Profile for Windows Auto Updater (office 2016)

mroe
New Contributor III

I'm trying to make a configuration profile to whitelist the Windows Auto Updater (for office 2016) so it can run against a script to check for and install/apply updates without user interaction and something keeps getting snagged in all my test runs. I can see it has something to do with com.apple.security.automation.apple-events and com.microsoft.autoupdate.fba but I cannot for the life of me figure out how to approve it. I've tried both doing it manually through the Jamf GUI and with PPPC and still can't seem to get it. Do I need to allow something with com.apple.TCC:access first, or am I just not identifying something correctly? There was a com.microsoft.autoupdate.cli that was getting flagged but I was able to get that one working and replicating the steps didn't help for the .fba

Log:

2019-03-29 13:02:26.544600-0400 0x761f Error 0x0 237 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[7418], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon'}, REQ:{ID: com.apple.appleeventsd, PID[35], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-03-29 13:08:06.123945-0400 0x99ee Error 0xc032 1409 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[11022], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon'}, REQ:{ID: com.microsoft.autoupdate.fba, PID[11022], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon'}
2019-03-29 13:08:06.126015-0400 0x993b Error 0x0 237 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.microsoft.autoupdate.fba, PID[11022], auid: 501, euid: 501, binary path: '/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app/Contents/MacOS/Microsoft AU Daemon'}, REQ:{ID: com.apple.appleeventsd, PID[35], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2019-03-29 13:08:06.138572-0400 0x99ee Default 0xc032 1409 0 tccd: [com.apple.TCC:access] Prompting for access to indirect object Microsoft AutoUpdate by Terminal

EDIT UPDATE: I figured out what I was missing, I needed to allow 4 different applications/executables access to one another as well as giving terminal access to all 4 of them and vice verse. There is the regular Microsoft AutoUpdate.app found in /Library/Application Support/Microsoft/MAU2.0/ Then there is Microsoft AU Daemon.app, Microsoft AutoUpdate.exe, and msupdate.exe all located at /Library/Application Support/Microsoft/MAU2.0/Contents/macOS
All 4 are given full disk access and accessibility(this may be unnecessary, I'm going to run another test later without accessibility access to see if it's required) and access to System Events and SystemUIServer.

2 REPLIES 2

talkingmoose
Honored Contributor II

@mroe. you've described a few different pieces of your plan, some of which don't really fit together.

I get that you're trying to update Office apps using the Microsoft AutoUpdate utility. On its own, it can keep your apps up-to-date.

Can you describe the end result you're wanting to accomplish rather than the methods you're trying to use? Do you simply want to keep the apps updated automatically or do you need to time their updates somehow?

You may find the first part of a recent webinar @pbowden and I presented back in January useful:

How to manage Microsoft Office 2019 for Mac - Q&A

mroe
New Contributor III

Sorry for the lack of details and slow follow up, Friday afternoons right?

What I'm trying to do is, at the moment we push out Office 2016 with a volume installer which works fine. The problem I'm facing is that our users don't always open their office programs right away and the auto-updater doesn't seems to do anything until both it and each office product are opened at least one time. So for example, a user only opens Word and nothing else, Word will function just fine, but because the user never opened the auto-updater, it will never prompt them to check for updates, it also won't update excel/powerpoint/etc. because they where not opened yet, nor will it just update silently (it will once opened).

I figured that as long as the updater was triggered somehow I don't particularly care if it updates all the Office programs as long as it triggers for the ones they use (mostly Word and Outlook for probably 90% of our users) so I went ahead and made a script calling on the CLI tools documented here: https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate

The script I'm using looks like this and is set to trigger on occasional check-in:

#!/bin/sh

#Trigger auto updater to download and install all available updates
/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/msupdate --install

There is also a package that installs the newest Microsoft Auto Updater (4.9 right now). This altogether functionally accomplishes what I need it to do (albeit probably not the most graceful method) except I'd like it to run without making a security dialog to allow the auto updater to trigger for the first time so users aren't confused and/or don't miss it. I just can't seem to get Mojave's security access control to white-list the process of calling on the auto-updater with the CLI tool.

I was trying to do a configuration profile using Privacy Preferences Policy Control options to avoid the pop up security dialog. Weirdly enough I was originally getting flagged by both the com.microsoft.autoupdate.cli and com.microsoft.autoupdate.fba not having proper permissions, but I was able to set the appropriate App Access for com.microsoft.autoupdate.cli just not the .fba which is weird because I'm not sure it should even be getting triggered at all honestly. I'm pretty sure the .fba is just the GUI process and it should really only be triggering the .cli (I could be wrong though). At this rate I think it may be best to just rework how Office is deployed, it's an (inherited) mess right now.