Dual TeamID in a PPPC predicate

Hi,

I'm looking for a way to allow two TeamID in a PPPC predicate. When an app move from one company to another (different TeamIDs) PPPC configuration profiles need to cover the transition period.

However those profiles do not allow duplicated path-based entries. Then the binary /usr/bin/local/sample can have only one PPPC payload for full disk access authorizations.

To solve this problem I'd like to use an OR operator in the predicate, such as:

identifier Sample and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and (certificate leaf[subject.OU] = TEAMID001 or certificate leaf[subject.OU] = TEAMID002)

But I cannot find any documented information about the supported syntax.

Does anybody already did this before ?

Up vote post of Jtasoftware Down vote post of Jtasoftware
433 views
Posted by
Jtasoftware
Reply
Add a Comment

Replies

I’ve no idea what “PPPC” means in “PPPC predicate” but the predicate you posted looks like a code signing requirement. TN3127 Inside Code Signing: Requirements discusses those in general and has links to the official code signing language docs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Sorry, PPPC stands for Privacy Préférences Policy Control in some MDM. In MDM protocol this is the TCC payload.

According to the doc your provided it seems to be possible. I’ll try this.

Posted by
Jtasoftware
Up vote reply of Jtasoftware Down vote reply of Jtasoftware

  • Good luck!

    eskimo
Add a Comment