
Hello.

Looking to create a PPPC profile to allow Accessibility for the Zoom app using:
Computers: Configuration Profiles: Privacy Preferences Policy Control

While the identifier is:
us.zoom.xos
Identifier Type is:
Bundle ID

I'm not sure what needs to be entered in the Code Requirement

App or Service:
Accessibility
Access:
Allow

In the past I used the GitHub PPPC utility to create the profile.

My Zoom PPPC looks like this.


The screen capture at the bottom is for Big Sur only.


Thank you for the screengrab @geoff.widdowson

I have entered the following in the
Code Requirement field

identifier “us.zoom.xos” and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3

The profile fails to install with the following error:

In the payload (UUID: E9B95040-FD5F-4FCC-8299-5D3960ED0466), the key 'CodeRequirement' has an invalid value.


@atomczynski You will get that error if you are using the "ScreenCapture - Allow Standard Users to Allow Access" option on a machine that is not running Big Sur.


I end up creating a few versions of each PPPC profile (PPPC - Zoom (10.14), PPPC - Zoom (10.15), etc.), adding the specific features for each OS, and scoping them specifically to computers running that OS


Here is the Profile:

Identifier:
us.zoom.xos

Identifier Type:
Bundle ID

Code Requirement:
identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = BJ4HAAB9B3

And the following app or services:
Calendar: Allow
SystemPolicyAllFiles: Deny
PostEvent: Deny
Accessibility: Allow
SystemPolicySysAdminFiles: Deny
AddressBook: Allow
Photos: Allow
Reminders: Allow

The install command fails with the following Status error:
In the payload (UUID: 7F7BFCEE-07AE-4B6B-8C33-06FE37546025), the key 'CodeRequirement' has an invalid value.

How is the Code Requirement created? It was shared with me, I did not create it.


Found an error in the syntax where

“us.zoom.xos”

needs to be "us.zoom.xos"

The profile installs OK now, however:
1. I still need to open System Privacy, Privacy
Navigate to Accessibility, authenticate as admin and browse the /Applications folder and select Zoom.us
2. Even with this selected the support agent is unable to (remote) control

I have restarted the application on the client a few times. If I remove the PPPC Profile I'm able to connect to the client and remote control.

The client computer is running macOS 15.7 and Zoom version is 5.4.7 (59780.1220) - current.

I will work on this more tomorrow with another client machine that is not affected by manual interaction with Security & Privacy changes.


@atomczynski I think you need " /<star-char> exists <star-char>/ " to resolve (i.e., include a star character after / and before /). For some reason it doesn't show in the comment box.


You will also get that error message if you have AllowStandardUserToSetSystemService in a Configuration Profile for Big Sur if it's in the Access field for any services other than the ListenEvent and ScreenCapture services.

We ran into this issue when we used PPPC to load an Apex One configuration profile into Jamf. When we toggled Big Sur Compatibility on within PPPC it for some reason defaulted Allow to AllowStandardUserToSetSystemService in Jamf. So I went into Jamf and had to edit the settings for the Access field by selecting the drop-down and picking Allow for every App or Service showing AllowStandardUserToSetSystemService.


@RobbieReichard...

Thanks so much for that information!!! I too was experiencing failures to install config profiles, but modifying the Access field based on what you reported resolved the issue.


Expanding on what @atomczynski said about the syntax error. If you copy and paste the code requirement, the quotation marks will copy over as curved quotation marks and create a syntax error. Simply delete them and type in the quotation marks so they are neutral.


Just what I needed. Thanks


You can find the code requirement for most apps and binaries by using this command in Terminal:

codesign --display -r - /path/to/app/or/binary

Raising awareness of this awesome PPPC profile compiled by @eholtam. It was posted on reddit, but I couldn't find it on JamfNation:

https://github.com/poundbangbash/community-screenrecording-pppc-profile

The profile currently contains a list of 55 app entitlements to permit non-admins to allow screen recording (ScreenCapture).

Thanks @abyrd for the codesign command; I was able to use this to add Open Broadcaster Studio (OBS) to the profile above. Surprised it wasn't there already...


Trailing whitespace in the Jamf Pro 'Code Requirement' window will also cause the error:

'the key 'CodeRequirement' has an invalid value.'

This can be overlooked as the error is also produced (as others have mentioned) by invalid characters or scoping 'AllowStandardUserToSetSystemService' to non-Big Sur machines.
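
The causes of the 'CodeRequirement' error collected in this thread (curly quotation marks, comments that lost their asterisks, stray whitespace, and AllowStandardUserToSetSystemService on the wrong service) can be checked before a value is pasted into Jamf Pro. This is an added example, not code from any poster or from Jamf; `lint_entry` and `repair_requirement` are hypothetical names, the sample string is constructed from the requirement quoted above, and scoping by macOS version is not checked.

```python
import re

# Characters the thread identifies as breaking the 'CodeRequirement' key.
CURLY_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
# '/* exists */' after a forum or chat renderer has eaten the asterisks.
MANGLED_COMMENT = re.compile(r"/\s*exists\s*/")
# Per the thread, only these services accept the standard-user option.
STANDARD_USER_SERVICES = {"ListenEvent", "ScreenCapture"}
STANDARD_USER = "AllowStandardUserToSetSystemService"


def lint_entry(service, access, requirement):
    """Return a list of problems for one PPPC entry (empty list means clean)."""
    problems = []
    if any(ch in requirement for ch in CURLY_QUOTES):
        problems.append("curly quotation marks")
    if requirement != requirement.strip():
        problems.append("leading or trailing whitespace")
    if MANGLED_COMMENT.search(requirement):
        problems.append("comment lost its asterisks")
    if access == STANDARD_USER and service not in STANDARD_USER_SERVICES:
        problems.append(f"{STANDARD_USER} not valid for {service}")
    return problems


def repair_requirement(requirement):
    """Undo the three copy-and-paste defects; still test the install afterwards."""
    for curly, straight in CURLY_QUOTES.items():
        requirement = requirement.replace(curly, straight)
    requirement = MANGLED_COMMENT.sub("/* exists */", requirement)
    return requirement.strip()


# Constructed sample: the thread's requirement with all three defects present.
PASTED = (
    "identifier \u201cus.zoom.xos\u201d and anchor apple generic and "
    "certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and "
    "certificate leaf[subject.OU] = BJ4HAAB9B3 "
)

if __name__ == "__main__":
    print(lint_entry("Accessibility", STANDARD_USER, PASTED))
    fixed = repair_requirement(PASTED)
    print(fixed)
    print(lint_entry("Accessibility", "Allow", fixed))
```

Comparing the repaired string against the output of the codesign command given earlier in the thread confirms that it matches what the installed app actually reports.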