A Rose by Any Other Name: PPPC, TCC, User Data Protection and You

Transcript

1. None

2. © JAMF Software, LLC Cyrus Ingraham Software Engineer II Jamf

   Mike Paul Program Manager Jamf

3. © JAMF Software, LLC A rose by any other name:

   PPPC, TCC, User Data Protection, and You Presentation agenda: Intro to the user data protection changes in 10.14+ How to identify the apps that are impacted How to gather the required values to manage these settings How to leverage the Privacy Preference Policy Control framework Troubleshooting Q&A

4. © JAMF Software, LLC AAA: Amazing Acronyms Abound GDPR =

   General Data Protection Regulation TCC = Transparency Consent and Control PPPC = Privacy Preferences Policy Control 3PCo = 3 Ps and a C, ohhh. EUDDDP = End User Decision Driven Data Protection

5. © JAMF Software, LLC TCC Framework TCC Database: /Library/Application Support/com.apple.TCC/TCC.db

   ~/Library/Application Support/com.apple.TCC/TCC.db TCC Framework: /System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd TCC Util Binary: /usr/bin/tccutil Logging: subsystem == “com.apple.TCC” Profile Type: com.apple.TCC.configuration-profile-policy

6. © JAMF Software, LLC Privacy Service Dictionary Keys • Contacts

   • Calendar • Reminders • Photos • Camera * • Microphone * • Accessibility • PostEvent • SystemPolicyAllFiles ** • SystemPolicySysAdminFiles • AppleEvents *** * = Deny Only
 ** = Most Powerful - use with caution *** = Unique as its not a target service but acts as a middle man between two processes

7. © JAMF Software, LLC What values do you need? Identifier

   Bundle ID for Apps Path for executables (Binary or signed script) Code Signature codesign -dr - /Applications/Application.app codesign -dr - /path/to/binary Service its trying to access Entitlements*

8. © JAMF Software, LLC Intro to the User Data Protection

   • What it means to end users? • Gives them a choice on what has access • This will mean they will be prompted, a lot

9. © JAMF Software, LLC Intro to the User Data Protection

   • What it means to admins • Education to users about these prompts • Lots of testing prior • Understanding how to read the logs • Understanding parent processes • There is no catch all whitelist

10. © JAMF Software, LLC How to identify the apps that

    are impacted • End users see prompts and reports • Manually launching applications • Watching Logs - subsystem com.apple.TCC • Reading the TCC.DB • Entitlements*

11. © JAMF Software, LLC Admin Testing - Self Service

12. © JAMF Software, LLC Admin Testing - Normal Policy Normal

    Policy Check-in is trigged via a LaunchDaemon in the background so there is no prompts for the end user Might see errors in policy logs Must use Log command with subsystem for com.apple.TCC

13. © JAMF Software, LLC Parent Processes Just because a it’s

    a Jamf policy doesn’t mean the OS will see Jamf as the parent process

14. © JAMF Software, LLC Apple Events Apple Events works as

    a middle man allowing communication between two processes

15. © JAMF Software, LLC Apple Events Cont.

16. © JAMF Software, LLC Apple Events Cont.

17. © JAMF Software, LLC Apple Events Cont.

18. © JAMF Software, LLC How to gather the required values

    to manage these settings • Identify if its an App or an executable • tccprofile.py • ProfileCreator • PPPC Utility • Run codesign manually • Run CodesignatureGather.sh via Policy

19. © JAMF Software, LLC TCCProfile.py

20. © JAMF Software, LLC ProfileCreator

21. © JAMF Software, LLC PPPC Utility

22. © JAMF Software, LLC Troubleshooting • Application Entitlements • Watching

    the log as a post-install script • Periodically running the log command • Reading the TCC.DB * • Reading the /Library/Application Support/ com.apple.TCC/MDMOverrides.plist * = Terminal needs Full Disk Access in System Preferences

23. © JAMF Software, LLC Application Entitlements

24. © JAMF Software, LLC Application Entitlements Example

25. © JAMF Software, LLC Admin Testing - Logs Live But

    Less Specific Live But More Specific Previous Requests But Temporary

26. © JAMF Software, LLC Log Show Previously Granted

27. © JAMF Software, LLC Reading the TCC.db Terminal needs full

    disk access to use Sqlite to read the database Easy Path: https://github.com/carlashley/ tccprofile/blob/master/tccdbRead.py

28. © JAMF Software, LLC TCC.db System Settings

29. © JAMF Software, LLC TCC.db User Settings

30. © JAMF Software, LLC TCC.db Reflects Security & Privacy

31. © JAMF Software, LLC Reading the MDMOverrides.plist

32. © JAMF Software, LLC Reading the MDMOverrides.plist

33. © JAMF Software, LLC Coming Soon to a Jamf Pro

    Server Near You

34. © JAMF Software, LLC Coming Soon to a Jamf Pro

    Server Near You

35. © JAMF Software, LLC Thank you Apple Community Macadmin Slack

    Channel #TCC Carl Ashley Matthew Warren (Haircut) Rich Trouton (Der Flounder) Jamf Nation Community Jamf Developers

36. © JAMF Software, LLC Links (All in One) https://jamf.it/tcc

37. © JAMF Software, LLC Q&A • Easy Questions Only. Please

    and Thank You!

38. © JAMF Software, LL THANK YOU!