Ylianst / MeshAgent

MeshAgent is used along with MeshCentral to remotely manage computers. Many variations of the background management agent are included as binaries in the MeshCentral project.
https://meshcentral.com

Signed x86_64 meshagent for macOS? #127

Open tdobes opened 2 years ago

tdobes commented 2 years ago

Hello.

I'm looking for a way to automatically enable the Privacy preferences for meshagent (Screen Recording, Accessibility, Full-disk access) on new versions of macOS. In particular, I've found that it's necessary to re-enable these manually from System Preferences each time a new version of meshagent is pushed to all of the Macs.

It looks like it should be possible to do this if the meshagent binaries are signed. It would then be possible for users to enable these permissions by pushing a profile via their MDM servers. I'm not certain, but I think this might also avoid the need to re-enable these settings each time a meshagent update is pushed for systems where this is enabled manually.

The Apple ARM64 binary (meshagent_osx-arm-64) is signed (which makes sense since this is required on Apple silicon). Would it be possible to also sign the meshagent_osx-universal-64 and meshagent_osx-x86-64 binaries?

krayon007 commented 2 years ago

If you are signing the agent, I don't see why you couldn't sign the x86_64 binary. In the past I used to sign the x86_64 binary. As far as the updates though, is that a new development for the security preferences having to be re-acquired? I've only had to do that on first install, I've never had to do that for self-updates. I tested that just now with my M1 Mac. It self-updated, but all the permissions stayed intact. My M1 is still running Big Sur.

tdobes commented 2 years ago

Sorry -- I was asking for the agent which is distributed by MeshCentral to be signed. Since these agents are deployed from MeshCentral, it is difficult/problematic for them to be manually signed before deployment.

Regarding updates, I have had no issues with needing to adjust security preferences on M1 Macs. This is because the M1 agent binary is signed. I have a lot of problems with the x86_64 binary because it is NOT signed.

You mention that the x86_64 binary was signed in the past. Would it be possible to start signing the x86_64 binary and universal binary again? (in particular, the versions which are picked up by MeshCentral and distributed through MeshCentral to clients) If these versions were signed, I could configure my MDM to allow access based on the signature. Without a signature on these binaries, this is not possible.

krayon007 commented 2 years ago

The M1 agent binary actually isn't signed.

krayon007 commented 2 years ago

I'm going to look into signing all the mac binaries..

tdobes commented 2 years ago

> The M1 agent binary actually isn't signed.

This is the command I've been using to check for the presence of a code signature to apply to an MDM, and why I concluded that a signature was present for the M1 binary, but not the others:

% git clone https://github.com/Ylianst/MeshCentral.git
...
% codesign -dr - MeshCentral/agents/meshagent_osx-x86-64
MeshCentral/agents/meshagent_osx-x86-64: code object is not signed at all
% codesign -dr - MeshCentral/agents/meshagent_osx-universal-64
Executable=/private/tmp/MeshCentral/agents/meshagent_osx-universal-64
MeshCentral/agents/meshagent_osx-universal-64: code object is not signed at all
% codesign -dr - MeshCentral/agents/meshagent_osx-arm-64
Executable=/private/tmp/MeshCentral/agents/meshagent_osx-arm-64
# designated => cdhash H"f0ef445325719d51ebb67792ddc9a1415dc105df"

It's my understanding that code is required to be signed to run on Apple Silicon Macs. Apple's linker will automatically ad-hoc sign binaries targeting this platform, so this is likely happening automatically.

jgomez696 commented 1 year ago

I have several computers with macOS M1 Monterey. I have solved the problem by installing from the console with "sudo", and it is perfect. Here is the reference link: https://coderwall.com/p/lncteg/install-mpkg-package-from-commandline-on-osx

GPAEALandon commented 1 year ago

> I'm going to look into signing all the mac binaries..

I would love to see this signed as well so .mobileconfigs can allow permissions. Have you looked at Mac Admins Foundation's free code signing for open source?