Screenproof Admin KB

Deploy Screenproof with Jamf Pro

A package policy for the PKG, and a Configuration Profile for the app.screenproof managed preferences. Deploy the PKG first.

1. Deploy the PKG

  1. Settings → Computer Management → Packages → upload Screenproof-<version>.pkg (download the current build from https://updates.screenproof.app/Screenproof-latest.pkg).
  2. Policies → new policy → Packages → add it. Trigger: Enrollment Complete or Recurring Check-in. Scope to the target smart group.
  3. Verify signature client-side after install: pkgutil --check-signature Screenproof-<version>.pkg should show Developer ID Installer, team S65X5KY399.

The PKG installs /Applications/Screenproof.app and /Library/LaunchAgents/app.screenproof.agent.plist (per-user agent, RunAtLoad — starts at each user's next login, not at boot).

2. Deploy the managed-preferences profile

Two equivalent routes:

Deploy the optional restrictions profile the same way (raw upload). For the PPPC denylist, Jamf also has a native editor under Configuration Profiles → Privacy Preferences Policy Control.

3. Verify on a target Mac

  1. Open Screenproof → Settings → Managed: the managed banner appears with your org's enforced values.
  2. In the Privacy / Export / License tabs, rows forced by the profile show lock icons and read "Managed by your organization".
  3. Open Policy Diagnostics: each forced key lists a MANAGED source.
sudo /usr/libexec/mdmclient QueryInstalledProfiles   # profile present
defaults read /Library/Managed\ Preferences/app.screenproof
Live-reload under Jamf push: not yet re-validated Screenproof reads managed keys at policy-resolution time — no daemon restart required in principle — but live-reload behavior under Jamf push updates has not been re-validated. Confirm in your trial deploy: push the profile, change one key, re-push, and check Policy Diagnostics picks up the new value without a relaunch.

Next steps