Sign macOS app

  • Completed

In order to deploy macOS privacy preferences policy via MDM/DEP, the macOS app in Mojave that needs exceptions must be signed. Otherwise, a user has to create exceptions to allow remote control via ConnectWise Control, which isn't ideal. I don't want to have to sign your app to get the payload pushed out to create the exceptions from our management software. If you signed your apps like other developers, this would be much easier for all users, like those of the Addigy and JAMF communities. 

Duplicates 1
Please Implement code signing for MAC OS PKG installers.

This has been an issue for some time and it is getting worse with the latest release of MACOS Mojave. https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients


Security requirements are increasing and there may come a point where we cannot use ScreenConnect to manage/support Macs. If that happens, it will force us to abandon ScreenConnect for managing Macs, which means less revenue for you. Since you have a cert in use for the Windows EXE, why not sign the PKG files for Macs with the same cert? Can someone in business development review this and get an internal count of how many hundreds or thousands or tens of thousands of machines are currently under Control? It's likely a big impact.

Thanks for your time and consideration.

0
DFree

Fellow posters, 

Not trying to hijack this post, but not sure where else to talk to you guys that have this working...

Do you guys only use ConnectWiseControl via https://<domain>.screenconnect.com or do you all use ConnectWiseAutomate, which has two components, the Remote Agent for monitoring, and the second ConnectWiseControl piece that is basically the same piece that is a part of the screenconnect product?

We have been trying to migrate from the former to the latter.  We use Jamf for pushing out things. After ConnectWise started signing the screenconnect.com installer for Mac, things were gravy.  However in the ConnectWiseAutomate side of things, I have issues.  The mpkg installer from the Automate console supposedly fails to install and gives the following error: 

"Script result: installer: Package name is <br/>installer: Installing at base path /<br/>installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)<br/>"

However, the mac shows up in the Automate console and the LTTray icon appears in the tray.  In order to install the ConnectWiseControl software, I have to double click control and it asks me to install the control piece of the software.  Doing that pops up a PPPC-related request (see below) with ltechagent, even though I've separately put in a PPPC config profile for the path "/usr/local/ltechagent/ltechagent" (see below).  It must somehow be running from another path, but I can't find a trace of another ltechagent on the test Mac I'm using.

I have all of the suggested PPPC profile items in place for Bash and the signed screenconnect stuff (all courtesy of mobileconfigs from here.)  The additional PPPC I tried to use to get rid of the PPPC prompt:

Prompt I'm getting when I believe ltechagent tries to install ConnectWiseControl:

' "ltechagent" wants access to control "Finder". Allowing control will provide access to documents and data in "Finder", and to perform actions within that app.'

PPPC for LTechAgent:
identifier: /usr/local/ltechagent/ltechagent
identifier type: Path
code requirement: identifier "com.labtechsoftware.ltechagent"
Accessibility- ALLOW
AppleEvents- ALLOW
com.apple.systemevents
BundleID / identifier "com.apple.systemevents" and anchor apple

AppleEvents- ALLOW
com.apple.systemuiserver
BundleID / identifier "com.apple.systemuiserver" and anchor apple

AppleEvents- ALLOW
com.apple.finder
BundleID / identifier "com.apple.finder" and anchor apple

Some questions:

1. Is the Remote Agent installer from ConnectWiseAutomate supposed to install both the LTray/ltechagent and the ConnectWiseControl software? 

2. How do I troubleshoot the installer error I see?

3. Is the installer error related to the installer trying to install the ConnectWiseControl software too?

4. If the answer to 1 is no, is there another way to install the ConnectWiseControl automagically without needing to double-click connect in the ConnectWise Automate console?

0
Headbolt

OK, even worse news.


Finally got my hands on some apple documentation.

https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services

Sadly it seems the "Feature" actually dubbed "Screen Capture" at the backend, cannot be allowed by policy, you can only deny apps, even though everything is seemingly denied by default. So unless a U Turn is in the works, we can basically upgrade no further than Mojave.

Way to go Apple, will hopefully be the final nail we need to abandon Macs entirely as the overpriced, overrated, and despite Apple's continued assurances and continued broken promises most definitely NOT Enterprise class products.
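The PPPC entries DFree lists above and the deny-only Screen Capture behaviour Headbolt describes, as an added example that is not code from any poster or from ConnectWise: it builds the TCC payload from the values in DFree's post and rejects an entry that tries to allow a deny-only service. The function names, `org_id` and the display name are placeholders chosen for illustration.

```python
import plistlib
import uuid

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"ScreenCapture"}  # deny-only per the Apple page linked in the thread

def entry(identifier, id_type, requirement, allowed=True, receiver=None):
    """One Services entry; receiver=(bundle_id, requirement) is for AppleEvents."""
    e = {"Identifier": identifier, "IdentifierType": id_type,
         "CodeRequirement": requirement, "Allowed": allowed}
    if receiver:
        e.update({"AEReceiverIdentifier": receiver[0],
                  "AEReceiverIdentifierType": "bundleID",
                  "AEReceiverCodeRequirement": receiver[1]})
    return e

def lint(services):
    """Return a list of problems that would make the payload invalid."""
    problems = []
    for service, entries in services.items():
        for e in entries:
            if service in DENY_ONLY and e["Allowed"]:
                problems.append(f"{service}: policy can only deny, not allow")
            has_rx = "AEReceiverIdentifier" in e
            if (service == "AppleEvents") != has_rx:
                problems.append(f"{service}: receiver keys belong to AppleEvents only")
    return problems

def build_profile(services, org_id="com.example.pppc"):  # org_id is a placeholder
    problems = lint(services)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {"PayloadType": TCC_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": f"{org_id}.tcc",
               "PayloadUUID": str(uuid.uuid4()).upper(), "Services": services}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadScope": "System", "PayloadDisplayName": "ltechagent PPPC",
               "PayloadIdentifier": org_id, "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)  # XML .mobileconfig bytes

# Identifier, type and code requirement exactly as given in the post.
AGENT = ("/usr/local/ltechagent/ltechagent", "path",
         'identifier "com.labtechsoftware.ltechagent"')
RECEIVERS = ["com.apple.systemevents", "com.apple.systemuiserver", "com.apple.finder"]
SERVICES = {
    "Accessibility": [entry(*AGENT)],
    "AppleEvents": [entry(*AGENT, receiver=(r, f'identifier "{r}" and anchor apple'))
                    for r in RECEIVERS],
}
```

The code requirement is evaluated against the binary's code signature, so the entry only takes effect when the file at that path is signed with a matching identifier.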

-1
Howie Isaacks
Quote from Caitlin M Barnes

We are currently working on the necessary notaries and signing for Catalina's public release in mid-September. 

That's great. I'm not holding my breath waiting for it though. And what are you doing about the issue with Screen Connect activating the discrete GPU? That's not necessary. The Apple Remote Desktop agent doesn't do that and neither do other remote support agents. There is no need to do this. That issue has been open for over 2 years. This is Mac marginalization.

0
Howie Isaacks

A lot of my users WILL upgrade to Catalina because they need to. They're developers. Also, what are we supposed to do with Macs that come preinstalled? Imaging on Mac is dead and a new Mac model will not boot up properly on an older macOS. ConnectWise had the opportunity to upgrade their software but it's obviously not important. I'm going to build the case to abandon Screen Connect for Macs. I have never liked this software anyway. It's poorly designed and it activated the discrete GPU in MacBook Pros which causes excessive battery drain. That alone makes this software bad for Mac users.

0
Headbolt

Alex

Again, I posted this as a warning for Enterprise/Business people to NOT upgrade to Catalina yet, this is not something within ConnectWise's control and there is nothing for them to fix.

There is a simple Tickbox within Catalina to fix this issue, so ConnectWise's software works just fine and as intended, this is a simple addition/extension to the "sandboxing" of any non-Apple application that was introduced in Mojave, and like that introduction in Mojave, this one in Catalina was also not announced or documented, it simply appeared without warning in one of the last Betas before final release, giving Administrators no time to react and no tools or information to react with.

The issue here is that the only Administrative or Enterprise mechanism available to push this setting out to Macs en masse has not been documented yet BY APPLE so we are unlikely to have the information on how to create config profiles to do this until after launch.

Bear in mind that the documentation for the Mojave changes came very late, and the only Apple Supplied tool to create proper config files these days (Apple Configurator) still hasn't been updated to deal with the Mojave additions.

0
Howie Isaacks
Quote from Headbolt

I posted this as an FYI and warning, it's not ConnectWise's fault.


Be fair Howie, this security change was unannounced and only appeared in Catalina Beta 6 and that was only released 10 days ago, there is no remote control software on the market that is ready for this yet and I'd imagine 3rd party dock vendors are going nuts to get this fixed for release as well.

Naturally Apple docks and Apple's own ARD are exempt from this, for all the good ARD does when devices are out of the office.


These unannounced features trip up everyone on every release, I'm sure Apple do it to nudge people into sticking to all Apple peripherals etc.


This update will break many things, and while there is a manual fix, Apple has provided no documentation on how to automate this for enterprises.

BTW if the manual route is ok for you, simply go to the PPPC system preference and tick screen connect or your dock app in the Screen Recording section.

I am being fair. ConnectWise is marginalizing Mac users. Any GOOD developer would download and install macOS Catalina developer beta and begin working on making needed changes to their software. It took ConnectWise MONTHS to give us a signed agent that could be whitelisted using a configuration profile. They have not bothered to do anything about how this software activates the discrete GPU which causes excessive battery drain. I can go a whole 8-10 hour day without plugging in my MacBook Pro to power but I couldn't do that if I had Screen Connect installed. I will not tell Apple to change their security settings because I support them 100%. Sure, it's annoying to have to whitelist some apps and processes, but that's my job. It's ConnectWise's job to produce a quality product. They. Have. Failed.

0
Alex Heylin

Any chance of getting ahead of this game in future so support is ready before the OS is released?

We don't control when our customers update - and Mac users seem to LOVE updating on release day.

Thanks

0
Headbolt
Quote from Howie Isaacks

I'm going to push to remove this crapware from every Mac that we manage. ConnectWise does not care about the user experience on Macs. If they did they would stay on top of this. They would also create an agent that doesn't activate the discrete GPU on MacBook Pros. That issue has been going on for over 2 years. It's very clear that Apple users are not the priority at ConnectWise. 

I posted this as an FYI and warning, it's not ConnectWise's fault.


Be fair Howie, this security change was unannounced and only appeared in Catalina Beta 6 and that was only released 10 days ago, there is no remote control software on the market that is ready for this yet and I'd imagine 3rd party dock vendors are going nuts to get this fixed for release as well.

Naturally Apple docks and Apple's own ARD are exempt from this, for all the good ARD does when devices are out of the office.


These unannounced features trip up everyone on every release, I'm sure Apple do it to nudge people into sticking to all Apple peripherals etc.


This update will break many things, and while there is a manual fix, Apple has provided no documentation on how to automate this for enterprises.

BTW if the manual route is ok for you, simply go to the PPPC system preference and tick screen connect or your dock app in the Screen Recording section.

0
Caitlin M Barnes Team Member

We are currently working on the necessary notaries and signing for Catalina's public release in mid-September. 

-1
Howie Isaacks

I'm going to push to remove this crapware from every Mac that we manage. ConnectWise does not care about the user experience on Macs. If they did they would stay on top of this. They would also create an agent that doesn't activate the discrete GPU on MacBook Pros. That issue has been going on for over 2 years. It's very clear that Apple users are not the priority at ConnectWise. 


