Jamf Nation Community

gmce87 · ‎01-08-2018

Hi, I've been asked if we can disable screen capture capabilites on our macOS devices, our company deals with personal and confidential info so management have asked if we can lock this down as much as possible. I've been doing a bit of reading and I've tried the methods below so far.

Added "screencapture" to Restricted Software, attempting to prevent /usr/sbin/screencapture from running, however this doesn't seem to work, my test end user was still able to take screenshots.
Tried using "sudo chmod 744 /usr/sbin/screencapture" to remove the execute flag for users on the binary, but I get "operation not permitted", presumably because it's in the sbin directory and is protected.
Added "Grab.app" to Restricted Software, but that doesn't stop users using the shortcut keys to invoke screencapture.
I'm aware that I could use defaults.write to change the default screenshot location from the user's Desktop folder to somewhere non-writable like /private/var/ but I've read that this doesn't stop users from using the Control key in the key combo to store the capture in their clipboard. We ideally need to stop users from saving screenshots to the clipboard also.

Is this a requirement that anyone else has dealt with? Any ideas would be appreciated, ideally without having to purchase new software or some sort of DLP solution.

Josh_Smith · ‎01-08-2018

Normal disclaimers: Don't do this, tell 'em you can't, unsupported, bad idea, fake security, FUD, oh the humanity! :)

But if you are going to try anyway...I'd start by looking at the the Keyboard Shortcuts in System Preferences. You can turn them off there...and see what happens when you toggle them on and off in this preference domain:

defaults read com.apple.symbolichotkeys

On my 10.12.6 machine 28-31 change from enabled to disabled. Now whether you can create a custom configuration profile for that or script it and have it work consistently without breaking anything else....you'll have to decide if it's worth your time to test it out. Good luck.

scottb · ‎01-08-2018

Just tell them that people can take screen shots of the Mac(s) with their phones. Security bypassed.
I agree with @Josh.Smith.

gachowski · ‎01-08-2018

also ... Another possible answer.. I'll open a ticket with Apple for that request.

C

gmce87 · ‎01-09-2018

@Josh.Smith Thanks for the suggestion, I was trying to find the plist for keyboard shortcuts yesterday to look at doing exactly that as a test. I'll try it and see how feasible it is.

@scottb We're one of those companies that ruthlessly enforces a "no personal devices in production areas" policy so that shouldn't be an issue, much to my sadness.

gmce87 · ‎01-09-2018

Hm, I've tried updating this using defaults write, and although the plist is updating to reflect the change, the shortcuts in Keyboard preferences aren't being unticked, and the hotkeys still work.

I've manually unticked the hotkeys in the System Preferences > Keyboard, and then used defaults read com.apple.symbolichotkeys and confirmed that those four keys modify in the same manner that the script attempts to do (changing the boolean enabled value from 1 to 0), so I'm not sure what's going wrong.

I'm using the script below to modify hotkeys 28-31:

#!/bin/bash

defaults write com.apple.symbolichotkeys AppleSymbolicHotKeys -dict-add 28 "{enabled = 0; value = { parameters = (51, 20, 1179648); type = 'standard';};}"
defaults write com.apple.symbolichotkeys AppleSymbolicHotKeys -dict-add 29 "{enabled = 0; value = { parameters = (51, 20, 1441792); type = 'standard';};}"
defaults write com.apple.symbolichotkeys AppleSymbolicHotKeys -dict-add 30 "{enabled = 0; value = { parameters = (52, 21, 1179648); type = 'standard';};}"
defaults write com.apple.symbolichotkeys AppleSymbolicHotKeys -dict-add 31 "{enabled = 0; value = { parameters = (52, 21, 1441792); type = 'standard';};}"

exit 0

After I run this script, my ~/Library/Preferences/com.apple.symbolichotkeys.plist file updates accordingly, the enabled value changes from 1 to 0, but even if I close the Keyboard Preferences pane and re-open it, the screen capture options are all still ticked, and the hotkeys still work. I've also tried running "killall SystemUIServer" afterwards, however this makes no difference.

I've also tried opening Composer and taking a snapshot comparison of what's happening when I manually untick the options in Prefs, but the only other files that have been recorded as being modified are symlinks to the same symbolichotkeys.plist file in my user profile's Preferences. If I copy the before and after of the plist file and throw them into a differencing tool, the only things I'm seeing highlighted are the enabled values.

Very bizarre!

mm2270 · ‎01-09-2018

@gmce87 My experience with trying to affect the keyboard shortcuts against that plist has never gone well. There is some service that might need to be restarted or kicked in to have it take any effect, and I've never been able to figure it out. I'm not sure how successful you'll be in manipulating those keyboard shortcut settings I'm sorry to say. I wish I had a good answer, but it seems disabling those keyboard shortcut options (along with the other restrictions you mentioned) would be the only way to truly disable screen captures.

gmce87 · ‎01-10-2018

@mm2270 Thanks for the reply, I've messed around with it some more but I'm getting nowhere fast. I've gone back to our Compliance team advising that this seems to be infeasible to implement to the degree that's been requested, at least using the native OS functionality and JSS.

scottb · ‎01-10-2018

Might be a dumb idea, but can you change the key commands for those? In other words, don't disable, but make them some other combo of keys that they won't know?
If it works, it may well be reflected in the Keyboard pref pane, but I'd wager most wouldn't even know where to look.
Just a thought - may be a bad one at that...

Jamf Nation Community

Disabling printscreen capability in macOS