jamf / PPPC-Utility

Privacy Preferences Policy Control (PPPC) Utility
MIT License

Display entitlements built into the selected app #107

Open macblazer opened 2 years ago

macblazer commented 2 years ago

As an admin I would like to see the entitlements built into the selected app (just like seeing the code signing requirements) so that I know what the app is trying to do, and can more easily grant the correct access to functionality that I want to enable without the system prompting the end user.

See issue #105 for more context.

uurazzle commented 2 years ago

New versions of Suspicious Package and Apparency have added features to make it a little easier to discover and create PPPC configuration profiles. Would still love a more direct integration with PPPC Utility.

rsaldinger commented 2 years ago

Yes, that's the "merged entitlements" view, described for Suspicious Package here. This collects all of the entitlements requested across all executables in the package, and also provides a way to copy the executable/app information to the clipboard in the "app identity" form required for the PPPC Profile. Apparency has a parallel feature that collects all entitlements for the app and all of the components inside it.

I'm still open to doing something more specific to work with PPPC Utility, but don't know what that might be. FWIW, I mocked up a sort of "executable audit" format for the entitlement/executable information, which can be generated using an as-yet-undocumented option on the "spkg" CLI tool for Suspicious Package v4.2, e.g.:

spkg --exec-audit audit.plist SomePackage.pkg

If you open up the resulting plist, I think the contents should be fairly self-explanatory. Whether something like this is useful or not, I've no clue! (I also added a parallel option to the appy CLI tool for Apparency v1.4.1, but I see now that I broke it at some point thereafter; it could be made to work, though, if it's of value.)

uurazzle commented 1 year ago

Hi @macblazer,

Thanks for adding the entitlements to the help buttons in the 1.5.0 release.

Is there still interest in having tighter integration or sharing of entitlements with tools like Suspicious Package and Apparency? It would make it easier to discover and create PPPC configuration profiles.

Did you have any additional questions about integration options or benefits?

macblazer commented 1 year ago

I think it would be great if the PPPC Utility could highlight the properties that are entitlement-related to an app selected in the list on the left. This would at least draw attention to the properties that are more likely relevant to control for that app.

Sharing the app information (bundle ID, code signing info, entitlement info, etc.) from other apps would definitely be something we could support. We need to do a bit more coding to have our model understand that there can be entitlements associated with an app, and do the highlighting of associated properties.
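
The highlighting idea discussed in this thread, sketched as an added example that is not part of the thread or of PPPC Utility's code: it reads an app's entitlements plist and returns the PPPC service names worth drawing attention to. The mapping table, the function name and the sample plist are assumptions made for illustration.

```python
import plistlib

# Assumed mapping from resource-access entitlement keys to PPPC profile service
# names. Illustrative only; this is not PPPC Utility's own table.
ENTITLEMENT_TO_PPPC = {
    "com.apple.security.device.camera": "Camera",
    "com.apple.security.device.audio-input": "Microphone",
    "com.apple.security.personal-information.addressbook": "AddressBook",
    "com.apple.security.personal-information.calendars": "Calendar",
    "com.apple.security.personal-information.photos-library": "Photos",
    "com.apple.security.automation.apple-events": "AppleEvents",
}

# Constructed sample input: an entitlements plist in the XML form that
# `codesign -d --entitlements` can output for a signed app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><false/>
  <key>com.apple.security.automation.apple-events</key><true/>
  <key>com.apple.security.personal-information.addressbook</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>"""


def related_pppc_services(entitlements_xml: bytes):
    """Return (services_to_highlight, entitlements_without_a_mapping)."""
    ents = plistlib.loads(entitlements_xml)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must have a dictionary at the top level")
    # Only entitlements explicitly set to true count as requested by the app.
    highlight = sorted({ENTITLEMENT_TO_PPPC[key] for key, value in ents.items()
                        if value is True and key in ENTITLEMENT_TO_PPPC})
    # Report keys the table does not know so an admin can review them by hand.
    unmapped = sorted(key for key in ents if key not in ENTITLEMENT_TO_PPPC)
    return highlight, unmapped


if __name__ == "__main__":
    services, unmapped = related_pppc_services(SAMPLE_ENTITLEMENTS)
    print("Highlight these PPPC properties:", ", ".join(services) or "(none)")
    print("Entitlements with no mapped property:", ", ".join(unmapped) or "(none)")
```

An empty result only means none of the mapped entitlements are present; PPPC properties that have no entry in this assumed table are never highlighted by it, so they still need manual review.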