Help

Ventura "App Management"

AVmcclint
Honored Contributor

Posted on ‎02-06-2023 05:27 AM

We have encountered the scenario described in this post: https://developer.apple.com/forums/thread/715220

We took a brand new MacBookPro that came with Ventura pre-installed on it and after it enrolled via DEP, we sometimes login as the admin account and run sudo jamf policy to speed up the full enrollment process. This time we discovered that we encountered a problem. It appears that Ventura now doesn't let us run Terminal commands that change apps.  In System Settings > Privacy & Security > App Management Terminal was listed but not enabled.

Is there an MDM setting in Jamf that will allow us to pre-approve Terminal and any other apps we need to have this functionality?

0 Kudos
Reply
7 REPLIES 7

AVmcclint
Honored Contributor

Posted on ‎02-06-2023 05:29 AM

The associated notification:

Screen Shot 2023-02-06 at 8.28.15 AM.png

 

0 Kudos
Reply

sdagley
Esteemed Contributor II

‎02-06-2023 05:47 AM - edited ‎02-06-2023 05:51 AM

@AVmcclint There's a new SystemPolicyAppBundles property with macOS Ventura. It's not in the PPPC payload configuration UI as of Jamf Pro 10.42.1, but the iMazing Profile Editor supports it.

0 Kudos
Reply

kacey3
Contributor II
In response to sdagley

Posted on ‎07-23-2024 08:21 AM

We're on Jamf Pro 11.7.1 and I'm still not seeing the SystemPolicyAppBundles. Am I missing something?

0 Kudos
Reply

AVmcclint
Honored Contributor

Posted on ‎02-06-2023 09:03 AM

Thanks for pointing me to that. I found the setting but there are fields it is asking for input and I can't find any documentation for what it needs.

0 Kudos
Reply

sdagley
Esteemed Contributor II
In response to AVmcclint

Posted on ‎02-06-2023 10:03 AM

@AVmcclint I haven't had occasion to use it yet, but my understanding is it's configured basically the same as the SystemPolicyAllFiles setting (supposedly it's a subset of AllFiles added to Ventura specifically for app bundles so the settings can be more granular)

0 Kudos
Reply

adhuston
Contributor

Posted on ‎08-01-2023 01:08 PM

I'm interested in doing this as well.  Doesn't look like there was a resolution to this post.  Any chance you figured it out and can share your wisdom?

0 Kudos
Reply

A_Collins
Contributor

Posted on ‎11-20-2023 04:47 PM

I wrote a script to allow teminal controls app if anyone still needed this

 

#!/bin/bash

loggedInUser=$(ls -l /dev/console | awk '/ / { print $3 }')
last_modified=$(date "+%s")
db_location="/Users/$loggedInUser/Library/Application Support/com.apple.TCC/TCC.db"

REQ_STR=$(codesign -d -r- /System/Applications/Utilities/Terminal.app/ 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b /tmp/csreq.bin
REQ_HEX=$(xxd -p /tmp/csreq.bin  | tr -d '\n')
mod_REQHEX="X'$REQ_HEX'"


sqlite3 "$db_location" "INSERT INTO access VALUES('kTCCServiceSystemPolicyAppBundles','com.apple.Terminal',0,2,3,1,$mod_REQHEX,NULL,NULL,'UNUSED',NULL,0,$last_modified,NULL,NULL,'UNUSED',$last_modified);"
Reply