Privacy Preferences Policy Control (PPPC) profile for macOS devices
1. The user-adjusted app preferences are not taking effect even after removing the policy from the device.
When a Mac Privacy Preference policy is associated, modified or disassociated from a device, the apps under consideration have to be relaunched on the device for the policy to take effect. This is the case even when the app is open while you are associating the policy. Close and relaunch the app during such scenarios for effective policy implementation.
After rolling out the policy modifications, advise the user to open and close the app before adjusting the app preferences. This will probably solve the issue and remove the UEM applied configurations from the device.
2. The app preferences that I choose in the policy are not yet reciprocated on the device System Preferences.
The preferences corresponding to the selected policy configurations will take effect once the specified apps are relaunched. However, the preferences set by the administrative authorities through the UEM console will not be shown under the device System Preferences > Security & Privacy.
Even though it may not be shown under System Preferences, if the policy is properly configured and associated with the device, and if the app is relaunched after attaching the policy, the preferences you have set will work as expected.
Note that on some Apple-developed apps like Photo Booth and FaceTime, the preferences you have disabled via the UEM might still be accessible to the users.
3. App-wise privacy preferences that I have set are not shown under System Preferences > Profiles.
The app-wise configured preferences are not shown under the Profiles section in System Preferences. However, if you want to check whether the device has received the policy, you can do so by looking for a profile for the Policy Preferences payload under System Preferences > Profiles.
4. Users are able to change the app preferences on the device even after restricting it through the UEM.
The users are free to change the app preferences from the device even if a UEM preference policy for the corresponding app is already attached. However, the preferences set via the UEM will take effect on the device irrespective of the end-user preference modifications.
5. I am not able to see an app that I want under the Add new preference table.
For an app preference to be set via Hexnode, the app has to be installed on at least one of the enrolled Macs. If the app is not listed in the Add new preference table under Policies > Mac > Security > Privacy Preferences, it might be because the app is not yet installed on the enrolled devices.
Push the app to the device either via Hexnode or through other mechanisms and complete a device scan. This will add the app to the list of apps whose privacy preferences can be configured through Hexnode.
6. Some apps cannot be selected while trying to set their privacy preferences.
The app remains non-selectable because Hexnode was unable to fetch the required app info. Initiate the action Device Scan on a device with the required app would solve this. Once the device responds with the required info, retry setting the privacy preference settings for the app.
7. Some apps stop responding while trying to request extra permissions on the devices.
Generally, when apps try to request access to protected privacy services on the devices, the users will be prompted to grant or deny permissions for the app. To streamline the process, IT admins can remotely set up these permissions for selected apps using the Privacy Preference policy in the UEM console. When an app tries to access specific permission denied via the UEM, the app will show an error message saying that the permission is denied for the app. However, some apps might not show this message; instead, it stops responding. This can be mistaken as app crashing. This happens because the permission for the app was proactively denied through the policy. Check the app permissions from System Preferences > Security & Privacy > Privacy to see if the permission is already denied for the app.