Posted on 01-18-2019 05:57 AM
I'm just now dipping my toe into Mojave. I upgraded a Mac to 10.14.2 and one of my first tests was to launch Pulse Secure.app. Well I got an alert saying Pulse Secure.app needed to access files in Pulse Secure.app. I'm looking in the PPPC Utility to build a PPPC profile but I'm confused. I see I can allow/Deny "Admin Files" and "All Files", but nothing for the files within a program. How would I proceed for this?
Posted on 01-18-2019 06:07 AM
You need to add Pulse Secure to the "Apple Events" section and choose "Allow" there:
Posted on 01-18-2019 06:07 AM
This is what we are using for Pulse.
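Added example, not part of any post in this thread and not Jamf's or Pulse Secure's own code: a sketch of the Apple Events payload that an "Allow" entry in a PPPC profile corresponds to. The sender bundle ID and code requirement are constructed placeholders, the System Events receiver is an assumption taken from a later reply, and the function names are hypothetical.

```python
import plistlib
import uuid

def _uuid(name):
    # Derived from the identifier, so rebuilding yields the same PayloadUUID.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()

def apple_events_rule(sender_id, sender_req, receiver_id, receiver_req):
    """One AppleEvents entry: sender may send Apple Events to receiver."""
    for label, req in (("sender", sender_req), ("receiver", receiver_req)):
        if not req.strip():  # both sides are matched by code requirement
            raise ValueError(f"{label} code requirement is empty")
    return {
        "Identifier": sender_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": sender_req,
        "AEReceiverIdentifier": receiver_id,
        "AEReceiverIdentifierType": "bundleID",
        "AEReceiverCodeRequirement": receiver_req,
        "Allowed": True,
    }

def build_profile(profile_id, rules):
    """Wrap the rules in a TCC payload inside a configuration profile."""
    tcc = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": profile_id + ".tcc",
        "PayloadUUID": _uuid(profile_id + ".tcc"),
        "Services": {"AppleEvents": list(rules)},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": profile_id,
        "PayloadUUID": _uuid(profile_id),
        "PayloadDisplayName": "PPPC: Apple Events",
        "PayloadContent": [tcc],
    }

# Placeholder sender values (constructed); read the real designated
# requirement with: codesign -dr - "/Applications/<App>.app"
SENDER_REQ = 'identifier "com.example.vpnclient" and anchor apple generic'
RULE = apple_events_rule(
    "com.example.vpnclient", SENDER_REQ, "com.apple.systemevents",
    'identifier "com.apple.systemevents" and anchor apple')
PROFILE_XML = plistlib.dumps(build_profile("com.example.pppc.vpnclient", [RULE]))
```

Writing `PROFILE_XML` to a `.mobileconfig` file gives a profile that can be compared side by side with what PPPC Utility exports for the same app.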
Posted on 01-18-2019 06:12 AM
I've just started toying around with PPPC Utility, a great new open source tool for creating PPPC Config Profiles. Can't offer any advice yet, as I've just begun, but you might also want to download it and see if you can follow the instructions to get Pulse Secure whitelisted in a PPPC config profile.
https://github.com/jamf/PPPC-Utility
Oops, never mind. I didn't read your post all the way through first. Sorry. Good luck.
Posted on 01-18-2019 06:34 AM
I am using that PPPC Utility to do this. Thanks @ddcdennisb and @Chris for your suggestions. I'll give that a try... which raises a point:
If we have some arbitrary app Foo.app that needs some unspecified or confusing access, how are we supposed to know which options to Allow for PPPC? I've reached out to some vendors directly and they all act like I've got 5 heads with purple hair and speaking in Klingon. I have doubts that any of the apps we use will need the Address Book or Photos or Calendar etc, but those should be fairly obvious to figure out. Microphone and camera and accessibility, sure once again it should be obvious. What exactly are Post Events? And what about hidden gems like ARDAgent? I'm still struggling to get that to stop asking for access... and why do we have to jump through hoops to get a built-in Apple tool like ARD to work the way it's supposed to?
Posted on 01-18-2019 07:27 AM
I'm still trying to get full ARD privs to set correctly on my test machines running 10.14. It's pretty frustrating.
Posted on 01-18-2019 07:38 AM
@AVmcclint The hardest apps will be ones that don't even present a TCC prompt b/c they haven't been updated in some time, or were built with a really old version of Xcode. There can definitely be some quirks, like a Helper app buried in the .app bundle needs to control the parent app itself.
This is a good post on reading TCC logs. In my testing I just opened a Terminal prompt and ran the below command. Then I set up/enrolled the machine as if a new user was getting it and setting everything up for first use. As prompts come up, you can reference the TCC logs to see what needs access.
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
Posted on 08-14-2019 07:19 AM
Just wanted to follow up about this. @AVmcclint have you made any progress with this at all? I've been messing with this now for a few weeks and have had no success with getting this to work. I've dissected the logs for this but nothing appears to work with the configuration profile.
Posted on 08-14-2019 08:26 AM
@joethedsa see the first reply to this post by @ddcdennisb, I built a config profile that looks exactly like that and it works.
Posted on 08-14-2019 02:56 PM
Hey, just FYI
So I just double-checked our setup and we don't have a Pulse PPPC. We set our cert to allow the app to see it.
Posted on 08-15-2019 06:15 AM
Hmm, @AVmcclint I copied the configuration as posted by @ddcdennisb and have had no success. @gachowski, aren't the System Events and the certificate in the keychain different? I'm curious also, where do you find this setting to allow access to a certain certificate?
Posted on 08-15-2019 06:20 AM
If you're having a certificate issue, that's most likely going to be unrelated to PPPC. You'll need to set the certificate trust to Allow all apps in the config profile you're using to push out the certs.
Posted on 08-15-2019 07:46 AM
@AVmcclint, are there two components to configuring the PPPC for Pulse Secure then? The first being the certificate and the second being the actual PPPC whitelist?
Posted on 08-15-2019 08:34 AM
We use AD certificates that are used in many places by different apps. We happen to also use Pulse. The Pulse PPPC profile is the only one we build specifically for Pulse. It happens to take advantage of the AD certificate that has been globally set to allow all apps to trust it.