Note: To create a privacy policy exception you can deploy ISL Light Client through the MDM system. MDM solutions are primarily meant to be used by system administrators who are responsible for setting up and configuring many machines.
With Apple's MDM solutions you can, among other things pre-approve certain applications to access system resources without the user having to approve a checkbox on the application requests.
With Apple's MDM solutions you can, among other things pre-approve certain applications to access system resources without the user having to approve a checkbox every time the application requests access to a new resource.
There are many different ways of MDM tools on the market that help you configure your devices, however, in all cases, you will have to provide the following information to create a privacy policy exception:
- Identifier - The unique identifying value for the binary or service. For applications, specify the Bundle ID - it is also possible to use the installation path for supporting binaries.
- Code Requirement - This is a unique string based upon the developer certificate that was used to sign the Identifier (binary or bundle ID). You can obtain this value by running the following command in Terminal.app:
codesign --display -r - /path/to/app/binary
- Static Code Validation - Some applications might intentionally make changes to themselves in memory. If you set Static Code Validation to True, macOS checks only the Code Requirement of the files on disk and not the application loaded in memory. Generally speaking, use this option as a last resort if you are sure the Code Requirement and Identifier are correct.
- Accessibility Privacy preferences - The accessibility section of the macOS Monterey Security & Privacy panel allows apps to control your Mac in various ways. Certain ISL AlwaysOn and ISL Light/ISL Light Client apps and binaries need permission to gain access to Accessibility system services.
For a detailed guide using Intune take a look at ISL Light which can be adapted to ISL Light Client as well:
Deploy ISL Light on macOS (Microsoft Intune)
Application bundle islnetworkstart requests access when a is established with ISL Light Client. Binary issc_daemon requests access when restart and resume functionality is in use (e.g. restart of the computer).
islnetworkstart
The type of identifier:
Bundle id
Bundle Id:
com.islonline.islnetworkstart.dmg
Code Requirement:
identifier "com.islonline.islnetworkstart.dmg" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GP5P6H7RRF
Static Code Validation:
No
issc_daemon
The type of identifier:
Path
Path:
/Library/Application Support/ISL Online/ISSC Daemon/issc_daemon
Code Requirement:
identifier "com.islonline.isllight.issc_daemon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GP5P6H7RRF
Static Code Validation
No
We have prepared an MDM Configuration file which can be downloaded: MDMConfig.xml
Note: When using MDM solutions, you can use the Allow Authorization option for Accessibility and Full Disk Access TCC services. Screen recording TCC service can only be authorized using the option Allow Standard User to Approve, which means it still needs to be allowed manually by the user.