Peter Thorn

I have also used several of @Christian Glattfelders custom fields, located here https://github.com/cglattfelder/fw-scripts

Thanks @AnEngelsen for sharing all your custom fields scripts! Some very useful ones!

Thanks @Pierre-Nicolas for clearing that up.

I will try it out.

Cheers,

Peter

I am trying to check if an application (forticlient) is installed via the Requirement script below. I would like to use exit code - 220, as there is no need for the fileset to try again and again if it has failed (as I read it would be if I use exit -1.

However, it doesn't seem to work - it tries to install no matter. I have tried using both "exit - 220" (as I read the description says) and "exit -220".

Am I using it wrong?

Thanks,

Peter

#!/bin/bash

# For all script types, returning an exit code of 0 (success) means the

# script execution completed successfully.

#

# Requirements scripts can have the following exit codes that

# influence how the Client will handle the Fileset:

#

# - 210: This exit code will cause the Fileset to be treated like the

# installation was successful (unless another requirements script fails,)

# but the Fileset will not be downloaded nor installed.

#

# - 220: This exit code will prevent the installation and cause the client to

# stop retrying unless a manual action is made (verify, reinstall, etc.)

# or the Fileset is updated.

#

# Returning any other exit code but 0 (e.g. 1 or -1) will be reported as a

# "Requirements Failure: Script" in the Client Info window and Fileset Report.

# This will also prevent the contents of the Fileset from downloading and

# installing. In this case, requirements scripts will be executed every 2

# minutes and the Fileset will be installed when they all return 0.

#

# For other types of scripts, any non-zero exit code (e.g. 1 or -1) will cause the

# Fileset installation to fail and a script failure to be reported.

#

# If the script finishes without returning an exit code, the exit code 0

# (success) is assumed by default.

#

# Add the contents of your script below:


# check if forticlient is installed. If yes, skip and exit to -220 so it doesn't try again

FILPLACERING=/Applications/FortiClient.app

if test -f "$FILPLACERING"; then

# do nothing and exit -220

exit -220

else

# forticlient is not installed so proceed

exit 0


fi

20 hours ago, Pierre-Nicolas said:

As far as I know, there is a disconnect between Preferences / Security & Privacy and the profile itself.

I tried on macOS Ventura - deploying a terminal app (Alacritty) and a TCC profile to grant full disk access.

While the profile / management details confirms the value is accepted:

But Preferences say differently:

Doing this, the terminal app I deployed could access all folders (tried as well with Desktop), which I could not before I sent the profile.

So I would not rely on Preferences / Privacy and Security pane, only on Profile details.

 

Thanks @Pierre-Nicolas This replicate my experience. I haven't been able to find documentation that supports it, but your explanation makes absolutely sense (because other apps that I have allowed full disk access seems to get it even though they doesn't look like that in Privacy & Security, as your screenshot also shows).

I guess I have to try and reach out to Trend support again.

On 10/21/2022 at 6:22 PM, Josh Levitsky said:

While I don't know that I have an answer (and perhaps another customer will) I did see this https://success.trendmicro.com/dcx/s/solution/000277823?language=en_US and was wondering if the profiles published there are helpful. They also show FileWave specific info. I didn't get to dig in to this but was hoping maybe that would be helpful. It's also important to make sure the profile hits the device before the software does or likely you'll get prompted still since Apple devices like these profiles to be present before the app launches. 

Thank you, @Josh Levitsky. The Trend site (including the one you're referring to) is unfortunately not complete, in my experience. What they write is almost covering the standard Trend Micro installation (I have another giant profile for that...) but when you have to enable XDR (their basecamp pkg) information is missing. I also have a preflight requirement script to check if the profile is installed. But thank you for giving it a shot

Hi

I am deploying a profile for Trend Micro, allowing some parts full disk access (via the Security & Privacy profile payload).

The profile is the attached. As seen on example 2, the profile is loaded (tilladt means allowed in Danish)

But as seen on example 1 the application/extension is in the list, but the checkbox is not checked.

And Trend Micro prompts the user for allowing access manually.

So: is it normal behaviour that the application/extension is in the list but checkbox not checked, if it has been assigned full disk access via the profile, or have I made a mistake somewhere?

Thanks,

Peter

PS. This is also an issue/a question regarding other apps, not only Trend. I am just in doubt how it should work in general, as I seem to get mixed results, and this time it annoys me too much

Trend Full disk rettigheder.mobileconfig

Hi Raj

We use dockutil (https://github.com/kcrawford/dockutil/releases) with json files. 

It works fine. We tried out the Dock MDM payload but had some problems.

Cheers,

Peter