README.md (latest commit 12638c0 by Andreano Lanusse, Apr 29, 2019)
Privacy Preferences Policy Control for macOS Mojave 10.14+

Overview

  • Author(s): Robert Terakedis
  • Email(s): rterakedis@vmware.com
  • Date Created: 11/8/2018
  • Supported Platforms: Workspace ONE UEM version 1810
  • Tested on macOS Versions: macOS Mojave (10.14+)

Purpose

With macOS Mojave, User Consent for Data Access can be managed via MDM through the "Privacy Preferences Policy Control" (PPPC) payload. The settings established through the PPPC payload are written into the Transparency, Consent, and Control (TCC) database, allowing administrators to grant consent to data on behalf of the user on devices with a User-Approved MDM enrollment. More details about User Consent for Data Access can be found on VMware's TechZone.

Since its introduction in the macOS Mojave betas, a number of resources have emerged on the Internet aimed at helping macOS admins discover and track the various PPPC rules they may need in their environment. The goal of this VMware Sample is to bring those resources together into a single reference point.

Please feel free to send us pull requests for updates and add any TCC whitelists for apps that you've discovered!

Determining Required Policies

The following outlines some basic, high-level steps to help you determine what Privacy Preferences Policies are needed in your environment.

Testing Methodology

  1. Start with a clean/fresh installation of macOS Mojave (such as a VMware Fusion VM freshly installed with a snapshot taken)
  2. Install the software you need to verify and use the software for common workflows
  3. Note the permission requests that pop up and the type of permissions required (User data, Accessibility, Apple Events, etc)
  4. If necessary, you can run the following commands to help discover the requested permissions from the Unified Log:
    1. /usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' | grep Prompting
    2. /usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
    3. /usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND (eventMessage BEGINSWITH "AttributionChain" OR eventMessage CONTAINS "synchronous to com.apple.tccd.system")' (the parentheses matter: without them, AND binds tighter than OR and the last clause would match messages from every subsystem)
  5. Obtain the "Code Requirement" for the app (or receiving app) by running the following command: codesign --display -r - /path/to/binary/or/application
  6. Reset the TCC database decisions using /usr/bin/tccutil (see TCC DB Reset below) so the next test run starts from a clean state

NOTE: Carl Ashley posted a great blog about how to read TCC logs in macOS.

TCC DB Reset

  1. Use the tccutil reset <service name> command within Terminal.app to reset one (or more) of the affected services (Great write-up on this at Helping your users reset TCC Privacy Policy Decisions):

    Accessibility
    AddressBook
    All
    AppleEvents
    Calendar
    Camera
    Facebook
    LinkedIn
    Liverpool
    Location
    MediaLibrary
    Microphone
    Photos
    PhotosAdd
    PostEvent
    Reminders
    ShareKit
    SinaWeibo
    Siri
    SystemPolicyAllFiles
    SystemPolicyDeveloperFiles
    SystemPolicySysAdminFiles
    TencentWeibo
    Twitter
    Ubiquity
    Willow
    
  2. Or use a TCC reset script such as tcc-reset.py by Matthew Warren.
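The Testing Methodology and TCC DB Reset steps above are a manual loop: read the TCC prompts out of the Unified Log, capture the designated Code Requirement with codesign, and reset the services you touched before the next run. The script below is an added example (not part of the original sample) that automates the read-only half of that loop over captured text. The log lines and codesign output embedded in it are constructed for illustration: the tccd message wording varies by macOS build, so PROMPT_RE and CHAIN_RE are assumptions to tune against what your own `log show` prints. The `designated => ` prefix is what `codesign --display -r -` really emits, and the `kTCCService` prefix on service names is stripped to get the names that tccutil and the PPPC payload use.

```python
import re

# Constructed sample of `/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"'`
# output. Message text is illustrative only; adjust the regexes to your build's wording.
SAMPLE_LOG = """\
2018-11-08 09:41:03.112233-0800 0x1f3a Default 0x0 412 0 tccd: [com.apple.TCC:access] Prompting policy for service kTCCServiceAppleEvents from client com.apple.Terminal
2018-11-08 09:41:03.200000-0800 0x1f3a Default 0x0 412 0 tccd: [com.apple.TCC:access] AttributionChain: responsible=com.apple.Terminal accessing=com.apple.systemevents
2018-11-08 09:42:10.000000-0800 0x1f3a Default 0x0 412 0 tccd: [com.apple.TCC:access] Prompting policy for service kTCCServiceSystemPolicyAllFiles from client com.apple.Terminal
2018-11-08 09:45:00.000000-0800 0x2b10 Default 0x0 412 0 tccd: [com.apple.TCC:access] Prompting policy for service kTCCServiceAccessibility from client us.zoom.xos
2018-11-08 09:45:00.000000-0800 0x2b10 Default 0x0 412 0 tccd: [com.apple.TCC:access] Prompting policy for service kTCCServiceAccessibility from client us.zoom.xos
"""

# Constructed sample of `codesign --display -r - /Applications/zoom.us.app`; the
# requirement string is the Zoom entry from the table in this README.
SAMPLE_CODESIGN = """\
Executable=/Applications/zoom.us.app/Contents/MacOS/zoom.us
designated => identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3
"""

# Service names accepted by `tccutil reset`, as listed in the TCC DB Reset section.
TCCUTIL_SERVICES = {
    "Accessibility", "AddressBook", "All", "AppleEvents", "Calendar", "Camera",
    "Facebook", "LinkedIn", "Liverpool", "Location", "MediaLibrary", "Microphone",
    "Photos", "PhotosAdd", "PostEvent", "Reminders", "ShareKit", "SinaWeibo", "Siri",
    "SystemPolicyAllFiles", "SystemPolicyDeveloperFiles", "SystemPolicySysAdminFiles",
    "TencentWeibo", "Twitter", "Ubiquity", "Willow",
}

# Assumed message shapes (see lead-in); tccd's real wording may differ.
PROMPT_RE = re.compile(r"Prompting policy for service (kTCCService\w+) from client (\S+)")
CHAIN_RE = re.compile(r"AttributionChain: responsible=(\S+) accessing=(\S+)")
KTCC_PREFIX = "kTCCService"


def tcc_prompts(log_text):
    """Unique (service, client) pairs that prompted; service uses the tccutil/PPPC name."""
    found = set()
    for line in log_text.splitlines():
        m = PROMPT_RE.search(line)
        if m:
            service = m.group(1)[len(KTCC_PREFIX):]
            found.add((service, m.group(2)))
    return sorted(found)


def ae_receivers(log_text):
    """Unique (sender, receiver) pairs from AttributionChain lines: the Apple Event receivers."""
    return sorted({m.groups() for m in map(CHAIN_RE.search, log_text.splitlines()) if m})


def designated_requirement(codesign_text):
    """The Code Requirement to paste into the PPPC payload, or None if not present."""
    for line in codesign_text.splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    return None


def reset_commands(prompts):
    """tccutil invocations that clear every service seen prompting, for the next test run."""
    commands = []
    for service in sorted({service for service, _client in prompts}):
        if service not in TCCUTIL_SERVICES:
            raise ValueError("service not in the tccutil list: " + service)
        commands.append("tccutil reset " + service)
    return commands


if __name__ == "__main__":
    for service, client in tcc_prompts(SAMPLE_LOG):
        print("prompt:", service, "<-", client)
    for sender, receiver in ae_receivers(SAMPLE_LOG):
        print("apple event:", sender, "->", receiver)
    print("requirement:", designated_requirement(SAMPLE_CODESIGN))
    print("\n".join(reset_commands(tcc_prompts(SAMPLE_LOG))))
```

On a real Mojave test VM, feed it the output of the `log show` command from step 4 and the `codesign` command from step 5 instead of the constructed samples; the printed `tccutil reset` lines are the step 6 commands, and the (service, client) and (sender, receiver) pairs are the rows to add to the whitelist table.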

Common Binaries to Whitelist

The following list of binaries should be common for most admins leveraging UEM and scripting to manage macOS:

NOTE: As of Workspace ONE UEM version 1810, a PPPC profile is automatically delivered to all enrolled macOS devices to whitelist all eventing and access required by the Workspace ONE Intelligent Hub processes. Pre-1810 Consoles can deploy the whitelist as Custom XML.

Each entry below lists the Identifier (Type), the Code Requirement, the Relevant Permissions (TCC services), and the Apple Event Receivers, each receiver written as "receiver identifier (type) ++ receiver Code Requirement".

Allow Terminal.app relevant permissions for access and Eventing
  • Identifier (Type): com.apple.Terminal (bundle ID)
  • Code Requirement: identifier "com.apple.Terminal" and anchor apple
  • Relevant Permissions: SystemPolicyAllFiles, Accessibility, SysAdminFiles
  • Apple Event Receivers ++ Code Requirement:
    • com.apple.systemuiserver (bundle ID) ++ identifier "com.apple.systemuiserver" and anchor apple
    • com.apple.systemevents (bundle ID) ++ identifier "com.apple.systemevents" and anchor apple

Allow AppleEvents control for osascript (AppleScript)
  • Identifier (Type): /usr/bin/osascript (path)
  • Code Requirement: identifier "com.apple.osascript" and anchor apple
  • Relevant Permissions: None
  • Apple Event Receivers ++ Code Requirement:
    • com.apple.systemuiserver (bundle ID) ++ identifier "com.apple.systemuiserver" and anchor apple
    • com.apple.systemevents (bundle ID) ++ identifier "com.apple.systemevents" and anchor apple
    • com.apple.finder (bundle ID) ++ identifier "com.apple.finder" and anchor apple
    • com.microsoft.Outlook (bundle ID) ++ identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

Allow Events and Access for Installer
  • Identifier (Type): /usr/bin/installer (path)
  • Code Requirement: identifier "com.apple.installer" and anchor apple
  • Relevant Permissions: SysAdminFiles
  • Apple Event Receivers ++ Code Requirement:
    • com.apple.systemevents (bundle ID) ++ identifier "com.apple.systemevents" and anchor apple

VMware Horizon Client
  • Identifier (Type): com.vmware.horizon (bundle ID)
  • Code Requirement: identifier "com.vmware.horizon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG7KH642X6
  • Relevant Permissions: Accessibility
  • Apple Event Receivers: None

VMware Fusion 11 (1 of 2)
  • Identifier (Type): com.vmware.fusion (bundle ID)
  • Code Requirement: identifier "com.vmware.fusion" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG7KH642X6
  • Relevant Permissions: Accessibility
  • Apple Event Receivers: None

VMware Fusion 11 (2 of 2)
  • Identifier (Type): com.vmware.vmware-vmx (bundle ID)
  • Code Requirement: identifier "com.vmware.vmware-vmx" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG7KH642X6
  • Relevant Permissions: Accessibility
  • Apple Event Receivers: None

Adobe Photoshop
  • Identifier (Type): com.adobe.Photoshop (bundle ID)
  • Code Requirement: identifier "com.adobe.Photoshop" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JQ525L2MZD
  • Relevant Permissions: Accessibility
  • Apple Event Receivers: None

Bomgar SCC
  • Identifier (Type): com.bomgar.bomgar-scc (bundle ID)
  • Code Requirement: identifier "com.bomgar.bomgar-scc" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = B65TM49E24
  • Relevant Permissions: Accessibility, PostEvent
  • Apple Event Receivers ++ Code Requirement:
    • com.apple.systemevents (bundle ID) ++ identifier "com.apple.systemevents" and anchor apple

Citrix Receiver (1 of 2)
  • Identifier (Type): com.citrix.receiver.nomas (bundle ID)
  • Code Requirement: anchor apple generic and identifier "com.citrix.receiver.nomas" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S272Y5R93J)
  • Relevant Permissions: Accessibility
  • Apple Event Receivers ++ Code Requirement:
    • com.apple.systempreferences (bundle ID) ++ identifier "com.apple.systempreferences" and anchor apple
    • com.citrix.XenAppViewer (bundle ID) ++ identifier "com.citrix.XenAppViewer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S272Y5R93J
    • com.citrix.CitrixReceiverLauncher (bundle ID) ++ anchor apple generic and identifier "com.citrix.CitrixReceiverLauncher" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S272Y5R93J)
    • com.apple.systemuiserver (bundle ID) ++ identifier "com.apple.systemuiserver" and anchor apple
    • com.apple.systemevents (bundle ID) ++ identifier "com.apple.systemevents" and anchor apple
    • com.apple.finder (bundle ID) ++ identifier "com.apple.finder" and anchor apple

Citrix Receiver (2 of 2)
  • Identifier (Type): com.citrix.XenAppViewer (bundle ID)
  • Code Requirement: identifier "com.citrix.XenAppViewer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S272Y5R93J
  • Relevant Permissions: Accessibility
  • Apple Event Receivers ++ Code Requirement:
    • com.citrix.XenAppViewer (bundle ID) ++ identifier "com.citrix.XenAppViewer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S272Y5R93J
    • com.citrix.CitrixReceiverLauncher (bundle ID) ++ anchor apple generic and identifier "com.citrix.CitrixReceiverLauncher" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S272Y5R93J)
    • com.apple.systempreferences (bundle ID) ++ identifier "com.apple.systempreferences" and anchor apple
    • com.apple.systemuiserver (bundle ID) ++ identifier "com.apple.systemuiserver" and anchor apple
    • com.apple.systemevents (bundle ID) ++ identifier "com.apple.systemevents" and anchor apple
    • com.apple.finder (bundle ID) ++ identifier "com.apple.finder" and anchor apple

Druva InSync Client
  • Identifier (Type): com.druva.inSync (bundle ID)
  • Code Requirement: identifier "com.druva.inSync" and anchor apple generic and certificate leaf[subject.CN] = "3rd Party Mac Developer Application: Druva Technologies PTE LTD (JN6HK3RMAP)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
  • Relevant Permissions: SystemPolicyAllFiles
  • Apple Event Receivers: None

ESET Endpoint Antivirus
  • Identifier (Type): com.eset.eea.6 (bundle ID)
  • Code Requirement: identifier "com.eset.eea.6" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = P8DQRXPVLP
  • Relevant Permissions: SystemPolicyAllFiles
  • Apple Event Receivers: None

Microsoft Outlook
  • Identifier (Type): com.microsoft.Outlook (bundle ID)
  • Code Requirement: identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
  • Relevant Permissions: None
  • Apple Event Receivers ++ Code Requirement:
    • com.microsoft.SkypeForBusiness (bundle ID) ++ identifier "com.microsoft.SkypeForBusiness" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX

Microsoft Remote Desktop Client
  • No identifier, Code Requirement, permissions or receivers recorded yet.

Microsoft Skype for Business
  • Identifier (Type): com.microsoft.SkypeForBusiness (bundle ID)
  • Code Requirement: identifier "com.microsoft.SkypeForBusiness" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX
  • Relevant Permissions: None
  • Apple Event Receivers ++ Code Requirement:
    • com.microsoft.Outlook (bundle ID) ++ identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

Zoom Client (1 of 2)
  • Identifier (Type): us.zoom.xos (bundle ID)
  • Code Requirement: identifier "us.zoom.xos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3
  • Relevant Permissions: Accessibility
  • Apple Event Receivers: None

Zoom Client (2 of 2)
  • Identifier (Type): us.zoom.pluginagent (bundle ID)
  • Code Requirement: identifier "us.zoom.pluginagent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3
  • Relevant Permissions: None
  • Apple Event Receivers ++ Code Requirement:
    • com.microsoft.Outlook (bundle ID) ++ identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9

Zoom Presence
  • Identifier (Type): us.zoom.ZoomPresence (bundle ID)
  • Code Requirement: identifier "us.zoom.ZoomPresence" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = BJ4HAAB9B3
  • Relevant Permissions: SystemPolicyAllFiles
  • Apple Event Receivers: None
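The rows above are the raw material for a PPPC payload, and pre-1810 Consoles deliver it as Custom XML (see the NOTE at the top of this section). The script below is an added example, not part of this sample or of Workspace ONE UEM, that turns the Terminal.app and /usr/bin/osascript rows into that XML with Python's plistlib. The key names are Apple's PPPC payload keys (PayloadType com.apple.TCC.configuration-profile-policy, Services, Identifier, IdentifierType, CodeRequirement, Allowed, and the AEReceiver* keys for AppleEvents); the table's "SysAdminFiles" shorthand is written as the SystemPolicySysAdminFiles service key. The org prefix, display name and comments are assumptions, and whether to paste the whole profile or only the inner payload dict into Custom Settings should be confirmed against the Console version you deploy to.

```python
import plistlib
import uuid

# Apple's payload type for Privacy Preferences Policy Control.
PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"


def apple_req(bundle_id):
    """Code Requirement for an Apple-signed bundle, exactly as the table writes it."""
    return 'identifier "%s" and anchor apple' % bundle_id


def tcc_entry(identifier, identifier_type, code_requirement, comment="", allowed=True):
    """One element of a Services array. IdentifierType is "bundleID" or "path"."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be bundleID or path")
    return {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
        "Comment": comment,
    }


def apple_event_entry(sender, sender_type, sender_req,
                      receiver, receiver_type, receiver_req, comment=""):
    """AppleEvents entries also name the receiving app (the table's '++' column)."""
    entry = tcc_entry(sender, sender_type, sender_req, comment)
    entry.update({
        "AEReceiverIdentifier": receiver,
        "AEReceiverIdentifierType": receiver_type,
        "AEReceiverCodeRequirement": receiver_req,
    })
    return entry


TERMINAL_REQ = apple_req("com.apple.Terminal")
OSASCRIPT_REQ = apple_req("com.apple.osascript")

# Services built from the Terminal.app and /usr/bin/osascript rows of the table.
# "SysAdminFiles" in the table is the SystemPolicySysAdminFiles service key.
SAMPLE_SERVICES = {
    "SystemPolicyAllFiles": [
        tcc_entry("com.apple.Terminal", "bundleID", TERMINAL_REQ, "Terminal: all files"),
    ],
    "Accessibility": [
        tcc_entry("com.apple.Terminal", "bundleID", TERMINAL_REQ, "Terminal: accessibility"),
    ],
    "SystemPolicySysAdminFiles": [
        tcc_entry("com.apple.Terminal", "bundleID", TERMINAL_REQ, "Terminal: sysadmin files"),
    ],
    "AppleEvents": [
        apple_event_entry("com.apple.Terminal", "bundleID", TERMINAL_REQ,
                          "com.apple.systemevents", "bundleID",
                          apple_req("com.apple.systemevents"), "Terminal -> System Events"),
        apple_event_entry("/usr/bin/osascript", "path", OSASCRIPT_REQ,
                          "com.apple.finder", "bundleID",
                          apple_req("com.apple.finder"), "osascript -> Finder"),
    ],
}


def pppc_payload(services, org_prefix, display_name):
    """The PPPC payload dict itself (assumed org_prefix/display_name)."""
    return {
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "PayloadIdentifier": org_prefix + ".pppc.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "Services": services,
    }


def build_profile(services, org_prefix="com.example", display_name="PPPC Sample"):
    """A complete, system-scoped .mobileconfig as plist XML bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": org_prefix + ".pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [pppc_payload(services, org_prefix, display_name)],
    }
    return plistlib.dumps(profile)


def load_profile(xml_bytes):
    """Round-trip check: parse the XML back into a dict before uploading it."""
    return plistlib.loads(xml_bytes)


if __name__ == "__main__":
    print(build_profile(SAMPLE_SERVICES).decode())
```

Extend SAMPLE_SERVICES with further rows from the table as you verify them; keeping the Code Requirement strings byte-for-byte identical to the codesign output matters, since a requirement that does not match the signed binary silently grants nothing.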

List of Binaries to Verify

More binaries can be found at the following community pages:

Change Log

  • 11/8/2018: Created Initial File

Additional Resources
