
Logmein LMIGUIAgent enable required for remote access

  • September 26, 2018
  • 19 replies
  • 73 views

  • New Contributor
  • 3 replies

About a week ago we started getting a pop-up on clients regarding enabling LMIGUIAgent through Security & Privacy > Accessibility > Allow the apps below to control your computer (I will attach a screenshot). I believe this is for the upcoming macOS Mojave, and does not affect other versions of macOS. However, users will still get the pop-up for enabling the LMIGUIAgent. Has anyone seen this pop-up, or developed a command line or script to enable the LMIGUIAgent?

19 replies

Hugonaut
  • Esteemed Contributor
  • 574 replies
  • September 26, 2018

Your image being sideways was killing me...

YES WE GOT IT AS WELL VERY ANNOYING. Thought I did something wrong, glad to see it's not just us.

We stay an OS behind for about a year (Maybe 2 moving forward...haha) and are on 10.13 still and use all Mac Airs. We still do a monolithic base image. A part of the monolithic base image is just a startup script and the quickadd package. The startup script is manually added to the Sec & Priv -> Accessibility pane so the other stuff can happen. I just added the following script as a quick fix and it is working for us.

tell application "System Events"
    -- Selects 'Start Process'
    click at {875, 330}
    delay 3
    click at {875, 330}
    delay 3
    click at {1111, 127}
    delay 3
    click at {1030, 540}
    delay 3
    -- Selects 'Open System Preferences'
    click at {760, 330}
    delay 3
    -- Unlocks System Pref Pane to Modify
    click at {140, 600}
    delay 3
    -- Selects Text Input Location 'User Name'
    click at {415, 220}
    delay 5
    keystroke "AdminUsernameHere"
    delay 3
    -- Selects Text Input Location 'Password'
    keystroke tab
    delay 3
    keystroke "AdminPasswordHere"
    delay 3
    -- Selects 'Unlock' from Password Authentication prompt
    keystroke return
    delay 3
    -- Selects 'LMIGUIAGENT' in accessibility
    click at {390, 240}
    delay 3
    -- Select 'Pencil' in accessibility
    click at {390, 280}
    -- Locks Sys Pref Pane to Save Modifications
    delay 3
    click at {140, 600}
    delay 3
    -- Closes System Preferences
    click at {117, 73}
    delay 3
    -- Closes Log Me In
    click at {1000, 560}
end tell

Looking for a real solution, so if anyone else can chime in that would be Great!!! TCC.DB being locked down makes me wary of this being automated via JAMF


  • Author
  • New Contributor
  • 3 replies
  • September 26, 2018

Hugonaut, this script is for new deployments? Can it be run through Jamf for users that already have their Mac?


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • September 26, 2018

Highly unlikely, because GUI scripting is so sensitive.... if they move their System Preferences in any direction 5 - 10 pixels, this script breaks. Hence it's only for the initial enrollment / startup.

Sure you could devise a way to do it...but I'd reach out to your LogMeIn rep and see what they offer. This was pushed silently without any changelogs or anything..available as of today...

http://help.logmein.com/articles/en_US/ReleaseNote/LogMeIn-Release-Note-for-September-19-2018/?l=en_US&fs=RelatedArticle

We are handling our existing clients on an individual basis and doing it manually because they are not administrators.


  • Author
  • New Contributor
  • 3 replies
  • September 26, 2018

Thanks for the info. I contacted LogMeIn and they offered no help or information. I have tried using sqlite3 commands, but have not found a way to make it work. I will continue to work on a solution and hope others will jump in if they do.


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • September 26, 2018

welcome!

sqlite3 on the tcc.db?! ... we are sitting ducks for now my friend...it is read only

https://www.jamf.com/jamf-nation/discussions/23921/editing-the-tcc-db-with-sqlite3

wondering what the acquisition of NOMAD is going to bring JAMF


  • New Contributor
  • 1 reply
  • October 1, 2018

Running this command via ARD gets rid of it:

sudo launchctl remove com.logmein.logmeinserver
killall "LMIGUIAgent"
rm -r "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/LMIGUIAgent.app"

LogMeIn turns off and stays off, though.


danny_gutman
  • Contributor
  • 28 replies
  • October 1, 2018

I have the same message rolling out to my users, and we're on mostly Sierra/High Sierra. Looking for a way to add this as an approved KEXT possibly?


  • Valued Contributor
  • 217 replies
  • October 1, 2018

@danny.gutman This is not a kernel extension issue, it's something that must be approved in Accessibility.

Apple is really clamping down on scripts doing automated tasks and whatnot.

I use this command in the "Execute command" section of my policy to force a log out since using the "Log out" option in the Apple Menu doesn't always prompt for a password to kick off FileVault:

osascript -e 'tell application "System Events" to log out'

Starting on Mojave, it gives this prompt:


  • Employee
  • 207 replies
  • October 3, 2018

These pop-ups are due to Apple's new Privacy Preferences Policy Control functionality, which you can find more information about here: https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14.

You will need to build a profile that whitelists LMIGUIAgent to communicate with the Accessibility service. I would recommend using the PPPC Utility available on our GitHub to create that.
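
The kind of profile described above, as an added example that is not part of the original thread and not output from the PPPC Utility: it builds a configuration profile whose `com.apple.TCC.configuration-profile-policy` payload allows one app under the Accessibility service, then reads the profile back to list what it grants. The function names, the `com.example.*` identifiers and "Example Org" are placeholders; the bundle identifier and code requirement for LMIGUIAgent are assumed to be taken from `codesign -dr -` run against the installed app.

```python
import plistlib
import uuid

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def build_pppc_profile(identifier, code_requirement, identifier_type="bundleID"):
    """Return .mobileconfig bytes allowing one app to use Accessibility."""
    # identifier / code_requirement: assumed to come from `codesign -dr -`.
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    if not code_requirement.strip():
        # The requirement pins the grant to the vendor's code signature.
        raise ValueError("a code requirement is mandatory")
    grant = {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,
        "Allowed": True,
    }
    tcc_uuid, profile_uuid = (str(uuid.uuid4()).upper() for _ in range(2))
    tcc_payload = {
        "PayloadType": TCC_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.pppc." + tcc_uuid,
        "PayloadUUID": tcc_uuid,
        "PayloadDisplayName": "PPPC: LMIGUIAgent Accessibility",
        "Services": {"Accessibility": [grant]},
    }
    # com.example.* and "Example Org" are placeholders for your own values.
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.profile." + profile_uuid,
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": "LogMeIn Accessibility approval",
        "PayloadOrganization": "Example Org",
        "PayloadContent": [tcc_payload],
    }
    return plistlib.dumps(profile)

def accessibility_grants(mobileconfig):
    """Read a profile back and list (identifier, allowed) Accessibility entries."""
    found = []
    for payload in plistlib.loads(mobileconfig).get("PayloadContent", []):
        if payload.get("PayloadType") == TCC_TYPE:
            for entry in payload.get("Services", {}).get("Accessibility", []):
                found.append((entry["Identifier"], entry["Allowed"]))
    return found
```

Running `accessibility_grants` over a profile before uploading it to the MDM shows exactly which identifiers it would approve for Accessibility.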


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • October 3, 2018

@mike.paul

Gave me a project tomorrow. Thank you.


  • New Contributor
  • 3 replies
  • November 17, 2018

@Hugonaut (or anyone who was able to get this to work, lol)

Did you get this to work in PPPC? I created the profile, uploaded it and pushed it out via Jamf, but it still doesn't appear to enable it.


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • November 19, 2018

@kpotek @Stefanelli

https://github.com/Hugonauts/configuration-profiles

That works for me. Hope it helps & hope it works for you too!


JoshF
  • New Contributor
  • 3 replies
  • November 28, 2018

Have others used this successfully? I'm trying to implement this on 10.13. I'm wondering if the configuration will only work on 10.14?


  • Contributor
  • 46 replies
  • February 14, 2019

@Hugonaut -- I am with @JoshF here...we have a large number of 10.13 "kiosks" that we need to deploy logmein to. Obviously the PPPC and config profile will only work with 10.14 (Mojave). For fun, I tried the mobileconfig and also the PPPC payload in JAMF and while they executed "successfully" they did not provide the functionality of actually adding LMIGUIAgent to the Accessibility module.

Is AppleScript truly the only possible way to do this on 10.12 and 10.13?? (Note these kiosks are remote and geographically spread across the globe, so manual intervention is not necessarily an option)


Hugonaut
  • Esteemed Contributor
  • 574 replies
  • February 14, 2019

@ryan.s with our enterprise license we were able to reach out to LogMeIn and roll back the update that forced the SEC & P Privvies.

I have not been able to create a solution besides GUI scripting on 10.12 or 10.13, but I hope there is one and I hope I'm just using the PPPC Utility wrong!


  • New Contributor
  • 1 reply
  • October 27, 2019

# Block pop-up during initial install.
# Paths contain spaces, so they must be quoted.
/bin/mkdir "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/backupGUIAgent"
# Move the GUI agent out of the way so it cannot be launched.
/bin/mv -f "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/LMIGUIAgent.app" "/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/Helpers/backupGUIAgent/"
# Kill any running LMIGUIAgent process (column 2 of ps output is the PID).
/bin/ps -aef | grep LMIGUIAgent | grep -v grep | awk '{print $2}' | xargs kill -9

Deploy Privacy Preferences Policy Control from MDM


beeboo
  • Contributor
  • 119 replies
  • November 5, 2019

@sfarazi

is that a deploy pkg + script then a PPPC or 1 or the other?

eg:

is your workflow

  1. deploy everyone the LMI GUI
  2. once pkg is deployed, either in the same policy or another one, you run that script
  3. at any point the PPPC is deployed as a config profile.

does that sound accurate?

whitelisting the backupGUIAgent is the app that the user gets right since the LMI console/rescue is called LogMeIn-Rescue.app

Trying to understand the deployment policy/process.

thanks!


  • Valued Contributor
  • 135 replies
  • January 12, 2021

Hello Team, I am having a really hard time getting the PPPC Policy and LogMeIn to install properly on Big Sur. The installation goes well, but it still will not silently add the Extensions nor the PPPC settings for the Application or LMIGUIAgent. It's really frustrating; the pop-up still comes up.

Has anyone been able to install this on Big Sur successfully silently without user intervention?


  • Valued Contributor
  • 135 replies
  • January 26, 2021

Anyone?