Your comments

@Brandon, what's the status on this? The linked script still references old deploy https://docs.connectwise.com/@api/deki/files/21478/controlclientcleanup.sh?revision=1 connectwisecontrol-...app vs screenconnect-...app, for example.

I assume that's self-explanatory and I'm guessing that you may have been impacted unexpectedly. Perhaps that is because you have automatic client updates on? If you turn off automatic client updates, then you won't have to worry about this. Simply change out your profile before updating clients. Not only is the cert going to be different, but also the identifiers. The application and changed in this update as well.

ConnectWiseControl PPPC.mobileconfig

In case anyone needs it, I've attached a .mobileconfig that you can deploy with your approved MDM/DEP solution. 

Here is the outcome of deploying that:

You should also be including /bin/bash in accessibility and appleevents.

That page shows "there are no pre-release versions available at this time."

There really shouldn't be much to test. They just codesign the app and we put the Code Requirement string in our PPPC profiles. 

Don't forget that the privacy permissions manually granted are reset anytime you update the client, which you guys also do very frequently, for better or worse.

Brandon, can you please clarify what it is that ConnectWise is working on (referenced above in https://control.product.connectwise.com/communities/1/topics/2046-sign-macos-app#comment-7007 "You can expect this change to be available in the next stable version of 6.9, or the pre-release of 7.0, before the end of January")? I really hope that the app itself is going to be signed as part of that work, which is what this ticket is for, and not something else. I would expect that the customizations are either held outside the application (in Library or something like most other apps). I could see you signing before download (after customizations are injected server-side), but it seems easier to just move those outside the .app that you sign. Ideally, you aren't signing with any client preference changes on the server side (that requires re-install of client). Bottom line, this request and the outcome of any related work should be a signed app.