ActivTrak's macOS Agent

ActivTrak’s macOS Agent is available for users operating macOS computers such as Macbooks.  The macOS Agent also fully complies with Apple's Catalina OS notarization requirements.

Check supported OS versions here.

Check ActivTrak's latest macOS Agent version and change log here

Learn more about the macOS Agent in the sections below:

macOS deployment methods

  • Direct methods are an option when an Admin has physical access to the device
  • Remote methods are necessary when an Admin does not have physical access to the device
  • Silent options indicate that the deployment method can be unknown to the user
Method Silent Option

Direct

Deploy via the ActivTrak app

yes

Direct

Deploy via USB

yes

Remote

Deploy via shared link

no

Remote

Deploy via MDM tools

yes

FAQ: macOS screen recording permissions

Why does ActivTrak need the Screen Recording permission?

Note: ActivTrak will never record your screen unless you explicitly use the screenshot actions in the alarms.

With macOS 10.15 Apple has introduced a new Screen Recording permission. According to the name, one would assume that this permission only covers screen recording. Unfortunately, that's not the case. It also protects an API that is used in ActivTrak and to access other app's window titles.

What happens if I don't grant the screen recording permissions?

For the most part, ActivTrak will still work properly. Only a few applications will not be able to use window snapping. Other actions like screenshotting and moving windows between spaces will break.

Why does ActivTrak / need access to other app's window titles?

To track and pull the appropriate data as well as move your windows around. ActivTrak needs to first figure out which window to move. This might seem like a simple task, and that's true for most apps. However, in various cases, it's not as easy as it seems. For example, application windows might have transparent overlays or other invisible parts which in some situations can be hard to identify. In such cases, ActivTrak uses the window titles of these problematic apps to identify whether it is moving the correct window. This has worked quite well during the last 10 years and allowed ActivTrak to work with almost all applications.

Is there any Apple documentation that confirms what you are saying?

Yes. You can watch the video from WWDC: https://developer.apple.com/videos/play/wwdc2019/701/. There is a large part about screen recording, which also talks about window titles now also being protected by this permission.

How did it work before Catalina?

Before macOS Catalina, there were no such permissions. Any app could access the window title of any other app - and any app could record your screen.

Are there other ways to access the window titles?

Yes, ActivTrak could also use the Accessibility API to access other app's window titles. However, this doesn't work in some specific situations and is less performant.

Can I enable/disable the permission later?

Yes, you can always choose to disable/enable the permission via System Preferences => Security & Privacy => Privacy => Screen Recording.

Is there any indication of whether an application is currently recording my screen?

Unfortunately no. Applications that get the Screen Recording permission can record your screen at any time without any indication.

Why did Apple protect window titles with this permission?

We are currently unsure. We will continue to watch and see how the macOS evolves and adjust accordingly to ensure the agent runs properly on Apple machines.

 

macOS Agent troubleshooting

MAC NAMING ISSUES

When installing ActivTrak on multiple Mac computers, what looks like duplicate computers may appear and skew reporting. This is caused by a naming conflict with Apple's networking services. It is important that all Mac computers with the ActivTrak agent installed have unique names.

To change the computer name to something unique, log into the Mac that needs renaming, refer to this Apple user guide and select your specific OS version for instructions.

 

MAC SCREENSHOTS ONLY SHOW DESKTOP WALLPAPER

If you are collecting screenshots for a Mac user and you can only see their desktop wallpaper rather than the actual applications on their screen, this is due to Apple's Security & Privacy settings and you will need to follow these instructions. After completed, restart either the agent or the machine itself for the new screenshot permissions to take effect.

ss5.png

MAC AGENT NOT INSTALLING

1. Ensure that you are installing the software with Admin credentials. ActivTrak can only be installed by an Admin of the machine you are attempting to track.

2. Ensure the installer file was not renamed. This includes your computer adding a (1) or (2) at the end of the file if there were multiple copies in your downloads. Modifying the file name may prevent the agent from being properly installed.

3. If running Catalina or later, the installer may require permission to run. If so, you will see a similar message to below when trying to install the Agent:

 Screen_Shot_2019-10-24_at_12.05.46_PM.png

In order to fix this, click on the Apple icon in the top left of your screen and select 'System Preferences', then click on 'Security and Privacy'. On the 'General' tab you should see the installer listed at the bottom. Click 'Open Anyway':

Screen_Shot_2019-10-24_at_12.08.18_PM.png

After clicking 'Open Anyway', the security pop-up that was shown previously will appear again, but this time with the option to Open. Click 'Open' and the installer will run normally:

Screen_Shot_2019-10-24_at_12.09.38_PM.png

4. MacOS includes a feature called Gatekeeper, which has options to only allow trusted software from the App Store and/or identified developers. If Gatekeeper is preventing the installation of legitimate software such as ActivTrak, the feature can be disabled either temporarily or permanently by following the steps below.

Click on the Apple icon in the top left of your screen and select 'System Preferences', then click on 'Security and Privacy'. On the 'General' tab, click the lock in the lower left corner to allow changes:

mac3party3.png

Enter your computer username and password, then select 'Unlock':

mac3party4.png

In the 'Allow apps downloaded from:' section, select 'Anywhere':

mac3party5.png

Close the window. You can now install applications that you trust.

Note: If the 'Anywhere' option does not appear, you can disable Gatekeeper permanently by following these steps:

Quit System Preferences if it is open and open a new Terminal window using one of the following methods: ⌘ Command + ⇧ Shift + U , OR from /Applications/Utilities folder:

macdisablegate1.jpg

macdisablegate2.jpg

Enter the following command into the Terminal then hit return:

sudo spctl --master-disable

Relaunch System Preferences and go back to the Gatekeeper (Security & Privacy) settings:

macdisablegate4.png

Uninstall ActivTrak and reinstall a fresh copy of the agent.

5. Navigate to /Library/PrivilegedHelperTools, right-click on that folder and Get Info, then look at the bottom under Sharing & Permissions to verify Read & Write privileges for everyone. If it says 'No Access', this will need to be adjusted for a successful installation. 

 

MAC AGENT NOT REPORTING

After installing ActivTrak onto a new machine, data should begin uploading to the platform within a few minutes after the user is logged in. If initial data does not appear, or if a user was reporting for a while and appears to have suddenly stopped, there are several steps that can be taken in order to troubleshoot and identify the issue.

Within the ActivTrak application:

1. Verify that all Date Range and User/Group filters are set correctly as this common mistake can prevent data from appearing and make it seem as if someone isn't reporting. The filters will be located along the top of all applicable pages.

2. If it seems like none of the users are reporting, check whether you are over the license limit by clicking on your account avatar in the top right-hand corner of the ActivTrak app; the dropdown menu displays a ratio of users to licenses. Paid accounts that did not take action on a license overage within the 14-day grace period will see a red warning banner along the top of the screen. Data will still be collected, but it will not be viewable until you either reclaim licenses or purchase new ones.

Note: Free plans are only allowed 3 users and 3GB of storage and have no grace period. Once you exceed either of these limits, data is immediately hidden until you either delete users and/or data, or upgrade to a paid plan.

3. Verify that the user you are expecting to see is not listed under Settings > Users & Groups > Do Not Track. If they are on this list, click the Remove button next to their name to instruct the Agent to start collecting data.

Note: the user will not reappear within the account until they are next active and generate the first log.

4. Confirm that the user(s) are being tracked during the desired time-frame(s). You can view, edit, and apply schedules to users from Settings > Scheduling.

Note: The tracking schedule for each user will be based on their computer's local time zone and not the Account Time Zone.

New users are automatically assigned to the Default Schedule, and the default schedule is automatically 24x7. If you have just installed the Agent but the user is not reporting, check if an Admin modified the Default Schedule to where it is no longer 24x7. If the install happens outside of the scheduled Default times, the user will appear the next time they are active on the machine during the Default Schedule. Then move them to another schedule if desires. Learn more about the Scheduling feature here.

5. Check to see when the Agent last reported and if they are on the latest Agent version. You can view both the Last Log Record and Agent Version from Settings > Users & Groups > Computer Agents. The latest version is listed here. If the Agent Version is outdated, download a new Agent directly from a Home page as that will always host the most recent version. Then deploy using one of these methods.

On the tracked computer:

6. In order for ActivTrak to send and retrieve data, the agent must be running. This can be checked within the Activity Monitor on the monitored machine.  SCTHOST and SCTHOSTP will be listed under the 'CPU' tab. If SCTHOST and SCTHOSTP are shown, click on one of them and then click on 'Force Quit' in the top left. Once one has been done, do the same for the other. They should both reappear within a few seconds and data should begin uploading within a few minutes.

mceclip2.png

mceclip1.png

7. Included with Apple's macOS Catalina release were several changes to privacy settings on the Mac, including the requirement to give applications explicit access to capture the screen. When ActivTrak first attempts to capture a screenshot on a Mac running macOS Catalina or higher, this message will pop up:

Screen_Shot_2019-12-12_at_12.33.42_PM.png

In order to grant ActivTrak permission to capture the screen for screenshot-based alarms, click 'Open System Preferences'. If 'Deny' is clicked, you can update permissions later by clicking on the Apple icon in the top left of your screen and opening 'System Preferences', then clicking on 'Security and Privacy'. On the 'Privacy' tab, check the box next to scthostp under both 'Accessibility' and 'Screen Recording'.

Screen_Shot_2019-12-23_at_12.26.59_PM.png

8. Ensure there are no conflicts due to security software on the monitored computer by following this guide.

Note: It is possible for the Agent to be disabled on some computers but not others, so you should still follow whitelisting even if other computers are reporting normally. It is also possible for the Agent to report for a while and then suddenly stop, for example due to a security software update.

 

Learn more:

 

 

 

 

Was this article helpful?

1 out of 9 found this helpful

Comments

No comments