Screenproof — Profile Creator

Builds a .mobileconfig managed-preferences profile for the app.screenproof domain. Everything runs in this page — no data leaves your machine. Every key is optional: an omitted key leaves the app's safe default in force and user-editable. Only settings you explicitly choose below are emitted.

1 · Profile metadata

Shown in System Settings → Profiles and in your MDM.

2 · Capture protection

Bundle IDs whose windows are blocked from capture. The managed list is unioned with each user's own list — users can add entries, never remove yours.

3 · PII detection

Builtin detectors always run at blur-suggested; a managed entry can lock a builtin's action. Custom regex patterns add detectors. Managed wins per name; users can only ever add detection, never weaken yours.

4 · Review & export

Unchecked = emit nothing; app default allows clipboard + folder. Unknown values are dropped by the app with a diagnostic.
Baked into the working copy at capture and re-stamped on every export. The dict replaces the user's watermark config entirely (no merge).

5 · Annotations

Where the editable annotation layer of a working copy persists — never the flattened export.

6 · Agent & audit

SIEM / Splunk HEC endpoint; every audit event is POSTed there as raw JSON. Leave empty to emit nothing.

7 · Licensing

Release builds block exports (never capture or redaction enforcement) until a valid license resolves. LicenseKey is the recommended one-profile route — the license itself travels in the profile, no file deployment — and wins over LicenseFilePath when both are set.

8 · Automatic updates (Sparkle)

Updates download, verify (EdDSA + Developer ID + notarization), and install with no user prompt — the fleet is current within one check interval of each release.

Output

0 keys in profile
Fresh PayloadUUIDs are generated at download time. The preview below uses this page-load's UUIDs.

    
Signing

Every major MDM re-signs (or encrypts) profiles on delivery, so uploading this file unsigned is the norm. If your org wants a signed file anyway (e.g. for manual installs), sign it with a certificate from your keychain:

security cms -S -N "Common Name of signing cert" -i screenproof-managed.mobileconfig -o signed.mobileconfig

More admin guides: Screenproof knowledge base.