Force Client Observe with Privacy Settings

This guide can be used to force a macOS computer to allow the FileWave client's observe process rights to accessibility with out user intervention. It can only be used on applications that meet the requirements.

Requirements to work:

macOS 10.14+
FileWave client, server, and admin 13.0.0+
macOS is MDM enrolled and trusted (see: macOS High Sierra (10.13) & User Approved MDM Enrollment for more info)
Application must be signed

You can follow the guide or feel free to use the attached Filesets.

For Servers on 13.0.X and older

FileWave Accessibility Access .mobileconfig.zip

For 13.1 and newer

Profile - FileWave Observe Accessibility Access .fileset.zip

Step-by-step guide

You will need a few pieces of information to do this:

Either the application path OR Bundle ID for the profile, but you will need the path to figure out the Bundle ID.

App Path:
1. Install and then launch the application so that it prompts for privacy access
2. Open System Preferences → Security & Privacy → Privacy Tab (Figure 1.1)
3. Unlock on the bottom left corner
4. Right-Click the application in the list and choose 'Show in Finder'
  'Observe Client' path is:
  /usr/local/sbin/filewave-vnc-server
Bundle ID:
1. Install and then launch the application so that it prompts for privacy access
2. Open System Preferences → Security & Privacy → Privacy Tab (Figure 1.1)
3. Unlock on the bottom left corner
4. Right-click the application in the list and choose 'Show in Finder'
5. Right-click the application and choose 'Show Package Contents' (Figure 2.1)
6. Browse to the 'Contents' folder then open the 'Info.plist' file in a text editor
7. Look for 'CFBundleIdentifier' (Figure 2.2)
  'Observe Client' Bundle ID is:
  com.filewave.filewave-vnc-server

Code Requirement:

Knowing the path run the following command:
```
sudo codesign --display -r - /path/to/app
```

The output will look something like this:

$ sudo codesign --display -r - /usr/local/sbin/filewave-vnc-server 
Password:
Executable=/usr/local/sbin/filewave-vnc-server
designated => identifier "com.filewave.filewave-vnc-server" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "83S2TRZ3CS"

This is the information you will need for the profile:
From the above example output we can see the observer client only needs:
identifier "com.filewave.filewave-vnc-server" and anchor apple generic

Creating the Fileset:

From FileWave Admin → filesets → New desktop/mobile Fileset → Profiles
Give it a name like "Allow FileWave client Observe"
Find the 'Security & Privacy' payload on the left → Click "configure" → select the 'Privacy' tab
Hit the [ + ] to create a new consent
For 'App path' or 'Bundle ID', input the values from earlier
Click '+' to add a new macOS service to the list and specify the settings for each additional service.
1. Accessibility
2. Post System Events
For 'Code Requirement' fill in the identifier information from from the "codesign" command
It should look something like Figure 3.1
Hit 'OK' to apply the privacy options
Deploy to a test computer and verify in the privacy options of system preferences


Figure 1.1 - Security & Privacy Preferences


Figure 2.1 - Open info.plist for Bundle ID


Figure 2.2 - Find Bundle ID


Figure 3.1 - Profile

Space shortcuts

Page tree

Step-by-step guide