In macOS Sequoia (versions 15.1–15.4), Apple enhanced security measures by increasing permission dialogs and notifications while removing specific administrative controls. This guide provides comprehensive deployment options for both silent and transparent installations, enabling you to select the approach that best fits your needs.
Note: Full functionality is available on macOS 14. Upgrading to Sequoia is not required by ActivTrak.
macOS only
This method is for deploying the macOS Agent. For Windows or ChromeOS, see our installation and deployment guide.
Contents
- Manual installation
- Transparent deployment
- Silent deployment
- MDM deployment
- Simple MDM with Munki
- Best practices
Manual installation
When installing the ActivTrak Agent, the required accessibility permissions must be granted manually.
- Open System Settings
- Go to Privacy & Security > Accessibility
- Enable scthostp in the list.
If scthostp is not in the list:
- Click the +
- Navigate to Library > PrivilegedHelperTools. Note: This must be in the System Library folder, not the User Library folder. To ensure you have the correct location, you can go to Finder, click on "Go" in the top menu, Go to Folder, and enter "/Library/PrivilegedHelperTools".
- Select scthostp and click Open
Important:
- Confirm it was applied by running the command below and observing that the auth_value is 2:
sqlite3 -header -column "/Library/Application Support/com.apple.TCC/TCC.db" "SELECT service, client, auth_value FROM access where client = '/Library/PrivilegedHelperTools/scthostp';"
- If you are still having trouble enabling the necessary permissions after following these steps, please contact ActivTrak Support
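The same check as a script, as an added example that is not part of ActivTrak's documentation: it runs the query above read-only, lists every TCC row recorded for scthostp, and classifies the Accessibility row against the expected auth_value of 2. The function names are illustrative; kTCCServiceAccessibility is the TCC service name for Accessibility.

```python
import sqlite3
from pathlib import Path

TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
CLIENT = "/Library/PrivilegedHelperTools/scthostp"
ACCESSIBILITY = "kTCCServiceAccessibility"  # TCC service name for Accessibility
GRANTED = 2  # the auth_value this guide tells you to look for


def tcc_grants(db_path=TCC_DB, client=CLIENT):
    """Return {service: auth_value} for every TCC row recorded for client."""
    # Open read-only so the check can never modify the TCC database.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT service, auth_value FROM access WHERE client = ?", (client,)
        ).fetchall()
    finally:
        conn.close()
    return dict(rows)


def accessibility_status(grants):
    """Classify the Accessibility row: 'granted', 'not-granted' or 'missing'."""
    if ACCESSIBILITY not in grants:
        return "missing"  # scthostp was never added to the Accessibility list
    return "granted" if grants[ACCESSIBILITY] == GRANTED else "not-granted"


if __name__ == "__main__":
    try:
        grants = tcc_grants()
    except sqlite3.Error as exc:
        # Reading TCC.db normally needs root and Full Disk Access for the terminal.
        raise SystemExit(f"cannot read TCC.db: {exc}")
    for service, value in sorted(grants.items()):
        print(f"{service:32} auth_value={value}")
    print("Accessibility:", accessibility_status(grants))
```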
Transparent deployment
Use transparent deployment whenever possible to communicate with end users about the installation. No action is required from users beyond acknowledging permissions during installation. Learn more about introducing ActivTrak to your organization.
Silent deployment
Use silent deployment when you require a completely silent installation without user interaction. The implementation process depends on your customer segment and use case, as detailed in the deployment matrix below.
Screen capture capabilities with silent deployment
Important: Silent deployment with screen capture functionality on macOS has specific limitations because of Apple's security framework.
You can remain silent with screenshots (on macOS 15.1-15.4) only if you:
- Accept the permission on install (manual user action required)
- Set MDM controls to not reprompt (automated via MDM)
There is no fully automated way to accept screen recording permissions on behalf of users. Even with MDM deployment, users must manually grant screen recording permissions for screenshots to function correctly.
Silent deployment options
| Deployment scenario | Required actions | Notes |
|---|---|---|
| Existing Mac deployments (not using Screen Details) | | Optional: If you are using an earlier version of macOS, you may use MDM controls to postpone upgrades to Sequoia. |
| Existing Mac deployments (using Screen Details) | | MDM controls are required* |
| New Mac deployments (not using Screen Details) | | You can use manual or scripted permission acceptance. Optional: Set up MDM controls |
| New Mac deployments (using Screen Details) | | MDM controls required* |
*Alternative prompt suppression methods are in development
Managing user permissions
Required permissions
Starting with macOS Mojave (10.14), Apple introduced controls that let users allow or restrict cross-application data requests and permissions, such as Camera, Photos, Accessibility, Apple Events and others. Pre-configuring a Privacy Preferences Policy Control (PPPC) profile through an MDM enables administrators to grant or deny permissions for apps and system services. This ensures compliance with privacy policies and streamlines the user experience by reducing the number of permission prompts.
For customers not using Screenshot Alarms or Screen View, we recommend deploying a PPPC file that denies screen recording permissions, accepts accessibility permissions, and suppresses all Background Items notifications.
Screen recording permissions
- Purpose: Required for screenshot alarms and screen capture functionality
- Default behavior: Prompts user during installation and monthly
- MDM option: Can be denied via PPPC profile if screen capture isn't needed
Accessibility permissions
- Purpose: Required for title bar and browser URL capture
- MDM option: Can be accepted via PPPC profile
Background processing
- Purpose: Allows the agent to run in the background
- MDM option: Notifications can be suppressed via PPPC profile
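A pre-upload check for the recommended policy above (deny screen recording, accept accessibility), as an added example that is not ActivTrak's tooling: it parses an unsigned PPPC profile and reports any entry for the agent that disagrees with that policy or allows anything beyond it. The sample profile is constructed, its CodeRequirement is a placeholder, and matching on the scthostp path or the com.bgrove.scthost bundle ID is an assumption about how the vendor's file identifies the agent.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Policy the guide recommends when screen capture features are not used.
EXPECTED = {"Accessibility": "allow", "ScreenCapture": "deny"}


def decision(entry):
    """Normalise a PPPC entry to 'allow', 'deny' or its raw Authorization."""
    auth = entry.get("Authorization")  # newer string key
    if auth is not None:
        return {"Allow": "allow", "Deny": "deny"}.get(auth, auth)
    return "allow" if entry.get("Allowed") else "deny"  # legacy boolean key


def check_pppc(profile_bytes, identifiers):
    """Return a list of mismatches; an empty list means the policy matches."""
    seen = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if entry.get("Identifier") in identifiers:
                    seen[service] = decision(entry)
    problems = [f"{svc}: want {want}, profile has {seen.get(svc, 'no entry')}"
                for svc, want in EXPECTED.items() if seen.get(svc) != want]
    # Least privilege: the agent should be allowed nothing beyond EXPECTED.
    problems += [f"{svc}: unexpected allow" for svc, got in seen.items()
                 if svc not in EXPECTED and got == "allow"]
    return problems


def sample_profile(screen_allowed=False):
    """Constructed profile for the demo; not ActivTrak's published file."""
    def rule(allowed):
        return [{"Identifier": "/Library/PrivilegedHelperTools/scthostp",
                 "IdentifierType": "path",
                 "CodeRequirement": "PLACEHOLDER-code-requirement",
                 "Allowed": allowed}]
    services = {"Accessibility": rule(True), "ScreenCapture": rule(screen_allowed)}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": PPPC_TYPE, "Services": services}]})


if __name__ == "__main__":
    agent = {"/Library/PrivilegedHelperTools/scthostp", "com.bgrove.scthost"}
    print(check_pppc(sample_profile(), agent))      # matches the policy
    print(check_pppc(sample_profile(True), agent))  # flags ScreenCapture
```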
Firefox considerations
Firefox on macOS does not support URL capture without the ActivTrak browser extension (ActivTrak Assist Browser Extension); the ActivTrak application will display ‘URL Unavailable’ if the extension is not present. If your ActivTrak deployment is silent, this poses a problem, since the extension will be visible in the Firefox browser's ‘Extension’ menu (Firefox Extension (required for Mac Agents)). Firefox is not supported if you maintain a silent deployment.
MDM deployment
Prerequisites
- MDM platform subscription (Intune, Jamf Pro, Kandji or Mosyle)
- Administrator access to MDM and ActivTrak
- Enrolled macOS devices
- ActivTrak’s Privacy Preferences Policy Control (PPPC) files
- ActivTrak agent (.pkg) file
ActivTrak Install Locations
ActivTrak installs files in the following locations:
- /Library/PrivilegedHelperTools/scthostp
- /Library/PrivilegedHelperTools/scthostu
- /Library/PrivilegedHelperTools/svctcom
- /Library/PrivilegedHelperTools/scthost.app
- /Library/LaunchDaemons/com.bgrove.activtrak.daemon.plist
- /Library/LaunchAgents/com.bgrove.activtrak.agent.plist
PPPC files
Profile to grant/deny needed permissions
Profile to disable background notifications
Implementation steps
Create a profile for accessibility and screen recording preferences
- Go to your MDM’s administrative console and create a new configuration profile
- Choose a ‘Custom’ profile type and upload the required PPPC file "Profile to grant/deny needed permissions"
- Assign the configuration to your devices following the steps provided by your MDM software
Create a profile for disabling all background notifications
- Go to your MDM’s administrative console and create a second new configuration profile
- Choose a ‘Custom’ profile type and upload the required PPPC file "Profile to disable background notifications"
- Assign the configuration to your devices following the steps provided by your MDM software
Note: This will disable all background notifications, including those from ActivTrak.
Important: When a device is configured using PPPC, the ActivTrak agent won't appear in the Accessibility permissions list, even though it has the required permissions. This is intentional and beneficial — it prevents users from accidentally disabling these essential permissions. As long as the agent is reporting data correctly, you can be confident that the permissions are properly configured.
Deploy the Agent
- Go to your MDM’s administrative console and create a new Application for deployment
- Upload the ActivTrak .pkg file without renaming it. Details on downloading the Agent can be found on this page: Deploy the Agent via the ActivTrak App
- Define the necessary fields (e.g., name, description, publisher and operating system). Take note that the name should not be changed. The App Bundle ID should auto-populate; if not, use com.bgrove.scthost
- Assign the App to all enrolled devices or specific device groups
- The deployment will start, and the agent will be installed as devices check in. Depending on user activity and check-in policies, this can take up to 48 hours
Required step for deployment via SimpleMDM with Munki
SimpleMDM uses a tool called "Munki" to populate the PKGINFO file it needs for application deployment. By default, the Bundle ID it pulls is com.bgrove.ActivTrak. This should be updated to "com.bgrove.scthost".
To customize the PKGINFO inside SimpleMDM, you'll need to do the following:
- Upload the ActivTrak installer to SimpleMDM by navigating to Apps & Media > Catalog > Add App > Custom App
- Once uploaded, go back to the Catalog and click the installer
- Click the Munki tab
- Check the box for "Use Custom PKGINFO"
- Update the Bundle ID in the text file to "com.bgrove.scthost"
- At the bottom of the page, click Save
Best practices
- Plan your deployment strategy based on functionality needs
- Test your deployment process in small groups first
- Prepare user communication if using transparent deployment
- Consider a phased rollout for large organizations
- Document your chosen configuration for future reference
Need help?
For additional assistance or custom deployment scenarios, contact ActivTrak Support at support@activtrak.com.