6 Replies Latest reply on Feb 12, 2019 12:18 PM by JBnCO

    PPPC payload for TCC on Mojave

    JBnCO Apprentice

      Has anyone or has support released a mobileconfig payload that we can utilize with our MDM of choice to whitelist Ivanti Mac agent components for TCC on Mojave?

       

      As of now, the only binary that has prompted is lddispatch.  I'm assuming that there will be more as time progresses, but if Ivanti has a definitive list of binaries and apps that need to be whitelisted, that would be really helpful.

       

      If I can get a list of binaries and apps, I can utilize the PPPC utility built to share a payload that others can benefit from.

        • 1. Re: PPPC payload for TCC on Mojave
          Casity.chris SupportEmployee

          Hey JBnCO,

           

          We are currently developing a list of Ivanti applications run on the Mac that you can use to whitelist from AV. However, we do not have a list publicly available yet.

           

          Please keep an eye on the community for this document that will be coming soon. It may even be added to the following page: Macintosh

           

          Best regards,

           

          Chris Casity

          • 2. Re: PPPC payload for TCC on Mojave
            JBnCO Apprentice

            Chris,

             

            Has there been any movement on publishing a list of apps/files/etc that are required for Ivanti?  We have upgraded our MDM environment and need to set up this as a PPPC profile for our 10.14.x systems.

             

            Thanks,

             

            Joe

            • 3. Re: PPPC payload for TCC on Mojave
              Casity.chris SupportEmployee

              Hey Joe,

               

              We haven't had anything published yet. However, I was able to find some folders that you can whitelist:

               

              • /Library/Application Support/LANDesk and its sub-folders
              • /usr/local/LANDesk/common/
              • /usr/local/LANDesk/common/cbaroot

               

              Any applications/binaries under those folders should be whitelisted.

               

              I hope that helps.

               

              Best Regards,

               

              Chris Casity

              • 4. Re: PPPC payload for TCC on Mojave
                JBnCO Apprentice

                Chris,

                 

                There are over 100 binaries and app bundles in the directories listed.  Can Ivanti please give us admins some more guidance on this than to enter over 100 entries in your MDM to ensure the agent works correctly?

                 

                If some binaries or apps call subprocesses, they inherit the TCC permissions, so blindly whitelisting all binaries in the directory is overkill and not best practice.

                 

                Joe

                • 5. Re: PPPC payload for TCC on Mojave
                  josh.lander Rookie

                  JBnCO

                   

                  Yes, we use the mobile config that Ivanti provides in 2018.3 for the agent TCC.

                   

                  Under Agent Settings \ macOS Device Configuration it's called "EPM Agent authorization".

                   

                  What version of the core are you running?

                  • 6. Re: PPPC payload for TCC on Mojave
                    JBnCO Apprentice

                    Josh,

                     

                    Thanks for the info.  I contacted support and the location of the mobileconfig that has what needs to be whitelisted for third party MDMs is located here:

                     

                    %ldms_home%\ldlogon\agentbehaviors\macospayloads\whitelisting_profiles

                     

                    It has the services and binaries/app bundles that are needed to build the PPPC profiles.
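
Added example, not part of the thread and not Ivanti's code: a short Python script for reviewing what a PPPC mobileconfig grants before importing it into a third-party MDM. It assumes the profile is an unsigned plist; the sample profile, its identifiers and the "needs review" heuristic (path-based or unpinned grants) are constructed for illustration.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample profile: identifiers and requirement strings are placeholders.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "SystemPolicyAllFiles": [
                {"Identifier": "com.example.agent", "IdentifierType": "bundleID",
                 "CodeRequirement": 'identifier "com.example.agent" and anchor apple generic',
                 "Allowed": True},
                {"Identifier": "/opt/example/bin/helper", "IdentifierType": "path",
                 "CodeRequirement": "", "Allowed": True},
            ],
        },
    }],
})


def list_pppc_entries(profile_bytes):
    """Return one row per (service, identifier) granted by an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    rows = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue  # skip non-PPPC payloads bundled in the same profile
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                rows.append({
                    "service": service,
                    "identifier": e.get("Identifier"),
                    "type": e.get("IdentifierType"),
                    # Mojave-era profiles use Allowed; later ones use Authorization.
                    "grant": e.get("Allowed", e.get("Authorization")),
                    "pinned": bool(e.get("CodeRequirement", "").strip()),
                })
    return rows


def needs_review(rows):
    """Allowed entries identified by raw path or lacking a code requirement."""
    return [r["identifier"] for r in rows if r["grant"] in (True, "Allow")
            and (r["type"] == "path" or not r["pinned"])]


if __name__ == "__main__":
    rows = list_pppc_entries(SAMPLE)
    print(*rows, "review: %s" % needs_review(rows), sep="\n")
```
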