Wacom tablet privacy policy preference profile

dtmille2
Contributor II

By any chance has anyone here had any luck creating a privacy preference policy profile for Wacom tablets? All that is required to enable is Accessibility but for some reason when I create the policy with the PPPC utility the tablets don't respond properly.


blackholemac
Valued Contributor III

I have but will need to be back in the office to download and share it. I tested it in my art labs... Was kind of a pain in the butt

dgreening
Valued Contributor II

Every release Wacom seems to further run afoul of TCC/Accessibility requirements. GET IT TOGETHER!

dtmille2
Contributor II

So I believe I have this working now.

I followed Wacom's instructions here: https://www.wacom.com/en-us/support?linkId=57350690&guideTitle=Is-there-a-compatible-driver-for-Mac-OS-10.14-Mojave%3F&guideId=014-001

However, the apps they tell you to find, I found in the locations below shown in the screenshots, and deploying these in a PPP profile created in PPPC Utility appears to have configured the tablets correctly:


The WacomTabletDriver.app they tell you to find in the Resources folder is actually located at /Library/Application Support/Tablet/WacomTabletDriver.app

The second driver IS located at /Library/Application Support/Tablet/WacomTabletDriver.app/Contents/Resources/WacomTouchDriver.app.

There is a "TabletDriver.app" in /Library/Application Support/Tablet/WacomTabletDriver.app/Contents/Resources/, but that didn't work when creating a profile in the PPPC Utility.

RyanDahl
New Contributor II

So what values did you wind up using in Privacy Preferences Policy Control?

kricotta
Contributor II

would love a follow-up on this one as well...

Sincerely,

Kevin Ricotta
Jamf Technical Support

dtmille2
Contributor II

Hi guys,

Here are some screen shots of what it looks like in Jamf Pro. I made this in the PPPC Utility with https://www.wacom.com/en-us/support?linkId=57350690&guideTitle=Is-there-a-compatible-driver-for-Mac-OS-10.14-Mojave%3F&guideId=014-001 as a guide.

Does this help?


kwoodard
Contributor II

Thanks for this. I am going to be needing to do this soon.

siripati
New Contributor

How to create Preference profile for "input monitoring" on catalina os using pppc utility?

carlo_anselmi
Contributor III

@dtmille2 I have been able to specify "allow" for all the required Wacom items for Accessibility in PPPC utility but I miss how to automatically "tick" their boxes on client side. I noticed you also have "Apple Events" for each item but "Receiver code requirement" is not visible in your screen shots.
Is that the same that appears within "code requirement" ?
The Wacom items appear client side within security but an admin is required to unlock and tick the checkboxes
I likely miss something obvious
Many thanks!
Carlo

dtmille2
Contributor II

@carlo.anselmi , if memory serves me I believe I looked into the issue of the client side boxes not checking off in system preferences, and discovered that they may not when managing this with a configuration profile. However, if the profile is accomplishing its intended function, you are all good. In other words, this may be expected behavior.

The "Receiver code requirement" in my profile was created by the PPPC Utility. In taking a look at it just now, yes, it does look identical to what appears in "Code requirement".

carlo_anselmi
Contributor III

@dtmille2 many thanks again! I'll try some more testing with your info
Great to understand the unchecked boxes is the expected behavior!

TheDecline
New Contributor III

In the newest version of the wacom driver 6.3.38-3 as of today, the file you need to drag into PPPC Utility is located in /Library/PrivilegedHelperTools/com.wacom.IOManager. By doing this I was able to stop the nag and wacom driver issue we were seeing.

mlope653
New Contributor II

@TheDecline I was going through and trying to create the Profile for the com.wacom.IOManager.

However no matter what configs I set either through PPPC Utility, it doesn't work.

Do you mind sharing the config you made for this?

K_K_
New Contributor II

Anyone got this working on Catalina? I understand Apple won't let people manage the Input Monitoring, but it would be nice to have the accessibility working. The profile I created using the PPPC Utility for com.wacom.IOManager and Wacom Desktop Center didn't work. Any ideas?

snowfox
Contributor II

@K.K. Yes I have this working under Catalina 10.15.6
I used Jamf's PPPC Utility to make it:
https://github.com/jamf/PPPC-Utility
https://github.com/jamf/PPPC-Utility/releases/tag/1.2.0

Add to accessibility
/Library/PrivilegedHelperTools/com.wacom.IOManager.app

CAN'T Add to input monitoring via PPPC file 😞
/Applications/Wacom Tablet/.Tablet/FirmwareUpdater.app
/Applications/Wacom Tablet/.Tablet/TabletDriver.app
/Applications/Wacom Tablet/.Tablet/WacomTabletDriver.app
/Applications/Wacom Tablet/.Tablet/WacomTouchDriver.app

Add to full disk access
/Applications/Wacom Tablet/Wacom Desktop Center.app
/Applications/Wacom Tablet/Wacom Display Settings.app
/Applications/Wacom Tablet/Wacom Tablet Utility.app

When you import the finished PPPC mobileconfig file into Jamf, you also need to tick the 'Validate the static code requirement' tick box (for each app/setting listed, I have 4 as above.) in the Privacy Preferences Policy Control payload section in the Jamf interface to ensure you don't still get PPPC prompts in macOS. I do it as standard for every PPPC file I create.

The above settings got the pen & tablet working for me as regards drawing, pen buttons, scrolling and moving the mouse pointer around. If you need to monitor keyboard input, it has to be added manually to the input monitoring section unfortunately.

You will also get extra PPPC prompts when using the device utility software that comes with the tablet:
Wacom Desktop Center wants access to control System Preferences
Wacom Tablet Driver wants access to control System Preferences
Again the Jamf PPPC Utility can silence those.

snowfox
Contributor II

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>PPPC - Wacom Tablet</string>
            <key>PayloadDisplayName</key>
            <string>PPPC - Wacom Tablet</string>
            <key>PayloadIdentifier</key>
            <string>F14CB25C-8E2D-42AF-A404-EC8F22E4EF24</string>
            <key>PayloadOrganization</key>
            <string>YOUR-ORGANIZATION</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>6A9F734F-B0AA-4F3B-A16B-5B86AA85180F</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>Accessibility</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.wacom.IOManager" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.wacom.IOManager</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
                <key>SystemPolicyAllFiles</key>
                <array>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.wacom.Wacom-Desktop-Center</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.wacom.Wacom-Display-Settings" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.wacom.Wacom-Display-Settings</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                    <dict>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.wacom.RemoveWacomTablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.wacom.RemoveWacomTablet</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>PPPC - Wacom Tablet</string>
    <key>PayloadDisplayName</key>
    <string>PPPC - Wacom Tablet</string>
    <key>PayloadIdentifier</key>
    <string>F14CB25C-8E2D-42AF-A404-EC8F22E4EF24</string>
    <key>PayloadOrganization</key>
    <string>YOUR-ORGANIZATION</string>
    <!-- The top-level PayloadType is "Configuration"; the TCC type belongs to the inner payload only. -->
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>4192846A-74DE-4C8F-9F59-A6309BB4F82D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadScope</key>
    <string>System</string>
</dict>
</plist>

snowfox
Contributor II

The above works for me with a Wacom Intuos Tablet + latest driver 6.3.40-2 on macOS 10.15.6
and then these 2 posts below to get rid of the extra PPPC messages from the tablet utility software

snowfox
Contributor II

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Wacom Desktop Center wants access to control System Preferences</string>
            <key>PayloadDisplayName</key>
            <string>Wacom Desktop Center wants access to control System Preferences</string>
            <key>PayloadIdentifier</key>
            <string>93492BF7-C238-4518-98F0-6728C31E8023</string>
            <key>PayloadOrganization</key>
            <string>YOUR-ORGANIZATION</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>1F49F6A3-E677-4933-9A00-605A7C5675C7</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>AppleEvents</key>
                <array>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systempreferences" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systempreferences</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.wacom.Wacom-Desktop-Center" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.wacom.Wacom-Desktop-Center</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wacom Desktop Center wants access to control System Preferences</string>
    <key>PayloadDisplayName</key>
    <string>Wacom Desktop Center wants access to control System Preferences</string>
    <key>PayloadIdentifier</key>
    <string>93492BF7-C238-4518-98F0-6728C31E8023</string>
    <key>PayloadOrganization</key>
    <string>YOUR-ORGANIZATION</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>DCCC5E4C-CBB4-4012-AB53-8E141C792AF5</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

snowfox
Contributor II

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Wacom Tablet Driver wants access to control System Preferences</string>
            <key>PayloadDisplayName</key>
            <string>Wacom Tablet Driver wants access to control System Preferences</string>
            <key>PayloadIdentifier</key>
            <string>8A9C2C5F-F2A6-47B4-9756-41D61A8FCDDF</string>
            <key>PayloadOrganization</key>
            <string>YOUR-ORGANIZATION</string>
            <key>PayloadType</key>
            <string>com.apple.TCC.configuration-profile-policy</string>
            <key>PayloadUUID</key>
            <string>EACEF9F1-D8DE-4AB5-8270-7F63A29E8A1C</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Services</key>
            <dict>
                <key>AppleEvents</key>
                <array>
                    <dict>
                        <key>AEReceiverCodeRequirement</key>
                        <string>identifier "com.apple.systempreferences" and anchor apple</string>
                        <key>AEReceiverIdentifier</key>
                        <string>com.apple.systempreferences</string>
                        <key>AEReceiverIdentifierType</key>
                        <string>bundleID</string>
                        <key>Allowed</key>
                        <true/>
                        <key>CodeRequirement</key>
                        <string>anchor apple generic and identifier "com.wacom.wacomtablet" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG27766DY7)</string>
                        <key>Comment</key>
                        <string></string>
                        <key>Identifier</key>
                        <string>com.wacom.wacomtablet</string>
                        <key>IdentifierType</key>
                        <string>bundleID</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Wacom Tablet Driver wants access to control System Preferences</string>
    <key>PayloadDisplayName</key>
    <string>Wacom Tablet Driver wants access to control System Preferences</string>
    <key>PayloadIdentifier</key>
    <string>8A9C2C5F-F2A6-47B4-9756-41D61A8FCDDF</string>
    <key>PayloadOrganization</key>
    <string>YOUR-ORGANIZATION</string>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>1E290FCD-E266-457C-A550-AA412F6D8EEF</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
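
An added example, not part of any post in this thread: a small audit for PPPC profiles like the three above, checking the points the thread keeps returning to (Input Monitoring cannot be granted by profile, each code requirement should pin the bundle ID and Wacom's Team ID, and static validation). The function names are hypothetical, the sample profile is constructed, and treating the payload's `StaticCode` key as what Jamf's 'Validate the static code requirement' box sets is an assumption.

```python
import plistlib
import re

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Services a profile can deny but never grant; Input Monitoring is "ListenEvent".
DENY_ONLY = {"ListenEvent", "ScreenCapture", "Camera", "Microphone"}
TEAM_PIN = re.compile(r'leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})')


def check_entry(service, entry):
    """Return findings for one app entry under a TCC service."""
    ident = entry.get("Identifier", "")
    req = entry.get("CodeRequirement", "")
    where = f"{service}/{ident}"
    out = []
    if entry.get("Allowed") and service in DENY_ONLY:
        out.append(f"{where}: profiles can only deny this service")
    named = re.search(r'identifier "([^"]+)"', req)
    if entry.get("IdentifierType") == "bundleID" and (
            named is None or named.group(1) != ident):
        out.append(f"{where}: CodeRequirement names a different identifier")
    # "anchor apple generic" alone matches any Apple-issued developer
    # certificate, so the vendor's Team ID (subject.OU) must be pinned too.
    if "anchor apple generic" in req and not TEAM_PIN.search(req):
        out.append(f"{where}: no Team ID pinned in CodeRequirement")
    if not entry.get("StaticCode"):
        out.append(f"{where}: StaticCode (static validation) not set")
    return out


def audit_pppc(profile_bytes):
    """Return a list of findings for a PPPC .mobileconfig given as bytes."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("outer PayloadType should be 'Configuration'")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                findings += check_entry(service, entry)
    return findings


def sample_entry(bundle_id, team_clause=" and certificate leaf[subject.OU] = EG27766DY7"):
    # Constructed entry; requirement shortened from the PPPC Utility output in this thread.
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "Allowed": True, "StaticCode": True,
            "CodeRequirement": f'anchor apple generic and identifier "{bundle_id}"'
                               + team_clause}


# Constructed sample: one sound entry, two flawed ones, wrong outer PayloadType.
SAMPLE = plistlib.dumps({
    "PayloadType": TCC_TYPE,
    "PayloadContent": [{"PayloadType": TCC_TYPE, "Services": {
        "Accessibility": [sample_entry("com.wacom.IOManager")],
        "ListenEvent": [sample_entry("com.wacom.wacomtablet")],
        "SystemPolicyAllFiles": [sample_entry("com.wacom.Wacom-Desktop-Center", "")],
    }}],
})

if __name__ == "__main__":
    for finding in audit_pppc(SAMPLE):
        print(finding)
```

To check a real export, pass the file's bytes: `audit_pppc(open(path, "rb").read())`.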

K_K_
New Contributor II

@snowfox Thank you so much, I did use PPPC utility to create the profile but didn't tick the 'Validate the static code requirement' tick box. I will give it a try on Monday and let you know. Have a good weekend!

snowfox
Contributor II

@K.K. No problem. The above will work as-is on macOS 10.15.5 I'm just testing it here on 10.15.6 and it's now complaining about legacy system (kernel) extensions will be deprecated in a future version of macOS and Wacom Technology Corp has tried to load one. Please approve it in Security & Privacy.

If you're running the current Wacom tablet driver on 10.15.6 you may have to whitelist the kernel extension in Jamf.
Good article here for Jamf School on how to find the Team ID and Bundle ID
https://docs.jamf.com/jamf-school/deploy-guide-docs/Whitelisting_Kernel_Extensions.html

sudo sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

SELECT * FROM kext_policy;

Team ID: EG27766DY7
Bundle ID: com.FTDI.driver.D2XXHelper

Team ID: EG27766DY7
Bundle ID: com.silabs.driver.CP210xVCPDriver64

Add the Team ID and 2x Bundle IDs into the 'Approved Kernel Extensions' payload in a Jamf Configuration Profile.
Have a good weekend too 🙂

kwoodard
Contributor II

@snowfox I would have given you a thousand likes if I could. These are great! I had just started looking into this for Catalina since my old ones for Mojave weren't working properly. Thank you for your hard work!

K_K_
New Contributor II

@snowfox I was using the 'Approved Kernel Extensions' payload (only had Team ID) from before on 10.15.6 and it didn't complain. However, I still don't see any of the profile applied under the privacy tab and the Wacom Desktop Center wants access to control System Preferences is still unchecked. Are they invisible? Thank you.

snowfox
Contributor II

@kwoodard Welcome! 😄

@K.K. Yes they are invisible. When you set PPPC preferences via a mobileconfig file, they don't typically show up in the GUI interface in macOS (Security & Privacy). This goes for most settings set by a PPPC profile.

It's possible the teamID is enough to suppress the legacy system extension message without the bundle IDs. We have standard users that can't authenticate as Administrators to approve the setting in Security & Privacy so I just include both per the Jamf School article to be sure.

Wacom Desktop Centre wants to access system preferences - pops up when you run it and try to use the diagnostics utility for the tablet.
You'll see the popups if you test the Wacom utility software on a machine without the PPPCs applied.

carlo_anselmi
Contributor III

@snowfox Many thanks! Wow that's quite different from the profiles I am currently using for Mojave and Wacom 6.3.38-3 (with some random issues)
I will try to see if I can use your profiles/PPPC for Mojave and 6.3.38-3/6.3.40-2

K_K_
New Contributor II

@snowfox Yay, it did apply even though Wacom Desktop Centre wants to access system preferences still shows unchecked. It works like the notification profiles, not very easy to troubleshoot. So glad that we only got 23 Wacom Cintiqs! And thank you for the article too.

jwojda
Valued Contributor II

nevermind. 1D10T error 🙂

MacConsultant
New Contributor II

user-MBYyizmheH
New Contributor

Thanks, it helps me a lot, although I don't use a Wacom tablet but an XP-Pen drawing pad. It's similar to that.

bozemans
New Contributor III

Has anyone had success on a student laptop where they don't have administrative privileges? I've got the PPPC set up, I even manually moved all the "apps" to the proper location in the system preferences...but I still can get the Cintiq 16 to link up to the student MacBook Air running Catalina 10.15.7. I believe it may have something to do with the "third party" settings. The students can't access any third party apps in the System Preference pane. Any suggestions?

lparnell
New Contributor II

This isn't a perfect solution by far, but I put together a script that will unlock Security & Privacy. We have this available in Self Service so if a user needs to change any settings they just run this and can make whatever changes they need. I hope this helps someone, or if you have a suggestion on how this script could be better let me know; I am still fairly new to AppleScript.

#!/bin/sh

#       Security - Unlock Security & Privacy
#
#   This script unlocks Security & Privacy so standard
#   user accounts can make changes.
#
#   This script is only meant to run from a standard user
#   account. For some reason, it doesn't quite work when the
#   user is an admin.

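# Define Variables
# Jamf script parameters 4 and 5 hold the admin credentials. They are handed
# to osascript through the environment instead of being expanded into the
# AppleScript source, so a quote or backslash in the password cannot break
# or alter the script.

# Start AppleScript (quoted delimiter: the shell expands nothing in the body)
ADMIN_USER="$4" ADMIN_PASS="$5" /usr/bin/osascript << 'EOF'

-- Define Variables
set thePane to "Security & Privacy"
set theUN to system attribute "ADMIN_USER"
set thePW to system attribute "ADMIN_PASS"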

-- Close System Preferences if it is running
try 
    quit application "System Preferences"
    delay 2
end try

-- Open System Preferences
activate application "System Preferences"
delay 1

tell application "System Events"
    tell process "System Preferences"
        activate

        -- Open Privacy & Settings
        click menu item thePane of menu "View" of menu bar 1
        delay 3

        -- Click the Lock icon
        if title of button 1 of window 1 is "Click the lock to make changes." then
            click button 1 of window 1
            delay 1
            activate
        end if
    end tell
end tell

-- Make the password prompt the active window
activate application "System Preferences"

tell application "System Events"
    tell process "System Preferences"
        delay 3
        -- Set the User Name field
        set value of text field 2 of sheet 1 of window 1 to theUN
        -- Set the Password field
        set value of text field 1 of sheet 1 of window 1 to thePW
        keystroke return
    end tell
end tell

EOF

SFRANCIS004
New Contributor III

Afternoon,

I found this on Adobe's site and it's working on Catalina.

 

[macOS 10.15 (Catalina) only] Eraser tool does not work