Mac Agent and Apple Privacy Controls

This topic describes Mac Agent and Apple privacy and system preferences that may be required when the Mac Agent is installed.

Due to Apple security controls, you also need to do the following: 

Configuration Profiles and Apple System Preferences

When using an MDM (such as JAMF) to deploy the agents, you must download the Configuration Profile script that automatically enables all permissions Apple allows to be granted remotely. Configuration Profiles are included in the observeit-OSX-management-tools-<version>.tar.gz file, which you download from the Endpoints > Downloads > Management Tools section in the Administration application. (See Management Tools.)

Screen Recording Permissions

Due to Apple security controls that prevent granting screen recording permission remotely, screen recording requires user permission when the Mac Agent is installed. Permission can be granted manually by the user or by a UI automation script that performs the steps of the manual process.

Granting Permissions Manually

You can manually grant permissions when the Screen & System Audio Recording pop-up displays, prompting you to turn on and allow the logger process for screen recording.

Click Open system settings and select the logger process.

Granting Permissions Automatically

You can turn on permissions from the Agent Realm. A UI automation script runs that grants permissions to capture screenshots.

To enable this script, turn on the Automatically Grant Permissions to Capture Screenshots (MacOS) setting at the Realm level. (Administration > Endpoints > Agent Realms > Advanced Settings > Recording > Automatically Grant Permissions to Capture Screenshots (MacOS)).

When enabled, the logger is automatically selected, screen recording is allowed, and the pop-up no longer displays.

As the UI automation script runs, the interactions may be visible.

macOS Sequoia and Privacy Controls

Due to Sequoia’s enhanced privacy controls, third-party applications have limited ability to suppress notifications.

You can configure screenshot recording on macOS Sequoia while controlling display of the following notifications:

Screenshot Permissions Pop-ups

When screenshot recording is enabled on the Mac Agent in macOS Sequoia, an automatic pop-up appears that indicates screenshots are being taken and requests the user’s permission to continue. This pop-up continues to appear periodically, remains visible for a few seconds, and then disappears automatically.

This is not a Proofpoint Agent issue and can be resolved by doing the following:

  1. Deploy the latest Configuration Profile (version 4.2.1) included within the management tools package. (See Management Tools.) (Endpoints > Downloads > Management Tools section in the Admin app.)

  2. Always use a Signed profile. You can do this with either available Configuration Profile:

    • IT Viewer macOS 11.signed.mobileconfig: Configuration Profile signed by Proofpoint. The default process name logger is used with this option.

    • IT Viewer macOS 11.mobileconfig: The unsigned Configuration Profile, which must be signed by the customer. Choose this option if you want to change the process name from logger to a name of your choice.

    For information about signed and unsigned profiles, see this article.
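A pre-deployment check for step 2, as an added example that is not Proofpoint's tooling: it reports whether a .mobileconfig is wrapped in a CMS signedData envelope and lists the TCC services it configures. The sample profile, the com.example.* identifiers and the stand-in envelope are constructed, and the check is structural only: it does not validate the signature or the signer's certificate chain.

```python
import plistlib
# DER bytes of OID 1.2.840.113549.1.7.2 (CMS signedData), found at the start of a signed profile
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"  # Apple PPPC payload type

def inspect_profile(raw: bytes) -> dict:
    """Structural check only: the signature itself is NOT validated here."""
    signed = raw[:1] == b"\x30" and SIGNED_DATA_OID in raw[:32]
    body = raw
    if signed:
        # Assumes the plist is embedded contiguously (not detached, not chunked).
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start < 0 or end < start:
            raise ValueError("signedData envelope without an embedded plist")
        body = raw[start:end + len(b"</plist>")]
    profile = plistlib.loads(body)
    services = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == TCC_PAYLOAD:
            for service, entries in payload.get("Services", {}).items():
                # Older profiles use the boolean "Allowed" key instead of "Authorization".
                services.setdefault(service, []).extend(
                    (e.get("Identifier"), e.get("Authorization", e.get("Allowed")))
                    for e in entries)
    return {"signed": signed, "name": profile.get("PayloadDisplayName"),
            "tcc_services": services}

def sample_profile() -> bytes:
    # Constructed sample, not the vendor's profile; identifiers are placeholders.
    entry = {"Identifier": "com.example.logger", "IdentifierType": "bundleID",
             "CodeRequirement": 'identifier "com.example.logger"'}
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadDisplayName": "Sample agent profile",
        "PayloadIdentifier": "com.example.profile",
        "PayloadContent": [{
            "PayloadType": TCC_PAYLOAD,
            "Services": {
                "Accessibility": [dict(entry, Authorization="Allow")],
                "ScreenCapture": [dict(
                    entry, Authorization="AllowStandardUserToSetSystemService")],
            }}]})

UNSIGNED = sample_profile()
# Constructed stand-in for a CMS envelope; it carries no real signature.
FAKE_SIGNED = b"\x30\x80" + SIGNED_DATA_OID + b"\xa0\x80" + UNSIGNED + b"\x00\x00"

if __name__ == "__main__":
    for label, blob in (("unsigned", UNSIGNED), ("wrapped", FAKE_SIGNED)):
        print(label, inspect_profile(blob))
```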

Control Center Privacy Indicator

In the Control Center on Mac, a purple dot displays, indicating that the system audio and/or screenshots are being recorded. This is a privacy indicator introduced by Apple in Sequoia and is not specific to Proofpoint. Any application that records the screen (e.g. Zoom, Teams) will trigger this indicator.

This indicator cannot be turned off or hidden when screenshot recording is enabled for the Proofpoint Agent. If screenshot recording is not required, disable the Screenshot Allowed option in the Agent Realm.

(Endpoints > Agent Realms > Advanced Settings > Recording > Screenshot Allowed)

Clicking on the purple dot displays the applications sharing the screen. By default, the Proofpoint process logger displays when the Agent is recording.

You can rename the logger process. This does not eliminate the purple dot, but it allows you to choose the process name. To change the name, sign the Unsigned Configuration Profile IT Viewer macOS 11.mobileconfig with the name you want.


Related Topic:

Mac Agent ITM/ Endpoint DLP Bundle Installation