Posted on 10-04-2018 06:09 AM
Since upgrading to jamf Pro 10.7.1 I have started testing on Mojave and the additional security considerations around TCC profiles. Using this guide I have used tccprofile.py to generate .mobileconfig files for each application we want to whitelist (and each type of whitelist, e.g. notifications or file system access).
The problem starts when I consider scoping since each .mobileconfig file ends up in its own Configuration Profile. I'd like to avoid having to consider scoping each TCC profile separately. Having said that, I also realize that we may need to add/remove things later so doing so might not be the best idea.
Is there a happy medium such as adding multiple .mobileconfig files into a Configuration Profile as we can do with custom plists? If anyone has a better idea as to how to achieve this I'm all ears.
Thanks a lot,
Posted on 10-04-2018 07:20 AM
You can either have multiple configuration profiles, or combine all your TCC settings into one big profile. I'd go with the first option, that way if you have to make changes down the road, it's a lot easier. This means you might end up with a lot of profiles, and have to do a lot of scoping in Jamf, but it'll save you time down the road. Mojave will scan all the config profiles and apply all of them. If there are two similar/identical ones (let's say you have two config profiles that both deal with approving Terminal.app), the most restrictive of the two profiles will be used.
Posted on 10-04-2018 09:40 AM
That makes sense. I agree that it gets messy, maybe I'll create a separate category for TCC profiles to separate them out from everything else.