This Library Item is available for Mac computers
Overview
The Screen Recording, Camera, Input Monitoring, & Microphone Library Item configures privacy permissions for applications that need access to protected system resources on macOS devices. This Library Item uses the Privacy Preferences Policy Control (PPPC) framework to pre-approve applications for specific services without requiring end-user interaction. Administrators can control access to sensitive system resources including screen recording capabilities, camera access, input monitoring, and microphone permissions. Once configured, approved applications can access these resources automatically, while unauthorized applications are blocked from accessing protected services.How Screen Recording, Camera, Input Monitoring, & Microphone Works
The Library Item leverages macOS’s Transparency, Consent, and Control (TCC) framework, which was introduced in macOS Mojave to enhance system security. TCC requires explicit approval for applications to access protected resources known as “Services.” When an application attempts to access a protected service, macOS checks the TCC database for existing permissions. If no permission exists, the system either prompts the user for approval or blocks access entirely, depending on the configuration. The PPPC profile payload allows IT administrators to pre-approve specific applications for these services, bypassing the user approval process.Prerequisites
Before configuring this Library Item, ensure you have:- Mac computers running macOS Mojave or later
- Administrative access to the Kandji Web App
- Knowledge of which applications require access to protected services
- Understanding of your organization’s privacy and security requirements
Configuring the Screen Recording, Camera, Input Monitoring, & Microphone Library Item
1
Navigate to Library
Navigate to Library in the left-hand navigation bar.
2
Select Library Item
Select Screen Recording, Camera, Input Monitoring, & Microphone from the available Library Items.
3
Add to Assignment Map
Select Add to Assignment Map.
4
Configure settings
Configure the following settings based on your requirements:
Library Item Options
Screen Recording (ScreenCapture)- Deny: Prevents all applications from accessing screen recording capabilities
- Allow Standard User to Approve: Permits standard users to approve screen recording access for applications (macOS Big Sur and later)
- Deny: Blocks all applications from accessing the camera
- Allow Standard User to Approve: Enables standard users to approve camera access for applications
- Deny: Prevents applications from monitoring keyboard and mouse input
- Allow Standard User to Approve: Allows standard users to approve input monitoring permissions (macOS Big Sur and later)
- Deny: Blocks all applications from accessing the microphone
- Allow Standard User to Approve: Permits standard users to approve microphone access for applications
User Experience
When applications attempt to access protected services:- Pre-approved applications: Access granted automatically without user prompts
- Unauthorized applications: Access blocked with no user notification
- Standard user approval: Users see system permission dialogs for applications they can approve
Monitoring and Management
To verify that your PPPC profile is working correctly:1
Open System Information
Open System Information on the target Mac computer.
2
Select Profiles
Select Profiles from the left-hand column.
3
Locate PPPC profile
Locate your profile containing the PPPC payload.
4
Expand profile details
Click the caret icon next to the profile name.
5
Verify TCC policy
Look for the “com.apple.TCC.configuration-profile-policy” entry.
Known Limitations
Platform Restrictions- Only available for Mac computers
- Requires macOS Mojave or later for full functionality
- Some services require macOS Big Sur or later for standard user approval options
- Microphone and Camera: Can only be denied by administrators in macOS Catalina and later
- Screen Recording and Input Monitoring: Can be denied or configured for standard user approval in macOS Big Sur and later
- macOS Catalina: Screen Recording and Input Monitoring can only be denied, not configured for standard user approval
- No workaround exists to bypass macOS PPPC protections
- Profile-managed permissions are not visible in System Preferences
- End users cannot modify administrator-configured permissions
Troubleshooting
Profile Not Applying1
Verify profile assignment
Verify the profile is assigned to the correct device group.
2
Check profile installation
Check that the device has received the profile by viewing System Information > Profiles.
3
Confirm TCC policy entry
Confirm the profile contains the “com.apple.TCC.configuration-profile-policy” entry.
1
Verify application approval
Verify the application is included in the approved applications list.
2
Check service permissions
Check that the correct service permissions are configured for the application.
3
Confirm profile status
Ensure the profile has been applied and is active on the device.
1
Check macOS version
Confirm the device is running macOS Big Sur or later.
2
Verify service configuration
Verify the service is configured for “Allow Standard User to Approve” rather than “Deny”.
3
Check user permissions
Check that the user has the necessary permissions to approve the specific service.
Submitting Feedback
Apple tracks feedback on PPPC items from enterprise customers. To submit feedback:1
Access Feedback Assistant
Access Feedback Assistant.
2
Login with Managed Apple ID
Login with a Managed Apple ID from Apple Business Manager.
3
Categorize feedback
Categorize your request under Enterprise & Education > MDM.