VinceHWebb
Contributor

Privacy Preference profile example for VMware Fusion


Does anyone have a working profile that grants Full Disk Access to VMware Fusion?  We have a number of applications that we need to provide Full Disk Access and/or Accessibility access for by default (and managed).  I've not been able to get one to work.  The contents of my Fusion profile look like this:

pastedImage_0.png

I got that info from the WS1 online documentation for how to set up Privacy Preferences.  Any guidance would be helpful.  I do have a support ticket open but thought maybe someone in the community already has it working that could chime in.  Thanks!

0 Kudos
1 Solution

Accepted Solutions
rterakedis
VMware Employee

VinceHWebb​ - Try these values:

Identifier:  com.vmware.fusion

Identifier Type:   Bundle ID

Code Requirement:   identifier "com.vmware.fusion" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG7KH642X6

Then select the different Services you want enabled (such as "System Policy All Files").  


0 Kudos
11 Replies
VinceHWebb
Contributor

Thanks!!  Photo finish with WS1 support answering me too! 🙂  Thanks so much for the help!

0 Kudos
VinceHWebb
Contributor

rterakedis I do have a follow-up question about Privacy Prefs and in particular for Fusion.  I didn't notice this until trying on a fresh vanilla setup.  When first launching Fusion I still get the following popup.  I have a ticket open with Support about it but so far no luck.  My current profile gives Accessibility and both System Files options.  My first popup was resolved but no idea how to stop this one?  Also, I'll forward you some Preferences for AV stuff I've discovered later today.  No recognition needed; happy to contribute. 🙂

SystemEvents Error.jpg

0 Kudos
rterakedis
VMware Employee

VinceHWebb​ -- This looks like an "Apple Events" preference.  Try adding:

Receiver Identifier:

com.apple.systemevents

Receiver Code Requirement:

identifier “com.apple.systemevents” and anchor apple

It would basically look like this:  

0 Kudos
rterakedis
VMware Employee

pastedImage_0.png

0 Kudos
VinceHWebb
Contributor

rterakedis

When I add this to the Fusion profile it fails to install to the device.  When looking at the device in WS1 portal in the Troubleshooting area I found this error:

Error Code: 22 In the payload (UUID: 5762df04-b066-4439-8c44-15e308be7e88), the key 'AEReceiverCodeRequirement' has an invalid value.

0 Kudos
rterakedis
VMware Employee

VinceHWebb​ - check the quotes on that paste.   I think they need to be the “straight” quotes and not the curly quotes.  

0 Kudos
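
An added example, not part of the original thread and not VMware's or the posters' code: a Python lint that checks the code requirement strings of a Privacy Preferences payload for the curly-quote problem described above, before the profile is uploaded. The sample profile is constructed from the values posted in this thread; `fusion_entry` and `lint_profile` are hypothetical names, and the `IdentifierType`, `AEReceiverIdentifierType` and `Allowed` entries are assumed from Apple's payload format.

```python
import plistlib

# Typographic quotes that rich-text editors and web forms substitute for " and '.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}
REQ_KEYS = ("CodeRequirement", "AEReceiverCodeRequirement")

FUSION_REQ = ('identifier "com.vmware.fusion" and anchor apple generic and '
              'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
              'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
              'certificate leaf[subject.OU] = EG7KH642X6')

def fusion_entry(**extra):
    """One PPPC entry for Fusion, using the values given in the thread."""
    return {"Identifier": "com.vmware.fusion", "IdentifierType": "bundleID",
            "CodeRequirement": FUSION_REQ, "Allowed": True, **extra}

# Constructed sample profile; the Apple Events receiver requirement still has
# the curly quotes that produced the "invalid value" install error.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": "com.apple.TCC.configuration-profile-policy",
    "Services": {
        "SystemPolicyAllFiles": [fusion_entry()],
        "AppleEvents": [fusion_entry(
            AEReceiverIdentifier="com.apple.systemevents",
            AEReceiverIdentifierType="bundleID",
            AEReceiverCodeRequirement="identifier \u201ccom.apple.systemevents\u201d and anchor apple")],
    }}]})

def lint_profile(data: bytes):
    """Return (service, key, problem, suggested_fix) for each bad requirement string."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.TCC.configuration-profile-policy":
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                for key in REQ_KEYS:
                    value = entry.get(key, "")
                    fixed = value.translate(str.maketrans(SMART_QUOTES))
                    if fixed != value:
                        findings.append((service, key, "typographic quotes", fixed))
                    elif not value.isascii():
                        findings.append((service, key, "non-ASCII character", None))
    return findings

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print(*finding, sep=" | ")
```

Run against an exported `.mobileconfig` by passing the file's bytes to `lint_profile`; an empty list means no requirement string carries typographic quotes or other non-ASCII characters.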
VinceHWebb
Contributor

rterakedis That was the issue causing the error!  I still get the prompt for access to System Events for VMware Fusion though.  😕

SystemEventPersists.jpg

0 Kudos
rterakedis
VMware Employee

hey VinceHWebb​!

Apologies for the copy/paste fail!  As for the prompt still happening, I wrote this up a while back to help with troubleshooting:   euc-samples/macOS-Samples/Privacy Preferences Policy Control at master · vmware-samples/euc-samples ...

One of the things that may help is to examine what actually gets saved in the TCC db.   One of the blurbs in that GitHub doc is this:   

You can also review the TCC database after clicking the button to whitelist the app. Run the command echo ".dump" | sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db and echo ".dump" | sudo sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db to view the entries in the TCC databases. You will not be able to read the TCC.db if Terminal is not granted permissions (SystemPolicyAllFiles)

https://github.com/vmware-samples/euc-samples/tree/master/macOS-Samples#tcc-db-reset

The kicker is that Terminal needs to be granted full access in your testing system (either via MDM or using the System Preferences Security & Privacy pane).   If you don't give Terminal Access, you won't be able to read the databases...

0 Kudos
VinceHWebb
Contributor

I'll give this a try and share my findings.  Thanks for the continued help!

0 Kudos
MikeAcevedo
Contributor

Has anyone been successful using this Profile for TrendMicro Apex One? Did you have to add a kernel extension policy?

0 Kudos