off emily's work https://www.jamf.com/jamf-nation/discussions/24803/deploy-homebrew) and get a prompt "Jamf want access to control "Terminal." If manually approved I get ca81e2d8c72d4ce98fec6f7795e31097

Running

tccutil reset AppleEvents

removes the entry, but I can't figure out how to build a .mobileconfig file to replicate it.

allanp81
Valued Contributor

Try using the PPPC Utilty from Jamf and drag the Jamf agent binary into the column on the left.