Disable macOS Screenshots

Ricky
Contributor

Hello everyone!

We are currently in the process of updating our CA Secure Browsers for the upcoming standardized testing. It looks like the new requirement for the year is disabling screen shotting abilities. Has anybody done this? I'm not sure if it's something we can tackle with a computer-wide configuration profile so it will be easy to revert once testing is over.

Below is a screenshot depicting the message we are getting.

Secure Browser version 10.6 on macOS 10.14.2 "Mojave"

65c28b95fea945b6ab025418ef717164

1 ACCEPTED SOLUTION

Ricky
Contributor

After fiddling with Mojave for hours of our precious lives, our team has concluded that overwriting custom settings via configuration policy doesn't work for system preferences. We tested this with applying profiles at a user and a computer level on our Mojave instances with no luck.

We did, however, find a method that actually works to get CA Secure Browser (SBAC) compliant in our environment!

Our first step was to generate up our plist files that would be used as our template. The settings were configured in System Preferences > Keyboard > Shortcuts with the following Unchecked:
- Mission Control
- Mission Control (dropdown menu)
- Everything under the Screenshots sidebar
- Spotlight > Show Spotlight search

With that done, it's now time to collect our plists. I navigated to ~/Library/Preferences/ and copied both com.apple.symbolichotkeys.plist and com.apple.spaces.plist to /Users/Shared/

Using composer we built out a pkg that installs on the target machine as /Users/Shared/

Now we need to move those plists into the appropriate location. Thankfully we can use JAMF's handy dandy Scripts module:

#!/bin/sh
sleep 5
mv /Users/Shared/com.apple.symbolichotkeys.plist /Users/$3/Library/Preferences/com.apple.symbolichotkeys.plist
mv /Users/Shared/com.apple.spaces.plist /Users/$3/Library/Preferences/com.apple.spaces.plist

We included the 5 second for good measure. The likelihood of a student logging into a machine and then immediately clicking the CA Secure Browser application is very low. We'd rather give the computer a second to generate up all the Preference files. Then we simply move the files from that /Users/Shared/ folder into the logged in user (JAMF has this pre-defined as $3).

Build out a policy with the following configuration:
Login Trigger
Once per user per computer
Attach the .pkg file that we just generated up in Composer that installs to /Users/Shared/
Run the script with the "After" priority defined
For good measure, we have it check in with JAMF so we can log what happened.
Finally, under User Interaction Complete Message saying the computer is ready for testing. This is nice so we can relay to our end users that they need to wait for the popup message the first time they log in.

That's it! You're done. This resolves both the Spaces / Mission Control issue as well as the shortcuts issue seen when a student logs in for testing.

View solution in original post

7 REPLIES 7

larry_barrett
Valued Contributor

System Preferences - Keyboard - Shortcuts - ScreenShots

I'll be playing with this shortly, seems pretty straight forward. 7bc9b861ed4d4600b9d5f70bc7049835

Ricky
Contributor

Hey @larry_barrett,

I feel like I've been banging my head against a wall for the last month! Did you find a way to remove that configuration by policy? We have over 1000 Macs that would need to be changed, and I assume it's per user profile.

mainelysteve
Valued Contributor II

@Ricky See this thread. My response (galionschools) is about halfway down the page. Trial it out first by deleting com.apple.symbolichotkeys from the user library ( ~/Library/Preferences ) and launching the browser. Not sure if it still applies as they may have changed things since then but it's worth a shot.

hphan
New Contributor III

@Ricky I don't know if you are still looking for an answer but I just got this figured out. We have two configuration profiles: one for all the keyboard shortcuts and the other for the Searching shortcuts.

You modify the keyboard shortcuts according to your finding and @mainelysteve post. Then disable the Searching shortcuts (System Preferences >> Keyboard >> Shortcuts >> Services >> Searching). These changes are made in the com.apple.symbolichotkeys.plist and pbs.plist in ~/Library/Preferences/

You then create a configuration profile and upload these plists in as Custom Settings. You can set the Level to User Level and Limitations to the specific test user.

Hope this help.

Ricky
Contributor

@hphan If you generate out a plist, how do you get the configuration to apply out to machines? Just set the preference domain to com.apple.symbolichotkeys ?

Ricky
Contributor

After fiddling with Mojave for hours of our precious lives, our team has concluded that overwriting custom settings via configuration policy doesn't work for system preferences. We tested this with applying profiles at a user and a computer level on our Mojave instances with no luck.

We did, however, find a method that actually works to get CA Secure Browser (SBAC) compliant in our environment!

Our first step was to generate up our plist files that would be used as our template. The settings were configured in System Preferences > Keyboard > Shortcuts with the following Unchecked:
- Mission Control
- Mission Control (dropdown menu)
- Everything under the Screenshots sidebar
- Spotlight > Show Spotlight search

With that done, it's now time to collect our plists. I navigated to ~/Library/Preferences/ and copied both com.apple.symbolichotkeys.plist and com.apple.spaces.plist to /Users/Shared/

Using composer we built out a pkg that installs on the target machine as /Users/Shared/

Now we need to move those plists into the appropriate location. Thankfully we can use JAMF's handy dandy Scripts module:

#!/bin/sh
sleep 5
mv /Users/Shared/com.apple.symbolichotkeys.plist /Users/$3/Library/Preferences/com.apple.symbolichotkeys.plist
mv /Users/Shared/com.apple.spaces.plist /Users/$3/Library/Preferences/com.apple.spaces.plist

We included the 5 second for good measure. The likelihood of a student logging into a machine and then immediately clicking the CA Secure Browser application is very low. We'd rather give the computer a second to generate up all the Preference files. Then we simply move the files from that /Users/Shared/ folder into the logged in user (JAMF has this pre-defined as $3).

Build out a policy with the following configuration:
Login Trigger
Once per user per computer
Attach the .pkg file that we just generated up in Composer that installs to /Users/Shared/
Run the script with the "After" priority defined
For good measure, we have it check in with JAMF so we can log what happened.
Finally, under User Interaction Complete Message saying the computer is ready for testing. This is nice so we can relay to our end users that they need to wait for the popup message the first time they log in.

That's it! You're done. This resolves both the Spaces / Mission Control issue as well as the shortcuts issue seen when a student logs in for testing.

gajones
New Contributor II

I did this without the need for a script by creating a policy to install the package on login with the "Fill existing user home directories option" selected.