Privacy controls on macOS: Screen Recording for standard users

Jul 1, 2021 5 min read
Privacy controls on macOS: Screen Recording for standard users

Introduction

Since macOS 11 Big Sur, Apple has made sweeping changes to the underlying privacy controls within macOS. Aligning with mobile MDM controls allows organizations to increase app security while giving users control over their data and privacy.

The aim of this article is to show how to allow a non-admin user to share their screen with applications deployed and approved by the organization.

Access to camera and microphone controls are accessible to a non-admin user on first launch of an application.

However enabling more sensitive controls such as screen sharing, recording is only available for a local admin user normally. Standard users would need to click the padlock to enable the feature needing details of an admin account.

For the enterprise, macOS devices that are MDM enrolled are now supervised, following the iOS methodology of having extra controls once a device is enterprise controlled. This allows granular settings for end users to be specified. It is on a per app basis so a profile is required for each application that requires this permission.

We have a number of requirements to be able to enable the setting with a custom XML profile until the features are implemented into MDM consoles.

Collecting the application ID and signing information

There are 2 methods to collect the required strings to identify which apps will be "whitelisted" for non-admins. Those methods can be by command line or with a VMware fling that has been provided for this purpose. The application to be configured will need to be available on a device to collect the following information so make sure it is installed on the device ideally via MDM application management.

Fling Method

The application called app finder for tunnel will produce the required results for the XML profile.

https://flings.vmware.com/app-finder-for-tunnel

Download and install the fling from the above URL.

Install and run the app finder application.

Locate the application that you want the identifier information for and drag to the open app finder window. If you have trouble hold option at the same time as dragging the application.

The ID and Requirements can be copied and pasted later into our XML Profile.

Command line method

The alternative way to collect the ID and Requirements using native macOS tools, using terminal. The installed application name will need to be taken from /Applications we can view this by running the following command.

cd /Applications

ls

Resulting in a list of all applications installed.

In this case we are going to use:

OBS.app

To collect the ID and requirements run the command below:

Type:

codesign --display -r - /Applications/OBS.app

This will produce the following result.

Executable=/Applications/Webex.app/Contents/MacOS/OBS

identifier "com.obsproject.obs-studio" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = "2MMRE5MTB8"

This string will be used in the XML as per the examples in red below.

One other item required for the XML will be a unique UDID this can be generated at the following page other uuid creation tools can be used.

https://www.uuidgenerator.net/version4

The above id & identifier code can also be found online collected by 3rd parties, for the sake of completeness it would be recommended to use the above methods with your own applications so make sure the certificates and identifiers are the correct ones.

The XML Profile to set screen recording / sharing

I have highlighted in "Bold" the parts that will need to be customised, the methods below are only to change the screen sharing permission the new string apple have created for this function is called.

AllowStandardUserToSetSystemService

The XML will need to be added to a custom profile. For this article we will be using workspace one. The profile may work for other MDM systems however this is only tested on Workspace One UEM.

<dict>

<key>Services</key>

<dict>

<key>ScreenCapture</key>

<array>

<dict>

<key>CodeRequirement</key>

<string>identifier "com.obsproject.obs-studio" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2MMRE5MTB8"</string>

<key>IdentifierType</key>

<string>bundleID</string>

<key>Identifier</key>

<string>com.obsproject.obs-studio</string>

<key>Authorization</key>

<string>AllowStandardUserToSetSystemService</string>

<key>Comment</key>

<string>Allow non-admin users to enable OBS app for Screen Sharing</string>

</dict>

</array>

</dict>

<key>PayloadDescription</key>

<string>Privacy Preference setting for OBS to allow non-admin users to enable Screen Sharing</string>

<key>PayloadDisplayName</key>

<string>OBS TCC Settings</string>

<key>PayloadIdentifier</key>

<string>com.obsproject.obs-studio.AllowStandardUserToSetSystemService</string>

<key>PayloadOrganization</key>

<string>VMware</string>

<key>PayloadType</key>

<string>com.apple.TCC.configuration-profile-policy</string>

<key>PayloadUUID</key>

<string>16757cdf-2baf-4df5-bead-bdcbd7f1995f</string>

<key>PayloadVersion</key>

<integer>1</integer>

</dict>

Deploying the XML profile

To send the configuration to macOS clients we will use a Workspace One UEM profile with a custom payload. This will be a familiar process for many UEM administrators

Navigate to Groups and settings \ Groups \ Assignment Groups \ Add smart group

Create a smart group for the devices you wish to target.

Then go to Devices \ Profiles \ add

Create a macOS “Device Profile” and configure the general page with the recently created smart group as target.

Enable the custom XML payload and paste in your edited version of XML with your specific application settings.

Save and publish.

The Job is now done !

Summary

As shown in this document the privacy controls for macOS are powerful and configurable to make sure the user has the experience required by AMC. If there is a reason an item should not be allowed the administrator can set this and the user will be unable to access the item.

Great! Next, complete checkout for full access to Mobinergy Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Mobinergy Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.