Privacy Preferences Policy Control Payload

szultzie
Contributor II

So I get the following pop-up on a new Mojave build.


I even allowed the bash and osascript binaries to have full disk access (that's what my script does: basically it mounts some network shares for me at user login).

I ran through trying to codesign my script.sh file and whitelist it using various methods,

using this tool after I code signed the script to whitelist it: https://github.com/carlashley/tccprofile

I looked at the following URLs in depth, but nothing seems to work for my pop-up:

https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/

The reference below doesn't talk about how to allow access to Finder, just some other apps and system files.

https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

I can post the script, but I don't think there is an issue with the script since it has worked fine for the past year or so on 10.12.6 and 10.13.3.

Unless there is a better way to mount network shares based on the mobile account logged in.

I also contacted Jamf and Apple.
Jamf said to use their utility:

https://github.com/jamf/PPPC-Utility

Apple engineers are still "researching" a way around this pop-up.

Any help is appreciated.

-Peter


szultzie
Contributor II

Here is a full list of URLs I have visited and tried things from.
Not in any specific order, and not only once 😃

https://www.jamf.com/jamf-nation/discussions/29605/pppc-utility-question-on-best-practice-to-create-config-list

https://github.com/jamf/PPPC-Utility

https://github.com/carlashley/tccprofile

https://carlashley.com/2018/09/23/code-signing-scripts-for-pppc-whitelisting/

https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/

https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf

https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html

szultzie
Contributor II

So I missed a few things about how I call the script. It gets called with a LaunchAgent. Here is the script in case I'm doing something wrong:

#!/bin/sh
############### Mount Network Shares ##################
# Triggered by a LaunchAgent at user login.

# Look up the user's share path from the Active Directory record.
SMBScriptPath="$(dscl "/Active Directory/companyname/All Domains" -read "/Users/$USER" SMBScriptPath)"
Sdrive="$(echo smb:${SMBScriptPath##*s:} | sed 's/\///g')"
echo "$Sdrive"
Udrive="smb://shares.companyname.edu/univwideres"
echo "$Udrive"

if ping -c 1 shares.companyname.edu > /dev/null 2>&1
then
  # Mount the network shares through Finder. Sending these Apple Events to
  # Finder is what TCC on Mojave asks permission for.
  /usr/bin/osascript > /dev/null << EOT
  tell application "Finder"
    activate
    mount volume "smb://shares.companyname.edu/mdrive"
    mount volume "smb://shares.companyname.edu/coursework"
    mount volume "$Sdrive"
    mount volume "$Udrive"
  end tell
EOT
else
  # Fall back to the HTTPS (WebDAV) mount when shares.companyname.edu does not answer ping.

  # Current console user; stat is more robust than parsing ls -l output.
  user="$(stat -f %Su /dev/console)"

  /usr/bin/osascript > /dev/null << EOT
  tell application "Finder"
    activate
    mount volume "https://$user@shares.companyname.edu"
  end tell
EOT
fi

exit 0

float0n
Contributor

@szultzie, I'd recommend running log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"' in Terminal before the script runs. If the script runs at login, you can ssh into the machine from another computer before logging in to see the full log.

MacMule also explains towards the end of this video a little about how to read the logs and use that info when creating your profile: http://docs.macsysadmin.se/2018/video/Day1Session4.mp4

Chuey
Contributor III

@szultzie Were you ever able to create a PPPC profile to whitelist your script only? I've code signed my script but cannot use the PPPC Utility with it...

szultzie
Contributor II

The PPPC Utility didn't work for the custom-signed script; I used

https://github.com/carlashley/tccprofile

It worked; if I remember correctly it was a little tricky to get going, but in the end it worked. It has two sections, Service Permissions and Apple Events, so depending on what you need to whitelist you need to set it up individually for the script or app.

I'll be doing it again to whitelist a few more apps/scripts, so I may take the time and do a quick write-up. But basically, once you select everything you need and click save, it creates a .mobileconfig file that you can upload into Jamf.

-Peter

philipwoods
New Contributor III

Might be a bit late to this party, but here's my write-up on how to properly distribute scripts which are then triggered by a LaunchAgent locally.

Ideally you will need two Apple Developer ID certificates installed on your Mac: the 'Application' certificate to code sign the script itself, plus the 'Installer' certificate to sign the installer that you create to distribute the completed script. In my example they are as below:

Developer ID Application: Example Company (123456789AB)
Developer ID Installer: Example Company (123456789AB)

Create the script that you wish to code sign and store it in a fake 'root' directory to mimic its eventual location. This is important for later on in the process when you come to package up the script (moving code-signed scripts around can destroy the extended attributes which hold the signature details).

In my example I want to deploy a script called myscript.sh in to /Library/Scripts/ on my clients, so I store the developing script in the path ~/Desktop/FakeRoot/Library/Scripts/myscript.sh

Once happy that the script does what we want, ensure that it has the correct ownership and permissions for its eventual deployment. In our example the script should be owned by root, but be executable by everyone:

sudo chown root:wheel ~/Desktop/FakeRoot/Library/Scripts/myscript.sh
sudo chmod 775 ~/Desktop/FakeRoot/Library/Scripts/myscript.sh

Having installed the Developer ID application certificate "Developer ID Application: Example Company (123456789AB)" I run this command to code sign the script:

sudo codesign -s "Developer ID Application: Example Company (123456789AB)" -i com.examplecompany.myscript ~/Desktop/FakeRoot/Library/Scripts/myscript.sh

You can then verify that the script has the new extended attributes by running this command:

xattr ~/Desktop/FakeRoot/Library/Scripts/myscript.sh
com.apple.cs.CodeDirectory
com.apple.cs.CodeRequirements
com.apple.cs.CodeRequirements-1
com.apple.cs.CodeSignature

To grab the code requirement for the PPPC whitelisting profile run the command:

codesign -dr - ~/Desktop/FakeRoot/Library/Scripts/myscript.sh
Executable=~/Desktop/FakeRoot/Library/Scripts/myscript.sh
host => identifier "com.apple.sh" and anchor apple
designated => identifier "com.examplecompany.myscript" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "123456789AB"

A PPPC profile for this example script would contain the following entry:

Identifier = /Library/Scripts/myscript.sh
Identifier Type = path
Code Requirement = identifier "com.examplecompany.myscript" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "123456789AB"

We now need to package up the script ready for distribution via Jamf Pro. To do that, use the command line tool 'pkgbuild' with the important flag --preserve-xattr to keep the code signing attributes in place. Run the following command to create your signed distribution pkg for the same example script and location we have used throughout this article:

pkgbuild --root ~/Desktop/FakeRoot/ --identifier com.examplecompany.myscriptinstall --sign "Developer ID Installer: Example Company (123456789AB)"  ~/Desktop/myscriptinstall.pkg --preserve-xattr

It's not strictly necessary to sign the installer package, but while we're in the mood, why not? If the installer doesn't need to be signed, simply remove this part of the command: --sign "Developer ID Installer: Example Company (123456789AB)"

Otherwise a signed installer package will be on your desktop ready to deploy via Jamf Pro. In this example we would also be deploying a Launch Agent into the user template to trigger myscript.sh, typically each time a user logs in. The Launch Agent doesn't need to be code signed because it's not an executable in itself and just triggers the executable (in this case myscript.sh).