Granting macOS Privacy Approvals for LanSchool Using an MDM
Overview
For student devices running macOS Mojave (10.14) and later Apple introduced new privacy protection systems that must be configured correctly for LanSchool to work. It can be challenging to configure settings correctly so that all installed software works as it should.
Because it is impractical to visit each computer to make these approvals, Apple extended its Mobile Device Management (MDM) system to allow remote configuration of many of these approvals.
The macOS privacy approvals are necessary to enable full functionality for the LanSchool Student. They can be configured using a Mobile Device Management (MDM) server. The LanSchool Student application requires four approvals in order to allow all functionality.
Most MDM systems allow importing .mobileconfig template files in order to deploy policies to devices. For the best experience, download this pre-configured privacy policy template provided by LanSchool and deploy it to your devices Download: LanSchoolClassicStudentPolicy.mobileconfig.
Alternatively, follow the instructions below to manually create a policy.
The Screen Recording Approval cannot be automated. It must be enabled manually on the student device.
Table 1. LanSchool Student approvals
| Approval Name | Approval Description |
| Accessibility | During Remote Control, allows:
|
| Automation | Allows LanSchool students to:
|
| Microphone | Allowing LanSchool student to use the microphone permits a:
Microphone access cannot be configured with MDM. On the student computer, run: /Applications/ <LanSchool Student> Follow the wizard prompts. |
| Full Disk Access | LanSchool students need access to Safari files for teachers to determine and record student browser history. Teachers can access Firefox history files without granting full disk access permission. |
| Screen Recording | Only required for macOS Catalina (10.15) and later, the screen recording approval is necessary to allow LanSchool Student to share the student's screen with the teacher. This approval cannot be configured using an MDM server and must be enabled manually on each student device. |
Configuring the Privacy Approvals
The following instructions use SimpleMDM ( https://simplemdm.com/ ) as an example MDM provider to configure LanSchool Student. Other MDM provider interfaces may look slightly different but have similar features.
Enter information exactly as it is shown. This is especially important for code requirements.
Two applications make up LanSchool Student: LanSchool (lsutil.app) and LanSchool Student (student.app). Follow the steps below to configure them.
- Navigate your MDM provider interface to a location where you can create profiles and choose to create a profile to configure privacy preferences:
- Select Permissions.
- For the LanSchool application (lsutil.app), enter the settings shown in Tables 2-3 and highlighted in the screen shot below them:
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.lsutil. A bundle ID typically should identify each application.
- Enter anchor trusted for the code requirement. Apple uses the code requirement to verify that it has cryptographically signed applications, and that applications have not been altered or tampered with.
- In the Access Permissions section, set Accessibility to Allow.Table 2: Identifying information for lsutil.app
Identifier Setting Identifier type
bundleID Identifier
com.lanschool.lsutil Code requirement
anchor trusted
Table 3: Access permissions for lsutil.appNameSetting
Accessibility
Allow - Select Save.
- Select Permissions.
- For the LanSchool application (student.app), enter the settings shown in Tables 4-6 and highlighted in the screen shot below them. Settings that are not listed do not need to be changed.
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.student.
- Enter anchor trusted for the code requirement.
- In the Access Permissions section, set the following to Allow:
- Accessibility
- Post event
- Access all files
- Accessibility
- Create two Apple event targets, one for Finder and another for Safari, using the settings shown in Table 7. These settings allow LanSchool Student to send messages to Finder and Safari.Table 4. Identifying information for student.app
Name Setting
Identifier TypebundleID
Identifier
com.lanschool.student
Code requirement
anchor trustedTable 5. Access permissions for student.appName Setting
AccessibilityAllow
Post event
Allow
Access all files
AllowTable 6. Apple event targets for student.appName Identifier Code RequirementAccess
bundle IDcom.apple.finder Identifier "com.apple.finder" and anchor appleAllow
bundle ID
com.apple.SafariIdentifier "com.apple.Safari" and anchor appleAllow
- Select bundle ID as the identifier type.
- Select Save.
- When you have created the profile, use an MDM provider to send the profile to all computers that are running or will run LanSchool Student.
You can also use your MDM server to configure settings for the LanSchool Teacher and Student. See Managing LanSchool Settings with an MDM
Browser Extension Profiles for macOS 11.0 (Big Sur)
Apple’s operating system macOS 11.0 (Big Sur) prevents 3rd party software from installing Profiles on the system.
Mobile Device Management (MDM) has the ability to install profiles, but anyone else who previously installed them to configure application settings will no longer be able to do so in macOS 11.0.
LanSchool Classic for many years has installed profiles to specify Chrome, and now Edge Browser settings, specifically so that our browser extensions are installed and cannot be removed.
For Big Sur and greater, we recommend adding our Chrome, Edge or Firefox policies to your MDM settings for those browsers:
macOS 15.0 (Sequoia) Privacy Prompts
Apple's operating system macOS 15.0 (Sequoia) will now issue 2 privacy prompts on the student devices.
Screen Recording Prompt
The LanSchool Classic application has been approved for Screen Recording but a prompt will pop up occasionally.
This prompt will give students two options: continue to allow screen recording for one month or allow them to disable the approval.
- If the Screen Recording approval was approved by an administrator, students (Standard Users) cannot disable the approval.
- If the MDM setting "Allow Standard User to Set System Service" was set and the Screen Recording approval was approved by students (Standard Users), students will be able to disable the approval.
At this time, there is no way to prevent this prompt from appearing.
If the student has disabled the approval, the student thumbnail will display a message saying Screen Recording was not approved.
Allow Privacy Approval Screen Prompt
At random, students may see a prompt appear to allow LanSchool Student Privacy Approvals to find devices on local networks.
Selecting either option will not prevent the client from working.
At this time there is no way to prevent this prompt from appearing.
Related Articles
Mass Deploying LanSchool Student for macOS
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview LanSchool provides the ...Installing LanSchool Student for macOS
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview The following ...Deploying LanSchool Classic Using Jamf Pro
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview The LanSchool Classic ...Mass Deploying LanSchool Teacher for macOS
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview LanSchool provides the ...Managing LanSchool Settings on macOS Using a MDM
Update March 26, 2024: Release of macOS 14.4 has broken the ability to use SSID Whitelisting. Anyone currently using SSID Whitelisting, it is recommended to delay updating to macOS 14.4 until this issue has been fixed. Overview A Mobile Device ...
Popular Articles
Limiting Website Use
Overview To block troublesome or distracting websites or limit students to a select few websites pertinent to the class, use the Limit Web feature in LanSchool Classic. The teacher can choose to restrict all web activity, allow only certain websites, ...LanSchool Classic Teacher Guide
LanSchool Classic Teacher Console The LanSchool Teacher Console is the interface teachers will use to manage their classroom and students. It contains all the tools necessary for a teacher to effectively interact with students and create a ...Installing LanSchool Teacher for Windows
Overview The following instructions will assist you with manually installing LanSchool Classic Teacher Console on a single Windows device. For information on installing the student client or mass deploying LanSchool throughout your organization, see ...Latest Release Notes
LanSchool Classic Release Notes Customers with an active LanSchool subscription will have access to download the latest version from the LanSchool Classic Portal. For instructions, see Downloading LanSchool Installers. LanSchool Classic 9.3.0.56 ...Unloading LanSchool from the Student Device Temporarily
Overview A teacher can temporarily unload the student agent from Windows or Mac device. This function is useful in situations where students must use an application that requires the LanSchool Student be removed or disabled, such as secure browsers ...
Recent Articles
Troubleshooting WiFi Tampering
Overview With the latest version of Windows 11, LanSchool Classic is unable to retrieve a list of available SSIDs on the student machine unless Location Services is enabled on the device. Enabling Location Services To enable Location Services ...Disabling Edge Split Screen
Overview LanSchool Air is unable to limit the web in Microsoft Edge when the student uses the Edge Split Screen feature. The LanSchool Air extension does not register the second screen and will not block the website. It is recommended to disable Edge ...End of Life LanSchool Classic Chromebook Student
End of Life LanSchool Classic Chromebook Student Google is no longer supporting Chrome OS apps like LanSchool Classic on Chromebooks, as of ChromeOS version 132. However, users now have the option to enable a setting in their Google Workspace Admin ...End of Life LanSchool Classic Android Student
As of August 15, 2024 LanSchool Classic Android Student has reached End of Life and will no longer be developed.Disabling Teacher Console Registration Prompt
Overview New installations of LanSchool Classic Teacher Console will receive a prompt to register LanSchool. This prompt may be disabled to prevent disrupting teachers. Disabling Registration Prompt Using Registry Key Navigate to this policy key: ...