Privacy Preferences Policy Control MDM payload settings for Apple devices
You can configure Privacy Preferences Policy Control payload settings on Mac computers enrolled in a mobile device management (MDM) solution to manage the settings in the Privacy pane of Security & Privacy preferences. If there is more than one payload of this type, the more restrictive settings are used. Applying this payload using MDM requires supervision.
The Privacy Preferences Policy Control payload supports the following. For more information, see Payload information.
Supported approval method: Requires user approval.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.TCC.configuration-profile-policy
Supported operating systems and channels: macOS device.
Supported enrolment types: Device Enrolment, Automated Device Enrolment.
Duplicates allowed: True — more than one Privacy Preferences Policy Control payload can be delivered to a device.
You can use the settings in the tables below with the Privacy Preferences payload.
General settings
Setting | Description | Required
---|---|---
Accessibility | Allows specified apps to control the Mac via Accessibility APIs. | No
AppleEvents | Allows specified apps to send a restricted AppleEvent to another process. | No
Bluetooth | Allows a specified app to access Bluetooth devices. | No
Calendar | Allows specified apps access to event information managed by Calendar. | No
Camera | Denies specified apps access to the camera. This payload can only deny camera access, not grant it. | No
Contacts | Allows specified apps access to contact information managed by Contacts. | No
Desktop Folder | Allows specified apps access to the Desktop folder. | No
Documents Folder | Allows specified apps access to the Documents folder. | No
Downloads Folder | Allows specified apps access to the Downloads folder. | No
Input devices | Sets which approved apps have the specified access to input devices (mouse, keyboard, trackpad). | No
Media library | Allows specified apps access to Apple Music, music and video activity, and the media library. | No
Microphone | Denies specified apps access to the microphone. This payload can only deny microphone access, not grant it. | No
Network volumes | Allows specified apps access to files on network volumes. | No
Photos | Allows specified apps access to images managed by the Photos app in /Users/username/Pictures/Photos Library. Note: if the user has moved their photo library somewhere else, this setting doesn’t protect it from apps. | No
Post Event | Allows specified apps to use CoreGraphics APIs to send CGEvents to the system event stream. | No
Reminders | Allows specified apps access to information managed by Reminders. | No
Removable volumes | Allows specified apps access to files on removable volumes. | No
Screen recording | Denies specified apps access to capture (read) the contents of the system display. For more information, see the Allow screen recording for an app payload example. | No
Speech recognition | Allows specified apps to use the system Speech Recognition feature and to send speech data to Apple. | No
System Policy All Files | Allows specified apps access to data such as Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the Mac. | No
System Policy administrator files | Allows specified apps access to some files used by system administrators. | No
Custom MDM payload settings for Apple devices
To allow or deny an app or binary access to one of the privacy classes of data, you can create a custom payload. The payload must provide the following:
Requirement | Description | Example
---|---|---
The type of identifier | Specify either bundle ID or file path. | Bundle ID
Identifier name or file path | Specify the bundle ID or the actual file path. | Bundle ID: com.MyOrganization.AppName; File path: /Applications/AppName
Allow or deny | Specify whether the app is allowed or denied access. | Allow: True; Deny: False
The code signing requirement | Specify the actual code signing requirement string. To get the value, open the Terminal app and run the following command: Note: Apps and binaries not provided by Apple may have much longer designated requirements. Everything after “designated =>” should be included in your profile. | App: Binary:
Comment | Add an optional comment. | Allows my organisation’s app to interact with all files without prompting the user.
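The following script ties the table above together: it pulls the designated requirement out of `codesign -dr -` output (keeping everything after “designated =>”), assembles the per-app entries into a com.apple.TCC.configuration-profile-policy payload, refuses an entry that tries to allow a deny-only service (camera, microphone, screen recording), and shows how the “more restrictive payload wins” rule from the top of this page plays out when two payloads disagree about the same app. This is an added example written for this page, not Apple’s code and not any MDM vendor’s. The dictionary key names (Services, Identifier, IdentifierType, CodeRequirement, Allowed, Comment) and the service names (SystemPolicyAllFiles, Camera, Microphone, ScreenCapture) follow the payload format as the author understands it; the bundle ID com.MyOrganization.AppName, the organisation name and the sample codesign output are constructed for the example.

```python
"""Build and sanity-check a Privacy Preferences Policy Control (PPPC) custom payload.

Added example for this page; it is not Apple's code and not any MDM vendor's.
Key names (Services, Identifier, IdentifierType, CodeRequirement, Allowed,
Comment) and service names (SystemPolicyAllFiles, Camera, Microphone,
ScreenCapture) follow the com.apple.TCC.configuration-profile-policy payload
as the author understands it. The bundle ID, organisation name and the
sample codesign output below are constructed assumptions, not real data.
"""
import plistlib
import re
import subprocess
import uuid

# Services this page says MDM can only deny (camera, microphone, screen
# recording). An entry with Allowed=True for one of these is a profile error.
DENY_ONLY_SERVICES = {"Camera", "Microphone", "ScreenCapture"}

# Constructed sample of `codesign -dr - /Applications/AppName.app` output;
# not captured from a real binary.
SAMPLE_CODESIGN_OUTPUT = (
    "Executable=/Applications/AppName.app/Contents/MacOS/AppName\n"
    'designated => identifier "com.MyOrganization.AppName" and anchor apple generic '
    "and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ "
    "and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ "
    "and certificate leaf[subject.OU] = ABCDE12345\n"
)


def designated_requirement(codesign_output: str) -> str:
    """Return everything after 'designated =>' in codesign -dr - output."""
    for line in codesign_output.splitlines():
        m = re.match(r"\s*designated\s*=>\s*(.+?)\s*$", line)
        if m:
            return m.group(1)
    raise ValueError("no 'designated =>' line found in codesign output")


def requirement_for(app_path: str) -> str:
    """macOS only: run codesign on a real app or binary and extract its requirement.

    codesign writes the -d details to stderr and the -r requirement to stdout,
    so both streams are combined before parsing.
    """
    proc = subprocess.run(["codesign", "-dr", "-", app_path],
                          capture_output=True, text=True, check=True)
    return designated_requirement(proc.stdout + proc.stderr)


def pppc_entry(identifier, code_requirement, allowed=True,
               identifier_type="bundleID", comment=""):
    """One app/binary entry for a service array; IdentifierType is bundleID or path."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement, "Allowed": bool(allowed),
            "Comment": comment}


def validate_services(services: dict) -> list:
    """Return a list of problems; an empty list means the Services dict looks sane."""
    problems = []
    for service, entries in services.items():
        for e in entries:
            if service in DENY_ONLY_SERVICES and e["Allowed"]:
                problems.append(f"{service}: {e['Identifier']} cannot be allowed, only denied")
            if not e["CodeRequirement"].strip():
                problems.append(f"{service}: {e['Identifier']} has an empty CodeRequirement")
    return problems


def merge_services(*service_dicts: dict) -> dict:
    """Combine Services from several payloads the way this page says macOS does:
    when the same app appears in more than one payload, the more restrictive
    decision (deny) wins. Inputs are copied, not modified."""
    merged = {}
    for services in service_dicts:
        for service, entries in services.items():
            bucket = merged.setdefault(service, {})
            for e in entries:
                key = (e["IdentifierType"], e["Identifier"])
                if key in bucket:
                    bucket[key]["Allowed"] = bucket[key]["Allowed"] and e["Allowed"]
                else:
                    bucket[key] = dict(e)
    return {s: list(b.values()) for s, b in merged.items()}


def profile_xml(services: dict, org: str = "MyOrganization") -> bytes:
    """Wrap a Services dict in a complete configuration profile (XML plist)."""
    tcc = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
           "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper(),
           "PayloadIdentifier": f"com.{org}.pppc.tcc",
           "PayloadDisplayName": "Privacy Preferences Policy Control",
           "Services": services}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadIdentifier": f"com.{org}.pppc", "PayloadScope": "System",
               "PayloadDisplayName": "PPPC - AppName", "PayloadContent": [tcc]}
    return plistlib.dumps(profile)


def load_profile(xml_bytes: bytes) -> dict:
    """Parse a profile back into a dict (used to check what was written)."""
    return plistlib.loads(xml_bytes)


if __name__ == "__main__":
    req = designated_requirement(SAMPLE_CODESIGN_OUTPUT)
    services = {"SystemPolicyAllFiles": [pppc_entry(
        "com.MyOrganization.AppName", req, allowed=True,
        comment="Allows my organisation's app to interact with all files without prompting the user.")]}
    assert not validate_services(services)
    print(profile_xml(services).decode())
```

On a Mac, replace the constructed sample with `requirement_for("/Applications/AppName.app")` to read the real designated requirement; the script otherwise runs anywhere, which makes it usable in CI to lint profiles before they reach the MDM. The merge function only models the deny-beats-allow rule stated on this page for entries that name the same app; how your MDM actually orders or combines payloads is vendor-specific, as the note at the end of the page says.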
To view a complete example of this custom payload, see Privacy Preferences Policy Control custom payload examples. After you’ve built and deployed your custom payload, if users still see consent prompts, you can use the following command to identify, in real time, the app or binary that is actually being attributed the access request (which may differ from the one you expected to allow):
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
Note: Each MDM vendor implements these settings differently. To learn how Privacy Preferences Policy Control settings are applied to your devices, consult your MDM vendor’s documentation.