
Preparing Your Organization for User Data Protections on macOS 10.14

Overview

This article explains the new user data protections in macOS Mojave 10.14, which are enforced by Apple's expanded privacy framework, Transparency, Consent, and Control (TCC). Organizations can use mobile device management (MDM) to manage these privacy preferences remotely with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.

This article provides information on the following:

  • New User Data Protections on macOS 10.14 -- Information about the new user data protections and their implications for end users and Jamf Pro administrators
  • Pre-Approval of the Jamf Management Framework -- Requirements and contents of the automatically installed Privacy Preferences Policy Control profile, and resources for creating a custom configuration profile
  • Pre-Approval of Apple Events -- Information for Jamf Pro administrators using AppleScript, who may need to approve the Jamf management framework to communicate with built-in applications and services through the Apple Events service

New User Data Protections in macOS 10.14

On macOS 10.14, access to some user application data will require user approval.

Users can pre-approve apps by adding them to the new "Full Disk Access" category in the Privacy tab of the System Preferences "Security & Privacy" pane. Adding an app there grants it access to all of the user's privacy-sensitive data without further prompts. Administrator credentials are required to unlock the pane and complete this process.

Approvals can also be managed remotely via MDM with the new Privacy Preferences Policy Control payload on macOS 10.14.

Implications for Users

On macOS 10.14, apps attempting to access protected files and app data may prompt end users to "allow" or "deny". If the app developer added purpose strings to the Info.plist, explaining the reasons for the data access request, that will also be presented with the prompt.

Apps compiled with previous versions of Xcode may not display a usage description for the prompt.

Implications for Jamf Pro Administrators

Jamf Pro administrators should prepare for the following behaviors on macOS 10.14:

  • Some policies executed via Self Service may display a prompt asking the user to allow or deny "jamfAgent" access.
  • Some policies executed via Terminal may display a prompt asking the user to allow or deny "Terminal" access.
  • Some policies executed in the background by the jamf binary may fail when they touch protected data, and the failure may be reported as a successful policy run.

Privacy Preferences Policy Control Payload

Organizations can use mobile device management to remotely manage security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.

The Privacy Preferences Policy Control payload controls the following Privacy Service Dictionary Keys:

  • AddressBook
  • Calendar
  • Reminders
  • Photos
  • Camera
  • Microphone
  • Accessibility
  • PostEvent
  • SystemPolicyAllFiles
  • SystemPolicySysAdminFiles
  • AppleEvents

To allow or disallow an app or binary access to one of the above services, create a payload entry with the following keys. Note that on macOS 10.14 the Camera and Microphone services can only be denied through this payload, not allowed.

Identifier: A unique identifying value for the app or service. Use the bundle ID for an app bundle, or the installed path for a bare binary.
IdentifierType: Either "bundleID" or "path", matching the form of Identifier.
CodeRequirement: The designated code signing requirement of the app or service, derived from the certificate used to sign it. Obtain it with "codesign --display -r - /path/to/app" (short form: "codesign -dr -").
StaticCode: Optional boolean, default false. When true, TCC validates the code requirement against the binary on disk; when false, it verifies the running process in memory. This is only needed for a process that invalidates its own dynamic code signature: if /usr/bin/log already shows the app as Allowed=true for the service but it still prompts, try setting this to true.
Allowed: Boolean. true grants access, false denies it. A false value overrides an approval the user previously granted in System Preferences.

Code Signature Requirements and Bundle Identifiers

Jamf Pro administrators creating a custom configuration profile must include the code signature requirement and the bundle ID (or path) of an app to allow it access to protected user data. You can get the code signature requirement, and the bundle identifier if needed, by running the following codesign commands:

  • codesign -dr - /Applications/Application.app
  • codesign -dr - /path/to/binary

See the following table for examples:

Input: codesign -dr - /usr/local/bin/jamf
Output:
  Executable=/usr/local/jamf/bin/jamf
  designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Input: codesign -dr - /Library/Application\ Support/JAMF/Jamf.app
Output:
  Executable=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf
  designated => identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Use only the text after "designated =>" as the CodeRequirement value; do not include the "Executable=" line or any surrounding quotation marks. For the jamf binary that is:

identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

The "/* exists */" comments are part of the requirement as codesign prints it and are kept as-is. Note also that /usr/local/bin/jamf is a symlink to /usr/local/jamf/bin/jamf; codesign reports the resolved path, and the profile below identifies the binary by that resolved path.

Note: If the app developer changes their code signing certificate, the existing profile will be invalidated and will require a new profile with the new code signature.

Identification of Processes and Apps Attempting Data Access

To identify the app or binary you are attempting to allow data access, use the following command:
/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

Pre-Approval of the Jamf Management Framework

Jamf Pro administrators can pre-approve the Jamf management framework with a Privacy Preferences Policy Control configuration profile. This profile is installed automatically by Jamf Pro 10.7.1 or later. Jamf Pro administrators can also create their own configuration profile using the information in the "Privacy Preferences Policy Control Profile Contents" section.

Requirements

To install the Privacy Preferences Policy Control profile on computers, the following requirements must be met:

  • User Approved MDM status is required to deploy the Privacy Preferences Policy Control profile on a computer.
  • The profile must be scoped to computers with macOS 10.14 or later.
  • Push notifications must be enabled to distribute the Privacy Preferences Policy Control profile.

If installation is denied by a non-User Approved MDM system, the profile will stay queued and automatically attempt to re-install once the computer achieves User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

Note: If your organization manages computers only with the jamf binary and without User Approved MDM, attempting to install this configuration profile with the profiles command or by double-clicking the profile will not work. It must be pushed via MDM from a User Approved MDM server.

Privacy Preferences Policy Control Profile Contents

To approve the Jamf management framework on macOS 10.14, the following three apps and processes must be allowed for the SystemPolicyAllFiles service:

  • jamf agent
  • jamf binary
  • jamf.app

The following content will approve these apps and processes and is the same as the configuration profile that will automatically install on macOS 10.14 computers in Jamf Pro 10.7.1.

Note: If multiple payloads of this type are installed, the most restrictive settings between the payloads are used.

<key>Services</key>
<dict>
  <key>SystemPolicyAllFiles</key>
  <array>
    <dict>
      <key>Comment</key>
      <string>Allow jamfAgent to access all files</string>
      <key>Identifier</key>
      <string>/usr/local/jamf/bin/jamfAgent</string>
      <key>IdentifierType</key>
      <string>path</string>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
    </dict>
    <dict>
      <key>Comment</key>
      <string>Allow jamf binary to access all files</string>
      <key>Identifier</key>
      <string>/usr/local/jamf/bin/jamf</string>
      <key>IdentifierType</key>
      <string>path</string>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
    </dict>
    <dict>
      <key>Comment</key>
      <string>Allow Jamf.app access to all files</string>
      <key>Identifier</key>
      <string>com.jamf.management.Jamf</string>
      <key>IdentifierType</key>
      <string>bundleID</string>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
    </dict>
  </array>
</dict>

Automatically Install the Privacy Preferences Policy Control Profile

A configuration profile that pre-approves the Jamf management framework will automatically install in Jamf Pro 10.7.1 or later. The Automatically install a Privacy Preferences Policy Control profile (macOS 10.14 or later) option is enabled by default in the Security settings when upgrading to Jamf Pro 10.7.1. To access this feature, navigate to Settings > Computer Management > Security.

With this option enabled in Security settings, Jamf Pro 10.7.1 or later will automatically collect the macOS version of managed computers at login. This allows Jamf Pro to immediately detect when a computer has been upgraded to macOS 10.14 and initiate installation of the Privacy Preferences Policy Control profile. This auto-detection of OS version at login only applies when automatically installing the profile using the option in Security settings. This does not apply if manually deploying a custom configuration profile.

Create a Custom Configuration Profile

Jamf Pro administrators can also create their own configuration profile carrying the Privacy Preferences Policy Control payload, using the custom payload settings shown in the "Privacy Preferences Policy Control Profile Contents" section above.

Note: If the configuration profile is manually deployed on a computer with macOS 10.13 or earlier, the configuration profile will not be respected once the computer is upgraded to macOS 10.14. The configuration profile will need to be redeployed after upgrading to macOS 10.14.

Pre-Approval of Apple Events

Jamf Pro administrators whose AppleScript workflows prompt for user interaction may need to approve the Jamf management framework to communicate with built-in applications and services through the AppleEvents service of the Privacy Preferences Policy Control payload. An AppleEvents entry must identify both sides of the exchange: the sending process (Identifier, IdentifierType and CodeRequirement, for example the jamf binary) and the receiving application (AEReceiverIdentifier, AEReceiverIdentifierType and AEReceiverCodeRequirement).

Common built-in services and apps that receive restricted Apple Events during user interaction include the following:

  • System Events
    - Receiver Identifier: com.apple.systemevents
    - Receiver Identifier Type: Bundle ID
    - Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
  • SystemUIServer
    - Receiver Identifier: com.apple.systemuiserver
    - Receiver Identifier Type: Bundle ID
    - Receiver Code Requirement: identifier "com.apple.systemuiserver" and anchor apple
  • Finder
    - Receiver Identifier: com.apple.finder
    - Receiver Identifier Type: Bundle ID
    - Receiver Code Requirement: identifier "com.apple.finder" and anchor apple
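The following script is an added example, not code from this article or from Jamf, that ties together the "Code Signature Requirements and Bundle Identifiers", "Privacy Preferences Policy Control Profile Contents" and "Pre-Approval of Apple Events" sections in one place: it extracts the designated requirement from codesign output, builds the three SystemPolicyAllFiles entries from the article's profile, adds an AppleEvents entry that names both the sending jamf binary and the receiving System Events, and serializes a system-scoped profile with plistlib. The sample codesign output is constructed, the com.example payload identifiers are made up, and the AEReceiverIdentifier, AEReceiverIdentifierType and AEReceiverCodeRequirement key names are taken from Apple's payload reference rather than from this article.

```python
"""Added example (not from the article or Jamf): build a PPPC profile with plistlib.
Constructed here: the sample codesign output and the com.example payload identifiers.
The AEReceiver* key names come from Apple's payload reference, not from this article."""
import plistlib
import re
import uuid

# Constructed sample of what `codesign -dr - /usr/local/bin/jamf` prints on a
# Mojave Mac; the Executable= line already shows the symlink resolved.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/usr/local/jamf/bin/jamf
designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"
"""
SYSTEM_EVENTS_REQ = 'identifier "com.apple.systemevents" and anchor apple'  # from the article


def parse_codesign_output(text):
    """Return (executable, designated requirement); only the text after 'designated =>' is the CodeRequirement."""
    exe = re.search(r"^Executable=(.+)$", text, re.M)
    req = re.search(r"^designated => (.+)$", text, re.M)
    if not (exe and req):
        raise ValueError("not the output of codesign -dr -")
    return exe.group(1).strip(), req.group(1).strip()


def tcc_entry(identifier, code_requirement, allowed=True, comment=None, static_code=False):
    """One Services entry; IdentifierType is 'path' for an absolute path, else 'bundleID'."""
    entry = {
        "Identifier": identifier,
        "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
    }
    if comment:
        entry["Comment"] = comment
    if static_code:  # only for a process that invalidates its own dynamic signature
        entry["StaticCode"] = True
    return entry


def apple_events_entry(sender_id, sender_req, receiver_bundle_id, receiver_req, comment=None):
    """AppleEvents entries name the sender as usual and the receiver under the AEReceiver* keys."""
    entry = tcc_entry(sender_id, sender_req, True, comment)
    entry["AEReceiverIdentifier"] = receiver_bundle_id
    entry["AEReceiverIdentifierType"] = "bundleID"
    entry["AEReceiverCodeRequirement"] = receiver_req
    return entry


def build_profile(services, display_name, organization="Example Org"):
    """Wrap Services in a system-scoped profile carrying Apple's TCC policy payload type
    (a user-scoped PPPC profile is rejected at install time)."""
    profile_uuid, payload_uuid = str(uuid.uuid4()).upper(), str(uuid.uuid4()).upper()
    return {
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": "com.example.pppc." + profile_uuid,  # constructed prefix
        "PayloadOrganization": organization,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadDisplayName": display_name,
            "PayloadIdentifier": "com.example.pppc.tcc." + payload_uuid,
            "PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadUUID": payload_uuid,
            "PayloadVersion": 1,
            "Services": services,
        }],
    }


def build_jamf_profile():
    """Full Disk Access for the three Jamf processes plus an AppleEvents grant
    from the jamf binary to System Events (what an osascript dialog needs)."""
    _, jamf_req = parse_codesign_output(SAMPLE_CODESIGN_OUTPUT)
    # Same signing team for all three; only the identifier clause differs (as in the article's profile).
    agent_req = jamf_req.replace('"com.jamfsoftware.jamf"', '"com.jamfsoftware.jamfAgent"')
    app_req = jamf_req.replace('"com.jamfsoftware.jamf"', '"com.jamf.management.Jamf"')
    services = {
        "SystemPolicyAllFiles": [
            tcc_entry("/usr/local/jamf/bin/jamfAgent", agent_req, comment="jamfAgent: all files"),
            tcc_entry("/usr/local/jamf/bin/jamf", jamf_req, comment="jamf binary: all files"),
            tcc_entry("com.jamf.management.Jamf", app_req, comment="Jamf.app: all files"),
        ],
        "AppleEvents": [
            apple_events_entry("/usr/local/jamf/bin/jamf", jamf_req, "com.apple.systemevents",
                               SYSTEM_EVENTS_REQ, comment="jamf binary -> System Events"),
        ],
    }
    return build_profile(services, "Jamf PPPC (example)")


def profile_xml(profile):
    """Serialize to the XML plist you would save as a .mobileconfig and upload to Jamf Pro."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def services_of(profile_bytes):
    """Read the Services dict back out of a serialized profile (round-trip check)."""
    return plistlib.loads(profile_bytes)["PayloadContent"][0]["Services"]
```

To use it on a real Mac, replace SAMPLE_CODESIGN_OUTPUT with the captured output of "codesign -dr - /usr/local/bin/jamf" (codesign writes the Executable= line to stderr and the requirement to stdout, so capture both streams), call profile_xml(build_jamf_profile()) and save the bytes as a .mobileconfig. The resulting profile still has to be delivered by a User Approved MDM server; installing it locally with the profiles command is rejected, as the Requirements section notes.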

A pre-built configuration profile to approve interaction between the Jamf management framework and these three Apple services can be downloaded from the following link: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles. Upload the configuration profile in Jamf Pro 10.7.1 or later.

In addition, an open source app built by Jamf for the Apple community can help with the identification requirements needed to allow apps to function within the Privacy Preferences Policy Control framework. This app is available on Jamf's GitHub repository: https://github.com/jamf/PPPC-Utility.

Note: An upcoming release of Jamf Pro will provide a built-in way to create and deploy Privacy Preferences Policy Control payloads.

SOLVED Posted: by chadswarthout

The command listed above is missing a closing single quote:

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
SOLVED Posted: by brendon.paucek

Thanks for spotting that missed single quote, @chadswarthout. Closing single quote has been returned to its rightful place!

SOLVED Posted: by bomholmm

I'm not having any luck with this utility. The upload function doesn't seem to work, and profiles I manually upload to jamf fail to deliver :(

SOLVED Posted: by mike.paul

@bomholmm, I am sorry to hear that you are having issues with this process.

If you'd care to elaborate on what you mean by 'upload function doesn't seem to work': does it give an error, is upload greyed out, does the profile show in Jamf Pro but there are no contents displayed other than the general payload (this is expected until the full GUI for this payload is added in a future version), etc.?

In regards to failing to deliver, is there a failure listed in the management command history about why the profile won't install? As long as Jamf Pro is 10.7.1+, the computer is 10.14+ and the computer has a UAMDM status of Yes, a properly configured profile should deploy to target computers.

I'd recommend creating a support case about the issue with deployment of the profiles if you cannot determine the cause with the above information.

SOLVED Posted: by MatG

We are on 10.7.1 and we can see the JAMF Privacy Pref Control profile is in place, but we still see this...

What do we need to do to stop it.

SOLVED Posted: by mike.paul

@MatG This is likely due to a policy running a script with end user interaction that's interacting with System Events, possibly an osascript or something along those lines. These are the things covered under the Apple Events section at the bottom of the KB, and the link to the pre-built profile that whitelists these is included there. https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

SOLVED Posted: by MatG

Thanks, would have thought though, as it's a JAMF agent PPPC, that it would have been covered by the JAMF PPPC profile that is auto added in 10.7.1.

SOLVED Posted: by mike.paul

This was an intentional thing, per guidance given to us, to not over-grant access to things that are not a part of the product. Since the things that trigger the Apple Events are scripts or applications people are choosing to deploy, we didn't automatically whitelist it since we don't know what's in people's environments. Jamf is just the parent process to things deployed by us, so you will see the jamf binary or agent be listed possibly for many other things that we can't account for. I just built that profile and put it on the GitHub since I knew people could be doing these specific things, to help make the process easier.

SOLVED Posted: by jtrant

Confirming that there might be additional whitelists needed for the Jamf binary, depending on what you are asking it to do (e.g. interacting with other applications). This is a trial and error process really, and I started with what Jamf provided and added additional profiles based on the prompts I was seeing. So far I have ended up with three:

  • Jamf (automate other applications/filesystem access)
  • McAfee (automate other applications/filesystem access)
  • Apple (notifications, allow osascript to run)

These are based on the steps outlined here, although I combined the two McAfee profiles into one for ease of deployment.

Still a work in progress, but overall there's far less work needed to support Mojave than there was with High Sierra.

SOLVED Posted: by HNTIT

@jtrant

Do you have copies of successful working profiles?

I just need the basic JAMF bits at the moment, and for login scripts called by JAMF to be able to run osascripts that call System Events to pop up a user input box.

Giving me nightmares at the moment. Followed half a dozen different posts, all of which have differing methods to create a profile to get the job done; none of the resultant profiles actually populate the Privacy panel and actually do what is needed.

Any ideas gratefully received.

Rumours that Jamf Pro 10.8 will have more of this built in, but documentation does not seem to back this up.

SOLVED Posted: by kniption

I created a CP using the PPPC Utility for the first time today. The host system with the application is running 10.14.1 and when trying to install the CP manually on the same system I get the error "The profile must be a system profile. User profiles are not supported."

Opening the CP in Xcode it does have:

    <key>payloadScope</key>
    <string>system</string>

Is this an issue with the PPPC Utility or 10.14.1?

SOLVED Posted: by KSchroeder

@kniption, I think it is noted somewhere that these Privacy profiles can only be installed via a UAMDM-approved MDM server (i.e. Jamf), so manual installs of this payload at least won't work, regardless of how the payload content is created.

SOLVED Posted: by erict

@kniption I second what @KSchroeder says, you can't set these locally, you can only push them out via MDM.
