Add Corresponding Entitlement Keys to Properties Help #105

Closed
uurazzle opened this issue Jan 7, 2022 · 10 comments · Fixed by #108
Labels
enhancement New feature or request

Comments

@uurazzle
Copy link

uurazzle commented Jan 7, 2022

It would be a nice feature enhancement to list the corresponding entitlement keys in the PPPC Utility properties help descriptions. This would aid in limiting confusion when building configuration profiles, referencing Apple documentation for a key and where it maps to a PPPC Utility property.

@macblazer
Copy link
Contributor

I believe this was added as part of issue #79. If you look closely at the text in the Help button next to each property it should have the MDM key at the end of the text.

If there is more to do here, please let us know.

@uurazzle
Copy link
Author

uurazzle commented Jan 20, 2022 via email

@macblazer
Copy link
Contributor

@uurazzle Thanks for the clarification. Unfortunately, the image attachments were not imported to the GitHub issue so we can't see those. If you could use GitHub's editor to attach the images I'm sure we'd get a much better understanding of it.

@uurazzle
Copy link
Author

Hi @macblazer,

Ok, updated my comment and the images appear to be viewable. Let me know if you still have issues or need additional clarification.

@macblazer
Copy link
Contributor

I see now. This is an interesting place to bring the information together.

This would involve mapping info here about entitlements: https://developer.apple.com/documentation/bundleresources/entitlements

with corresponding PPPC payload keys from here:
https://support.apple.com/guide/deployment/privacy-preferences-policy-control-payload-dep38df53c2a/web

Of course, not every entitlement has a corresponding PPPC key, and at first glance, I'm not sure that every PPPC key requires an entitlement built-in to the app. But definitely interesting information to be added to the description of the PPPC keys.

We could read the entitlements of the specific app that is selected, and display those entitlements in the top app information bar. I'll open a different issue with that idea.

@uurazzle
Copy link
Author

uurazzle commented Jan 20, 2022 via email

@macblazer
Copy link
Contributor

Found another source of entitlements for sandboxed macOS apps here:

https://developer.apple.com/documentation/security/app_sandbox

@rsaldinger
Copy link

With the proviso that I have never built a PPPC profile and know absolutely nothing about what is involved, but for what it's worth...

What I’d suggest is that we define a new (probably plist-based) file format that can be used to communicate the pertinent bits of a collection of (signed/entitled) app bundles or other executables. Suspicious Package could create this file based on everything it finds inside a package. PPPC Utility could read this file and use it to populate its Applications list (as an alternative to reading the apps directly off the disk).

So, you'd open a package in Suspicious Package, choose something like File > Export PPPC Information, and then add the resulting file to PPPC Utility. Then you'd configure the permissions for the individual apps (and other executables) using the entitlement info imported from Suspicious Package.

This file could definitely include the bundle identifier, the code-signing (designated) requirement string, and the actual entitlements (in plist representation). A simple array of dictionaries would probably suffice; we’d just need to “standardize” the keys. We could define a file extension and UTI to make e.g. drag-and-drop work nicely, too.

Apparency could also produce this file for all of the entitled components inside a single app, although in that case, the app is already on-disk, so I don’t know how much this actually adds.

(That said, it doesn’t look like PPPC Utility searches inside an app for other components that might impact the PPPC profile. Can things like helper apps or app extension plugins complicate constructing a PPPC profile? I’d have thought so, but again, this is totally outside of my expertise! Anyway, if the entitlements of components within an app are meaningful, Apparency might be able to add something useful, by creating the same sort of file.)

macblazer added a commit to macblazer/PPPC-Utility that referenced this issue Jan 27, 2022
@macblazer
Copy link
Contributor

The PR for this issue includes a json file that includes a mapping from PPPC Services keys used for the config profiles to codesigning entitlements that are at least somewhat related. Depending on the specific app and PPPC key there is no hard requirement in either direction. Some of the entitlements are only enforced for sandboxed apps (every app from the Mac App Store is sandboxed), and some of the PPPC keys relate to multiple entitlements, especially around file access.

For example, in the PPPC profile admins can grant apps access to the Documents folder so that when the user tries to save/read files from the Documents folder they are not prompted. If the user tries to save/read files from elsewhere they are still prompted. For sandboxed Mac apps this is mostly covered under the entitlements com.apple.security.files.user-selected.read-only or com.apple.security.user-selected.read-write. But those same entitlements relate to multiple other PPPC keys for protecting the Downloads folder, network volumes, removable volumes, etc.

For the very specific ask of displaying the related entitlements in the help of the PPPC keys this PR will suffice.

@rsaldinger I propose we move the discussion of a shared file format for app information or other collaboration between this project and Suspicious Package and/or Apparency to a new GitHub issue.
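The two ideas in this thread (rsaldinger's array-of-dictionaries export file carrying bundle identifier, designated requirement and entitlements, and macblazer's mapping from codesigning entitlements to "at least somewhat related" PPPC service keys) fit together in one small script. The code below is an added illustration, not code from PPPC Utility, Suspicious Package or Apparency, and not the JSON mapping from the PR. The export record is constructed placeholder data; the `bundleIdentifier` / `designatedRequirement` / `entitlements` key names are assumed, since the thread never standardized them; and the entitlement-to-key relations are illustrative, following the thread's point that the user-selected file entitlements relate to several folder and volume keys at once and that nothing is a hard requirement in either direction.

```python
import plistlib

# Constructed sample export, in the shape sketched in this thread: an array of
# dictionaries, one per signed/entitled executable. All values are invented
# placeholders, not a real app's data. Key names are assumed.
EXPORT_RECORD = [
    {
        "bundleIdentifier": "com.example.placeholder-app",
        "designatedRequirement": 'identifier "com.example.placeholder-app" and anchor apple generic',
        "entitlements": {
            "com.apple.security.app-sandbox": True,
            "com.apple.security.files.user-selected.read-write": True,
            "com.apple.security.device.camera": True,
        },
    },
    {
        "bundleIdentifier": "com.example.placeholder-helper",
        "designatedRequirement": 'identifier "com.example.placeholder-helper" and anchor apple generic',
        "entitlements": {
            "com.apple.security.files.user-selected.read-only": True,
        },
    },
]

# Illustrative relations (assumed, not the project's own mapping): one file-access
# entitlement touches several PPPC folder/volume keys, as described in the thread.
_FILE_ACCESS_KEYS = [
    "SystemPolicyDocumentsFolder",
    "SystemPolicyDownloadsFolder",
    "SystemPolicyNetworkVolumes",
    "SystemPolicyRemovableVolumes",
]
ENTITLEMENT_TO_PPPC_KEYS = {
    "com.apple.security.files.user-selected.read-only": _FILE_ACCESS_KEYS,
    "com.apple.security.files.user-selected.read-write": _FILE_ACCESS_KEYS,
    "com.apple.security.device.camera": ["Camera"],
    "com.apple.security.device.microphone": ["Microphone"],
}

REQUIRED_KEYS = ("bundleIdentifier", "designatedRequirement", "entitlements")


def validate_record(rec):
    """Reject records that lack the agreed keys or carry a non-dict entitlements value."""
    missing = [k for k in REQUIRED_KEYS if k not in rec]
    if missing:
        raise ValueError(f"record missing keys: {missing}")
    if not isinstance(rec["entitlements"], dict):
        raise ValueError("entitlements must be a dictionary")


def export_to_plist(records):
    """Serialize the export as an XML plist (bytes), the way an exporting tool would write it."""
    for rec in records:
        validate_record(rec)
    return plistlib.dumps(records, fmt=plistlib.FMT_XML)


def load_export(data):
    """Parse and validate an export file, the way an importing tool would read it."""
    records = plistlib.loads(data)
    if not isinstance(records, list):
        raise ValueError("export must be an array of dictionaries")
    for rec in records:
        validate_record(rec)
    return records


def is_sandboxed(entitlements):
    """Some entitlements are only enforced for sandboxed apps, so surface that state."""
    return entitlements.get("com.apple.security.app-sandbox") is True


def related_pppc_keys(entitlements):
    """Return {pppc_key: [entitlements that relate to it]} for entitlements set to true.

    This is a hint for the help text, not a requirement: an app may hold an
    entitlement and need no PPPC key, or need a key without the entitlement.
    """
    related = {}
    for ent, value in entitlements.items():
        if value is not True:
            continue
        for key in ENTITLEMENT_TO_PPPC_KEYS.get(ent, []):
            related.setdefault(key, []).append(ent)
    return {k: sorted(v) for k, v in sorted(related.items())}


def summarize(records):
    """One line per executable plus one per related PPPC key, as an admin might want to see it."""
    lines = []
    for rec in records:
        ents = rec["entitlements"]
        note = "sandboxed" if is_sandboxed(ents) else "not sandboxed: some entitlements not enforced"
        lines.append(f"{rec['bundleIdentifier']} ({note})")
        for key, ents_for_key in related_pppc_keys(ents).items():
            lines.append(f"  {key} <- {', '.join(ents_for_key)}")
    return lines


if __name__ == "__main__":
    blob = export_to_plist(EXPORT_RECORD)
    print("\n".join(summarize(load_export(blob))))
```

The round trip through `plistlib` is the part worth keeping if a shared format is ever agreed on: a strict loader that rejects records missing the agreed keys is what stops a malformed or hand-edited export from silently producing a profile with the wrong identifier or requirement string.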

macblazer added a commit to macblazer/PPPC-Utility that referenced this issue Jan 28, 2022
macblazer added a commit that referenced this issue Feb 1, 2022
Help buttons list related codesigning entitlements (#105, #104)
@rsaldinger
Copy link

> @rsaldinger I propose we move the discussion of a shared file format for app information or other collaboration between this project and Suspicious Package and/or Apparency to a new GitHub issue.

@macblazer Do you want to use #107 as the starting point for that discussion? I think anything we do here should be driven from what PPPC Utility can usefully do with new information produced by Suspicious Package or Apparency, rather than by what information they could provide... I'm happy to consider providing whatever information I can, in whatever form is most useful, but just don't think I'm the right person to drive the feature that results!
