Screenproof Admin KB

Screen Recording permission & native-capture lockdown

What MDM can and cannot do about macOS Screen Recording (TCC), and the two profiles that make Screenproof the sole sanctioned capture path on managed devices.

You cannot pre-grant Screen Recording. Nobody can.

Be accurate about the limit: the com.apple.TCC service ScreenCapture is user-approved only. A PPPC (Privacy Preferences Policy Control) payload cannot pre-grant Screen Recording to Screenproof or any app — Apple requires an explicit user click on the system prompt, full stop. Any vendor claiming otherwise is wrong.

What PPPC can do here: deny the ScreenCapture service to other named apps, so only Screenproof remains a viable capture path once native capture is also disabled (below). It cannot allow-list Screenproof to skip the prompt.

The one-time onboarding step (plan for it)

  1. First launch: Screenproof requests Screen Recording via the standard TCC API — macOS shows the system permission prompt.
  2. The user clicks Open System Settings (macOS routes the in-app prompt there) → Privacy & Security → Screen Recording → toggle Screenproof on.
  3. Screenproof detects the grant and the menu-bar icon flips from "Awaiting permission" to ready.

Document this as a one-time, ~30-second onboarding step in your fleet-wide rollout communication — it is not optional and MDM does not remove it.

Recurring macOS Tahoe re-approval Expect a re-approval nag ("…requesting to bypass the system private window picker…") roughly monthly per user. No MDM-side suppression is confirmed yet; tell users to expect and re-approve it.

Profile 1 — Restrictions: allowScreenShot=false

Use examples/restrictions-allowscreenshot.mobileconfig as-is (payload identifier app.screenproof.restrictions, a com.apple.applicationaccess payload with allowScreenShot=false).

What it does: blocks Cmd+Shift+3 / Cmd+Shift+4 and the screencapture CLI system-wide. What it does not block: Screenproof's own ScreenCaptureKit-based capture — once the user has approved the Screen Recording prompt, Screenproof keeps working normally.

PathResult
Cmd+Shift+3Blocked — OS dialog "Your screenshot can't be saved. Screenshots are not allowed."
screencapture -x CLIBlocked — no file written
ScreenCaptureKit capture (TCC-approved Screenproof)Works — full capture succeeds
Validated 2026-07-06 with an MDM-delivered profile (Mosyle) Screenproof is the sole sanctioned capture path once MDM disables native capture: with allowScreenShot=false delivered by MDM, the native hotkey shows the OS dialog "Your screenshot can't be saved. Screenshots are not allowed." while a Screenproof capture on the same enrolled device succeeds.

Profile 2 — PPPC denylist for other capture apps

Start from examples/pppc-deny-screencapture.mobileconfig. It denies the ScreenCapture TCC service to a starter list of capture tools (QuickTime Player's screen recording, OBS Studio, CleanShot X, Shottr, Snagit) — denied apps get no TCC prompt and no capture. One entry per app:

<key>Services</key>
<dict>
    <key>ScreenCapture</key>
    <array>
        <dict>
            <key>Identifier</key>
            <string>com.example.legacycapturetool</string>
            <key>IdentifierType</key>
            <string>bundleID</string>
            <key>Authorization</key>
            <string>Deny</string>
        </dict>
    </array>
</dict>

Know the constraints:

Deploy via each MDM's native PPPC editor (Jamf: Configuration Profiles → Privacy Preferences Policy Control; Kandji: Library → Privacy Preferences Policy Control; Intune: the PPPC template, or a Custom payload if the built-in UI doesn't expose Deny) — or upload the example .mobileconfig raw, same as the other profiles.

What this posture does and does not achieve