Hey everyone, I’m trying to wrap my head around TCC and PPPC on macOS. I know Apple uses TCC to control app permissions (camera, mic, disk access, etc.), but how exactly does PPPC fit in when we’re managing devices with Hexnode or Jamf? Can someone explain it like I’m new to this?
What exactly are TCC and PPPC on macOS, and how do IT admins use them in managed environments? (Solved)
Replies (7)
Sure thing. Think of TCC as the gatekeeper on macOS. It’s the framework that decides whether an app can access sensitive resources. By default, it always asks the user.
PPPC profiles are what MDM/UEM solutions (like Hexnode, Jamf, Kandji) use to pre-approve or deny those prompts. For example, you can push a PPPC profile that says “Allow Zoom to use the microphone” so the user doesn’t get nagged with pop-ups.
Well, adding to that: PPPC is basically Apple’s way of letting IT admins automate some of those TCC decisions. But not all. For example:
- Accessibility → Can be allowed via PPPC.
- Full Disk Access → Can be allowed.
- Screen Recording → Nope. Apple forces the user to toggle that one manually.
So PPPC is powerful, but it’s not a silver bullet.
Exactly. And that’s where scripts come in. We’ve had cases where Zoom or Teams updates break existing permissions. The PPPC profile is still there, but macOS doesn’t recognize it. Running a script with tccutil reset clears the stale record so the UEM policy re-applies cleanly.
But why aren’t you guys talking about that one thing to remember: apps must be closed for TCC resets to take effect. If you’re resetting Zoom, add `killall "zoom.us"` at the start of your script. Otherwise, the reset won’t register until the next restart.
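Here is the reset script the two replies above describe, written out end to end. This is an added example, not a script posted by anyone in this thread or shipped by Hexnode or Jamf. It assumes Zoom's bundle id is `us.zoom.xos` and its process name is `zoom.us` (check both on your own build), and it assumes that Microphone and Camera records live in the user's TCC database while Accessibility and Full Disk Access live in the system one, so the former are reset as the console user and the latter as root. The order is the point: quit the app, wait until it is actually gone, then reset, so the PPPC grant from the UEM re-applies cleanly on next launch.

```shell
#!/bin/sh
# Added example (not from the thread): reset stale TCC records for an app in
# the order the replies describe: quit it, wait for it to exit, then reset.
# Assumed values: bundle id "us.zoom.xos", process name "zoom.us" for Zoom.
#
# Usage (as root, e.g. from a Jamf/Hexnode policy; with Jamf, pass $4 onward):
#   ./tcc_reset.sh us.zoom.xos zoom.us Microphone Camera Accessibility
# With no services given, "All" is reset for that bundle id.

# Assumption: these services are stored per user
# (~/Library/Application Support/com.apple.TCC/TCC.db) and must be reset in
# the console user's context; everything else is in the system database.
user_scoped_service() {
    case "$1" in
        Microphone|Camera|Photos|Calendar|Contacts|Reminders|AppleEvents) return 0 ;;
        *) return 1 ;;
    esac
}

# Currently logged-in GUI user (standard macOS idiom).
console_user() {
    stat -f %Su /dev/console
}

# Quit the app and block until it is gone (about 10 s max). A reset issued
# while the process is still running is not honoured until it relaunches.
quit_app() {
    proc="$1"
    if pgrep -xq "$proc"; then
        killall "$proc" 2>/dev/null || true
        i=0
        while pgrep -xq "$proc" && [ "$i" -lt 20 ]; do
            sleep 0.5
            i=$((i + 1))
        done
        # Still alive after the grace period: force it, or the reset is lost.
        pgrep -xq "$proc" && killall -9 "$proc"
    fi
    return 0
}

# Reset one service for a bundle id in the right security context.
reset_service() {
    bundle="$1"; service="$2"
    if user_scoped_service "$service"; then
        sudo -u "$(console_user)" tccutil reset "$service" "$bundle"
    else
        tccutil reset "$service" "$bundle"
    fi
}

# tcc_reset BUNDLE_ID PROCESS_NAME [SERVICE...]
tcc_reset() {
    bundle="$1"; proc="$2"; shift 2
    [ "$#" -gt 0 ] || set -- All
    quit_app "$proc"
    for svc in "$@"; do
        reset_service "$bundle" "$svc"
    done
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
    tcc_reset "$@"
fi
```

After the reset, the next launch of the app triggers the TCC lookup again, and if the PPPC profile is still installed the record is recreated from the profile instead of from a prompt. If the app is launched before the reset finishes you are back to a stale record, which is why the script waits on `pgrep` rather than just firing `killall` and moving on.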
We also use scripts for auditing Full Disk Access. Sometimes users complain that our endpoint security tool isn’t working, and it’s because FDA wasn’t applied correctly.
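One way to do that Full Disk Access audit, as an added example rather than anything posted in this thread: read the system TCC database and map the stored `auth_value` to a word. Assumptions here are the database path `/Library/Application Support/com.apple.TCC/TCC.db`, an `access` table with `service`, `client` and `auth_value` columns, the FDA service name `kTCCServiceSystemPolicyAllFiles`, and the value meanings 0 = denied, 1 = unknown, 2 = allowed, 3 = limited, as seen on macOS 11 and later. The bundle id `com.example.endpointsecurity` is a placeholder. The important caveat: the process running this (your MDM agent, or Terminal when run by hand) must itself hold Full Disk Access to open that database at all; root alone is not enough, and a failure to open it means "cannot tell", not "not granted".

```shell
#!/bin/sh
# Added example (not from the thread): audit whether bundle ids hold Full
# Disk Access by reading the system TCC database. Assumptions: DB path,
# "access" table layout and auth_value meanings as on macOS 11+. The process
# running this script must itself have FDA, or the open fails.
#
# Usage (as root): ./fda_audit.sh com.example.endpointsecurity [more ids...]

TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"
FDA_SERVICE="kTCCServiceSystemPolicyAllFiles"

# Map a raw auth_value (empty when no row exists) to a word.
fda_state() {
    case "$1" in
        "") echo "NOT_SET" ;;       # no record: profile never applied or record reset
        0)  echo "DENIED" ;;
        2)  echo "ALLOWED" ;;
        3)  echo "LIMITED" ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Raw auth_value for one client; empty output when no row exists; non-zero
# status when the database could not be opened. The client id is passed
# through single-quote doubling so an odd identifier cannot alter the query.
fda_raw_value() {
    db="$1"; client="$2"
    escaped=$(printf '%s' "$client" | sed "s/'/''/g")
    sqlite3 "$db" "SELECT auth_value FROM access
                   WHERE service='$FDA_SERVICE' AND client='$escaped'
                   LIMIT 1;"
}

# fda_status BUNDLE_ID -> prints "BUNDLE_ID STATE"; returns 0 only for ALLOWED,
# 2 when the database is unreadable (the auditor itself lacks FDA).
fda_status() {
    raw=$(fda_raw_value "$TCC_DB" "$1") || {
        echo "$1 UNREADABLE (does this process have Full Disk Access?)"
        return 2
    }
    state=$(fda_state "$raw")
    echo "$1 $state"
    [ "$state" = "ALLOWED" ]
}

# Audit every bundle id given; exit non-zero if any is not ALLOWED, so an
# extension attribute or smart group in the UEM can key off the result.
audit_fda() {
    rc=0
    for bid in "$@"; do
        fda_status "$bid" || rc=1
    done
    return $rc
}

if [ "$#" -ge 1 ]; then
    audit_fda "$@"
fi
```

A `NOT_SET` result on a machine that has the PPPC profile installed is the "profile is there but macOS doesn't recognise it" situation from earlier in the thread; a `DENIED` result usually means a user or an earlier profile explicitly refused it, which a fresh PPPC push does not override on its own.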
Important caveat: Apple’s System Integrity Protection (SIP) limits what you can do. You can’t bypass user consent for things like Screen Recording or Camera. Scripts can only reset or audit, not force-enable. That’s by design: Apple wants the user in control of the most sensitive stuff.
Got it. So basically:
- TCC = the framework.
- PPPC = the MDM/UEM way to pre-approve some permissions.
- Scripts = the “surgical tools” for resets, audits, and workarounds.
Makes sense now. Thanks everyone!