How to configure Privacy Preferences profile (PPPC / TCC) in SimpleMDM

SimpleMDM Favicon
Eric McCann|October 13, 2022
Stylized product illustration
Stylized product illustration

Privacy Preferences profiles (also known as PPPCs) configure your Transparency Consent and Control (TCC) settings, protect user data, and secure devices — but in enterprise settings, they can slow users down. Luckily, SimpleMDM lets you manage PPPCs so that security won’t hamper your workforce.

In this article, we’ll walk through TCC settings, Privacy Preferences profiles, and how to configure both with SimpleMDM.

What is TCC?

TCC stands for Transparency Consent and Control. TCC is a mechanism of macOS’s security model that helps protect users’ data and privacy by restricting applications and processes from accessing features like the camera, microphone, file systems, etc. You might be familiar with prompts to grant apps these permissions, like this one:

Example of an accessibility access prompt on MacOS

How does TCC work?

TCC protects the user’s privacy and security. It ensures that apps and processes running on your Mac can’t get access to other system resources that may contain data or functionalities that they should not have. It ensures that the user is aware of the app requesting access, and it requires the user to manually grant these permissions to the app via System Preferences > Security & Privacy.

Example of the Security & Privacy section on the System Preferences panel

From a security and privacy standpoint, TCC is generally a very positive thing — it provides end users with insight and control over which apps have access to system services and data. However, in an enterprise environment, this step can prove troublesome to manage, especially when the apps are preapproved by the IT team and deployed via an MDM service for business use.

Here’s an example: Many of us have been on a video call at some point and have witnessed someone run into an issue where they are unable to share their video, audio, or screen because they had not yet approved the virtual meeting application to have access to one of these services. TCC settings can be an additional hurdle to getting a device to a state where it is truly “ready for work” for an end user.

What is PPPC, and how does it work?

Enter PPPC, which stands for Privacy Preferences Policy Control. In short, PPPC is the configuration profile used to manage TCC settings. In SimpleMDM, PPPC is referred to as the Privacy Preferences profile. This profile allows an admin to preapprove applications’ access to various system services so that the end user doesn’t have to do it manually.

How to create and deploy a Privacy Preferences profile with SimpleMDM

Configure identifying information

First, go to the Profiles section of SimpleMDM and create a new profile.

Image of the "Create Profile" button in the SimpleMDM Profiles section

Then select “Privacy Preferences” and save.

Image of the "Privacy Preference" link on the "Create Profile" menu in SimpleMDM
Image of the "Save" button in the New Privacy Preference panel of the SimpleMDM Profiles section

Next, click “Add App Identity” — this is how you add apps to approve permissions.

Image of the "Add App Identity" button in the Privacy Preference panel of the SimpleMDM Profiles section

To add an app identity, you’ll either need to specify the app bundle ID or the app file path. If the app is in your SimpleMDM account’s Catalog, you may be able to find the bundle ID under the App Details. Otherwise, you can run this command in Terminal on a Mac with the app installed to get the bundle ID:

  • Input: osascript -e ‘id of app “name_of_app”’

Let’s use the Sonos app as an example:

  • Input: osascript -e ‘id of app “Sonos.app”’

  • Output: com.sonos.macController2

The next step is to obtain the Code Requirement, or code signature on macOS, for the application. You can obtain it by running the following command in Terminal:

  • codesign -display -r – [path_to_app]

For the Sonos app:

  • Input: codesign –display -r - /Applications/Sonos.app

  • Output: Executable=/Applications/Sonos.app/Contents/MacOS/Sonos designated => identifier “com.sonos.macController” and anchor apple generic

All we need for the code requirement is the part following “designated =>”, so we’ll enter this:

  • identifier "com.sonos.macController" and anchor apple generic

As a result, our profile should look like this:

Example Privacy Identity profile in SimpleMDM

Configure Access Permissions

The next part of the profile is the Access Permissions section. This section allows us to control which system services, files, and resources the app has access to. In our example, the Sonos app only needs Accessibility access, so we’ll configure the permissions like so:

Image of the Access Permission section within SimpleMDM

Looking at these Access Permissions options, there are a few things worth mentioning:

  • Camera and Microphone access cannot be granted remotely — Apple requires access to these services to be manually approved by the user. Apple enforces this intentionally to protect users’ privacy.

  • Screen Capture (used for screen sharing, remote screen control, etc.) and Listen Events cannot be forcefully approved via this profile, but standard user accounts can approve access. Traditionally, a user would need admin credentials to approve this without the Privacy Preferences profile present.

  • Many antivirus/antimalware services, EDRs, etc., frequently require “Access all files” permissions to be allowed.

  • It is not uncommon for apps to require access to the “Downloads” folder — for example, Zoom may save recorded meetings to the Downloads folder by default and require this access, or Slack saves downloads automatically to this folder. To do this, they must be granted access.

After you have configured all the app identities and access permissions that you need, save the profile and assign it to your device group in SimpleMDM. Once the profile has been applied, these settings will be automatically configured under System Preferences > Security & Privacy.

Note: Sometimes the permissions don’t appear in the System Preferences > Security & Privacy UI right away — but as long as the profile was configured correctly and installed successfully, the settings should take effect immediately (even if they take a little while to show up).

When to use a Privacy Preferences profile

Still not sure when you should use a Privacy Preferences profile? To find that out, first identify which applications are required for your users, along with the system services that those apps need access to. If they are preapproved or automatically installed apps that require additional access, it’s likely worth having a Privacy Preferences profile in place to configure those settings.

If an unapproved app or an app you are not aware of is requesting access, you may want to run it by your team to ensure the access it’s asking for is actually necessary.

For more information on the Privacy Preferences Policy Control profile that Apple offers, see Apple’s guide to PPPC settings.

SimpleMDM Favicon
Eric McCann

Eric McCann is a product manager for SimpleMDM.

Related articles