Privacy Preferences profiles (PPPCs) configure your Transparency, Consent, and Control (TCC) settings, protect user data, and secure devices.
In enterprise settings, manual TCC configurations can slow users down. Fortunately, SimpleMDM lets you manage PPPCs, ensuring security won't impede productivity.
Let's explore TCC settings and Privacy Preferences profiles, with a detailed step-by-step guide to configuring both using SimpleMDM.
What is TCC?
TCC stands for Transparency, Consent, and Control.
TCC is part of macOS’s security model, designed to restrict applications and processes from accessing certain features and user data without explicit permission.
TCC limits access to various features, including:
Camera
Microphone
Screen recording
File systems
Etc.
You've probably seen prompts to grant apps these permissions, like this one:
How does TCC work?
TCC protects the user’s privacy and security.
It ensures that apps and processes running on your Mac cannot access data or functionality they should not have.
TCC also guarantees that the user is always notified when an app requests access and requires the user to grant permission manually via System Settings > Privacy & Security.
Enterprise Challenges with TCC
TCC is a great concept from a security and privacy standpoint. It gives end users insight and control over which apps can access system services and data.
However, in an enterprise environment, TCC prompts can prove troublesome to manage, especially when the apps are preapproved by the IT team and deployed via an MDM service for business use.
Here’s an example:
I'd venture to say that all of us have been on a Zoom call with Mr. "Technology hates me XD" from HR, where they can't share their video, audio, or screen because they have not yet granted Zoom access to these protected resources.
TCC settings can be an additional hurdle to getting a device to a state where it is actually “ready for work” for the average end user.
What is PPPC?
PPPC stands for Privacy Preferences Policy Control. PPPC is the configuration profile used to manage TCC settings.
In SimpleMDM, PPPC is referred to as the Privacy Preference profile. This profile allows an admin to preapprove applications’ access to various system services so that the end user doesn’t have to do it manually.
How to create and deploy a Privacy Preference profile with SimpleMDM
Configure identifying information
1. In SimpleMDM, navigate to Configs > Profiles and click Create Profile.
2. Select Privacy Preference.
3. Click Save.
4. After saving, click Add App Identity (this is how you add apps to approve permissions).
Adding App Identity
For more options and examples, read our blog on How to find the bundle ID for an application
To add an app identity, specify either the app bundle ID or the app file path.
If the app is in your SimpleMDM account’s Catalog, you may be able to find the bundle ID under the App Details.
Otherwise, you can run this command in Terminal (on a Mac with the app already installed on that device) to get the bundle ID:
Input:
osascript -e 'id of app "name_of_app"'
Let’s use the Sonos app as an example:
Input:
osascript -e 'id of app "Sonos.app"'
Output:
com.sonos.macController2
Code Requirement
The next step is to obtain the Code Requirement for the application, which is the designated requirement recorded in its macOS code signature. You can obtain it by running the following command in Terminal:
codesign --display -r - [path_to_app]
For the Sonos app:
Input:
codesign --display -r - /Applications/Sonos.app
Output:
Executable=/Applications/Sonos.app/Contents/MacOS/Sonos
designated => identifier "com.sonos.macController" and anchor apple generic
All we need for the code requirement is the part following “designated =>” so we’ll enter this:
identifier "com.sonos.macController" and anchor apple generic
As a result, our profile should look like this:
Configure Access Permissions
The next part of the profile is the Access Permissions section. This section lets us control which system services, files, and resources the app can access.
In our example, the Sonos app only needs Accessibility access, so we’ll configure the permissions like this:
Access Permissions considerations:
Camera and Microphone access cannot be granted remotely.
Apple requires access to these services to be manually approved by the user.
Apple enforces this intentionally to protect users’ privacy.
Screen Capture (screen sharing, remote screen control, etc.) and Listen Event cannot be forcefully approved via this profile.
Instead, standard user accounts can authorize access with this profile.
Traditionally, a user would need admin credentials to approve this without the Privacy Preferences profile present.
Many antivirus/antimalware services, EDRs, etc., frequently require Access all files permissions to be allowed.
It's common for apps to require access to the Downloads folder.
Downloads folder example:
Zoom may save recorded meetings to the Downloads folder by default and requires this access.
Slack saves downloads automatically to this folder.
To do this, it must be granted access.
After configuring the app identities and access permissions:
Save the profile
Assign it to your device group in SimpleMDM.
Once the profile has been applied, these settings will be automatically configured on your endpoints under System Settings > Privacy & Security.
Note: Sometimes, the permissions don’t appear in the System Settings > Privacy & Security UI right away — but as long as the profile was configured correctly and installed successfully, the settings should take effect immediately (even if they take a little while to show up).
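The settings above, expressed as data: this added example (not SimpleMDM's code and not part of the original guide) pulls the code requirement out of the codesign output, builds an app identity entry, and checks it against the access-permission considerations before serializing it. It assumes the key names of Apple's Privacy Preferences Policy Control payload (Services, Identifier, IdentifierType, CodeRequirement, Authorization); the function names are hypothetical and the sample input is constructed from the Sonos output shown earlier.

```python
import plistlib

# Constructed sample: the codesign output shown above for the Sonos app.
SAMPLE = ('Executable=/Applications/Sonos.app/Contents/MacOS/Sonos\n'
          'designated => identifier "com.sonos.macController" and anchor apple generic\n')

DENY_ONLY = {"Camera", "Microphone"}              # a profile cannot grant these
USER_APPROVED = {"ScreenCapture", "ListenEvent"}  # the user must still approve

def designated_requirement(codesign_output):
    """Return the text following 'designated =>' in codesign output."""
    marker = "designated =>"
    for line in codesign_output.splitlines():
        if marker in line:
            return line.split(marker, 1)[1].strip()
    raise ValueError("no designated requirement found")

def identity(identifier, requirement, authorization):
    """One app identity entry; a leading '/' means a file path, else a bundle ID."""
    return {"Identifier": identifier,
            "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
            "CodeRequirement": requirement,
            "Authorization": authorization}

def lint(services):
    """Flag entries that conflict with the considerations above or lack a code requirement."""
    problems = []
    for service, entries in services.items():
        for entry in entries:
            auth, who = entry["Authorization"], entry["Identifier"]
            if not entry["CodeRequirement"]:
                problems.append(f"{service}/{who}: missing code requirement")
            if service in DENY_ONLY and auth != "Deny":
                problems.append(f"{service}/{who}: cannot be granted by profile")
            if service in USER_APPROVED and auth == "Allow":
                problems.append(f"{service}/{who}: use AllowStandardUserToSetSystemService")
    return problems

def tcc_payload(services):
    """Serialize the Services dictionary as an XML plist payload fragment."""
    if lint(services):
        raise ValueError("; ".join(lint(services)))
    return plistlib.dumps({"PayloadType": "com.apple.TCC.configuration-profile-policy",
                           "Services": services})

if __name__ == "__main__":
    req = designated_requirement(SAMPLE)
    sonos = {"Accessibility": [identity("com.sonos.macController2", req, "Allow")]}
    print(tcc_payload(sonos).decode())
```

The output is only the privacy payload fragment, not a complete installable profile; SimpleMDM produces the profile itself from the fields entered in the steps above.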
When to use a Privacy Preferences profile
Still unsure when you should use a Privacy Preferences profile?
Identify which applications your users need access to and which system services those apps require.
If they are preapproved or automatically installed apps requiring additional access, it’s likely worth having a Privacy Preferences profile to configure those settings.
If an unapproved app or app you are unaware of is requesting access, you should run it by your team to ensure it is necessary.
For more information on Apple's Privacy Preferences Policy Control profile, see Apple’s guide to PPPC settings.
Ready for the next profile challenge after PPPCs? Learn how to use custom configuration profiles with custom attributes.
Unlock the potential of your macOS devices without compromising security. With a free 30-day trial of SimpleMDM, you can manage your TCC settings and streamline your workforce with Privacy Preference profiles so that you have more time to do.... absolutely nothing. 😎