Zoom app PPPC Profile using Jamf 10.26

atomczynski
Contributor III

Hello.

Looking to create PPPC profile to allow Accessability for the Zoom app using:
Computers: Configuration Profiles: Privacy Preferences Policy Control

While the identifier is:
us.zoom.xos
Identifier Type is:
Bundle ID

I'm not sure what needs to be entered in the Code Requirement

App or Service:
Accessibility
Access:
Allow

In the past I used the GitHub PPPC utility to create the profile.

14 REPLIES 14

geoff_widdowson
Contributor II

My Zoom PPPC looks like this.

f66adceea78b435eafad86258c622f10
61307ba69ce543fd8084ae298e4eaf05

The screen capture at the bottom is for Big Sur only.

atomczynski
Contributor III

Thank you for the screengrab @geoff.widdowson

I have entered the following in the
Code Requirement field

identifier “us.zoom.xos” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3

The profile fails to install with the following error:

In the payload (UUID: E9B95040-FD5F-4FCC-8299-5D3960ED0466), the key 'CodeRequirement' has an invalid value.

remus
New Contributor III

@atomczynski You will get that error if you are using the "ScreenCapture - Allow Standard Users to Allow Access" option on a machine that is not running Big Sur.

JoshRouthier
Contributor

I end up creating a few versions of each PPPC profile (PPPC - Zoom (10.14), PPPC - Zoom (10.15), etc.), adding the specific features for each OS, and scoping them specifically to computers running that OS

atomczynski
Contributor III

Here is the Profile:

Indentifier:
us.zoom.xos

Identifier Type:
Bundle ID

Coder Requirement:
identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = BJ4HAAB9B3

And the following app or services:
Calendar: Allow
SystemPolicyAllFiles: Deny
PostEvent: Deny
Accessibility: Allow
SystemPolicySysAdminFiles: Deny
AddressBook: Allow
Photos: Allow
Reminders: Allow

The install command fails with the following Status error:
In the payload (UUID: 7F7BFCEE-07AE-4B6B-8C33-06FE37546025), the key 'CodeRequirement' has an invalid value.

How is the Code Requirement created? It was shared with me, I did not create it.

atomczynski
Contributor III

Found an error in the syntax where

"us.zoom.xos"

needs to be "us.zoom.xos"

The profile installs OK now, however:
1. I still need to open System Privacy, Privacy
Navigate to Accessability, authenticate as admin and browse the /Applications folder and select Zoom.us
2. Even with this selected the support agent is unable to (remote) control

I have restarted the application on the client few times. If I remove the PPPC Profile I'm able to connect to the client and remote control.

The client computer is running macOS 15.7 and Zoom version is 5.4.7 (59780.1220) - current.

I will work on this more tomorrow with another client machine that is not affected by manual interaction with Security & Privacy changes.

nycnewman
New Contributor III

@atomczynski I think you need " /<star-char> exists <star-char>/ " to resolve (i.e include a star character after / and before /). For some reason doesn't show in comment box

RobbieReichard
New Contributor III

You will also get that error message if you have AllowStandardUserToSetSystemService in a Configuration Profile for Big Sur if it's in the Access field any other than ListenEvent and ScreenCapture services.

We ran into this issue when we used PPPC to load an Apex One configuration profile into Jamf. When we toggled Big Sur Compatability on within PPPC it for some reason defaulted Allow to AllowStandardUserToSetSystemService in Jamf. So I went into Jamf and had to edit the settings for the Access field by selecting the drop-down and picking Allow for every App or Service showing AllowStandardUserToSetSystemService.

CCMacTech
New Contributor

@RobbieReichard...

Thanks so much for that information!!! I too was experiencing failures to install config profiles, but modifying the Access field based on what you reported resolved the issue.

rseeley
New Contributor III

Expanding on what @atomczynski said about the syntax error. If you copy and paste the code requirement, the quotation marks will copy over as curved quotation marks and create a syntax error. Simply delete them and type in the quotation marks so they are neutral.

Jordan_Hare
New Contributor II

Just what i needed. Thanks

abyrd
New Contributor

You can find the code requirement for most apps and binaries by using this command in Terminal:

codesign --display -r - /path/to/app/or/binary

bradtchapman
Valued Contributor II

Raising awareness of this awesome PPPC profile compiled by @eholtam. It was posted on reddit, but I couldn't find it on JamfNation:

https://github.com/poundbangbash/community-screenrecording-pppc-profile

The profile currently contains a list of 55 app entitlements to permit non-admins to allow screen recording (ScreenCapture).

Thanks @abyrd for the codesign command; I was able to use this to add Open Broadcaster Studio (OBS) to the profile above. Surprised it wasn't there already...

oliverr
Contributor

Trailing whitespace in the Jamf Pro 'Code Requirement' window will also cause the error:

'the key 'CodeRequirement' has an invalid value.'

This can be overlooked as the error is also produced (as others have mentioned) by invalid characters or scoping 'AllowStandardUserToSetSystemService' to non Big Sur machines.