Connectwise Control PPPC Profile in Mosyle

Starting in Mojave, you need to add a PPPC (Privacy Preferences Policy Control) profile to a machine to enable remote access with tools like Connectwise Control. Getting it right confused me a lot (doesn’t take much), but with the help of Mosyle tech support (THANK YOU!) I finally got it…

Requirements- This will only work for DEP enrolled machines or those that have been enrolled by the user locally- you can’t send this out to an unmanaged machine (um, der) to get remote access.

Background- there’s actually 2 bits of software here. The first is the Control client (known as the ‘Access Client’, mine is called ‘ConnectwiseControl-9axxxxxxxxx’), which is the bit in /opt that allows you to remotely log into a machine to view its screen.
The second app is stored in /Applications. Mine is called ‘Servicemax Remote Control Client’ (known as ‘Client’, yes it’s confusing) and this is the app that displays the remote screen when you are the host. In the article below these 2 apps are referred to by their bundle identifiers, which are ‘com.screenconnect.client.access’ and ‘com.screenconnect.client’.
And there are 2 important permissions for each app, so all up we need to add 4 permissions to the profile.

Go to your Mosyle portal and select ‘Manage MacOS’

Scroll down to ‘Security & Privacy’, click on ‘Privacy’ and click ‘Add New Profile’

Add a name for your profile, make it descriptive!

Tick- Install the PPPC settings for the Mosyle Business

Select 

  • Configure by Application Bundle Identifier
  • Add ‘com.screenconnect.client.access’
  • Add ‘app code requirement’ ‘identifier "com.screenconnect.client.access" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = K8M3XDZV9Y’
  • ‘Allow’ App to have access to ‘Accessibility’

‘Add New Permission’

Select 

  • Configure by Application Bundle Identifier
  • Add ‘com.screenconnect.client’
  • Add ‘app code requirement’ ‘identifier "com.screenconnect.client" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = K8M3XDZV9Y’
  • ‘Allow’ App to have access to ‘Accessibility’

‘Add New Permission’

Select 

  • Configure by Application Bundle Identifier
  • Add ‘com.screenconnect.client.access’
  • Add ‘app code requirement’ ‘identifier "com.screenconnect.client.access" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = K8M3XDZV9Y’
  • ‘Allow’ App to have access to ‘Apple Events’
  • ‘Apple Event Receiver Application’ ‘Configure by Application Bundle Identifier’ = ‘com.apple.systemevents’
  • ‘App code Requirement’ = ‘identifier "com.apple.systemevents" and anchor apple’

‘Add New Permission’

Select 

  • Configure by Application Bundle Identifier
  • Add ‘com.screenconnect.client’
  • Add ‘app code requirement’ ‘identifier "com.screenconnect.client" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = K8M3XDZV9Y’
  • ‘Allow’ App to have access to ‘Apple Events’
  • ‘Apple Event Receiver Application’ ‘Configure by Application Bundle Identifier’ = ‘com.apple.systemevents’
  • ‘App code Requirement’ = ‘identifier "com.apple.systemevents" and anchor apple’

Then assign to people/devices
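The four permissions above, written out as a standard Apple PPPC payload (com.apple.TCC.configuration-profile-policy) so the entries can be reviewed as one plist. This is an added example, not Mosyle's or Connectwise's own output. It assumes the Mosyle form maps onto the standard payload keys; the payload identifiers and display name are placeholders, and it rejects requirement strings containing curly quotes, which are not valid in a code requirement.

```python
import plistlib
import uuid

# Values below are the ones given in the steps above.
TEAM_OU = "K8M3XDZV9Y"
APPS = ["com.screenconnect.client.access", "com.screenconnect.client"]
RECEIVER = "com.apple.systemevents"
RECEIVER_REQ = 'identifier "com.apple.systemevents" and anchor apple'

def code_requirement(bundle_id):
    """Build the app code requirement string used in the steps above."""
    return (
        f'identifier "{bundle_id}" and anchor apple generic and '
        "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
        f"certificate leaf[subject.OU] = {TEAM_OU}"
    )

def check_quotes(req):
    """Reject typographic quotes, which a blog or word processor may paste in."""
    if any(ch in req for ch in "\u2018\u2019\u201c\u201d"):
        raise ValueError("requirement contains curly quotes: " + req)
    return req

def build_profile():
    """Return the profile as a dict: 2 Accessibility + 2 AppleEvents entries."""
    def entry(bid):
        return {"Identifier": bid, "IdentifierType": "bundleID",
                "CodeRequirement": check_quotes(code_requirement(bid)),
                "Allowed": True}  # 'Allow' in the Mosyle form
    services = {
        "Accessibility": [entry(b) for b in APPS],
        "AppleEvents": [dict(entry(b), AEReceiverIdentifier=RECEIVER,
                             AEReceiverIdentifierType="bundleID",
                             AEReceiverCodeRequirement=RECEIVER_REQ)
                        for b in APPS],
    }
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": "example.pppc.screenconnect.tcc",  # placeholder
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
               "Services": services}
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadScope": "System", "PayloadDisplayName": "ScreenConnect PPPC",
            "PayloadIdentifier": "example.pppc.screenconnect",  # placeholder
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadContent": [payload]}

if __name__ == "__main__":
    print(plistlib.dumps(build_profile()).decode())
```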

Now you might not think that’s too hard, and really it isn’t. But all of the stuff I’ve read online seems to target people at a higher level of consciousness than me so I find it hard to parse what they’re saying into action. I hope this explains things a bit better for normal people…
