Privacy Settings Whitelist - Jamf and AppleScript Notifications profile
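<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!--
  Privacy Preferences Policy Control (TCC) profile.

  Purpose: let the Jamf management binaries and /usr/bin/osascript send Apple
  Events to System Events, SystemUIServer, Finder (and, for Jamf, Enterprise
  Connect and System Preferences) without a per-user TCC prompt, and grant
  Full Disk Access (SystemPolicyAllFiles) to osascript, the jamf binary and
  the Jamf.app bundle.

  Review notes for anyone editing the CodeRequirement strings:
  * In the code signing requirement language "and" binds tighter than "or".
    The Developer ID / Mac App Store alternative that codesign prints for
    Jamf's binaries must therefore keep its parentheses:
      anchor apple generic and identifier "X" and (leaf[6.1.9] or cert1[6.2.6] and leaf[6.1.13] and leaf[subject.OU] = "TEAM")
    Dropping them turns it into
      (anchor apple generic and identifier "X" and leaf[6.1.9]) or (cert1[6.2.6] and leaf[6.1.13] and leaf[subject.OU] = "TEAM")
    where the second branch no longer checks the identifier at all. Always
    paste the exact string from `codesign -dr - /path/to/binary`.
  * The entries for the jamf / jamfAgent / Jamf.app clients use two different
    requirement strings: a strict Developer-ID-only form and the broader
    Developer-ID-or-App-Store form. Both are valid; confirm the difference is
    intended and unify if it is not.
  * Apple expects every PayloadUUID to be globally unique. The inner payload
    below reuses the top-level profile UUID; generate a fresh UUID for the
    payload before deploying (left unchanged here so the identifiers in this
    example stay traceable).
-->
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDescription</key>
      <string>This profile allows specified applications to display information to the logged-in user.</string>
      <key>PayloadDisplayName</key>
      <string>Privacy Settings Whitelist - Jamf and AppleScript Notifications</string>
      <key>PayloadIdentifier</key>
      <string>com.company.jamf.applescript.notifications.tcc.privacy.whitelist.5D8080B8-9A11-40B4-B3C7-EEA21CA7C357</string>
      <key>PayloadOrganization</key>
      <string>Company Name</string>
      <key>PayloadType</key>
      <string>com.apple.TCC.configuration-profile-policy</string>
      <!-- NOTE(review): same value as the top-level PayloadUUID; should be unique per payload. -->
      <key>PayloadUUID</key>
      <string>5D8080B8-9A11-40B4-B3C7-EEA21CA7C357</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Services</key>
      <dict>
        <key>AppleEvents</key>
        <array>
          <!--
            osascript entries. The grant is keyed on the signed binary, not on
            the script it runs: any script executed through /usr/bin/osascript
            on this Mac can drive System Events, SystemUIServer and Finder
            without a prompt. Keep these only if the workflow really needs them.
          -->
          <dict>
            <key>Comment</key>
            <string>Allow osascript to send AppleEvents control to System Events</string>
            <key>Identifier</key>
            <string>/usr/bin/osascript</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.apple.osascript" and anchor apple</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemevents</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemevents" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow osascript to send AppleEvents control to SystemUIServer</string>
            <key>Identifier</key>
            <string>/usr/bin/osascript</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.apple.osascript" and anchor apple</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemuiserver</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemuiserver" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow osascript to send AppleEvents control to Finder</string>
            <key>Identifier</key>
            <string>/usr/bin/osascript</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.apple.osascript" and anchor apple</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.finder</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.finder" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <!--
            Jamf management service. FIX: the original requirement string had no
            parentheses around the "leaf[6.1.9] or cert1[6.2.6] and ..." group, so
            its second branch matched any Jamf-team Developer ID signature
            regardless of identifier. Restored to the form codesign prints.
          -->
          <dict>
            <key>Comment</key>
            <string>Allow the Jamf management service to send AppleEvents control to System Events</string>
            <key>Identifier</key>
            <string>com.jamf.management.service</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamf.management.service" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemevents</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemevents" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <!-- Jamf.app (bundle) entries: strict Developer ID requirement. -->
          <dict>
            <key>Comment</key>
            <string>Allow Jamf to send AppleEvents control to System Events</string>
            <key>Identifier</key>
            <string>com.jamf.management.Jamf</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemevents</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemevents" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow Jamf to send AppleEvents control to SystemUIServer</string>
            <key>Identifier</key>
            <string>com.jamf.management.Jamf</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemuiserver</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemuiserver" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow Jamf to send AppleEvents control to Finder</string>
            <key>Identifier</key>
            <string>com.jamf.management.Jamf</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.finder</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.finder" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <!-- jamfAgent (path-identified) entries: strict Developer ID requirement. -->
          <dict>
            <key>Comment</key>
            <string>Allow jamfAgent to send AppleEvents control to System Events</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamfAgent</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemevents</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemevents" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamfAgent to send AppleEvents control to SystemUIServer</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamfAgent</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemuiserver</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemuiserver" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamfAgent to send AppleEvents control to Finder</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamfAgent</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamfAgent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.finder</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.finder" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <!-- jamf binary (path-identified) entries: strict Developer ID requirement. -->
          <dict>
            <key>Comment</key>
            <string>Allow jamf to send AppleEvents control to System Events</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemevents</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemevents" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamf to send AppleEvents control to SystemUIServer</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemuiserver</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemuiserver" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamf to send AppleEvents control to Finder</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.finder</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.finder" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <!--
            Enterprise Connect / System Preferences entries. These use the
            Developer-ID-or-App-Store form of the requirement (correctly
            parenthesised as codesign prints it).
          -->
          <dict>
            <key>Comment</key>
            <string>Allow jamfAgent to send AppleEvents control to Enterprise Connect</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamfAgent</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamfsoftware.jamfAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.Enterprise-Connect</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.Enterprise-Connect" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamfAgent to send AppleEvents control to System Preferences</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamfAgent</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamfsoftware.jamfAgent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systempreferences</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systempreferences" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamf to send AppleEvents control to Enterprise Connect</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.Enterprise-Connect</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.Enterprise-Connect" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow jamf to send AppleEvents control to System Preferences</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systempreferences</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systempreferences" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <!--
            NOTE(review): duplicate of the earlier "jamf to System Events" entry,
            differing only in the broader requirement string. Keep one of the two;
            which entry TCC honours when both match is not established here.
          -->
          <dict>
            <key>Comment</key>
            <string>Allow jamf to send AppleEvents control to System Events (Developer ID or App Store signature)</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamfsoftware.jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>AEReceiverIdentifier</key>
            <string>com.apple.systemevents</string>
            <key>AEReceiverIdentifierType</key>
            <string>bundleID</string>
            <key>AEReceiverCodeRequirement</key>
            <string>identifier "com.apple.systemevents" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
        </array>
        <key>SystemPolicyAllFiles</key>
        <array>
          <!--
            Full Disk Access. Granting it to /usr/bin/osascript extends FDA to
            every script executed through osascript, not only to the management
            scripts this profile is written for. Confirm the workflow actually
            needs it before deploying; the Jamf grants below are narrower
            because they are pinned to Jamf-signed code.
          -->
          <dict>
            <key>Comment</key>
            <string>Allow SystemPolicyAllFiles control for osascript</string>
            <key>Identifier</key>
            <string>/usr/bin/osascript</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.apple.osascript" and anchor apple</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow SystemPolicyAllFiles control for the jamf binary</string>
            <key>Identifier</key>
            <string>/usr/local/jamf/bin/jamf</string>
            <key>IdentifierType</key>
            <string>path</string>
            <key>CodeRequirement</key>
            <string>identifier "com.jamfsoftware.jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"</string>
            <key>Allowed</key>
            <true/>
          </dict>
          <dict>
            <key>Comment</key>
            <string>Allow SystemPolicyAllFiles control for Jamf.app</string>
            <key>Identifier</key>
            <string>com.jamf.management.Jamf</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>CodeRequirement</key>
            <string>anchor apple generic and identifier "com.jamf.management.Jamf" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")</string>
            <key>Allowed</key>
            <true/>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>This profile allows specified applications to display information to the logged-in user.</string>
  <key>PayloadDisplayName</key>
  <string>Privacy Settings Whitelist - Jamf and AppleScript Notifications</string>
  <key>PayloadIdentifier</key>
  <string>com.company.jamf.applescript.notifications.tcc.privacy.whitelist</string>
  <key>PayloadOrganization</key>
  <string>Company Name</string>
  <!-- TCC policy payloads must be installed at system scope (device channel / supervised MDM). -->
  <key>PayloadScope</key>
  <string>system</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>5D8080B8-9A11-40B4-B3C7-EEA21CA7C357</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>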
Hi,
I just came across this since I'm struggling with permissions for com.jamf.management.service to System Events. I'm a bit puzzled by your code requirement for it: `codesign -dr -` gives me `anchor apple generic and identifier "com.jamf.management.service" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443")`, and it looks like you dropped the parentheses around the certificate clauses. Since "and" binds tighter than "or" in the requirement language, doesn't that weaken the requirement significantly — the second branch no longer checks the identifier?