Screenproof Admin KB

Deploy Screenproof with Mosyle

PKG plus a custom-settings profile. Mosyle is the tenant Screenproof's managed-preferences flow was validated on (2026-07-06), including MDM-delivered allowScreenShot and silent Sparkle updates.

1. Deploy the PKG

  1. Go to Management → Apps and choose Add PKG (an "Enterprise App" in Mosyle's terms).
  2. In step "URL of your .PKG file", paste the public download URL: https://updates.screenproof.app/Screenproof-latest.pkg. No authentication needed. Mosyle Add PKG dialog with the Screenproof download URL
  3. Check "This app is Signed" — the PKG is signed with an Apple Developer ID Installer certificate. You can leave MD5 file-integrity validation off (the URL is HTTPS and the installer's signature is verified by macOS), or compute a checksum of the downloaded file if your org requires it.
  4. Click Add Enterprise App, then assign it to the target device group.

The PKG installs /Applications/Screenproof.app and /Library/LaunchAgents/app.screenproof.agent.plist (per-user agent, RunAtLoad — Screenproof starts at each user's next login, not at boot). To verify the installer's signature on a client: pkgutil --check-signature Screenproof-<version>.pkg should show Developer ID Installer, team S65X5KY399.

2. Deploy the managed-preferences profile

  1. Build your profile: start from examples/managed-preferences.mobileconfig or the Profile Creator. Every key is optional — force only what your org needs.
  2. Go to Certificates / Custom Profiles and upload the raw .mobileconfig. Mosyle delivers the com.apple.ManagedClient.preferences payload as-is.
  3. Assign to the same device group and save. Deploy after the PKG.

Deploy the optional restrictions and PPPC profiles the same way — raw .mobileconfig uploads under Custom Profiles.

3. Verify on a target Mac

  1. Open Screenproof → Settings → Managed: the managed banner appears with your org's enforced values. Screenproof Settings, Managed tab: Managed by your organization banner and enforced values
  2. In the Privacy / Export / License tabs, rows forced by the profile show lock icons and read "Managed by your organization". Privacy tab: profile-enforced blocked app and locked PII detectors Export tab: locked destinations and watermark rows
  3. Open Policy Diagnostics: each forced key lists a MANAGED source. Policy Diagnostics: every forced key showing a MANAGED source

From Terminal, if you prefer:

sudo /usr/libexec/mdmclient QueryInstalledProfiles   # profile present
defaults read /Library/Managed\ Preferences/app.screenproof
Policy changes Screenproof reads managed keys at policy-resolution time — no daemon restart required in principle. Confirm in your trial deploy: change one key, re-push the profile, and check Policy Diagnostics picks up the new value without a relaunch.

Next steps