Overview
For student devices running macOS Mojave (10.14) and later Apple introduced new privacy protection systems that must be configured correctly for LanSchool to work. It can be challenging to configure settings correctly so that all installed software works as it should. Because it is impractical to visit each computer to make these approvals, Apple extended its Mobile Device Management (MDM) system to allow remote configuration of many of these approvals.
The macOS privacy approvals necessary to enable full functionality for the LanSchool Student can be configured using a Mobile Device Management (MDM) server. The LanSchool Student application requires four approvals in order to allow all functionality.
Most MDM systems allow importing .mobileconfig template files in order to deploy policies to devices. For the best experience, download this pre-configured privacy policy template provided by LanSchool and deploy it to your devices: LanSchoolClassicStudentPolicy.mobileconfig.
Alternatively, follow the instructions below to manually create a policy.

The Screen Recording Approval cannot be automated. It must be enabled manually on the student device.
Table 1. LanSchool Student approvals
Approval Name
| Approval Description
|
Accessibility
| During Remote Control, allows:
- Keystroke recording and alerting
- Keyboard and mouse input blocking
|
Automation
| Allows LanSchool students to:
- Automate Safari, which e nables teacher control of Safari during web limiting.
- Automate Finder, which allows the teacher to Clear Desktop (closes all windows on the desktop). Clear Desktop can ease transition from one class to another.
|
Microphone
| Allowing LanSchool student to use the microphone permits a:
- Teacher to talk to a student
- Student to talk to the rest of the class
Microphone access cannot be configured with MDM. On the student computer, run:
/Applications/ <LanSchool Student>
Follow the wizard prompts.
|
Full Disk Access
| LanSchool students need access to Safari files for teachers to determine and record student browser history. Teachers can access Firefox history files without granting full disk access permission.
|
Screen Recording
| Only required for macOS Catalina (10.15) and later, the screen recording approval is necessary to allow LanSchool Student to share the student's screen with the teacher.
This approval cannot be configured using an MDM server and must be enabled manually on each student device. |
Procedure
The following instructions use SimpleMDM (
https://simplemdm.com/ ) as an example MDM provider to configure LanSchool Student. Other MDM provider interfaces may look slightly different but have similar features.
Enter information exactly as it is shown. This is especially important for code requirements.
Two applications make up LanSchool Student: LanSchool (lsutil.app) and LanSchool Student (student.app). Follow the steps below to configure them.
In the MDM provider interface, navigate to where profiles can be created. Select the option that creates a profile to configure privacy preferences.
- Select Permissions.
- For the LanSchool application (lsutil.app), enter the settings shown in Tables 2-3 and highlighted in the screen shot below them:
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.lsutil. A bundle ID typically should identify each application.
- Enter anchor trusted for the code requirement. Apple uses the code requirement to verify that it has cryptographically signed applications, and that applications have not been altered or tampered with.
In the Access Permissions section, set Accessibility to Allow.
Table 2: Identifying information for lsutil.app
Identifier
| Setting
|
Identifier type
| bundleID
|
Identifier
| com.lanschool.lsutil
|
Code requirement
| anchor trusted
|
Table 3: Access permissions for lsutil.app
Name
| Setting
|
Accessibility
| Allow
|
Select Save.
Select Permissions.
For the LanSchool application (student.app), enter the settings shown in Tables 4-6 and highlighted in the screen shot below them. Settings that are not listed do not need to be changed.
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.student.
- Enter anchor trusted for the code requirement.
In the Access Permissions section, set the following to Allow:
- Accessibility
- Post event
- Access all files
Create two Apple event targets, one for Finder and another for Safari, using the settings shown in Table 7. These settings allow LanSchool Student to send messages to Finder and Safari.
Table 4. Identifying information for student.app
Name
| Setting
|
Identifier Type
| bundleID
|
Identifier
| com.lanschool.student
|
Code requirement
| anchor trusted
|
Table 5. Access permissions for student.app
Name
| Setting
|
Accessibility
| Allow
|
Post event
| Allow
|
Access all files
| Allow
|
Table 6. Apple event targets for student.app
Name
| Identifier
| Code Requirement
| Access
|
bundle ID
| com.apple.finder
| Identifier "com.apple.finder" and anchor apple
| Allow
|
bundle ID
| com.apple.Safari
| Identifier "com.apple.Safari" and anchor apple
| Allow
|
- Select Save.
- When you have created the profile, use an MDM provider to send the profile to all computers that are running or will run LanSchool Student. You are done!
Apple’s latest operating system macOS 11.0 (Big Sur) prevents 3rd party software from installing Profiles on the system.
Mobile Device Management (MDM) has the ability to install profiles, but anyone else who previously installed them to configure application settings will no longer be able to do so in macOS 11.0.
LanSchool Classic for many years has installed profiles to specify Chrome, and now Edge Browser settings, specifically so that our browser extensions are installed and cannot be removed.
For Big Sur and greater, we recommend adding our Chrome and Edge policies to your MDM settings for those browsers:
Chrome:
ExtensionInstallForcelist:
honjcnefekfnompampcpmcdadibmjhlk;https://clients2.google.com/service/update2/crx
In XML this would look like this:
Edge:
ExtensionInstallForcelist:
hbonijggfojboimdmhilgnikbkeodiha;https://edge.microsoft.com/extensionwebstorebase/v1/crx
In XML this would like like this:
- <key>ExtensionInstallForcelist</key>
- <array>
- <string>hbonijggfojboimdmhilgnikbkeodiha;https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
- </array>
Our Edge policies also configure two other settings in the browser that you may find desirable in an education setting:
1.Disable Developer Tools. These tools can be used to subvert extensions and other things.
- <dict>
- <key>DeveloperToolsAvailability</key>
- <integer>0</integer>
- </dict>
2. Disable Private Browsing. Our extension cannot record private browsing in any reliable way.
- <dict>
- <key>InPrivateModeAvailability</key>
- <integer>1</integer>
- </dict>