Privacy Preferences Policy Control MDM payload settings for Apple devices
You can configure Privacy Preferences Policy Control payload settings on Mac computers enrolled in a mobile device management (MDM) solution to manage the settings in the Privacy tab of the Security and Privacy preferences pane. If there is more than one payload of this type, the more restrictive settings are used. This payload must be user approved.
OS and channel
Supported enrollment types
Allows specified apps to control the Mac via Accessibility APIs.
Allows specified apps to send a restricted AppleEvent to another process.
Allows specified apps access to event information managed by Calendar.
Use to deny specified apps access to the camera.
Allows specified apps access to contact information managed by Contacts.
Allows specified apps access to the Desktop folder.
Allows specified apps access to the Documents folder.
Allows specified apps access to the Downloads folder.
File Provider presence
Allows specified File Provider apps access to know when the user is using files managed by the File Provider.
Set which approved apps have specified access to input devices (mouse, keyboard, trackpad).
Allows specified apps access to access Apple Music, music and video activity, and the media library.
Deny specified apps access to the microphone.
Allows specified apps access to files on network volumes.
Allows specified apps access to images managed by the Photos app in:
Note: If the user put their photo library somewhere else, it won’t be protected from apps.
Allows specified apps to use CoreGraphics APIs to send CGEvents to the system event stream.
Allows specified apps access to information managed by Reminders.
Allows specified apps access to files on removable volumes.
Deny specified apps access to capture (read) the contents of the system display.
Allows specified apps to use the system Speech Recognition feature and to send speech data to Apple.
System Policy All Files
Allows specified apps access to data like Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the Mac.
System Policy administrator files
Allows specified apps access to some files used by system administrators.
Custom MDM payload settings for Apple devices
To allow or disallow an app or binary to access one of the privacy classes of data, you can create a custom payload and must include the following requirements:
The type of identifier
Specify either bundle ID or file path.
Identifier name or file path
The bundle ID name or the actual file path.
Bundle ID: com.MyOrganization.AppName
File path: /Applications/AppName
Allow or deny
Specify whether the app is allowed or denied access.
The code signing requirement
The actual code signing value. To get the value, open the Terminal app and run the following command:
Note: Apps and binaries not provided by Apple may have much longer designated requirements. Everything after “designated =>” should be included in your profile.
Add an optional comment.
Allows my organization’s app to interact with all files without prompting the user.
To view a complete example of this custom payload, see Privacy Preferences Policy Control custom payload example. After you’ve built and deployed your custom payload, if you’re still seeing dialog prompts, you can use the following command to try to identify—in real-time—the responsible app or binary that you’re attempting to allow access to:
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'