A Rose by Any Other Name: PPPC, TCC, User Data Protection and You

Jamf
October 23, 2018

Presentation from JNUC 2018, the world's largest rally of Apple IT administrators.

Session:
A Rose by Any Other Name: PPPC, TCC, User Data Protection and You

Presented by:
Michael Paul, Jamf
Cyrus Ingraham, Jamf

View all session slides, recordings and more at https://www.jamf.com/events/jamf-nation-user-conference/2018/.

Transcript

  2. © JAMF Software, LLC
     Cyrus Ingraham, Software Engineer II, Jamf
     Mike Paul, Program Manager, Jamf
  3. A rose by any other name: PPPC, TCC, User Data Protection, and You
     Presentation agenda:
     • Intro to the user data protection changes in 10.14+
     • How to identify the apps that are impacted
     • How to gather the required values to manage these settings
     • How to leverage the Privacy Preferences Policy Control framework
     • Troubleshooting
     • Q&A
  4. AAA: Amazing Acronyms Abound
     GDPR = General Data Protection Regulation
     TCC = Transparency, Consent, and Control
     PPPC = Privacy Preferences Policy Control
     3PCo = 3 Ps and a C, ohhh.
     EUDDDP = End User Decision Driven Data Protection
  5. TCC Framework
     TCC Database (system): /Library/Application Support/com.apple.TCC/TCC.db
     TCC Database (per user): ~/Library/Application Support/com.apple.TCC/TCC.db
     TCC daemon (tccd): /System/Library/PrivateFrameworks/TCC.framework/Versions/A/Resources/tccd
     TCC Util Binary: /usr/bin/tccutil
     Logging: subsystem == "com.apple.TCC"
     Profile Type: com.apple.TCC.configuration-profile-policy
  6. Privacy Service Dictionary Keys
     • Contacts
     • Calendar
     • Reminders
     • Photos
     • Camera *
     • Microphone *
     • Accessibility
     • PostEvent
     • SystemPolicyAllFiles **
     • SystemPolicySysAdminFiles
     • AppleEvents ***
     * = Deny only
     ** = Most powerful; use with caution
     *** = Unique, as it is not a target service itself but acts as a middle man between two processes
  7. What values do you need?
     • Identifier: Bundle ID for apps; path for executables (binary or signed script)
     • Code signature (designated requirement): codesign -dr - /Applications/Application.app, or codesign -dr - /path/to/binary
     • The service it is trying to access
     • Entitlements*
  8. Intro to User Data Protection
     • What it means to end users
     • Gives them a choice of what has access
     • This means they will be prompted, a lot
  9. Intro to User Data Protection
     • What it means to admins
     • Educating users about these prompts
     • Lots of testing beforehand
     • Understanding how to read the logs
     • Understanding parent processes
     • There is no catch-all whitelist
  10. How to identify the apps that are impacted
      • End users see prompts and report them
      • Manually launching applications
      • Watching logs: subsystem com.apple.TCC
      • Reading the TCC.db
      • Entitlements*
  11. Admin Testing - Self Service
  12. Admin Testing - Normal Policy
      Normal policy check-in is triggered via a LaunchDaemon in the background, so there are no prompts for the end user.
      You might see errors in the policy logs.
      You must use the log command filtered on the com.apple.TCC subsystem.
  13. Parent Processes
      Just because it's a Jamf policy doesn't mean the OS will see Jamf as the parent process.
  14. Apple Events
      Apple Events works as a middle man allowing communication between two processes.
  15. Apple Events Cont.
  16. Apple Events Cont.
  17. Apple Events Cont.
  18. How to gather the required values to manage these settings
      • Identify whether it's an app or an executable
      • tccprofile.py
      • ProfileCreator
      • PPPC Utility
      • Run codesign manually
      • Run CodesignatureGather.sh via policy
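The gathering procedure from slides 7 and 18 (identifier and identifier type, designated requirement from `codesign -dr -`, the target service, and for Apple Events the receiving process from slide 14) carried through to a finished com.apple.TCC.configuration-profile-policy payload. This is an added example for this page, not Jamf's CodesignatureGather.sh, tccprofile.py, PPPC Utility or ProfileCreator. The helper names are hypothetical, the sample codesign output, team ID and cdhash are constructed placeholders, and `designated_requirement()` only works on macOS, where codesign exists:

```python
"""Gather PPPC values and emit a com.apple.TCC.configuration-profile-policy payload.
Added example for this page (not Jamf's CodesignatureGather.sh, tccprofile.py,
PPPC Utility or ProfileCreator). Helper names are hypothetical, the sample
requirements are constructed, and designated_requirement() needs macOS."""
import plistlib
import subprocess
import uuid
from pathlib import Path
from typing import Dict, List, Optional, Tuple

PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"Camera", "Microphone"}  # PPPC can only deny these on 10.14 (slide 6)

def identifier_for(target: str) -> Tuple[str, str]:
    """Apps: CFBundleIdentifier + "bundleID". Executables/signed scripts: path + "path"."""
    p = Path(target)
    if p.suffix == ".app":
        with open(p / "Contents" / "Info.plist", "rb") as fh:
            return plistlib.load(fh)["CFBundleIdentifier"], "bundleID"
    return str(p.resolve()), "path"

def parse_codesign_output(text: str) -> str:
    """`codesign -dr -` prints `designated => <requirement>` (on stderr)."""
    for line in text.splitlines():
        if line.startswith("designated =>"):
            return line.split("=>", 1)[1].strip()
    raise ValueError("no designated requirement in codesign output")

def designated_requirement(target: str) -> str:
    """macOS only: run codesign on the real app or binary."""
    proc = subprocess.run(["codesign", "-dr", "-", target],
                          capture_output=True, text=True, check=True)
    return parse_codesign_output(proc.stderr + proc.stdout)

def service_entry(identifier: str, identifier_type: str, code_requirement: str,
                  allowed: bool = True, comment: str = "",
                  receiver: Optional[Tuple[str, str, str]] = None) -> Dict:
    """One Services array element; `receiver` (id, type, requirement) is the
    scripted process and is required for AppleEvents (the middle-man case)."""
    entry = {"Identifier": identifier, "IdentifierType": identifier_type,
             "CodeRequirement": code_requirement, "Allowed": allowed, "Comment": comment}
    if receiver is not None:
        entry["AEReceiverIdentifier"], entry["AEReceiverIdentifierType"], \
            entry["AEReceiverCodeRequirement"] = receiver
    return entry

def validate_services(services: Dict[str, List[Dict]]) -> List[str]:
    """Return the problems that would make the profile quietly do nothing."""
    problems = []
    for service, entries in services.items():
        for e in entries:
            if e["IdentifierType"] not in ("bundleID", "path"):
                problems.append(f"{service}: bad IdentifierType {e['IdentifierType']!r}")
            if service in DENY_ONLY and e["Allowed"]:
                problems.append(f"{service}: PPPC can only deny this service on 10.14")
            if service == "AppleEvents" and "AEReceiverIdentifier" not in e:
                problems.append(f"{service}: entry needs the AEReceiver* keys")
    return problems

def build_pppc_profile(services: Dict[str, List[Dict]], name: str = "PPPC example") -> bytes:
    """Wrap the Services dictionary in a system-scoped configuration profile."""
    problems = validate_services(services)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {"PayloadType": PAYLOAD_TYPE, "PayloadVersion": 1, "PayloadDisplayName": name,
               "PayloadIdentifier": f"{PAYLOAD_TYPE}.{uuid.uuid4()}",
               "PayloadUUID": str(uuid.uuid4()).upper(), "Services": services}
    profile = {"PayloadType": "Configuration", "PayloadScope": "System", "PayloadVersion": 1,
               "PayloadDisplayName": name, "PayloadIdentifier": f"com.example.pppc.{uuid.uuid4()}",
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def load_profile(data: bytes) -> Dict:
    """Parse a profile back for inspection."""
    return plistlib.loads(data)

# Constructed sample codesign output and requirements (placeholder team ID / cdhash).
SAMPLE_CODESIGN_STDERR = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    'designated => identifier "com.example.app" and anchor apple generic '
    'and certificate leaf[subject.OU] = "TEAMID0000"\n')
SAMPLE_SCRIPT_REQ = 'cdhash H"0000000000000000000000000000000000000000"'
FINDER_REQ = 'identifier "com.apple.finder" and anchor apple'

def example_services() -> Dict[str, List[Dict]]:
    """Bundle ID, path, AppleEvents and deny-only entries built from the sample."""
    app_req = parse_codesign_output(SAMPLE_CODESIGN_STDERR)
    return {
        "SystemPolicyAllFiles": [service_entry("com.example.app", "bundleID", app_req,
                                               comment="Full Disk Access for the app")],
        "Accessibility": [service_entry("/usr/local/bin/helper.sh", "path", SAMPLE_SCRIPT_REQ)],
        "AppleEvents": [service_entry("com.example.app", "bundleID", app_req,
                                      receiver=("com.apple.finder", "bundleID", FINDER_REQ))],
        "Camera": [service_entry("com.example.app", "bundleID", app_req, allowed=False)],
    }

if __name__ == "__main__":
    print(build_pppc_profile(example_services()).decode())
```

Run it as-is to print a profile built from the constructed sample, or on a Mac call `identifier_for()` and `designated_requirement()` against the real app or script and feed the results to `service_entry()`. The validator enforces two points from the slides: Camera and Microphone entries can only carry Allowed = false on 10.14, and an AppleEvents entry is meaningless without the AEReceiver* keys naming the process on the other side.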
  19. TCCProfile.py
  20. ProfileCreator
  21. PPPC Utility
  22. Troubleshooting
      • Application entitlements
      • Watching the log as a post-install script
      • Periodically running the log command
      • Reading the TCC.db *
      • Reading /Library/Application Support/com.apple.TCC/MDMOverrides.plist
      * = Terminal needs Full Disk Access in System Preferences
  23. Application Entitlements
  24. Application Entitlements Example
  25. Admin Testing - Logs
      • Live, but less specific
      • Live, but more specific
      • Previous requests, but temporary
  26. Log Show Previously Granted
  27. Reading the TCC.db
      Terminal needs Full Disk Access to use sqlite3 to read the database.
      Easy path: https://github.com/carlashley/tccprofile/blob/master/tccdbRead.py
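A reader for the access table behind slides 22 and 27, added here as an example for this page; it is not Carl Ashley's tccdbRead.py. It assumes (not from the page) the 10.14 column layout reproduced in `make_sample_db()`, which is a constructed in-memory stand-in with sample rows; later macOS releases changed the columns, so the SELECT would need adjusting there. Opening the real file still requires whatever runs Python to have Full Disk Access, and `open_tcc_db()` turns sqlite's error into a PermissionError that says so:

```python
"""Read a 10.14 TCC.db `access` table and show it the way Security & Privacy does.
Added example for this page (not tccdbRead.py). Assumes the Mojave column
layout reproduced in make_sample_db(); newer macOS changed these columns.
Reading the real file needs Full Disk Access for the calling terminal."""
import os
import sqlite3
from typing import Dict, List
from urllib.parse import quote

SYSTEM_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
USER_DB = "~/Library/Application Support/com.apple.TCC/TCC.db"
CLIENT_TYPE = {0: "bundleID", 1: "path"}  # client_type column

QUERY = """
SELECT service, client, client_type, allowed, prompt_count,
       indirect_object_identifier, last_modified
FROM access
ORDER BY service, client
"""

def open_tcc_db(path: str) -> sqlite3.Connection:
    """Open read-only. Without Full Disk Access sqlite fails with
    'authorization denied' or 'unable to open database file'; report that
    as a PermissionError that names the fix instead of a bare OperationalError."""
    uri = "file:" + quote(os.path.expanduser(path)) + "?mode=ro"
    try:
        conn = sqlite3.connect(uri, uri=True)
        conn.execute("SELECT 1 FROM access LIMIT 1")
    except sqlite3.OperationalError as err:
        raise PermissionError(f"cannot read {path} ({err}); "
                              "grant Terminal Full Disk Access") from err
    return conn

def readable(path: str) -> bool:
    """True if the database opens and the access table is queryable."""
    try:
        open_tcc_db(path).close()
        return True
    except PermissionError:
        return False

def read_access(conn: sqlite3.Connection) -> List[Dict]:
    """One dict per access row with the integer columns decoded."""
    rows = []
    for svc, client, ctype, allowed, prompts, receiver, modified in conn.execute(QUERY):
        rows.append({
            "service": svc,
            "client": client,
            "identifier_type": CLIENT_TYPE.get(ctype, f"unknown({ctype})"),
            "allowed": bool(allowed),
            "prompt_count": prompts,
            # Only AppleEvents rows name a receiving process; others hold "UNUSED".
            "receiver": None if receiver in (None, "UNUSED") else receiver,
            "last_modified": modified,
        })
    return rows

def user_denials(rows: List[Dict]) -> List[Dict]:
    """Rows a user was prompted for and declined: the ones behind help-desk
    tickets, and the ones a PPPC profile is usually written to override."""
    return [r for r in rows if not r["allowed"] and r["prompt_count"] > 0]

def format_rows(rows: List[Dict]) -> str:
    out = []
    for r in rows:
        state = "Allowed" if r["allowed"] else "Denied"
        target = f" -> {r['receiver']}" if r["receiver"] else ""
        out.append(f"{r['service']:<38} {state:<8} {r['client']}{target} "
                   f"[{r['identifier_type']}, prompts={r['prompt_count']}]")
    return "\n".join(out)

def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a 10.14 TCC.db (sample rows, not an export)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE access (
            service TEXT NOT NULL, client TEXT NOT NULL, client_type INTEGER NOT NULL,
            allowed INTEGER NOT NULL, prompt_count INTEGER NOT NULL, csreq BLOB,
            policy_id INTEGER, indirect_object_identifier_type INTEGER,
            indirect_object_identifier TEXT, indirect_object_code_identity BLOB,
            flags INTEGER, last_modified INTEGER NOT NULL,
            PRIMARY KEY (service, client, client_type, indirect_object_identifier));
    """)
    conn.executemany(
        "INSERT INTO access (service, client, client_type, allowed, prompt_count,"
        " indirect_object_identifier, last_modified) VALUES (?,?,?,?,?,?,?)",
        [("kTCCServiceSystemPolicyAllFiles", "com.apple.Terminal", 0, 1, 0, "UNUSED", 1540000000),
         ("kTCCServiceAppleEvents", "com.apple.Terminal", 0, 1, 1, "com.apple.finder", 1540000100),
         ("kTCCServiceAccessibility", "/usr/local/bin/helper.sh", 1, 0, 2, "UNUSED", 1540000200)])
    conn.commit()
    return conn

if __name__ == "__main__":
    import sys
    conn = open_tcc_db(sys.argv[1]) if len(sys.argv) > 1 else make_sample_db()
    rows = read_access(conn)
    print(format_rows(rows))
    print("user denials:", len(user_denials(rows)))
```

Pass the system or per-user TCC.db path as the first argument to read a real database (with Full Disk Access granted); with no argument it prints the constructed sample. `user_denials()` pulls out the rows where a user was prompted and said no, which are the entries admins are normally trying to find before writing a PPPC profile.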
  28. TCC.db System Settings
  29. TCC.db User Settings
  30. TCC.db Reflects Security & Privacy
  31. Reading the MDMOverrides.plist
  32. Reading the MDMOverrides.plist
  33. Coming Soon to a Jamf Pro Server Near You
  34. Coming Soon to a Jamf Pro Server Near You
  35. Thank you
      Apple Community
      MacAdmins Slack, channel #TCC
      Carl Ashley
      Matthew Warren (Haircut)
      Rich Trouton (Der Flounder)
      Jamf Nation Community
      Jamf Developers
  36. Links (All in One): https://jamf.it/tcc
  37. Q&A
      • Easy questions only. Please and thank you!
  38. THANK YOU!