meraki MDM not able to push Privacy settings

L4d1k
Here to help


Hello,

I have spent a week now trying to do something that looked like a simple task: granting Accessibility to our Splashtop remote desktop tool for Macs.

The primary issue is on Mojave OSX, since it was not required before; on Catalina the end user needs to enable the Screen Recording setting in Privacy, which does not require admin rights on the Mac computer (not ideal, but manageable).

Meraki support has been silent on my ticket, besides referring me to an old article which is not usable for my situation, and not even for the Meraki remote tool: (https://documentation.meraki.com/SM/Profiles_and_Settings/Privacy_Preferences_Policy_Control_(PPPC)_...)

I even tried using a custom settings profile which I created using tccprofile.py, specifically developed for this task:

https://github.com/carlashley/tccprofile#gui-mode

 

But I shouldn't have to do that, since the Systems Manager profile tool has this option built in:

 

All I need is the Bundle ID and Code requirement, and to set Accessibility to allowed.

Bundle ID: com.splashtop.Splashtop-Streamer

Code requirement: identifier "com.splashtop.Splashtop-Streamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CPQQ3AW49Y

[Screenshot: Screen Shot 2020-04-23 at 2.46.04 PM.png]

 

 

Here is a good read on how it should work: https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-fo...

 

I have tried all the combinations and options I could think of, and tried it on different Mac systems, with zero success.

 

I am very sad to see Meraki support and development fail me like this during a time when we need them the most, to be able to support our faculty since we had to switch to a remote learning model.

 

I hope there is a solution I just missed, and that Meraki support was just overloaded due to the current situation, which is why they failed to support me.
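For readers building the custom-profile route themselves, here is an added illustration (not code from this post, tccprofile.py, PPPC Utility or Meraki) of the PPPC payload a .mobileconfig needs for the Bundle ID and code requirement quoted above. The payload keys are Apple's PPPC profile keys; the organization and display names are placeholders, and the deny-only service list encodes the Catalina Screen Recording limitation mentioned in the post.

```python
# Added illustration for this thread, not code from tccprofile.py, PPPC Utility or
# Meraki. Bundle ID and code requirement are those quoted above; names are placeholders.
import plistlib
import uuid

BUNDLE_ID = "com.splashtop.Splashtop-Streamer"
CODE_REQUIREMENT = (
    'identifier "com.splashtop.Splashtop-Streamer" and anchor apple generic and '
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = CPQQ3AW49Y"
)
# On macOS 10.14/10.15 an MDM profile can only deny these services; the user must
# approve them in System Preferences (that is the Screen Recording case on Catalina).
DENY_ONLY = {"Camera", "Microphone", "ScreenCapture", "ListenEvent"}


def mdm_can_allow(service):
    """True if a PPPC payload may set this TCC service to Allowed."""
    return service not in DENY_ONLY


def build_pppc_profile(bundle_id, code_requirement, services, org="Example Org"):
    """Return .mobileconfig bytes that allow each of `services` for `bundle_id`."""
    bad = [s for s in services if not mdm_can_allow(s)]
    if bad:
        raise ValueError("MDM cannot set Allowed for: " + ", ".join(bad))
    entry = {"Identifier": bundle_id, "IdentifierType": "bundleID",
             "CodeRequirement": code_requirement, "Allowed": True,
             "Comment": "Granted by PPPC profile for " + bundle_id}
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": bundle_id + ".pppc", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "Privacy Preferences Policy Control",
               "Services": {svc: [dict(entry)] for svc in services}}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadScope": "System",  # PPPC payloads only apply device (system) scoped
               "PayloadIdentifier": bundle_id + ".pppc.profile",
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "PPPC for " + bundle_id,
               "PayloadOrganization": org, "PayloadContent": [payload]}
    return plistlib.dumps(profile)


def list_grants(mobileconfig):
    """Parse profile bytes back into (service, identifier, allowed) tuples for review."""
    grants = []
    for payload in plistlib.loads(mobileconfig)["PayloadContent"]:
        for service, entries in payload.get("Services", {}).items():
            grants += [(service, e["Identifier"], e["Allowed"]) for e in entries]
    return grants
```

Run `list_grants` over any .mobileconfig before uploading it as a custom profile to confirm exactly which services and identifiers it grants.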

BlakeRichardson
Kind of a big deal

@L4d1k I feel your pain. I find SM works great with iOS devices; however, I wasn't able to get things working on the macOS side of things, so we moved our Macs to being managed with JAMF.

 

I have used a utility called PPPC Utility in the past that allows you to create profiles that can be deployed. I have made two profiles with this app so far: one for TeamViewer, as it requires Accessibility to be able to remotely control another user's computer, and one for our backup software so that it can back up what Apple considers personal files, i.e. the Pictures folder.

 

https://github.com/jamf/PPPC-Utility

 

If Meraki supported uploading your own privacy preference policy as Jamf does, this would solve this problem for many people.

 

I would suggest using the Make a Wish feature, asking to be able to upload custom privacy profiles.

 

Hi Blake,

 

Thank you for your suggestion.

And yes, at this point my plan is to move away from Meraki and switch back to JAMF as soon as I can; unfortunately, switching MDM requires me to physically touch the devices initially, and that is not going to be available for some time.

I had used a similar tool to create and upload a custom profile (this option is available on Meraki):

https://github.com/carlashley/tccprofile#gui-mode

Unfortunately without luck, but I will try the PPPC Utility and see if that helps.

Thank you!

 

MattMorg
Meraki Employee

I have enabled "Accessibility" in Privacy Preferences Policy Control (PPPC) for several other macOS applications with Systems Manager created PPPC profiles, and I may be able to assist. There are definitely some quirks about enabling/disabling PPPC settings via MDM profiles, but as long as the Splashtop application is asking the macOS system for this permission correctly, we should be able to enable this permission through a Systems Manager created PPPC profile.

 

The third-party tools mentioned could work to generate a custom .mobileconfig, which can then be pushed down to macOS devices as a custom profile via Systems Manager: https://documentation.meraki.com/SM/Profiles_and_Settings/Using_Custom_Apple_Profiles_with_Systems_M...

 

That said, a PPPC profile created directly in Systems Manager should also work to enable Accessibility, without needing to create a custom .mobileconfig with another tool.

 

@L4d1k please DM me your support case number; I want to review your setup/problem in more detail and then reach out.

MattMorg
Meraki Employee

@L4d1k thank you for messaging me your support case. I really enjoy trying to figure out the pain points, and I think there is an explanation for the behavior you are experiencing.

 

I was able to get this to work via Systems Manager, and your setup for com.splashtop.Splashtop-Streamer may actually be working too. I believe you may be confused by the macOS System Preferences UI, which is not a good representation for the actual PPPC settings on macOS (let me explain this a bit).

 

First, here is the setting I used to successfully enable Accessibility for com.splashtop.Splashtop-Streamer:

[Screenshot: Screen Shot 2020-04-24 at 4.57.36 PM.png]

 

"Accessibility" allows you to control the user's screen (control the mouse movement, specifically, with Splashtop). With this PPPC profile scoped to a macOS device that has com.splashtop.Splashtop-Streamer installed, I am able to control the user's screen without needing to have the end user enable "Accessibility" for "Splashtop Streamer" in System Preferences. However, if you look at the macOS System Preferences UI, you will notice the checkmark is still unchecked (this is normal!):

[Screenshot: Screen Shot 2020-04-24 at 5.17.48 PM.png]

 

To further confirm the MDM PPPC profile is working: as soon as I remove the PPPC profile and restart the Splashtop app, I cannot control the user's screen anymore. Once I rescope the MDM PPPC profile again, I can control the screen's mouse movements again. This is working as designed, and the Systems Manager PPPC profile is actually enabling com.splashtop.Splashtop-Streamer, despite it being unchecked in macOS System Preferences.

 

What's displayed on macOS 10.14 and 10.15 in System Preferences > Security & Privacy > Privacy is only the decisions end users made in the prompts presented to them, not settings pushed via MDM profiles. It's essentially displaying the values that are stored in the TCC databases, which can be found at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db.

 

These are some of the quirks with PPPC via MDM on macOS Catalina right now, but it is the behavior all MDMs are facing. The Systems Manager profile is actually working to enable Accessibility for com.splashtop.Splashtop-Streamer, at least in my quick repro.

 

(Side note: if you have a test device, you may find it useful to reset all of the local PPPC settings before trying again with this command: tccutil reset All)

 

Can you confirm that if you use the same PPPC profile from Systems Manager (screenshot above) you are able to control mouse movements with Splashtop?
