One of the major changes for Mac Admins in the forthcoming operating system Big Sur is that, at least until this past week, non-admin users could not grant screen recording permission. This permission is required to share your screen in apps like Zoom, or to receive remote support using apps like Bomgar/BeyondTrust, Splashtop, or TeamViewer.
This change in posture was deeply hostile to the people who manage fleets of any size, because it would mean manual admin intervention to permit apps whose basic functionality is critical in the middle of a pandemic to operate.
I understand that Apple treats privacy as a human right, that some IT organizations don’t share that opinion, and that this was a way to help enforce a user’s right to privacy. Hearing the outcry from admins all over, Apple has provided a fix, in the form of an MDM payload key that allows a standard user to approve applications that are specified in the profile. However, here’s what it’s wrought:
Last night, an intrepid group of admins and engineers worked together to craft a single MDM profile that includes more than 35 individual applications that might ask for this permission, so that it could be deployed to minimize user interruption for what should be a basic task.
A blanket reprieve isn’t good for security either, Apple, but it is what we need to do in order to focus on our jobs instead of typing in admin passwords all day, or constantly updating a custom profile to keep our users compliant with the security posture requirements written into key agreements. I don’t think this is good engineering, but Apple bolting this door when we weren’t even asking it to be closed isn’t good user experience.