Sign macOS app


In order to deploy macOS privacy preferences policy via MDM/DEP, the macOS app in Mojave that needs exceptions must be signed. Otherwise, a user has to create exceptions to allow remote control via ConnectWise Control, which isn't ideal. I don't want to have to sign your app to get the payload pushed out to create the exceptions from our management software. If you signed your apps like other developers, this would be much easier for all users, like those of the Addigy and JAMF communities. 

Duplicates 1
Please implement code signing for macOS PKG installers.

This has been an issue for some time and it is getting worse with the latest release of macOS Mojave. https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients

Security requirements are increasing and there may come a point where we cannot use ScreenConnect to manage/support Macs. If that happens, it will force us to abandon ScreenConnect for managing Macs, which means less revenue for you. Since you have a cert in use for the Windows EXE, why not sign the PKG files for Macs with the same cert? Can someone in business development review this and get an internal count of how many hundreds or thousands or tens of thousands of machines are currently under Control? It's likely a big impact.

Thanks for your time and consideration.

0
Nas
Quote from James Logan

Hey Igor, does that profile automagically check off Screen Recording and Accessibility? We use Kandji as our MDM and I can deploy Screen Connect with no problems, but as far as having to check those off, it's a pain. I got an article from Kandji on creating a PPPC, but it seems the SC app identifier is different on every machine. Thoughts?

It only does accessibility, not screen recording, so users will see that annoying popup when installed, which they will think is malware :(

0
Nas
Quote from Igor Almeida

John,

I deploy through our MDM and I also deploy a custom policy to enable the accessibility permission and to allow the standard user to allow screen record permission for ScreenConnect. Here is the .mobileconfig file so you can do the same: ScreenConnect Client.mobileconfig

This profile allows Accessibility permissions but not the screen record permission. Is it possible to automate this?

0
James Logan

Hey Igor, does that profile automagically check off Screen Recording and Accessibility? We use Kandji as our MDM and I can deploy Screen Connect with no problems, but as far as having to check those off, it's a pain. I got an article from Kandji on creating a PPPC, but it seems the SC app identifier is different on every machine. Thoughts?

0
John Case
Quote from Igor Almeida

John,

I deploy through our MDM and I also deploy a custom policy to enable the accessibility permission and to allow the standard user to allow screen record permission for ScreenConnect. Here is the .mobileconfig file so you can do the same: ScreenConnect Client.mobileconfig

That seems to have worked. Thanks, Igor!

1
Igor Almeida
Quote from John Case

So there isn't a way to deploy via MDM, and there is no plan to. Correct?

John,

I deploy through our MDM and I also deploy a custom policy to enable the accessibility permission and to allow the standard user to allow screen record permission for ScreenConnect. Here is the .mobileconfig file so you can do the same: ScreenConnect Client.mobileconfig
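
An added example, not part of Igor's post and not ConnectWise's or any MDM vendor's file: a Python sketch that builds the kind of PPPC profile discussed in this thread, with Accessibility granted and Screen Recording left for a standard user to approve, and that rejects the grants macOS does not accept. The bundle identifier, code requirement and payload identifiers are constructed placeholders.

```python
import plistlib
import uuid

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
ALLOW, DENY = "Allow", "Deny"
STANDARD_USER = "AllowStandardUserToSetSystemService"
# Services where a profile may only deny or delegate the choice to a standard user.
CONSENT_ONLY = {"ScreenCapture", "ListenEvent"}

# Constructed placeholders: read the real values from the installed, signed app
# with `codesign -dr - /path/to/App.app`.
APP_ID = "com.example.placeholder.remote-client"
APP_REQ = 'identifier "com.example.placeholder.remote-client" and anchor apple generic'


def pppc_entry(service, identifier, requirement, authorization):
    """Build one Services entry, refusing grants macOS does not accept."""
    if authorization not in (ALLOW, DENY, STANDARD_USER):
        raise ValueError(f"unknown Authorization {authorization!r}")
    if service in CONSENT_ONLY and authorization == ALLOW:
        raise ValueError(f"{service} cannot be pre-approved by a profile")
    if service not in CONSENT_ONLY and authorization == STANDARD_USER:
        raise ValueError(f"{STANDARD_USER} is not valid for {service}")
    if not requirement.strip():
        raise ValueError("CodeRequirement is required and comes from the code signature")
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": requirement, "Authorization": authorization}


def build_profile(identifier=APP_ID, requirement=APP_REQ):
    """Return .mobileconfig bytes: Accessibility allowed, ScreenCapture delegated."""
    services = {
        "Accessibility": [pppc_entry("Accessibility", identifier, requirement, ALLOW)],
        "ScreenCapture": [pppc_entry("ScreenCapture", identifier, requirement, STANDARD_USER)],
    }
    def base(ptype, suffix):
        return {"PayloadType": ptype, "PayloadVersion": 1,
                "PayloadIdentifier": f"com.example.placeholder.pppc.{suffix}",
                "PayloadUUID": str(uuid.uuid4()).upper()}
    tcc = {**base(PPPC_TYPE, "tcc"), "Services": services}
    profile = {**base("Configuration", "profile"), "PayloadScope": "System",
               "PayloadDisplayName": "Remote support PPPC (example)",
               "PayloadContent": [tcc]}
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(build_profile().decode())
```

A PPPC payload takes effect only when it is delivered by the MDM the Mac is enrolled in, and the delegated ScreenCapture setting still leaves the approval itself to the user.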

0
Howie Isaacks
Quote from John Case

We have been deploying the PKG file with our MDM (Filewave) for a couple of years now. It's just gotten increasingly frustrating to log in as an admin so we can see their screen. Many of these systems are remote and thus, not an option. How did you get Jamf Pro to get around the Accessibility and Screen Recording prompts?

The security prompts are part of macOS. Currently, it is not possible to allow the app to have access on behalf of the user. This is the same with any screen sharing app, except Apple Remote Desktop. ARD continues to work perfectly with no prompts. It does tell the user their screen is being observed but it does not prompt.

0
John Case
Quote from Howie Isaacks

It can be deployed through an MDM. I use Jamf Pro to allow users to install the app on demand from Self Service. I do not push the app out automatically since it would cause the users to see a pop-up window requesting permission for screen recording and accessibility. Despite the lack of a certificate this does work. It's when a user has to download the package themselves that this becomes an issue. They see the warning and the installer won't launch unless they right-click and use the option to open.

We have been deploying the PKG file with our MDM (Filewave) for a couple of years now. It's just gotten increasingly frustrating to log in as an admin so we can see their screen. Many of these systems are remote and thus, not an option. How did you get Jamf Pro to get around the Accessibility and Screen Recording prompts?

0
Howie Isaacks
Quote from John Case

So there isn't a way to deploy via MDM, and there is no plan to. Correct?

It can be deployed through an MDM. I use Jamf Pro to allow users to install the app on demand from Self Service. I do not push the app out automatically since it would cause the users to see a pop-up window requesting permission for screen recording and accessibility. Despite the lack of a certificate this does work. It's when a user has to download the package themselves that this becomes an issue. They see the warning and the installer won't launch unless they right-click and use the option to open.

0
John Case
Quote from Caitlin M Barnes

Hi John, 

The above thread still applies to the situation with Mac. We've signed and notarized as much as possible, but the installer and pkg won't be signed because of the dynamic nature of agents and the customizations possible. 

So there isn't a way to deploy via MDM, and there is no plan to. Correct?

0
Caitlin M Barnes Team Member

Hi John, 

The above thread still applies to the situation with Mac. We've signed and notarized as much as possible, but the installer and pkg won't be signed because of the dynamic nature of agents and the customizations possible. 


