Overview
For student devices running macOS Mojave (10.14) and later Apple introduced new privacy protection systems that must be configured correctly for LanSchool to work. It can be challenging to configure settings correctly so that all installed software works as it should.
Because it is impractical to visit each computer to make these approvals, Apple extended its Mobile Device Management (MDM) system to allow remote configuration of many of these approvals.
The macOS privacy approvals are necessary to enable full functionality for the LanSchool Student. They can be configured using a Mobile Device Management (MDM) server. The LanSchool Student application requires four approvals in order to allow all functionality.
Most MDM systems allow importing .mobileconfig template files in order to deploy policies to devices. For the best experience, download this pre-configured privacy policy template provided by LanSchool and deploy it to your devices
Download: LanSchoolClassicStudentPolicy.mobileconfig.
Alternatively, follow the instructions below to manually create a policy.
The Screen Recording Approval cannot be automated. It must be enabled manually on the student device.
Table 1. LanSchool Student approvals
Approval Name
| Approval Description
|
Accessibility
| During Remote Control, allows:
- Keystroke recording and alerting
- Keyboard and mouse input blocking
|
Automation
| Allows LanSchool students to:
- Automate Safari, which e nables teacher control of Safari during web limiting.
- Automate Finder, which allows the teacher to Clear Desktop (closes all windows on the desktop). Clear Desktop can ease transition from one class to another.
|
Microphone
| Allowing LanSchool student to use the microphone permits a:
- Teacher to talk to a student
- Student to talk to the rest of the class
Microphone access cannot be configured with MDM. On the student computer, run:
/Applications/ <LanSchool Student>
Follow the wizard prompts.
|
Full Disk Access
| LanSchool students need access to Safari files for teachers to determine and record student browser history. Teachers can access Firefox history files without granting full disk access permission.
|
Screen Recording
| Only required for macOS Catalina (10.15) and later, the screen recording approval is necessary to allow LanSchool Student to share the student's screen with the teacher.
This approval cannot be configured using an MDM server and must be enabled manually on each student device. |
Configuring the Privacy Approvals
The following instructions use SimpleMDM (
https://simplemdm.com/ ) as an example MDM provider to configure LanSchool Student. Other MDM provider interfaces may look slightly different but have similar features.
Enter information exactly as it is shown. This is especially important for code requirements.
Two applications make up LanSchool Student: LanSchool (lsutil.app) and LanSchool Student (student.app). Follow the steps below to configure them.
Navigate your MDM provider interface to a location where you can create profiles and choose to create a profile to configure privacy preferences:
- Select Permissions.
- For the LanSchool application (lsutil.app), enter the settings shown in Tables 2-3 and highlighted in the screen shot below them:
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.lsutil. A bundle ID typically should identify each application.
- Enter anchor trusted for the code requirement. Apple uses the code requirement to verify that it has cryptographically signed applications, and that applications have not been altered or tampered with.
In the Access Permissions section, set Accessibility to Allow.
Table 2: Identifying information for lsutil.app
Identifier
| Setting
|
Identifier type
| bundleID
|
Identifier
| com.lanschool.lsutil
|
Code requirement
| anchor trusted
|
Table 3: Access permissions for lsutil.app
Name
| Setting
|
Accessibility
| Allow
|
Select Save.
Select Permissions.
For the LanSchool application (student.app), enter the settings shown in Tables 4-6 and highlighted in the screen shot below them. Settings that are not listed do not need to be changed.
- Select bundle ID as the identifier type.
- Create an app identity for the application bundle ID com.lanschool.student.
- Enter anchor trusted for the code requirement.
In the Access Permissions section, set the following to Allow:
- Accessibility
- Post event
- Access all files
Create two Apple event targets, one for Finder and another for Safari, using the settings shown in Table 7. These settings allow LanSchool Student to send messages to Finder and Safari.
Table 4. Identifying information for student.app
Name
| Setting
|
Identifier Type
| bundleID
|
Identifier
| com.lanschool.student
|
Code requirement
| anchor trusted
|
Table 5. Access permissions for student.app
Name
| Setting
|
Accessibility
| Allow
|
Post event
| Allow
|
Access all files
| Allow
|
Table 6. Apple event targets for student.app
Name
| Identifier
| Code Requirement
| Access
|
bundle ID
| com.apple.finder
| Identifier "com.apple.finder" and anchor apple
| Allow
|
bundle ID
| com.apple.Safari
| Identifier "com.apple.Safari" and anchor apple
| Allow
|
- Select Save.
- When you have created the profile, use an MDM provider to send the profile to all computers that are running or will run LanSchool Student.
Apple’s operating system macOS 11.0 (Big Sur) prevents 3rd party software from installing Profiles on the system.
Mobile Device Management (MDM) has the ability to install profiles, but anyone else who previously installed them to configure application settings will no longer be able to do so in macOS 11.0.
LanSchool Classic for many years has installed profiles to specify Chrome, and now Edge Browser settings, specifically so that our browser extensions are installed and cannot be removed.
For Big Sur and greater, we recommend adding our Chrome, Edge or Firefox policies to your MDM settings for those browsers:
macOS 15.0 (Sequoia) Privacy Prompts
Apple's operating system macOS 15.0 (Sequoia) will now issue 2 privacy prompts on the student devices.
Screen Recording Prompt
The LanSchool Classic application has been approved for Screen Recording but a prompt will pop up occasionally.
This prompt will give students two options: continue to allow screen recording for one month or allow them to disable the approval.
- If the Screen Recording approval was approved by an administrator, students (Standard Users) cannot disable the approval.
- If the MDM setting "Allow Standard User to Set System Service" was set and the Screen Recording approval was approved by students (Standard Users), students will be able to disable the approval.
At this time, there is no way to prevent this prompt from appearing.
If the student has disabled the approval, the student thumbnail will display a message saying Screen Recording was not approved.
Allow Privacy Approval Screen Prompt
At random, students may see a prompt appear to allow LanSchool Student Privacy Approvals to find devices on local networks.
Selecting either option will not prevent the client from working.
At this time there is no way to prevent this prompt from appearing.