PPPC & TeamViewer 15 Changes for Mac

TL;DR

The TeamViewer_Desktop code signature has changed as of version 15.0.8397 in both TeamViewer and TeamViewer Host. As of version 15.1.3937, the path to this binary has also changed. If you use MDM to manage PPPC allowances, these will need to be updated for both apps. The old and new values are listed below:

  • Old Path: /Applications/TeamViewer.app/Contents/Helpers/TeamViewer_Desktop
  • New Path: /Applications/TeamViewer.app/Contents/MacOS/TeamViewer_Desktop
  • Old Signature: anchor apple generic and identifier "$(PRODUCT_BUNDLE_IDENTIFIER)" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)
  • New Signature: anchor apple generic and identifier "com.teamviewer.Desktop" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

More Info:

Back in October, I observed something strange with TeamViewer 14 (and TeamViewer Host). As a result of macOS security changes with Privacy Preferences Policy Control (PPPC), TeamViewer had added a new binary – TeamViewer_Desktop – in order to allow remote control. This binary lived in the app, and TeamViewer’s documentation indicates it cannot be added manually. To allow this access across our fleet, we had to add the path of this binary as well as its code signature to our MDM. However, running codesign -dr- on the binary revealed the following signature:

anchor apple generic and identifier "$(PRODUCT_BUNDLE_IDENTIFIER)" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

Normally, code signatures include a unique bundle identifier for the app / binary with the signature. For example, the TeamViewer app code signature starts with anchor apple generic and identifier "com.teamviewer.TeamViewer" where com.teamviewer.TeamViewer is the bundle id.

For the TeamViewer_Desktop binary, the identifier is "$(PRODUCT_BUNDLE_IDENTIFIER)" … which looks a lot like a script variable. After speaking with TeamViewer support, we were able to confirm that this was an error in their build process, where the actual bundle identifier should have been entered. This error exists in all 14.X versions of TeamViewer and TeamViewer Host.

As of the TeamViewer 15.0.8939 release, this error has finally been addressed:

anchor apple generic and identifier "com.teamviewer.Desktop" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

And as of version 15.1.3937, the location of the binary has changed as well. As a result, if you are defining the binary path in your MDM, both the code signature and the path must be updated. In case you missed it in the TL;DR section:

  • Old Path: /Applications/TeamViewer.app/Contents/Helpers/TeamViewer_Desktop
  • New Path: /Applications/TeamViewer.app/Contents/MacOS/TeamViewer_Desktop
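
To check an existing profile for rules that still carry the old values, here is an added example (not code from this post or from TeamViewer): a Python audit that parses a PPPC payload and flags TeamViewer_Desktop rules using the old Helpers path or the unexpanded identifier. The sample profile is constructed, and placing the rules under the Accessibility service is an assumption of the example.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
OLD_SUFFIX = "/Contents/Helpers/TeamViewer_Desktop"   # location before 15.1.3937
PLACEHOLDER = '"$(PRODUCT_BUNDLE_IDENTIFIER)"'        # unexpanded identifier in 14.x
FIXED_ID = '"com.teamviewer.Desktop"'                 # identifier in 15.x

def audit_pppc(profile_bytes):
    """Return (service, identifier, problem) for each stale TeamViewer_Desktop rule."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for service, rules in payload.get("Services", {}).items():
            for rule in rules:
                ident = rule.get("Identifier", "")
                req = rule.get("CodeRequirement", "")
                if rule.get("IdentifierType") != "path" or not ident.endswith("/TeamViewer_Desktop"):
                    continue
                if ident.endswith(OLD_SUFFIX):
                    findings.append((service, ident, "old Helpers path"))
                if PLACEHOLDER in req:
                    findings.append((service, ident, "placeholder identifier"))
                elif FIXED_ID not in req:
                    findings.append((service, ident, "unexpected identifier"))
    return findings

# Constructed sample profile (not a real export): one pre-15 rule, one updated rule.
# Placing the rules under the Accessibility service is an assumption of this example.
CERT_CHAIN = (' and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
              'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
              'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
              'certificate leaf[subject.OU] = H7UGFBUGV6)')

def make_rule(path, ident):
    return {"Identifier": path, "IdentifierType": "path", "Allowed": True,
            "CodeRequirement": "anchor apple generic and identifier " + ident + CERT_CHAIN}

SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": PPPC_TYPE,
    "Services": {"Accessibility": [
        make_rule("/Applications/TeamViewer.app/Contents/Helpers/TeamViewer_Desktop", PLACEHOLDER),
        make_rule("/Applications/TeamViewer.app/Contents/MacOS/TeamViewer_Desktop", FIXED_ID),
    ]}}]})

if __name__ == "__main__":
    for finding in audit_pppc(SAMPLE):
        print(*finding, sep=" | ")
```

Pass the bytes of an exported .mobileconfig file to audit_pppc to run the same check against your own profile.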
