Sign macOS app

  • updated
  • Completed

In order to deploy macOS privacy preferences policy via MDM/DEP, the macOS app in Mojave that needs exceptions must be signed. Otherwise, a user has to create exceptions to allow remote control via ConnectWise Control, which isn't ideal. I don't want to have to sign your app to get the payload pushed out to create the exceptions from our management software. If you signed your apps like other developers, this would be much easier for all users, like those of the Addigy and JAMF communities. 

Duplicates 1
Please Implement code signing for MAC OS PKG installers.

This has been an issue for some time and it is getting worse with the latest release of macOS Mojave. https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients


Security requirements are increasing and there may come a point where we cannot use ScreenConnect to manage/support Macs. If that happens, it will force us to abandon ScreenConnect for managing Macs, which means less revenue for you. Since you have a cert in use for the Windows EXE, why not sign the PKG files for Macs with the same cert? Can someone in business development review this and get an internal count of how many hundreds or thousands or tens of thousands of machines are currently under Control? It's likely a big impact.

Thanks for your time and consideration.

0
Alex Heylin

Thanks @A Simm, in which case it clearly CAN be done, and we need it to be done. The company (we already use) that we consider a direct competitor to LT uses LMI, and while we don't want to use them instead of LT - this is another nail in the coffin for LT / SC having a place in our business. 

2
ASimm
Quote from Caitlin M Barnes

Apple’s recent release of the Mojave operating system introduces new features and security measures, offering end users more peace of mind but also introducing new challenges to partners supporting Apple machines. The team at ConnectWise Control is working to ensure that these changes have the least amount of impact possible for partners.

These new security and privacy settings were enacted by Apple and change how all vendors of remote control products are able to deploy to endpoints. One of these new challenges is a change in the way hosts gain control of Mojave devices. When first connecting to a macOS Mojave session, end users must physically allow access to the ConnectWise Control app from the machine itself. The steps to control a macOS Mojave session have been outlined in documentation. After extensive research, the team has determined that this requirement is mandatory on the first connection; signing the application or access agent will not solve this issue.

ConnectWise Control is actively researching the best way to manage the Gatekeeper feature and improve the experience when updating or reinstalling an access agent on macOS Mojave. The team has also planned performance enhancements and improvements to the Mac client, and will communicate more Mojave updates as they become available.

@Caitlin signing the product will fix the problem. Then it can get access to Accessibility through an MDM like other applications.

0
Derek Schartung

It's been standard practice to sign MacOS packages for years now. So, why not just do it? Please don't let this turn into a dev versus product fight. Side with the customers and do the right thing. Just take the devs out for beers. 

2
Alex Hart

I tried posting this as a reply above, but it has been stuck in moderation for 2 days now. I'll try here instead. 

Hi Caitlin (and team),

I'd like to encourage your team to not give up. I respectfully reject your assertions that this isn't possible. I know this is in fact possible, as I've seen it working (with other applications and with your application when signed). Your team unfortunately did not research extensively enough. While I agree signing the application in and of itself is not enough, if you have an Apple MDM setup and deploy your own privacy policy that whitelists the application (a signed application is required), then you can remotely approve the use of CW Control *without* any user intervention on the first connection. Let me try to help by providing some reading material:

https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/

https://www.jamf.com/jamf-nation/articles/553/preparing-your-organization-for-user-data-protections-on-macos-10-14

https://macadmins.herokuapp.com/ (see mdm channel)

https://github.com/carlashley/tccprofile

I'd love to work with you and your team more directly to make sure this comes to light. If that is at all helpful, please don't hesitate to contact me. Here are the signing requests:

https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients

https://control.product.connectwise.com/communities/6/topics/2014-mac-signed-application

Please note, this is the .app that needs to be signed, not the installer. 

Thank you for considering my feedback on this.

0
Yochai Gal

I almost lost a client because of this. They sent me an email about how it costs $100 to become a developer, how can we use this software, etc etc. It made me reconsider using CW Control.

0
Alex Hart

Also, another user was able to get this working (only if they have a developer cert from Apple and sign the app themselves, which shouldn't be a requirement, hence this topic):

https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients#comment-6782

1
Caitlin M Barnes Team Member

I wanted to give an update on our ongoing work with Mojave. Thanks for your continued suggestions and attention. ConnectWise Control is multi-instance, not multi-tenant like other remote control solutions, which means that changes to compensate for Mojave permission updates are a higher architectural discussion, and something we’re diligently researching. Being a multi-instance product provides additional levels of security for our partners, but also presents new challenges. 

4
anonymous
  • Roadmapped
4
anonymous
  • Started
2
anonymous

I enjoy all the feedback we have gotten on this issue. As we continue development on this issue, I wanted to provide some clarification.

We have started development on signing the macOS installer bundle. When the macOS installer bundle is downloaded, it undergoes dynamic changes related to our customization features. The same is true for all of the installers. However, only for macOS do these changes break the signature of the bundle. Therefore, not signing the application was a tradeoff to allow for the .pkg to have customized branding, naming, etc. However, the release of Mojave changes that calculation for the following reason: permissions granted to unsigned applications do not persist upon reinstall. This is the main reason why we have decided to investigate signing the installer. Doing so requires some significant changes to what/how we customize our application, but we are working hard to maintain all functionality at this point. This is the main sticking point with signing the application.

As Caitlin said, this does not solve this issue because end users will still be required to be admin users and supply permissions to our application. Although signing the application allows it to be distributed with an MDM product, we do not consider that a solution because we can't require our partners to purchase a 3rd-party tool to support ours. Currently, there is no way to get around these permission challenges for any software vendor. That said, we are glad that signing our application has the ancillary benefit of making it compatible with 3rd-party tools in use by our partners.

Hope that helps. We will keep this thread updated as work progresses.
