jamf / PPPC-Utility

Privacy Preferences Policy Control (PPPC) Utility
MIT License

Add Corresponding Entitlement Keys to Properties Help #105

Closed uurazzle closed 2 years ago

uurazzle commented 2 years ago

It would be a nice feature enhancement to list the corresponding entitlement keys in the PPPC Utility property help descriptions. This would help limit confusion when building configuration profiles, by referencing the Apple documentation for a key and where it maps to a PPPC Utility property.

macblazer commented 2 years ago

I believe this was added as part of issue #79. If you look closely at the text in the Help button next to each property it should have the MDM key at the end of the text.

If there is more to do here, please let us know.

uurazzle commented 2 years ago

Actually, the corresponding entitlements would be nice too….

For example, you can use an application like Suspicious Package to audit an installer for a hit list of applications. [Attachment]

Then use an application like Apparency to get the corresponding Entitlements. Just need a mapping from the entitlements to MDM keys to make it easier to build the PPPC Utility configuration profile.

For example...

[Attachment-1]

I have discussed adding a feature to Suspicious Package to directly get a list of the entitlements, which will greatly simplify the process, and its developer is investigating adding it in a new release. The next step is a mapping from entitlements to MDM keys for building the PPPC configuration profile, which I was hoping might be added to a future release of PPPC Utility.

Thanks:

Richard Glaser (he, him, his)

macblazer commented 2 years ago

@uurazzle Thanks for the clarification. Unfortunately, the image attachments were not imported to the GitHub issue, so we can't see those. If you could use GitHub's editor to attach the images, I'm sure we'd get a much better understanding of it.

uurazzle commented 2 years ago

Hi @macblazer,

Ok, updated my comment and the images appear to be viewable. Let me know if you still have issues or need additional clarification.

macblazer commented 2 years ago

I see now. This is an interesting place to bring the information together.

This would involve mapping info here about entitlements: https://developer.apple.com/documentation/bundleresources/entitlements

with corresponding PPPC payload keys from here: https://support.apple.com/guide/deployment/privacy-preferences-policy-control-payload-dep38df53c2a/web

Of course, not every entitlement has a corresponding PPPC key, and at first glance, I'm not sure that every PPPC key requires an entitlement built-in to the app. But definitely interesting information to be added to the description of the PPPC keys.

We could read the entitlements of the specific app that is selected, and display those entitlements in the top app information bar. I'll open a different issue with that idea.

uurazzle commented 2 years ago

And the developer, Randy Saldinger of Suspicious Package & Apparency, is interested in collaborating if the applications and PPPC Utility can share the mapping information. I have cc'd him on this reply and he can make suggestions on the best way to collaborate.

macblazer commented 2 years ago

Found another source of entitlements for sandboxed macOS apps here:

https://developer.apple.com/documentation/security/app_sandbox

rsaldinger commented 2 years ago

With the proviso that I have never built a PPPC profile and know absolutely nothing about what is involved, but for what it's worth...

What I’d suggest is that we define a new (probably plist-based) file format that can be used to communicate the pertinent bits of a collection of (signed/entitled) app bundles or other executables. Suspicious Package could create this file based on everything it finds inside a package. PPPC Utility could read this file and use it to populate its Applications list (as an alternative to reading the apps directly off the disk).

So, you'd open a package in Suspicious Package, choose something like File > Export PPPC Information, and then add the resulting file to PPPC Utility. Then you'd configure the permissions for the individual apps (and other executables) using the entitlement info imported from Suspicious Package.

This file could definitely include the bundle identifier, the code-signing (designated) requirement string, and the actual entitlements (in plist representation). A simple array of dictionaries would probably suffice; we’d just need to “standardize” the keys. We could define a file extension and UTI to make e.g. drag-and-drop work nicely, too.

Apparency could also produce this file for all of the entitled components inside a single app, although in that case, the app is already on-disk, so I don’t know how much this actually adds.

(That said, it doesn’t look like PPPC Utility searches inside an app for other components that might impact the PPPC profile. Can things like helper apps or app extension plugins complicate constructing a PPPC profile? I’d have thought so, but again, this is totally outside of my expertise! Anyway, if the entitlements of components within an app are meaningful, Apparency might be able to add something useful, by creating the same sort of file.)

macblazer commented 2 years ago

The PR for this issue includes a JSON file with a mapping from the PPPC Services keys used for the config profiles to code-signing entitlements that are at least somewhat related. Depending on the specific app and PPPC key, there is no hard requirement in either direction. Some of the entitlements are only enforced for sandboxed apps (every app from the Mac App Store is sandboxed), and some of the PPPC keys relate to multiple entitlements, especially around file access.

For example, in the PPPC profile admins can grant apps access to the Documents folder so that when the user tries to save/read files from the Documents folder they are not prompted. If the user tries to save/read files from elsewhere they are still prompted. For sandboxed Mac apps this is mostly covered under the entitlements com.apple.security.files.user-selected.read-only or com.apple.security.files.user-selected.read-write. But those same entitlements relate to multiple other PPPC keys for protecting the Downloads folder, network volumes, removable volumes, etc.

For the very specific ask of displaying the related entitlements in the help of the PPPC keys this PR will suffice.

@rsaldinger I propose we move the discussion of a shared file format for app information or other collaboration between this project and Suspicious Package and/or Apparency to a new GitHub issue.
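As an added example (the editor's, not code from PPPC Utility, Suspicious Package or Apparency), the following Python ties together the interchange file rsaldinger sketched and the many-to-many mapping macblazer describes above. It assumes the entitlements were already dumped with `codesign -d --entitlements :- Example.app` and the designated requirement with `codesign -d -r- Example.app`; both samples below are constructed, as are Example.app, com.example.app and the team identifier. The service-to-entitlement table is an illustrative subset written for this example, not the JSON file in the project's PR, and the export file's key names are an assumed schema, not an agreed one.

```python
"""Added example: map an app's code-signing entitlements to the PPPC services
they relate to, round-trip that through a hypothetical export file, and emit
the Services portion of a com.apple.TCC.configuration-profile-policy payload."""
import plistlib
from typing import Dict, List, Tuple

# Constructed sample of what `codesign -d --entitlements :- /Applications/Example.app`
# prints for a hypothetical sandboxed app (Example.app and com.example.app are invented).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.files.user-selected.read-write</key><true/>
<key>com.apple.security.automation.apple-events</key><true/>
<key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Constructed designated requirement, as `codesign -d -r- Example.app` prints it
# after the "designated => " prefix.  The team identifier is invented.
SAMPLE_REQUIREMENT = ('identifier "com.example.app" and anchor apple generic and '
                      'certificate leaf[subject.OU] = "ABCDE12345"')

FILE_ENTITLEMENTS = ("com.apple.security.files.user-selected.read-only",
                     "com.apple.security.files.user-selected.read-write")

# Illustrative subset (my own, not the PR's JSON): PPPC service key -> sandbox
# entitlements that are at least related.  Many-to-many: the two user-selected
# file entitlements relate to four folder/volume services, and some services
# have no entitlement signal at all (empty tuple), e.g. Accessibility.
SERVICE_TO_ENTITLEMENTS: Dict[str, Tuple[str, ...]] = {
    "Camera": ("com.apple.security.device.camera",),
    "Microphone": ("com.apple.security.device.audio-input",),
    "AddressBook": ("com.apple.security.personal-information.addressbook",),
    "Calendar": ("com.apple.security.personal-information.calendars",),
    "Photos": ("com.apple.security.personal-information.photos-library",),
    "AppleEvents": ("com.apple.security.automation.apple-events",),
    "SystemPolicyDocumentsFolder": FILE_ENTITLEMENTS,
    "SystemPolicyDownloadsFolder": FILE_ENTITLEMENTS,
    "SystemPolicyNetworkVolumes": FILE_ENTITLEMENTS,
    "SystemPolicyRemovableVolumes": FILE_ENTITLEMENTS,
    "Accessibility": (),
    "ScreenCapture": (),
    "SystemPolicyAllFiles": (),
}


def granted_entitlements(plist_bytes: bytes) -> set:
    """Entitlement keys whose value is true.  Array-valued entitlements
    (e.g. keychain-access-groups) carry no PPPC signal and are ignored."""
    return {k for k, v in plistlib.loads(plist_bytes).items() if v is True}


def candidate_services(entitlements: set) -> Dict[str, List[str]]:
    """PPPC services worth considering for this app, each with the entitlement(s)
    that suggested it.  Services with an empty tuple above are never suggested:
    they have to be decided from the app's documented behaviour instead."""
    out: Dict[str, List[str]] = {}
    for service, related in SERVICE_TO_ENTITLEMENTS.items():
        hits = sorted(e for e in related if e in entitlements)
        if hits:
            out[service] = hits
    return out


def export_app_info(bundle_id: str, requirement: str, plist_bytes: bytes) -> bytes:
    """Hypothetical interchange file in the shape rsaldinger sketched: an array of
    dictionaries with identifier, designated requirement and raw entitlements.
    The key names here are an assumption, not an agreed schema."""
    return plistlib.dumps([{"BundleIdentifier": bundle_id,
                            "DesignatedRequirement": requirement,
                            "Entitlements": plistlib.loads(plist_bytes)}])


def pppc_payload_from_export(export_bytes: bytes,
                             authorization: str = "Allow") -> Tuple[dict, List[str]]:
    """Build a PPPC payload from the export file.  Returns (payload, pending), where
    pending lists apps that hold the apple-events entitlement: an AppleEvents entry
    also needs AEReceiverIdentifier/AEReceiverCodeRequirement for the target app,
    which the sending app's entitlements cannot tell us, so the admin fills it in."""
    services: Dict[str, list] = {}
    pending: List[str] = []
    for app in plistlib.loads(export_bytes):
        ents = {k for k, v in app["Entitlements"].items() if v is True}
        entry = {"Identifier": app["BundleIdentifier"], "IdentifierType": "bundleID",
                 "CodeRequirement": app["DesignatedRequirement"],
                 "Authorization": authorization, "StaticCode": False}
        for service in candidate_services(ents):
            if service == "AppleEvents":
                pending.append(app["BundleIdentifier"])
                continue
            services.setdefault(service, []).append(dict(entry))
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "Services": services}
    return payload, pending


if __name__ == "__main__":
    export = export_app_info("com.example.app", SAMPLE_REQUIREMENT, SAMPLE_ENTITLEMENTS)
    payload, pending = pppc_payload_from_export(export)
    print(plistlib.dumps(payload).decode())
    print("AppleEvents entries still needing a receiver:", pending)
```

Running it shows the asymmetry macblazer points out: one read-write entitlement fans out to four folder/volume services, Accessibility and ScreenCapture never appear because no entitlement implies them, and network.client is ignored because it has no PPPC counterpart. The payload only suggests services; whether each should be Allow or Deny is still the admin's decision.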

rsaldinger commented 2 years ago

@macblazer Do you want to use #107 as the starting point for that discussion? I think anything we do here should be driven from what PPPC Utility can usefully do with new information produced by Suspicious Package or Apparency, rather than by what information they could provide... I'm happy to consider providing whatever information I can, in whatever form is most useful, but just don't think I'm the right person to drive the feature that results!