MacOS Sequoia Weekly Screen Recording notifications

AJPinto
Honored Contributor III

I don't usually discuss beta stuff in public channels, but this new "feature" is already being discussed publicly so I figured we should be good.

macOS Sequoia adds weekly permission prompt for screenshot and screen recording apps - 9to5Mac

 

Is it just me, or has Apple gone way past crossing the line of security notifications that they used to criticize Windows Vista over with UAC?

Get a Mac - Vista Vs Mac - Security - New Mac Add (youtube.com)

20 REPLIES 20

jamf-42
Valued Contributor II

yup seen it.. Im thinking while devs say its an 'Apple feature'  , I'm expecting dev feedback and then backlash from Joe Public will see it removed / tweaked.. it does seem a tad overkill.. 

AJPinto
Honored Contributor III

Ya, we have already submitted a few feedback’s over this. My hopes are not high, but this does not seem to be a step in the right direction.

 

I totally understand a well informed user, but we are past the point where users get so many system notifications they just ignore them. Maybe, if this is absolutely necessary, as @obi-k suggested, do notifications these less frequently. 

obi-k
Valued Contributor III

Weekly is a bit much. Could see customers, especially executive Mac users getting annoyed. Maybe a monthly, or quarterly notification?

jartron3030
New Contributor III

Yes we are also seeing this on our Sequoia beta machine. I was hoping it was a bug in the beta, but if not this is going to cause issues for us as we rely heavily on VNC.

pete_c
Contributor III

My IT leadership is going to hate this, and my tickets will increase. It's not a Deployment Blocker for my org, but its making it painfully obvious that Apple doesn't really understand what the rest of the enterprise market wants or expects.

mschlosser
Contributor II

agreed; a truly awful idea; feedback filed.

I also thought it was strange that these permissions were referred to as Screen Recording, I mean technically that may be what is occurring, but I always thought that was a poor way to name the permission for remote access. The whole pricay and security UI and concept needs to be rethought if you ask me. THe UI, the concept, the commands that are outside of MDM, even for company bought devices, the whole thing is a mess, rant over.

a_Moose
New Contributor III

This will certainly be a blocker for us - we have users who will be very unhappy with the frequency of these prompts. Feedback filed.

--
AGE QVOD AGIS

AJPinto
Honored Contributor III

We also very heavily rely on remote assist tools, which users already have to manually authorize one due to our use of 0-touch. Im waiting for the first support situation where some VIP disables a Conferencing Apps screen recording (Teams, Zoom, WebEx, etc) due to the notifications, then has a call where they need to present and it's not working. Contrary to Apples belief, most users do not know how to toggle this stuff off and on at will.

 

It wont be a blocker for us, but it will be a headache for our support team. I anyone has not yet, I suggest filing feedback on this. If anyone wants insperation this is the template I used to submit feedback for this.

 

INTRO: With macOS 15.0 (24A5309e) Beta Apple changed the behavior of the behavior of how macOS notifies users of Applications with Screen Recording access. The original behavior was a user had to manually grant this access once for each individual application, the new behavior is they have to "regrant" this access weekly for each application.

This feedback is about a change in default behavior for macOS Sequoia that, if left unmanaged, will impact our ability to upgrade existing Macs and deploy new ones.

SCOPE OF IMPACT:

* ### Macs eligible (or likely) to upgrade to Sequoia;

* ### Macs refreshed annually;

* ### Macs across the entire organization;

* ### computers across all operating systems.

PROBLEM: Many organizations like (company name) have several applications on devices that request or require Screen Recording access. Mac users are already inundated with user awareness popups, and this workflow is just adding more. What is being done with the good intentions of making users more aware and secure, its just creating noise that users dismiss and don't read.

 

ISSUES & CONCERNS:

1. Users ignoring important system notifications due to the amount of notifications the system is giving them.

2. Users requiring support due to disabling Screen Recording on tools they use that need the access.

3. Distracting users with frequently and needless notifications.

 

WHY THIS MATTERS:

Each of our devices are loaded with multiple conferencing tools like (list tools); as well as remote assist tools such as (list tools); as well as productivity tools like (list tools). Each time this pops up it gives a chance for a user to "break" one of their applications, which will lead to support events to advise a user they need to re-enable Screen Recording.

 

 

### Further details on why this matters###

 

Dependent Applications

1. Teams

2. WebEx

3. Snagit

4. Display Link

5. Zoom

6. Many more applications I cannot even think of to list

 

 

REQUESTS &/OR SUGGESTIONS:

Provide a new MDM payload that facilitates management & control of:

- Limiting the number of popups, for example if MDM is has a configuration deployed to allow non-admin users to approve screen recording access for an app bundle, disable these notification for that app bundle.

- Add functionality to ScreenCapture to allow an MDM to deploy a force "Allow" to manage Screen Recording on Supervised devices to reduce the touch points of a user on the OS configuration. Currently MDM can only issue Deny or AllowStandardUserToSetSystemService.

- Ultimately these Supervised devices are organizationally owned, Organizations have every right to set the configuration on their own devices for both security and user simplicity.



 

mschlosser
Contributor II

feedback can be easily entered by entering applefeeback:// into safari

jamf-42
Valued Contributor II

that link only works if you have the feedback app installed.. 

AJPinto
Honored Contributor III

It is best to use the feedback app. Log in with your managed AppleID, and file the feedback under your organization (bottom section). This will give you a feedback number you can provide to your Apple reps if you want some attention on a feedback. The feedback app is basically a ticketing system and Apple usually responds to them in there. The website is literally yelling in to the void.

pete_c
Contributor III

And don't file into the 'Something Not On This List' bucket either. If you do, its somewhere between the bottom of the pile and /dev/null.

scottlep
Contributor II

I am running Beta 24A5298h and see this daily and/or any time I quit and relaunch Teams, not weekly. So it already has bugs and needs to just go away :)

Update to beta 5 and you'll see the new behavior.

cwaldrip
Valued Contributor

Hopefully developers will have some API call they can make if their app is signed/notorized/sealed with a kiss/watermarked to bypass this. If I install an app that meets all of Apple's requirements I'd appreciate the ability to permanently approve screen recording (at least until the annual OS upgrade or app upgrade). Now, apps that don't meet all of Apple's requirements... sure, weekly prompts with the optional additional step to verify them in the Security System Settings is fine too.

obi-k
Valued Contributor III

cwaldrip
Valued Contributor

I've updated my request to ask what the point of signing & notarizing an app is if it still prompts the user for system access 'regularly'. I should get the message once, be required to go through the manual steps to give it access, and then not worry about it unless the app or the OS receives a major upgrade. Monthly or quarterly is still an annoyance as my first thought would be - what changed in the app? Didn't I already do this? Why do I have to keep doing this?

Make it more frequent for non-'approved' Apple apps and give the developer a reason to get the app approved. But it's already been reviewed by Apple and /should/ be as non-malicious as possible. These warning would make me second guess that review process.

At least they listened when they got enough blowback...

jartron3030
New Contributor III

I have received the following response from Apple regarding the feedback I submitted:


As mentioned in Developer and AppleSeed for IT release notes, applications utilizing deprecated APIs for content capture such as CGDisplayStream & CGWindowListCreateImage can trigger system alerts indicating they may be able to collect detailed information about the user. Developers need to migrate to both ScreenCaptureKit and SCContentSharingPicker to prevent these alerts.

 

jamf_pro_admin
New Contributor II

I'm hoping Apple will release a payload to bypass this or at least setup a custom permitted list to reduce the number of prompts and reduce the noise.

 

I've submitted feedback via the AppleSeed program and others should be doing the same too if you want Apple to do something about it!

scottlep
Contributor II

I would assume if the capability was there that Jamf would have included the payload in 11.9. I can't find it if they have. I might open a ticket with Jamf to ask. We usually allow new major versions on day zero, so if we cannot control this from MDM then we will have to create a KBA and notify users of the new prompts.