Back to school: studentd and Classroom in Mojave 10.14.4

Unless you use Macs in education, you probably missed Apple’s news about Classroom, its updated software for managing Macs and iPads used in that environment. But if you have updated to Mojave 10.14.4 (or, presumably, iOS 12.2), you may be surprised to learn that you’re already running this software. If you don’t believe me, take a look at the list of processes in Activity Monitor: you should find a new process, studentd, listed there. It wasn’t in 10.14.3.

What was in macOS 10.14.3 was a Private Framework, /System/Library/PrivateFrameworks/ClassroomKit.framework, which was presumably used by additional software installed when setting up Classroom. Now every Mac is set up for Classroom, with the following additions:

  • the command tool /usr/libexec/studentd which manages ‘the student experience’,
  • /System/Library/LaunchAgents/, the LaunchAgent which runs studentd,
  • ~/Library/studentd, a new folder which contains user data for studentd,
  • and an updated /System/Library/PrivateFrameworks/ClassroomKit.framework.

Although run from a system LaunchAgent property list, studentd is run as the user from login. If you log into a user account which doesn’t yet have one, it creates a security certificate in that user’s login keychain, with a name starting with ‘member:’ followed by two UUIDs. The first of these is that user’s UserIdentifier given in ~/Library/studentd/AdHocConfiguration.plist, thus is that student’s identifier for the purposes of studentd. That certificate isn’t trusted, but trust is obtained later if the user connects that Mac to a Classroom system.

studentd doesn’t appear to have any options, nor is there a configuration tool. Instead, it relies on keys in its configuration property list, by default ~/Library/studentd/AdHocConfiguration.plist. These include:

  • AutoAssistEnabled, a Boolean;
  • CloudSyncingEnabled, a Boolean;
  • RollingDeviceIdentifierSet, a dictionary including activeIdentityPersistID and userIdentifier;
  • UserIdentifier, the same UUID as userIdentifier, stored as a string.

studentd is active on Macs even when they’re not connected to Classroom. Its first flush of activity is checking and creating the user’s security certificate during login. After that, every half hour or so, studentd records errors in the unified log reporting that it is unconfigured:
09:18:38.563410 Error General studentd studentd studentd is unconfigured because the device is unsupervised
09:18:38.563427 Error General studentd studentd studentd is unconfigured because there are no organizations

studentd writes further log entries intermittently, including:
10:55:38.315876 General studentd studentd Student configuration did change: {(
followed by a list of STUControlGroupEnrollmentRecord entries
10:29:49.737319 Bluetooth studentd ClassroomKit Stop scanning all zones
10:29:49.737362 General studentd studentd DECREMENT invitation browser reference count: 0

and so on.

Unified log entries can be viewed by searching on those containing the service studentd, or on its subsystem

studentd appears to have access to the user’s Address Book, but doesn’t show up in Privacy settings. It maintains an SQLite3 database of logged events at ~/Library/studentd/Events/LogEvents.db, although that doesn’t appear to be used unless Classroom is configured. It has access to two XPC services, BooksService and ResourcesService.

studentd is a complex service. Browsing its embedded strings, it handles certificates which are used in the marking of work, acts in observer and controller roles for the instructor, and records events in its own per-user database.

If you want to look in more detail at Classroom and studentd, the Classroom app is available free from the App Store. These changes are for Classroom version 2.0, which launched with the Mojave 10.14.4 update and seems to require macOS 10.14.4 or iOS 12.2.

The big question with Classroom 2.0 and studentd is whether Apple really intends these to be running on every Mac, or whether the 10.14.4 update was merely misconfigured to enable them on all systems. Maybe we’ll find out when 10.14.5 is released in a couple of months. In the meantime, let’s hope that it is secure, as studentd seems able to do a great deal with your Mac which can’t easily be controlled, although at least it only works over the local network, and not remotely.

I am very grateful to Jeff Johnson @lapcatsoftware and xz4gb8 who have kindly provided much of the information above. Errors, though, are entirely my own. If you have any additional information, please let me know.