Toggle Screenshots on and Off

AdamCraig
Contributor III

I have been asked to look into disabling screenshots for some of our users due to an application that they use that has access to sensitive data.

Because I don't hate our users, I want to ONLY disable screenshots when that application is open. I have created a LaunchDaemon to run frequently and check if the application is open, but have been stuck on the best way of disabling screenshots.

I know it can be done with a config profile, but this overlaps with an existing config profile for other restrictions so I'd have to set something up to scope it out of that config profile and into a different one and I'd rather not remove and reinstall versions of our Default Restrictions config profile 2, 4, or more times per day.

I've also looked into https://www.jamf.com/jamf-nation/discussions/30511/disable-macos-screenshots which disables the hotkeys, but I don't think it'll be long before the users just figure out to quicklook Screenshot.app and do it that way.

Any other ideas for a way to solve this problem?

Also I know they can just take a picture of the screen with their phone.

5 REPLIES

shaquir
Contributor III

Hi @strayer,
You can try setting your launchDaemon to run a script to manually install and remove a profile to disable the screenshot (DisableScreenshotCreation.mobileconfig).

Run when the app is opened:

/usr/bin/profiles -I -F /hidden/location/DisableScreenshotCreation.mobileconfig

Then remove when the app closes:

/usr/bin/profiles -R -F /hidden/location/DisableScreenshotCreation.mobileconfig
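
The install-on-open, remove-on-close toggle described in the reply above, written as a script a LaunchDaemon could call on each run (an added example, not part of the original post). `APP_NAME` and `STATE_FILE` are assumed names, the profile path is the placeholder from the reply, and the script assumes a macOS release whose `profiles` tool still accepts the `-I`/`-R` flags quoted there.

```shell
#!/bin/sh
# Added example: keep the screenshot restriction in step with one application.
# Assumptions (not from the thread): APP_NAME and STATE_FILE are hypothetical.
APP_NAME="${APP_NAME:-SensitiveApp}"   # process name to watch (hypothetical)
PROFILE="${PROFILE:-/hidden/location/DisableScreenshotCreation.mobileconfig}"
STATE_FILE="${STATE_FILE:-/var/run/screenshot_lock.state}"  # marker (hypothetical)
PROFILES_BIN="${PROFILES_BIN:-/usr/bin/profiles}"

app_running() { pgrep -x "$APP_NAME" >/dev/null 2>&1; }

# The marker file records that this script installed the profile.
profile_marked_installed() { [ -f "$STATE_FILE" ]; }

# Pure decision step: $1 = app running (yes/no), $2 = profile installed (yes/no).
decide_action() {
    case "$1:$2" in
        yes:no) echo install ;;
        no:yes) echo remove ;;
        *)      echo none ;;   # already in the wanted state, do nothing
    esac
}

# Update the marker only when the profiles command succeeds, so a failed
# install or removal is retried on the next run.
apply_action() {
    case "$1" in
        install) "$PROFILES_BIN" -I -F "$PROFILE" && : > "$STATE_FILE" ;;
        remove)  "$PROFILES_BIN" -R -F "$PROFILE" && rm -f "$STATE_FILE" ;;
        none)    return 0 ;;
    esac
}

# One polling pass. The restriction can lag the app by up to one polling
# interval, so screenshots stay possible in that window.
toggle_once() {
    running=no; installed=no
    app_running && running=yes
    profile_marked_installed && installed=yes
    action=$(decide_action "$running" "$installed")
    apply_action "$action" || { echo "profiles $action failed" >&2; return 1; }
    echo "$action"
}

# Act only when called as "script run"; sourcing the file has no side effects.
if [ "${1:-}" = "run" ]; then toggle_once; fi
```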

Anonymous
Not applicable

How to do it system-wide across all apps?

tlarkin
Honored Contributor

If you want to disable it when only a specific app is running you will run into all sorts of race conditions. I have a custom MDM payload to disable screenshots on our "secured configs" that apply to a very small subset of systems. The only way I have been able to see it work is binary, it is either globally on or globally off.

Even if you script it with a launchd item, you will still always succumb to a race condition where the config may not apply in time, or may not apply properly. If you are doing access controls around sensitive data, I would recommend a separation of systems, and have them use another system to access that data.

AdamCraig
Contributor III

@shaquir I don't have the whole thing put together yet (and now that they're realizing some of the side effects like this, the people who told me to figure this out are second-guessing if we're going to do it at all), but this solution did work.

First, though, I needed to modify our existing restrictions config profile to not include anything about screenshots. I used this process, Roll Your Own Config Profile - JNUC 2019, to do so. Once that config profile wasn't conflicting, installing and uninstalling the config profile you linked worked great.

Anonymous
Not applicable

Is there any way to do it through policies?