Note: MDM solutions are primarily meant to be used by system administrators who are responsible for setting up and configuring many machines.
With Apple's MDM solutions you can, among other things, pre-approve certain applications to access system resources, so the user does not have to approve a prompt every time the application requests access to a new resource.
There are many different MDM tools on the market that help you configure your devices; in all cases, however, you will have to provide the following information to create a privacy policy exception:
- Identifier - The unique identifying value for the binary or service. For applications, specify the Bundle ID; for supporting binaries it is also possible to use the installation path.
- Code Requirement - A unique string derived from the developer certificate that was used to sign the Identifier (binary or bundle ID). You can obtain this value by running the following command in Terminal.app:
codesign --display -r - /path/to/app/binary
- Static Code Validation - Some applications intentionally make changes to themselves in memory. If you set Static Code Validation to True, macOS checks only the Code Requirement of the files on disk, not the application loaded in memory. Use this option only as a last resort, when you are sure the Code Requirement and Identifier are correct.
- Accessibility Privacy preferences - The Accessibility section of the macOS Monterey Security & Privacy panel allows apps to control your Mac in various ways. Certain ISL AlwaysOn and ISL Light/ISL Light Client apps and binaries need permission to access Accessibility system services.
For a detailed guide using Microsoft Intune, take a look at:
- Deploy ISL AlwaysOn macOS permissions (Microsoft Intune)
- Deploy ISL AlwaysOn on macOS (Microsoft Intune)
The ISLAlwaysOn binary requests access when a session is established using ISL AlwaysOn.
The type of identifier: Path
Path: /Library/Application Support/ISLAlwaysOn/ISLAlwaysOn
Note: Depending on the customization options you use, the path on your device may be slightly different from the example above. In that case, modify it accordingly.
Code Requirement: identifier "com.islonline.islalwayson.main" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GP5P6H7RRF
Static Code Validation: No
We have prepared an MDM Configuration file which can be downloaded: MDMConfig.xml
Note: When using MDM solutions, you can use the Allow authorization option for the Accessibility and Full Disk Access TCC services. The Screen Recording TCC service can only be authorized using the Allow Standard User to Approve option, which means the user still needs to allow it manually.
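As an added example (not ISL Online's MDMConfig.xml and not code from this page), the Python below builds a PPPC profile payload from the ISLAlwaysOn values above and checks that a binary's codesign output carries exactly the Code Requirement you intend to pre-approve before the profile is deployed. It assumes Apple's com.apple.TCC.configuration-profile-policy payload keys and uses com.example.mdm as a placeholder organisation identifier.

```python
import plistlib
import uuid

# Values from this page for the ISLAlwaysOn binary (path identifier, no static validation).
ISL_PATH = "/Library/Application Support/ISLAlwaysOn/ISLAlwaysOn"
ISL_REQUIREMENT = (
    'identifier "com.islonline.islalwayson.main" and anchor apple generic and '
    'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
    'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
    'certificate leaf[subject.OU] = GP5P6H7RRF')

def designated_requirement(codesign_output: str) -> str:
    """Pull the 'designated =>' line out of `codesign --display -r -` output."""
    for line in codesign_output.splitlines():
        if line.startswith("designated => "):
            return line[len("designated => "):].strip()
    raise ValueError("no designated requirement found in codesign output")

def requirement_matches(codesign_output: str, expected: str) -> bool:
    """True only if the binary on disk carries exactly the requirement we pre-approve."""
    return designated_requirement(codesign_output) == expected

def tcc_entry(identifier, code_requirement, identifier_type="path",
              static_code=False, authorization="Allow"):
    # One Services entry: Identifier plus CodeRequirement bind the grant to this signed binary.
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement, "StaticCode": static_code,
            "Authorization": authorization}

def build_pppc_profile(org_id="com.example.mdm") -> bytes:
    """Profile XML: Accessibility allowed outright, Screen Recording left for the user."""
    entry = tcc_entry(ISL_PATH, ISL_REQUIREMENT)
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": f"{org_id}.pppc.islalwayson",
               "PayloadUUID": str(uuid.uuid4()), "PayloadVersion": 1,
               "Services": {"Accessibility": [entry],
                            "ScreenCapture": [dict(entry,
                                Authorization="AllowStandardUserToSetSystemService")]}}
    profile = {"PayloadType": "Configuration", "PayloadScope": "System",
               "PayloadIdentifier": f"{org_id}.pppc", "PayloadUUID": str(uuid.uuid4()),
               "PayloadVersion": 1, "PayloadDisplayName": "ISL AlwaysOn PPPC",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def services_of(profile_xml: bytes) -> dict:
    """Parse a generated profile back and return its TCC Services dictionary."""
    return plistlib.loads(profile_xml)["PayloadContent"][0]["Services"]
```

Feed `requirement_matches` the output of `codesign --display -r - /Library/Application\ Support/ISLAlwaysOn/ISLAlwaysOn` from the target Mac; a mismatch means the profile would silently fail to apply to that binary.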