PPPC Ventura/Sonoma

Wgphoto
New Contributor III

I have tried to create a PPPC config with the utility and given a couple apps "allow" for accessibility, and "let standard users approve" for input monitoring and screen recording. While I understand these settings will not show in the macOS GUI, the users are still not able to enable these settings without admin prompt. I have only tested on Ventura, but we have a few machines (with more to come) running Sonoma. Is there something I'm missing?

1 ACCEPTED SOLUTION

Wgphoto
New Contributor III

So, after speaking with support on this, it appears I was expecting different behavior to what is actually expected with this type of config profile. I was expecting the users to be able to go into system prefs/settings and enable certain apps in the sections of security and privacy they needed and were allowed by PPPC. This is incorrect. The PPPC allows the users to go through the prompts that each app might present without being prompted for admin. This makes sense, but thanks for all the responses.

10 REPLIES

statusBrew
New Contributor III

If they're still prompting for an admin permission, it sounds like the PPPC hasn't applied to the machine correctly, or the content of the Profile isn't matching the details of the Application.

Are you able to share the Application (and version) you're looking to configure, and a snip of the profile?

I find the easiest way to create a PPPC is to install the Application on a test device, then run two commands in terminal, dragging the app in:

codesign -dv /path/to/application
codesign -dr - /path/to/application

The first command will give you the bundle ID; look for "Identifier=com.vendorname.applicationname", e.g. com.google.chrome

The second command will give you the code requirement. Copy everything in the output after "designated =>", normally starting with "anchor apple..." and ending with the team identifier.

Pop those into the PPPC, and give it a go on a test machine.
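
The steps in the post above, as an added example (not part of the original post and not code from Jamf or the PPPC Utility): it pulls the bundle ID and designated requirement out of codesign output, trims stray whitespace, and prints one service entry for a com.apple.TCC.configuration-profile-policy payload. The sample output, com.example.app and EXAMPLE123 are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample output (not from a real app). On a Mac, capture it with:
#   codesign -dv /path/to/application 2>&1
#   codesign -dr - /path/to/application 2>&1
SAMPLE_DV='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
TeamIdentifier=EXAMPLE123'
SAMPLE_DR='Executable=/Applications/Example.app/Contents/MacOS/Example
designated => identifier "com.example.app" and anchor apple generic and certificate leaf[subject.OU] = EXAMPLE123  '

# Strip leading/trailing whitespace, which is easy to paste into a profile by accident.
trim() { sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'; }

# Bundle ID: the value of the "Identifier=" line.
bundle_id() { printf '%s\n' "$1" | sed -n 's/^Identifier=//p' | head -n 1 | trim; }

# Code requirement: everything after "designated => ".
code_requirement() { printf '%s\n' "$1" | sed -n 's/^designated => //p' | head -n 1 | trim; }

# Escape the characters that are special inside plist XML text.
xml_escape() { sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'; }

# Print one service entry (e.g. under Accessibility, ListenEvent or ScreenCapture).
# $1 = codesign -dv output, $2 = codesign -dr - output,
# $3 = Authorization: Allow, Deny or AllowStandardUserToSetSystemService
pppc_entry() {
    id=$(bundle_id "$1"); req=$(code_requirement "$2")
    [ -n "$id" ] && [ -n "$req" ] || { echo "missing identifier or requirement" >&2; return 1; }
    # Sanity check (assumption: the requirement names the app's own identifier).
    case $req in
        *"identifier \"$id\""*) ;;
        *) echo "requirement does not reference $id" >&2; return 1 ;;
    esac
    printf '<dict>\n'
    printf '  <key>Identifier</key><string>%s</string>\n' "$(printf '%s' "$id" | xml_escape)"
    printf '  <key>IdentifierType</key><string>bundleID</string>\n'
    printf '  <key>CodeRequirement</key><string>%s</string>\n' "$(printf '%s' "$req" | xml_escape)"
    printf '  <key>Authorization</key><string>%s</string>\n' "$3"
    printf '</dict>\n'
}

# "Let standard users approve" corresponds to AllowStandardUserToSetSystemService.
pppc_entry "$SAMPLE_DV" "$SAMPLE_DR" AllowStandardUserToSetSystemService
```

Comparing the printed entry with the one in the installed profile is a quick way to spot an identifier or code requirement mismatch.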

Wgphoto
New Contributor III

I tried manually configuring as you said (which also didn't work), but isn't the point of the utility to add the content by just adding the apps and setting the settings you want? One of the apps I was trying is Zoom.

statusBrew
New Contributor III

I agree the point of the utility is to make it simpler, but was just suggesting a method to try and pin down if the utility was the root cause of the problem.

I have pretty much the same PPPC configured in my environment (bar some permission changes) and this morning I've tested on a client with a non-admin user logged in.

Before the PPPC was installed, it prompted for admin. After, it simply prompted to quit and re-launch the app.

Could it be any trailing/leading whitespace characters in your configuration that's breaking it?

Wgphoto
New Contributor III

Hey, I tried manually as you suggested, but same result. I also checked for any trailing/leading whitespace, but even though it appears in the GUI that there might be whitespace after the code requirement, there actually isn't any. You said "bar some permission changes". Did you mean you don't have yours set as allow, for instance? I'm sure it's something simple I'm missing, just not sure what it might be. Is it worth maybe checking the box to validate?

statusBrew
New Contributor III

When I said 'bar some permission changes', I also grant access to SystemPolicyAllFiles, but don't grant anything for ListenEvents.

I don't have the box selected for validation.

Is the profile confirmed installed on the devices that your standard users are reporting issues with?

Could those devices have become unmanaged somehow?

Wgphoto
New Contributor III

OK, thanks for clarification. The profile is installed on the machines I've tested with, and they are still managed.

statusBrew
New Contributor III

This might be coming to the limit of my knowledge then I'm afraid.

With Zoom, which application version are you using? 5.17.5 is the latest; I've been testing with 5.17.1 and 5.17.2.

Could there be any other conflicting profiles that are preventing the PPPC from applying as you expect?

Beyond that, I'm afraid I don't think I can offer any other suggestions 😕

Wgphoto
New Contributor III

Thanks for your responses. I'll have to check which version, but I'm also going to check if there are conflicting profiles, so thanks for that suggestion.

cucaracha
New Contributor III

@Wgphoto, why not use Nudge?