Pulse Secure and PPPC in Mojave

AVmcclint
Valued Contributor III

I'm just now dipping my toe into Mojave. I upgraded a Mac to 10.14.2 and one of my first tests was to launch Pulse Secure.app. Well I got an alert saying Pulse Secure.app needed to access files in Pulse Secure.app. I'm looking in the PPPC Utility to build a PPPC profile but I'm confused. I see I can allow/Deny "Admin Files" and "All Files", but nothing for the files within a program. How would I proceed for this?

2 ACCEPTED SOLUTIONS

DBrowning
Valued Contributor

This is what we are using for Pulse.


Chris
Valued Contributor

You need to add Pulse Secure to the "Apple Events" section and choose "Allow" there:
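What the Apple Events setting in the answer above looks like inside the profile, as an added example (not the poster's profile and not PPPC Utility's code). The sender identifier and code requirement are constructed placeholders, and the System Events receiver is an assumption based on a later reply in this thread.

```python
import plistlib
import uuid

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"

# Placeholders (constructed): take the real identifier and requirement from
# `codesign -dr -` run against the app bundle you are allowing.
SENDER_ID = "com.example.vpnclient"
SENDER_REQ = 'identifier "com.example.vpnclient" and anchor apple generic'
# Assumed receiver: System Events, which the thread mentions later.
RECEIVER_ID = "com.apple.systemevents"
RECEIVER_REQ = 'identifier "com.apple.systemevents" and anchor apple'


def id_type(identifier):
    """TCC accepts a bundle ID or an absolute path to a binary."""
    return "path" if identifier.startswith("/") else "bundleID"


def apple_events_rule(sender_id, sender_req, receiver_id, receiver_req, allowed=True):
    """One AppleEvents entry: may `sender` send Apple Events to `receiver`?"""
    for label, value in (("sender identifier", sender_id), ("sender requirement", sender_req),
                         ("receiver identifier", receiver_id), ("receiver requirement", receiver_req)):
        if not value or not value.strip():
            raise ValueError(f"{label} must not be empty")
    return {
        "Identifier": sender_id, "IdentifierType": id_type(sender_id),
        "CodeRequirement": sender_req, "Allowed": allowed,
        "AEReceiverIdentifier": receiver_id,
        "AEReceiverIdentifierType": id_type(receiver_id),
        "AEReceiverCodeRequirement": receiver_req,
    }


def build_profile(rules, prefix="com.example.pppc"):
    """Wrap the rules in a system-scoped configuration profile (plist bytes)."""
    def meta(kind, suffix):
        return {"PayloadType": kind, "PayloadVersion": 1,
                "PayloadIdentifier": f"{prefix}.{suffix}",
                "PayloadUUID": str(uuid.uuid4()).upper()}
    tcc = dict(meta(TCC_PAYLOAD_TYPE, "tcc"), Services={"AppleEvents": list(rules)})
    profile = dict(meta("Configuration", "profile"), PayloadScope="System",
                   PayloadDisplayName="PPPC: VPN client Apple Events",
                   PayloadContent=[tcc])
    return plistlib.dumps(profile)


if __name__ == "__main__":
    rule = apple_events_rule(SENDER_ID, SENDER_REQ, RECEIVER_ID, RECEIVER_REQ)
    print(build_profile([rule]).decode())
```

An Apple Events rule always names both ends: the sending app and the receiving app each need an identifier and a code requirement, which is why the setting lives in its own section rather than under the file-access options.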

13 REPLIES

damienbarrett
Valued Contributor

I've just started toying around with PPPC Utility, a great new open source tool for creating PPPC Config Profiles. Can't offer any advice yet, as I've just begun, but you might also want to download it and see if you can follow the instructions to get Pulse Secure whitelisted in a PPPC config profile.

https://github.com/jamf/PPPC-Utility

Oops, never mind. I didn't read your post all the way through first. Sorry. Good luck.

AVmcclint
Valued Contributor III

I am using that PPPC Utility to do this. Thanks @ddcdennisb and @Chris for your suggestions. I'll give that a try... which raises a point:

If we have some arbitrary app Foo.app that needs some unspecified or confusing access, how are we supposed to know which options to Allow for PPPC? I've reached out to some vendors directly and they all act like I've got 5 heads with purple hair and speaking in Klingon. I have doubts that any of the apps we use will need the Address Book or Photos or Calendar etc, but those should be fairly obvious to figure out. Microphone and camera and accessibility, sure once again it should be obvious. What exactly are Post Events? And what about hidden gems like ARDAgent? I'm still struggling to get that to stop asking for access... and why do we have to jump through hoops to get a built-in Apple tool like ARD to work the way it's supposed to?

damienbarrett
Valued Contributor

I'm still trying to get full ARD privs to set correctly on my test machines running 10.14. It's pretty frustrating.

sshort
Valued Contributor

@AVmcclint The hardest apps will be ones that don't even present a TCC prompt b/c they haven't been updated in some time, or were built with a really old version of Xcode. There can definitely be some quirks, like a Helper app buried in the .app bundle needs to control the parent app itself.

This is a good post on reading TCC logs. In my testing I just opened a Terminal prompt and ran the below command. Then I set up/enrolled the machine as if a new user was getting it and setting everything up for first use. As prompts come up, you can reference the TCC logs to see what needs access.

log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

joethedsa
Contributor II

Just wanted to follow up about this. @AVmcclint have you made any progress with this at all? I've been messing with this now for a few weeks and have had no success with getting this to work. I've dissected the logs for this but nothing appears to work with the configuration profile.

AVmcclint
Valued Contributor III

@joethedsa see the first reply to this post by @ddcdennisb, I built a config profile that looks exactly like that and it works.

gachowski
Valued Contributor II

Hey, just FYI

So I just double-checked our setup and we don't have a Pulse PPPC... we set our cert to allow the app to see it.


joethedsa
Contributor II

Hmm, @AVmcclint I copied the configuration as posted by @ddcdennisb and have had no success. @gachowski, aren't the System Events and the certificate in the keychain different? I'm curious also, where do you find this setting to allow access to a certain certificate?

AVmcclint
Valued Contributor III

If you're having a certificate issue, that's most likely going to be unrelated to PPPC. You'll need to set the certificate trust to Allow all apps in the config profile you're using to push out the certs.

joethedsa
Contributor II

@AVmcclint, are there two components to configuring the PPPC for Pulse Secure then? The first being the certificate and the second being the actual PPPC whitelist?

AVmcclint
Valued Contributor III

We use AD certificates that are used in many places by different apps. We happen to also use Pulse. The Pulse PPPC profile is the only one we build specifically for Pulse. It happens to take advantage of the AD certificate that has been globally set to allow all apps to trust it.