This Library Item is available for Mac computers

What is PPPC?

Privacy Preferences Policy Control (PPPC) in macOS helps you manage app permissions and protect user data. With a PPPC profile, you can pre-approve apps’ access to system services like the camera, microphone, and file systems. This eliminates manual user approval and simplifies your deployment process.

How PPPC and TCC Controls Work

Starting with macOS Mojave (10.14), Apple’s PPPC payload lets you configure Transparency, Consent, and Control (TCC) settings for safeguarding user information. PPPC profiles let you pre-approve or deny app access to system services like the camera, microphone, and file systems. You create these profiles using XML files that specify each app’s permissions, bundle IDs, and code requirements. Once created, you deploy these profiles via MDM to apply the settings to enrolled Mac computers.

Due to Apple’s privacy requirements, Camera, Microphone, and Screen Recording access will always require user interaction to approve.

Determining Which Apps Need a Privacy Profile

To determine if your app needs additional privacy permissions, follow these steps. Note that preference panes may vary between different macOS versions.

For macOS 13 Ventura or later

1. Install App
   Install your app on a test device or a macOS virtual machine.

2. Launch App
   Launch the app and pay attention to any UI dialogues that appear, such as those requesting access to accessibility features or the Downloads folder.

3. Check Privacy Settings
   Navigate to System Settings and select Privacy & Security.

4. Check App Permissions
   Select an option on the right-hand side, like Accessibility. If your app is listed here, it indicates that the app requires this PPPC permission.

5. Get App Path
   Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.

For macOS versions prior to macOS 13 Ventura

1. Install App
   Install your app on a test device or a macOS virtual machine.

2. Launch App
   Launch the app and pay attention to any UI dialogues that appear, such as those requesting access to accessibility features or the Downloads folder.

3. Navigate to Security & Privacy
   Navigate to System Settings and select Security & Privacy.

4. Select Privacy Tab
   Select the Privacy tab.

5. Check App Permissions
   Select an option on the right-hand side, like Accessibility. If your app is listed here, it indicates that the app requires this PPPC permission.

6. Get App Path
   Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.

Determine the Identifier and Code Requirement

To create a PPPC profile, you need the application’s code requirement and identifier. You can collect this information using Terminal on a Mac with the application installed.

1. Launch Terminal
   Launch Terminal on a macOS device on which the application is installed.

2. Run Code Sign Command
   Run the following command, replacing /Applications/zoom.us.app with the path to your application.

       codesign -dr - "/Applications/zoom.us.app"

3. Copy Code Requirement
   When the output results appear, copy all text after the => characters; do not copy any trailing or leading spaces. This output is the Code Requirement. The portion between the quotes, e.g. “us.zoom.xos”, is the Identifier.

Configuring a Privacy Profile using Iru

With your application information collected, you can create a Privacy profile in the Iru web app.
Privacy settings deployed via MDM will not appear in the graphical user interface in System Settings.
To add this Library Item to your Iru Endpoint Library, follow the steps in the Library Overview article.

1. Name the Profile
   Give your profile a descriptive Name.

2. Select Blueprints
   Select your desired Blueprints.

3. Set Identifier Type
   If your output includes an identifier in the first part of the code requirement, leave the Identifier type set to Bundle ID. Otherwise, select Path.

4. Paste Identifier
   Paste in the identifier found in the first part of the code requirement.
     • If you selected Path above, input the path for the profile.

5. Paste Code Requirement
   Paste in the full code requirement that you copied from Terminal. Make sure there are no leading or trailing spaces in the code requirement, as unnecessary characters can prevent the profile from deploying.

6. Validate Code Requirement
   Optionally, check the Statically validate the code requirement box. This option is only used if the process invalidates its dynamic code signature.

7. Select App or Service
   Select an option from the App or Service dropdown.

8. Add Additional App Access
   If needed, you can add additional app access to a PPPC profile by selecting Add app access.

9. Save Profile
   Select Save in the bottom right corner.
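
The script below is an added example, not Iru's or Apple's code. It automates the copy steps from "Determine the Identifier and Code Requirement" and the Bundle ID or Path decision from the configuration steps, then prints the matching entry for the XML payload described earlier. The function names, the sample codesign output and the team ID ABCDE12345 are constructed for illustration; the key names are those of Apple's Privacy Preferences Policy Control payload.

```shell
#!/bin/sh
# Constructed sample of `codesign -dr -` output (note the trailing spaces);
# ABCDE12345 is a placeholder team ID, not a real one.
SAMPLE='Executable=/Applications/zoom.us.app/Contents/MacOS/zoom.us
designated => identifier "us.zoom.xos" and anchor apple generic and certificate leaf[subject.OU] = ABCDE12345  '

# Print everything after "=>" on the designated line, edge whitespace removed.
code_requirement() {
    sed -n 's/^.*designated => *//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# Print the quoted identifier, but only if the requirement starts with one.
identifier_of() {
    printf '%s\n' "$1" | sed -n 's/^identifier "\([^"]*\)".*/\1/p'
}

# Escape &, < and > so a requirement is safe inside a plist <string>.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# services_entry <codesign-output> <app-path>
# Emits one <dict> for a service array (for example Accessibility) under the
# Services key of a com.apple.TCC.configuration-profile-policy payload.
services_entry() {
    req=$(printf '%s\n' "$1" | code_requirement)
    [ -n "$req" ] || { echo "no designated requirement found" >&2; return 1; }
    id=$(identifier_of "$req")
    idtype=bundleID
    # No leading identifier clause: identify the app by path instead.
    [ -n "$id" ] || { id=$2; idtype=path; }
    cat <<EOF
<dict>
  <key>Identifier</key><string>$(xml_escape "$id")</string>
  <key>IdentifierType</key><string>$idtype</string>
  <key>CodeRequirement</key><string>$(xml_escape "$req")</string>
  <key>Authorization</key><string>Allow</string>
</dict>
EOF
}

# On a Mac: services_entry "$(codesign -dr - "$app" 2>/dev/null)" "$app"
services_entry "$SAMPLE" "/Applications/zoom.us.app"
```

The requirement is XML-escaped because code requirements can contain comparison operators such as >= that are not valid inside a plist string as written.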