Granting macOS Privacy Approvals for LanSchool Using an MDM

Introduction

For student devices running macOS Mojave (10.14) and later, Apple introduced new privacy protection systems that must be configured correctly for LanSchool to work. It can be challenging to configure these settings so that all installed software works as it should. Because it is impractical to visit each computer to make these approvals, Apple extended its Mobile Device Management (MDM) system to allow remote configuration of many of them.

The macOS privacy approvals necessary to enable full functionality for the LanSchool Student can be configured using a Mobile Device Management (MDM) server. The LanSchool Student application requires four approvals in order to allow all functionality.

Most MDM systems allow importing .mobileconfig template files in order to deploy policies to devices. For the best experience, download this pre-configured privacy policy template provided by LanSchool and deploy it to your devices: LanSchoolClassicStudentPolicy.mobileconfig

Alternatively, follow the instructions below to manually create a policy.

Table 1. LanSchool Student approvals 
Approval Name 
Approval Description 
Accessibility 
During Remote Control, allows: 
  1. Keystroke recording and alerting 
  2. Keyboard and mouse input blocking 
Automation 
Allows LanSchool students to: 
  1. Automate Safari, which enables teacher control of Safari during web limiting. 
  2. Automate Finder, which allows the teacher to Clear Desktop (closes all windows on the desktop). Clear Desktop can ease transition from one class to another.  
Microphone 
Allowing LanSchool student to use the microphone permits a: 
  1. Teacher to talk to a student 
  2. Student to talk to the rest of the class  
Microphone access cannot be configured with MDM. On the student computer, run: 

/Applications/ <LanSchool Student> 

Follow the wizard prompts.  
Full Disk Access 
LanSchool students need access to Safari files for teachers to determine and record student browser history. Teachers can access Firefox history files without granting full disk access permission.   
Screen Recording
Only required for macOS Catalina (10.15) and later, the screen recording approval is necessary to allow LanSchool Student to share the student's screen with the teacher.

This approval cannot be configured using an MDM server and must be enabled manually on each student device.

Procedure

The following instructions use SimpleMDM (https://simplemdm.com/) as an example MDM provider to configure LanSchool Student. Other MDM provider interfaces may look slightly different but have similar features.
 
Enter information exactly as it is shown. This is especially important for code requirements. 
Two applications make up LanSchool Student: LanSchool (lsutil.app) and LanSchool Student (student.app). Follow the steps below to configure them.
  1. In the MDM provider interface, navigate to where profiles can be created. Select the option that creates a profile to configure privacy preferences.

  2. Select Permissions.
  3. For the LanSchool application (lsutil.app), enter the settings shown in Tables 2-3 and highlighted in the screen shot below them:
    1. Select bundle ID as the identifier type.
    2. Create an app identity for the application bundle ID com.lanschool.lsutil. A bundle ID typically should identify each application.
    3. Enter anchor trusted for the code requirement. Apple uses the code requirement to verify that applications are cryptographically signed and have not been altered or tampered with.
    4. In the Access Permissions section, set Accessibility to Allow.

        Table 2: Identifying information for lsutil.app
        Identifier          Setting
        Identifier type     bundleID
        Identifier          com.lanschool.lsutil
        Code requirement    anchor trusted

        Table 3: Access permissions for lsutil.app
        Name                Setting
        Accessibility       Allow

  4. Select Save.
  5. Select Permissions.
  6. For the LanSchool application (student.app), enter the settings shown in Tables 4-6 and highlighted in the screen shot below them. Settings that are not listed do not need to be changed.
      1. Select bundle ID as the identifier type.
      2. Create an app identity for the application bundle ID com.lanschool.student.
      3. Enter anchor trusted for the code requirement.
      4. In the Access Permissions section, set the following to Allow:
        • Accessibility
        • Post event
        • Access all files
      5. Create two Apple event targets, one for Finder and another for Safari, using the settings shown in Table 6. These settings allow LanSchool Student to send messages to Finder and Safari.

        Table 4. Identifying information for student.app
        Name                Setting
        Identifier Type     bundleID
        Identifier          com.lanschool.student
        Code requirement    anchor trusted

        Table 5. Access permissions for student.app
        Name                Setting
        Accessibility       Allow
        Post event          Allow
        Access all files    Allow

        Table 6. Apple event targets for student.app
        Name         Identifier          Code Requirement                                  Access
        bundle ID    com.apple.finder    Identifier "com.apple.finder" and anchor apple    Allow
        bundle ID    com.apple.Safari    Identifier "com.apple.Safari" and anchor apple    Allow

  7. Select Save.
  8. When you have created the profile, use an MDM provider to send the profile to all computers that are running or will run LanSchool Student. You are done!
You can also use your MDM server to configure settings for the LanSchool Teacher and Student. See Managing LanSchool Settings with an MDM.
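
The profile that the steps above produce can be built and checked in code. This is an added example, not LanSchool's template or code: it builds the privacy-preferences payload from Tables 2-6 and lists every grant it contains, flagging entries whose code requirement is only anchor trusted. The payload type and key names come from Apple's Privacy Preferences Policy Control payload; the payload identifiers and UUIDs are placeholders, and mapping "Post event" and "Access all files" to the PostEvent and SystemPolicyAllFiles services is an assumption about the MDM's labels.

```python
import plistlib

PPPC = "com.apple.TCC.configuration-profile-policy"
STUDENT, LSUTIL = "com.lanschool.student", "com.lanschool.lsutil"

def grant(bundle_id, requirement="anchor trusted", **extra):
    """One PPPC entry: identifier type bundleID, code requirement, Allow."""
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": requirement, "Allowed": True, **extra}

def apple_event(sender, receiver):
    """Table 6 row: let `sender` send Apple events to `receiver`."""
    # Receiver requirement string is copied verbatim from Table 6.
    return grant(sender, AEReceiverIdentifier=receiver,
                 AEReceiverIdentifierType="bundleID",
                 AEReceiverCodeRequirement=f'Identifier "{receiver}" and anchor apple')

def build_profile():
    """Serialize a profile holding the settings from Tables 2-6."""
    services = {
        "Accessibility": [grant(LSUTIL), grant(STUDENT)],    # Tables 3 and 5
        "PostEvent": [grant(STUDENT)],                       # "Post event" (assumed mapping)
        "SystemPolicyAllFiles": [grant(STUDENT)],            # "Access all files" (assumed mapping)
        "AppleEvents": [apple_event(STUDENT, "com.apple.finder"),
                        apple_event(STUDENT, "com.apple.Safari")],
    }
    def ids(n):  # placeholder identifiers; replace with your organization's own
        return {"PayloadVersion": 1,
                "PayloadIdentifier": f"example.invalid.lanschool.{n}",
                "PayloadUUID": f"00000000-0000-0000-0000-00000000000{n}"}
    return plistlib.dumps({"PayloadType": "Configuration", **ids(1),
        "PayloadContent": [{"PayloadType": PPPC, "Services": services, **ids(2)}]})

def audit(profile_bytes):
    """Return (grants, broad): every grant in the profile, and those whose code
    requirement is only 'anchor trusted' (no identifier or certificate named)."""
    grants, broad = [], []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                row = (e["Identifier"], service, e.get("AEReceiverIdentifier"))
                grants.append((*row, e.get("Allowed", False)))
                if e.get("CodeRequirement", "").strip() == "anchor trusted":
                    broad.append(row)
    return grants, broad
```

Running audit() over a .mobileconfig exported from the MDM before deployment gives a list to compare line by line against the tables. On a Mac with the application installed, `codesign -d -r-` on the app bundle prints its designated requirement for comparison with the requirement strings in the profile.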


Browser Extension Profiles for macOS 11.0 (Big Sur)

Apple's latest operating system, macOS 11.0 (Big Sur), prevents third-party software from installing profiles on the system.

Mobile Device Management (MDM) can still install profiles, but anyone else who previously installed them to configure application settings will no longer be able to do so in macOS 11.0.

For many years, LanSchool Classic has installed profiles to specify Chrome (and now Edge) browser settings, specifically so that our browser extensions are installed and cannot be removed.

For Big Sur and later, we recommend adding our Chrome and Edge policies to your MDM settings for those browsers:


Chrome:

ExtensionInstallForcelist:

honjcnefekfnompampcpmcdadibmjhlk;https://clients2.google.com/service/update2/crx 

In XML this would look like this:

  <key>ExtensionInstallForcelist</key>
  <array>
    <string>honjcnefekfnompampcpmcdadibmjhlk;https://clients2.google.com/service/update2/crx</string>
  </array>


Edge: 

ExtensionInstallForcelist:

hbonijggfojboimdmhilgnikbkeodiha;https://edge.microsoft.com/extensionwebstorebase/v1/crx

In XML this would look like this:

  <key>ExtensionInstallForcelist</key>
  <array>
    <string>hbonijggfojboimdmhilgnikbkeodiha;https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
  </array>


Our Edge policies also configure two other settings in the browser that you may find desirable in an education setting:

1. Disable Developer Tools. These tools can be used to subvert extensions and other things.

  <dict>
    <key>DeveloperToolsAvailability</key>
    <integer>0</integer>
  </dict>

2. Disable Private Browsing. Our extension cannot record private browsing in any reliable way.

  <dict>
    <key>InPrivateModeAvailability</key>
    <integer>1</integer>
  </dict>




