Sign macOS app

  • Completed

In order to deploy macOS privacy preferences policy via MDM/DEP, the macOS app in Mojave that needs exceptions must be signed. Otherwise, a user has to create exceptions to allow remote control via ConnectWise Control, which isn't ideal. I don't want to have to sign your app to get the payload pushed out to create the exceptions from our management software. If you signed your apps like other developers, this would be much easier for all users, like those of the Addigy and JAMF communities. 

Duplicates 1
Please implement code signing for macOS PKG installers.

This has been an issue for some time and it is getting worse with the latest release of macOS Mojave. https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients

Security requirements are increasing and there may come a point where we cannot use ScreenConnect to manage/support Macs. If that happens, it will force us to abandon ScreenConnect for managing Macs, which means less revenue for you. Since you have a cert in use for the Windows EXE, why not sign the PKG files for Macs with the same cert? Can someone in business development review this and get an internal count of how many hundreds or thousands or tens of thousands of machines are currently under Control? It's likely a big impact.

Thanks for your time and consideration.

Headbolt

Bad news people, this is now Broken again in Catalina, so upgrade with Caution.

There is a new "Screen Recording" Section in PPPC now that ScreenConnect needs to also be added to, but there is no tool or guidance on how to create a Profile to do it at present.


The addition of this Section also breaks 3rd Party Docks by the way, so if you have one, manually add your Dock software to the new section, or hold off the upgrade until any tools are updated to suit.

Katarina Team Member
  • Completed
Caitlin M Barnes Team Member
Quote from Brent Pirolli

I have tested that with success... I pushed this update to a Mojave machine, had to re-enable permissions, and then could control. I then reinstalled and it worked without intervention. However, when a new version comes out, will I then have to have physical contact again or will it work as well?

The Mojave improvements we made will persist in all new releases. We'll continue to double check that these improvements remain in good order during our QA process, so there shouldn't be any further problems or the need for you to physically access the machines. 

Brent Pirolli

I have tested that with success... I pushed this update to a Mojave machine, had to re-enable permissions, and then could control. I then reinstalled and it worked without intervention. However, when a new version comes out, will I then have to have physical contact again or will it work as well?

Caitlin M Barnes Team Member
Quote from Brent Pirolli

Does having the signed installer help at all when reinstalling on Mac Access clients, or do we still need physical access to each machine to re-grant permissions to control again? I'm hoping this means physical permissions only need to be granted on initial install and updates/reinstalls are possible without further physical visits. If not, man... this is becoming a deal breaker.

Hi Brent, 

You should only need to physically grant access to the machine on install (or the first reinstall after moving to the release that has the Mojave changes). Any other reinstalls should be possible without additional physical intervention. 

Caitlin 

Brent Pirolli

Does having the signed installer help at all when reinstalling on Mac Access clients, or do we still need physical access to each machine to re-grant permissions to control again? I'm hoping this means physical permissions only need to be granted on initial install and updates/reinstalls are possible without further physical visits. If not, man... this is becoming a deal breaker.

anonymous
Quote from Alex Hart

@Brandon, what's the status on this? The linked script still references old deploy https://docs.connectwise.com/@api/deki/files/21478/controlclientcleanup.sh?revision=1 connectwisecontrol-...app vs screenconnect-...app, for example.

We have sent this to the documentation team for an update. Sorry, no ETA on a resolution.

Alex Hart

@Brandon, what's the status on this? The linked script still references old deploy https://docs.connectwise.com/@api/deki/files/21478/controlclientcleanup.sh?revision=1 connectwisecontrol-...app vs screenconnect-...app, for example.

Tom R

Oh yeah, I get it and was expecting it (well, not today, because ConnectWise said our instance would be upgraded next week even though it was today, sigh...), but I wanted to make sure other people knew, as I don't think ConnectWise made that overly clear and it might catch people by surprise.

Alex Hart
Quote from Tom R

As a heads up, if you've signed ScreenConnect with your own developer cert and deployed a PPPC profile, this update is probably gonna break that, since the app is now signed with ConnectWise's cert.

I assume that's self-explanatory and I'm guessing that you may have been impacted unexpectedly. Perhaps that is because you have automatic client updates on? If you turn off automatic client updates, then you won't have to worry about this. Simply change out your profile before updating clients. Not only is the cert going to be different, but also the identifiers. The application and changed in this update as well.
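
A PPPC entry is bound to an identifier and a code requirement, so the re-signing discussed in this exchange leaves the old profile matching nothing; the check below audits a profile against the signature of the build about to be rolled out. It is an added example, not part of the thread and not ConnectWise code: the identifiers, team IDs and profile are constructed placeholders, and it assumes an unsigned .mobileconfig.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed values: placeholders, not the product's real identifiers or team IDs.
OLD_ID = "com.example.selfsigned.remoteclient"
OLD_REQ = f'identifier "{OLD_ID}" and anchor apple generic and certificate leaf[subject.OU] = "OLDTEAM001"'
NEW_ID = "com.example.vendor.remoteclient"
NEW_REQ = f'identifier "{NEW_ID}" and anchor apple generic and certificate leaf[subject.OU] = "NEWTEAM002"'

def make_entry(identifier, requirement):
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": requirement, "Allowed": True}

# Constructed, unsigned profile as deployed before the client update.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "Accessibility": [make_entry(OLD_ID, OLD_REQ)],
            "SystemPolicyAllFiles": [make_entry(OLD_ID, OLD_REQ)],
        },
    }],
})

def pppc_entries(profile_bytes):
    """Yield (service, entry) for every PPPC entry in the profile."""
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == PPPC_TYPE:
            for service, entries in payload.get("Services", {}).items():
                for entry in entries:
                    yield service, entry

def norm(req):
    """Collapse whitespace so formatting differences are not reported as drift."""
    return " ".join(req.split())

def audit(profile_bytes, identifier, requirement):
    """Per service: 'ok', 'stale-requirement' (same identifier, other signer) or 'no-entry'."""
    result = {}
    for service, entry in pppc_entries(profile_bytes):
        result.setdefault(service, "no-entry")
        if entry.get("Identifier") != identifier or result[service] == "ok":
            continue
        matches = norm(entry.get("CodeRequirement", "")) == norm(requirement)
        result[service] = "ok" if matches else "stale-requirement"
    return result

if __name__ == "__main__":
    # On a Mac, `codesign -d -r- <app path>` prints the requirement after "designated => ".
    print(audit(SAMPLE_PROFILE, NEW_ID, NEW_REQ))
```

Any service reported as `no-entry` or `stale-requirement` for the new build needs an updated profile entry before clients are upgraded.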


