macOS, BESAgent, MDM, and Apple PPPC/TCC

FYI for anyone with BESAgent deployed on macOS, and a third-party MDM system (JAMF, WorkspaceONE, Meraki, etc.)…

If your deployment of PPPC profiles for com.bigfix.BESAgent predates BigFix version 9.5.14, you may need to revise your profiles.

When configuring a macOS PPPC profile, the admin needs to tell the MDM system the target software’s code signing identifier. This information is captured with the macOS codesign binary:

codesign --display --requirements - "/Library/BESAgent/BESAgent.app/Contents/MacOS/BESAgent"

The BESAgent’s Team ID string changed when the product transitioned to HCL. The new value is seen in BESAgent versions 9.5.14 and later. If your PPPC profiles predate the release of 9.5.14 (October 2019), I recommend rechecking the code signing values.

See also:

(Many thanks to the HCL friends who helped discover and isolate this information.)

7 Likes

FYI,

  • prior to 9.5.14 : macOS BESAgent Team ID = QHQ775CF74
  • since 9.5.14: macOS BESAgent Team ID = 4EDX29VVN3

If you are creating such MDM profiles for Agents 9.5.14 or greater, the “CodeRequirement” field for the Identifier “com.bigfix.BESAgent” within the MDM profile should be (exactly as below):

identifier "com.bigfix.BESAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4EDX29VVN3"

3 Likes
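The two posts above describe a manual check: run codesign against the agent binary, read the Team ID out of the designated requirement, and compare it with the value that matches your agent version. The following POSIX shell script is an added example written for this thread (it is not code from either poster, BigFix or HCL) that does the same check in a scriptable way, so an admin can audit an existing profile’s CodeRequirement string before a fleet-wide agent upgrade. The sample requirement string is constructed from the reply above; the version cut-off (9.5.14) and the two Team IDs come from the posts. The function names are this example’s own.

```shell
#!/bin/sh
# Audit a PPPC CodeRequirement for com.bigfix.BESAgent: extract the Team ID
# (certificate leaf[subject.OU]) and compare it with the value the BESAgent of a
# given version is signed with (QHQ775CF74 before 9.5.14, 4EDX29VVN3 since 9.5.14).

# Constructed sample: what the designated requirement of a 9.5.14+ BESAgent looks
# like (the string itself is the one posted in the reply above).
SAMPLE_REQ='designated => identifier "com.bigfix.BESAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "4EDX29VVN3"'

# team_id_from_requirement: read a requirement string on stdin and print the
# Team ID found in the leaf certificate's subject.OU constraint (nothing if absent).
team_id_from_requirement() {
    sed -n 's/.*certificate leaf\[subject\.OU\] = "\([A-Z0-9]*\)".*/\1/p'
}

# expected_team_id MAJOR.MINOR.PATCH: print the Team ID the posts list for that
# agent version line (numeric comparison against 9.5.14).
expected_team_id() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 9 ] \
        || { [ "$major" -eq 9 ] && [ "$minor" -gt 5 ]; } \
        || { [ "$major" -eq 9 ] && [ "$minor" -eq 5 ] && [ "$patch" -ge 14 ]; }; then
        echo 4EDX29VVN3
    else
        echo QHQ775CF74
    fi
}

# check_requirement VERSION REQUIREMENT: succeed (exit 0) only when the
# requirement's Team ID is present and matches the one expected for VERSION.
check_requirement() {
    want=$(expected_team_id "$1")
    got=$(printf '%s\n' "$2" | team_id_from_requirement)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Live check on a Mac with the agent installed. codesign writes its display
# output to stderr, so both streams are merged before parsing; the block is
# skipped on hosts without codesign (Linux CI, for example).
if command -v codesign >/dev/null 2>&1; then
    live_req=$(codesign --display --requirements - \
        "/Library/BESAgent/BESAgent.app/Contents/MacOS/BESAgent" 2>&1 || true)
    printf 'Installed BESAgent Team ID: %s\n' \
        "$(printf '%s\n' "$live_req" | team_id_from_requirement)"
fi
```

Run `check_requirement 9.5.13 "$SAMPLE_REQ"` against a profile exported from the MDM to see the failure case: the 4EDX29VVN3 requirement does not match a pre-9.5.14 agent, which is exactly the mismatch that silently breaks the PPPC grant after the Team ID change. Pinning the Team ID through subject.OU, rather than only the bundle identifier, is what makes the profile resistant to an impostor app that reuses the com.bigfix.BESAgent identifier, so the expected value should be updated deliberately rather than loosened.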