Wacom woes? Lab looking for PPPC for long term relationship.

thebrucecarter
Contributor II

I see on Wacom's site that they have a fully compatible with Apple Silicon and Big Sur driver for the Cintiq displays (among others). So, that has to mean no more kernel extension, right? From their description of granting permissions during the install, I assume they are still not thinking about us higher education lab supporting folks. Since there is no mention anywhere of them supplying a PPPC file to support their hardware, has anyone already generated a functioning one for Big Sur? I'm trying to think ahead to this summer's builds.

1 ACCEPTED SOLUTION

CSCC-JS
Contributor III

(Edit Cleanup)

@thebrucecarter 

Now for my Wacom Tablet Driver - Lab Profile. They have the Pen Displays for our Art, Media, and Design lab which trips a slew of PPPC prompts. This took much testing, trial and error.

com.wacom.wacomtablet -> Access to System Preferences

Capture1.PNG

 com.wacom.Wacom-Desktop-Ceter -> Access to System Preferences & All Files

 

Capture2.PNG

com.wacom.Wacom-Display-Settings -> Access to All Files

Capture3.PNG

com.wacom.RemoveWacomTablet -> Access to All Files

Capture4.PNG

 com.wacom.IOManger -> Access to Accessibility

Capture5.PNG

 com.wacom.TabletDriver -> Access to Accessibility

Capture6.PNG

 com.wacom.WacomTouchDriver -> Access to Accessibility

Capture7.PNG

 

 

View solution in original post

19 REPLIES 19

CSCC-JS
Contributor III

I use Jamf's PPPC Utility to build PPPC profiles. I install the software, run it, and screenshot all the PPPC prompts. I then use the utility to build and upload. link text

I will be testing, but haven't yet, I did find these articles
link text
link text
It sounds like they will have a driver 6.3.42 this month that runs on M1 correctly, and 6.3.41 is the bare minimum to get it to function with some issues.

kwoodard
Valued Contributor

I have see the PPPC Utility and have it downloaded to my computer. Can you elaborate more on what you did? I'm not following...

CSCC-JS
Contributor III

(Edit Post Cleanup)

@kwoodard 

Jamf's PPPC utility allows you to make Privacy Preferences Policy Control (PPPC) profiles more easily.

I use this mainly for lab environment where students don't have admin rights and I want to minimize the distraction from the learning process & prevent confusion.

I first install & run the software on a machine that's never had the software installed. Every single PPPC pop-up of X wants Y access, I take a screenshot (for record keeping). I then also go in to System Preferences -> Security and Privacy -> Privacy Tab and look at all the categories also look for the software for PPPC prompts that may not of tripped yet.

Most software, it's drag the application to the left column select the various drops down options, then upload to Jamf. I then scope the profile to another test machine that's also never had the software, verify the profile is installed, install the software, and see if I still get any PPPC prompts.

An Example - Firefox wants access to the download folder.

You drag firefox app to the left column, and use the drop down to select approve for the download folder.

Screen Shot 2021-08-11 at 8.21.06 PM.png

Upload it to jamf via the PPPC utility, and it creates this for you

 

ff.PNG

When a machine has this profile installed,  when Firefox tries to access the download folder just works without prompting the user.

Important Note - There are some PPPC permissions you can not per-approve, per Apple. Example Camera, Microphone.

Found this Youtube video that shows (with slightly older version of the PPPC utility) good overview

 

CSCC-JS
Contributor III

(Edit Cleanup)

@thebrucecarter 

Now for my Wacom Tablet Driver - Lab Profile. They have the Pen Displays for our Art, Media, and Design lab which trips a slew of PPPC prompts. This took much testing, trial and error.

com.wacom.wacomtablet -> Access to System Preferences

Capture1.PNG

 com.wacom.Wacom-Desktop-Ceter -> Access to System Preferences & All Files

 

Capture2.PNG

com.wacom.Wacom-Display-Settings -> Access to All Files

Capture3.PNG

com.wacom.RemoveWacomTablet -> Access to All Files

Capture4.PNG

 com.wacom.IOManger -> Access to Accessibility

Capture5.PNG

 com.wacom.TabletDriver -> Access to Accessibility

Capture6.PNG

 com.wacom.WacomTouchDriver -> Access to Accessibility

Capture7.PNG

 

 

kwoodard
Valued Contributor

This is awesome! Thank you so much. I am going to be giving this a try right now.

sdrake
New Contributor III

How did you find the IOManager one? I can't find it as a file anywhere. I found the Wacom Tablet Driver, but not that one.

FYI:

Here is a list of binaries, preference domains (aka Bundle IDs) and paths with Wacom Tablet 6.3.44-2:

WacomTabletDriver.app → com.wacom.wacomtablet → Access to System Preferences
Path: /Applications/Wacom Tablet.localized/.Tablet/WacomTabletDriver.app

Wacom Desktop Center.app → com.wacom.Wacom-Desktop-Center → Access to System Preferences & All Files
Path: /Applications/Wacom Tablet.localized/Wacom Desktop Center.app

Wacom Display Settings.app →com.wacom.Wacom-Display-Settings → Access to All Files
Path: Path: /Applications/Wacom Tablet.localized/Wacom Display Settings.app

Wacom Tablet Utility.app → com.wacom.RemoveWacomTablet → Access to All Files
Path: /Applications/Wacom Tablet.localized/Wacom Tablet Utility.app

com.wacom.IOManager.app → com.wacom.IOManger → Access to Accessibility
Path: /Library/PrivilegedHelperTools/com.wacom.IOManager.app

TabletDriver.app → com.wacom.TabletDriver →Access to Accessibility
Path: /Applications/Wacom Tablet.localized/.Tablet/TabletDriver.app

These binaries also have entitlements, but not sure if they are or aren't needed yet...

WacomMultiTouch.framework → com.wacom.MultiTouch → PPPC?
Path: /Library/Frameworks/WacomMultiTouch.framework

WacomCloudSDK.framework → com.wacom.FirmwareUpdater → PPPC?
Path: /Applications/Wacom Tablet.localized/Wacom Desktop Center.app/Contents/Frameworks/WacomCloudSDK.framework

FirmwareUpdater.app → com.wacom.FirmwareUpdater → PPPC?
Path: /Applications/Wacom Tablet.localized/.Tablet/FirmwareUpdater.app

com.wacom.DataStoreMgr.app → com.wacom.WacomTouchDriver → PPPC?
Path: /Library/PrivilegedHelperTools/com.wacom.DataStoreMgr.app

WacomTablet.prefpane → com.wacom.ProfessionalControlPanel → PPPC?
Path: /Library/PreferencePanes/WacomTablet.prefpane

kwoodard
Valued Contributor

@CSCC-JS where did you find com.wacom.wacomtablet ? I am not locating that one and a Google search is not helping. Is it named something else?

Hi @kwoodard 

You can use Suspicious Package open the installer package and search for the Bundle ID...

uurazzle_0-1641597618220.png

 

kwoodard
Valued Contributor

@CSCC-JS I found com.wacom.wacomtablet...

Got Mojave and Catalina setup, Big Sur is giving me an error (even thought the values are the same, and I did check the "Big Sur" slider and have it scoped to Big Sur boxes only). Trying to sort that out at the moment.

Haven't updated the labs to big Sur, that's coming however.

Which prompts are you getting?

kwoodard
Valued Contributor

This is the error that the Big Sur PPPC is throwing...  

In the payload (UUID: BE4BA8FF-C6CF-4C8C-9BF1-0143412146A8), the key 'Authorization' has an invalid value.

Doesn't give me anything more than that. Sigh...

bigben54
New Contributor III

Hi @kwoodard, and anyone else looking for help on this one.

The PPPC Utility profiles (using latest as of this writing, 1.4) still don't completely create Big Sur compatible profiles, oddly. For certain things that changed from previous versions to Big Sur, you still have to manually edit them once they are uploaded to your server.

For instance with SystemPolicyAllFiles access, once you've uploaded it you have to edit the profile, then scroll down and click edit for that app/service and click edit (again), and it will automatically change to a valid choice (in this case from "Allow Standard Users to Access" to  "Allow"). Then click Save for that item, and repeat for every other item in the profile. Anything that has a valid selection already will not automatically change, so can be saved as is.

Once done with every item, save the overall profile, and the installation should succeed on your scoped Big Sur machines.

Screen Shot 2021-09-13 at 9.17.23 PM.pngScreen Shot 2021-09-13 at 9.17.33 PM.png

kwoodard
Valued Contributor

I had to do this and add a few more "app or service" but I got it to deploy. Now I need to test it on a new machine to see if the end user gets any more prompts. Hope to know in the next few days.

dstranathan
Valued Contributor II

When uploading this PPPC profile to Jamf JSS server from the Jamf PPPC Utility 1.4, does the profile need to be signed?

bigben54
New Contributor III

Not in this case. There are circumstances where it needs to be, but generally not needed when doing from the utility in my experience.

donmontalvo
Esteemed Contributor III

Don't forget to add ListenEvent = Allow Standard Users to Allow Access for each of your PPPC items.

--
https://donmontalvo.com

demuthp
New Contributor II

Please forgive if this is a dumb question... is there a fast way to get the text of the code requirements for each of these?

donmontalvo
Esteemed Contributor III

@demuthp wrote:

Please forgive if this is a dumb question... is there a fast way to get the text of the code requirements for each of these?


@demuthp Pretty sure you figured this out by now, but if not, have a look at the Terminal output for the different bits and pieces of Wacom.

https://community.jamf.com/t5/jamf-pro/monterey-m1-and-pppc-you-re-killing-us-wacom/m-p/264566

--
https://donmontalvo.com