概要
Apple 社は macOS 10.14 Mojave (モハベ) でユーザー データのプライバシーを保護するための機能強化を導入しました。このセキュリティ強化の結果、アプリやプロセスが特定の機能を利用しようとすると、ユーザーに許可を求めるダイアログが表示されるようになりました。ユーザー操作を阻害することなく Intelligent Hub がこれまでどおり機能できるようにするには、ユーザーによって承認された MDM 加入の macOS 10.14 デバイスに対してのみ、ホワイトリスト プロファイルをインストールするという方法もあります。
注:このプロファイルはデバイスの OS をアップグレードした後にインストールしてください。アップグレード前にインストールしても、設定は適用されません。アップグレード後のデバイスに自動的にインストールされるよう、macOS 10.14 デバイスを対象とする新しいスマート グループを作成して、このプロファイルを割り当てることを推奨します。
すべてのカスタム プロファイルに当てはまることですが、他のプロファイルとの競合が生じることがないよう、展開の前にプロファイルのペイロード UUID (PayloadUUID) を固有の値に変更してください。
Intelligent Hub (以前の AirWatch Agent) 19.04 がリリース済みの最新バージョンです。macOS 10.14 用の下記のプロファイルは、このバージョンに対応しています。Intelligent Hub の将来のバージョンでこのプロファイルを変更する必要が生じた場合は、その都度お知らせします。また、Workspace ONE UEM 1902 リリースにはこのプロファイルが事前に組み込まれており、macOS 10.14 デバイスに自動的にインストールされます。この UEM バージョンを利用している場合は、お客様が各自に作成する必要はありません。
macOS 10.14 で Intelligent Hub の全機能をホワイトリストに指定する方法
macOS 10.14 で Intelligent Hub の全機能をホワイトリストに指定するための XML を以下に示します。この XML の全体をデバイス プロファイルの [カスタム設定] ペイロードに貼り付け、すでに macOS 10.14 がインストールされているすべてのデバイスに展開してください。
<dict>
<key>Services</key>
<dict>
<key>SystemPolicySysAdminFiles</key>
<array>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to access files used in system administration</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to access files used in system administration</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>path</string>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd to access files used in system administration</string>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to access all protected files</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to access all protected files</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>path</string>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd to access all protected files</string>
</dict>
</array>
<key>Accessibility</key>
<array>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>path</string>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd in Accessibility</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub in Accessibility</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent in Accessibility</string>
</dict>
</array>
<key>PostEvent</key>
<array>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>path</string>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd to send PostEvents</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to send PostEvents</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to send PostEvents</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier AWRemoteManagementDaemon and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>path</string>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/AWRemoteManagementDaemon</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow AWRemoteManagementDaemon to send PostEvents</string>
</dict>
<dict>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier AWRemoteTunnelAgent and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>IdentifierType</key>
<string>path</string>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/AWRemoteTunnelAgent</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow AWRemoteTunnelAgent to send PostEvents</string>
</dict>
</array>
<key>AppleEvents</key>
<array>
<dict>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to send AppleEvents to Finder.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systempreferences</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systempreferences" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to send AppleEvents to System Preferences.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to send AppleEvents to System Events.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.mail</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.mail" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to send AppleEvents to Mail.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.airwatch.mac.agent</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.airwatch.mac.agent" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.microsoft.Outlook</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow VMware AirWatch Agent to send AppleEvents to Microsoft Outlook.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>AEReceiverIdentifier</key>
<string>com.microsoft.Outlook</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to send AppleEvents to Microsoft Outlook.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to send AppleEvents to Finder.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systempreferences</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systempreferences" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to send AppleEvents to System Preferences.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>com.vmware.hub.mac</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>CodeRequirement</key>
<string>identifier "com.vmware.hub.mac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow Workspace ONE Intelligent Hub to send AppleEvents to System Events.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>IdentifierType</key>
<string>path</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.finder</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.finder" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd to send AppleEvents to Finder.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>IdentifierType</key>
<string>path</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.microsoft.Outlook</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd to send AppleEvents to Microsoft Outlook.app</string>
</dict>
<dict>
<key>Identifier</key>
<string>/Library/Application Support/AirWatch/airwatchd</string>
<key>IdentifierType</key>
<string>path</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier airwatchd and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = S2ZMFGQM93)</string>
<key>AEReceiverIdentifier</key>
<string>com.apple.systemevents</string>
<key>AEReceiverIdentifierType</key>
<string>bundleID</string>
<key>AEReceiverCodeRequirement</key>
<string>identifier "com.apple.systemevents" and anchor apple</string>
<key>Allowed</key>
<true/>
<key>Comment</key>
<string>Allow airwatchd to send AppleEvents to System Events.app</string>
</dict>
</array>
</dict>
<key>PayloadDescription</key>
<string>Desc: TCC Payload</string>
<key>PayloadDisplayName</key>
<string>Name: TCC Payload</string>
<key>PayloadIdentifier</key>
<string>test.mdm.tcc.SystemPolicySysAdminFiles.1</string>
<key>PayloadOrganization</key>
<string>My Great Company</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadUUID</key>
<string>0D4540F5-35EC-45B8-9F11-46F6CA7721ED</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
Other Languages: English
免責事項:これは英文の記事「Custom XML to Whitelist Workspace ONE Intelligent Hub for macOS 10.14 Mojave」の日本語訳です。記事はベストエフォートで翻訳を進めているため、ローカライズ化コンテンツは最新情報ではない可能性があります。最新情報は英語版の記事で参照してください。
2 Comments