MacOS 10.15 Upgrade

Looks like some of my users are starting to upgrade their Mac to 10.15 and it is breaking Simple-Help. Will 5.2 address this? Any timeline? Will I have to physically visit their machines or ask them to do stuff to upgrade the agent? What is the timeline for this being fixed?

1 Like

I was running into this today myself. The technician won’t run either.

If you delete ~/Library/Application Support/JWrapper-Remote Support from the client machine, then SimpleHelp should start working again. At least, that’s what I’ve had to do to get any sessions working in some 10.14.x and 10.15.

We had several clients upgrade (unfortunately) also.

We just needed to have them:

  • Go into “system preferences”, and then “security & privacy”
  • Go into the “privacy” tab
  • Then for “Accessibility”, “Full Disk Access”, and “Screen Recording” on the left hand side they will need to put a checkmark next to “Remote Access”
  • Some of the things will say that it won’t take effect until the program is quit, and it will provide a dialog box to quit remote access, do that.

You should now be able to remote control again

There are some pictures that will show you what I’m talking about here (but it’s for teamviewer):

Good Luck!

Thanks for this RoT.

It would seem that Mac is moving towards having their computers behave like our phones in that they are compelling users to approve all permissions for all apps.

At any rate, I used your recommended steps to compile a KB article for our users. I tried to keep everything pretty generic in the article, but of course our branding is in the Knowledge Base itself. At any rate, if it is of help to anyone, feel free to refer your users to the article for enabling remote support:

http://www.trailblz.com/kb/?action=view&kb=1383&cat=0&qq=enable

1 Like

Windows was heading that way too with things like microphone permissions.

I understand the reasoning: to protect users from their greatest threat.

I was initially concerned that this would make things interesting for those of us using these means for customer support. I expected more push back. Thus far, however, our users are enabling these things as casually and quickly as if they were signing a 30 page EULA, they had no interest in reading. Therefore, I suppose it would seem that it is ultimately only delaying the process.

1 Like

Use this:

Create your TCCs or PPPCs whatever you want to call it and then push it from Munki or JAMF to allow SimpleHelp access. Quite simple really. Upgrades went smoothly for me with these config profiles in place.

What are TCC, PPPC, Munki, and JAMF? More importantly, how to I update these configurations remotely when I am unable to remotely able to access the computer? Or, are these settings we update on the SimpleHelp server?

Jared, I tried your suggestion and it seemed to work in Mojave but on Catalina the PPPC-Utility doesn’t seem to generate the ability to grant access to screen capture. I am not using JamF enterprise but I am using the JamF school edition and I have to manually copy and paste the strings and for the string that is generated for screen-share it does not work. Did you have to do anything special with this?

Ah well that’s part of the thing that I didn’t try - I don’t use screen recording. I guess I can attempt that next time. You’ll need to find out what SH is attempting to use to grab the screen for recording purposes.

All other aspects (RDP, file grabs, analysis metrics, etc.) seem to work well.

TCC = Transparency, Consent, and Control
PPPC = Privacy Preferences Policy Control

Munki and JAMF are two of the leading Mac Management platforms available - of which makes deploying these config profiles extremely easy.

You may need to apply these configurations manually on the machine if you do not use a management platform. Preferably apply them BEFORE you upgrade to Catalina

If you are unable to remotely access the machine, then you will need to “touch” it anyways.

To be clear pushing PPPC profiles requires a user-approved MDM. Jamf is one, munki is not. I’d recommend Mosyle Business if you don’t have one in place.

Regardless Apple has made Screen Recording TCC a deny only policy. There is NO WAY to programmatically enable screen recording TCC’s. Period. Full Stop. I’ve spent way too much time on this.

UAMDM can push a profile to enable ARD. You could then Use Simple Help to tunnel to the client and ARD/ScreenSharing to access the computer.

Good luck

Thanks Peet for the info. I meant to put out something like “SimpleMDM” or Cisco’s “Systems Manager”. Haven’t played with Mosyle - but I do know that if you’re a mac fleet, JAMF focuses solely on that and is the best at managing them.

Apple is supposed to be releasing more profile preferences for screen recording later in Catalina. Currently things like the mic and camera will only allow a “Deny” option until Apple releases other functionality in the future.

If you’re managing macOS in any way, you really need an MDM and better yet Apple Business Manager tied to an MDM.

Apple’s MDM spec for microphone, camera and screen recording is a conscious choice. “Deny” only for microphone, camera and screen recording is exactly what they want. To Apple, those are choices that require a human to approve regardless of any other management in place.

I long ago gave up on thinking Apple should make decisions that make sense to me as administrator/business owner/Mac user. It’s their party and their rules. That said having screen recording as a Deny only is just so much security theater. User Approved MDM’s can issue a command to enable ARD on the Mac and you can happily view the screen without a physical click by a human. I was and still am irk’d by this, but it is what it is.

As for Casper … I mean JAMF … I’d run munki with a solid MDM like Mosyle any day. It’s just much more nimble and costs a whopping $12/yr/computer and MUUUUUUUUUCH less for edu.

Cheers.Peet

1 Like