Permission (MDM)
Overview
This page describes the macOS system permissions required by the IBI-aws Client for macOS to operate correctly.
Purpose of pre-assigning permissions
By distributing permissions via MDM, it is ensured that:
No user interaction is required
The initial setup can be skipped (in combination with the Defaults)
Used payload
The payload is uniquely identified and intended exclusively for the IBI-aws Client for macOS.
PayloadIdentifier: ibi.aws.client.mdm.tcc
PayloadDisplayName: IBI-aws Client – Permissions
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadIdentifier</key>
<string>ibi.aws.client.mdm.tcc</string>
<key>PayloadDisplayName</key>
<string>IBI-aws Client - Permissions</string>
Configured services
Accessibility
Configuration:
Identifier: ibi.aws.client
IdentifierType: bundleID
Access: Allowed
The permission is explicitly bound to the signed application and secured via a CodeRequirement.
<key>Accessibility</key>
<array>
  <dict>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>Identifier</key>
    <string>ibi.aws.client</string>
    <key>CodeRequirement</key>
    <string>identifier "ibi.aws.client" and anchor apple generic and certificate leaf[subject.OU] = "B7QQ66KZ4Y"</string>
    <key>Allowed</key>
    <true/>
  </dict>
</array>
Automation (AppleEvents)
Currently, the following target applications are supported:
Safari
AEReceiverIdentifier: com.apple.Safari
Access: Allowed
Google Chrome
AEReceiverIdentifier: com.google.Chrome
Access: Allowed
The permission for Google Chrome can be granted independently of an installed Chrome version. If Google Chrome is not installed, the entry remains inactive and does not cause any errors.
<key>AppleEvents</key>
<array>
  <!-- Safari Automation -->
  <dict>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>Identifier</key>
    <string>ibi.aws.client</string>
    <key>CodeRequirement</key>
    <string>identifier "ibi.aws.client" and anchor apple generic and certificate leaf[subject.OU] = "B7QQ66KZ4Y"</string>
    <key>AEReceiverIdentifierType</key>
    <string>bundleID</string>
    <key>AEReceiverIdentifier</key>
    <string>com.apple.Safari</string>
    <key>AEReceiverCodeRequirement</key>
    <string>identifier "com.apple.Safari" and anchor apple</string>
    <key>Allowed</key>
    <true/>
  </dict>
  <!-- Google Chrome Automation -->
  <dict>
    <key>IdentifierType</key>
    <string>bundleID</string>
    <key>Identifier</key>
    <string>ibi.aws.client</string>
    <key>CodeRequirement</key>
    <string>identifier "ibi.aws.client" and anchor apple generic and certificate leaf[subject.OU] = "B7QQ66KZ4Y"</string>
    <key>AEReceiverIdentifierType</key>
    <string>bundleID</string>
    <key>AEReceiverIdentifier</key>
    <string>com.google.Chrome</string>
    <key>AEReceiverCodeRequirement</key>
    <string>identifier "com.google.Chrome" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = EQHXZ8M8AV</string>
    <key>Allowed</key>
    <true/>
  </dict>
</array>
Security and signing
All permissions are additionally secured via CodeRequirement entries. This ensures that only the correctly signed application with the bundle ID ibi.aws.client (signed under team OU B7QQ66KZ4Y) can use the permissions.
This prevents other applications that merely claim the same bundle ID from accessing the configured services.
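As an added example (not part of the IBI-aws documentation or client), the following Python audit reads a TCC payload and flags any entry that does not carry the signing binding described above: a missing or unanchored CodeRequirement, a grant to a different bundle ID, an entry that is not Allowed, or an AppleEvents entry whose receiving application is not pinned. It assumes the standard Services dictionary wrapper of the com.apple.TCC.configuration-profile-policy payload; the sample payload is constructed here and its Chrome entry deliberately omits the receiver requirement.

```python
import plistlib

EXPECTED_BUNDLE_ID = "ibi.aws.client"  # bundle ID from the page
EXPECTED_TEAM_OU = "B7QQ66KZ4Y"         # team OU pinned in the page's CodeRequirement
CODE_REQ = f'identifier "{EXPECTED_BUNDLE_ID}" and anchor apple generic and certificate leaf[subject.OU] = "{EXPECTED_TEAM_OU}"'

def check_requirement(req: str, ident: str, label: str) -> list[str]:
    """A csreq string must exist, name the identifier and be anchored to Apple's CA."""
    if not req:
        return [f"{label}: no code requirement for {ident!r}, grant is bound to a bundle ID only"]
    problems = []
    if f'identifier "{ident}"' not in req:
        problems.append(f"{label}: code requirement does not name identifier {ident!r}")
    if "anchor apple" not in req:
        problems.append(f"{label}: code requirement is not anchored to an Apple certificate chain")
    return problems

def audit_tcc_payload(payload: dict) -> list[str]:
    """Return findings for one com.apple.TCC.configuration-profile-policy payload."""
    findings = []
    for service, entries in payload.get("Services", {}).items():
        for i, e in enumerate(entries):
            label, ident, req = f"{service}[{i}]", e.get("Identifier", ""), e.get("CodeRequirement", "")
            if e.get("IdentifierType") != "bundleID" or ident != EXPECTED_BUNDLE_ID:
                findings.append(f"{label}: grants {ident!r}, expected bundleID {EXPECTED_BUNDLE_ID!r}")
            findings += check_requirement(req, ident, label)
            if req and EXPECTED_TEAM_OU not in req:
                findings.append(f"{label}: CodeRequirement does not pin team OU {EXPECTED_TEAM_OU}")
            if e.get("Allowed") is not True:
                findings.append(f"{label}: Allowed is not true, the client's startup check would still fire")
            if service == "AppleEvents":  # automation grants must also pin the receiving app
                findings += check_requirement(e.get("AEReceiverCodeRequirement", ""),
                                              e.get("AEReceiverIdentifier", ""), f"{label} receiver")
    return findings

def audit_mobileconfig(path: str) -> list[str]:
    """Audit every TCC payload inside an exported .mobileconfig (its PayloadContent array)."""
    with open(path, "rb") as fh:
        profile = plistlib.load(fh)
    return [f for p in profile.get("PayloadContent", []) for f in audit_tcc_payload(p)]
# Constructed sample modelled on the page's entries; the Chrome entry deliberately omits
# AEReceiverCodeRequirement so the audit has something to flag.
SAMPLE_PAYLOAD = {
    "PayloadType": "com.apple.TCC.configuration-profile-policy",
    "Services": {
        "Accessibility": [{"IdentifierType": "bundleID", "Identifier": EXPECTED_BUNDLE_ID,
                           "CodeRequirement": CODE_REQ, "Allowed": True}],
        "AppleEvents": [{"IdentifierType": "bundleID", "Identifier": EXPECTED_BUNDLE_ID,
                         "CodeRequirement": CODE_REQ, "AEReceiverIdentifierType": "bundleID",
                         "AEReceiverIdentifier": "com.google.Chrome", "Allowed": True}]}}
```

Run audit_mobileconfig against the exported profile before pushing it; an empty list means every entry is bound to the signed client and to a pinned receiver.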
Interaction with Defaults
The permissions are directly related to the following Defaults:
SkipAccessibilityPermissionCheckAtStartup
SkipAutomationPermissionCheckAtStartup
If the corresponding permissions are distributed via MDM, these Defaults can be set to true, thereby skipping these checks during setup.
The distribution of permissions is carried out exclusively via MDM.
No subsequent manual adjustment by users is intended.