Privacy Settings Whitelist - Jamf and AppleScript Notifications profile
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDescription</key>
<string>This profile allows specified applications to display information to the logged-in user.</string>
<key>PayloadDisplayName</key>
<string>Privacy Settings Whitelist - Jamf and AppleScript Notifications</string>
<key>PayloadIdentifier</key>
<string>com.company.jamf.applescript.notifications.tcc.privacy.whitelist.5D8080B8-9A11-40B4-B3C7-EEA21CA7C357</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>5D8080B8-9A11-40B4-B3C7-EEA21CA7C357</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Services</key>
<dict>
<key>AppleEvents</key>
<array>
<dict>
<key>Comment</key>
<string>Allow osascript to send AppleEvents control to System Events</string>
<key>Identifier</key>
<string>/usr/bin/osascript</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.apple.osascript" and anchor apple</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow osascript to send AppleEvents control to SystemUIServer</string>
<key>Identifier</key>
<string>/usr/bin/osascript</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.apple.osascript" and anchor apple</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemuiserver</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemuiserver" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow osascript to send AppleEvents control to Finder</string>
<key>Identifier</key>
<string>/usr/bin/osascript</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.apple.osascript" and anchor apple</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.jamf.management.service</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamf.management.service" and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow Jamf to send AppleEvents control to System Events</string>
<key>Identifier</key>
<string>com.jamf.management.Jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow Jamf to send AppleEvents control to SystemUIServer</string>
<key>Identifier</key>
<string>com.jamf.management.Jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemuiserver</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemuiserver" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow Jamf to send AppleEvents control to Finder</string>
<key>Identifier</key>
<string>com.jamf.management.Jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamfAgent to send AppleEvents control to System Events</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamfAgent</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamfAgent to send AppleEvents control to SystemUIServer</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamfAgent</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemuiserver</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemuiserver" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamfAgent to send AppleEvents control to Finder</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamfAgent</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamf to send AppleEvents control to System Events</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamf to send AppleEvents control to SystemUIServer</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemuiserver</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemuiserver" and anchor apple</string>
</dict>
<dict>
<key>Comment</key>
<string>Allow jamf to send AppleEvents control to Finder</string>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
</dict>
<dict>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamfAgent</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamfsoftware.jamfAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.Enterprise-Connect</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.Enterprise-Connect" and anchor apple</string>
</dict>
<dict>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamfAgent</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamfsoftware.jamfAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systempreferences</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systempreferences" and anchor apple</string>
</dict>
<dict>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.Enterprise-Connect</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.Enterprise-Connect" and anchor apple</string>
</dict>
<dict>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systempreferences</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systempreferences" and anchor apple</string>
</dict>
<dict>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>IdentifierType</key>
<string>path</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>Allowed</key>
<true />
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Comment</key>
<string>Allow SystemPolicyAllFiles control for osascript</string>
<key>Identifier</key>
<string>/usr/bin/osascript</string>
<key>CodeRequirement</key>
<string>identifier "com.apple.osascript" and anchor apple</string>
<key>IdentifierType</key>
<string>path</string>
<key>Allowed</key>
<true />
</dict>
<dict>
<key>Identifier</key>
<string>/usr/local/jamf/bin/jamf</string>
<key>CodeRequirement</key>
<string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
<key>IdentifierType</key>
<string>path</string>
<key>Allowed</key>
<true />
</dict>
<dict>
<key>Identifier</key>
<string>com.jamf.management.Jamf</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.jamf.management.Jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Allowed</key>
<true />
</dict>
</array>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>This profile allows specified applications to display information to the logged-in user.</string>
<key>PayloadDisplayName</key>
<string>Privacy Settings Whitelist - Jamf and AppleScript Notifications</string>
<key>PayloadIdentifier</key>
<string>com.company.jamf.applescript.notifications.tcc.privacy.whitelist</string>
<key>PayloadOrganization</key>
<string>Company Name</string>
<key>PayloadScope</key>
<string>system</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>5D8080B8-9A11-40B4-B3C7-EEA21CA7C357</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
@matthiasschroder

Hi,

I just came across this since I'm struggling with permissions for com.jamf.management.service to SystemEvents. I'm a bit puzzled about your code requirement since from codesign I get 'anchor apple generic and identifier "com.jamf.management.service" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")', and it seems you dropped the parentheses around the certificate parameters; doesn't that weaken the requirement significantly?
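The precedence point raised in the comment can be checked mechanically. The following is an added example, not part of the gist and not Jamf or Apple tooling: a small Python parser for the subset of Apple's code signing requirement language used in this profile (atoms joined by `and`/`or`, parentheses, `/* ... */` comments), with `and` binding tighter than `or` as in Apple's grammar. It evaluates the gist's unparenthesised com.jamf.management.service requirement and the parenthesised form codesign reports against a constructed description of a hypothetical binary signed by the same Team ID but with a different identifier, and audits a constructed profile dictionary (a stand-in for the gist's plist, e.g. as loaded with plistlib) for requirements whose outermost operator is `or`. The facts sets, the `com.example.other-tool` identifier and the sample profile are assumptions made for the example.

```python
"""Check PPPC/TCC code requirements for 'and'/'or' precedence mistakes.

Added example, not part of the gist. Parses a subset of Apple's requirement
language ('and' binds tighter than 'or'), evaluates requirements against a
set of facts about a signature, and audits a profile dict for top-level 'or'.
"""
import re

TOKEN_RE = re.compile(r"(\(|\)|\band\b|\bor\b)")


def tokenize(requirement: str) -> list:
    """Strip /* ... */ comments, then split into '(', ')', 'and', 'or' and atoms.
    Simplification: quoted strings containing the words 'and'/'or' are not handled."""
    text = re.sub(r"/\*.*?\*/", " ", requirement)
    tokens = []
    for piece in TOKEN_RE.split(text):
        piece = " ".join(piece.split())  # collapse whitespace inside an atom
        if piece:
            tokens.append(piece)
    return tokens


def parse(tokens: list):
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; and_expr := primary ('and' primary)*."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of requirement")
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        node = parse_and()
        while peek() == "or":
            take()
            node = ("or", node, parse_and())
        return node

    def parse_and():
        node = parse_primary()
        while peek() == "and":
            take()
            node = ("and", node, parse_primary())
        return node

    def parse_primary():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return node
        if tok in (")", "and", "or"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("atom", tok)

    tree = parse_or()
    if peek() is not None:
        raise ValueError(f"trailing tokens from {peek()!r}")
    return tree


def evaluate(tree, facts: set) -> bool:
    """An atom holds when its normalised text is in the facts set."""
    if tree[0] == "atom":
        return tree[1] in facts
    left, right = evaluate(tree[1], facts), evaluate(tree[2], facts)
    return (left and right) if tree[0] == "and" else (left or right)


def accepts(requirement: str, facts: set) -> bool:
    return evaluate(parse(tokenize(requirement)), facts)


def top_level_or(requirement: str) -> bool:
    """True when the outermost operator is 'or', i.e. every branch is an alternative."""
    return parse(tokenize(requirement))[0] == "or"


def audit_profile(profile: dict) -> list:
    """Return (service, Identifier) for each TCC entry whose CodeRequirement is a top-level 'or'."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if top_level_or(entry.get("CodeRequirement", "")):
                    findings.append((service, entry.get("Identifier")))
    return findings


# The gist's com.jamf.management.service requirement, as written (no parentheses).
PROFILE_REQ = (
    'anchor apple generic and identifier "com.jamf.management.service" and '
    'certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = "483DWKW443"'
)
# The same requirement with the parentheses reported by codesign.
CODESIGN_REQ = PROFILE_REQ.replace(
    "and certificate leaf[field.1.2.840.113635.100.6.1.9]",
    "and (certificate leaf[field.1.2.840.113635.100.6.1.9]",
) + ")"

# Constructed facts: a Developer ID-signed binary from Team ID 483DWKW443 whose
# identifier is NOT the expected one (hypothetical identifier for the example).
SAME_TEAM_OTHER_BINARY = {
    "anchor apple generic",
    'identifier "com.example.other-tool"',
    "certificate 1[field.1.2.840.113635.100.6.2.6]",
    "certificate leaf[field.1.2.840.113635.100.6.1.13]",
    'certificate leaf[subject.OU] = "483DWKW443"',
}
# Constructed facts: the expected binary, Developer ID-signed by the same team.
JAMF_SERVICE_FACTS = (SAME_TEAM_OTHER_BINARY - {'identifier "com.example.other-tool"'}) | {
    'identifier "com.jamf.management.service"'
}

# Constructed minimal stand-in for the gist's profile (the dict plistlib would load).
SAMPLE_PROFILE = {
    "PayloadContent": [{
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "Services": {"AppleEvents": [
            {"Identifier": "com.jamf.management.service", "CodeRequirement": PROFILE_REQ},
            {"Identifier": "/usr/bin/osascript",
             "CodeRequirement": 'identifier "com.apple.osascript" and anchor apple'},
        ]},
    }],
}

if __name__ == "__main__":
    for name, req in (("profile", PROFILE_REQ), ("codesign", CODESIGN_REQ)):
        print(f"{name}: accepts other same-team binary = {accepts(req, SAME_TEAM_OTHER_BINARY)}")
    print("top-level 'or' entries:", audit_profile(SAMPLE_PROFILE))
```

Because `and` binds tighter than `or`, the gist's string parses as `(anchor apple generic and identifier ... and leaf[1.9]) or (certificate 1[2.6] and leaf[1.13] and OU = "483DWKW443")`, so the second branch satisfies it for any Developer ID-signed code from that Team ID regardless of identifier, which is the weakening the comment describes; the parenthesised form keeps the identifier mandatory. On a Mac, the same comparison can be made against a real binary with `codesign -d -r - <path>` (displays the designated requirement) and `codesign --verify -R '<requirement>' <path>`.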
