Sign macOS app

  • Completed

In order to deploy macOS privacy preferences policy via MDM/DEP, the macOS app in Mojave that needs exceptions must be signed. Otherwise, a user has to create exceptions to allow remote control via ConnectWise Control, which isn't ideal. I don't want to have to sign your app to get the payload pushed out to create the exceptions from our management software. If you signed your apps like other developers, this would be much easier for all users, like those of the Addigy and JAMF communities. 

Duplicates 1
Please Implement code signing for macOS PKG installers.

This has been an issue for some time and it is getting worse with the latest release of macOS Mojave. https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients


Security requirements are increasing and there may come a point where we cannot use ScreenConnect to manage/support Macs. If that happens, it will force us to abandon ScreenConnect for managing Macs, which means less revenue for you. Since you have a cert in use for the Windows EXE, why not sign the PKG files for Macs with the same cert? Can someone in business development review this and get an internal count of how many hundreds or thousands or tens of thousands of machines are currently under Control? It's likely a big impact.

Thanks for your time and consideration.

0
Caitlin M Barnes Team Member
  • Under Review
1
Alex Hart

I just did a fresh install of 6.9.20424.6863 and tried to set up a Privacy Preferences Policy Control whitelist payload, but the /opt/screenconnect-XXXXXXXXXX.app is still coming back as not signed. Here's what I'm seeing:

$ codesign -dv /opt/screenconnect-XXXXXXXXXX.app/
/opt/screenconnect-XXXXXXXXXX.app/: code object is not signed at all

vs:

$ codesign -dv /Applications/iTerm.app
Executable=/Applications/iTerm.app/Contents/MacOS/iTerm2
Identifier=com.googlecode.iterm2
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=79381 flags=0x0(none) hashes=2473+5 location=embedded
Signature size=4620
Signed Time=Nov 11, 2018 at 2:49:13 PM
Info.plist entries=47
TeamIdentifier=H7V7XYVQ7D
Sealed Resources version=2 rules=13 files=153
Internal requirements count=1 size=216
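
The check shown in the post above can be scripted across a fleet. This is an added example, not part of the original thread and not ConnectWise code: it classifies `codesign -dv` output as unsigned, ad hoc signed, or signed with an identifier and team. The function names and the ad hoc sample are assumptions made for illustration; the other two samples are the outputs quoted in the post, trimmed.

```shell
#!/bin/sh
# Added example: triage `codesign -dv` output before writing a PPPC payload.

# Reads `codesign -dv` output on stdin and prints one verdict line:
#   unsigned | adhoc <identifier> | signed <identifier> <team> | unknown
classify_codesign() {
    awk '
        /code object is not signed at all/ { unsigned = 1 }
        /^Identifier=/     { sub(/^Identifier=/, "");     id = $0 }
        /^TeamIdentifier=/ { sub(/^TeamIdentifier=/, ""); team = $0 }
        /^Signature=adhoc/ { adhoc = 1 }   # ad hoc: signed without an identity
        END {
            if (team == "" || team == "not set") team = "-"
            if (unsigned)       print "unsigned"
            else if (id == "")  print "unknown"   # not codesign output at all
            else if (adhoc)     print "adhoc " id
            else                print "signed " id " " team
        }'
}

# On a Mac: codesign writes its -dv details to stderr, so merge it into the pipe.
check_app() { codesign -dv "$1" 2>&1 | classify_codesign; }

# Output quoted in the post for the unsigned agent.
sample_unsigned() {
cat <<'EOF'
/opt/screenconnect-XXXXXXXXXX.app/: code object is not signed at all
EOF
}

# Output quoted in the post for a signed app (relevant lines only).
sample_signed() {
cat <<'EOF'
Executable=/Applications/iTerm.app/Contents/MacOS/iTerm2
Identifier=com.googlecode.iterm2
TeamIdentifier=H7V7XYVQ7D
EOF
}

# Constructed sample: what an ad hoc signature looks like.
sample_adhoc() {
cat <<'EOF'
Identifier=com.example.tool
Signature=adhoc
TeamIdentifier=not set
EOF
}
```

For a bundle that comes back `signed`, `codesign -dr - <path>` prints the designated requirement that goes into the payload's CodeRequirement field.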
0
Alex Heylin

YES PLEASE!

1
Derek Schartung

Without signing, supporting this en masse is costing a lot of support hours.

-2
Caitlin M Barnes Team Member

Apple’s recent release of the Mojave operating system introduces new features and security measures, offering end users more peace of mind but also introducing new challenges to partners supporting Apple machines. The team at ConnectWise Control is working to ensure that these changes have the least amount of impact possible for partners.

These new security and privacy settings were enacted by Apple and change how all vendors of remote control products are able to deploy to endpoints. One of these new challenges is a change in the way hosts gain control of Mojave devices. When first connecting to a macOS Mojave session, end users must physically allow access to the ConnectWise Control app from the machine itself. The steps to control a macOS Mojave session have been outlined in documentation. After extensive research, the team has determined that this requirement is mandatory on the first connection; signing the application or access agent will not solve this issue.

ConnectWise Control is actively researching the best way to manage the Gatekeeper feature and improve the experience when updating or reinstalling an access agent on macOS Mojave. The team has also planned performance enhancements and improvements to the Mac client, and will communicate more Mojave updates as they become available.

0
Derek Schartung

So, if end users do not have admin rights on their machines, what then? 

1
Alex Heylin

To add some background to this, we're increasingly seeing our customers moving towards mixed / macOS workstations, and supporting macOS for BYOD. We LOVE ScreenConnect and don't want to replace it - but we need something that will work reliably and easily on macOS, including ad-hoc sessions. The current situation with signing etc. is not good, but if it is going to get worse then we might have to look for another solution even though we REALLY don't want to. I don't know enough to contribute anything technical on this, but I want to plead with you to really exhaust EVERY option - imagine if you're the only remote control solution to crack this one... that's a unique selling point right there!

1
ASimm

@Alex Heylin they won't be the first. This can already be done for TeamViewer, Bomgar and, I believe, LogMeIn.


https://www.jamf.com/jamf-nation/discussions/29703/allow-apps-in-security-privacy-privacy-accessibility-in-mojave-bomgar



