macOS Admin Guide
Support matrix, permissions, and Privacy Preferences (PPPC) guidance for deploying BeProof on Apple Silicon endpoints.
Design partner pilot (30 days)
Standard program for platform security teams evaluating BeProof: local evidence week, managed fleet scale-up, admin console governance, and day-30 success metrics.
Open Design Partner Pilot guideOrganization admin console
Web dashboard for fleet posture, device inventory, sanitized review queue, and signed policy bundle publish. Pair with MDM enrollment so managed Macs report into your tenant.
Open Admin Console GuideManaged deployment (MDM)
PKG builder, PPPC mobileconfig template, org-policy overlay at /Library/Application Support/BeProof/, and step-by-step runbooks for Jamf, Intune, Kandji, and Fleet.
Controlled updates (managed endpoints)
When an org-policy overlay is present, BeProof enters managed mode and disables Sparkle in-app updates: no automatic update checks, and Check for Updates… is hidden from the app menu. This keeps MDM pilot and production rings in control of version rollout.
- Promote new builds with your MDM PKG workflow (pilot ring first, then broad deployment).
- Run
beproof verify-installon a sample machine after each PKG promotion. - Personal or developer installs without an org overlay keep Sparkle updates enabled.
Support matrix
| Dimension | Supported | Notes |
|---|---|---|
| macOS version | 14 Sonoma, 15 Sequoia | macOS 13 and earlier |
| Architecture | Apple Silicon (arm64) | Intel x86_64 releases not published |
| App deployment | Signed + notarized DMG; MDM PKG via build_mdm_pkg.sh | Managed deployment guide |
| MDM org overlay | /Library/Application Support/BeProof/ | mdm_profile scan scope when present |
| In-app updates (Sparkle) | Personal installs only | Disabled in managed mode — use MDM PKG |
| CLI deployment | Homebrew tap or arm64 tarball | — |
| Bundle ID | com.beproof.app | — |
| Full Disk Access | Not required | — |
| Endpoint Security | Not shipped | Optional future telemetry module |
Permissions matrix
Missing permissions surface as CoverageGap records — BeProof does not treat missing evidence as a pass.
| Capability | Required | Mechanism | If denied |
|---|---|---|---|
| Project & agent config paths | Yes (scoped) | File read within scan roots | scan_scope coverage gap |
| Keychain metadata | Optional | Keychain Services + explicit consent ledger | keychain_metadata gap |
| Install inventory (Homebrew, npm/pnpm, IDE extensions) | Optional | Read Cellar, npm/pnpm global node_modules, VS Code/Cursor/Windsurf extension dirs (metadata only) | install_inventory partial |
| Cloud provider APIs | Optional | HTTPS + configured admin tokens | Cloud grant / usage gaps |
| Full Disk Access | No | — | — |
PPPC / TCC
Personal installs may see standard macOS prompts. For managed pilots, deploy the signed PPPC mobileconfig template via MDM. See Managed deployment and PPPC & TCC for customization (Team ID, UUIDs, scan-root scope).
| TCC service | When | Guidance |
|---|---|---|
| Keychain | First keychain-inclusive credential scan | Allow BeProofApp.app; CLI inherits terminal TCC context |
| Files and Folders | Access outside default readable paths | Allow only approved scan roots |
Keychain TCC approval is separate from BeProof's consent ledger. Even with Keychain access, policy evaluation requires an explicit consent record before keychain metadata counts as evidence.
Verify install
beproof verify-install \
--app /Applications/BeProofApp.app \
--artifact ./BeProofApp-macos.dmg \
--provenance ./BeProofApp-macos.provenance.json \
--format json