Dual TeamID in a PPPC predicate

Code Signing Entitlements
Jtasoftware OP
Created Oct ’23
Replies 2
Boosts 0
Views 662
Participants 2

Hi,

I'm looking for a way to allow two TeamID in a PPPC predicate. When an app move from one company to another (different TeamIDs) PPPC configuration profiles need to cover the transition period.

However those profiles do not allow duplicated path-based entries. Then the binary /usr/bin/local/sample can have only one PPPC payload for full disk access authorizations.

To solve this problem I'd like to use an OR operator in the predicate, such as:

identifier Sample and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and (certificate leaf[subject.OU] = TEAMID001 or certificate leaf[subject.OU] = TEAMID002)

But I cannot find any documented information about the supported syntax.

Does anybody already did this before ?

Replies  2
Boosts  0
Views  662
Participants  2
DTS Engineer OP
Apple
Oct ’23

I’ve no idea what “PPPC” means in “PPPC predicate” but the predicate you posted looks like a code signing requirement. TN3127 Inside Code Signing: Requirements discusses those in general and has links to the official code signing language docs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Jtasoftware OP
Oct ’23

Sorry, PPPC stands for Privacy Préférences Policy Control in some MDM. In MDM protocol this is the TCC payload.

According to the doc your provided it seems to be possible. I’ll try this.

0
Dual TeamID in a PPPC predicate
First post date Last post date
 
 
Q