How to configure a Privacy Preferences Policy Control profile for macOS devices?

This article explains how to configure a Privacy Preferences Policy Control (PPPC) profile for macOS devices with Hexnode MDM.

Starting with macOS Mojave 10.14, Apple protects user data through Transparency, Consent, and Control (TCC): any app or process that needs access to protected files, devices (such as the camera or microphone) or other apps' data must first obtain the user's consent.

However, approval prompts interrupt the user's workflow, and if users decline a request the application may not function. Standard users also cannot approve access for services that require administrator privileges to change, such as Screen Recording. With Hexnode MDM, enterprises can manage these approvals remotely on behalf of users through the Privacy Preferences Policy Control payload for Mac.

Privacy Preferences Policy Control (PPPC) profile

A PPPC profile allows administrators to remotely manage the settings found on the Privacy tab of the Security & Privacy pane in System Preferences. Admins can allow or deny a given application's requests to access macOS services such as Calendar, Camera and so on, or leave the decision to the end user by setting a preference to Default. The feature works on macOS 10.14 or later.

Allowing an application access to the services it needs through a PPPC profile simplifies its setup. For instance, remotely granting an app access to all protected files (Full Disk Access) lets it read that data without prompting end users.

There are also cases where an organization needs to block certain applications from accessing services such as the Camera or Screen Recording. A PPPC profile with the corresponding deny permissions for those apps achieves this remotely.

Notes:

  • PPPC profile requires the latest version of the Hexnode MDM app to be installed on the devices.
  • This feature is available only on Ultimate and Ultra pricing editions.

Find privacy permissions of macOS apps

It is not always obvious which privacy permissions a particular app needs. Perform the following steps on a test Mac to determine them:

  1. Install the app on a test Mac or a virtual machine, using the same signed build you intend to deploy.
  2. Open the app, exercise the features you expect users to rely on, and note any consent dialogs, such as requests to access the camera or the Documents folder.
  3. Next, open System Preferences > Security & Privacy > Privacy.
  4. Unlock the pane with administrator credentials and select a service from the list on the left, such as Contacts, Camera or Accessibility. If the app is listed under a service, it has requested access to that service; the checkbox shows whether the request was granted.

In this way, you can find the permissions required to run each of your macOS apps. Deploying a PPPC profile that allows those services prevents the consent prompts when the app is opened, provided the deployed build is signed with the same identity as the one you tested, because PPPC entries identify apps by their code-signing requirement rather than by install path.
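The Privacy tab shows which apps have asked for a service, but the underlying record, including whether the user said yes, lives in the TCC databases on the test Mac. The following Python script is an added example, not part of the Hexnode article: it reads those databases for one bundle identifier, maps the TCC service identifiers to the service names used in the portal, and flags the services that MDM can only deny (Camera, Microphone, Screen Recording). The service-name table, the in-memory demo database and the bundle identifiers are constructed assumptions. Reading the real databases requires Full Disk Access for the terminal app you run it from (user database) and root as well (system database), and it is intended for a test Mac only.

```python
"""List the privacy (TCC) services an app has already requested on a test
Mac, to plan the matching PPPC entries.

Added example, not part of the Hexnode article. SERVICE_NAMES, the demo
database and the bundle identifiers are constructed for illustration.
Reading the real databases needs Full Disk Access for the terminal app
(user database) and root as well (system database).
"""
import os
import sqlite3
from typing import Dict

# TCC service identifier -> service name shown in the Hexnode portal.
SERVICE_NAMES = {
    "kTCCServiceAddressBook": "Contacts",
    "kTCCServiceCalendar": "Calendars",
    "kTCCServiceReminders": "Reminders",
    "kTCCServicePhotos": "Photos",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAccessibility": "Accessibility",
    "kTCCServiceSystemPolicyAllFiles": "All Files",
    "kTCCServiceSystemPolicySysAdminFiles": "System Admin Files",
    "kTCCServiceMediaLibrary": "Media Library",
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSpeechRecognition": "Speech Recognition",
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop Folder",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents Folder",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads Folder",
    "kTCCServiceSystemPolicyNetworkVolumes": "Network Volumes",
    "kTCCServiceSystemPolicyRemovableVolumes": "Removable Volumes",
}

# Services MDM can only deny or leave at Default, never grant.
DENY_ONLY = {"Camera", "Microphone", "Screen Recording"}

USER_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SYSTEM_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def _decision_column(conn: sqlite3.Connection) -> str:
    """macOS 11+ records the decision in auth_value; earlier releases in allowed."""
    columns = {row[1] for row in conn.execute("PRAGMA table_info(access)")}
    return "auth_value" if "auth_value" in columns else "allowed"


def requested_services(conn: sqlite3.Connection, client: str) -> Dict[str, str]:
    """Return {portal service name: 'allowed'|'denied'|'limited'|'unknown'} for one app."""
    column = _decision_column(conn)
    rows = conn.execute(f"SELECT service, {column} FROM access WHERE client = ?", (client,))
    result: Dict[str, str] = {}
    for service, value in rows:
        name = SERVICE_NAMES.get(service, service)
        if column == "allowed":                      # legacy 0/1 column
            state = "allowed" if value == 1 else "denied"
        else:                                        # 0 denied, 2 allowed, 3 limited
            state = {0: "denied", 2: "allowed", 3: "limited"}.get(value, "unknown")
        result[name] = state
    return result


def suggest_pppc(requested: Dict[str, str]) -> Dict[str, str]:
    """Decide what a PPPC profile can actually set for each requested service."""
    return {name: ("Deny or Default only" if name in DENY_ONLY else "Allow")
            for name in requested}


def scan_test_mac(client: str) -> Dict[str, str]:
    """Query both TCC databases read-only on a real test Mac."""
    found: Dict[str, str] = {}
    for path in (USER_DB, SYSTEM_DB):
        if not os.path.exists(path):          # also False when FDA is missing
            continue
        try:
            conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        except sqlite3.OperationalError:
            continue
        try:
            found.update(requested_services(conn, client))
        except sqlite3.OperationalError:
            pass  # usually: the terminal app lacks Full Disk Access
        finally:
            conn.close()
    return found


def demo_connection(legacy: bool = False) -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a minimal access table."""
    column = "allowed" if legacy else "auth_value"
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE access (service TEXT, client TEXT, "
                 f"client_type INTEGER, {column} INTEGER)")
    granted, denied = (1, 0) if legacy else (2, 0)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.meetingapp", 0, granted),
        ("kTCCServiceMicrophone", "com.example.meetingapp", 0, granted),
        ("kTCCServiceScreenCapture", "com.example.meetingapp", 0, denied),
        ("kTCCServiceAddressBook", "com.example.meetingapp", 0, granted),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup", 0, granted),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    for app in ("com.example.meetingapp", "com.example.backup"):
        requested = requested_services(conn, app)
        print(app, requested, suggest_pppc(requested))
```

Run it as-is to see the constructed data; on a test Mac, call scan_test_mac("your.bundle.id") from a terminal that has Full Disk Access (and with sudo for the system database). Entries whose client_type is 1 are keyed by absolute path rather than bundle identifier, which is one more reason to prefer the code-signing requirement when the PPPC entry is written.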

Configure macOS Privacy Preferences Policy Control profile

A PPPC profile defines, per app, whether access to each service in the device's Security & Privacy pane is allowed, denied or left to the user. You can define preferences for multiple apps within a single policy. To create a Privacy Preferences Policy Control profile for macOS devices,

  1. Head on to Policies.
  2. Create a new policy with the New Policy button or select an existing policy to edit it. Provide a suitable name and description (optional) for the policy if a new policy is chosen.
  3. Navigate to macOS > Security > Privacy Preferences > Configure.
  4. Click on +Add new preference to create preferences for the following macOS services.

    Privacy Preferences (service and what the preference controls):

      • Contacts: Specify whether to allow or deny apps access to contact information managed by the Contacts app.
      • Calendars: Specify whether to allow or deny apps access to the event information managed by Calendar.
      • Reminders: Specify whether to allow or deny apps access to information stored in Reminders.
      • Photos: Control which apps or processes can access the images in the Photos library (/Users/username/Pictures/Photos Library). Denying access for an app does not prevent it from reading images stored outside the Photos library.
      • Camera: Can only be set to Default or Deny for the specified apps. MDM cannot grant Camera access.
      • Microphone: Can only be set to Default or Deny for the specified apps. MDM cannot grant Microphone access.
      • Accessibility: Allow or deny the specified apps to control the Mac through the Accessibility subsystem.
      • All Files: Specify whether to allow or deny apps access to all protected files (Full Disk Access). This covers data managed by other apps (Safari, Mail, etc.), Time Machine backups and certain administrative settings. The preference applies to all users on the Mac.
      • System Admin Files: Specify whether to allow or deny the specified apps access to certain files used in system administration.
      • Media Library (macOS 10.15+): Specify whether to allow or deny apps access to Apple Music and the user's image, video and audio media.
      • Screen Recording (macOS 10.15+): Can only be set to Default or Deny for screen capture and recording. MDM cannot grant Screen Recording access.
      • Speech Recognition (macOS 10.15+): Specify whether to allow or deny apps use of the system's speech recognition capabilities.
      • Desktop Folder (macOS 10.15+): Specify whether to allow or deny apps access to files in the Desktop folder.
      • Documents Folder (macOS 10.15+): Specify whether to allow or deny apps access to files in the Documents folder.
      • Downloads Folder (macOS 10.15+): Specify whether to allow or deny apps access to files in the Downloads folder.
      • Network Volumes (macOS 10.15+): Specify whether to allow or deny apps access to files on network volumes.
      • Removable Volumes (macOS 10.15+): Specify whether to allow or deny apps access to files on removable volumes.

  5. After selecting the required permissions for the services, click on the Select Apps button.
  6. Select the required apps with which you want to associate the configured privacy preferences.
  7. Click Add.

The app or process along with its identifier and allowed or denied services will now be listed. You can also edit the privacy preferences on a per-app basis by clicking on the edit icon on the right side of the respective app.
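What the portal sends to the Mac after these steps is a configuration profile carrying a com.apple.TCC.configuration-profile-policy payload: one record per app and service, each pinned to the app's code-signing requirement. The following Python script is an added example and not Hexnode's own code (the MDM generates, signs and delivers the profile for you); it builds the equivalent payload from the same Allow/Deny/Default decisions, refuses to "allow" the services Apple lets MDM only deny, drops Default entries so the user keeps the decision, and writes the result as a .mobileconfig. The bundle identifiers, requirement strings, organization name and profile identifier are constructed. A real requirement comes from `codesign -dr - /Applications/Example.app` (the "designated =>" line).

```python
"""Build the configuration profile a PPPC policy turns into: a
com.apple.TCC.configuration-profile-policy payload with one entry per app
and service, each pinned to the app's code-signing requirement.

Added example, not Hexnode code; the MDM generates, signs and delivers this
for you. Bundle identifiers, requirement strings and names below are
constructed. Obtain a real requirement with
`codesign -dr - /Applications/Example.app` (the "designated =>" line).
"""
import plistlib
import uuid
from typing import Dict, List, Tuple

# Service name in the portal -> key in the payload's Services dictionary.
PAYLOAD_KEYS = {
    "Contacts": "AddressBook",
    "Calendars": "Calendar",
    "Reminders": "Reminders",
    "Photos": "Photos",
    "Camera": "Camera",
    "Microphone": "Microphone",
    "Accessibility": "Accessibility",
    "All Files": "SystemPolicyAllFiles",
    "System Admin Files": "SystemPolicySysAdminFiles",
    "Media Library": "MediaLibrary",
    "Screen Recording": "ScreenCapture",
    "Speech Recognition": "SpeechRecognition",
    "Desktop Folder": "SystemPolicyDesktopFolder",
    "Documents Folder": "SystemPolicyDocumentsFolder",
    "Downloads Folder": "SystemPolicyDownloadsFolder",
    "Network Volumes": "SystemPolicyNetworkVolumes",
    "Removable Volumes": "SystemPolicyRemovableVolumes",
}

# Apple lets MDM deny these but never grant them.
DENY_ONLY = {"Camera", "Microphone", "Screen Recording"}

AppPrefs = Tuple[str, Dict[str, str]]  # (code requirement, {service: decision})


def tcc_entry(bundle_id: str, code_requirement: str, allowed: bool) -> dict:
    """One allow/deny record. The CodeRequirement, not a path, identifies the app."""
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "StaticCode": False,
        "Allowed": allowed,
    }


def build_services(apps: Dict[str, AppPrefs]) -> Dict[str, List[dict]]:
    """Translate per-app Allow/Deny/Default decisions into the Services dict.
    Default writes nothing, which leaves the decision to the user."""
    services: Dict[str, List[dict]] = {}
    for bundle_id, (requirement, prefs) in apps.items():
        for name, decision in prefs.items():
            if name not in PAYLOAD_KEYS:
                raise ValueError(f"unknown service {name!r}")
            if decision == "Default":
                continue
            if decision not in ("Allow", "Deny"):
                raise ValueError(f"bad decision {decision!r} for {name}")
            if decision == "Allow" and name in DENY_ONLY:
                raise ValueError(f"{name} cannot be granted by MDM, only denied")
            services.setdefault(PAYLOAD_KEYS[name], []).append(
                tcc_entry(bundle_id, requirement, decision == "Allow"))
    return services


def build_profile(apps: Dict[str, AppPrefs], identifier: str = "com.example.pppc",
                  organization: str = "Example Org") -> dict:
    """Wrap the services in a system-scoped profile. TCC honours this payload
    only when it arrives through MDM, not when a user installs it by hand."""
    return {
        "PayloadDisplayName": "Privacy Preferences Policy Control",
        "PayloadIdentifier": identifier,
        "PayloadOrganization": organization,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadIdentifier": f"{identifier}.tcc",
            "PayloadUUID": str(uuid.uuid4()),
            "PayloadVersion": 1,
            "Services": build_services(apps),
        }],
    }


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile)


def from_mobileconfig(data: bytes) -> dict:
    return plistlib.loads(data)


# Constructed example: a backup agent gets Full Disk Access, a meeting app is
# kept off the camera and screen, and its Calendar access is left to the user.
EXAMPLE_APPS: Dict[str, AppPrefs] = {
    "com.example.backup": (
        'identifier "com.example.backup" and anchor apple generic and '
        'certificate leaf[subject.OU] = "ABCDE12345"',
        {"All Files": "Allow", "Removable Volumes": "Allow"},
    ),
    "com.example.meetingapp": (
        'identifier "com.example.meetingapp" and anchor apple generic and '
        'certificate leaf[subject.OU] = "FGHIJ67890"',
        {"Camera": "Deny", "Screen Recording": "Deny", "Calendars": "Default"},
    ),
}

if __name__ == "__main__":
    print(to_mobileconfig(build_profile(EXAMPLE_APPS)).decode())
```

The requirement string is the part worth checking before deployment: a Developer ID app that is re-signed with a different team identifier no longer matches the entry, so the consent prompts reappear even though the bundle identifier is unchanged.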

Clicking on the trash icon will remove the corresponding app from the list. If you need to delete all the added preferences, click Remove All.

Notes:

  • Apart from Allow and Deny, a preference can be set to Default, which leaves the decision entirely to the end user.
  • The user must relaunch the specified apps on the device for the applied configuration to take effect.
  • Denying a service in the portal may not restrict some of Apple's own apps, such as Photo Booth and FaceTime, which can still use that service.
  • For apps whose information cannot be fetched (shown greyed out in the app list), run the Scan Device action on the macOS devices before setting privacy preferences for the app.
  • Preferences pushed via MDM are not shown on the Privacy tab of the System Preferences UI. If a user tries to change a privacy preference on the device, the settings pushed via MDM still prevail.

Associate PPPC profile with target Mac devices

Follow the below steps if you’ve not saved the policy yet,

  1. Navigate to Policy Targets.
  2. Click on Devices/Device Groups/Users/User Groups/Domains.
  3. Choose the targets, click OK and then Save.

In case you’ve already saved the policy without associating any target entities,

  1. Go to Policies and choose the policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Now, choose the devices, users, device groups, user groups, and domains as the policy targets.
  4. Click Associate.
Note:

  • Applying multiple conflicting PPPC policies will associate the most restrictive (deny) settings with the devices.