Deploy Screenproof with Jamf Pro
A package policy for the PKG, and a Configuration Profile for the app.screenproof managed preferences. Deploy the PKG first.
1. Deploy the PKG
- Settings â Computer Management â Packages â upload
Screenproof-<version>.pkg(download the current build fromhttps://updates.screenproof.app/Screenproof-latest.pkg). - Policies â new policy â Packages â add it. Trigger: Enrollment Complete or Recurring Check-in. Scope to the target smart group.
- Verify signature client-side after install:
pkgutil --check-signature Screenproof-<version>.pkgshould show Developer ID Installer, teamS65X5KY399.
The PKG installs /Applications/Screenproof.app and /Library/LaunchAgents/app.screenproof.agent.plist (per-user agent, RunAtLoad â starts at each user's next login, not at boot).
2. Deploy the managed-preferences profile
Two equivalent routes:
- Raw upload (simplest): Computer Configuration Profiles â New â Upload â import the
.mobileconfigdirectly (start fromexamples/managed-preferences.mobileconfigor the Profile Creator). The raw upload preserves thecom.apple.ManagedClient.preferencespayload as-is; no Custom Schema needed. Scope to the target smart group. - Manual entry: Configuration Profiles â New â Application & Custom Settings â enter domain
app.screenproofand the keys yourself, if you prefer Jamf's UI over raw XML.
Deploy the optional restrictions profile the same way (raw upload). For the PPPC denylist, Jamf also has a native editor under Configuration Profiles â Privacy Preferences Policy Control.
3. Verify on a target Mac
- Open Screenproof â Settings â Managed: the managed banner appears with your org's enforced values.
- In the Privacy / Export / License tabs, rows forced by the profile show lock icons and read "Managed by your organization".
- Open Policy Diagnostics: each forced key lists a MANAGED source.
sudo /usr/libexec/mdmclient QueryInstalledProfiles # profile present
defaults read /Library/Managed\ Preferences/app.screenproof
Live-reload under Jamf push: not yet re-validated Screenproof reads managed keys at policy-resolution time â no daemon restart required in principle â but live-reload behavior under Jamf push updates has not been re-validated. Confirm in your trial deploy: push the profile, change one key, re-push, and check Policy Diagnostics picks up the new value without a relaunch.
Next steps
- Screen Recording permission â the one-time user approval MDM cannot skip, plus native-capture lockdown.
- Fleet licensing â add
LicenseKeyto the same profile. - Updates â silent Sparkle updates via three more keys.