May 4, 2020
Featured / IT Philosophy

Understanding the hurdles macOS Catalina imposed on IT Teams

Written by Zach Sherf

Part 1: Screen Sharing and Privacy Preferences

If you manage macOS devices, chances are you’ve had to plan around regular macOS updates, and Catalina is no exception. Like every macOS update that has come before, it introduces new features, as well as new challenges for IT teams and MSPs to solve.

Apple is a user-centric company and its first priority is protecting user data. There is no such thing as a backdoor just for the good guys (IT departments and management): any silent grant path built for an MDM would be just as useful to malware, so Apple works hard to balance user experience, security, and enterprise management.

As an Apple-focused MSP, it’s not only been a task, but our mission to understand and implement best practices within Apple’s security frameworks and management tools. In this series, we aim to share some insight on how we solved some of the challenges introduced by these new tools and frameworks.

“It broke our tools.”

Every IT professional after upgrading to macOS Catalina

Probably the biggest challenge IT teams have faced following the most recent macOS update is the change to the Security & Privacy preferences and the frameworks beneath them. To understand what changed and how to fix it, we need to look at PPPC (Privacy Preferences Policy Control) profiles. Simply put, in macOS 10.14 Mojave Apple expanded TCC (Transparency, Consent, and Control), the framework that gates app access to protected resources, so that access to the user’s files, control of the computer (Accessibility), and the camera and microphone each had to be approved separately by the user. The same release gave MDM administrators a new tool: the PPPC configuration profile payload.

PPPC profiles allow administrators to pre-approve access for the categories outlined above, so users are never prompted. This is important for IT admins because our tools (remote access, RMM, in-house apps) should inherently be trusted and have that access. The profiles can also deny access to specific apps. Don’t want Zoom to have Full Disk Access? Set an explicit deny for Zoom’s bundle ID on the Full Disk Access category (SystemPolicyAllFiles in the payload) using a PPPC profile. One caveat: the PPPC payload is only honored on devices enrolled through User Approved MDM (including Automated Device Enrollment); a profile a user double-clicks to install is ignored for this purpose.

macOS Catalina made these permissions more granular: it added separate categories for the Desktop, Documents and Downloads folders and for removable and network volumes alongside Full Disk Access, and introduced Screen Recording and Input Monitoring, overall increasing user privacy at the expense of enterprise control. Another change is that some of these categories can be controlled by profile only to deny access, not to allow it. The most prominent example is the newly introduced Screen Recording privacy setting (ScreenCapture in the PPPC payload), which is exactly what a screen sharing tool needs. Administrators can use PPPC profiles to deny it to apps, but only the user can allow it, from the Privacy tab of System Preferences.

What challenges does this introduce?

It makes it harder to help our users! Our remote assistance tools require this permission, and when our users need help most, they don’t want to be bothered with digging through System Preferences > Security & Privacy > Privacy > Screen Recording to grant it.

How did Team Interlaced solve this problem?

Steve Jobs famously said, “It is in Apple’s DNA that technology alone is not enough—it’s technology married with liberal arts, married with the humanities, that yields us the results that make our heart sing.” How does this relate to our approach? We combined our knowledge of what the PPPC profiles could do, with a unique user training approach. We had to put trust in our users, and be confident that we gave them the training and tools they need to help us.

A remote support app like TeamViewer needs three TCC grants:

  • Screen Recording (the permission that enables screen sharing)
  • Accessibility
  • Full Disk Access

As outlined above, we can still use PPPC profiles to help us and simplify the steps the user needs to take to get our tools working. We developed training materials and partnered with key managers and points of contact to create a push to enable Screen Recording access on individual machines proactively. We verified that no administrator access was required, so even managed and standard users could complete it. Then we created PPPC profiles giving TeamViewer access to Accessibility and Full Disk Access and distributed them remotely, effectively simplifying the user’s responsibility down to one step.
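The profile described above, and the Zoom deny example from earlier, can be generated rather than hand-edited. The script below is an added example written for this article, not Interlaced’s own tooling or Apple’s: it builds a `com.apple.TCC.configuration-profile-policy` payload with the standard library, allows Accessibility and Full Disk Access for TeamViewer, denies Full Disk Access for Zoom, and refuses to emit a rule that tries to allow a Catalina deny-only service such as ScreenCapture, since macOS would silently ignore it and leave you wondering why screen sharing still does not work. The bundle IDs, the organization identifier and especially the code requirements are placeholders; pull the real designated requirement from `codesign -dr - /Applications/TeamViewer.app` before deploying.

```python
"""Generate a PPPC (Privacy Preferences Policy Control) mobileconfig.

Added example, not code from the original post. Payload keys and TCC
service names follow Apple's com.apple.TCC.configuration-profile-policy
payload as it existed on macOS 10.14/10.15. Bundle IDs, organization and
code requirements below are placeholders, not verified values.
"""
import plistlib
import uuid

# Services a profile may set Allowed to either true or false.
ALLOW_OR_DENY = {
    "Accessibility", "SystemPolicyAllFiles", "SystemPolicySysAdminFiles",
    "PostEvent", "AddressBook", "Calendar", "Reminders", "Photos",
}
# Services a Catalina profile may only deny; the user alone can grant them.
DENY_ONLY = {"ScreenCapture", "ListenEvent", "Camera", "Microphone"}


def validate_rules(rules):
    """Return problems for (service, bundle_id, requirement, allowed) rules.

    An empty list means every rule would actually be honored by TCC.
    """
    problems = []
    for service, bundle_id, requirement, allowed in rules:
        if service not in ALLOW_OR_DENY | DENY_ONLY:
            problems.append(f"{service}: not a TCC service this example knows")
        elif allowed and service in DENY_ONLY:
            problems.append(f"{service}: a profile can only deny this on Catalina; "
                            f"{bundle_id} must be granted by the user")
        if not requirement:
            problems.append(f"{service}: {bundle_id} needs a code requirement")
    return problems


def build_pppc_profile(org, name, rules):
    """Build the profile as a dict; raise if any rule would be ignored."""
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    services = {}
    for service, bundle_id, requirement, allowed in rules:
        services.setdefault(service, []).append({
            "Identifier": bundle_id,
            "IdentifierType": "bundleID",
            "CodeRequirement": requirement,
            "Allowed": allowed,
        })
    ident = f"{org}.pppc.{name.lower().replace(' ', '-')}"
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC is device-scoped; requires UAMDM
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadOrganization": org,
        "PayloadContent": [{
            "PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadIdentifier": ident + ".tcc",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": name + " (PPPC)",
            "Services": services,
        }],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM expects."""
    return plistlib.dumps(profile)


# Placeholders: replace each requirement with `codesign -dr -` output.
TEAMVIEWER_ID = "com.teamviewer.TeamViewer"  # assumed bundle ID
TEAMVIEWER_REQ = 'identifier "com.teamviewer.TeamViewer" and anchor apple generic'
ZOOM_ID = "us.zoom.xos"  # assumed bundle ID
ZOOM_REQ = 'identifier "us.zoom.xos" and anchor apple generic'


def example_rules():
    """The grants from the post: allow TeamViewer two services, deny Zoom FDA.

    ScreenCapture is deliberately absent; the user must grant it by hand.
    """
    return [
        ("Accessibility", TEAMVIEWER_ID, TEAMVIEWER_REQ, True),
        ("SystemPolicyAllFiles", TEAMVIEWER_ID, TEAMVIEWER_REQ, True),
        ("SystemPolicyAllFiles", ZOOM_ID, ZOOM_REQ, False),
    ]


if __name__ == "__main__":
    profile = build_pppc_profile("com.example", "Remote Support PPPC", example_rules())
    print(to_mobileconfig(profile).decode())
    # The mistake Catalina ignores silently: trying to *allow* Screen Recording.
    print(validate_rules([("ScreenCapture", TEAMVIEWER_ID, TEAMVIEWER_REQ, True)]))
```

The validation step is the part worth keeping even if you hand-write profiles in an MDM console: a ScreenCapture or ListenEvent rule with Allowed set to true installs without error and does nothing, so a user who has not clicked the checkbox will still see a black screen in the remote session.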

The result?

A significant decrease in the barriers to remote assistance that were introduced in Catalina. Increased user understanding and participation due to the training materials. The biggest win, however, was the collaboration within our teams in coming up with a creative solution to a problem that could have prevented us from delivering the experience our users had come to expect.

If you are interested in more information about the problems we faced in the most recent macOS update, stay tuned to this blog for more parts in this series.

Zach Sherf

Zach is a data privacy evangelist and Apple fanatic. As Director of Cybersecurity, he works with both internal and external teams to drive the dialog around the ever-evolving relationship between people, security, and technology.