
Preparing Your Organization for User Data Protections on macOS 10.14

Note: Starting with Jamf Pro 10.9, you can configure the Privacy Preferences Policy Control profile as a separate payload in computer configuration profiles. This payload allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preferences pane.

Overview

This article explains the new user data protections in macOS Mojave 10.14 or later, which are managed by Apple's expanded security framework, Transparency, Consent, and Control (TCC). Organizations can use mobile device management (MDM) to remotely manage these security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.

This article provides information on the following:

  • New User Data Protections on macOS 10.14 or later -- Information about new user data protections and the implications on end users and Jamf Pro administrators
  • Pre-Approval of the Jamf Management Framework -- Requirements and content of the automatically installed Privacy Preferences Policy Control profile and resources to create a custom configuration profile
  • Pre-Approval of Apple Events -- Information for Jamf Pro administrators using AppleScript, who may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service

New User Data Protections in macOS 10.14 or Later

On macOS 10.14 or later, access to some user application data will require user approval.

Users can pre-approve apps by adding them to the new "Full Disk Access" category in the System Preferences "Security & Privacy" pane. By adding apps, the user pre-approves access to all of their privacy-sensitive data without prompting. Administrator credentials are required to complete this process in System Preferences.

Approvals can also be managed remotely via MDM with the new Privacy Preferences Policy Control payload on macOS 10.14 or later.

Implications for Users

On macOS 10.14 or later, apps attempting to access protected files and app data may prompt end users to "allow" or "deny". If the app developer added purpose strings to the Info.plist, explaining the reasons for the data access request, that will also be presented with the prompt.

Apps compiled with previous versions of Xcode may not display a usage description for the prompt.

Implications for Jamf Pro Administrators

Jamf Pro administrators should prepare for the following behaviors on macOS 10.14 or later:

  • Some policies executed via Self Service may display a prompt for users to either allow or deny "jamfAgent" to execute.
  • Some policies executed via Terminal may display a prompt for users to either allow or deny "Terminal" to execute.
  • Some policies executed in the background by the Jamf binary may cause an error. These failures may inaccurately report as successful.

Privacy Preferences Policy Control Payload

Organizations can use mobile device management to remotely manage security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.

The Privacy Preferences Policy Control payload controls the following Privacy Service Dictionary Keys:

  • AddressBook
  • Calendar
  • Reminders
  • Photos
  • Camera
  • Microphone
  • Accessibility
  • PostEvent
  • SystemPolicyAllFiles
  • SystemPolicySysAdminFiles
  • AppleEvents

To allow or deny an app or binary to access one of the above Privacy Service Dictionary Keys, you can create a payload that includes the following:

Dictionary Key -- Description

  • Identifier -- A unique identifying value for the app or service. Use the bundle ID for an app or the installation path for a binary.
  • Identifier Type (IdentifierType) -- Must be either the bundle ID or the file path, depending on whether the identifier refers to an app bundle or a binary.
  • Code Requirement (CodeRequirement) -- A unique value based on the developer certificate used to sign the app or service. This value is obtained via the command "codesign --display -r -".
  • Static Code (StaticCode) -- Optional. If an app has already been set to Allowed=true for the services shown in the /usr/bin/log output but still causes prompts, it may require setting this value to true. If set to true, the code requirement of the app or service is validated statically on disk. If set to false, the app is verified in memory while it is running. This is used only if the process invalidates its dynamic code signature. False is the default setting.
  • Allowed -- Boolean. If set to true, access is granted. If set to false, access is denied. A false value overrides a value previously set by a user in System Preferences.

Code Signature Requirements and Bundle Identifiers

Jamf Pro administrators creating a custom configuration profile must include the code signature requirement and bundle ID for an app to allow access to protected user data. You can get the code signature requirement and bundle identifier (if needed) by running the following codesign commands:

  • codesign -dr - /Applications/Application.app
  • codesign -dr - /path/to/binary

See the following table for examples:

Input:
  codesign -dr - /usr/local/bin/jamf
Output:
  Executable=/usr/local/jamf/bin/jamf
  designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Input:
  codesign -dr - /Library/Application\ Support/JAMF/Jamf.app
Output:
  Executable=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf
  designated => identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Use the text after "designated =>" as the code signature requirement, for example:

identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"

Note: If the app developer changes their code signing certificate, the existing profile will be invalidated and will require a new profile with the new code signature.

Identification of Processes and Apps Attempting Data Access

To identify the app or binary you are attempting to allow data access for, execute the following command, which streams TCC attribution chains as access requests occur:
/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

To view previously requested data access, execute the following command:
/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' | grep Prompting

Pre-Approval of the Jamf Management Framework

Jamf Pro administrators can pre-approve the Jamf management framework with the Privacy Preferences Policy Control configuration profile. This profile is automatically installed by Jamf Pro 10.7.1 or later.

Jamf Pro administrators can also create their own configuration profile with the information in the Privacy Preferences Policy Control pane of a configuration profile for computers.

Requirements

To install the Privacy Preferences Policy Control profile on computers, the following requirements must be met:

  • User Approved MDM
  • Target computers with macOS 10.14 or later
  • Push notifications enabled

If installation is denied by a non-User Approved MDM system, the profile will stay queued and automatically attempt to re-install once the computer achieves User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

Note: If your organization only uses the jamf binary without User Approved MDM for management, attempting to install this configuration profile using the profiles command or by manually clicking on the profile will not work. It must be pushed via MDM from a User Approved MDM server.

Privacy Preferences Policy Control Profile Contents

To approve the Jamf management framework on macOS 10.14 or later, the following three apps and processes must be approved for the SystemPolicyAllFiles service:

  • jamf agent
  • jamf binary
  • jamf.app

The following .mobileconfig file will approve these apps and processes and is the same as the configuration profile that will automatically install on computers with macOS 10.14 or later and Jamf Pro 10.7.1 or later.

Note: If multiple payloads of this type are installed, the most restrictive settings between the payloads are used.

<key>Services</key>
<dict>
  <key>SystemPolicyAllFiles</key>
  <array>
    <dict>
      <key>Comment</key>
      <string>Allow jamfAgent to access all files</string>
      <key>Identifier</key>
      <string>/usr/local/jamf/bin/jamfAgent</string>
      <key>IdentifierType</key>
      <string>path</string>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
    </dict>
    <dict>
      <key>Comment</key>
      <string>Allow jamf binary to access all files</string>
      <key>Identifier</key>
      <string>/usr/local/jamf/bin/jamf</string>
      <key>IdentifierType</key>
      <string>path</string>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
    </dict>
    <dict>
      <key>Comment</key>
      <string>Allow Jamf.app access to all files</string>
      <key>Identifier</key>
      <string>com.jamf.management.Jamf</string>
      <key>IdentifierType</key>
      <string>bundleID</string>
      <key>Allowed</key>
      <true/>
      <key>CodeRequirement</key>
      <string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
    </dict>
  </array>
</dict>

Automatically Install the Privacy Preferences Policy Control Profile

A configuration profile that pre-approves the Jamf management framework will automatically install in Jamf Pro 10.7.1 or later. The Automatically install a Privacy Preferences Policy Control profile (macOS 10.14 or later) option is enabled by default in the Security settings when upgrading to Jamf Pro 10.7.1 or later. To access this feature, navigate to Settings > Computer Management > Security.

With this option enabled in Security settings, Jamf Pro 10.7.1 or later will automatically collect the macOS version of managed computers at login. This allows Jamf Pro to immediately detect when a computer has been upgraded to macOS 10.14 or later and initiate installation of the Privacy Preferences Policy Control profile. This auto-detection of OS version at login only applies when automatically installing the profile using the option in Security settings. This does not apply if manually deploying a custom configuration profile.

Create a Custom Configuration Profile

Starting with Jamf Pro 10.9, you can configure the Privacy Preferences Policy Control profile as a separate payload in computer configuration profiles. This payload allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preferences pane. To configure these settings, navigate to Computers > Configuration Profiles and use the Privacy Preferences Policy Control payload.

Note: If the configuration profile is manually deployed on a computer with macOS 10.13 or earlier, the configuration profile will not be respected once the computer is upgraded to macOS 10.14. The configuration profile will need to be redeployed after upgrading to macOS 10.14 or later.

Pre-Approval of Apple Events

Jamf Pro administrators using AppleScript workflows that prompt for user interaction may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service within the Privacy Preferences Policy Control payload. To use the restricted Apple Events service, Jamf Pro administrators must provide the identifier, identifier type and code requirement for both the sending and the receiving application.

Common built-in services and apps receiving restricted Apple Events needed for user interaction include the following:

System Events
  • Receiver Identifier: com.apple.systemevents
  • Receiver Identifier Type: Bundle ID
  • Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple

SystemUIServer
  • Receiver Identifier: com.apple.systemuiserver
  • Receiver Identifier Type: Bundle ID
  • Receiver Code Requirement: identifier "com.apple.systemuiserver" and anchor apple

Finder
  • Receiver Identifier: com.apple.finder
  • Receiver Identifier Type: Bundle ID
  • Receiver Code Requirement: identifier "com.apple.finder" and anchor apple
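As an added example (not code from this article or from Jamf), the following Python script builds a PPPC profile from captured `codesign -dr -` output for the jamf binary, covering both the SystemPolicyAllFiles entry described under Code Signature Requirements above and the Apple Events entries for the three receivers just listed. The codesign output is the sample from this article; the profile identifier and display name are placeholders, and the AEReceiver* key names for the receiving app are an assumption taken from Apple's payload specification rather than from this article.

```python
import plistlib
import uuid

# Constructed sample: the codesign output for the jamf binary shown in this article.
CODESIGN_OUTPUT = """\
Executable=/usr/local/jamf/bin/jamf
designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and \
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and \
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and \
certificate leaf[subject.OU] = "483DWKW443"
"""

# Built-in Apple Events receivers listed in the article (identifier -> code requirement).
APPLE_RECEIVERS = {
    "com.apple.systemevents": 'identifier "com.apple.systemevents" and anchor apple',
    "com.apple.systemuiserver": 'identifier "com.apple.systemuiserver" and anchor apple',
    "com.apple.finder": 'identifier "com.apple.finder" and anchor apple',
}

def parse_codesign(output):
    """Return (executable_path, designated_requirement) from `codesign -dr -` text."""
    exe = req = None
    for line in output.splitlines():
        if line.startswith("Executable="):
            exe = line[len("Executable="):].strip()
        elif line.startswith("designated =>"):
            req = line[len("designated =>"):].strip()
    if not exe or not req:
        raise ValueError("output lacks an Executable= or designated => line")
    return exe, req

def tcc_entry(identifier, identifier_type, requirement, allowed=True,
              comment=None, static_code=False, **ae_keys):
    """One element of a Services array; rejects identifier types TCC does not accept."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    entry = {"Identifier": identifier, "IdentifierType": identifier_type,
             "CodeRequirement": requirement, "Allowed": allowed}
    if comment:
        entry["Comment"] = comment
    if static_code:  # only when the process invalidates its dynamic signature
        entry["StaticCode"] = True
    entry.update(ae_keys)
    return entry

def apple_events_entry(sender, sender_type, sender_req, receiver_id):
    """AppleEvents entries name both the sender and the receiving app (assumed AE* keys)."""
    return tcc_entry(sender, sender_type, sender_req,
                     comment=f"Allow {sender} to send Apple Events to {receiver_id}",
                     AEReceiverIdentifier=receiver_id,
                     AEReceiverIdentifierType="bundleID",
                     AEReceiverCodeRequirement=APPLE_RECEIVERS[receiver_id])

def build_profile(services, identifier="com.example.pppc"):
    """Wrap Services in a system-scoped profile (identifier is a placeholder)."""
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadVersion": 1, "PayloadIdentifier": identifier + ".tcc",
               "PayloadUUID": str(uuid.uuid4()).upper(), "Services": services}
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadScope": "System",  # TCC rejects user-scoped profiles
            "PayloadIdentifier": identifier,
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "PPPC example",
            "PayloadContent": [payload]}

def jamf_binary_profile(codesign_text=CODESIGN_OUTPUT):
    """Full Disk Access plus Apple Events to the three built-in receivers."""
    exe, req = parse_codesign(codesign_text)
    fda = tcc_entry(exe, "path", req, comment="Allow jamf binary to access all files")
    events = [apple_events_entry(exe, "path", req, r) for r in APPLE_RECEIVERS]
    return build_profile({"SystemPolicyAllFiles": [fda], "AppleEvents": events})

def profile_xml(profile):
    """Serialise to the XML plist body of a .mobileconfig file."""
    return plistlib.dumps(profile)

if __name__ == "__main__":
    print(profile_xml(jamf_binary_profile()).decode())
```

Redirect the output to a .mobileconfig file and upload it unsigned; Jamf Pro 10.7.1 or later regenerates the PayloadUUID values on upload, and the profile must be delivered by a User Approved MDM server rather than installed locally.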

A pre-built configuration profile to approve interaction between the Jamf management framework and these three Apple services can be downloaded from Jamf's GitHub repository: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles. Upload the configuration profile in Jamf Pro 10.7.1 or later.

Note: You can upload this profile to Jamf Pro unsigned, and it will automatically generate the Payload UUID values.

In addition, an open source app built by Jamf for the Apple community can help with the identification requirements needed to allow apps to function within the Privacy Preferences Policy Control framework. This app is also available on Jamf's GitHub repository: https://github.com/jamf/PPPC-Utility.

Note: You can upload an unsigned Privacy Preference Policy Control payload to Jamf Pro using the API.

SOLVED Posted: by chadswarthout

The command listed above is missing a closing single quote:

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
SOLVED Posted: by brendon.paucek

Thanks for spotting that missed single quote, @chadswarthout. Closing single quote has been returned to its rightful place!

SOLVED Posted: by bomholmm

I'm not having any luck with this utility. The upload function doesn't seem to work, and profiles I manually upload to jamf fail to deliver :(

SOLVED Posted: by mike.paul

@bomholmm, I am sorry to hear that you are having issues with this process.

If you'd care to elaborate on what you mean by 'upload function doesn't seem to work': does it give an error, is upload greyed out, does the profile show in Jamf Pro but there is no content displayed other than the general payload (this is expected till the full GUI for this payload is added in a future version), etc.?

In regards to failing to deliver, is there a failure listed in the management commands history about why the profile won't install? As long as Jamf Pro is 10.7.1+, the computer is 10.14+ and the computer has a UAMDM status of Yes, a properly configured profile should deploy to target computers.

I'd recommend creating a support case about the issue with deployment of the profiles if you cannot determine the cause with the above information.

SOLVED Posted: by MatG

We are on 10.7.1 and we can see the JAMF Privacy Pref Control profile is in place, but we still see this...

What do we need to do to stop it.

SOLVED Posted: by mike.paul

@MatG This is likely due to a policy running a script with end user interaction that's interacting with System Events, possibly an osascript or something along those lines. These are the things covered under the Apple Events section at the bottom of the KB, and the link to the pre-built profile that whitelists these is included there. https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles

SOLVED Posted: by MatG

Thanks, would have thought though, as it's a JAMF agent PPPC, that it would have been covered by the JAMF PPPC Profile that is auto added in 10.7.1

SOLVED Posted: by mike.paul

This was an intentional thing per guidance given to us to not over-grant access to things that are not a part of the product. Since the things that trigger the Apple Events are scripts or applications people are choosing to deploy, we didn't automatically whitelist it since we don't know what's in people's environments. Jamf is just the parent process to things deployed by us, so you will see the jamf binary or agent be listed possibly for many other things that we can't account for. I just built that profile and put it on the GitHub since I knew people could be doing these specific things, to help make the process easier.

SOLVED Posted: by jtrant

Confirming that there might be additional whitelists needed for the Jamf binary, depending on what you are asking it to do (e.g. interacting with other applications). This is a trial and error process really, and I started with what Jamf provided and added additional profiles based on the prompts I was seeing. So far I have ended up with three:

  • Jamf (automate other applications/filesystem access)
  • McAfee (automate other applications/filesystem access)
  • Apple (notifications, allow osascript to run)

These are based on the steps outlined here, although I combined the two McAfee profiles into one for ease of deployment.

Still a work in progress, but overall there's far less work needed to support Mojave than there was with High Sierra.

SOLVED Posted: by HNTIT

@jtrant

Do you have copies of successful working profiles?

I just need the Basic JAMF bits at the moment, and for Login Scripts called by JAMF to be able to run osascripts that call System Events to pop up a user input box.

Giving me nightmares at the moment; followed half a dozen different posts, all of which have differing methods to create a profile to get the job done, and none of the resultant profiles actually populate the Privacy panel and actually do what is needed.

Any ideas gratefully received.

Rumours that Jamf Pro 10.8 will have more of this built in, but documentation does not seem to back this up.

SOLVED Posted: by kniption

I created a CP using the PPPC Utility for the first time today. The host system with the application is running 10.14.1 and when trying to install the CP manually on the same system I get the error "The profile must be a system profile. User profiles are not supported."

Opening the CP in Xcode it does have:

    <key>payloadScope</key>
    <string>system</string>

Is this an issue with the PPPC Utility or 10.14.1?

SOLVED Posted: by KSchroeder

@kniption, I think it is noted somewhere that these Privacy profiles can only be installed via a UAMDM-approved MDM server (i.e. Jamf), so manual installs of this payload at least won't work, regardless of how the payload content is created.

SOLVED Posted: by erict

@kniption I second what @KSchroeder says, you can't set these locally, you can only push them out via MDM.

SOLVED Posted: by spalmer

On Jamf's GitHub pages, https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles the documentation states:

If you are using Jamf Pro 10.7.1+ you can upload this profile to the server unsigned and it will automatically generate the PayloadUUID values.

Also, at https://github.com/jamf/PPPC-Utility it states:

Starting in Jamf Pro 10.7.1 the Privacy Preferences Policy Control Payload can be uploaded to the API without being signed before uploading.

Jamf, please document this here in this article since this would save some people time in trying to hunt this information down.

SOLVED Posted: by brendon.paucek

This article has been updated to include changes related to Jamf Pro 10.9.

SOLVED Posted: by DFree

How do we connect the PPPC utility to Cloud instance of JSS?

Jamf Pro Server: https://company.jamfcloud.com:8443
Username: My JSS username
Password: My JSS password

I tried the above and click check connection, but that doesn't appear to work. Thoughts?

Thanks.

SOLVED Posted: by AHolmdahl

@DFree Wrong port - it should be 443

SOLVED Posted: by DFree

@AHolmdahl Thanks - that worked. I should have realized 8443 was only for local instances.

SOLVED Posted: by bethjohnson

I have an app that is requesting access to control Safari and Google Chrome. If I manually allow it, it shows up in the System Preferences -> Privacy pane under Automations, with a checkbox for each browser.

My question is: what are the settings in the PPPC Utility that correlate to those System Preferences settings? Or do I need to use another method to generate my whitelist for that app?

SOLVED Posted: by mike.paul

@bethjohnson, depending on how it's trying to access those other applications, you could try to use the Apple Events service to allow communication between them. Just drag and drop the applications you want to whitelist, similar to this screenshot if Composer needed access to Safari and Chrome:

SOLVED Posted: by bethjohnson

Thanks @mike.paul -- worked like a charm.

SOLVED Posted: by Eben.Holub

I am trying to do something similar with "WebExPluginAgent" and "Microsoft Outlook" but not having any success.

This looks to be what I need to do to get this working but I still get the prompt even after uploading this profile from these settings:

SOLVED Posted: by strayer

@eben.holub I am having a similar issue. I see the profile listed in profiles on my test computer but the settings are not actually applied in system preferences.

SOLVED Posted: by kwsenger

@mike.paul When using the PPPC utility, should the checkbox within the Privacy tab be CHECKED after the config profile was successful? When launching the Read&Write.app it is no longer displaying a dialog box asking for the box in the Security & Privacy > Accessibility > Privacy to be checked and the app is working as if the box has been manually checked which was the procedure in 12.13.6. We thought the checkbox would get checked.

Thanks for confirming.

Karl


SOLVED Posted: by mike.paul

Yea, this is a common confusion point. Your only methods to verify what's installed/controlled via MDM-deployed configuration profiles are to look at the Profiles pane in System Preferences for the payloads pushed down, or to look at the MDMOverrides.plist with the following command:

/usr/libexec/PlistBuddy -c "print" /Library/Application\ Support/com.apple.TCC/MDMOverrides.plist

FYI, Terminal needs Full Disk Access/SystemPolicyAllFiles to read that file; otherwise you get the message "Error Reading File: /Library/Application Support/com.apple.TCC/MDMOverrides.plist". So basically it's a chicken or the egg scenario: you need TCC access granted to read MDM TCC applied settings. Fun times.

What's displayed in System Preferences > Security & Privacy > Privacy are only the decisions end users made with prompts presented to them, and not settings pushed via Profiles. It's essentially displaying the values that are stored in the TCC databases, which can be found at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db

SOLVED Posted: by NightFlight

Looks like the PPPC Utility connection is broken by SSO authentication

SOLVED Posted: by TomDay

How long upon enrollment does it take for the "Automatically Install the Privacy Preferences Policy Control Profile" to get pushed? We have this enabled, but after getting a new computer enrolled via DEP/prestage enrollment, our first step on the new OS is to open Self Service and run a couple of policies to customize the new computer. We get the "jamf agent needs control" message. Wondering if we should be running a command in terminal before heading to Self Service so the profile gets installed quicker?

SOLVED Posted: by ccsben

Thanks for the information.

I'd like some further clarification for the JamfPrivacyPreferencePolicyControlProfiles. After applying this profile, are we supposed to see jamf binary, jamf agent and jamf app listed under System Preferences > Security & Privacy > Privacy > Automation with the System Events, SystemUIServer and Finder ticked?

If anyone can help, it would be really appreciated.

SOLVED Posted: by talkingmoose

@ccsben, when applying PPPC settings using a Configuration Profile, you will not see those settings reflected under the Privacy tab of Security & Privacy. What you see there may not be reflective of the actual settings that are applied.

Unfortunately, that's a limitation of the PPPC framework that Jamf doesn't control.

I don't know of a way to view the resultant set of policies when both end-user and administrator policies have been applied.
