Documentation · macOS · Admin

macOS Admin Guide

Support matrix, permissions, and Privacy Preferences (PPPC) guidance for deploying BeProof on Apple Silicon endpoints.

Design partner pilot (30 days)

Standard program for platform security teams evaluating BeProof: local evidence week, managed fleet scale-up, admin console governance, and day-30 success metrics.

Open Design Partner Pilot guide

Organization admin console

Web dashboard for fleet posture, device inventory, sanitized review queue, and signed policy bundle publish. Pair with MDM enrollment so managed Macs report into your tenant.

Open Admin Console Guide

Managed deployment (MDM)

PKG builder, PPPC mobileconfig template, org-policy overlay at /Library/Application Support/BeProof/, and step-by-step runbooks for Jamf, Intune, Kandji, and Fleet.

Open Managed deployment guide

Controlled updates (managed endpoints)

When an org-policy overlay is present, BeProof enters managed mode and disables Sparkle in-app updates: no automatic update checks, and Check for Updates… is hidden from the app menu. This keeps MDM pilot and production rings in control of version rollout.

  • Promote new builds with your MDM PKG workflow (pilot ring first, then broad deployment).
  • Run beproof verify-install on a sample machine after each PKG promotion.
  • Personal or developer installs without an org overlay keep Sparkle updates enabled.

Support matrix

DimensionSupportedNotes
macOS version14 Sonoma, 15 SequoiamacOS 13 and earlier
ArchitectureApple Silicon (arm64)Intel x86_64 releases not published
App deploymentSigned + notarized DMG; MDM PKG via build_mdm_pkg.shManaged deployment guide
MDM org overlay/Library/Application Support/BeProof/mdm_profile scan scope when present
In-app updates (Sparkle)Personal installs onlyDisabled in managed mode — use MDM PKG
CLI deploymentHomebrew tap or arm64 tarball
Bundle IDcom.beproof.app
Full Disk AccessNot required
Endpoint SecurityNot shippedOptional future telemetry module

Permissions matrix

Missing permissions surface as CoverageGap records — BeProof does not treat missing evidence as a pass.

CapabilityRequiredMechanismIf denied
Project & agent config pathsYes (scoped)File read within scan rootsscan_scope coverage gap
Keychain metadataOptionalKeychain Services + explicit consent ledgerkeychain_metadata gap
Install inventory (Homebrew, npm/pnpm, IDE extensions)OptionalRead Cellar, npm/pnpm global node_modules, VS Code/Cursor/Windsurf extension dirs (metadata only)install_inventory partial
Cloud provider APIsOptionalHTTPS + configured admin tokensCloud grant / usage gaps
Full Disk AccessNo

PPPC / TCC

Personal installs may see standard macOS prompts. For managed pilots, deploy the signed PPPC mobileconfig template via MDM. See Managed deployment and PPPC & TCC for customization (Team ID, UUIDs, scan-root scope).

TCC serviceWhenGuidance
KeychainFirst keychain-inclusive credential scanAllow BeProofApp.app; CLI inherits terminal TCC context
Files and FoldersAccess outside default readable pathsAllow only approved scan roots

Keychain TCC approval is separate from BeProof's consent ledger. Even with Keychain access, policy evaluation requires an explicit consent record before keychain metadata counts as evidence.

Verify install

beproof verify-install \
  --app /Applications/BeProofApp.app \
  --artifact ./BeProofApp-macos.dmg \
  --provenance ./BeProofApp-macos.provenance.json \
  --format json

Related