Createing profile to allow input monitoring

5Y54DMIN
Contributor

Even in jamf itself and using the PPC tool i cant create profiles that allow apps to monitor keyboard. they only option i get is to deny apps.

under security and Privacy-> privacy -> input monitoring, i have to by hand select the apps that need access.

why cant i allow apps using profiles, it appears the only way to do it is by hand...

7215c62294a8467eb1fd32fadda36849

see screen shot.

12 REPLIES 12

Yohan
New Contributor II

This is per Apple's design. There is approved way to pre-give access via MDM to Input Recording, or other services that are Deny only.

5Y54DMIN
Contributor

@Mcgwirej

so there is no way to remotely give that drive access to what it needs it has to be done by hand?

ChadWagner
New Contributor

Is there any solution for this? looks like non-admin users can't enable it themselves. Can I script this or push the allow somehow? If not, I'm stuck with manually touching the computers to log in as admin and allowing. How does this make things better exactly apple?

mm2270
Legendary Contributor III

No, there’s no scripted way to enable these options that I’m aware of, and even if there were, if Apple found out I’m sure they would block it in a future update or OS version.

Again this is by design by Apple. They don’t want things that directly affect user privacy, like monitoring input devices or recording audio/video, etc from being enabled by admins or anyone else other than the end user of the device. We can rail against it all we want, but I doubt this will change.

Sandy
Valued Contributor II

@mm2270 I am running into this for Promethean Software, and contrary to your statement above, ADMIN access is required to enable the required apps: activhardwareservice and activmgr

mm2270
Legendary Contributor III

@Sandy Maybe I should have stated what I said above more clearly, but I wasn't referring to admin privileges, but rather IT/Mac "admins". Meaning Apple doesn't want people like us to be able to enable these monitoring functions without the end user (or an account on the device) authorizing it.
I get that some organizations really want to be able to do these things, but, right now at least, that has been Apple's stance on this issue. Could this change in the future? Sure, Apple has drawn lines in the sand before, only to cross them at some later date, but it's anyone guess. For the moment, there is no way to programmatically allow input monitoring, as well as turning on the camera or microphone for an app thru a profile or scripted means.

Sandy
Valued Contributor II

@mm2270 gotcha. I will add that I like that some privileges, like setting lockscreen settings for example, require authentication by the logged in user. This seems like an excellent way for Apple to go, since the logged in user (even without admin credentials) should be the one deciding some things, like access to camera and microphone, for example. If we cannot manage globally and are in an environment that does not want end users to have admin rights, there will be lots of trips to the office!

pbileci
New Contributor III

I wouldn't have a problem if the OS allowed non-admin users to set this themselves. However, allowing the Wacom tablet to access input monitoring requires admin access, not just the user's. That doesn't make any sense if they want to give the user rights. We have other apps that require the user to allow certain security settings but they can check the boxes without admin rights. So can we at least use a script to open Keyboard Monitoring to users without admin rights? I've been able to do this with other settings in System Preferences, like specific sections of Network and Energy Saver.

donmontalvo
Esteemed Contributor III

AWS Schema Conversion Tool has the same issue. User needs to allow "Input Monitoring" but requires admin rights to do so.

We opened a ticket with Amazon, they told us it's an Apple limitation.

Myea...I get that user has to approve, doesn't make sense that the user now also needs admin rights.

--
https://donmontalvo.com

CasperSally
Valued Contributor II

newest versions of wacom software have this issue too. Put a ticket in with apple if you can. They're aware of the issue and considering allowing non admins to set input monitoring, but their change will be too late for our 2021-2022 school year :/

My enteprise ticket number if anyone wants to reference #20000068396647

JCMBowman
New Contributor III

In case it helps anyone I discovered by trial and error that while it's called "Input Monitoring" in System Preferences it's called "ListenEvent" in the PPPC settings payload. As of Big Sur you can set config profile to allow non-admin users to check that box in System preferences. Like so:

Screen Shot 2021-07-21 at 2.04.50 PM.png

+1 this worked great for me in Big Sur. Adding onto our PPPC Config Profile, and hadn't done one with input monitoring yet.

Big thanks.