This Library Item is available for Mac computers

What is PPPC?

Privacy Preferences Policy Control (PPPC) in macOS helps administrators manage app permissions and protect user data. Using a PPPC profile, you can pre-approve apps’ access to system services like the camera, microphone, and file systems, eliminating the need for manual user approval and simplifying your deployment process.

How PPPC and TCC Controls Work

Due to Apple’s privacy requirements, Camera, Microphone, and Screen Recording access will always require user interaction to approve.
Apple’s PPPC payload allows you to configure Transparency, Consent, and Control (TCC) settings, which are crucial for safeguarding user information. PPPC profiles give administrators the ability to pre-approve or deny app access to system services like the camera, microphone, and file systems. Admins create these profiles using XML files that specify each app’s permissions, bundle IDs, and code requirements. Once created, these profiles are deployed via MDM, which applies the settings to enrolled macOS devices. For more information about PPPC payloads and their capabilities, see Apple’s Privacy Preferences Policy Control documentation.

Considerations

Once you’ve configured permissions through a PPPC profile, they’re managed by the system and won’t show up in System Settings. Users can’t change these settings on their own, and there’s no way to bypass macOS’s PPPC protections.

Determining Which Apps Need a Privacy Profile

To determine if your app needs additional privacy permissions, follow these steps:
1. Install and launch the app

Install your app on a test device or a macOS virtual machine. Launch the app and pay attention to any UI dialogues that appear, such as those requesting access to accessibility features or the Downloads folder.

2. Open System Settings

Navigate to System Settings and click on Privacy & Security.

3. Check app permissions

Select an option on the right-hand side, like Accessibility. If your app is listed here, it indicates that the app requires this PPPC permission.

4. Get the app path

Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.

Determine the Identifier and Code Requirement

To create a PPPC profile, you need to know the application’s code requirement and identifier. This information can easily be collected using Terminal on a Mac with the application installed.
1. Launch Terminal

Launch Terminal on a macOS device on which the application is installed.

2. Run codesign command

Run the following command, replacing /Applications/zoom.us.app with the path to your application:

    codesign -dr - "/Applications/zoom.us.app"

3. Copy the code requirement and identifier

When the output appears, copy all text after the => characters; do not copy any leading or trailing spaces. This text is the Code Requirement. The quoted value in the first part of the code requirement, e.g. “us.zoom.xos”, is the Identifier.

Configuring a Privacy Profile using Iru

Privacy settings deployed via MDM will not appear in the graphical user interface in System Settings.
With your application information collected, you can create a Privacy profile in the Iru Web App.
1. Create the Library Item

Follow the steps in Managing Library to create a Privacy Library Item.

2. Select Blueprints

Select your desired Blueprints.

3. Set identifier type

If your output includes an identifier in the first part of the code requirement, leave the Identifier type set to Bundle ID; otherwise, select Path.

4. Enter identifier or path

Paste in the identifier found in the first part of the code requirement. If you selected Path above, input the path for the profile.

5. Paste code requirement

Paste in the full code requirement that you copied from Terminal. Ensure that there are no leading or trailing spaces in the code requirement; unnecessary characters can prevent the profile from deploying.

6. Validate code requirement (optional)

Optionally, check the Statically validate the code requirement box. This option is used only if the process invalidates its dynamic code signature.

7. Select app or service

Select an option from the App or Service dropdown. This selection depends on the application’s requirements. For more information, refer to the Determining Which Apps Need a Privacy Profile section of this guide.

8. Add additional apps (optional)

If needed, you can add additional app access to a PPPC profile by clicking Add app access.

9. Save the profile

Click Save in the bottom right corner.
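
The codesign step and the identifier-type rule above, combined in an added example (not Iru's or Apple's code): it parses `codesign -dr -` output, trims it, picks Bundle ID or Path, and prints the per-app dictionary using key names from Apple's PPPC payload. The sample output and the EXAMPLETEAM value are constructed, and StaticCode is assumed false (the static validation box left unchecked).

```shell
#!/bin/sh
# Added example. SAMPLE is constructed output in the shape `codesign -dr -`
# prints; EXAMPLETEAM is a placeholder, not a real team ID.
SAMPLE='Executable=/Applications/zoom.us.app/Contents/MacOS/zoom.us
designated => identifier "us.zoom.xos" and anchor apple generic and certificate leaf[subject.OU] = EXAMPLETEAM'

# Text after "=>" on the designated line, with leading/trailing whitespace
# stripped (the page warns that stray spaces can stop the profile deploying).
pppc_requirement() {
  sed -n 's/^.*designated => //p' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Bundle ID when the requirement opens with an identifier clause, else Path.
pppc_identifier_type() {
  case $1 in
    'identifier "'*) echo bundleID ;;
    *)               echo path ;;
  esac
}

# $1 = requirement, $2 = path to use when the type is Path.
pppc_identifier() {
  case $1 in
    'identifier "'*) printf '%s\n' "$1" | sed 's/^identifier "\([^"]*\)".*/\1/' ;;
    *)               printf '%s\n' "$2" ;;
  esac
}

# Escape characters that are not allowed raw inside an XML <string>.
xml_escape() { sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# stdin = codesign output, $1 = app path. Prints one per-app dictionary for a
# Services array (e.g. Accessibility); fails if no requirement is present.
pppc_entry() {
  req=$(pppc_requirement)
  [ -n "$req" ] || { echo "no designated requirement (unsigned code?)" >&2; return 1; }
  cat <<EOF
<dict>
  <key>Identifier</key><string>$(pppc_identifier "$req" "$1" | xml_escape)</string>
  <key>IdentifierType</key><string>$(pppc_identifier_type "$req")</string>
  <key>CodeRequirement</key><string>$(printf '%s\n' "$req" | xml_escape)</string>
  <key>StaticCode</key><false/>
  <key>Authorization</key><string>Allow</string>
</dict>
EOF
}

# On a Mac: codesign -dr - "/Applications/zoom.us.app" 2>/dev/null | pppc_entry ...
printf '%s\n' "$SAMPLE" | pppc_entry "/Applications/zoom.us.app"
```

Comparing the printed CodeRequirement with the value stored in the profile after each app update catches a requirement that has changed.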

Verifying Your PPPC Profile

To verify that your PPPC profile is working correctly:
1. Open System Information

Open System Information on the target Mac computer.

2. Select Profiles

Select Profiles from the left-hand column.

3. Locate PPPC profile

Locate your profile containing the PPPC payload.

4. Expand profile details

Click the disclosure triangle next to the profile name.

5. Verify TCC policy

Look for the com.apple.TCC.configuration-profile-policy entry. This confirms that the profile is actively managing TCC permissions on the device.

Troubleshooting

1. Verify code requirement

Double-check that the code requirement was copied correctly with no leading or trailing spaces. Re-run the codesign -dr - command to verify the code requirement matches what’s in your profile.

2. Check identifier type

Verify you selected the correct identifier type (Bundle ID or Path) and that the identifier matches exactly what was returned from the codesign command.

3. Verify application approval

Confirm the application is included in the approved applications list in your PPPC profile.

4. Check service permissions

Verify the correct service permissions are configured for the application. For example, if an app needs screen recording access, ensure “Screen Recording” is selected in the App or Service dropdown.

5. Use TCC log stream

If you’re still seeing permission prompts, use this command in Terminal to identify which app or binary is requesting access:

    log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

This shows real-time TCC permission requests and can help identify the exact app or binary that needs to be added to your PPPC profile.

1. Test application functionality

In System Settings > Privacy & Security, sliders for certain permissions may appear grayed out even when the app has the necessary permissions. This is a visual quirk and doesn’t necessarily indicate a problem. Test the application’s functionality to confirm it’s working properly.

2. Verify profile is active

Confirm the PPPC profile is installed and active on the device by checking System Information > Profiles.

1. Verify code requirement format

Ensure the code requirement doesn’t have any leading or trailing spaces. Even a single space can prevent the profile from working correctly.

2. Re-verify code requirement

If an app was updated, the code requirement may have changed. Re-run the codesign command to get the updated code requirement and update your PPPC profile accordingly.

3. Check static validation

If you’re using the “Statically validate the code requirement” option, ensure it’s only enabled when the process invalidates its dynamic code signature. Most apps don’t need this option enabled.