Skip to content
Contact us Customer portal Sign in
  • There are no suggestions because the search field is empty.

🍏macOS: Granting necessary permissions to Safetica Client after installation

Learn how to grant the necessary permissions to Safetica Client after installing it on a macOS device.

âť—This article applies only to devices with macOS.

In this article, you will learn more about:

 

Introduction: Two ways of granting permissions

After the successful installation of Safetica Client on a macOS device, certain permissions must be granted to the Safetica Client. You can do that either by installing our signed Apple Configuration Profile or manually.

âť—We strongly recommend granting permissions via Apple Configuration Profile. Without it, Safetica Client functionality on macOS cannot be guaranteed and may be limited.

Manual permission configuration often results in errors and issues. With the Apple Configuration Profile, these do not happen.

 

 

How to grant permissions to Safetica Client via a signed Apple Configuration Profile

Apple Configuration Profile contains all the system permissions required for Safetica Client to work correctly on macOS devices.

✍️You can download the Apple Configuration Profile signed by Safetica here.

For Microsoft Intune, use this unsigned Apple Configuration Profile.

âť—Distribution via MDM only: Apple Configuration Profiles can only be distributed and installed on devices via MDM (Mobile Device Management).

To install an Apple Configuration Profile:

  1. Have Safetica Client already installed on the macOS device. Learn more about Safetica Client installation here.
  2. Download the Apple Configuration Profile signed by Safetica here.
  3. Distribute the downloaded profile to macOS devices using your preferred MDM solution. You can find a list of MDM solutions here.
  4. Enable the Sensitive content found extension in the Mail app:

âť—The Sensitive content found extension is only supported on macOS 12 and newer.

    1. In the Mail app , choose Mail > Settings, then click Extensions.
    2. In the list of Mail extensions, find the Sensitive content found extension.
    3. Enable it by selecting its checkbox.

MDM solutions

✍️If you need a free MDM solution, consider:

  • jumpcloud (free for up to 10 devices and users)

Other MDM solutions you can use:

 

How to grant permissions to Safetica Client manually (not recommended)

âť—We strongly recommend granting permissions via Apple Configuration Profile. Without it, Safetica Client functionality on macOS cannot be guaranteed and may be limited.

Manual permission configuration often results in errors and issues. With the Apple Configuration Profile, these do not happen.

For Safetica Client to work correctly on macOS devices, you need to:

  1. Allow Full Disk Access - required for file audit.

  2. Allow notifications - required for user notifications.

  3. Allow access to web browser data in Safari, Chrome, Opera, and Microsoft Edge - required for web audit (Safari, Chrome, Opera, and Microsoft Edge).

  4. Enable the Sensitive content found extension in Mail app - required for audit and protection of outgoing emails through the Mail app.
  5. Allow STUserApp - required for correctly auditing and blocking emails sent via Mail app.

 

1.  Allow Full Disk Access

Full Disk Access is crucial for the correct functioning of Safetica and needs to be allowed manually after Safetica Client is installed.

  a. Go to System preferences > Privacy & Security > Full Disk Access.

  b. You will see our services – STClassiTagger, STContentService, STCService, and STFileMonitor – easily recognizable by the Safetica logo.

  c. Switch their toggle to Allow. This will give these services Full Disk Access.

âť—We strongly recommend not granting the permission to services you do not know or services that you are not specifically willing to grant the permission to.

 

2.  Allow notifications

After the successful installation of Safetica Client, a pop-up related to user notifications and alerts appears. Click Allow.

Further options related to user notifications are available in System preferences > Notifications > STUserApp.

 

3.  Allow access to web browser data in Safari, Chrome, Opera, and Microsoft Edge

When you open the Safari, Chrome, Opera, and Microsoft Edge web browsers for the first time after installing Safetica Client, a pop-up appears. You must click Allow.

âť—This pop-up will be displayed repeatedly in regular intervals when the user works with Safari, Chrome, Opera, or Microsoft Edge. They must always click Allow for web audit to work correctly.

If web browser permissions are not granted, they will be requested automatically after every browser restart.

This issue will not occur if you grant permissions to Safetica Client via the Apple Configuration Profile instead of manually.

 

If you are having issues, you can check that permissions are granted correctly to Safari, Chrome, Opera, and Microsoft Edge in System preferences >Privacy & Security > Automation > STAppMonitor.

 

4.  Enable the Sensitive content found extension in the Mail app

âť—The Sensitive content found extension is only supported on macOS 12 and newer.

  1. In the Mail app , choose Mail > Settings, then click Extensions.

  2. In the list of Mail extensions available on your device, find the Sensitive content found extension.

  3. Enable it by selecting its checkbox.

âť—To make email auditing and blocking policies work correctly, you must allow the STUserApp.

Otherwise, email auditing and blocking will not work correctly. Users will be able to send emails that violate blocking policies by clicking a Send anyway button in a pop-up.

 

5. Allow STUserApp

To correctly audit and block emails sent via the Mail app, you must allow the STUserApp in:

  • System preferences > Privacy & Security > Automation (> Privacy (on older systems)) and in
  • System preferences > Privacy & Security > Accessibility (> Privacy (on older systems))

âť—If you do not see STUserApp in Automation or Accessibility, try sending an email that violates a blocking policy. STUserApp should then appear in those sections.

âť—If you do not allow STUserApp in Automation or Accessibility, email auditing and blocking will not work correctly. Users will be able to send emails that violate blocking policies by clicking the Send anyway button in a pop-up.

âť—After allowing STUserApp, when the user sends an email that violates a blocking policy for the first time, 2 pop-ups will appear:

  1. A pop-up that enables the email to be sent even though it should be blocked. The user must click Cancel.
  2. A pop-up concerning the STUserApp. The user must click Allow.

 Afterward, email blocking should work correctly.

✍️If you have issues with email blocking not working correctly, please check that the STUserApp is allowed in System preferences > Privacy & Security > Automation and in System preferences > Privacy & Security > Accessibility.

 

 

Where to find what permissions are missing

You can see what permissions are missing in Safetica console in Devices Status column.

 

 

FAQ

Q: I have an issue with macOS - I can send emails via Outlook, even though I have a policy that blocks such emails. What should I do?
A: Please check if all the necessary permissions are granted to Safetica based on this article. Also, if you are using Outlook for Mac, you need to activate Outlook protection. Learn more here.
 
Q: What is MDM?
A: MDM (Mobile Device Management) is a technology that allows organizations to remotely manage, secure, and configure mobile devices such as smartphones, tablets, and laptops. It helps enforce security policies, control applications, protect corporate data, and ensure compliance across an organization's device fleet.
 
Q: How can we resolve the "Not enrolled in MDM" error on a macOS device?

A: This status indicates that the device is not enrolled in a Mobile Device Management (MDM) solution. To resolve it, enroll the device in an MDM of your choice. Here are some MDM solutions you can use.

 

Read next

How to install Safetica Client to your devices