[MacTUG] WatSafe - allow system events

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Tue Dec 17 14:14:08 EST 2019


As Dani and I pointed out, the first issue -- not starting on login -- is reasonably trivial as a launch agent will do the trick.



It is the second issue, regarding the System Events message, that is a bigger issue.



I have tried the solution proposed by Dani and used the PPPC Utility (referred to below and the link is here: https://github.com/jamf/PPPC-Utility) to create a mobileconfig profile. It is not working, stating 2 things:

1. That it is not signed and warning me that I should trust the creator of the profile, but I trust myself 😉 so I click “install”

2. It then says “the profile must be a system profile. User profiles are not supported.”



The second one is the big deal and a bit of digging leads to this page https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14



Partway down that page it states “it is noted somewhere that these Privacy profiles can only be installed via a UAMDM-approved MDM server (i.e. Jamf), so manual installs of this payload at least won't work, regardless of how the payload content is created.”



What this means is that you CANNOT manually install these profiles but must use an MDM! Now JAMF is a full-featured MDM. But the lighter-weight server.app Profile Manager that is used by lots of places on campus may not be able to do this!



ARRRRGGGHHHHHH!



A serious question: This software is not ready for prime time for labs (that are not managed by JAMF). Is Emerge going to continue running for W2020 so we can have some time to resolve this?





------------------------------------

Donald Duff-McCracken

Interim Director

Mapping, Analysis & Design

Faculty of Environment

University of Waterloo

(519) 888-4567 x32151

https://uwaterloo.ca/environment-computing/about/people

------------------------------------

I acknowledge that I work and teach on the traditional territory of the Attawandaron (Neutral), Anishnaabeg, and Haudenosaunee peoples. The University of Waterloo is situated on the Haldimand Tract, land promised and given to Six Nations, which includes six miles on each side of the Grand River.




On 2019-12-17, 12:35 PM, "Paul Dietrich" <paul.dietrich at uwaterloo.ca> wrote:



    >The FIRST issue is that it does not automatically start for each user after installation. This is not too bad for single user machines but terrible for multi user machines. I can kludge a workaround by adding a login daemon to ensure it starts.



    I can definitely ask the vendor about this one.  Can you provide a bit more detail that I can pass on to them?  Just so I understand, when you deploy the package to a machine that has multiple users signed into it at the time of installation it does not auto start for them?  Sorry for a bit of my ignorance on this part as deploying Mac software is not something I have personally done in well over 12 years (since my last job where Apple was one of our clients so we had to 😊).



    >The SECOND & MAJOR issue is the fact the "control system events" dialog box comes up for every user. Expecting them to know they should click this is asking way too much of them. Frankly I don't want to be encouraging folks into having to click "OK" for this sort of thing as it will lead to them starting to click on things that they should not.



    As you mentioned in our RT, with the help of Dani and the work she has done with the JAMF profiles, this may address the acceptance of system messages pop up (so no one has to do it and the package auto does it).



    Thanks,



    Paul Dietrich

    System Integration Specialist

    Information Systems and Technology

    University of Waterloo

    519-888-4567, ext. 40000







    -----Original Message-----

    From: Donald Duff-McCracken <dsmccrac at uwaterloo.ca>

    Sent: Tuesday, December 17, 2019 12:15 PM

    To: Dani Roloson <daroloson at uwaterloo.ca>; MacTUG ‎[mactug at mailman.uwaterloo.ca]‎ <mactug at mailman.uwaterloo.ca>

    Cc: Paul Dietrich <p2dietri at uwaterloo.ca>

    Subject: Re: [MacTUG] WatSafe - allow system events



    To keep folks in the loop, I submitted an RT about this as there are some big problems with it for lab use that make it not acceptable at this time. The problems I identified in the RT were:



    >A trivial point is that the wording on the webpage should be changed to state that one should contact IST if one is installing this software in a Mac computer lab environment (of which there are a few on campus) vs it sounding like there is a solution available.

    >

    >There are TWO problems with installing this in a mac lab environment. Here they are in increasing order of severity:

    >

    >The FIRST issue is that it does not automatically start for each user after installation. This is not too bad for single user machines but terrible for multi user machines. I can kludge a workaround by adding a login daemon to ensure it starts.

    >

    >The SECOND & MAJOR issue is the fact the "control system events" dialog box comes up for every user. Expecting them to know they should click this is asking way too much of them. Frankly I don't want to be encouraging folks into having to click "OK" for this sort of thing as it will lead to them starting to click on things that they should not.

    >

    >Dani - getting back to the PPPC utility. When I ran it I created a mobile config full of XML junk. Any ideas why and if you have created a mobileconfig that works can you share? (I can share screenshot of this but don’t trust images on this mailing list as they sometimes need moderator approval)

    >

    >BTW I am pulling Paul D into this email thread and it would not hurt if we did “Reply-all” to responses to this thread so we can try to have a unified solution to this.



    Thanks

    don






    From: <mactug-bounces at lists.uwaterloo.ca> on behalf of Dani Roloson <daroloso at uwaterloo.ca>

    Date: Thursday, December 12, 2019 at 12:10 PM

    To: "MacTUG ‎[mactug at mailman.uwaterloo.ca]‎" <mactug at mailman.uwaterloo.ca>

    Cc: Luis Marroquin <lmarroquin at apple.com>

    Subject: Re: [MacTUG] WatSafe - allow system events



    So the Save will generate a mobileconfig while the Upload will put it on a JAMF server, signed by it, and I just needed to adjust the targets to All on the server.













    From: mactug-bounces at lists.uwaterloo.ca <mactug-bounces at lists.uwaterloo.ca> on behalf of Dani Roloson <daroloso at uwaterloo.ca>

    Sent: December 12, 2019 10:04

    To: MacTUG ‎[mactug at mailman.uwaterloo.ca]‎

    Cc: lmarroquin at apple.com

    Subject: Re: [MacTUG] WatSafe - allow system events



    So this seems JAMF related but not JAMF required.

    Testing with other delivery systems would be appreciated.



    https://github.com/jamf/PPPC-Utility












    From: mactug-bounces at lists.uwaterloo.ca <mactug-bounces at lists.uwaterloo.ca> on behalf of Dani Roloson <daroloso at uwaterloo.ca>

    Sent: December 11, 2019 11:01

    To: MacTUG ‎[mactug at mailman.uwaterloo.ca]‎

    Cc: lmarroquin at apple.com

    Subject: [MacTUG] WatSafe - allow system events



    So 10.14 and 10.15 are paranoid about security but the emergency application https://uwaterloo.ca/watsafe/ wants the user to allow system events on the Mac.




    Does the Managed Macs version actually handle that or does someone know how to allow system events via command line?

    https://uwaterloo.teamdynamix.com/TDClient/1804/Portal/KB/ArticleDet?ID=85108




    Dani
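
For readers following the thread, an added example (not from any poster, the vendor, or the PPPC Utility project) of what the "XML" in such a mobileconfig encodes: one Privacy Preferences Policy Control rule allowing an app to send Apple Events to System Events, plus a small reviewer that lists what a profile grants before it is uploaded to an MDM. The app bundle ID, code requirement and payload identifiers are placeholders, since the thread does not give WatSafe's real values.

```python
import plistlib
import uuid

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
SYSTEM_EVENTS = "com.apple.systemevents"
# Placeholders (assumptions): the thread gives no bundle ID or code requirement
# for the app. On a Mac, `codesign -dr - /path/to/App.app` prints the real one.
APP_ID = "com.example.placeholder-app"
APP_REQ = 'identifier "com.example.placeholder-app" and anchor apple generic'

def build_pppc_profile(app_id, app_req):
    """Return mobileconfig bytes letting app_id send Apple Events to System Events."""
    rule = {
        "Identifier": app_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": app_req,  # ties the grant to the signed binary
        "Allowed": True,
        "AEReceiverIdentifier": SYSTEM_EVENTS,
        "AEReceiverIdentifierType": "bundleID",
        "AEReceiverCodeRequirement": f'identifier "{SYSTEM_EVENTS}" and anchor apple',
    }
    payload = {
        "PayloadType": TCC_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.pppc.systemevents",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "Services": {"AppleEvents": [rule]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # the installer message quoted above: system profile only
        "PayloadIdentifier": "com.example.pppc",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Allow System Events (example)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def apple_event_grants(profile_bytes):
    """List (sender, receiver, allowed) for each AppleEvents rule, for review."""
    profile = plistlib.loads(profile_bytes)
    return [
        (r["Identifier"], r["AEReceiverIdentifier"], r["Allowed"])
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == TCC_TYPE
        for r in p.get("Services", {}).get("AppleEvents", [])
    ]
```

`apple_event_grants` can also be run over a file saved by the PPPC Utility to confirm it grants only the intended sender and receiver pair.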





