Granting macOS Privacy Approvals for LanSchool Using an MDM
Overview
For student devices running macOS Mojave (10.14) and later Apple introduced new privacy protection systems that must be configured correctly for LanSchool to work. It can be challenging to configure settings correctly so that all installed software works as it should.
Because it is impractical to visit each computer to make these approvals, Apple extended its Mobile Device Management (MDM) system to allow remote configuration of many of these approvals.
The macOS privacy approvals are necessary to enable full functionality for the LanSchool Student. They can be configured using a Mobile Device Management (MDM) server. The LanSchool Student application requires four approvals in order to allow all functionality.
Most MDM systems allow importing .mobileconfig template files in order to deploy policies to devices. For the best experience, download this pre-configured privacy policy template provided by LanSchool and deploy it to your devices
Download: LanSchoolClassicStudentPolicy.mobileconfig.
Alternatively, follow the instructions below to manually create a policy.
The Screen Recording Approval cannot be automated. It must be enabled manually on the student device.
Table 1. LanSchool Student approvals
Approval Name
| Approval Description
|
Accessibility
| During Remote Control, allows:
- Keystroke recording and alerting
- Keyboard and mouse input blocking
|
Automation
| Allows LanSchool students to:
- Automate Safari, which e nables teacher control of Safari during web limiting.
- Automate Finder, which allows the teacher to Clear Desktop (closes all windows on the desktop). Clear Desktop can ease transition from one class to another.
|
Microphone
| Allowing LanSchool student to use the microphone permits a:
- Teacher to talk to a student
- Student to talk to the rest of the class
Microphone access cannot be configured with MDM. On the student computer, run:
/Applications/ <LanSchool Student>
Follow the wizard prompts.
|
Full Disk Access
| LanSchool students need access to Safari files for teachers to determine and record student browser history. Teachers can access Firefox history files without granting full disk access permission.
|
Screen Recording
| Only required for macOS Catalina (10.15) and later, the screen recording approval is necessary to allow LanSchool Student to share the student's screen with the teacher.
This approval cannot be configured using an MDM server and must be enabled manually on each student device. |
Configuring the Privacy Approvals
The following instructions use SimpleMDM (
https://simplemdm.com/ ) as an example MDM provider to configure LanSchool Student. Other MDM provider interfaces may look slightly different but have similar features.
Enter information exactly as it is shown. This is especially important for code requirements.
Two applications make up LanSchool Student: LanSchool (lsutil.app) and LanSchool Student (student.app). Follow the steps below to configure them.
Navigate your MDM provider interface to a location where you can create profiles and choose to create a profile to configure privacy preferences:
- Select Permissions.
- For the LanSchool application (lsutil.app), enter the settings shown in Tables 2-3 and highlighted in the screen shot below them:
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.lsutil. A bundle ID typically should identify each application.
- Enter anchor trusted for the code requirement. Apple uses the code requirement to verify that it has cryptographically signed applications, and that applications have not been altered or tampered with.
In the Access Permissions section, set Accessibility to Allow.
Table 2: Identifying information for lsutil.app
Identifier
| Setting
|
Identifier type
| bundleID
|
Identifier
| com.lanschool.lsutil
|
Code requirement
| anchor trusted
|
Table 3: Access permissions for lsutil.app
Name
| Setting
|
Accessibility
| Allow
|
Select Save.
Select Permissions.
For the LanSchool application (student.app), enter the settings shown in Tables 4-6 and highlighted in the screen shot below them. Settings that are not listed do not need to be changed.
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.student.
- Enter anchor trusted for the code requirement.
In the Access Permissions section, set the following to Allow:
- Accessibility
- Post event
- Access all files
Create two Apple event targets, one for Finder and another for Safari, using the settings shown in Table 7. These settings allow LanSchool Student to send messages to Finder and Safari.
Table 4. Identifying information for student.app
Name
| Setting
|
Identifier Type
| bundleID
|
Identifier
| com.lanschool.student
|
Code requirement
| anchor trusted
|
Table 5. Access permissions for student.app
Name
| Setting
|
Accessibility
| Allow
|
Post event
| Allow
|
Access all files
| Allow
|
Table 6. Apple event targets for student.app
Name
| Identifier
| Code Requirement
| Access
|
bundle ID
| com.apple.finder
| Identifier "com.apple.finder" and anchor apple
| Allow
|
bundle ID
| com.apple.Safari
| Identifier "com.apple.Safari" and anchor apple
| Allow
|
- Select Save.
- When you have created the profile, use an MDM provider to send the profile to all computers that are running or will run LanSchool Student.
Browser Extension Profiles for macOS 11.0 (Big Sur)
Appleās latest operating system macOS 11.0 (Big Sur) prevents 3rd party software from installing Profiles on the system.
Mobile Device Management (MDM) has the ability to install profiles, but anyone else who previously installed them to configure application settings will no longer be able to do so in macOS 11.0.
LanSchool Classic for many years has installed profiles to specify Chrome, and now Edge Browser settings, specifically so that our browser extensions are installed and cannot be removed.
For Big Sur and greater, we recommend adding our Chrome, Edge or Firefox policies to your MDM settings for those browsers:
Related Articles
Installing LanSchool Student for macOS
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview The following ...
Mass Deploying LanSchool Student for macOS
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview LanSchool provides the ...
Deploying LanSchool Classic Using Jamf Pro
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview The LanSchool Classic ...
Mass Deploying LanSchool Teacher for macOS
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview LanSchool provides the ...
Managing LanSchool Settings on macOS Using a MDM
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview A Mobile Device ...
Popular Articles
Limiting Website Use
Overview To block troublesome or distracting websites or limit students to a select few websites pertinent to the class, use the Limit Web feature in LanSchool Classic. The teacher can choose to restrict all web activity, allow only certain websites, ...
LanSchool Classic Teacher Guide
LanSchool Classic Teacher Console The LanSchool Teacher Console is the interface teachers will use to manage their classroom and students. It contains all the tools necessary for a teacher to effectively interact with students and create a ...
Installing LanSchool Teacher for Windows
Overview The following instructions will assist you with manually installing LanSchool Classic Teacher Console on a single Windows device. For information on installing the student client or mass deploying LanSchool throughout your organization, see ...
Latest Release Notes
LanSchool Classic Release Notes Customers with an active LanSchool subscription will have access to download the latest version from the LanSchool Classic Portal. For instructions, see Downloading LanSchool Installers. LanSchool Classic 9.3.0.12 ...
Blanking Student Screens
Overview Blank student screens on your channel and disable student keyboards and mice. This feature is useful when you want to lecture without the distraction of students playing with their computers, or you need to quickly gather their attention. ...
Recent Articles
Using Assessment Mode
Overview Assessment Mode allows an Administrator or Teacher to put student devices into a secure, locked mode in order to take a test or exam. When applied, the students devices enter Assessment Mode. During this mode the Teacher can't interact with ...
Downloading LanSchool Classic Installers
Overview LanSchool Classic Downloads are accessed in LanSchool Air. Classic customers will see all their information, expiration and licensing keys in LanSchool Air. Admins who use both LanSchool Classic and LanSchool Air only need to manage one ...
Configuring LCS Redirection
Overview In multiple LanSchool Connection Service scenarios, LCS Redirection allows administrators to set a default student LCS configuration where a MASTER LCS will send students to their correct LCS. The choice of LCS is configured based on the IP ...
Deploying LanSchool Classic Using Jamf Pro
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview The LanSchool Classic ...
Disabling Fast User Switching
Overview LanSchool Classic does not support Windows Fast User Switching feature. The student client will not function properly when the computer is switched to a second user account. It is recommended to disable Fast User Switching in order for the ...