Ventura "App Management"

AVmcclint
Honored Contributor

We have encountered the scenario described in this post: https://developer.apple.com/forums/thread/715220

We took a brand new MacBook Pro that came with Ventura pre-installed on it and after it enrolled via DEP, we sometimes log in as the admin account and run sudo jamf policy to speed up the full enrollment process. This time we discovered that we encountered a problem. It appears that Ventura now doesn't let us run Terminal commands that change apps. In System Settings > Privacy & Security > App Management, Terminal was listed but not enabled.

Is there an MDM setting in Jamf that will allow us to pre-approve Terminal and any other apps we need to have this functionality?

6 REPLIES 6

AVmcclint
Honored Contributor

The associated notification:

Screen Shot 2023-02-06 at 8.28.15 AM.png

 

sdagley
Esteemed Contributor II

@AVmcclint There's a new SystemPolicyAppBundles property with macOS Ventura. It's not in the PPPC payload configuration UI as of Jamf Pro 10.42.1, but the iMazing Profile Editor supports it.

AVmcclint
Honored Contributor

Thanks for pointing me to that. I found the setting, but there are fields it is asking for input in and I can't find any documentation for what it needs.

sdagley
Esteemed Contributor II

@AVmcclint I haven't had occasion to use it yet, but my understanding is it's configured basically the same as the SystemPolicyAllFiles setting (supposedly it's a subset of AllFiles added to Ventura specifically for app bundles so the settings can be more granular)

adhuston
Contributor

I'm interested in doing this as well.  Doesn't look like there was a resolution to this post.  Any chance you figured it out and can share your wisdom?

A_Collins
Contributor

I wrote a script to allow Terminal to control apps, if anyone still needed this

 

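#!/bin/bash
# Pre-approve Terminal for App Management by inserting a row into the
# logged-in user's TCC database.

# The owner of /dev/console is the user currently logged in at the GUI.
loggedInUser=$(stat -f%Su /dev/console)
last_modified=$(date "+%s")
db_location="/Users/$loggedInUser/Library/Application Support/com.apple.TCC/TCC.db"

# Compile Terminal's designated requirement to binary form in a private temp
# file (a fixed name under /tmp is unsafe for a script that runs as root).
csreq_bin=$(mktemp /tmp/csreq.XXXXXX) || exit 1
trap 'rm -f "$csreq_bin"' EXIT
REQ_STR=$(codesign -d -r- /System/Applications/Utilities/Terminal.app/ 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b "$csreq_bin"
# Hex-encode the binary requirement as an SQLite blob literal: X'...'
REQ_HEX=$(xxd -p "$csreq_bin" | tr -d '\n')
mod_REQHEX="X'$REQ_HEX'"

# Positional INSERT: the 17 values must line up with the columns of the access table.
sqlite3 "$db_location" "INSERT INTO access VALUES('kTCCServiceSystemPolicyAppBundles','com.apple.Terminal',0,2,3,1,$mod_REQHEX,NULL,NULL,'UNUSED',NULL,0,$last_modified,NULL,NULL,'UNUSED',$last_modified);"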