Add more information to packages in Apple Business Essentials
You can add more information to your package in Apple Business Essentials. This includes adding a description, system extensions, and privacy policy permissions.
Note: If you have to change any of the settings below, you don’t need to create a new package.
Add a version number
You can add the version number of the application that users see in their Apple Business Essentials app on their Mac.
Add an icon
You can add an icon for the package that users see in their Apple Business Essentials app on their Mac. The icon must be:
An .icns, .jpeg, or .png file.
No larger than 1024 X 1024 pixels.
Under 10 MB in size.
Add a description
You can add a short description that users see in their Apple Business Essentials app on their Mac. For example, this description may include initial instructions on how to configure the application for use in your organization. Descriptions are limited to 300 characters.
Add a system extension
System extensions allow an app additional capabilities, such as network extensions or endpoint security solutions, to extend the functionality of macOS without requiring kernel-level access. When users install applications that have system extensions, they are prompted to enter a local administrator user name and password to approve the extension. Using Apple Business Essentials, you can install these extensions on users’ Mac computers without having users approve each extension. You can approve more than one system extension per package. Before you can approve system extensions in your package, you must know the team ID (a unique value for the extension) and the bundle ID for the extension. A system extension can have more than one bundle ID. If you can’t locate these IDs, contact the application developer.
Add privacy preference permissions
macOS has built-in privacy permissions that restrict what folders and features applications and scripts can access. Using Apple Business Essentials, you can specify permissions related to your package’s applications on behalf of your users. Before you choose permissions to specify for an application you must know either the bundle ID of the application or the path to where the application will be installed. You’ll also need the code signature for the application. The code signature helps identify a specific application or binary and ensures that no one has tampered with it. See Generate a Code Signature.
You can then select the permission (allow or deny) you want to specify for each of the settings in the table below. Some settings can only be set to deny.
Setting | Description | Permission
---|---|---
Accessibility | Allows specified apps to control the Mac through accessibility APIs. | Allow, Deny
AppleEvents | Allows specified apps to send a restricted AppleEvent to another process. | Allow, Deny
Calendars | Allows specified apps access to event information managed by Calendar. | Allow, Deny
Camera | Use to deny specified apps access to the camera. | Deny
Contacts | Allows specified apps access to contact information managed by Contacts. | Allow, Deny
Desktop Folder | Allows specified apps access to the Desktop folder. | Allow, Deny
Documents Folder | Allows specified apps access to the Documents folder. | Allow, Deny
Downloads Folder | Allows specified apps access to the Downloads folder. | Allow, Deny
File Provider | Allows specified File Provider apps access to know when the user is using files managed by the File Provider. | Allow, Deny
Input Monitoring | Sets which approved apps have specified access to input devices (mouse, keyboard, trackpad). | Deny
Media Library | Allows specified apps access to Apple Music, music and video activity, and the media library. | Allow, Deny
Microphone | Denies specified apps access to the microphone. | Deny
Network Volumes | Allows specified apps access to files on network volumes. | Allow, Deny
Photos | Allows specified apps access to images managed by the Photos app, in /Users/[YourShortUserName]/Pictures/Photos Library. Note: If the user put their photo library somewhere else, it won’t be protected from apps. | Allow, Deny
Post Event | Allows specified apps to use Core Graphics APIs to send CGEvents to the system event stream. | Allow, Deny
Reminders | Allows specified apps access to information managed by Reminders. | Allow, Deny
Removable Volumes | Allows specified apps access to files on removable volumes. | Allow, Deny
Screen Recording | Denies specified apps access to capture (read) the contents of the system display. | Deny
Speech Recognition | Allows specified apps to use the system Speech Recognition feature and send speech data to Apple. | Allow, Deny
System Policy Administrator Files | Allows specified apps access to some files used by system administrators. | Allow, Deny
System Policy All Files | Allows specified apps to access data in apps such as Mail, Messages, Safari, Home, and Time Machine backups, and to access certain administrative settings for all users on the Mac. | Allow, Deny
Apple event receivers
In some cases, an application may need to make requests of another application by sending it an Apple event. For example, an application may need the Finder to open a file in that file’s native application before the requesting application can edit it. An application needs permission for each receiving application that it will send events to. When granting this permission to an application, you may allow one or more receiving applications; each one must be specified by its own bundle ID or path and code signature. These are the same attributes you would use if you were to specify a privacy permission for the receiving application, and these attributes can be discovered using the same methods.
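The system extension, privacy permission, and Apple event receiver sections above all need the same inputs: bundle ID, team ID, and code signature. The following added example (not part of Apple's documentation) pulls them out of `codesign` output, assuming the code signature in question is the designated requirement printed by `codesign -dr -`; the sample output, `com.example.app`, and `ABCDE12345` are constructed placeholders.

```shell
#!/bin/sh
# Added example: extract the identifiers needed for a package from codesign
# output. SAMPLE_* values are constructed so the script also runs off-Mac.

# Constructed sample of `codesign -dv <app>` output (macOS writes it to stderr).
SAMPLE_DV='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'

# Constructed sample of `codesign -dr - <app>` output.
SAMPLE_DR='designated => identifier "com.example.app" and anchor apple generic and certificate leaf[subject.OU] = ABCDE12345'

# sig_field NAME: print the value of the first "NAME=value" line on stdin.
sig_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# designated_requirement: strip the "designated => " prefix from stdin.
designated_requirement() {
    sed -n 's/^designated => //p' | head -n 1
}

# describe DV_TEXT DR_TEXT: print the three values, or fail when there is no
# team ID to approve (unsigned or ad hoc signed code).
describe() {
    bundle_id=$(printf '%s\n' "$1" | sig_field Identifier)
    team_id=$(printf '%s\n' "$1" | sig_field TeamIdentifier)
    requirement=$(printf '%s\n' "$2" | designated_requirement)
    # Ad hoc signed code reports "TeamIdentifier=not set".
    if [ -z "$team_id" ] || [ "$team_id" = "not set" ]; then
        echo "no team ID: code is unsigned or ad hoc signed" >&2
        return 1
    fi
    printf 'bundle_id=%s\nteam_id=%s\ncode_signature=%s\n' \
        "$bundle_id" "$team_id" "$requirement"
}

# With an app path on a Mac, inspect the real bundle; otherwise use the sample.
if [ -n "$1" ] && command -v codesign >/dev/null 2>&1; then
    describe "$(codesign -dv "$1" 2>&1)" "$(codesign -dr - "$1" 2>/dev/null)"
else
    describe "$SAMPLE_DV" "$SAMPLE_DR"
fi
```

Run it against the installed application rather than a copy from another source, so the values you enter describe the binary your users will actually receive.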
Manage login and background items
A package may include items that run when a user logs in to their Mac (or that run in the background). These items can include shell scripts and other files that applications require to function properly. When these items are added to Mac computers running macOS 13 or later, the user is notified, and can disable the items in System Settings > General > Login Items. To prevent users from being able to disable these items, you can provide an identifier for a login or background item. If the identifier matches an item, a user can still see the item, but they can’t remove or disable it. You can choose from one of the following identification types:
Application BundleIdentifier: The bundle identifier of the application to match, which must be an exact match.
Application BundleIdentifierPrefix: The prefix of the bundle identifier of the application to match.
Developer TeamIdentifier: The team identifier from the code signing attributes, which must be an exact match.
Service Label: The value of the launchd .plist Label parameter to match, which must be an exact match.
Service LabelPrefix: The prefix of the launchd .plist Label parameter to match.
Note: Apple Business Essentials automatically prevents disabling of login and background items for any Apps added from the Apps and Books Store.