Questions about Apple implementation of their TCC framework

Starting with macOS 10.14, Apple began implementing a new security framework in their systems.
It limits/restricts access to User Private/Sensitive data. The impact is that the users must each approve an application (like the BigFix client) before it can access certain sections of a computer. On macOS 10.14, or later, access to some user application data will require user approval. Approvals can also be managed remotely via MDM with the new Privacy Preferences Policy Control payload on macOS 10.14 or later.

So far, this has not been a direct issue for my company, but that looks like it’s about to change.

The Antivirus software that we use needs to be “Approved” on all the Apple systems. I’m being asked if BigFix can do it. Apparently, it requires certain MDM functions be approved via Apple. The Antivirus software only mentions JAMF in their documentation when it comes to remote deployment of the software under macOS.

Has anyone had any experience with this new security setup on Macs and working with it via BigFix?

I need to find a way to deploy the software and get it configured on 1,700+ macOS systems without relying on the users to manually authorize the software.

Ah, the joys of modern macOS management.

You’re right that starting with macOS 10.14, Apple began requiring devices be enrolled in MDM — specifically User-Approved MDM — to configure certain administrative settings. The PPPC settings are one such action, approving kernel extensions is another. BigFix is not an MDM tool, so it can solve some pieces of this problem but not others.

First, what can BigFix do? BigFix can push out .mobileconfig profiles, including PPPC profiles. It can also report on their installation status. There is a link to an open source tool for creating such profiles here: https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/

You can install them using a fixlet making use of the built-in macOS profiles Command, something along the lines of:

wait profiles -I -F __Download/MyConfigProfile.mobileconfig

For the profile to have any effect, however, the computer must be enrolled in UAMDM. Computers can become enrolled in UAMDM two ways: the first is to be provisioned as part of a Device Enrollment Program (DEP) at time of purchase, and the second is for a user to actually consent to the enrollment in the GUI. That is not automatable or obfuscatable. Some human will have to click that they accept on every computer out in the field. This is true even taking BigFix out of the equation. If you bought some MDM product and tried to enroll your existing device base, either your techs or your users would have to complete UAMDM enrollment by hand.

Once a device is enrolled in UAMDM, you can use BigFix to push out configuration profiles, including PPPC profiles.

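As an added illustration of the PPPC profile the reply above describes (this is not code from the post, from BigFix, or from the linked derflounder tool), the script below builds a com.apple.TCC.configuration-profile-policy payload with plistlib and writes it out as the .mobileconfig that `profiles -I -F` installs. The bundle identifier, code requirement, organization and identifier prefix are constructed placeholders; the real ones come from the vendor's signed app (`codesign -dr - /Applications/Vendor.app`). The point worth noticing is the CodeRequirement: it binds the grant to specific signed code, so the profile is not a blanket approval for anything that happens to carry that bundle identifier. As the reply notes, the profile still only takes effect on a UAMDM-enrolled machine.

```python
"""Build a PPPC (Privacy Preferences Policy Control) profile with plistlib.

Added example; not code from the forum post, BigFix, or the linked tool.
The bundle identifier, code requirement and organization below are
constructed placeholders; real values come from the vendor's app via
`codesign -dr - /Applications/Vendor.app`.
"""
import plistlib
import uuid

# Constructed placeholders standing in for the antivirus vendor's real values.
EXAMPLE_BUNDLE_ID = "com.example.antivirus"
EXAMPLE_CODE_REQUIREMENT = (
    'identifier "com.example.antivirus" and anchor apple generic and '
    'certificate leaf[subject.OU] = "EXAMPLETEAMID"'
)


def tcc_grant(identifier, code_requirement, allowed=True):
    """One entry for a TCC service list.

    The CodeRequirement ties the grant to the signed code, so a different
    binary that merely reuses the bundle identifier does not inherit it.
    """
    return {
        "Identifier": identifier,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
    }


def build_pppc_profile(display_name, organization, identifier_prefix, services):
    """Return a profile dict granting the given TCC services.

    `services` maps a TCC service name (e.g. "SystemPolicyAllFiles", which
    is Full Disk Access) to a list of tcc_grant() entries. TCC payloads are
    device-level, hence PayloadScope "System"; the profile only takes effect
    when the device is enrolled in User-Approved MDM.
    """
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier_prefix}.tcc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{display_name} - Privacy Preferences",
        "Services": services,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadDescription": "Grants privacy permissions required by the antivirus agent.",
        "PayloadContent": [tcc_payload],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes that `profiles -I -F` expects."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def antivirus_full_disk_access_profile():
    """The concrete profile for the thread's case: Full Disk Access for the AV app."""
    services = {
        "SystemPolicyAllFiles": [tcc_grant(EXAMPLE_BUNDLE_ID, EXAMPLE_CODE_REQUIREMENT)],
    }
    return build_pppc_profile(
        display_name="Antivirus Privacy Preferences",
        organization="Example Corp",
        identifier_prefix="com.example.pppc.antivirus",
        services=services,
    )


def verify_mobileconfig(data):
    """Parse serialized bytes back and return the set of TCC services granted.

    A cheap sanity check before pushing: catches a mistyped payload type or an
    empty service list, which would install cleanly but grant nothing.
    """
    profile = plistlib.loads(data)
    granted = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            continue
        for service, entries in payload.get("Services", {}).items():
            if any(entry.get("Allowed") for entry in entries):
                granted.add(service)
    return granted


if __name__ == "__main__":
    data = to_mobileconfig(antivirus_full_disk_access_profile())
    with open("AntivirusPPPC.mobileconfig", "wb") as fh:
        fh.write(data)
    print("granted services:", sorted(verify_mobileconfig(data)))
```

Running the script writes AntivirusPPPC.mobileconfig in the current directory; that file is what a fixlet would download and pass to `profiles -I -F`. The verify step re-parses the output rather than trusting the dict, which is the check you want before the file goes out to 1,700 machines.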

User-Approved MDM (UAMDM) was first added in 10.13.4 and any system that was enrolled in an MDM prior to that was automatically made UAMDM. User Approved Kernel Extension Loading (UAKEL) was the only UAMDM required setting at the time. With Catalina, we now have PPPC, UAKEL, and Remote Control requiring UAMDM.

As you need UAMDM for these to work, pushing the configuration profiles through an MDM is the supported and required method. Side loading profiles with BigFix is a temporary solution and will soon disappear, if it even works on the latest macOS (I’m unsure). Rumors are the profiles command will be discontinued soon and that an MDM will be the only way of providing profiles.

I would not count on the profiles command working on future operating systems.

I highly suggest you implement an MDM immediately.

Device Enrollment will allow you to add your serial numbers to an MDM and request that users enroll. An enrollment notification can be shown on users' systems with the command:

sudo profiles renew -type enrollment

With some MDM solutions you can make a pkg to enroll systems. This package can be pushed with BigFix, but does not enroll as UAMDM for systems 10.13.4 and newer. Enrolling systems before they upgrade past 10.13.4 is highly suggested.

With both the Device Enrollment request and pkg enrollment, you can prompt users to enroll and do user approval with the UMAD tool:

BigFix does poorly with reporting Profiles status, requiring a task to output the status to update any analysis or relevance. Apple is pushing MDM very hard and it’s going to be the way of managing your systems in any appreciable way moving forward.

I’d suggest Jamf, Mosyle, Filewave, micromdm, or a similar solution.

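The reply above makes two points that fit one small tool: a pkg-based enrollment on 10.13.4+ does not count as UAMDM, and BigFix only learns profile or enrollment status if a task writes it somewhere an analysis can read. The script below is an added example (not from the post, nor a BigFix-provided script) that parses the text `profiles status -type enrollment` prints, classifies the device as DEP-enrolled, user-approved, enrolled-but-unapproved, or not enrolled, and writes the result to a file for an analysis property. The sample outputs are constructed in the shape of the command's output, and the state-file path is a placeholder chosen here, not a BigFix path. Knowing the state in advance tells you which machines will silently ignore a pushed PPPC or kext profile.

```python
"""Report macOS MDM enrollment state for BigFix inventory.

Added example; not from the forum post or from BigFix. Parses the text that
`profiles status -type enrollment` prints (macOS 10.13.4 and later) and
classifies the device so a BigFix task can write the result to a file that
an analysis property reads. PPPC, kernel-extension and remote-control
payloads are ignored unless enrollment is user approved (or via DEP).
Sample outputs and the state-file path below are constructed for this example.
"""
import re
import subprocess

STATE_FILE = "/var/tmp/mdm_enrollment_state.txt"  # placeholder chosen here, not a BigFix path

_DEP_RE = re.compile(r"^Enrolled via DEP:\s*(Yes|No)\b", re.MULTILINE | re.IGNORECASE)
_MDM_RE = re.compile(r"^MDM enrollment:\s*(Yes|No)\b(.*)$", re.MULTILINE | re.IGNORECASE)


def classify_enrollment(status_text):
    """Map `profiles status -type enrollment` output to one of four states.

    "dep"            enrolled through Device Enrollment; approval is implicit
    "uamdm"          manual enrollment the user approved in System Preferences
    "mdm-unapproved" enrolled (e.g. via a pushed enrollment pkg) but never
                     approved, so UAMDM-gated payloads are silently ignored
    "none"           not enrolled in any MDM
    """
    mdm = _MDM_RE.search(status_text)
    if mdm is None or mdm.group(1).lower() == "no":
        return "none"
    dep = _DEP_RE.search(status_text)
    if dep is not None and dep.group(1).lower() == "yes":
        return "dep"
    if "user approved" in mdm.group(2).lower():
        return "uamdm"
    return "mdm-unapproved"


def accepts_uamdm_payloads(state):
    """True when a PPPC/UAKEL profile pushed to this device will take effect."""
    return state in ("dep", "uamdm")


def current_enrollment_state():
    """Run the real command; returns "unknown" off macOS or if it fails."""
    try:
        proc = subprocess.run(
            ["profiles", "status", "-type", "enrollment"],
            capture_output=True, text=True, check=False, timeout=30,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    if proc.returncode != 0:
        return "unknown"
    return classify_enrollment(proc.stdout)


# Constructed sample outputs in the shape the command prints.
SAMPLE_DEP = (
    "Enrolled via DEP: Yes\n"
    "MDM enrollment: Yes (User Approved)\n"
    "MDM server: https://mdm.example.com/mdm\n"
)
SAMPLE_UAMDM = (
    "Enrolled via DEP: No\n"
    "MDM enrollment: Yes (User Approved)\n"
    "MDM server: https://mdm.example.com/mdm\n"
)
SAMPLE_UNAPPROVED = (
    "Enrolled via DEP: No\n"
    "MDM enrollment: Yes\n"
    "MDM server: https://mdm.example.com/mdm\n"
)
SAMPLE_NONE = "Enrolled via DEP: No\nMDM enrollment: No\n"


if __name__ == "__main__":
    state = current_enrollment_state()
    with open(STATE_FILE, "w") as fh:
        fh.write(state + "\n")
    print(state, "accepts UAMDM payloads:", accepts_uamdm_payloads(state))
```

Run as root from a BigFix task on a schedule; an analysis property can then read the single word in the state file. The "mdm-unapproved" result is the one to watch for: those are the machines where a pkg-based enrollment went through but the user has not clicked Approve, so the PPPC profile for the antivirus agent will do nothing there.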

Can somebody from HCL clarify if there are plans in the roadmap to make BigFix a full MDM for macOS devices?

If that’s not the case, it sounds like BigFix will become useless for managing Apple devices.

I agree, we need clarification from HCL here. MDM hooks with BigFix sound like they are becoming critical to continued usage of BigFix on Macs.

Apple’s direction draws a clear distinction of “ownership authority” over the system – the traditional “user is owner” model versus the business/enterprise “company is owner” model. Traditional PC management approaches have effectively done a MITM on the end-user, under the supposition that physical possession and proper credentials are effective proof of ownership. Thus, they have pushed on UAMDM. The trick here is that, if a machine is institutionally-owned and DEP-enrolled into the company’s MDM, the user-authentication part is granted automatically.

In my own regard, “UAMDM” isn’t the right name. It should really be “Owner-Authenticated MDM”. But that’s my take.

Under Apple’s notion, institutionally-managed machines should be provisioned within a DEP workflow that enrolls the machine in an MDM system; via this, the company can manage anything requiring UAMDM. From there, one would issue MDM policies that manage things managed by MDM, supplemented as needed by agents doing things as root.

Until UAMDM happened, BigFix could effectively “manage” MDM policies by copying and installing .mobileconfig files. This is no longer sufficient. Further, Apple has stated that installing enrollment profiles via the profiles command will be removed in a future release.

Our Macs are enrolled in both Airwatch and BigFix. We’re not fully deployed with DEP yet, but the eventual provisioning workflow will be:

  1. macOS activates, is recognized by DEP
  2. DEP enrolls machine in Airwatch
  3. Airwatch installs needed MDM profiles
  4. Airwatch installs BigFix agent (with actionsite and clientsettings.cfg)
  5. BigFix does all the BigFix things