Preparing Your Organization for User Data Protections on macOS 10.14
This article explains new user data protections in macOS Mojave 10.14 or later, which are managed by Apple's expanded security framework, Transparency Consent and Control (TCC). Organizations can use mobile device management (MDM) to remotely manage these security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.
Starting with Jamf Pro 10.9, you can configure the Privacy Preferences Policy Control profile as a separate payload in computer configuration profiles. This payload allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preferences pane.
- New User Data Protections on macOS 10.14 or later—Information about new user data protections and the implications on end users and Jamf Pro administrators
- Pre-Approval of the Jamf Management Framework—Requirements and content of the automatically installed Privacy Preferences Policy Control profile and resources to create a custom configuration profile
- Pre-Approval of Apple Events—Information for Jamf Pro administrators using Apple Scripts, which may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service
New User Data Protections in macOS 10.14 or Later
On macOS 10.14 or later, access to some user application data will require user approval.
Users can pre-approve apps by adding them to the new "Full Disk Access" category in the System Preferences Security & Privacy pane. By adding apps, the user pre-approves access to all of their privacy-sensitive data without prompting. Administrator credentials are required to complete this process in System Preferences.
Approvals can also be managed remotely via MDM with the new Privacy Preferences Policy Control payload on macOS 10.14 or later.
Implications for Users
On macOS 10.14 or later, apps attempting to access protected files and app data may prompt end users to "allow" or "deny". If the app developer added purpose strings to the Info.plist, explaining the reasons for the data access request, that will also be presented with the prompt.
Apps compiled with previous versions of Xcode may not display a usage description for the prompt.
Implications for Jamf Pro Administrators
Jamf Pro administrators should prepare for the following behaviors on macOS 10.14 or later:
- Some policies executed via Self Service may display a prompt for users to either allow or deny "jamfAgent" to execute.
- Some policies executed via Terminal may display a prompt for users to either allow or deny "Terminal" to execute.
- Some policies executed in the background by the Jamf binary may cause an error. These failures may inaccurately report as successful.
Privacy Preferences Policy Control Payload
Organizations can use mobile device management to remotely manage security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later. The payload covers the following services:
- AddressBook
- Calendar
- Reminders
- Photos
- Camera
- Microphone
- Accessibility
- PostEvent
- SystemPolicyAllFiles
- SystemPolicySysAdminFiles
- AppleEvents
Each service key holds an array of dictionaries with the following keys:
Dictionary Key | Description |
---|---|
Identifier | A unique identifying value for the app or service. Use a bundle ID for apps or an installation path of the binary. |
Identifier Type | Must be either the bundle ID or file path depending on if it is an app bundle or the binary. |
Code Requirement | A unique value based on the developer certificate used to sign the app or service. This value is obtained via the codesign -dr - command. |
Static Code | Optional: If an app has already been set to |
Allowed | Boolean: If set to |
Code Signature Requirements and Bundle Identifiers
Jamf Pro administrators creating a custom configuration profile must include the code signature requirement and bundle ID for an app to allow access to protected user data. You can get the code signature requirement and bundle identifier (if needed) by running the following codesign commands:
codesign -dr - /Applications/Application.ap
codesign -dr - /path/to/binary
See the following table for examples:
Input | Output |
---|---|
codesign -dr - /usr/local/bin/jamf | Executable=/usr/local/jamf/bin/jamf designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443" |
codesign -dr - /Library/Application\ Support/JAMF/Jamf.app | Executable=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf designated => identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443" |
Use the following as the code signature:
identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"
Note: If the app developer changes their code signing certificate, the existing profile will be invalidated and will require a new profile with the new code signature.
Identification of Processes and Apps Attempting Data Access
To identify the app or binary you are attempting to allow data access, execute the following command:
/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
To view previously requested data access, execute the following command:
/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' | grep Prompting
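The following script, added here as an example and not part of the original article or of Jamf's tooling, turns the codesign output above into the Identifier, IdentifierType and CodeRequirement values a profile entry needs, and checks the requirement string for the comment-marker damage that copying from a rendered page tends to introduce. The two sample outputs are constructed from the table above; the function and variable names are this example's own. The rule that an app bundle's designated-requirement identifier equals its bundle ID is an assumption that holds for Jamf.app and should be confirmed against an app's Info.plist in other cases.

```python
"""Derive PPPC identity fields from `codesign -dr -` output (added example)."""
import re
import subprocess
import sys

# Constructed samples: the two codesign outputs reproduced in the article.
SAMPLE_JAMF_BINARY = (
    "Executable=/usr/local/jamf/bin/jamf\n"
    'designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    'certificate leaf[subject.OU] = "483DWKW443"\n'
)
SAMPLE_JAMF_APP = (
    "Executable=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf\n"
    'designated => identifier "com.jamf.management.Jamf" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    'certificate leaf[subject.OU] = "483DWKW443"\n'
)


def designated_requirement(codesign_output: str) -> str:
    """Return the designated requirement from `codesign -dr -` output.

    codesign prints the 'Executable=' line on stderr and the requirement on
    stdout; both streams may be pasted together and are handled here."""
    for line in codesign_output.splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    raise ValueError("no 'designated =>' line found; is the file signed?")


def validate_requirement(req: str) -> list:
    """Sanity checks before the string goes into a profile.
    Returns a list of problems; empty means the requirement looks usable."""
    problems = []
    if not re.search(r'identifier "[^"]+"', req):
        problems.append("missing identifier clause")
    if "anchor apple" not in req:
        problems.append("missing anchor clause (unsigned or ad-hoc signed?)")
    # HTML/markdown rendering often strips the asterisks from '/* exists */',
    # and a requirement with bare '/ exists /' will not compile.
    if re.search(r"(?<!\*)/ exists /(?!\*)", req):
        problems.append("comment markers garbled: use '/* exists */'")
    if req.count("/*") != req.count("*/"):
        problems.append("unbalanced comment markers")
    return problems


def pppc_identity(path: str, codesign_output: str) -> dict:
    """Build the Identifier / IdentifierType / CodeRequirement trio.

    App bundles are identified by bundle ID, bare binaries by installation
    path, following the article's rule for the Identifier key.
    Assumption: the identifier inside an app's designated requirement equals
    its CFBundleIdentifier (true for Jamf.app; verify for other apps)."""
    req = designated_requirement(codesign_output)
    problems = validate_requirement(req)
    if problems:
        raise ValueError("; ".join(problems))
    if path.rstrip("/").endswith(".app"):
        bundle_id = re.search(r'identifier "([^"]+)"', req).group(1)
        return {"Identifier": bundle_id, "IdentifierType": "bundleID",
                "CodeRequirement": req}
    return {"Identifier": path, "IdentifierType": "path", "CodeRequirement": req}


def identity_from_disk(path: str) -> dict:
    """Run codesign against a real file (macOS only)."""
    proc = subprocess.run(["codesign", "-dr", "-", path],
                          capture_output=True, text=True)
    return pppc_identity(path, proc.stdout + proc.stderr)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = identity_from_disk(sys.argv[1])
    else:
        result = pppc_identity("/usr/local/jamf/bin/jamf", SAMPLE_JAMF_BINARY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with a path argument on a Mac to inspect a real binary, or without arguments to see the fields derived from the constructed jamf sample. The validation step is the part worth keeping in any pipeline: a requirement whose comment markers were lost in transit silently produces an entry that never matches.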
Pre-Approval of the Jamf Management Framework
Jamf Pro administrators can pre-approve the Jamf management framework with the Privacy Preferences Policy Control configuration profile. This profile will be automatically installed on Jamf Pro 10.7.1 or later.
Jamf Pro administrators can also create their own configuration profile with the information in the Privacy Preferences Policy Control pane of a configuration profile for computers.
General Requirements
- User Approved MDM
- Target computers with macOS 10.14 or later
- Push notifications enabled
If installation is denied by a non-User Approved MDM system, the profile will stay queued and automatically attempt to re-install once the computer achieves User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro article.
If your organization only uses the jamf binary without User Approved MDM for management, attempting to install this configuration profile using the profiles command or by manually clicking on the profile will not work. It must be pushed via MDM from a User Approved MDM server.
Privacy Preferences Policy Control Profile Contents
The automatically installed profile grants access to all files (SystemPolicyAllFiles) to the following components:
- jamf agent
- jamf binary
- jamf.app
If multiple payloads of this type are installed, the most restrictive settings between the payloads are used.
<key>Services</key>
<dict>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Comment</key>
<string>Allow jamfAgent to access all files</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamfAgent</string>
<key>IdentifierType</key>
<string>path</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamf binary to access all files</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>IdentifierType</key>
<string>path</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow Jamf.app access to all files</string>
<key>Identifier</key>
<string>com.jamf.management.Jamf</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true/>
<key>CodeRequirement</key>
<string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
</dict>
</array>
</dict>
Automatically Install the Privacy Preferences Policy Control Profile
A configuration profile that pre-approves the Jamf management framework will automatically install in Jamf Pro 10.7.1 or later. The Automatically install a Privacy Preferences Policy Control profile (macOS 10.14 or later) option is enabled by default in the Security settings when upgrading to Jamf Pro 10.7.1 or later. To access this feature, navigate to .
With this option enabled in Security settings, Jamf Pro 10.7.1 or later will automatically collect the macOS version of managed computers at login. This allows Jamf Pro to immediately detect when a computer has been upgraded to macOS 10.14 or later and initiate installation of the Privacy Preferences Policy Control profile. This auto-detection of OS version at login only applies when automatically installing the profile using the option in Security settings. This does not apply if manually deploying a custom configuration profile.
Create a Custom Configuration Profile
If the configuration profile is manually deployed on a computer with macOS 10.13 or earlier, the configuration profile will not be respected once the computer is upgraded to macOS 10.14. The configuration profile will need to be redeployed after upgrading to macOS 10.14 or later.
Pre-Approval of Apple Events
Jamf Pro administrators using AppleScript workflows prompting user interaction may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service within the Privacy Preferences Policy Control payload. To leverage the restricted Apple Events service, Jamf Pro administrators must provide the identifier type and code requirement for both the sending and receiving application.
The three Apple services involved are:
- System Events:
- SystemUIServer:
- Finder:
A pre-built configuration profile to approve interaction between the Jamf management framework and these three Apple services can be downloaded from Jamf's GitHub repository: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles. Upload the configuration profile in Jamf Pro 10.7.1 or later.
You can upload this profile to Jamf Pro unsigned, and it will automatically generate the Payload UUID values.
In addition, an open source app built by Jamf for the Apple community can help with the identification requirements needed to allow apps to function within the Privacy Preferences Policy Control framework. This app is also available on Jamf's GitHub repository: https://github.com/jamf/PPPC-Utility.
You can upload an unsigned Privacy Preference Policy Control payload to Jamf Pro using the API.
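Both the profile contents listed above and the Apple Events requirement (sender and receiver in one entry) can be produced programmatically. The script below is an added example, not the article's profile or Jamf's tooling: it rebuilds the three SystemPolicyAllFiles entries from the profile contents section with plistlib and adds one AppleEvents entry from the jamf binary to System Events. The PayloadType string and the AEReceiver* keys are Apple's documented PPPC payload keys; the System Events bundle ID and code requirement are assumed values that the article leaves blank and should be confirmed with codesign -dr - before use. Function names and the org identifier prefix are this example's own.

```python
"""Generate a Privacy Preferences Policy Control profile (added example)."""
import plistlib
import uuid

# PayloadType of Apple's PPPC payload.
PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"

# Code requirements reproduced from the article's profile contents.
JAMF_REQ = (
    'identifier "com.jamfsoftware.jamf" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    'certificate leaf[subject.OU] = "483DWKW443"'
)
# Same certificate chain; only the identifier clause differs.
JAMF_AGENT_REQ = JAMF_REQ.replace('"com.jamfsoftware.jamf"', '"com.jamfsoftware.jamfAgent"')
JAMF_APP_REQ = JAMF_REQ.replace('"com.jamfsoftware.jamf"', '"com.jamf.management.Jamf"')

# ASSUMED receiver values for System Events (the article leaves them blank).
# Confirm with: codesign -dr - "/System/Library/CoreServices/System Events.app"
SYSTEM_EVENTS_ID = "com.apple.systemevents"
SYSTEM_EVENTS_REQ = 'identifier "com.apple.systemevents" and anchor apple'


def service_entry(identifier, identifier_type, code_requirement, allowed=True,
                  comment="", receiver=None):
    """One dictionary under a service key.

    `receiver` is (identifier, identifier_type, code_requirement) of the app
    that receives Apple events; AppleEvents entries need sender and receiver."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    entry = {
        "Comment": comment,
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
    }
    if receiver is not None:
        rid, rtype, rreq = receiver
        if rtype not in ("bundleID", "path"):
            raise ValueError("AEReceiverIdentifierType must be 'bundleID' or 'path'")
        entry["AEReceiverIdentifier"] = rid
        entry["AEReceiverIdentifierType"] = rtype
        entry["AEReceiverCodeRequirement"] = rreq
    return entry


def build_profile(services, display_name, org_prefix="com.example.pppc"):
    """Wrap a Services dict in a complete, system-scoped configuration profile.
    Fresh UUIDs are generated; Jamf Pro regenerates them for unsigned uploads."""
    payload = {
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org_prefix}.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "Services": services,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }


def jamf_framework_profile():
    """The article's three Full Disk Access grants plus one AppleEvents grant
    from the jamf binary to System Events (receiver values assumed above)."""
    services = {
        "SystemPolicyAllFiles": [
            service_entry("/usr/local/jamf/bin/jamfAgent", "path", JAMF_AGENT_REQ,
                          comment="Allow jamfAgent to access all files"),
            service_entry("/usr/local/jamf/bin/jamf", "path", JAMF_REQ,
                          comment="Allow jamf binary to access all files"),
            service_entry("com.jamf.management.Jamf", "bundleID", JAMF_APP_REQ,
                          comment="Allow Jamf.app access to all files"),
        ],
        "AppleEvents": [
            service_entry("/usr/local/jamf/bin/jamf", "path", JAMF_REQ,
                          comment="Allow jamf binary to send events to System Events",
                          receiver=(SYSTEM_EVENTS_ID, "bundleID", SYSTEM_EVENTS_REQ)),
        ],
    }
    return build_profile(services, "Jamf Management Framework PPPC")


def profile_xml(profile) -> bytes:
    """Serialize to the XML plist form a .mobileconfig file uses."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data: bytes) -> dict:
    return plistlib.loads(data)


if __name__ == "__main__":
    with open("jamf-pppc.mobileconfig", "wb") as fh:
        fh.write(profile_xml(jamf_framework_profile()))
```

The output is an unsigned .mobileconfig that can be uploaded to Jamf Pro as described above; because the profile must arrive via a User Approved MDM push, installing the generated file with the profiles command or by double-clicking it does not grant anything.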
Additional Information
For more information about Apple's Privacy Preferences Policy Control payload, see Privacy Preferences Policy Control MDM payload settings for Apple devices in Apple Platform Deployment.