Privacy Preferences Policy Control
With the release of macOS Mojave (10.14), Apple introduced controls that let users allow or restrict cross-application data requests. macOS Catalina (10.15) extended this list of requests to include permissions such as Camera, Photos, Accessibility, AppleEvents, and more.
For example, an app or service might require the user's permission to access specific data or even other apps, similar to the permissions requested on mobile devices. Users must give their consent, without which the app or service might fail to function. Certain permissions, such as Accessibility, even require admin privileges to grant, so a standard user cannot grant them manually.
Configuring Privacy Preferences Policy Control (PPPC) in MDM lets you remotely manage these security preferences and permissions. You can allow or restrict the permissions requested by Mac applications on the users' behalf.
Prerequisite(s)
- The managed Mac machines must be running macOS 10.14 or later.
Profile Description
| Profile Specification | Description |
|---|---|
| Identifier | Specify the unique bundle identifier of the app. |
| Installation path | Specify the installation path if a non-bundled app is used. |
| Code sign requirement | Run `codesign --display -r - /path/to/app/binary` on a fresh installation of macOS 10.14 or later and specify the part of the output displayed after `=>` here (see the Endpoint Central agent example below this table). |
| Static code validation | Enable this only if the app or process fails the dynamic Code sign requirement check. By default, this is disabled. |
| Permissions | Allowed Permissions: specify the permissions you want to consent to on behalf of the users. Other Permissions: permissions that are not marked as allowed can be set to user controlled or restricted. |
| Specify apps for AppleEvents | If the app or service requires permission to access other apps or services, specify each of them individually under AppleEvents. |

For example, to obtain the Code sign requirement for the Endpoint Central agent, run the following command and specify the output displayed after `=>` as the Code sign requirement.

Command:
```
codesign --display -r - /Library/ManageEngine/UEMS_Agent/ManageEngine\ UEMS\ -\ Agent.app
```

Output:
```
Executable=/Library/ManageEngine/UEMS_Agent/ManageEngine UEMS - Agent.app/Contents/MacOS/ManageEngine UEMS - Agent
designated => identifier "com.manageengine.ManageEngine-UEMS---Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TZ824L8Y37
```
- You can configure PPPC for multiple apps within a single policy.
- Permissions such as Camera, Microphone, and Screen Recording cannot be granted access by any MDM. These can only be restricted or left to user controlled, which is the default option.
- After a PPPC permission is applied to a device, the change may not always be reflected in the device's System Settings, but the permission is still applied internally on the device.
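As an added example (not Endpoint Central's own code, and not code from this page), the following Python script shows how the fields in the table above map onto the PPPC payload that an MDM actually delivers to the Mac, and enforces the rule from the note above that Camera, Microphone and Screen Recording can only be restricted, never granted. It assumes Apple's documented `com.apple.TCC.configuration-profile-policy` payload layout (`Services`, `Identifier`, `IdentifierType`, `CodeRequirement`, `StaticCode`, `Allowed`, and the `AEReceiver*` keys for AppleEvents); on macOS 11 and later the `Authorization` key supersedes the boolean `Allowed` key, which this script does not model. The `codesign` output it parses is a constructed sample shaped like the agent output shown above, and `com.example.app` is a placeholder bundle identifier.

```python
"""Build a PPPC (TCC) configuration profile from the fields described above.

Added example, not part of the original page. Assumes Apple's documented
com.apple.TCC.configuration-profile-policy payload keys; the constructed
codesign output and bundle identifiers below are placeholders.
"""
import plistlib
import re
import uuid

# Constructed sample of `codesign --display -r -` output (same shape as the
# Endpoint Central agent output shown on this page, but placeholder values).
SAMPLE_CODESIGN_OUTPUT = """Executable=/Applications/Example.app/Contents/MacOS/Example
designated => identifier "com.example.app" and anchor apple generic and certificate leaf[subject.OU] = ABCDE12345
"""

# Services that no MDM can grant on the user's behalf; a profile may only
# restrict them (or leave them user controlled by omitting them).
DENY_ONLY_SERVICES = {"Camera", "Microphone", "ScreenCapture"}


def parse_designated_requirement(codesign_output: str) -> str:
    """Return the designated requirement: everything after 'designated =>'."""
    m = re.search(r"^designated => (.+)$", codesign_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'designated =>' line in codesign output")
    return m.group(1).strip()


def tcc_entry(identifier, code_requirement, allowed, *, identifier_type="bundleID",
              static_code=False, receiver=None):
    """One entry in a TCC service list.

    `identifier_type` is "bundleID" for a bundled app or "path" for a
    non-bundled binary (the 'Installation path' field). `receiver` is an
    (identifier, code_requirement) pair used only for AppleEvents entries.
    """
    entry = {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,
        "StaticCode": static_code,
        "Allowed": allowed,
    }
    if receiver is not None:
        entry["AEReceiverIdentifier"] = receiver[0]
        entry["AEReceiverIdentifierType"] = "bundleID"
        entry["AEReceiverCodeRequirement"] = receiver[1]
    return entry


def build_pppc_profile(app_id, code_requirement, allowed, restricted,
                       apple_events=(), static_code=False):
    """Return the full profile as a dict.

    `allowed` and `restricted` are TCC service names (e.g. "Accessibility",
    "Camera"); services named in neither stay user controlled. `apple_events`
    is a list of (receiver_bundle_id, receiver_code_requirement) pairs.
    """
    cannot_grant = DENY_ONLY_SERVICES & set(allowed)
    if cannot_grant:
        raise ValueError(f"cannot grant {sorted(cannot_grant)}: MDM may only restrict these")
    services = {}
    for svc in allowed:
        services.setdefault(svc, []).append(
            tcc_entry(app_id, code_requirement, True, static_code=static_code))
    for svc in restricted:
        services.setdefault(svc, []).append(
            tcc_entry(app_id, code_requirement, False, static_code=static_code))
    for receiver in apple_events:
        services.setdefault("AppleEvents", []).append(
            tcc_entry(app_id, code_requirement, True, static_code=static_code, receiver=receiver))
    tcc_payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{app_id}.pppc",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "Services": services,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC payloads must be device (system) scoped
        "PayloadIdentifier": f"{app_id}.pppc.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"PPPC for {app_id}",
        "PayloadContent": [tcc_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize the profile as an XML plist (.mobileconfig)."""
    return plistlib.dumps(profile)


def load_services(mobileconfig: bytes) -> dict:
    """Read the Services dict back from a serialized PPPC profile (handy for auditing)."""
    return plistlib.loads(mobileconfig)["PayloadContent"][0]["Services"]


if __name__ == "__main__":
    req = parse_designated_requirement(SAMPLE_CODESIGN_OUTPUT)
    profile = build_pppc_profile(
        "com.example.app", req, allowed=["Accessibility"], restricted=["Camera"],
        apple_events=[("com.apple.finder", 'identifier "com.apple.finder" and anchor apple')])
    print(to_mobileconfig(profile).decode())
```

Omitting a service from both lists is how "user controlled" is expressed: the profile simply says nothing about it, and the user keeps the normal consent prompt.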