Preparing Your Organization for User Data Protections on macOS 10.14

This article explains new user data protections in macOS Mojave 10.14 or later, which are managed by Apple's expanded security framework, Transparency Consent and Control (TCC). Organizations can use mobile device management (MDM) to remotely manage these security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.

Note:

Starting with Jamf Pro 10.9, you can configure the Privacy Preferences Policy Control profile as a separate payload in computer configuration profiles. This payload allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preferences pane.

This article provides information on the following:
  • New User Data Protections on macOS 10.14 or laterInformation about new user data protections and the implications on end users and Jamf Pro administrators
  • Pre-Approval of the Jamf Management FrameworkRequirements and content of the automatically installed Privacy Preferences Policy Control profile and resources to create a custom configuration profile
  • Pre-Approval of Apple EventsInformation for Jamf Pro administrators using Apple Scripts, which may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service

New User Data Protections in macOS 10.14 or Later

On macOS 10.14 or later, access to some user application data will require user approval.

Users can pre-approve apps by adding them to the new "Full Disk Access" category in the System Preferences Security & Privacy pane. By adding apps, the user pre-approves access to all of their private-sensitive data without prompting. Administrator credentials are required to complete this process in System Preferences.

Approvals can also be managed remotely via MDM with the new Privacy Preferences Policy Control payload on macOS 10.14 or later.

Implications for Users

On macOS 10.14 or later, apps attempting to access protected files and app data may prompt end users to "allow" or "deny". If the app developer added purpose strings to the Info.plist, explaining the reasons for the data access request, that will also be presented with the prompt.

Apps compiled with previous versions of Xcode may not display a usage description for the prompt.

Implications for Jamf Pro Administrators

Jamf Pro administrators should prepare for the following behaviors on macOS 10.14 or later:

  • Some policies executed via Self Service may display a prompt for users to either allow or deny "jamfAgent" to execute.

  • Some policies executed via Terminal may display a prompt for users to either allow or deny "Terminal" to execute.

  • Some policies executed in the background by the Jamf binary may cause an error. These failures may inaccurately report as successful.

Privacy Preferences Policy Control Payload

Organizations can use mobile device management to remotely manage security preferences with Apple's new Privacy Preferences Policy Control payload on macOS 10.14 or later.

The Privacy Preferences Policy Control payload controls the following Privacy Service Dictionary Keys:
  • AddressBook

  • Calendar

  • Reminders

  • Photos

  • Camera

  • Microphone

  • Accessibility

  • PostEvent

  • SystemPolicyAllFiles

  • SystemPolicySysAdminFiles

  • AppleEvents

To allow or deny an app or binary to access one of the above Privacy Service Dictionary Keys, you can create a payload that includes the following:
Dictionary KeyDescription

Identifier

A unique identifying value for the app or service. Use a bundle ID for apps or an installation path of the binary.

Identifier Type

Must be either the bundle ID or file path depending on if it is an app bundle or the binary.

Code Requirement

A unique value based on the developer certificate used to sign the app or service. This value is obtained via the command codesign – display -r -

Static Code

Optional: If an app has already been set to Allow=True with the services shown using the /usr/bin/log but still causes prompts, it may require setting this value to true. If set to true, statically validates the code requirement of the app or service on-disk. If set to false, verifies the app in-memory while it is running.This is used only if the process invalidates its dynamic code signature. False is the default setting.

Allowed

Boolean: If set to true, access is granted. If set to false, access is denied. A false value overrides a previously set value by a user in System Preferences.

Code Signature Requirements and Bundle Identifiers
Jamf Pro administrators creating a custom configuration profile must include the code signature requirement and bundle ID for an app to allow access to protected user data. You can get the code signature requirement and bundle identifier (if needed) by running the following codesign commands:
codesign -dr - /Applications/Application.ap
codesign -dr - /path/to/binary
See the following table for examples:
InputOutput
codesign -dr - /usr/local/bin/jamf

Executable=/usr/local/jamf/bin/jamf designated => identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "483DWKW443"

codesign -dr - /Library/Application\ Support/JAMF/Jamf.app

Executable=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/Jamf designated => identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "483DWKW443"

Use the following as the code signature:

identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and certificate leaf[subject.OU] = "483DWKW443" 
Note: If the app developer changes their code signing certificate, the existing profile will be invalidated and will require a new profile with the new code signature.
Identification of Processes and Apps Attempting Data Access

To identify the app or binary you are attempting to allow data access, execute the following command:

/usr/bin/log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
To view previously requested data access, execute the following command:
/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' | grep Prompting

Pre-Approval of the Jamf Management Framework

Jamf Pro administrators can pre-approve the Jamf management framework with the Privacy Preferences Policy Control configuration profile. This profile will be automatically installed on Jamf Pro 10.7.1 or later.

Jamf Pro administrators can also create their own configuration profile with the information in the Privacy Preferences Policy Control pane of a configuration profile for computers.

General Requirements

To install the Privacy Preferences Policy Control profile on computers, the following requirements must be met:
  • User Approved MDM

  • Target computers with macOS 10.14 or later

  • Push notifications enabled

If installation is denied by a non-User Approved MDM system, the profile will stay queued and automatically attempt to re-install once the computer achieves User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro article.

Note:

If your organization only uses jamf binary without User Approved MDM for management, attempting to install this configuration profile using the profiles command or by manually clicking on the profile will not work. It must be pushed via MDM from a User Approved MDM server.

Privacy Preferences Policy Control Profile Contents

To approve the Jamf management framework with macOS 10.14 or later, the following three apps and processes must be approved with Systems Policy All Files service:
  • jamf agent

  • jamf binary

  • jamf.app

The following .mobileconfig file will approve these apps and processes and is the same as the configuration profile that will automatically install on computers with macOS 10.14 or later and Jamf Pro 10.7.1 or later.
Note:

If multiple payloads of this type are installed, the most restrictive settings between the payloads are used.

<key>Services</key>
                        <dict>
                                <key>SystemPolicyAllFiles</key>
                                <array>
                                        <dict>
                                                <key>Comment</key>
                                                <string>Allow jamfAgent to access all files</string>
                                                <key>Identifier</key>
                                                <string>/usr/local/jamf/bin/jamfAgent</string>
                                                <key>IdentifierType</key>
                                                <string>path</string>
                                                <key>Allowed</key>
                                                <true/>
                                                <key>CodeRequirement</key>
                                                <string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
                                        </dict>
                                        <dict>
                                                <key>Comment</key>
                                                <string>Allow jamf binary to access all files</string>
                                                <key>Identifier</key>
                                                <string>/usr/local/jamf/bin/jamf</string>
                                                <key>IdentifierType</key>
                                                <string>path</string>
                                                <key>Allowed</key>
                                                <true/>
                                                <key>CodeRequirement</key>
                                                <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
                                        </dict>
                                        <dict>
                                                <key>Comment</key>
                                                <string>Allow Jamf.app access to all files</string>
                                                <key>Identifier</key>
                                                <string>com.jamf.management.Jamf</string>
                                                <key>IdentifierType</key>
                                                <string>bundleID</string>
                                                <key>Allowed</key>
                                                <true/>
                                                <key>CodeRequirement</key>
                                                <string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
                                        </dict>
                                </array>
                        </dict>

Automatically Install the Privacy Preferences Policy Control Profile

A configuration profile that pre-approves the Jamf management framework will automatically install in Jamf Pro 10.7.1 or later. The Automatically install a Privacy Preferences Policy Control profile (macOS 10.14 or later) option is enabled by default in the Security settings when upgrading to Jamf Pro 10.7.1 or later. To access this feature, navigate to Settings > Computer Management > Security.

With this option enabled in Security settings, Jamf Pro 10.7.1 or later will automatically collect the macOS version of managed computers at login. This allows Jamf Pro to immediately detect when a computer has been upgraded to macOS 10.14 or later and initiate installation of the Privacy Preferences Policy Control profile. This auto-detection of OS version at login only applies when automatically installing the profile using the option in Security settings. This does not apply if manually deploying a custom configuration profile.

Create a Custom Configuration Profile

Starting with Jamf Pro 10.9, you can configure the Privacy Preferences Policy Control profile as a separate payload in computer configuration profiles. This payload allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preferences pane. To navigate these settings, navigate to Computers > Configuration Profiles and use the Privacy Preferences Policy Control payload to manage these settings.
Note:

If the configuration profile is manually deployed on a computer with macOS 10.13 or earlier, the configuration profile will not be respected once the computer is upgraded to macOS 10.14. The configuration profile will need to be redeployed after upgrading to macOS 10.14 or later.

Pre-Approval of Apple Events

Jamf Pro administrators using AppleScript workflows prompting user interaction may need to approve the Jamf management framework to communicate with built-in applications and services using the Apple Events service within the Privacy Preferences Policy Control payload. To leverage the restricted Apple Events service, Jamf Pro administrators must provide the identifier type and code requirement for both the sending and receiving application.

Common built-in services and apps receiving restricted Apple Events needed for user interaction include the following:
System Events:
  • Receiver Identifier: com.apple.systemevents
  • Receiver Identifier Type: Bundle ID
  • Receiver Code Requirement: identifier "com.apple.systemevents" and anchor apple
SystemUIServer:
  • Receiver Identifier: com.apple.systemuiserver
  • Receiver Identifier Type: Bundle ID
  • Receiver Code Requirement: identifier "com.apple.systemuiserver" and anchor apple
Finder:
  • Receiver Identifier: com.apple.finder
  • Receiver Identifier Type: Bundle ID
  • Receiver Code Requirement: identifier "com.apple.finder" and anchor apple

A pre-built configuration profile to approve interaction between the Jamf management framework and these three Apple services can be downloaded from the following Jamf's GitHub repository: https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles. Upload the configuration profile in Jamf Pro 10.7.1 or later.

Note:

You can upload this profile to Jamf Pro unsigned, and it will automatically generate the Payload UUID values.

In addition, an open source app built by Jamf for the Apple community can help with the identification requirements needed to allow apps to function within the Privacy Preferences Policy Control framework. This app is also available on Jamf's GitHub repository: https://github.com/jamf/PPPC-Utility.

Note:

You can upload an unsigned Privacy Preference Policy Control payload to Jamf Pro using the API.