Categories
Mac admin'ing

Allowing Outset-run scripts to have access to user folders

Because of TCC/PPPC, which Apple introduced in macOS 10.14, scripts and applications have to ask for permissions to do certain things, especially things like reading user home directory files.

If you have an Outset login script that tries to read something in the home directory, you may see an error like Failure processing [name of script, command that failed] Operation not permitted in ~/Library/Logs/outset.log.

I tried creating a PPPC profile for the script itself. That didn’t work. I tried creating a PPPC profile for /usr/local/outset/outset. That didn’t work. I tried creating a PPPC profile for /bin/zsh. That didn’t work. I tried creating a PPPC profile that allowed all three to have access to all files. That didn’t work.

So, finally, I ran a tccutil reset All to reset the database, and then I logged in again, and it asked for Python to have access to the home folder the script was trying to read.

So I created a PPPC profile to allow Python (the one Outset is using) to have access to the home folder the script was trying to read, and the script ran just fine.

I’m not an expert on this, and any follow-up questions you have would probably be best directed to the #outset channel on the MacAdmins Slack (I’m over there too) instead of in the comments of this post (blog comments aren’t a great venue for tech support), but I thought sharing one case that worked might be helpful for others running into the same issue.


Scripting SSH off/on without needing a PPPC/TCC profile

You used to be able to use /usr/sbin/systemsetup -f -setremotelogin off or /usr/sbin/systemsetup -f -setremotelogin on to script disabling or enabling SSH on macOS.

Now that macOS has Privacy Preferences Policy Control (which needs a profile delivered by a user-approved MDM), you may get this error instead: setremotelogin: Turning Remote Login on or off requires Full Disk Access privileges. This is especially annoying if the script's parent process isn't code-signed (and so can't be granted access in a PPPC profile), as /usr/sbin/periodic isn't, for example. (Read more at Use the systemsetup command-line utility on macOS Catalina 10.15.)

For now, a workaround is to simply load or unload the launch daemon that backs SSH: /bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist to enable it, or /bin/launchctl unload -w /System/Library/LaunchDaemons/ssh.plist to disable it.

P.S. Since these are things you’re scripting via something like Munki or Jamf, I’m assuming you’re testing the commands as root.


Double-checking details of deployed PPPC/TCC profile from MDM

If you’ve deployed a PPPC/TCC profile from your user-approved MDM to a Mac, and you see the profile in System Preferences > Profiles, you can also verify all the details of the deployed profile on the Mac itself by looking at /Library/Application Support/com.apple.TCC/MDMOverrides.plist (which lives in a SIP-protected directory, by the way).
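As an added example (not from the original post), here is a small Python script that summarizes which TCC services an MDM-delivered profile allows or denies per identifier. It assumes the MDMOverrides.plist layout is a top-level dict keyed by bundle ID or path, each holding kTCCService* entries with an Allowed boolean; the embedded plist is a constructed sample, and reading the real file needs root (for example sudo python3 this_script.py).

```python
import plistlib
import sys

OVERRIDES_PATH = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

# Constructed sample in the assumed MDMOverrides.plist layout; the identifiers
# and code requirement are placeholders, not values copied from a real Mac.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>/path/to/outset/python3</key>
  <dict>
    <key>kTCCServiceSystemPolicyAllFiles</key>
    <dict>
      <key>Allowed</key><true/>
      <key>CodeRequirement</key><string>identifier "python3" and anchor apple generic</string>
      <key>Identifier</key><string>/path/to/outset/python3</string>
      <key>IdentifierType</key><string>path</string>
    </dict>
  </dict>
  <key>com.example.agent</key>
  <dict>
    <key>kTCCServiceAppleEvents</key>
    <dict>
      <key>Allowed</key><false/>
      <key>Identifier</key><string>com.example.agent</string>
      <key>IdentifierType</key><string>bundleID</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def summarize_overrides(plist_bytes):
    """Return {identifier: {kTCCService...: 'allowed' | 'denied'}}."""
    data = plistlib.loads(plist_bytes)
    summary = {}
    for identifier, services in data.items():
        if not isinstance(services, dict):
            continue  # skip anything that is not a per-identifier entry
        summary[identifier] = {}
        for service, entry in services.items():
            if not service.startswith("kTCCService") or not isinstance(entry, dict):
                continue
            allowed = bool(entry.get("Allowed", False))
            summary[identifier][service] = "allowed" if allowed else "denied"
    return summary


def is_allowed(summary, identifier, service):
    """True only if the profile explicitly allows `service` for `identifier`."""
    return summary.get(identifier, {}).get(service) == "allowed"


if __name__ == "__main__":
    # With a path argument, read the deployed file; otherwise use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for ident, services in summarize_overrides(raw).items():
        for svc, state in services.items():
            print(f"{ident}: {svc} -> {state}")
```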