Tooo automates
Device enrollment, device signing, policy merge, event archive, alerts, teacher authorization checks, command audit, and MDM profile generation.
School IT owns
Apple School Manager, MDM, Tooo.app/pkg and profile deployment, browser extension force-install, application allowlist, and troubleshooting.
School leadership owns
AUP notice, parent/student signatures, teacher authorization scope, retention policy, and local compliance review.
Each step: what + why + owner
Apply for Apple School Manager
Apply at school.apple.com and prepare school verification. This enables zero-touch MDM enrollment for new Macs.
Leadership · 1-2 weeks review · $0
Choose and configure MDM
Mosyle, Jamf School, or Intune all work. MDM installs Tooo.app, pushes profiles, restricts removal, locks browsers, and manages app allowlists.
School IT · 30-60 minutes
Create the school in Tooo Web
Admin logs in to /lab/admin and creates the school. Teacher SafeIDs, student cards, policies, and machines belong to this school.
School IT · 5 minutes
Download the Tooo Lab MDM profile
The console generates a .mobileconfig profile containing root CA trust, browser policy, system extension approval, Transparent Proxy network filtering, and non-removable profile settings.
School IT · 1 minute
Deploy Tooo.app and browser extensions
Tooo.app handles heartbeat, policy, screenshots/recording, commands, and local token bridge. Safari/Chromium extensions report URL, title, search, download, DOM summary, and form metadata.
School IT · 5-15 minutes setup
Bind Lab Macs
Normal flow: the student Mac shows a 6-digit code and Web admin accepts it. MDM bulk/unattended installs can use enrollment tokens. After binding, the device signs requests with its Keychain device key.
School IT · seconds per Mac or bulk automatic
Import students, bind cards, authorize teachers
Students use USB HID cards only. Teachers/admins use SafeID as the authorized identity. Authorization can be scoped by school, tag, or machine for view, classroom commands, and archive access.
School IT / registrar · 30-60 minutes first setup
Issue AUP and start class
AUP must explain screenshots/recording, browser events, running apps, network filtering, retention, who can view data, off-campus use, and opt-out/alternatives.
Registrar / legal · recommended 1-2 weeks
Mac Lab lock mode: AAC + ASAM vs. fullscreen fallback
Tooo Lab uses two paths for the student lock screen on Mac, chosen automatically by deployment context. School IT does not select manually; the table below is for troubleshooting reference.
Terminology:
- SAM = Single App Mode (MDM pushes com.apple.app.lock; device is permanently locked to one app, students cannot use any other app)
- ASAM = Autonomous Single App Mode (MDM pushes com.apple.asam to allowlist the app bundle id; the app decides at runtime when to enter/exit the lock)
- AAC = Automatic Assessment Configuration (Apple Education framework — the only official runtime ASAM entry/exit API on macOS; requires the com.apple.developer.automatic-assessment-configuration entitlement)
Tooo Lab uses the AAC + ASAM combination (app actively locks while no student is signed in; unlocks on student card-swipe; auto-relocks on logout), not SAM (which would permanently lock the device and prevent students from using authorized apps like the browser).
| Mode | Trigger | Lock strength | Escape risk |
|---|---|---|---|
| AAC + ASAM (Apple's runtime lock framework) | Mac is in ASM/ABM and supervised by MDM; MDM profile includes com.apple.asam allowlisting Tooo.app; Tooo.app has the AAC entitlement requested. Becomes the default path once Apple approves; until then, the runtime automatically falls back to the fullscreen path below. | OS-level enforcement; Mission Control, Cmd-Tab, Force Quit, logout, and shutdown are all blocked. App enters lock via AEAssessmentSession.begin(); releases via session.end(). | Released by in-app session.end() or MDM-side removal. No student-side escape path. |
| Fullscreen fallback (toggleFullScreen) | Non-MDM environment, single-machine self-install, or MDM profile not yet applied. Automatic fallback. | App-level enforcement: native fullscreen + hideMenuBar/hideDock/disableProcessSwitching + secondary-screen covers. | Three-finger Mission Control swipe can briefly reveal another Space; the in-app reactivate observer pulls the lock-screen Space back immediately. |
AAC + ASAM enablement (school IT + Tooo)
- School IT: Mac is enrolled in ASM / ABM and supervised
- School IT: MDM pushes com.apple.asam payload with AllowedApplications containing Tooo.app bundle id (app.tooo) and Team ID (YG785Y343S) — Tooo Lab MDM profile ships this payload by default
- Tooo: app signed with the com.apple.developer.automatic-assessment-configuration entitlement (Apple Education approval pending; effective once approved — fullscreen fallback engages until then)
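A pre-deployment check for the com.apple.asam payload listed above, as an added example (not Tooo's own code): it parses an unsigned .mobileconfig and reports a missing Tooo.app entry, extra allowlisted apps, or a removable profile. The sample profiles are constructed, and the key names (BundleIdentifier, TeamIdentifier, PayloadRemovalDisallowed) are Apple's standard profile keys, assumed to be what the Tooo-generated profile uses.

```python
import plistlib

# Values from the page: Tooo.app bundle id and Team ID.
EXPECTED = ("app.tooo", "YG785Y343S")

def audit_asam_profile(profile_bytes):
    """Audit an unsigned .mobileconfig; return findings (empty list = OK)."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    # The page says the profile is non-removable; standard Apple top-level key.
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("profile is removable")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.asam"]
    if not payloads:
        findings.append("no com.apple.asam payload")
    expected_seen = False
    for payload in payloads:
        for app in payload.get("AllowedApplications", []):
            pair = (app.get("BundleIdentifier"), app.get("TeamIdentifier"))
            if pair == EXPECTED:
                expected_seen = True
            else:
                # Every extra entry is another app allowed to lock the Mac.
                findings.append(f"unexpected ASAM app: {pair[0]} / {pair[1]}")
    if payloads and not expected_seen:
        findings.append("Tooo.app missing from AllowedApplications")
    return findings

def sample_profile(apps, removal_disallowed=True):
    """Constructed sample profile for this example, not a real Tooo export."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": [
            {"PayloadType": "com.apple.asam", "AllowedApplications": apps},
        ],
    })

GOOD = [{"BundleIdentifier": "app.tooo", "TeamIdentifier": "YG785Y343S"}]
# Hypothetical wrong entry: right bundle id, wrong (made-up) Team ID.
WRONG_TEAM = [{"BundleIdentifier": "app.tooo", "TeamIdentifier": "EXAMPLE000"}]

if __name__ == "__main__":
    print(audit_asam_profile(sample_profile(GOOD)))              # []
    print(audit_asam_profile(sample_profile(WRONG_TEAM, False)))
```

A profile signed by the MDM is CMS-wrapped and has to be unwrapped before plistlib can parse it.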
When the fullscreen fallback is used
- Teacher / small-org single-machine PoC without MDM
- MDM profile push failed or retrying; temporary downgrade
- Awaiting Apple AAC entitlement approval during onboarding
Troubleshooting map
| Symptom | Likely cause | Where to check |
|---|---|---|
| Mac not listed | Not in MDM, code not accepted, or token expired | MDM device list and Tooo Add Device panel |
| Certificate error | Root CA profile missing or removed | macOS Settings -> Profiles |
| Browser not reporting | Extension not force-installed or Tooo.app token bridge not running | Browser extension policy and Tooo.app logs |
| Teacher cannot see Macs | SafeID not authorized or scope mismatch | School settings -> Teacher authorization |
| Command not executed | Device offline, policy blocks command, or server signature rejected | Machine detail, command list, and Tooo.app logs |
Privacy and compliance boundaries
Tooo Lab is for school-owned MDM-managed devices only. It does not use hidden persistence or bypass student/parent/school notice.
Blacklist hits can block and create high-risk alerts. Non-blacklist AI suspicion alerts admins only and does not automatically block student work.