I'm just now dipping my toe into Mojave. I upgraded a Mac to 10.14.2 and one of my first tests was to launch Pulse Secure.app. Well I got an alert saying Pulse Secure.app needed to access files in Pulse Secure.app. I'm looking in the PPPC Utility to build a PPPC profile but I'm confused. I see I can allow/Deny "Admin Files" and "All Files", but nothing for the files within a program. How would I proceed for this?
I've just started toying around with PPPC Utility, a great new open source tool for creating PPPC Config Profiles. Can't offer any advice yet, as I've just begun, but you might also want to download it and see if you can follow the instructions to get Pulse Secure whitelisted in a PPPC config profile.
Oops, never mind. I didn't read your post all the way through first. Sorry. Good luck.
If we have some arbitrary app Foo.app that needs some unspecified or confusing access, how are we supposed to know which options to Allow for PPPC? I've reached out to some vendors directly and they all act like I've got 5 heads with purple hair and speaking in Klingon. I have doubts that any of the apps we use will need the Address Book or Photos or Calendar etc, but those should be fairly obvious to figure out. Microphone and camera and accessibility, sure once again it should be obvious. What exactly are Post Events? And what about hidden gems like ARDAgent? I'm still struggling to get that to stop asking for access... and why do we have to jump through hoops to get a built-in Apple tool like ARD to work the way it's supposed to?
@AVmcclint The hardest apps will be ones that don't even present a TCC prompt b/c they haven't been updated in some time, or were built with a really old version of Xcode. There can definitely be some quirks, like a Helper app buried in the .app bundle needs to control the parent app itself.
This is a good post on reading TCC logs. In my testing I just opened a Terminal prompt and ran the below command. Then I set up/enrolled the machine as if a new user was getting it and setting everything up for first use. As prompts come up, you can reference the TCC logs to see what needs access.
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
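
An added example, not part of the thread or any poster's code: a shell filter that reduces the AttributionChain lines from the command above to one row per role, identifier and binary path, so helper binaries inside an .app bundle stand out as separate PPPC entries. The sample lines are constructed, and the `role={identifier=..., binary_path=...}` layout is an assumption to check against what your macOS version prints; `tcc_attribution_summary` and `sample_tcc_lines` are hypothetical names.

```shell
#!/bin/sh
# Added example: list the binaries named in TCC AttributionChain log lines.
# ASSUMPTION: each line holds groups shaped like
#   role={identifier=<id>, ..., binary_path=<path>}
# Compare with real output and adjust the patterns if the layout differs.
# Usage on a Mac (predicate taken from the post above):
#   log stream --debug --predicate '<predicate>' | tcc_attribution_summary

# Constructed sample lines; identifiers and paths are placeholders.
sample_tcc_lines() {
cat <<'EOF'
09:15:02 tccd: AttributionChain: accessing={identifier=com.example.vpnclient, pid=812, binary_path=/Applications/Example VPN.app/Contents/MacOS/Example VPN}, requesting={identifier=com.example.requester, pid=97, binary_path=/usr/libexec/example-requester},
09:15:03 tccd: some unrelated TCC message that must be ignored
09:15:09 tccd: AttributionChain: accessing={identifier=com.example.vpnclient, pid=812, binary_path=/Applications/Example VPN.app/Contents/MacOS/Example VPN}, requesting={identifier=com.example.requester, pid=97, binary_path=/usr/libexec/example-requester},
09:16:40 tccd: AttributionChain: accessing={identifier=com.example.vpnclient.helper, pid=840, binary_path=/Applications/Example VPN.app/Contents/Helpers/helper}, requesting={identifier=com.example.requester, pid=97, binary_path=/usr/libexec/example-requester},
EOF
}

# Read log lines on stdin; print unique "role<TAB>identifier<TAB>binary_path".
tcc_attribution_summary() {
    awk '
    /AttributionChain/ {
        line = $0
        # Walk every role={...} group on the line.
        while (match(line, /[a-z_]+=[{][^}]*[}]/)) {
            grp  = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            role = grp; sub(/=.*/, "", role)
            id = ""; path = ""
            if (match(grp, /identifier=[^,}>]*/))
                id = substr(grp, RSTART + 11, RLENGTH - 11)
            if (match(grp, /binary_path=[^,}>]*/))
                path = substr(grp, RSTART + 12, RLENGTH - 12)
            key = role "\t" id "\t" path
            # Report each distinct binary once, however often it is logged.
            if (id != "" && !(key in seen)) { seen[key] = 1; print key }
        }
    }'
}
```

Each `binary_path` in the output can then be passed to `codesign -dr -` on the Mac to obtain the code requirement a PPPC profile entry needs.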