In macOS Sequoia (versions 15.1-15.4), Apple enhanced security measures by increasing permission dialogs and notifications while removing certain administrative controls. This guide provides comprehensive deployment options for both silent and transparent installations, helping organizations choose the best approach based on their needs.
Note: Full functionality is available on macOS 14; ActivTrak does not require upgrading to Sequoia.
Deployment Options
Transparent Deployment
For organizations that can communicate with end users about the installation. No action is required from the users beyond acknowledging permissions during installation. Learn more about introducing ActivTrak to your organization.
Silent Deployment
For organizations requiring a completely silent deployment without user interaction. The implementation process is dependent on the customer segment, which is detailed in the following table.
Screen Capture Capabilities with Silent Deployment
Important: Silent deployment with screen capture functionality on macOS has specific limitations due to Apple's security framework:
- You can remain silent with screenshots (on macOS 15.1-15.4) only if:
  - You accept the permission on install (manual user action required)
  - Set MDM controls to not reprompt (automated via MDM)
- There is no fully automated way to accept screen recording permissions on behalf of users. Even with MDM deployment, the user must manually grant screen recording permissions for screenshots to work correctly.
Silent Deployment Options Matrix
Required Actions | Notes | |
---|---|---|
Existing Mac Deployments (Not Using Screen Details) | | Optional: Set up MDM controls* to suppress the Screen Capture prompt |
Existing Mac Deployments (Using Screen Details) | | MDM controls are required*. The user must have previously granted screen access. Optional: If you are using an earlier version of macOS, you may use MDM controls to postpone upgrades to Sequoia |
New Mac Deployments (No Screen Details) | | You can use manual or scripted permission acceptance. Optional: Set up MDM controls |
New Mac Deployments (With Screen Details) | | MDM controls required*. You can use manual or scripted accessibility permission acceptance |
*Alternative prompt suppression methods are in development.
Managing User Permissions in macOS Sequoia without End User Interaction
Required Permissions
Starting with macOS Mojave (10.14), Apple introduced controls that let users allow or restrict cross-application data requests and permissions such as Camera, Photos, Accessibility, AppleEvents and others. Pre-configuring a Privacy Preferences Policy Control (PPPC) profile through an MDM allows the administrator to grant or deny permissions for apps and system services to ensure compliance with privacy policies and streamline the user experience by reducing the number of permission prompts. For customers not using Screenshot Alarms or Screen View, we recommend deploying a PPPC file that denies screen recording permissions, accepts accessibility permissions, and suppresses all Background Items notifications.
Screen Recording Permissions
- Purpose: Required for screenshot alarms and screen capture functionality
- Default behavior: Prompts user during installation and monthly
- MDM option: Can be denied via PPPC profile if screen capture isn't needed
Accessibility Permissions
- Purpose: Required for title bar and browser URL capture
- MDM option: Can be accepted via PPPC profile
Background Processing
- Purpose: Allows the agent to run in the background
- MDM option: Notifications can be suppressed via PPPC profile
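A pre-upload check of a PPPC profile against the policy described above (deny screen recording, accept accessibility), added here as an example; it is not ActivTrak's code or profile. It assumes an unsigned .mobileconfig that identifies the agent by the App Bundle ID `com.bgrove.scthost` given in this guide; the sample profile, the `com.example.helper` identifier and the `PLACEHOLDER` code requirement are constructed.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
AGENT_ID = "com.bgrove.scthost"  # App Bundle ID given in this guide
# Policy from the text: deny screen recording, accept accessibility (bundle-ID match assumed).
EXPECTED = {("ScreenCapture", AGENT_ID): "Deny", ("Accessibility", AGENT_ID): "Allow"}

def summarize_pppc(profile_bytes):
    """Map (service, identifier) -> decision for each TCC rule in an unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    decisions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue  # skip payloads that are not PPPC
        for service, rules in payload.get("Services", {}).items():
            for rule in rules:
                # Prefer the string "Authorization"; fall back to the legacy boolean "Allowed".
                decision = rule.get("Authorization") or (
                    "Allow" if rule.get("Allowed") else "Deny")
                decisions[(service, rule.get("Identifier"))] = decision
    return decisions

def review(decisions, expected=EXPECTED):
    """Return findings as strings; an empty list means the profile matches."""
    findings = [f"{svc} for {ident}: expected {want}, "
                f"found {decisions.get((svc, ident), 'no entry')}"
                for (svc, ident), want in expected.items()
                if decisions.get((svc, ident)) != want]
    findings += [f"unreviewed grant: {svc} for {ident} is {got}"
                 for (svc, ident), got in decisions.items()
                 if (svc, ident) not in expected and got != "Deny"]
    return findings

def entry(identifier, **decision):
    # CodeRequirement is a placeholder; a real profile carries the app's signing requirement.
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": "PLACEHOLDER", **decision}

# Constructed sample profile (not ActivTrak's file); com.example.helper is hypothetical.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [{
    "PayloadType": TCC_PAYLOAD, "Services": {
        "Accessibility": [entry(AGENT_ID, Allowed=True)],
        "ScreenCapture": [entry(AGENT_ID, Authorization="Deny")],
        "SystemPolicyAllFiles": [entry("com.example.helper", Authorization="Allow")],
    }}]})

if __name__ == "__main__":
    for line in review(summarize_pppc(SAMPLE)) or ["profile matches the intended policy"]:
        print(line)
```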
Firefox Considerations
Firefox on macOS does not support URL capture without the ActivTrak Browser extension (see The ActivTrak Assist Browser Extension (For Improved Website Activity Capture)); the ActivTrak application will display ‘URL Unavailable’ if the extension is not present. If your ActivTrak deployment is silent, this poses a problem, since the extension will be visible in the Firefox browser's ‘Extension’ menu (see Firefox Extension (Required for Mac Agents) – ActivTrak Help Center). Firefox is not supported if you maintain a silent deployment.
MDM Deployment Process
Prerequisites
- MDM platform subscription (Intune, Jamf Pro, Kandji, or Mosyle)
- Administrator access to MDM and ActivTrak
- Enrolled macOS devices
- ActivTrak’s Privacy Preferences Policy Control (PPPC) files
- ActivTrak agent (.pkg) file
ActivTrak Install Locations
ActivTrak installs files in the following locations:
- /Library/PrivilegedHelperTools/scthostp
- /Library/PrivilegedHelperTools/scthostu
- /Library/PrivilegedHelperTools/svctcom
- /Library/PrivilegedHelperTools/scthost.app
- /Library/LaunchDaemons/com.bgrove.activtrak.daemon.plist
- /Library/LaunchAgents/com.bgrove.activtrak.agent.plist
PPPC files
Profile to grant/deny needed permissions
Profile to Disable Background Notifications
Implementation Steps
Create a Profile for Accessibility and Screen Recording Preferences
- Go to your MDM’s administrative console and create a new configuration profile
- Choose a ‘Custom’ profile type and upload the required PPPC file "Profile to grant/deny needed permissions"
- Assign the configuration to your devices following the steps provided by your MDM software
Create a Profile for Disabling All Background Notifications
- Go to your MDM’s administrative console and create a second new configuration profile
- Choose a ‘Custom’ profile type and upload the required PPPC file "Profile to Disable Background Notifications"
- Assign the configuration to your devices following the steps provided by your MDM software
- Please be aware that this will disable all background notifications, including those from ActivTrak
Important:
When a device is configured using PPPC, the ActivTrak agent won't appear in the Accessibility permissions list, even though it has the required permissions. This is intentional and beneficial — it prevents users from accidentally disabling these essential permissions. As long as the agent is reporting data correctly, you can be confident that the permissions are properly configured.
Deploy the Agent
- Go to your MDM’s administrative console and create a new Application for deployment
- Upload the ActivTrak .pkg file without renaming it
  - Details on finding the latest agent version can be found here: Deploy Agents via the ActivTrak app – ActivTrak Help Center
- Define the necessary fields (e.g., name, description, publisher and operating system). Take note that the name should not be changed. The App Bundle ID should auto-populate, but if it does not, use “com.bgrove.scthost”
- Assign the app to all enrolled devices or specific device groups
- The deployment will start, and the agent will be installed as the devices check in. Depending on user activity and check-in policies, this can take up to 48 hours
Best Practices
- Plan your deployment strategy based on functionality needs
- Test your deployment process in small groups first
- Prepare user communication if using transparent deployment
- Consider a phased rollout for large organizations
- Document your chosen configuration for future reference
For additional assistance or custom deployment scenarios, contact ActivTrak Support.