macOS Big Sur Beta 1: Standard user cannot add or approve apps for Screen Recording

I noticed the following issue in macOS Big Sur Beta 1:
Popular video conferencing tools such as Zoom that allow screen sharing will request approval for Screen Recording before someone can share their screen.

Expected behavior:
In macOS 10.15, as a standard user I was able to go into System Preferences > Security & Privacy > Privacy > Screen Recording and add an app without needing to unlock the preference pane with admin credentials.

Actual behavior:
As of macOS 10.16 Beta 1 (20A4299v), as a standard user when I go to System Preferences > Security & Privacy > Privacy > Screen Recording, I need to unlock the preference pane with admin credentials.

This is a regression from macOS 10.15 behavior. In our environment, our users do not have admin credentials to be able to unlock that preference pane. This will severely impact our users who rely on web conferencing tools and need to share their screen. With many of our users working from home, this will severely impact us and affect our ability to also provide remote support. In fact, we rely on Zoom's screen sharing feature for our end-users to show us their screens during remote support sessions. If they do not have admin credentials to unlock the preference pane, they cannot possibly provide screen recording to Zoom and other similar apps. We kindly request that the behavior go back to how it was in macOS 10.15.

Apple at the moment is not providing an alternative way for standard users to be able to approve prompts for Screen Recording access. If you are impacted by this, I sincerely suggest you supply feedback to Apple at https://feedbackassistant.apple.com/.

If you haven't already, please join AppleSeed https://appleseed.apple.com/ and supply feedback to Apple.
Please fix this. This is not expected behavior if you manage a fleet of Macs.
Feedback submitted.


For Big Sur instead of a regression of this setting we need an IMPROVEMENT.


Let us control screen recording with MDM!!!!!!!!
I supplied feedback (FB7776576) the other day on this and got a reply today saying this is working as expected. I've replied that is unacceptable as this is a breaking change with no viable workaround. Ideally, Screen Recording is made a per-user allowance instead of a per-system allowance and the user can enable per-app Screen Recording like they can Microphone and Camera access.

Please, please file feedback if you haven't already. Change can happen if enough noise is generated.
I've already submitted feedback on this breaking change and Apple replied...

"The screen capture service is a system-wide service (not a per-user service) and system-wide services should only be modifiable by an administrator. Starting with macOS Big Sur, granting access to screen recording will require admin authentication."

Are standard users meant to not be able to enable screen recording access moving forward? That would cripple our deployment as it means people wouldn't be able to get help through remote support or share their screen with videoconferencing apps like WebEx, Zoom, and Google Meet.

I would be very happy if the intent is for Apple to provide Mac admins an alternative path to enable screen recording for standard user accounts. If that were the plan they could have communicated that in any number of ways.
  • WWDC sessions

  • AppleSeed or developer release notes

  • What's New for Enterprise and Education

Right now all we have is a Feedback Assistant reply telling us the current behavior is working as expected. Please clarify what the future plan is. Right now this feel tone deaf, especially considering the current work from home conditions.

10
This is a concern as we have management wanting us to restrict admin access to better comply with security guidance and reduce possible risk of damage from user damage.
Given the variety of web video conferencing solutions out there, our end users may be using web conferencing software that we do not manage because it's the vendor's preferred choice and that's who setup the meeting. I would personally prefer that we simply get per-user allowance of what can be allowed in Screen Recording. MDM would imply that I would need to know in advance all the screen recording software out there and enable it across our fleet.
This behavior won't work for organizations deploying macOS devices to users that don't have administrator access enabled. MDM management would help, but would still require advance knowledge of not only our own organization's remote support and video conferencing software, but also advance knowledge of the remote support and video conferencing software that each of our vendors and partners use to communicate with us.

This would result in the need for a support call with every user prior to them starting a new remote meeting, a solution which is untenable in the best of times, and particularly problematic during a time when we have such a large portion of out employees working remotely.

The ideal behavior for this setting would be for each user to be able to turn screen recording on or off as they need it rather than requiring assistance from an administrator to allow it.
If Apple will not change this „issue“ for us admins and users...the best solution for non-Admin Account is to implement the Privileges App to grant access, if needed.
I totally understand if Apple is doing this because it believes children at home should absolutely not be able to allow screen recording for the whole system. This is why parents are admin users, and children should be standard users with parental controls and so forth. If the recent FleetSmith acquisition enables Apple to create an "MDM lite" for family sharing and enhanced parental controls, that's great.

What this thread is about, on the other hand, is ADULTS trying to ADULT.

From apple.com/business:
"Apple products help employees work more simply and productively, solve problems creatively, and collaborate with a shared purpose. And they’re all designed to work together beautifully. When people have the power to work the way they want, with the tools they love, they can do their best work."

This change in Big Sur is making it much harder to continue doing that, and it *will* impact future sales of Mac hardware ... unless Apple makes some concessions for responsible admins trying to make life easier for their end users.

SUGGESTION:
iOS 14 has this new "recording" light feature for the status bar. Why can't MacOS have a similar indicator in the menulet that resembles a tiny computer screen with a blinking red light while screen recording is active?

Here's what I would do:
  1. Add a key for Screen Recording under PPPC in the MDM spec.

  2. Add a key value that allows the above setting ONLY when supervised.

  3. Add a recording light to macOS Big Sur so ALL users know when the screen is being recorded, regardless of how screen recording was approved.

Justification:
Large institutions and schools often have security policies that seek to minimize attack surface and simplify troubleshooting by defaulting users to non-admin (standard) rights unless they have special permission or business justification to be admins on their machines. The same also make heavy use of collaboration and virtual meeting tools like WebEx, Zoom, MS Teams, and so forth. Virtual meetings and remote presentations are on the side due to COVID-19. Screen sharing is an essential function remote support tools like LogMeIn and Bomgar, where the technician must be able to see the user's screen to guide them through troubleshooting.

PS: AppleCare uses a rebranded version of Bomgar, so they're about to find out what a pain this is going to be for some customers who call for help.
This will be untenable in an Enterprise setting where our users are not admins. This is absolutely a breaking change.

Allow us to manage Screen Recording via MDM.
The current implementation is customer-hostile.

Within an ABM/ASM/UAMDM context, Screen Recording must be an MDM-manageable object.
If this is going to happen, please provide a PPPC MDM profile payload for IT admins to allow screen recording access on supervised Macs.

Thank you!
For the admins who are asking to manage this via MDM, if it's like the other privacy areas, that implies you would need to know each and every app that would request screen recording permissions. Unlike like creating a Kernel Extension List, there's no scalable way to know in advance all the apps that will need screen recording.

Assuming Apple implemented this via Configuration Profiles, again, this would be a logistical nightmare to support and would also mean having to either:
  1. micro-manage Configuration Profiles for specific apps on specific computers

or
2. allow that specific app to screen record on all computers which may not necessarily need it or use it.

Neither of those are options I'd like to deal with.

Yes, I understand the current UX for allowing screen sharing and having to quit apps is less than ideal. But that should be a spearate request that Apple works on improving.
In my case all my users are standard users due to PCI, SOC compliance. How will my users unlock screen recording? I would want to have the ability to pre-unlock screen recording on behalf of my users for certain apps (if supervised Mac) while at the same time let them unlock other apps requiring screen recording. In my case we support Zoom and Google Meet but we have department that need to use WebEx, Gotomeeting, Team and other because client requirements. Besides that we use TeamViewer to support our users (all remote right now).

Please give us a solution or we will have a serious problem.
My CISO wants no admin rights for end users. Making this setting administrator only will cause many, many calls to our service desk and show some people increased tickets for macOS. Right now, macOS generates few tickets. This would increase that exponentially.
macOS Big Sur Beta 1: Standard user cannot add or approve apps for Screen Recording
 
 
Q