"jamf" wants access to control "system events"

leonwun
Contributor

Hey there,

I edited a /bin/bash script that automatically checks the device's uptime and tells the user to restart his computer after 2 weeks of uptime (with the help of https://www.jamf.com/jamf-nation/discussions/17336/user-has-not-restarted-in-x-number-of-days)

The following part generates the "jamf" wants access to control "system events" message for end users:

#!/bin/bash

# Discover logged in user
user=$(stat -f%Su /dev/console)

# Execute code as logged in user (instead of root)
sudo -u "$user" /usr/bin/osascript <<-EOF

tell application "System Events"
    activate
    set question to display dialog "The device has not been restarted for [...]" ¬
        with title "RESTART YOUR COMPUTER" buttons {"Shut Down", "Restart", "Cancel"} ¬
        cancel button "Cancel" with icon caution
    set answer to button returned of question
    if answer is equal to "Shut Down" then
        tell application "System Events"
            shut down
        end tell
    end if
    if answer is equal to "Restart" then
        tell application "System Events"
            restart
        end tell
    end if
    if answer is equal to "Cancel" then
        return
    end if
end tell
EOF
exit 0

I already read the thread (https://www.jamf.com/jamf-nation/discussions/30388/loginwindow-wants-access-to-control-system-events) but couldn't find the solution there. The issue seems to be the tell / end tell statement but I can't find a way to change the script.
I tried several PPPCs and gave JAMF access to Accessibility, System Events and everything else that's required.

The script itself works fine.
Can someone help me out here?


scottb
Honored Contributor

When we slowed down the clicking of windows in our ADE, they went away (Monterey) and I feel like you're right on that... slowing down and letting things finish has rid us of the popup ¯\_(ツ)_/¯ 

Thanks for the idea.  It may not be the reason, but here it has helped alleviate most of these...

franton
Valued Contributor III

@lparnell PERFECT! That's awesome. I ended up building a mobileconfig file version of your work and included it in my most recent project. https://github.com/franton/Mac-Patcher-and-Upgrader

Full credit given.

fredrik_virding
Contributor

I'm seeing similar issues as well.

Fresh installed Mac via ADE / DEP.

franton
Valued Contributor III

My eventual solution was to dump as much applescript as possible, stop referring to finder or system events and the issue cleared up.

In the future, I will dump all the applescript as soon as a dialog alternative is around.

GabeShack
Valued Contributor III

@lparnell Did you find not having the "Big Sur Compatibility" turned on making a difference for machines with Big Sur? 

Gabe Shackney
Princeton Public Schools

lparnell
New Contributor II

I've honestly been so lost on this whole thing. I've started running into issues again with this and I don't know if it was one of the last updates that caused issues again or what. The last one I setup worked without utilizing the Big Sur Compatibility even though it was on Big Sur computers. Maybe using it will help with my current issue, but I can only bang my head against the wall for so long before I just give up.

GabeShack
Valued Contributor III

If only they could make this process more complicated...

Gabe Shackney
Princeton Public Schools

TheWarmAtlantic
New Contributor III

Anyone have this working with a fresh install of DEP-enrolled Big Sur 11.4? I had this working with Big Sur pre-11.4; trying to find out what changed.

vcastro4554
New Contributor II

I was able to resolve this with the following PPPC: 

Identifier: /usr/local/jamf/bin/jamf
Identifier Type: "Path"
Code Requirement
anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")

App Or Service = AppleEvents
Access = Allow
Receiver Identifier: com.apple.systemevents
Receiver Identifier Type: "Bundle ID"
Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple

Update: 
However after a tccutil reset Apple Events, the same pop up came back. Even after restart or reapplying the Configuration Profile. 

Anyone have any other suggestions?

jack_chung88
New Contributor

I managed to solve this one after days of trial and error.

I ended up using this article to monitor the logs as the process was running to call my AppleScript. It pointed to the jamf daemon. https://scriptingosx.com/2020/09/avoiding-applescript-security-and-privacy-requests/


I created a PPPC profile just for the jamf daemon and all worked. Has to be the Jamf Daemon binary and not the app - /Library/Application Support/Jamf/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon

 

Creating a monolithic PPPC profile with all the jamf binaries didn't work for me either and I suspect they were causing conflict. 

 

Hope this helps someone.

 

Screenshot 2021-11-15 at 12.06.10.png

teodle
Contributor II

@jack_chung88  This didn't work at all for me. On launching the policy that uses applescript, the user still gets prompted twice: One to let Jamf access  System Events and another for Finder. 

Once the user does that, then the policy works. But end users don't know what to make of prompts like that, nor should they ever have to if IT is managing their computer. Something's wrong with PPPC in Big Sur and the latest version of JAMF. We never had to worry about this before just using the PPPC templates provided by JAMF. 

Bol
Valued Contributor

This one had me pull a few hairs out but it's fixed now.. For anyone still following along, here's what I found..


macOS 12.1 -> user login (or Self Service item) will trigger a policy / script that calls osascript with a Finder tell block. "Jamf wants access to Finder.." began springing up.
Checking the logs below and reading some posts ( https://mjtsai.com/blog/2021/06/01/macos-11-4-breaks-full-disk-access-for-helper-tools/#comment-3465... ), I needed to explicitly whitelist helper executables included in the Jamf.app bundle; com.jamf.management.daemon ( login ), com.jamf.management.service ( self service )

 

/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' --info --last 1h

( https://krypted.com/mac-os-x/reviewing-tcc-dialog-prompts-using-logs-on-a-mac/  )

 

2022-01-17 22:33:43.340568+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] do_TCCAccessRequestIndirect: indirect object information processed

2022-01-17 22:33:43.340574+1030 0x15a6a    Default     0x45da1              9216   0    tccd: [com.apple.TCC:access] target_executable_path_URL: file:///Library/Application%20Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon

2022-01-17 22:33:43.340914+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from <TCCDProcess: identifier=com.apple.finder, pid=9338, auid=2041273090, euid=2041273090, binary_path=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder>

2022-01-17 22:33:43.340943+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] AttributionChain: accessing={<TCCDProcess: identifier=com.apple.finder, pid=9338, auid=2041273090, euid=2041273090, binary_path=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder>}, requesting={<TCCDProcess: identifier=com.apple.finder, pid=9338, auid=2041273090, euid=2041273090, binary_path=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder>},

 

But I had already done this, entries for both are whitelisted to send Apple Events to Finder etc. Reading on in the TCC logs I saw these below;

 

2022-01-17 22:33:43.341540+1030 0x15a6a Info 0x45da1 9216 0 tccd: [com.apple.TCC:access] -[TCCDAccessIdentity initWithIdentifier:type:executableURL:SDKVersion:platformType:]: self.bundle=0x129b055f0, bundle:<TCCDBundle: bundleID=com.jamf.management.Jamf, version=10.35.0-t1640197529, path=/Library/Application Support/JAMF/Jamf.app>; for: com.jamf.management.daemon, URL: file:///Library/Application%20Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon, /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon

2022-01-17 22:33:43.342193+1030 0x15a6a    Default     0x45da1              9216   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.jamf.management.daemon, type: 0: 0x129b0b1c0 at /Library/Application Support/JAMF/Jamf.app

2022-01-17 22:33:43.369037+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x129b0b1c0) from com.jamf.management.daemon : identifier "com.jamf.management.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: -67050

2022-01-17 22:33:43.369054+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceAppleEvents, com.jamf.management.daemon>; result: Auth:Unknown (<Unspported Authorization Reason value>); because: code does not meet requirement

 

It seemed my issue was during validation of the code requirement for the JamfDaemon executable. As a test, I even tried relaxing that requirement to ( identifier "com.jamf.management.daemon" and anchor apple generic ) but still no change!!  I tried again but this time, using the identifier of the parent bundle e.g. Jamf.app

 

Identifier: com.jamf.management.daemon
Code Requirement : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

 

Once deployed, everything began working again as normal with no further prompts for approval on login. I did this again for JamfManagementService ( Self Service ) and it also worked by removing user prompts on execution.

 

Identifier: com.jamf.management.service
Code Requirement : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443" 

 

So for my environment, changing the code requirement identifier on both whitelist entries to match the parent bundle they live in, ( /Library/Application Support/JAMF/Jamf.app : identifier "com.jamf.management.Jamf" ) worked for me.

 

Bol_0-1642518436088.png

Bol_1-1642518451378.png
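An added example, not part of Bol's post or of any Jamf tooling: a small POSIX shell triage script that parses tccd lines like the ones above (the same lines Bol quotes again further down the thread, together with the later passing check for com.jamf.management.Jamf) and pulls out which identity failed its code requirement, with what status, and which service was denied as a result. The sample input is the thread's own log lines embedded verbatim; the function names are made up here, and the `log show` invocation in the comment is the one Bol used.

```shell
#!/bin/sh
# tcc_triage: summarise TCC code-requirement failures from `log show` output.
# Added example, not code from the thread. Sample data below is the tccd lines
# quoted in the thread. On a Mac you would pipe the real output in instead:
#   /usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' --info --last 1h | tcc_triage

# Sample input (lines quoted in the thread): one failing check, one denial, one passing check.
tcc_sample_log() {
    cat <<'EOF'
2022-01-17 22:33:43.342193+1030 0x15a6a    Default     0x45da1              9216   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.jamf.management.daemon, type: 0: 0x129b0b1c0 at /Library/Application Support/JAMF/Jamf.app
2022-01-17 22:33:43.369037+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x129b0b1c0) from com.jamf.management.daemon : identifier "com.jamf.management.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: -67050
2022-01-17 22:33:43.369054+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceAppleEvents, com.jamf.management.daemon>; result: Auth:Unknown (<Unspported Authorization Reason value>); because: code does not meet requirement
2022-02-15 09:06:11.170246+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x7f8b8ca18490) from com.jamf.management.Jamf : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: 0
EOF
}

# Every SecStaticCodeCheckValidity() result, one per line:  identifier|status|requirement
tcc_requirement_checks() {
    sed -n 's/.*SecStaticCodeCheckValidity() static code ([^)]*) from \([^ ]*\) : \(.*\); status: \(-*[0-9]*\).*/\1|\3|\2/p'
}

# Keep only checks whose status is non-zero (0 means the requirement was satisfied).
tcc_failed_checks() {
    awk -F'|' '$2 != 0'
}

# Every "Override: eval" denial, one per line:  service|identifier|reason
tcc_denials() {
    sed -n 's/.*Override: eval: matched <\([^,]*\), \([^>]*\)>.*; because: \(.*\)$/\1|\2|\3/p'
}

# Human-readable summary. Status -67050 is errSecCSReqFailed from the Security
# framework: the binary is validly signed but does not satisfy the requirement
# string the profile supplied, so the profile's CodeRequirement is what to fix.
tcc_triage() {
    log=$(cat)
    printf '%s\n' "$log" | tcc_requirement_checks | tcc_failed_checks |
    while IFS='|' read -r ident status req; do
        printf 'FAILED requirement check for %s (status %s)\n  requirement: %s\n' "$ident" "$status" "$req"
        if [ "$status" = "-67050" ]; then
            printf '  -> errSecCSReqFailed: signed code does not satisfy that requirement; check the identifier/anchor in the profile\n'
        fi
    done
    printf '%s\n' "$log" | tcc_denials |
    while IFS='|' read -r service ident reason; do
        printf 'DENIED %s for %s: %s\n' "$service" "$ident" "$reason"
    done
}

# Run against the embedded sample when executed directly.
tcc_sample_log | tcc_triage
```

On the sample, the only failed check is com.jamf.management.daemon against a requirement naming its own identifier, while the check against the parent bundle's requirement (com.jamf.management.Jamf) passes with status 0, which is the difference Bol's fix relies on.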

 

 

 

 

GabeShack
Valued Contributor III

@Bol I started playing around with this as I also started needing to have users click the OK button when it popped the "Jamf" wants access to control "System Events" message.  In our environment this is due to an AppleScript that takes their username and adds our domain name onto it to at least make Creative Cloud logins one step easier, as well as opening Safari and (default website) our ClassLink portal; it also types in the username (as well as opens Safari extensions so the user can click on the ClassLink extension).

 

I tried to use your suggestion however after setting the identifier to the generic .Jamf, then it seems to forget to give osascript permission to use accessibility to be able to type in what I want.

 

We are now using 12.2 and from the links you included, it looks like this was indeed broken in 11.4 (and worked previously for my login scripts).

I'm still playing around though and will update if I find anything further.

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

@GabeShack Did you try using the whole identifier below, this is what worked for me;

Identifier: com.jamf.management.daemon
Code Requirement : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

There may be new requirements preventing the relaxed one from working. I would leave your existing profiles and create another to apply alongside with more access. I then worked back to find the correct permissions needed.

My pop ups were Jamf accessing Finder, with system events you may need accessibility or try full disk access to start allowing: com.jamf.management.service (Self Service)

Could you post the TCC access logs to see what is requiring the access?

GabeShack
Valued Contributor III

Screen Shot 2022-02-07 at 5.08.57 PM.png

@Bol My logs showed the app I was telling to open with osascript wanted the access.  Creative Cloud and its helpers.  So now I'm wondering if I can just remove that portion, but even when my script opens Safari it asks for that as well.  I used your whole identifier and the same code requirement; however, it actually ended up prompting for more access.

 

 

Gabe Shackney
Princeton Public Schools

I was having similar issues until I found another discussion where it was mentioned to remove this part of the osascripts:

tell application "System Events" 

Once the tell and end tell were removed, that popup was just gone. Odd.

Bol
Valued Contributor

@Mauricio Yes, this is supposed to happen by design. 
We created profiles that allowed AppleScript to access, say, Finder in the logged-on user context, although it looks like the requirement changed for bundled app IDs after security updates.

Making the profile changes I mentioned above, using macOS 12.2, I’ve been able to keep my AppleScript “Tell” blocks of code as below. For now..

Jamf -> Bash -> osascript -> Finder

Bol
Valued Contributor

Include this in a profile, along with all the regular permissions / Apple Events you would normally give Jamf;

Screen Shot 2022-02-08 at 8.40.30 am.png

Screen Shot 2022-02-08 at 8.41.09 am.png

Bol
Valued Contributor

@GabeShack Also, I would include any other application bundles or binaries that this script touches. So if something from Adobe, also include an Apple Event for Self Service to access it.

GabeShack
Valued Contributor III

@bol Actually we are not using Self Service for this piece, but a script that happens during the first log in.  If I can make the same thing happen without using the tell command, it's fine.  But I don't think it will allow keystrokes to be entered without the tell command.

 

I'm still tweaking some of the scripts I used to use since now I don't need it to use the Creative Cloud app; I changed Creative Cloud to only use browser sign-ins so that it will be locked into our Microsoft SSO.

My need is now just to get safari to type in the current users email address and then hit enter.  So I'm going to play around with making this happen with removing the tell command to see what that does in practice.  

@Mauricio I saw that discussion too, but now I've lost it lol.

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

Ok, that was the same as me, login script which is kicked off by the daemon.

What worked for me was whitelisting JamfDaemon's identifier, with the code requirement of the Jamf.app bundle it lives inside.

/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon

Identifier: com.jamf.management.daemon


/Library/Application Support/JAMF/Jamf.app

Code Requirement : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Allow it Apple Event access to osascript and you should be good to go. Although my popup was resolved by giving access to Finder (I was calling 'tell application "Finder" make new alias to smbMount at desktop..), yours is asking for system events.

If you run the show log for tcc, you should be able to narrow it down as I did here;

2022-01-17 22:33:43.340574+1030 0x15a6a    Default     0x45da1              9216   0    tccd: [com.apple.TCC:access] target_executable_path_URL: file:///Library/Application%20Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon

2022-01-17 22:33:43.340914+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] Constructed 'accessingProcess' from indirect_object_token in message from <TCCDProcess: identifier=com.apple.finder, pid=9338, auid=2041273090, euid=2041273090, binary_path=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder>

2022-01-17 22:33:43.340943+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] AttributionChain: accessing={<TCCDProcess: identifier=com.apple.finder, pid=9338, auid=2041273090, euid=2041273090, binary_path=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder>}, requesting={<TCCDProcess: identifier=com.apple.finder, pid=9338, auid=2041273090, euid=2041273090, binary_path=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder>},

 

Bol
Valued Contributor

I removed as many of the Tell commands from my scripts as well but could never quite find a working alternative to creating an alias that reconnected to smb shares.

GabeShack
Valued Contributor III

So I'm testing this again with adding the general .Jamf piece on the code requirement.  However I'm now layering these with my previous entries and wondering if they are conflicting with each other.

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

From the config profiles being applied, if there are two of the same identifiers declared, I believe it will apply the most restrictive. I had singular profiles for everything originally but then started again, making one larger profile for everything Jamf. I took their example on github and needed to add the daemon / service binaries to it.

Bol_0-1644362704992.png

 

Bol
Valued Contributor

See these logs which will detail the reason it failed, which was code requirement. Using PPPC, if you drag the JamfDaemon into the window and upload it, this was what happened.
Editing its code requirement to match that of the Jamf binary instead is what worked. I believe these helper binaries used to inherit approval based on the Jamf.app; now they don't, so a slight change was needed.

2022-01-17 22:33:43.341540+1030 0x15a6a Info 0x45da1 9216 0 tccd: [com.apple.TCC:access] -[TCCDAccessIdentity initWithIdentifier:type:executableURL:SDKVersion:platformType:]: self.bundle=0x129b055f0, bundle:<TCCDBundle: bundleID=com.jamf.management.Jamf, version=10.35.0-t1640197529, path=/Library/Application Support/JAMF/Jamf.app>; for: com.jamf.management.daemon, URL: file:///Library/Application%20Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon, /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon

2022-01-17 22:33:43.342193+1030 0x15a6a    Default     0x45da1              9216   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.jamf.management.daemon, type: 0: 0x129b0b1c0 at /Library/Application Support/JAMF/Jamf.app

2022-01-17 22:33:43.369037+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x129b0b1c0) from com.jamf.management.daemon : identifier "com.jamf.management.daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: -67050

2022-01-17 22:33:43.369054+1030 0x15a6a    Info        0x45da1              9216   0    tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceAppleEvents, com.jamf.management.daemon>; result: Auth:Unknown (<Unspported Authorization Reason value>); because: code does not meet requirement

 

Bol
Valued Contributor

Sorry, I just remembered about the script. I haven't tested, but I understand you could remove the following tell statement; 

tell application "Safari" to activate

 Although the others would be required for what you are trying.

GabeShack
Valued Contributor III

@Bol If you'd like to test if you can get it not to prompt, I'd be quite in your debt.  Here is the code which assumes that the Safari window is already opened to the online creative cloud login which is something like this https://auth.services.adobe.com/en_US/index.html

EDIT: I've modified the below script a few times so just posted the new version that I have gotten to work appropriately, but still need to get that prompt for Jamf with System Events to go away.

 

 

 

#!/bin/bash
# Wait for the Dock so the login session is usable before typing anything
dockStatus=$(pgrep -x Dock)

echo "Waiting for Desktop..."

while [[ "$dockStatus" == "" ]]
do
  echo "Desktop is not loaded. Waiting."
  sleep 3
  dockStatus=$(pgrep -x Dock)
done
# Console owner is the logged-in user; determined before it is echoed or used
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
echo "$currentUser has successfully logged on! The Dock appears to be loaded with PID $dockStatus."
sleep 3
sudo -u "$currentUser" osascript <<EOF
delay 2
tell application "System Events"
    keystroke "$currentUser"
    delay .5
    keystroke "@princetonk12.org"
    delay 1
    keystroke return
    delay 5
    keystroke "w" using command down
    delay 5
    keystroke "w" using command down
    delay 3
end tell
EOF
sudo -u "$currentUser" open http://link.princetonk12.org
sleep 2
sudo -u "$currentUser" osascript <<EOF
tell application "Safari" to activate
delay 3
tell application "System Events"
    keystroke "$currentUser"
    delay 3
    tell application "Safari" to activate
    delay 4
    tell application "System Events" to tell process "Safari"
        keystroke "," using command down
        tell window 1
            click button "Extensions" of toolbar 1
            activate "Extensions"
            keystroke return
        end tell
    end tell
end tell
EOF

 

 

 

I've scoured the log files as you listed above and added entries for both Jamf as you have shown and for the helper apps like Safari and of course osascript, but adding them and creating a large Jamf TCC profile still didn't fix the prompt.  Happy for any outside eyes on this script and any prompts.

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

@Bol Maybe can you share full screen shots of your whole Config Profile and I'll just replicate the individual lines to see if that works?

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

Working on this again today.  I'm really going nuts trying to get this proper.

Here is the jamf log that shows when I click "Deny" on the Jamf wants to control message:

41:76: execution error: Not authorized to send Apple events to System Events. (-1743) 105:123: execution error: Not authorized to send Apple events to System Events. (-1743)

I do see in my full log file from the Mac I'm testing on that the parent process differs, but making the changes you suggest then causes the process to not be whitelisted for Accessibility.  It is like I can get it to not make the Jamf wants to control message, but then Accessibility is gone from the whitelist.  So I can't seem to have both.  

 

Again this is all in the name of making the first user login touchless so the script is just inputting their username and hitting enter which requires system events and accessibility. 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

I'm probably just bothering too many people at this point, but I'm really spending too much time tearing my hair out so I'm throwing this out to @talkingmoose and @rtrouton and @bentoms and maybe @donmontalvo and @mm2270 to maybe take a look to see if you can add any of your amazing brains to this issue.  I feel like I've tried to do every variation of the PPPC for Jamf and its processes, as well as osascript.  But things are still not working and this is really the last piece of a great (almost) no-touch login process and I so don't want my end users clicking the "Allow" button.  My script is listed above and works perfectly once I click approve, but I need to get rid of the message which is still squeaking through all my whitelists (that used to work before 11.4).

I can post the logs from the tcc approvals/denials (although they are quite long) if needed.

 

If any of you can help I'd be unbelievably appreciative!

Gabe Shackney
Princeton Public Schools

rtrouton
Release Candidate Programs Tester

Can you post the PPPC profile that you're using? It may not have all the correct permissions for Jamf and osascript.

For comparison, I've posted a PPPC profile which should be comprehensive for Jamf and osascript sending AppleEvents:

https://gist.github.com/rtrouton/daa89fd7a27a52137865aff015d474ad

GabeShack
Valued Contributor III

@rtrouton Thanks so much for the response!

My older Jamf TCC profile which worked before (maybe) 11.4 is shown below, but I had a 2nd separate TCC profile for osascript.  I have most of the TCC config profiles set separately and again they used to work in that regard.  I'm going to attempt using just your profile and exclude my two from it, but in looking it over I don't see the access to Accessibility that I think it may require to input keyboard typing.  I'll let you know though.

Screen Shot 2022-02-11 at 12.22.25 PM.png

Screen Shot 2022-02-11 at 12.22.17 PM.png

Screen Shot 2022-02-11 at 12.22.06 PM.png

Screen Shot 2022-02-11 at 12.21.56 PM.png

Screen Shot 2022-02-11 at 12.21.44 PM.png

Screen Shot 2022-02-11 at 12.21.27 PM.png

      

 

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

@rtrouton So I just tried your profile and it also states the same, that Jamf wants access to System Events.  (It did also ask for Accessibility as I thought.)  What's interesting is if I look at Security & Privacy under Automation as to what got added when I clicked approve, it shows the "Parent" process of JamfDaemon (which looks to be the app and not the process inside the app).

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

What's interesting is if I look at Security & Privacy under Automation as to what got added when I clicked approve, it shows the "Parent" process of JamfDaemon (which looks to be the app and not the process inside the app).

@GabeShack 
Yes! This is exactly what I have been saying, I tried to paste a config profile you could upload into Jamf but it didn't work. Just make sure your entries for these binaries match code requirements.

<dict>
	<key>Allowed</key>
	<integer>1</integer>
	<key>CodeRequirement</key>
	<string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
	<key>Identifier</key>
	<string>com.jamf.management.service</string>
	<key>IdentifierType</key>
	<string>bundleID</string>
	<key>StaticCode</key>
	<integer>0</integer>
</dict>
<dict>
	<key>Allowed</key>
	<integer>1</integer>
	<key>CodeRequirement</key>
	<string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
	<key>Identifier</key>
	<string>com.jamf.management.daemon</string>
	<key>IdentifierType</key>
	<string>bundleID</string>
	<key>StaticCode</key>
	<integer>0</integer>
</dict>




Bol
Valued Contributor

@GabeShack wrote:

@rtrouton So I just tried your profile and it also states the same, that Jamf wants access to System Events.  (It did also ask for Accessibility as I thought.)  What's interesting is if I look at Security & Privacy under Automation as to what got added when I clicked approve, it shows the "Parent" process of JamfDaemon (which looks to be the app and not the process inside the app).


It used to be those helper binaries would be allowed permissions, given we have profiles whitelisting the jamf.app bundle. That's no longer the case.

When we whitelist those binaries (daemon & service) they need to have the code requirement of the jamf.app bundle they live in, not their own.

Bol
Valued Contributor

@GabeShack Sorry I didn't get back to you earlier, timezones and a full on week back to school.

 

I can take a look at the script, no troubles, but I can already see the problem with your profile. As I mentioned in my original post in this thread, you need to change the code requirement to match the parent jamf.app it's located in, not that of the binary itself.

See your profile picture here;

Bol_0-1644717859564.png

 

Change it to look like this, I posted this above accessing osascript;

Bol_1-1644718038659.png

You need to change this for the daemon (login triggers) and the service (launched from self service)

Identifier: com.jamf.management.daemon
Code Requirement : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

 

Identifier: com.jamf.management.service
Code Requirement : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Let me know if that works or not.

GabeShack
Valued Contributor III

@Bol I tried exactly what you stated; however, as I said earlier, yes it removed the prompt for JAMF wants access, however then it didn't allow for the keyboard input to happen since changing the parent process confuses the TCC whitelisting for Accessibility. So it seems I can either have the message that JAMF wants access or it prompts to allow Accessibility. But I cannot have both for this script if we edit the parent and child processes. 

 

Do me a favor and try running my script at login. (You'll need a window of any app opened that has a login screen or input menu showing for it to type something, so maybe open a Safari webpage to something where it can type as soon as you log in.)

Gabe Shackney
Princeton Public Schools

GabeShack
Valued Contributor III

I think I'm going to have to give up on having AppleScript type in the login info; I just can't find a way to make this work in its current form.

Gabe Shackney
Princeton Public Schools

Bol
Valued Contributor

@GabeShack wrote:

I think I'm going to have to give up on having AppleScript type in the login info; I just can't find a way to make this work in its current form.


I personally think that would be the best bet, as you can't guarantee how long Apple will allow what your script is trying to achieve. 

I tried to step through your script in between my own work; you really need to break out the line of code which is prompting for TCC access and provide logs so we can take a look. It takes time. 

In the time I had I was seeing the opposite of a "mismatch", running from Self Service it showed;

 

2022-02-15 09:06:11.135978+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] AttributionChain: responsible={<TCCDProcess: identifier=com.jamf.management.service, pid=4004, auid=665241948, euid=665241948, responsible_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService, binary_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService>}, accessing={<TCCDProcess: identifier=com.jamfsoftware.jamf, pid=4007, auid=665241948, euid=0, binary_path=/usr/local/jamf/bin/jamf>}, requesting={<TCCDProcess: identifier=com.apple.mds, pid=115, auid=0, euid=0, binary_path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds>},

2022-02-15 09:06:11.136035+1030 0x130b9    Default     0x369de              1417   0    tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=115.159, function=<private>, service=kTCCServiceReminders, preflight=yes, query=1,

2022-02-15 09:06:11.136078+1030 0x130b9    Default     0x369de              1417   0    tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=115.159, attribution={responsible={<TCCDProcess: identifier=com.jamf.management.service, pid=4004, auid=665241948, euid=665241948, responsible_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService, binary_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService>}, accessing={<TCCDProcess: identifier=com.jamfsoftware.jamf, pid=4007, auid=665241948, euid=0, binary_path=/usr/local/jamf/bin/jamf>}, requesting={<TCCDProcess: identifier=com.apple.mds, pid=115, auid=0, euid=0, binary_path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds>}, },

2022-02-15 09:06:11.137580+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService[115]: from cache: = com.jamf.management.Jamf, type 0 (32/52)

2022-02-15 09:06:11.137588+1030 0x130b9    Default     0x369de              1417   0    tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=115.159, subject=com.jamf.management.Jamf,

2022-02-15 09:06:11.138709+1030 0x130b9    Default     0x369de              1417   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.jamf.management.Jamf, type: 0: 0x7f8b8ca18490 at /Library/Application Support/JAMF/Jamf.app

2022-02-15 09:06:11.170246+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x7f8b8ca18490) from com.jamf.management.Jamf : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: 0

2022-02-15 09:06:11.170264+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceReminders, com.jamf.management.Jamf>; result: Auth:Allowed (<Unspported Authorization Reason value>); because: code meets requirement
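The lines above are the useful part of a tccd trace: the attribution chain (responsible / accessing / requesting), the service being checked, the subject identity TCC actually evaluates, the designated requirement it matched, and the final decision. The following is an added example, not code from this thread or from Jamf, that pulls those fields out of a saved `log show` / `log stream --predicate 'subsystem == "com.apple.TCC"'` capture so you can see at a glance which identifier a PPPC payload must target. The sample log is constructed from the format of the lines quoted above (identifiers, paths and the requirement string follow the post; pid and auid values are placeholders):

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the tccd lines quoted in the post above.
# pid/auid/euid values are placeholders; identifiers and paths follow the post.
SAMPLE_LOG = """\
2022-02-15 09:06:11.135978+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] AttributionChain: responsible={<TCCDProcess: identifier=com.jamf.management.service, pid=4004, auid=501, euid=501, responsible_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService, binary_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService>}, accessing={<TCCDProcess: identifier=com.jamfsoftware.jamf, pid=4007, auid=501, euid=0, binary_path=/usr/local/jamf/bin/jamf>}, requesting={<TCCDProcess: identifier=com.apple.mds, pid=115, auid=0, euid=0, binary_path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds>},
2022-02-15 09:06:11.136035+1030 0x130b9    Default     0x369de              1417   0    tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=115.159, function=<private>, service=kTCCServiceReminders, preflight=yes, query=1,
2022-02-15 09:06:11.137588+1030 0x130b9    Default     0x369de              1417   0    tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=115.159, subject=com.jamf.management.Jamf,
2022-02-15 09:06:11.170246+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x7f8b8ca18490) from com.jamf.management.Jamf : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: 0
2022-02-15 09:06:11.170264+1030 0x130b9    Info        0x369de              1417   0    tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceReminders, com.jamf.management.Jamf>; result: Auth:Allowed (<Unspported Authorization Reason value>); because: code meets requirement
"""

# One TCCDProcess block per role in the attribution chain.
PROCESS_RE = re.compile(r"(responsible|accessing|requesting)=\{<TCCDProcess: ([^>]*)>\}")
MSGID_RE = re.compile(r"msgID=([\d.]+)")
SERVICE_RE = re.compile(r"service=(kTCCService\w+)")
SUBJECT_RE = re.compile(r"AUTHREQ_SUBJECT: msgID=[\d.]+, subject=([\w.\-]+)")
# Designated requirement that tccd checked the subject's static code against.
REQUIREMENT_RE = re.compile(r"static code \(0x[0-9a-f]+\) from ([\w.\-]+) : (.+?); status: (-?\d+)")
OVERRIDE_RE = re.compile(
    r"Override: eval: matched <(kTCCService\w+), ([\w.\-]+)>; result: Auth:(\w+).*?because: (.+)$"
)


@dataclass
class TccDecision:
    msg_id: Optional[str] = None
    service: Optional[str] = None
    subject: Optional[str] = None          # identity TCC actually evaluates
    chain: Dict[str, Dict[str, str]] = field(default_factory=dict)  # role -> fields
    requirement: Optional[str] = None      # code requirement it was matched against
    requirement_status: Optional[int] = None  # 0 means SecStaticCodeCheckValidity passed
    result: Optional[str] = None
    reason: Optional[str] = None


def parse_tcc_log(text: str) -> TccDecision:
    """Collect the fields of one TCC authorization request from tccd log lines."""
    d = TccDecision()
    for line in text.splitlines():
        if "tccd:" not in line:
            continue
        for role, body in PROCESS_RE.findall(line):
            # body is "key=value, key=value, ..."; paths contain spaces but no commas
            d.chain[role] = dict(kv.split("=", 1) for kv in body.split(", "))
        if "AUTHREQ_CTX" in line:
            m = MSGID_RE.search(line)
            d.msg_id = m.group(1) if m else d.msg_id
            m = SERVICE_RE.search(line)
            d.service = m.group(1) if m else d.service
        m = SUBJECT_RE.search(line)
        if m:
            d.subject = m.group(1)
        m = REQUIREMENT_RE.search(line)
        if m:
            d.requirement = m.group(2)
            d.requirement_status = int(m.group(3))
        m = OVERRIDE_RE.search(line)
        if m:
            d.service = d.service or m.group(1)
            d.result = m.group(3)
            d.reason = m.group(4)
    return d


def explain(d: TccDecision) -> List[str]:
    """Human-readable findings: what was decided and what a PPPC payload must name."""
    notes = []
    acc = d.chain.get("accessing", {})
    resp = d.chain.get("responsible", {})
    if d.subject and acc.get("identifier") and d.subject != acc["identifier"]:
        notes.append(
            f"TCC evaluated subject {d.subject}, not the accessing binary "
            f"{acc['identifier']} ({acc.get('binary_path')}); a PPPC payload must "
            f"target the subject's identifier and code requirement."
        )
    if acc.get("euid") and resp.get("euid") and acc["euid"] != resp["euid"]:
        notes.append(
            f"privilege boundary in chain: responsible euid={resp['euid']}, "
            f"accessing euid={acc['euid']}"
        )
    if d.requirement_status not in (None, 0):
        notes.append(f"code requirement check failed with status {d.requirement_status}")
    notes.append(f"{d.service}: {d.result} because {d.reason}")
    return notes


if __name__ == "__main__":
    decision = parse_tcc_log(SAMPLE_LOG)
    print("requirement:", decision.requirement)
    for note in explain(decision):
        print("-", note)
```

The `requirement` field is the exact designated requirement string that tccd matched, which is what the CodeRequirement key of a PPPC profile needs to contain; comparing `subject` with `chain["accessing"]["identifier"]` is the quickest way to see why a profile written for the binary that appears to be asking (here `/usr/local/jamf/bin/jamf`) does not stop the prompt.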

GabeShack
Valued Contributor III

@Bol I did get it to stop prompting for access to System Events; however, it still prompts for Accessibility, I think again because of the way the main process uses the child process, so the whitelist is not working correctly for this flag. But for the life of me, no matter the combination, I can't get it to approve both.

The piece it wants for Accessibility is JamfDaemon, the app inside of the Jamf app, not the process inside of JamfDaemon.

I'm going to try one more thing: I'm wondering if you can make one profile for the process name and a second for the path name, or if it tries to apply both ways to the same process. I need a way to make one profile with the changes you suggested and another that is still just allowing Accessibility, since that breaks when you change the identifier info.

Gabe Shackney
Princeton Public Schools