Unknown ScreenConnect Detection - Macintosh

Summary

Runs the Manage Unknown ScreenConnect Client [Macintosh] automation daily on MacOS where any ScreenConnect Client is installed and cPVAL Unknown ScreenConnect Monitoring is configured. Creates a ticket when non-approved ScreenConnect instances are detected and remain after any configured remediation.

The behavior of the evaluation script depends on the value set in cPVAL Unknown ScreenConnect Monitoring:

• When set to Audit Only, the script audits installed ScreenConnect instances and updates the device custom fields. No alert is raised and no removal is attempted. The compound condition will not trigger in this mode.
• When set to Audit and Alert, the script audits and updates custom fields, then exits with code 1 and outputs Alert: if unknown instances are found. The compound condition triggers and a ticket is created.
• When set to Autofix and Alert on Failure, the script attempts to remove unknown instances, re-audits the device, and updates custom fields. The compound condition triggers and a ticket is created only if unknown instances still remain after the removal attempt.

Details

Name: Unknown ScreenConnect Detection - Macintosh
Description: Runs the Unknown ScreenConnect Client audit and remediation script daily on MacOS with a ScreenConnect Client installed. Triggers an alert when non-approved instances are detected.
Recommended Agent Policies: Mac Policy [Default]

Dependencies

• Custom Field: cPVAL Unknown ScreenConnect Monitoring
• Custom Field: cPVAL Whitelisted ScreenConnect Instances
• Custom Field: cPVAL Installed ScreenConnect Instances
• Custom Field: cPVAL Unknown ScreenConnect Installed
• Automation: Manage Unknown ScreenConnect Client [Macintosh]
• Solution: Unknown ScreenConnect Monitoring

Compound Condition Creation

Compound Condition Configuration

Note: The Allowed Instances parameter on the evaluation script can be set here to define approved identifiers at the policy level, overriding cPVAL Whitelisted ScreenConnect Instances for all devices in the policy. Leave it blank to use the custom field instead.

Note: The Notifications section requires a configured ticket template for the PSA integration in use (ConnectWise Manage, Autotask, HaloPSA, etc.). Without a valid template assigned, NinjaOne will not generate or manage tickets from this compound condition.

Changelog

2026-04-09

• Initial version of the document