How to configure a Privacy Preferences Policy Control profile for macOS devices?

This article explains Apple’s new Privacy Preferences Policy Control (PPPC) profile on macOS devices.

Apple fortifies the security of macOS devices with exciting new features and enhancements. One such feature is the user data protection that comes with macOS Mojave 10.14+ devices. Here, any app or process that needs access to some protected files or application data will require user consent.

However, approval prompts may interrupt the user’s workflow. Moreover, if users do not consent to these requests, the application may fail to function. Also, standard users are no longer capable of allowing app access for services (like Screen Recording) that require admin privileges. With Hexnode’s MDM solution, enterprises can remotely manage these approvals on behalf of the users with the Privacy Preferences Policy Control payload for Mac.

Privacy Preferences Policy Control (PPPC) profile

A PPPC profile allows administrators to remotely manage the settings available on the Privacy tab of the Security & Privacy pane under System Preferences. Here, they can remotely allow or deny certain applications’ requests to access various macOS services like Calendar, Camera, etc. An admin can also leave the entire controls to the end-user by setting the privacy preferences to their default settings. The feature works on macOS 10.14 or later devices.

Allowing application access to certain services via a PPPC profile will ease the app’s setup process. For instance, remotely granting the app access to all protected files on the device will enable the specified app to access any private-sensitive data without prompting the end-users.

There are also cases when organizations need to block certain applications from accessing macOS services like Camera, Screen Recording, etc. A PPPC profile with the required deny permissions for the concerned apps will help you achieve it remotely.

Find privacy permissions of macOS apps

It’s not always obvious which privacy permissions are needed by a particular app. Perform the following steps to determine the permissions required for running a specific app:

1. Install the app on a test Mac or a virtual machine.
2. Open the app and check out any UI dialogues, such as requesting access to the camera or the documents folder.
3. Next, open System Preferences > Security & Privacy > Privacy.
4. Authenticate with the administrator credentials and select an option from the list of available services, such as Contacts, Camera, Accessibility, etc. If the app is listed for a particular service, it means that the app will require access to that service.

In this way, you can find the various permissions required for running your macOS apps. Deploying a PPPC profile by allowing the required permissions will prevent displaying consent prompts when you open the app.

Configure macOS Privacy Preferences Policy Control profile

Configure a PPPC profile to define settings to allow or deny access to applications within the device’s Security & Privacy pane. You can define PPPC for multiple apps within a single policy. To create a Privacy Preferences Policy Control profile on macOS devices,

1. Head on to Policies.
2. Create a new policy with the New Policy button or select an existing policy to edit it. Provide a suitable name and description (optional) for the policy if a new policy is chosen.
3. Navigate to macOS > Security > Privacy Preferences > Configure.
4. Click on +Add new preference to create preferences for the following macOS services.
   

   Privacy Preferences

   Services	Description
   Contacts	Specify whether to allow or disallow apps access to contact information managed by the Contacts app.
   Calendars	Specify whether to allow or deny apps access to the event information managed by Calendar.
   Reminders	Manage the app access to information stored on Reminders.
   Photos	Control which apps or processes can access the images in Photos available in the Photo Library (/Users/username/Pictures/Photos Library). Denying the access permission for a particular app won’t prevent it from accessing photos not residing on the Photos Library.
   Camera	You can either set to default or restrict camera access permission for specified apps. MDM cannot grant access permissions for Camera services.
   Microphone	You can either set to default or deny microphone access for specified apps. MDM cannot grant access permissions for Microphone services.
   Accessibility	Allow or deny specified apps to control the macOS devices via the Accessibility subsystem.
   All Files	Specify whether to allow or deny apps access to all protected files. It includes access to other apps (Safari, Mail, etc.) or data from Time Machine backups, and certain administrative settings. The preferences will work for all users on the Mac.
   System Admin Files	Specify whether to allow or deny specified apps access to some files used in system administration.
   Media Library (macOS 10.15+)	Specify whether to allow or deny apps access to Apple Music, images, videos, audios, or other media sources.
   Screen Recording (macOS 10.15+)	You can either set it to Default, Deny or Let user authorize. The latter option is applicable only on macOS 11.0+. If this option is configured, the end-users will be able to grant permission to record the screen.
   Speech Recognition (macOS 10.15+)	Manage app access to use the system speech recognition capabilities.
   Desktop Folder (macOS 10.15+)	Specify whether to allow or deny apps access to files in the Desktop folder.
   Documents Folder (macOS 10.15+)	Specify whether to allow or deny apps access to files in the Documents folder.
   Downloads Folder (macOS 10.15+)	Specify whether to allow or deny apps access to files in the Downloads folder.
   Network Volumes (macOS 10.15+)	Manage app access to files on network volumes.
   Removable Volumes (macOS 10.15+)	Manage app access to files on removable volumes.

5. To select apps:
   • Search and add the required Enterprise, VPP or Store apps.
   • Or, add apps by specifying Bundle IDs/paths.

   To add apps with Bundle IDs/paths,

   • Select Identifier type as Bundle ID or Path.
   • Enter the Bundle ID/ Path of the app in the Identifier field.
   • Provide Code Requirement of the app.
   • Enable the Validate code requirement checkbox. It statically validates the code requirement of the app.

   You can add multiple apps using the “Add more” option.

6. Select the required apps with which you want to associate the configured privacy preferences.
7. Click Add.

The app or process along with its identifier and allowed or denied services will now be listed. You can also edit the privacy preferences on a per-app basis by clicking on the edit icon on the right side of the respective app.

Clicking on the trash icon will remove the corresponding app from the list. If you need to delete all the added preferences, click Remove All.

Associate PPPC profile with target Mac devices

Follow the below steps if you’ve not saved the policy yet,

1. Navigate to Policy Targets.
2. Click on Devices/Device Groups/Users/User Groups/Domains.
3. Choose the targets, click OK and then Save.

In case you’ve already saved the policy without associating any target entities,

1. Go to Policies and choose the policy.
2. Click on the Manage drop-down and select Associate Targets.
3. Now, choose the devices, users, device groups, user groups, and domains as the policy targets.
4. Click Associate.

What happens at the device end?

The preference settings pushed via Hexnode will be applied on the target Macs.

The settings may not be displayed actively under System Preference > Security & Privacy > Privacy but when the user attempts to change the privacy preferences of an app already configured via the policy, the settings deployed via Hexnode will prevail.