Sign macOS app

  • Completed

In order to deploy macOS privacy preferences policy via MDM/DEP, the macOS app in Mojave that needs exceptions must be signed. Otherwise, a user has to create exceptions to allow remote control via ConnectWise Control, which isn't ideal. I don't want to have to sign your app to get the payload pushed out to create the exceptions from our management software. If you signed your apps like other developers, this would be much easier for all users, like those of the Addigy and JAMF communities. 

Duplicates 1
Please Implement code signing for MAC OS PKG installers.

This has been an issue for some time and it is getting worse with the latest release of MACOS Mojave. https://control.product.connectwise.com/communities/6/topics/1974-complicated-process-required-to-control-macos-1014-mojave-clients


Security requirements are increasing and there may come a point where we cannot use ScreenConnect to manage/support Macs. If that happens, it will force us to abandon ScreenConnect for managing Macs, which means less revenue for you. Since you have a cert in use for the Windows EXE, why not sign the PKG files for Macs with the same cert? Can someone in business development review this and get an internal count of how many hundreds or thousands or tens of thousands of machines are currently under Control? It's likely a big impact.

Thanks for your time and consideration.

0
DFree

Fellow posters, 

Not trying to hijack this post, but not sure where else to talk to you guys that have this working...

Do you guys only use ConnectWiseControl via https:<domain>.screenconnect.com or do you all use ConnectWiseAutomate, which has two components, the Remote Agent for monitoring, and the second ConnectWiseControl piece that is basically the same piece that is a part of the screenconnect product?

We have been trying to migrate from the former to the latter.  We use Jamf for pushing out things. After ConnectWise started signing the screenconnect.com installer for Mac, things were gravy.  However in the ConnectWiseAutomate side of things, I have issues.  The mpkg installer from the Automate console supposedly fails to install and gives the following error: 

"Script result: installer: Package name is <br/>installer: Installing at base path /<br/>installer: The install failed (The Installer encountered an error that caused the installation to fail. Contact the software manufacturer for assistance.)<br/>"

However, the mac shows up in the Automate console and the LTTray icon appears in the tray.  In order to install the ConnectWiseControl software, I have to double click control and it asks me to install the control piece of the software.  Doing that pops up a PPPC-related request (see below) with ltechagent, even though I've separately put in a PPPC config profile for the path "/usr/local/ltechagent/ltechagent" (see below).  It must somehow be running from another path, but I can't find a trace of another ltechagent on the test Mac I'm using.

I have all of the suggested PPPC profile items in place for Bash and the signed screenconnect stuff (all courtesy of mobileconfigs from here.)  The additional PPPC I tried to use to get rid of the PPPC prompt:

Prompt I'm getting when I believe ltechagent tries to install ConnectWiseControl:

' "ltechagent" wants access to control "Finder". Allowing control will provide access to documents and data in "Finder", and to perform actions within that app.'

PPPC for LTechAgent:
identifier: /usr/local/ltechagent/ltechagent
identifier type: Path
code requirement: identifier "com.labtechsoftware.ltechagent"
Accessibility- ALLOW
AppleEvents- ALLOW
com.apple.systemevents
BundleID / identifier "com.apple.systemevents" and anchor apple

AppleEvents- ALLOW
com.apple.systemuiserver
BundleID / identifier "com.apple.systemuiserver" and anchor apple

AppleEvents- ALLOW
com.apple.finder
BundleID / identifier "com.apple.finder" and anchor apple

Some questions:

1. Is the Remote Agent installer from ConnectWiseAutomate supposed to install both the LTray/ltechagent and the ConnectWiseControl software? 

2. How do I troubleshoot the installer error I see?

3. Is the installer error related to the installer trying to install the ConnectWiseControl software too?

4. If the answer to 1 is no, is there another way to install the ConnectWiseControl automagically without needing to double-click connect in the ConnectWise Automate console?
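
Added example, not part of DFree's post and not ConnectWise's or Jamf's own profile: the PPPC settings listed in the post, expressed as a `com.apple.TCC.configuration-profile-policy` payload built with Python's `plistlib`, plus a check that flags code requirements naming only an identifier. The payload identifiers and display name are placeholders, and the `Allowed` key is the macOS 10.14/10.15 form.

```python
import plistlib
import uuid

# Values copied from the post above; everything else is constructed for this example.
CLIENT_PATH = "/usr/local/ltechagent/ltechagent"
CLIENT_REQ = 'identifier "com.labtechsoftware.ltechagent"'
RECEIVERS = ["com.apple.systemevents", "com.apple.systemuiserver", "com.apple.finder"]

def rule(code_req, receiver=None):
    """One TCC rule for the agent; `receiver` is the bundle ID of an Apple Events target."""
    r = {"Identifier": CLIENT_PATH, "IdentifierType": "path",
         "CodeRequirement": code_req, "Allowed": True}  # 10.14/10.15 key
    if receiver:
        r.update({"AEReceiverIdentifier": receiver,
                  "AEReceiverIdentifierType": "bundleID",
                  "AEReceiverCodeRequirement": f'identifier "{receiver}" and anchor apple'})
    return r

def build_profile(code_req=CLIENT_REQ):
    """Wrap the TCC payload in a configuration profile (identifiers are placeholders)."""
    tcc = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
           "PayloadIdentifier": "example.pppc.ltechagent.tcc",
           "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
           "Services": {"Accessibility": [rule(code_req)],
                        "AppleEvents": [rule(code_req, r) for r in RECEIVERS]}}
    return {"PayloadType": "Configuration", "PayloadScope": "System",
            "PayloadDisplayName": "PPPC for ltechagent (example)",
            "PayloadIdentifier": "example.pppc.ltechagent",
            "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
            "PayloadContent": [tcc]}

def unanchored_rules(profile):
    """List (service, identifier) for rules whose requirement names no signer.
    Heuristic: without an `anchor` or `certificate` clause the requirement
    constrains only the signing identifier, not who signed the code."""
    hits = []
    for payload in profile["PayloadContent"]:
        for service, rules in payload.get("Services", {}).items():
            for r in rules:
                req = r["CodeRequirement"]
                if "anchor" not in req and "certificate" not in req:
                    hits.append((service, r["Identifier"]))
    return hits

if __name__ == "__main__":
    profile = build_profile()
    print(plistlib.dumps(profile).decode())
    print("no signer constraint:", unanchored_rules(profile))
```

On the Mac itself, `codesign -d -r- /usr/local/ltechagent/ltechagent` prints the binary's designated requirement, which is the string PPPC tooling normally places in `CodeRequirement`.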

0
Caitlin M Barnes Team Member

Catalina updates are out! Check out the Output Stream for more information. 

0
ASimm

Hello @Catalina, there is no way to automate the approval of the PPPC Screen Recording option on Macs with macOS 10.15 installed. ConnectWise ScreenConnect prompts for this to be approved after installation. On managed devices with macOS 10.15 installed it doesn't look like this installation can be completed without manual intervention, which isn't realistic when managing devices at multiple locations.


0
Caitlin M Barnes Team Member
Quote from ASimm

Hello @Catalina, there is no way to automate the approval of the PPPC Screen Recording option on Macs with macOS 10.15 installed. ConnectWise ScreenConnect prompts for this to be approved after installation. On managed devices with macOS 10.15 installed it doesn't look like this installation can be completed without manual intervention, which isn't realistic when managing devices at multiple locations.


Hi ASimm, 

Unfortunately, we're at the mercy of Apple and their security decisions. We've done what we can to smooth the process of remotely connecting to Macs, and will continue to look for ways to improve this process as later Catalina versions come out. However, as with Mojave, it is required that some manual intervention take place on the end user's machine. However, some users have reported that with Apple MDM you can set up/deploy your own privacy policy that whitelists the application, which allows you to remotely approve the use of CW Control without any end-user intervention on the first connection. There is some discussion of that in the thread above.

Best, 

Caitlin 

-1
Howie Isaacks

I'm going to push to remove Screen Connect from all of our managed Macs. This is not the first time that ConnectWise has failed to deliver a quality product on the Mac. I asked over 2 years ago when or if you would create a native client for ConnectWise on the Mac so I could stop using the web client. I was told that one was coming. Obviously that wasn't true because I'm still waiting. We need a quality remote support agent, and Screen Connect isn't it. You can tell us not to upgrade to Catalina, but that's a very ignorant suggestion. New Macs will come preinstalled with it, and they will not boot properly from an older version of macOS, if at all. Using the excuse that you're at the mercy of Apple is lame. You have had macOS Catalina since it was released to developers in June. Your top priority should have been to make Screen Connect work. And one more thing... I don't appreciate that I have to reissue my configuration profile whitelisting Screen Connect every time there's an update for it. Why?

0
Ryan Morash

We are trying to deploy the ScreenConnect Access agent to our Macs through our MDM but are unable to do so as the pkg is not signed or notarized. Are there any plans to solve this?

0
AMcCabe
Quote from Ryan Morash

We are trying to deploy the ScreenConnect Access agent to our Macs through our MDM but are unable to do so as the pkg is not signed or notarized. Are there any plans to solve this?

I'm not aware of any plans to sign/notarize the pkg at the moment, but a workaround would be to first deploy the support guest client, and then from the Support tab select all sessions and Install Access (though this is assuming that your license allows support sessions).

0
Tom R

The current version should be signed. At least it is for us. Also, if you deploy through MDM, signing should not be a factor (depending on the MDM), as most install software as root, which is not affected by Gatekeeper requirements.

Might you be getting hit by PPPC settings that need to be whitelisted? Accessibility or Screen Recording?

0
Ryan Morash
Quote from Tom R

The current version should be signed. At least it is for us. Also, if you deploy through MDM, signing should not be a factor (depending on the MDM), as most install software as root, which is not affected by Gatekeeper requirements.

Might you be getting hit by PPPC settings that need to be whitelisted? Accessibility or Screen Recording?

The access agent installer is not signed, the agent itself is. Our MDM documentation states that apps must be signed. I just ended up signing and notarizing it from my personal developer account.

0
Tom R

Oh sorry the pkg. Correct. Still though most MDMs should handle that. I know JAMF does.


