Privacy Preferences Policy Control

With the release of macOS Mojave (10.14), Apple introduced controls that let users allow or restrict cross-application data requests. Subsequently, macOS Catalina (10.15) extended the list of requests to include permissions such as Camera, Photos, Accessibility, AppleEvents, and more.

For example, certain apps or services might require the users' permission to access specific data or even other apps, similar to the permissions requested on mobile devices. The users must provide their consent, without which the apps and services might fail to function. Granting certain permissions, such as Accessibility, might even require admin privileges, so a standard user cannot grant them manually.

Configuring Privacy Preferences Policy Control (PPPC) in MDM lets you remotely manage these security preferences/permissions. You can allow or restrict permissions requested by Mac applications, on the users' behalf.

Prerequisite(s)

  • The managed Mac machines must be running macOS 10.14 or later.

Profile Description

Profile Specification: Description

Identifier: Specify the unique bundle identifier of the app.

Installation path: Specify the installation path, if a non-bundled app is used.

Code sign requirement: Run the following command on a fresh installation of macOS 10.14 or later to obtain the Code sign requirement, and specify it here.

    codesign --display -r - /path/to/app/binary

  For example, if you want to obtain Code sign requirement for the Endpoint Central agent, run the following command and specify the output displayed after => as the Code sign requirement.

  Command:

    codesign --display -r - /Library/ManageEngine/UEMS_Agent/ManageEngine\ UEMS\ -\ Agent.app

  Output:

    Executable=/Library/ManageEngine/UEMS_Agent/ManageEngine UEMS - Agent.app/Contents/MacOS/ManageEngine UEMS - Agent
    designated => identifier "com.manageengine.ManageEngine-UEMS---Agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = TZ824L8Y37

Static code validation: Enable this only if the app or process invalidates the dynamic Code sign requirement. By default, this will be disabled.

Permissions:
  Allowed Permissions: Specify permissions that you want to provide consent to, on behalf of the users.
  Other Permissions: Permissions which are not marked as allowed can be set to user controlled or restricted.

Specify apps for AppleEvents: If the app or service requires permission to access other apps or services, individually specify them under AppleEvents.

  • You can configure PPPC for multiple apps within a single policy.
  • Permissions such as Camera, Microphone, and Screen Recording cannot be granted by any MDM. They can only be restricted or left user controlled, which is the default option.
  • After a PPPC permission is applied to a device, the change might in some cases not be reflected in the device's system settings; the permission is still applied internally to the device.
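
PPPC settings reach a Mac as Apple's com.apple.TCC.configuration-profile-policy profile payload, and the fields described above are mapped here, by assumption, onto that payload's keys. The following Python example is added for illustration and is not ManageEngine's code: it extracts the Code sign requirement from the codesign output shown above and builds one such payload, refusing to grant the permissions that an MDM can only restrict. The function names, the com.example.pppc identifier, and the choice of Accessibility as the granted permission are assumptions.

```python
import plistlib
import uuid
# codesign output for the Endpoint Central agent, as shown on this page.
SAMPLE_OUTPUT = (
    "Executable=/Library/ManageEngine/UEMS_Agent/ManageEngine UEMS - Agent.app"
    "/Contents/MacOS/ManageEngine UEMS - Agent\n"
    'designated => identifier "com.manageengine.ManageEngine-UEMS---Agent" and '
    "anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] "
    "/* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] "
    "/* exists */ and certificate leaf[subject.OU] = TZ824L8Y37\n"
)
# TCC service keys for the permissions an MDM can restrict but never grant.
DENY_ONLY = {"Camera", "Microphone", "ScreenCapture"}

def designated_requirement(codesign_output):
    """Return the text after 'designated =>' (the Code sign requirement)."""
    for line in codesign_output.splitlines():
        _, found, req = line.partition("designated =>")
        if found and req.strip():
            return req.strip()
    raise ValueError("no designated requirement found; is the binary signed?")

def tcc_entry(identifier, requirement, allowed, is_path=False, static_code=False):
    return {
        "Identifier": identifier,
        "IdentifierType": "path" if is_path else "bundleID",  # path: non-bundled
        "CodeRequirement": requirement,
        "StaticCode": static_code,  # static code validation, off by default
        "Allowed": allowed,  # macOS 11+ also accepts an "Authorization" key
    }

def pppc_payload(services):
    """Build the payload dict, rejecting grants that an MDM cannot make."""
    for service, entries in services.items():
        if service in DENY_ONLY and any(e["Allowed"] for e in entries):
            raise ValueError(f"{service} can only be restricted, not granted")
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": "com.example.pppc",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "Services": services,
    }

def agent_profile_xml():
    req = designated_requirement(SAMPLE_OUTPUT)
    # Signing identifier from the requirement, assumed to equal the bundle ID.
    entry = tcc_entry("com.manageengine.ManageEngine-UEMS---Agent", req, True)
    return plistlib.dumps(pppc_payload({"Accessibility": [entry]}))
```

Pinning the entry to the full designated requirement, rather than the identifier alone, means the grant applies only to a binary signed by the same team ID (the subject.OU value).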