Apple has 'buckets' of alerts that sometimes are misleading. In this case, in order to transmit keystrokes and mouse movements to the virtual machine, Fusion has to capture them and uses the accessibility API's to do so. That API includes screen access (for things like screen readers), so triggers the broad alert.
For what it's worth, I work in the cybersecurity field, so am keenly aware of the risk of application privilege abuse. In this particular case, I've no concerns that Fusion is abusing that capability. It's used by nearly all the Fortune 500 companies to conduct business critical work on very sensitive information.
You can disagree, but that doesn't change the facts. In order to control and capture mouse and keyboard and provide them to the guest, Fusion leverages the accessibility API. That triggers the notice. It does not mean that Fusion is monitoring what you're doing and phoning home. There is no privacy violation here.
Correct. We probably wouldn't know what to do with that much data even if we did collect it.
We're not interested in any behavior that doesn't directly influence our product decisions, and there's no personal data that would influence that.
If telemetry is turned off, we don't collect anything.
In vSphere we have a 'sample data collection' feature that shows you exactly what gets sent, and we may consider bringing that to Fusion as well.
But we take privacy pretty seriously.
When CEIP (telemetry) is on, we collect:
- Host Hardware model, # of cores, CPUID, and how much RAM
- Host OS version
- list of guest OS types (not names, just types so we know what to prioritize)
- Display topology (number of monitors, screen resolution)
- Used View mode (Unity, Full-Screen, windowed)
- USB devices that are passed to the VM (surprise, the most popular is the iPhone!)
None of that contains any personally identifiable information.
Now could we do better about those notifications, absolutely.
We used APIs and frameworks from previous years that are now considered part of 'accessibility', so it's just Apple changing how they define what used to be 'normal' behavior and locking things down in the name of security. They're doing it more rapidly and deeper in the stack than they ever have before.
It's the right thing for them to do, but it does mean we have to update our whole stack so we're not nagging users when we just want to run a VM, and that's not trivial.
We'll be continuing to make improvements here tho, but what you're seeing is more like engineering debt, not a trick to collect your personal info.
Seriously, we don't care how you use your VM, we just care what the specs of the system you're using it on are because it helps us prioritize features (and avoid removing things that would negatively impact a large number of users), and you have to opt-in to share that with us.
Many applications, not just Fusion, prompts the same mouse ad keyboard control needed popup as well. so its not Fusion specific,,, Its a security feature in Mojave design to inform the user such actions are taking place. However, i know why this discussion this would come up, because because of Apples changes and more so, because Apple has a stand of no security and privacy etc... unlike Windows, so any "exceptions' to that are instantly raised.
Nothing to worry about.. If it makes you feel better knowing VMWare Fusion is acting as malware by recording keystrokes, then ok
Weather that's true or not, well you can only decide that one. But if you don't give permission, you may not be able to use keyboard. A workaround might be USB keyboard and mouse, but could trigger the same dialog.
Fusion is an Application. Therefore it is able to receive Mouseinput and Keystrokes.
Applications receive post-processed characters, not keystrokes. For example, shift-a will send 'A' to the application (not shift key + 'a' key), and the OS or UI redirect other key combinations (command-x is often 'cut') before they reach the normal character input path. The OS normally won't tell an application if the shift key is pressed and released (nor the control key, nor the option key).
Actual keystrokes, and the other low-level events needed to forward to a virtual machine, are captured with a different API. Hence, "Screen Recording".