We just upgraded our Jamf Pro server to 10.7.1. After doing so, we noticed that our computers running Mojave ask the user for access to several types of data the first time inventory is updated. This includes contacts, calendar, and photos. Our users will be extremely uncomfortable with these messages, and I'd like to know how to turn that off, or else we will need to revert our Jamf server to an older version.
For the time being, I've had to turn off our policy to automatically update inventory, which obviously is not ideal.
See the screenshot below for an example of what this looks like when running "sudo jamf recon" from the terminal. When this runs as part of a policy, "Terminal" is replaced with "jamfAgent"
Thank you for your insight!
It's got to do with the updated security policy by Apple in Mojave (https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf). Sounds like it was added last minute so things are not setup to work fully in v10.7.
The Jamf agents have been approved to run since you have v10.7.1 installed (you can verify this in sys prefs/profiles/privacy Prefs Policy) but it's very likely that you have scripts or policy's that calls individual apps (in this case Terminal) which hasn't been approved yet.
Trouton did a write up on it which seems to be the one everyone is referring to (https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/).
JAMF stipulates that it will be included in a later version of JSS (https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14)
I'm working on a similar issue but haven't rolled out any changes as yet. Jamf released a tool (https://github.com/jamf/PPPC-Utility) which allows you to roll out approved app configs but I'm trying to wrap my head around "which and what" needs to be approved.
@kevin.v The quickest workaround is just unchecking "Include home directory sizes" in your inventory collection settings. Otherwise, you'll need to create PPPC profiles to whitelist this behavior so users don't get those messages.