Splashtop Mac all permissions should not be required

Just been working through how tedious it is getting Splashtop configured for a Mac and one thing in particular springs to mind…

Syncro really needs to allow remote connections even if not all the permissions are granted.

The only permission you really need is “Screen Recording”. The other three (Full Disk Access, Accessibility, and Microphone) are not required to be able to see the screen. And when you are trying to troubleshoot problems over the phone, just being able to see the screen makes a huge difference. (As an aside, requiring microphone access is very bad, as every single user freaks out when you make them enable it).

Once you can see the screen it’s much easier to guide users through enabling the other required permissions.

The technical aspects of this are the requirements for Splashtop. One can and should leverage MDM for management of any current version of macOS (Apple has been making this known as first a recommendation and by now a requirement to remotely manage many aspects of the OS) for many years now.

The requirements you need to enable for Splashtop result from Apple’s now longstanding PPPC security mechanism(s). Suggest having a look at mac OS what is PPPC - Google Search

Because Syncro isn’t and doesn’t offer MDM per se, it does mean another technology is needed to properly maintain your Macs - your MDM of choice.
There is a free offering for up to 30 devices (bearing in mind free meaning no official support) for Mosyle, which is a fine choice for MDM. Mosyle.com (I have zero affiliation just a happy user).

There are many other MDM vendors, but they will all be more costly and have a bigger overhead in terms of getting to know the vendor’s system/interface.


We primarily use JAMF to push out MDM profiles so I’m well aware of that. (Also aware that a lot of the time you have to add the permissions manually as well because either Syncro or Splashtop don’t correctly recognise it).

I’d be interested to know what the mechanics of the setup is. Does Syncro merely ask Splashtop if it’s ready for a connection, or does Syncro know about the 4 required permissions and waits until they are all given?

We know about the 4 permissions and wait until they are all given.

Ok cool… so in theory you could establish a remote session with just Screen Recording enabled?

If so, can I please add a feature request for that. It would make life a lot easier.

You could even brand it as a “High Security” mode whereby technicians can see the remote screen, but are prohibited from making any direct changes. :slight_smile:

Without these permissions, all of the Splashtop functionality wouldn’t work. I get you only need one component of that in your instance, but this would be confusing for users. I also don’t even know if that would actually work or not.

If you are already adding permissions for one item, it’s not very time consuming to add it to the other areas as well. Normally when managing Macs you’d set your permissions through an MDM regardless, but for manual one-offs I don’t see us changing this requirement.

End users have no clue about these requirements. The techs are the people that care about this. And yes, we set permissions we can through MDM, but too many times I’ve had to add the permissions manually anyway because Syncro refuses to believe the permissions are there, even when Splashtop says they are.

Can you elaborate on what you mean by Syncro doesn’t believe the permissions are enabled, so you have to manually enable them? I’m trying to better understand what it is you are having to do specifically to get it working. I want to be sure I am not misunderstanding.

Permissions for Splashtop are provided through an MDM profile for Full Disk Access, and Accessibility. Screen Recording permissions are set via MDM as “Standard Users allowed to change” and Microphone permissions are added manually.

The same for the Syncro agent. MDM profile for Full Disk, MDM (Standard User) for Screen Recording.

This is a screenshot from macOS Monterey.

And here is a couple from Mojave


Curious about this too and awaiting the followup.

If they are all enabled on the Mac but Syncro doesn’t show that they are enabled I’d open a support ticket for that if you haven’t already.

I did. That’s where I found out I need to manually add them, regardless of what MDM profile I have installed. Which is what prompted me to ask if all the permissions really are required just to view the assets screen.

I’ve had a ticket open about this since April (97347). It’s silly that a feature is blocked for use by SyncroMSP but works without issue from Splashtop for business and from NinjaRMM’s Splashtop for RMM on the same endpoints.

I get that macOS is not your top priority, but this does completely block my ability to resell Splashtop or use the feature on macOS. On top of that, if it’s enabled on a macOS endpoint Splashtop Streamer steals focus a couple times an hour. If Splashtop is disabled in SyncroMSP, Splashtop does not steal focus. Almost like Syncro is checking permissions on a schedule and bringing Streamer to the front.

@matt12 and @Andy I hope we are all in agreement that manually adding PPPC is not an acceptable solution. This has been an issue for months.

¯_(ツ)_/¯

@anon80049295 to be clear about this issue @matt12 is delivering PPPC correctly. But Syncro MSP is not checking/ignoring PPPC delivered via MDM. So even when the profiles are correctly applied and Splashtop Streamer has every permission needed to function, SyncroMSP throws up a block and does not allow a connection to even be attempted.

More to the point though SyncroMSP has made deeply flawed assumptions about remote access on macOS and what is “required”.

To be as clear as possible, none of the PPPC are required to start a Splashtop session. At a minimum, there should be a button to bypass this unnecessary guardrail that SyncroMSP had decided to deploy.

  • Full Disk Access is not required.
  • Accessibility is not required.
  • Screen Recording is not required.

The level of success that can be had varies, but blocking sessions just because these aren’t enabled is a decision that was made by someone who has not supported macOS. It is not a decision that would be made by anyone who’s had to walk end users through manual PPPC or by anyone who’s deployed PPPC via MDM.

Here’s a bit of a breakdown.

Full Disk Access - This is NEVER required for a remote session; it helps with sharing files but has nothing to do with a successful screen share. Blocking Splashtop sessions because of a lack of Full Disk Access is … silly.

Accessibility - Required only if the mouse and keyboard need to be used during the remote session. As @matt12 has pointed out, but oh boy, is it easier to direct an end user to the proper settings in System Preferences if you can see, but not control their screen. Blocking Splashtop sessions because of a lack of Accessibility permissions is … silly.

Screen Recording - Only required to see what’s on the screen. Again, this is absolutely not required for a successful Splashtop Session. If file transfers are still possible (whether or not FDA is enabled). If Accessibility is allowed, the session has access to the keyboard and mouse. More than a few times I’ve used this to enter admin credentials so an end user could enable Screen Recording. Blocking Splashtop sessions because of a lack of Screen Recording permissions may seem helpful but it very likely can be the opposite.

Please @Andy beyond just being broken, this feature is fundamentally flawed. It treats the admins that use SyncroMSP like we don’t know what we’re doing and actively makes Splashtop harder to deploy while simultaneously making it less useful.

@peet The post showing permissions was posted chronologically after mine. You see that right?

At any rate, I’ve never had any success with Splashtop when screen recording is not enabled. I can see the screen but it doesn’t update if at all very often.

Please don’t aim your criticisms at me. Your post covers some things I was not even trying to speak to, but you pivoted from not addressing my key point that MDM is needed and Syncro isn’t that, to your larger beef with Syncro.

Ok, best to you and sorry (really not) for speaking.

I’ll throw my $0.02 in here, I’ve been a long time Splashtop Business user. I’ve never seen where you can remotely connect and see anything, without having Screen Recording permissions set. Even their help articles state it, (this is for SOS, but same thing really).

I would never enter creds on a remote machine that I couldn’t see where I was actually entering them. Imagine if the user clicked out of the masked field or something and you just gave up the admin creds.

Yeah you can’t. Every remote access application on Mac requires it.

@anon80049295 two things. First, I’m sorry I didn’t edit the @ mention out. I started down one path with the above post and expanded as I realized just how frustrated I was at the issue. My original reason for @ ing you was just to point out that this wasn’t a case of the OP not understanding PPPC and MDM. That’s it. No slight or offense intended. If this forum actually had threaded replies, it would have been easier to make that point clearly in a single short reply so that others reading the full thread could be filled in early while moving down the chain. (But hey, sponsored forum is still light years better than just FB!)

Everything after that is 100% for the SyncroMSP folks. I really don’t think this feature was conceived of by a MacAdmin and it definitely wasn’t tested in an MDM managed macOS environment. Support has had a very clear understanding that it’s broken since April. That coupled with Syncro forcing guardrails and all that implies really does have me frustrated.

So again the criticism is aimed at the broken feature and the overall implementation, not in any way at you.

Thing two, if Screen Recording is not enabled, you can only see the windows Splashtop Streamer spawns. But regardless, the session can still copy files and if Accessibility is enabled you can control the mouse and keyboard. So there can easily be reasons to connect without all the PPPC’s enabled.
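
An added example, not part of any post above and not Syncro's or Splashtop's code: a Python reader for a PPPC configuration profile that reports, for one app, which of the four permissions discussed in this thread the profile grants outright and which still need approval on the Mac itself. The bundle ID `com.example.streamer`, the `CodeRequirement` value and the sample profile are constructed; the payload type, service keys and `Authorization` values are those of Apple's PPPC payload.

```python
import plistlib

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
SERVICES = ("SystemPolicyAllFiles", "Accessibility", "ScreenCapture", "Microphone")

def _entry(bundle_id, authorization):
    # CodeRequirement is a placeholder here; a real profile carries the app's signing requirement.
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": "PLACEHOLDER", "Authorization": authorization}

# Constructed sample mirroring the setup described in the thread: Full Disk Access and
# Accessibility allowed, Screen Recording left to a standard user, Microphone not in the profile.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PPPC_TYPE,
        "Services": {
            "SystemPolicyAllFiles": [_entry("com.example.streamer", "Allow")],
            "Accessibility": [_entry("com.example.streamer", "Allow")],
            "ScreenCapture": [_entry("com.example.streamer",
                                     "AllowStandardUserToSetSystemService")],
        },
    }],
})

def pppc_state(profile_bytes, bundle_id):
    """Return {service: authorization}; 'NotManaged' where the profile says nothing."""
    state = {svc: "NotManaged" for svc in SERVICES}
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_TYPE:
            continue
        for svc, entries in payload.get("Services", {}).items():
            for e in entries:
                if svc not in state or e.get("Identifier") != bundle_id:
                    continue
                # Older profiles use the boolean Allowed key instead of Authorization.
                state[svc] = e.get("Authorization") or ("Allow" if e.get("Allowed") else "Deny")
    return state

def needs_user_action(state):
    """Services the profile does not grant outright, so someone must approve them locally."""
    pending = ("NotManaged", "AllowStandardUserToSetSystemService")
    return sorted(svc for svc, auth in state.items() if auth in pending)

if __name__ == "__main__":
    st = pppc_state(SAMPLE_PROFILE, "com.example.streamer")
    for svc in SERVICES:
        print(f"{svc:22} {st[svc]}")
    print("still needs approval on the Mac:", needs_user_action(st))
```
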