Posted on 02-16-2024 07:16 AM
I have tried to create a PPPC config with the utility and given a couple apps "allow" for accessibility, and "let standard users approve" for input monitoring and screen recording. While I understand these settings will not show in the macOS GUI, the users are still not able to enable these settings without an admin prompt. I have only tested on Ventura, but we have a few machines (with more to come) running Sonoma. Is there something I'm missing?
Posted on 02-16-2024 07:46 AM
If they're still prompting for an admin permission, it sounds like the PPPC hasn't applied to the machine correctly, or the content of the Profile isn't matching the details of the Application.
Are you able to share the Application (and version) you're looking to configure, and a snip of the profile?
I find the easiest way to create a PPPC is to install the Application on a test device, then run two commands in terminal, dragging the app in:
codesign -dv /path/to/application
codesign -dr - /path/to/application
The first command will give you the bundle ID; look for "Identifier=com.vendorname.applicationname", e.g. com.google.chrome.
The second command will give you the code requirement. Copy everything in the output after "designated =>", normally starting with "anchor apple..." and ending with the team identifier.
Pop those into the PPPC, and give it a go on a test machine.
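The two-command procedure in the post above, as an added example that is not part of the original thread: it parses captured codesign output and builds the PPPC payload dictionary with the grants discussed here. The codesign output and the PayloadIdentifier are constructed; the service names and Authorization values are assumed from Apple's Privacy Preferences Policy Control payload.

```python
import plistlib
import re
import uuid

# Constructed sample output of the two codesign commands (not from a real app).
SAMPLE_DV = "Identifier=com.example.app\nTeamIdentifier=EXAMPLE123\n"
SAMPLE_DR = (
    'designated => identifier "com.example.app" and anchor apple generic '
    "and certificate leaf[subject.OU] = EXAMPLE123  \n"  # trailing spaces on purpose
)
# Assumption from Apple's payload documentation: only these services accept this value.
STANDARD_USER = "AllowStandardUserToSetSystemService"
STANDARD_USER_SERVICES = {"ListenEvent", "ScreenCapture"}


def parse_codesign(dv_text, dr_text):
    """Return (bundle_id, code_requirement) from captured codesign output."""
    ident = re.search(r"^Identifier=(\S+)\s*$", dv_text, re.MULTILINE)
    req = re.search(r"^(?:# )?designated => (.+)$", dr_text, re.MULTILINE)
    if not ident or not req:
        raise ValueError("missing Identifier= or designated => line")
    # Strip leading/trailing whitespace picked up when copying the requirement.
    return ident.group(1), req.group(1).strip()


def build_pppc_payload(bundle_id, requirement, grants):
    """Build the TCC payload; grants maps a service name to an Authorization."""
    services = {}
    for service, authorization in grants.items():
        if authorization == STANDARD_USER and service not in STANDARD_USER_SERVICES:
            raise ValueError(f"{STANDARD_USER} is not valid for {service}")
        services[service] = [{"Identifier": bundle_id, "IdentifierType": "bundleID",
                              "CodeRequirement": requirement, "Authorization": authorization}]
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"example.pppc.{bundle_id}",  # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": services,
    }


if __name__ == "__main__":
    bid, req = parse_codesign(SAMPLE_DV, SAMPLE_DR)
    grants = {"Accessibility": "Allow", "ListenEvent": STANDARD_USER,
              "ScreenCapture": STANDARD_USER}
    print(plistlib.dumps(build_pppc_payload(bid, req, grants)).decode())
```

The printed plist is the payload dictionary only; comparing it against the payload in the installed profile shows whether the identifier or code requirement has drifted from what codesign reports.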
Posted on 02-16-2024 09:49 AM
I tried manually configuring as you said (which also didn't work), but isn't the point of the utility to add the content by just adding the apps and setting the settings you want? One of the apps I was trying is Zoom.
Posted on 02-19-2024 01:50 AM
I agree the point of the utility is to make it simpler, but was just suggesting a method to try and pin down if the utility was the root cause of the problem.
I have pretty much the same PPPC configured in my environment (bar some permission changes) and this morning I've tested on a client with a non-admin user logged in.
Before the PPPC was installed, it prompted for admin. After, it simply prompted to quit and re-launch the app.
Could it be any trailing/leading whitespace characters in your configuration that's breaking it?
Posted on 02-20-2024 07:56 AM
Hey, I tried manually as you suggested, but same result. I also checked for any trailing/leading whitespace, but even though it appears in the GUI that there might be whitespace after the code requirement, there actually isn't any. You said "bar some permission changes". Did you mean you don't have yours set as allow, for instance? I'm sure it's something simple I'm missing, just not sure what it might be. Is it worth maybe checking the box to validate?
Posted on 02-21-2024 07:52 AM
When I said 'bar some permission changes', I also grant access to SystemPolicyAllFiles, but don't grant anything for ListenEvents.
I don't have the box selected for validation.
Is the profile confirmed installed on the devices that your standard users are reporting issues with?
Could those devices have become unmanaged somehow?
Posted on 02-21-2024 07:57 AM
OK, thanks for clarification. The profile is installed on the machines I've tested with, and they are still managed.
Posted on 02-21-2024 08:26 AM
This might be coming to the limit of my knowledge then I'm afraid.
With Zoom, which application version are you using? 5.17.5 is the latest; I've been testing with 5.17.1 and 5.17.2.
Could there be any other conflicting profiles that are preventing the PPPC from applying as you expect?
Beyond that, I'm afraid I don't think I can offer any other suggestions 😕
Posted on 02-21-2024 09:16 AM
Thanks for your responses. I'll have to check which version, but I'm also going to check if there are conflicting profiles, so thanks for that suggestion.
Posted on 02-22-2024 06:14 AM
So, after speaking with support on this, it appears I was expecting different behavior to what is actually expected with this type of config profile. I was expecting the users to be able to go into system prefs/settings and enable certain apps in the sections of security and privacy they needed and were allowed by PPPC. This is incorrect. The PPPC allows the users to go through the prompts that each app might present without being prompted for admin. This makes sense, but thanks for all the responses.
Posted on 05-09-2024 10:00 AM
@Wgphoto, why not use Nudge?