Posted on 07-06-2023 12:48 AM
Hello !
I have some questions regarding PPPC for apps permissions.
First of all, I would like to know how I can find what an app needs for permissions. Access to accessibility, full disk access or user's folders, etc... Most of the time, I have a window asking an app to have access to accessibility for example but for controlling Finder, System Events, System UI Server, I don't know if I have to grant it or not. I ask that because I made a PPPC for apps like Teams but one user had the problem that she couldn't share her screen with others. She needed admin rights but she's a standard user. I didn't think about this and had to change my profile. I would like to avoid that because it was a serious problem for her when it happened.
In fact, I would like to fine tune my PPPCs so they are more strict but with enough permissions. I also fear that an app needs more permissions but the user can't grant them as it needs admin rights. Screen recording, for example, or granting access to desktop, downloads and documents folder, but asking for more later ? I know that I can give user's approval in PPPCs for screen recording. I use PPPC Utility but sometimes, it's no help. I found another nice app, iMazing profile Editor, but I didn't find where I can allow a user to approve when it should be an admin (still screen recording for example). It seems that it's best to create a profile manually.
Another question: what is the best practice ? One configuration profile per app or can I make one for multiple apps. 1 profile for Teams and Zoom, or one for each app for example ? Do I have to try to make as few PPPCs as possible or it doesn't change anything ?
A last question: what does granting an app to control com.apple.finder, com.apple.systemevents and com.apple.systemuiserver do ? I didn't find documentation about those 3 and I would like to know the mechanisms behind.
Thank you for your advices !
Posted on 07-06-2023 06:02 AM
I do all PPPC settings in 2 profiles just for convenience. One profile is only PPPC (Screen Recording) with things like Teams, Webex, SnagIt, etc that require the user to approve screen control. For that, you just choose the option to let allow standard users to make the change.
I have a 2nd profile for everything else, like security tools that require full-disk access for example. Only the screen recording settings give a standard user option, for everything else I just run the software and see what manual prompts come up and add them to the PPPC profile if its something we want to suppress for users.
Posted on 07-08-2023 07:38 AM
@Spillou wrote:First of all, I would like to know how I can find what an app needs for permissions. Access to accessibility, full disk access or user's folders, etc... Most of the time, I have a window asking an app to have access to accessibility for example but for controlling Finder, System Events, System UI Server, I don't know if I have to grant it or not. I ask that because I made a PPPC for apps like Teams but one user had the problem that she couldn't share her screen with others. She needed admin rights but she's a standard user.
You can use the command below to show all logs that caused a prompt for tcc;
/usr/bin/log show -style syslog --predicate 'subsystem == "com.apple.TCC"' --info --last 1h | grep Prompting
This will allow you to check back over the last hour and hopefully pinpoint which binary (and it's path) is requesting access. Also, you could allow the prompt then run;
/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' --info | grep Allow | grep binary_path
There's a lot of information to sift through but you will eventually find exactly the cause and how to action. If you get stuck, post some more logs and we can take a look.
Good luck!
Posted on 07-17-2023 12:08 AM
So we've been having issues with users needing handholding to grant full-disk access to apps like TeamViewer and Malwarebytes. We'll soon be deploying Jamf Protect and will have the same woes.
Now that all our users are on Big Sur, I thought I'd get back to PPPC and deploy some configs to help out.
Signing a mobile config seems to be the crux of my fumbles. When I use the direct Upload function of the PPPC Utility, I'm not allowed to change the "Signing Identity" It's greyed out with "Profile signed by server". This leads to an error when installing
In the payload (UUID: xxxxxx-xxxxxx-xxxxx), the key 'Authorization' has an invalid value.
Fine. I chose to save the mobileconfig, unsigned. I get the same issue.
Then I chose to save the mobileconfig and actually do sign it and it works...kinda
The apps are now working or longer reporting on not having Full Disk Access, but their boxes in Sec&Priv remain unchecked. Is this expected behavior or a byproduct of how I've setup the PPPC config?