Granting macOS Privacy Approvals for LanSchool Using an MDM
Overview
For student devices running macOS Mojave (10.14) and later Apple introduced new privacy protection systems that must be configured correctly for LanSchool to work. It can be challenging to configure settings correctly so that all installed software works as it should. Because it is impractical to visit each computer to make these approvals, Apple extended its Mobile Device Management (MDM) system to allow remote configuration of many of these approvals.
The macOS privacy approvals necessary to enable full functionality for the LanSchool Student can be configured using a Mobile Device Management (MDM) server. The LanSchool Student application requires four approvals in order to allow all functionality.
Most MDM systems allow importing .mobileconfig template files in order to deploy policies to devices. For the best experience, download this pre-configured privacy policy template provided by LanSchool and deploy it to your devices: LanSchoolClassicStudentPolicy.mobileconfig. Alternatively, follow the instructions below to manually create a policy.
The Screen Recording Approval cannot be automated. It must be enabled manually on the student device.
Table 1. LanSchool Student approvals
| Approval Name | Approval Description |
| Accessibility | During Remote Control, allows:
|
| Automation | Allows LanSchool students to:
|
| Microphone | Allowing LanSchool student to use the microphone permits a:
Microphone access cannot be configured with MDM. On the student computer, run: /Applications/ <LanSchool Student> Follow the wizard prompts. |
| Full Disk Access | LanSchool students need access to Safari files for teachers to determine and record student browser history. Teachers can access Firefox history files without granting full disk access permission. |
| Screen Recording | Only required for macOS Catalina (10.15) and later, the screen recording approval is necessary to allow LanSchool Student to share the student's screen with the teacher. This approval cannot be configured using an MDM server and must be enabled manually on each student device. |
Procedure
The following instructions use SimpleMDM ( https://simplemdm.com/ ) as an example MDM provider to configure LanSchool Student. Other MDM provider interfaces may look slightly different but have similar features.
Enter information exactly as it is shown. This is especially important for code requirements.
Two applications make up LanSchool Student: LanSchool (lsutil.app) and LanSchool Student (student.app). Follow the steps below to configure them.
- In the MDM provider interface, navigate to where profiles can be created. Select the option that creates a profile to configure privacy preferences.
- Select Permissions.
- For the LanSchool application (lsutil.app), enter the settings shown in Tables 2-3 and highlighted in the screen shot below them:
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.lsutil. A bundle ID typically should identify each application.
- Enter anchor trusted for the code requirement. Apple uses the code requirement to verify that it has cryptographically signed applications, and that applications have not been altered or tampered with.
- In the Access Permissions section, set Accessibility to Allow.Table 2: Identifying information for lsutil.app
Identifier Setting Identifier type
bundleID Identifier
com.lanschool.lsutil Code requirement
anchor trusted
Table 3: Access permissions for lsutil.appNameSetting
Accessibility
Allow - Select Save.
- Select Permissions.
- For the LanSchool application (student.app), enter the settings shown in Tables 4-6 and highlighted in the screen shot below them. Settings that are not listed do not need to be changed.
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.student.
- Enter anchor trusted for the code requirement.
- In the Access Permissions section, set the following to Allow:
- Accessibility
- Post event
- Access all files
- Accessibility
- Create two Apple event targets, one for Finder and another for Safari, using the settings shown in Table 7. These settings allow LanSchool Student to send messages to Finder and Safari.Table 4. Identifying information for student.app
Name Setting
Identifier TypebundleID
Identifier
com.lanschool.student
Code requirement
anchor trustedTable 5. Access permissions for student.appName Setting
AccessibilityAllow
Post event
Allow
Access all files
AllowTable 6. Apple event targets for student.appName Identifier Code RequirementAccess
bundle IDcom.apple.finder Identifier "com.apple.finder" and anchor appleAllow
bundle ID
com.apple.SafariIdentifier "com.apple.Safari" and anchor appleAllow
- Select bundle ID as the identifier type.
- Select Save.
- When you have created the profile, use an MDM provider to send the profile to all computers that are running or will run LanSchool Student. You are done!
You can also use your MDM server to configure settings for the LanSchool Teacher and Student. See Managing LanSchool Settings with an MDM
Browser Extension Profiles for macOS 11.0 (Big Sur)
Apple’s latest operating system macOS 11.0 (Big Sur) prevents 3rd party software from installing Profiles on the system.
Mobile Device Management (MDM) has the ability to install profiles, but anyone else who previously installed them to configure application settings will no longer be able to do so in macOS 11.0.
LanSchool Classic for many years has installed profiles to specify Chrome, and now Edge Browser settings, specifically so that our browser extensions are installed and cannot be removed.
For Big Sur and greater, we recommend adding our Chrome and Edge policies to your MDM settings for those browsers:
Chrome:
ExtensionInstallForcelist:
honjcnefekfnompampcpmcdadibmjhlk;https://clients2.google.com/service/update2/crx
In XML this would look like this:
- <key>ExtensionInstallForcelist</key>
- <array>
- <string>honjcnefekfnompampcpmcdadibmjhlk;https://clients2.google.com/service/update2/crx</string>
- </array>
Edge:
ExtensionInstallForcelist:
hbonijggfojboimdmhilgnikbkeodiha;https://edge.microsoft.com/extensionwebstorebase/v1/crx
In XML this would like like this:
- <key>ExtensionInstallForcelist</key>
- <array>
- <string>hbonijggfojboimdmhilgnikbkeodiha;https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
- </array>
Our Edge policies also configure two other settings in the browser that you may find desirable in an education setting:
1.Disable Developer Tools. These tools can be used to subvert extensions and other things.
- <dict>
- <key>DeveloperToolsAvailability</key>
- <integer>0</integer>
- </dict>
2. Disable Private Browsing. Our extension cannot record private browsing in any reliable way.
- <dict>
- <key>InPrivateModeAvailability</key>
- <integer>1</integer>
- </dict>
Related Articles
Installing LanSchool Student for macOS
Overview The following instructions will assist you with manually installing LanSchool Classic Student on a single macOS student device. For information on installing the teacher client or mass deploying LanSchool throughout your organization, see ...Mass Deploying LanSchool Student for macOS
Overview LanSchool provides the ability to mass deploy the LanSchool Student client for Mac OS through the creation of a custom installation package. Once this package has been created, you will be able to use your software distribution system to ...Mass Deploying LanSchool Teacher for macOS
Overview LanSchool provides the ability to mass deploy the LanSchool teacher client for macOS through the creation of a custom installation package. Once this package has been created, you will be able to use your software distribution system to push ...Managing LanSchool Settings on macOS Using a MDM
Overview A Mobile Device Management (MDM) system can be used to manage LanSchool Student and LanSchool Teacher Console settings. Most MDM systems allow importing .mobileconfig files in order to deploy profiles to devices. LanSchool provides two files ...Installing LanSchool Teacher for macOS
Overview The following instructions will assist you with manually installing LanSchool Teacher on a single MacOS teacher device. For information on installing the student client or mass deploying LanSchool throughout your organization, see Setting up ...
Popular Articles
Limiting Website Use
Overview To block troublesome or distracting websites or limit students to a select few websites pertinent to the class, use the Limit Web feature in LanSchool Classic. The teacher can choose to restrict all web activity, allow only certain websites, ...Installing LanSchool Teacher for Windows
Overview The following instructions will assist you with manually installing LanSchool Classic Teacher Console on a single Windows device. For information on installing the student client or mass deploying LanSchool throughout your organization, see ...Latest Release Notes
LanSchool Classic Release Notes Customers with an active LanSchool subscription will have access to download the latest version from the LanSchool Customer Portal. For instructions, see Downloading LanSchool Installers. LanSchool Classic 9.1.0.82 ...Limiting Application Use
Overview Teachers can control the applications that are allowed to run on the student computers. The application limiting policy can stop ALL applications from running except for those specified in an "allow list" or can allow all application except ...Configuring and Troubleshooting Wake on Lan
Overview LanSchool utilizes Wake on Lan to power on the student computers remotely. This feature is not enabled by default on many systems and will have to be enabled by the user. Your device manufacturer will be able to assist you with the Wake on ...
Recent Articles
Using Enable Channel Select Utility
Overview LanSchool Classic comes packaged with utilities that can help administrators with making changes to already installed clients. The Enable Channel Select utility allows teachers to be able to change their teacher channel, view multiple ...Viewing Student Screens
Overview Screen Monitoring mimics the classroom environment, enabling teachers to provide assistance and encouragement to keep students on task. Opening the LanSchool Teacher Console On a Windows teacher computer, you will see a small LanSchool icon ...Deploying LanSchool Classic Using Intune
Overview The LanSchool Classic for Windows agent supports a number of different deployment methods and tools using a MSI. See Mass Deploying LanSchool Student for Windows for more detailed instructions. Please note that our support team can only ...Using the SetChannel.exe Utility
Overview LanSchool Classic comes packaged with utilities that can help administrators with making changes to already installed clients. The SetChannel.exe utility can be used to update local Teacher or Student Channels, make changes to the LanSchool ...Disabling Speak to Class
Overview By default, LanSchool Classic instructors are able to speak directly to the class using the Teacher Console. Some organizations need to prevent instructors from speaking to students with LanSchool Classic. Administrators can disable the ...