Privacy Preferences Policy Control MDM payload settings for Apple devices
You can configure Privacy Preferences Policy Control payload settings on Mac computers enrolled in a mobile device management (MDM) solution to manage the settings in the Privacy pane of Security & Privacy preferences. If there is more than one payload of this type, the more restrictive settings are used. Applying this payload using MDM requires supervision.
The Privacy Preferences Policy Control payload supports the following. For more information, see Payload information.
Supported approval method: Requires user approval.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.TCC.configuration-profile-policy
Supported operating systems and channels: macOS device.
Supported enrolment types: Device Enrolment, Automated Device Enrolment.
Duplicates allowed: True — more than one Privacy Preferences Policy Control payload can be delivered to a device.
You can use the settings in the tables below with the Privacy Preferences payload.
Allows specified apps to control the Mac via Accessibility APIs.
Allows specified apps to send a restricted AppleEvent to another process.
Allows specified apps access to event information managed by Calendar.
Use to deny specified apps access to the camera.
Allows specified apps access to contact information managed by Contacts.
Allows specified apps access to the Desktop folder.
Allows specified apps access to the Documents folder.
Allows specified apps access to the Downloads folder.
File Provider presence
Allows specified File Provider apps access to know when the user is using files managed by the File Provider.
Set which approved apps have specified access to input devices (mouse, keyboard, trackpad).
Allows specified apps access to Apple Music, music and video activity, and the media library.
Deny specified apps access to the microphone.
Allows specified apps access to files on network volumes.
Allows specified apps access to images managed by the Photos app in:
Note: If the user put their photo library somewhere else, it won’t be protected from apps.
Allows specified apps to use CoreGraphics APIs to send CGEvents to the system event stream.
Allows specified apps access to information managed by Reminders.
Allows specified apps access to files on removable volumes.
Deny specified apps access to capture (read) the contents of the system display.
For more information, see the Allow screen recording for an app payload example.
Allows specified apps to use the system Speech Recognition feature and to send speech data to Apple.
System Policy All Files
Allows specified apps access to data like Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the Mac.
System Policy administrator files
Allows specified apps access to some files used by system administrators.
Custom MDM payload settings for Apple devices
To allow or deny an app or binary access to one of the privacy classes of data, you can create a custom payload; it must meet the following requirements:
The type of identifier
Specify either bundle ID or file path.
Identifier name or file path
Specify the bundle ID name or the actual file path.
Bundle ID: com.MyOrganization.AppName
File path: /Applications/AppName
Allow or deny
Specify whether the app is allowed or denied access.
The code signing requirement
Specify the actual code signing value. To get the value, open the Terminal app and run the following command:
Note: Apps and binaries not provided by Apple may have much longer designated requirements. Everything after “designated =>” should be included in your profile.
Add an optional comment.
Allows my organisation’s app to interact with all files without prompting the user.
To view a complete example of this custom payload, see Privacy Preferences Policy Control custom payload examples. After you’ve built and deployed your custom payload, if you still see dialogue prompts, you can use the following command to identify, in real time, the app or binary responsible for the prompt (the one you’re attempting to allow access for):
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
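As an added illustration (not from this page and not Apple’s tooling), the following Python script assembles the custom payload from the fields listed above: it takes the designated requirement from constructed sample `codesign -dr -` output, checks that only the text after “designated =>” is used as the code signing requirement, and writes a device-scoped profile carrying the com.apple.TCC.configuration-profile-policy payload. The Services, Identifier, IdentifierType, CodeRequirement, Allowed and Comment key names follow Apple’s PPPC payload schema; the sample app, team identifier and organisation prefix are assumptions.

```python
import plistlib
import uuid

# Constructed sample of `codesign -dr - /Applications/AppName.app` output (not real).
SAMPLE_CODESIGN_OUTPUT = (
    "Executable=/Applications/AppName.app/Contents/MacOS/AppName\n"
    'designated => identifier "com.MyOrganization.AppName" and anchor apple generic '
    'and certificate leaf[subject.OU] = "TEAMID0000"\n'
)

def designated_requirement(codesign_output: str) -> str:
    """Return the text after 'designated =>', which is the CodeRequirement value."""
    marker = "designated => "
    for line in codesign_output.splitlines():
        if line.startswith(marker):
            return line[len(marker):].strip()
    raise ValueError("no 'designated =>' line in codesign output")

def tcc_entry(identifier, identifier_type, code_requirement, allowed, comment=""):
    """One Services entry: a bundle ID or absolute path, its designated requirement,
    and the allow/deny decision (Allowed; macOS 11+ also accepts an Authorization string)."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    if identifier_type == "path" and not identifier.startswith("/"):
        raise ValueError("path identifiers must be absolute")
    if not code_requirement or "designated" in code_requirement:
        raise ValueError("CodeRequirement is only the text after 'designated =>'")
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement, "Allowed": allowed, "Comment": comment}

def build_pppc_profile(services: dict, org_prefix: str, name: str) -> bytes:
    """Wrap Services in a PPPC payload inside a device-scoped profile; return XML plist."""
    payload = {"PayloadType": "com.apple.TCC.configuration-profile-policy",
               "PayloadIdentifier": f"{org_prefix}.pppc", "PayloadVersion": 1,
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadDisplayName": name,
               "Services": services}
    profile = {"PayloadType": "Configuration", "PayloadIdentifier": org_prefix,
               "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
               "PayloadDisplayName": name, "PayloadScope": "System",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

if __name__ == "__main__":
    req = designated_requirement(SAMPLE_CODESIGN_OUTPUT)
    entry = tcc_entry("com.MyOrganization.AppName", "bundleID", req, True,
                      "Allows my organisation's app to interact with all files without prompting")
    print(build_pppc_profile({"SystemPolicyAllFiles": [entry]},
                             "com.MyOrganization", "PPPC - AppName").decode())
```

Deliver the resulting .mobileconfig through your MDM solution; installing it manually does not satisfy the supervision requirement stated above.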
Note: Each MDM vendor implements these settings differently. To learn how Privacy Preferences Policy Control settings are applied to your devices, consult your MDM vendor’s documentation.