I have discovered that the script doesn’t set the security permissions on macOS Mojave and up.
This is a problem since none of our users have admin rights to approve it.
Not sure if there’s any way to set that for them without an MDM. Let me ping our Mac expert @tim.lee for a second opinion.
Thank you,
Yes I am afraid of that and unfortunately we are using Meraki MDM which doesn’t have that option and lacks developers and support help 😦
@L4d1k I’m not familiar with Meraki MDM, but you typically find that under privacy preferences.
The only option I can see as a possibility is this one:
Unfortunately no luck.
Splashtop requires:
Accessibility
Screen Recording
Accessibility is the only option in Meraki MDM, but it doesn’t get enabled with any of the options I have tried.
Maybe I will have to use Automox to temporarily change all the local Mac admin passwords, and once instructing users to grant the permission to Splashtop is completed, I will change it to a new password using Automox.
Apple doesn’t allow Camera or Screen Recording whitelisting even through MDM (they tout because privacy). Accessibility should work though, you will need to get the bundleID and code requirement from the app. It’s a long read, but I think this lays out grabbing that info:
Thank you for the information.
I have tested with only the Accessibility option enabled; unfortunately, I wasn’t able to see the user’s screen correctly.
The connection was only partially made: I was able to see a blank Mac desktop and move the mouse and click with it.
Since I had the test laptop next to me, I could see that I was controlling the Mac, but the problem was that I was driving blind, since on my end I wasn’t receiving the video feed with the current desktop and applications.
here is a screenshot:
on the actual laptop I had System Preferences open.
This is a very frustrating situation, since we have switched to an online remote teaching model and we are trying to support the teachers remotely.
If we lose the remote tool, support is going to be very difficult and will take much longer.
Have you talked with Splashtop about this issue yet? I imagine they must have a lot of folks in the same boat.
We’ve run into the issue ourselves just using Zoom internally. Once you upgrade to Catalina, you have to give permissions to Zoom around screensharing and audio. Fortunately we’re all local admins and we can do it ourselves, but not everyone has that luxury. The annoying part is that you have to close your meeting to make the change and then log back in.
Doesn’t look like they have any better solution and just recommend everyone changing the permissions locally: https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/360035055131-macOS-10-15-Catalina-additional-accessibility-requirements-for-Mac-Streamer-and-Mac-Business-App
Maybe the simplest approach is what you suggested around making them admins temporarily and then changing their permissions/passwords after.
Thank you Nic.
Yes that is what I have found on splashtop website too.
I have created a ticket with them and am waiting, but I don’t think I will get any usable solution.
Not giving out admin access has saved us many times, with a small tech department, by preventing accidental changes by users as well as malware and viruses.
I will look at the worklet for Macs to change the admin password and will deploy it.
Unless there is a script I could use to temporarily elevate AD mobile account users on Macs to the admin group?
Thank you.
Apple really painted everyone in the corner with their new security policies. I get that they want to protect people’s privacy, but their approach just doesn’t work for a business environment.
Yes it is very frustrating.
Thank you for your help.
As I am testing every possible deployment, I have discovered that on Catalina all that is needed is the “Screen Recording” privacy option, which can be enabled by any user without the need for admin rights. (That doesn’t help me, since we have only a couple of Catalina Macs.)
I am not able to get the Meraki MDM to change the privacy settings using the built-in profile configuration or using the tccprofile tool.
I have tried every possible combination I can think of without any luck.
The profile gets installed, but the privacy settings don’t get changed (Mojave or Catalina).
I am still waiting on any help from Meraki, because I think if the MDM sets the Accessibility on Mojave Macs I would be good to go.
Attached is the profile I created using tccprofile,
and here is the configuration I am using for the meraki MDM profile:
bundleID: com.splashtop.Splashtop-Streamer
Code Requirement:
identifier "com.splashtop.Splashtop-Streamer" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = CPQQ3AW49Y
I have tried the short version of the Code Requirement as well:
identifier "com.splashtop.Splashtop-Streamer" and anchor apple generic
splashtop.mobileconfig.pdf (33.9 KB)
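An added example, not part of the original thread or the attached profile: a Python sketch that checks a code requirement string for common copy-and-paste damage and then builds a Privacy Preferences Policy Control payload granting Accessibility to the bundle ID quoted above. The organization prefix `example.invalid` and the function names are assumptions made for illustration.

```python
import plistlib
import uuid

BUNDLE_ID = "com.splashtop.Splashtop-Streamer"  # bundle ID quoted in the thread
# Code requirement quoted in the thread, written with straight quotes and brackets.
CODE_REQ = ('identifier "com.splashtop.Splashtop-Streamer" and anchor apple generic '
            'and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ '
            'and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ '
            'and certificate leaf[subject.OU] = CPQQ3AW49Y')

def lint_code_requirement(req, bundle_id):
    """Return problems that would keep the requirement from parsing or matching."""
    problems = []
    if any(ch in req for ch in "\u201c\u201d\u2018\u2019"):
        problems.append("curly quotes")
    if req.count("[") != req.count("]"):
        problems.append("unbalanced brackets")
    if f'identifier "{bundle_id}"' not in req:
        problems.append("identifier does not match bundle ID")
    return problems

def build_pppc_profile(bundle_id, code_req, org="example.invalid"):
    """Build a .mobileconfig (XML plist bytes) allowing Accessibility for one app."""
    problems = lint_code_requirement(code_req, bundle_id)
    if problems:
        raise ValueError("bad code requirement: " + ", ".join(problems))
    tcc = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org}.pppc.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": {"Accessibility": [{
            "Identifier": bundle_id,
            "IdentifierType": "bundleID",
            "CodeRequirement": code_req,
            "Allowed": True,  # boolean key of the original (10.14-era) payload
        }]},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "PPPC: Splashtop Streamer Accessibility",
        "PayloadContent": [tcc],
    }
    return plistlib.dumps(profile)
```

macOS applies this payload type only when the profile comes from a user-approved MDM enrollment.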
I haven’t messed with any Apple MDM software so unfortunately I’m not going to be much help for this portion of it.
ok thank you.
Maybe tim.lee would know anything about it?
In general yes, but I think he mentioned that he hasn’t used the Meraki MDM before.