Custom XML to Whitelist VMware AirWatch Agent for macOS 10.14 Mojave

Overview

In macOS 10.14 Mojave, Apple has introduced enhancements for user data protection and privacy. Because of this security enhancement, apps and processes may now trigger dialogs asking the end user to allow or disallow functionality. To keep Agent functionality working without disrupting the end user, a whitelisting profile may be installed, but only on macOS 10.14 devices that are User Approved MDM enrolled.

Note: This profile must not be installed on devices until after they upgrade, or the settings will not apply. We recommend creating a new Smart Group for macOS 10.14 devices and assigning this profile to it, so that devices pick up the profile automatically on upgrade.

As with all custom profiles, before deploying you must change the PayloadUUID to a unique value to reduce the chance of collisions with other profiles.

Please note that AirWatch Agent 3.1.1 is the latest released version and is compatible with macOS 10.14 alongside this profile. If future versions of the Agent require updates to this profile, we will publish them accordingly. Furthermore, the next version of the UEM Console will seed this profile automatically, so you will not have to create it; look for this in upcoming release notes.


How to whitelist all AirWatch Agent functionality in macOS 10.14

Below is the XML to whitelist all AirWatch Agent functionality in macOS 10.14. Paste the entire XML into a Device-scope Custom Settings profile and deploy it to all devices already on 10.14.


<dict>
    <key>Services</key>
    <dict>
        <key>SystemPolicySysAdminFiles</key>
        <array>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to access files used in system administration</string>
            </dict>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to access files used in system administration</string>
            </dict>
        </array>
        <key>SystemPolicyAllFiles</key>
        <array>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to access all protected files</string>
            </dict>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to access all protected files</string>
            </dict>
        </array>
        <key>Accessibility</key>
        <array>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd in Accessibility</string>
            </dict>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent in Accessibility</string>
            </dict>
        </array>
        <key>PostEvent</key>
        <array>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to send PostEvents</string>
            </dict>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send PostEvents</string>
            </dict>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier AWRemoteManagementDaemon and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/AWRemoteManagementDaemon</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow AWRemoteManagementDaemon to send PostEvents</string>
            </dict>
            <dict>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier AWRemoteTunnelAgent and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/AWRemoteTunnelAgent</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow AWRemoteTunnelAgent to send PostEvents</string>
            </dict>
        </array>
        <key>AppleEvents</key>
        <array>
            <dict>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.finder</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.finder" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send AppleEvents to Finder.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.systemuiserver</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.systemuiserver" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send AppleEvents to SystemUIServer.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.systempreferences</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.systempreferences" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send AppleEvents to System Preferences.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.systemevents</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.systemevents" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send AppleEvents to System Events.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.mail</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.mail" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send AppleEvents to Mail.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>com.airwatch.mac.agent</string>
                <key>IdentifierType</key>
                <string>bundleID</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.microsoft.Outlook</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow VMware AirWatch Agent to send AppleEvents to Microsoft Outlook.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.finder</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.finder" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to send AppleEvents to Finder.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.systemuiserver</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.systemuiserver" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to send AppleEvents to SystemUIServer.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.microsoft.Outlook</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to send AppleEvents to Microsoft Outlook.app</string>
            </dict>
            <dict>
                <key>Identifier</key>
                <string>/Library/Application Support/AirWatch/airwatchd</string>
                <key>IdentifierType</key>
                <string>path</string>
                <key>CodeRequirement</key>
                <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
                <key>AEReceiverIdentifier</key>
                <string>com.apple.systemevents</string>
                <key>AEReceiverIdentifierType</key>
                <string>bundleID</string>
                <key>AEReceiverCodeRequirement</key>
                <string>identifier "com.apple.systemevents" and anchor apple</string>
                <key>Allowed</key>
                <true/>
                <key>Comment</key>
                <string>Allow airwatchd to send AppleEvents to System Events.app</string>
            </dict>
        </array>
    </dict>
    <key>PayloadDescription</key>
    <string>TCC Payload for AirWatch Agent</string>
    <key>PayloadDisplayName</key>
    <string>TCC Payload for AirWatch Agent</string>
    <key>PayloadIdentifier</key>
    <string>com.vmware.agent.tcc</string>
    <key>PayloadOrganization</key>
    <string>VMware</string>
    <key>PayloadType</key>
    <string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key>
    <string>0D4540F5-35EC-45B8-9F11-XXXXXXXXXXXX</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
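A pre-deployment check for a TCC payload of this shape, added here as an example and not part of the original article or of the AirWatch product: it parses the payload with Python's plistlib, confirms that each Services entry's CodeRequirement names the same program as its Identifier (the bundle ID for a bundleID entry, the executable name for a path entry), that every AppleEvents entry carries all three AEReceiver keys, and that the placeholder PayloadUUID has been replaced with a real one before deployment. The sample payload is constructed from two entries in the shape of the profile above; the AEReceiverCodeRequirement is omitted on purpose so the check has something to report.

```python
import plistlib
import re
import uuid
from pathlib import PurePosixPath

# Constructed sample shaped like the profile above: placeholder PayloadUUID left in,
# AEReceiverCodeRequirement deliberately omitted so the check below fires.
SAMPLE_PAYLOAD = b"""<plist version="1.0"><dict>
  <key>Services</key><dict>
    <key>SystemPolicyAllFiles</key>
    <array><dict>
      <key>CodeRequirement</key>
      <string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
      <key>IdentifierType</key><string>path</string>
      <key>Identifier</key><string>/Library/Application Support/AirWatch/airwatchd</string>
      <key>Allowed</key><true/>
    </dict></array>
    <key>AppleEvents</key>
    <array><dict>
      <key>Identifier</key><string>com.airwatch.mac.agent</string>
      <key>IdentifierType</key><string>bundleID</string>
      <key>CodeRequirement</key>
      <string>anchor apple generic and identifier "com.airwatch.mac.agent" and certificate leaf[subject.OU] = S2ZMFGQM93</string>
      <key>AEReceiverIdentifier</key><string>com.apple.finder</string>
      <key>AEReceiverIdentifierType</key><string>bundleID</string>
      <key>Allowed</key><true/>
    </dict></array>
  </dict>
  <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
  <key>PayloadUUID</key><string>0D4540F5-35EC-45B8-9F11-XXXXXXXXXXXX</string>
</dict></plist>"""

UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.I)
IDENT_RE = re.compile(r'\bidentifier\s+(?:"([^"]+)"|(\S+))')   # the `identifier` clause
AE_KEYS = ("AEReceiverIdentifier", "AEReceiverIdentifierType", "AEReceiverCodeRequirement")

def requirement_identifier(req):
    """Identifier named by the `identifier` clause of a code requirement, or None."""
    m = IDENT_RE.search(req)
    return (m.group(1) or m.group(2)) if m else None

def check_entry(service, entry):
    """Problems with one Services entry (an empty list means it passes)."""
    ident, kind = entry.get("Identifier", ""), entry.get("IdentifierType")
    problems = []
    if entry.get("Allowed") is not True:
        problems.append(f"{service}/{ident}: Allowed is not <true/>, entry would not whitelist")
    # Requirement must name the bundle ID (bundleID entry) or the executable name (path entry).
    expected = PurePosixPath(ident).name if kind == "path" else ident
    if kind not in ("bundleID", "path") or requirement_identifier(entry.get("CodeRequirement", "")) != expected:
        problems.append(f"{service}/{ident}: CodeRequirement does not match Identifier/IdentifierType")
    if service == "AppleEvents":   # sender AND receiver must be fully specified
        problems += [f"{service}/{ident}: missing {k}" for k in AE_KEYS if k not in entry]
    return problems

def check_payload(xml_bytes):
    """Validate a TCC payload; returns the list of problems to fix before deploying."""
    payload = plistlib.loads(xml_bytes)
    problems = []
    if not UUID_RE.match(payload.get("PayloadUUID", "")):
        problems.append("PayloadUUID is not a unique UUID; replace the placeholder before deploying")
    for service, entries in payload.get("Services", {}).items():
        for entry in entries:
            problems += check_entry(service, entry)
    return problems

def with_fresh_uuid(xml_bytes):
    """Re-serialise the payload with a newly generated PayloadUUID."""
    payload = plistlib.loads(xml_bytes)
    payload["PayloadUUID"] = str(uuid.uuid4()).upper()
    return plistlib.dumps(payload)
```

Running `check_payload(with_fresh_uuid(SAMPLE_PAYLOAD))` clears the UUID finding and leaves only the missing AEReceiverCodeRequirement, which is what a reviewer would want flagged before the profile reaches a Smart Group.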
