
A Rose by Any Other Name: PPPC, TCC, User Data Protection and You

Jamf
October 23, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
A Rose by Any Other Name: PPPC, TCC, User Data Protection and You

Presented by:
Michael Paul, Jamf
Cyrus Ingraham, Jamf

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  1. Title slide

  2. © JAMF Software, LLC
    Cyrus Ingraham
    Software Engineer II, Jamf

    Mike Paul
    Program Manager, Jamf

  3. A rose by any other name: PPPC, TCC, User Data Protection, and You
    Presentation agenda:
    Intro to the user data protection changes in 10.14+
    How to identify the apps that are impacted
    How to gather the required values to manage these settings
    How to leverage the Privacy Preference Policy Control framework
    Troubleshooting
    Q&A

  4. AAA: Amazing Acronyms Abound
    GDPR = General Data Protection Regulation
    TCC = Transparency Consent and Control
    PPPC = Privacy Preferences Policy Control
    3PCo = 3 Ps and a C, ohhh.
    EUDDDP = End User Decision Driven Data Protection

  5. TCC Framework
    TCC Database:
    /Library/Application Support/com.apple.TCC/TCC.db
    ~/Library/Application Support/com.apple.TCC/TCC.db

    TCC Framework:
    /System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd

    TCC Util Binary:
    /usr/bin/tccutil

    Logging:
    subsystem == "com.apple.TCC"

    Profile Type:
    com.apple.TCC.configuration-profile-policy

  6. Privacy Service Dictionary Keys
    • Contacts
    • Calendar
    • Reminders
    • Photos
    • Camera *
    • Microphone *
    • Accessibility
    • PostEvent
    • SystemPolicyAllFiles **
    • SystemPolicySysAdminFiles
    • AppleEvents ***

    * = Deny only
    ** = Most powerful - use with caution
    *** = Unique: it's not a target service but acts as a middle man between two processes

  7. What values do you need?
    Identifier
    Bundle ID for apps
    Path for executables (binary or signed script)

    Code Signature
    codesign -dr - /Applications/Application.app
    codesign -dr - /path/to/binary

    Service it's trying to access

    Entitlements*

  8. Intro to User Data Protection
    • What it means to end users
    • Gives them a choice on what has access
    • This will mean they will be prompted, a lot

  9. Intro to User Data Protection
    • What it means to admins
    • Education to users about these prompts
    • Lots of testing prior
    • Understanding how to read the logs
    • Understanding parent processes
    • There is no catch-all whitelist

  10. How to identify the apps that are impacted
    • End users see prompts and reports
    • Manually launching applications
    • Watching logs - subsystem com.apple.TCC
    • Reading the TCC.db
    • Entitlements*

  11. Admin Testing - Self Service

  12. Admin Testing - Normal Policy
    Normal policy check-in is triggered via a LaunchDaemon in the background, so there are no prompts for the end user.

    Might see errors in policy logs.

    Must use the log command with the subsystem com.apple.TCC.

  13. Parent Processes
    Just because it's a Jamf policy doesn't mean the OS will see Jamf as the parent process.

  14. Apple Events
    Apple Events work as a middle man, allowing communication between two processes.

  15. Apple Events Cont.

  16. Apple Events Cont.

  17. Apple Events Cont.

  18. How to gather the required values to manage these settings
    • Identify if it's an app or an executable
    • tccprofile.py
    • ProfileCreator
    • PPPC Utility
    • Run codesign manually
    • Run CodesignatureGather.sh via Policy
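
Slide 7 lists the values a PPPC entry needs and slide 18 lists ways to collect them; the following puts those values together into one service entry for the com.apple.TCC.configuration-profile-policy payload. This is an added example in POSIX shell, not code from the deck, from Jamf or from any of the tools named above; the bundle ID, app path and requirement string are constructed, and it assumes Apple's PPPC payload keys (Identifier, IdentifierType, CodeRequirement, Allowed) under the payload's Services dictionary.

```sh
#!/bin/sh
# Added example, not code from the deck or from Jamf: assemble the values
# slide 7 asks for (identifier, identifier type, code requirement, service)
# into one service entry of a com.apple.TCC.configuration-profile-policy
# payload. Assumes `codesign -dr - <path>` prints "designated => <req>"
# on stdout (and its Executable= line on stderr), and Apple's PPPC keys
# Identifier, IdentifierType, CodeRequirement and Allowed.

# Keep only the bare requirement; that is what CodeRequirement expects.
requirement_from_codesign() {
    printf '%s\n' "$1" | sed -n 's/^designated => //p'
}

# Apps are referenced by bundle ID, binaries and signed scripts by path.
identifier_type() {
    case "$1" in
        *.app) echo bundleID ;;
        *)     echo path ;;
    esac
}

# Escape the characters that would break the plist XML inside <string>.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# $1 service key (e.g. SystemPolicyAllFiles), $2 identifier, $3 bundleID|path,
# $4 code requirement, $5 true|false. Output goes under the Services dict.
pppc_entry() {
    cat <<EOF
<key>$1</key>
<array>
    <dict>
        <key>Identifier</key><string>$(xml_escape "$2")</string>
        <key>IdentifierType</key><string>$3</string>
        <key>CodeRequirement</key><string>$(xml_escape "$4")</string>
        <key>Allowed</key><$5/>
    </dict>
</array>
EOF
}

# Constructed sample (not real signing data) standing in for
# `codesign -dr - /Applications/BackupTool.app 2>/dev/null`.
SAMPLE='designated => identifier "com.example.BackupTool" and anchor apple generic and certificate leaf[subject.OU] = "ABCDE12345"'
REQ=$(requirement_from_codesign "$SAMPLE")
pppc_entry SystemPolicyAllFiles com.example.BackupTool \
    "$(identifier_type /Applications/BackupTool.app)" "$REQ" true
```

On a real Mac, replace SAMPLE with the output of codesign -dr - for the app or binary in question, and read the bundle ID from the app's Info.plist rather than typing it by hand.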

  19. TCCProfile.py

  20. ProfileCreator

  21. PPPC Utility

  22. Troubleshooting
    • Application Entitlements
    • Watching the log as a post-install script
    • Periodically running the log command
    • Reading the TCC.db *
    • Reading /Library/Application Support/com.apple.TCC/MDMOverrides.plist

    * = Terminal needs Full Disk Access in System Preferences

  23. Application Entitlements

  24. Application Entitlements Example

  25. Admin Testing - Logs
    Live But Less Specific
    Live But More Specific
    Previous Requests But Temporary

  26. Log Show Previously Granted

  27. Reading the TCC.db
    Terminal needs Full Disk Access to use sqlite to read the database.

    Easy path: https://github.com/carlashley/tccprofile/blob/master/tccdbRead.py

  28. TCC.db System Settings

  29. TCC.db User Settings

  30. TCC.db Reflects Security & Privacy

  31. Reading the MDMOverrides.plist

  32. Reading the MDMOverrides.plist

  33. Coming Soon to a Jamf Pro Server Near You

  34. Coming Soon to a Jamf Pro Server Near You

  35. Thank you Apple Community
    Macadmin Slack Channel #TCC
    Carl Ashley
    Matthew Warren (Haircut)
    Rich Trouton (Der Flounder)
    Jamf Nation Community
    Jamf Developers

  36. Links (All in One)
    https://jamf.it/tcc

  37. Q&A
    • Easy Questions Only. Please and Thank You!

  38. THANK YOU!