Environment:
MacBook Pro 14-inch Nov 2023 (Apple Silicon M3)
macOS 26.5 (25F71) and 26.5.1 (25F80)
MDM: Kandji/Iru enrolled
BeyondTrust EPM-M 26.1.1495 Confirmed chain via epsext exec logs:
The Kandji/Iru Parameter Agent (kandji-parameter-agent) calls /usr/sbin/systemsetup -getusingnetworktime every 15 minutes. Each invocation requests the system.preferences authorization right, waking authd → writeconfig.xpc → SecurityAgent. SecurityAgent then opens a SkyLight connection, calls SetFrontProcess, causes the active window to resign key appearance, and closes — all within 3–15 seconds. Cross-referenced against user-reported times:
User reported focus steal at 10:13, 10:58, 11:13, 11:43 (CDT). SecurityAgent fired at exactly those times to the second in our WindowServer logs. Key finding:
The systemsetup call itself is not the root issue — it's doing its job. The problem is that on macOS 26 Tahoe, this auth request causes SecurityAgent to grab keyboard focus as a side effect, which it should not do for a background/silent authorization check with no user interaction required. BeyondTrust KB0023327 documents the PMCAdapter event as a separate but related trigger. Both are symptoms of the same underlying SecurityAgent behaviour change in macOS 26.
It seems that you’ve already found the existing thread about this issue, and I recommend that you continue the discussion there.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"