
Privacy Preferences Policy Control MDM payload settings for Apple devices
You can configure Privacy Preferences Policy Control payload settings on Mac computers enrolled in a mobile device management (MDM) solution to manage the settings in the Privacy tab of the Security and Privacy preferences pane. If there is more than one payload of this type, the more restrictive settings are used. This payload must be user approved.
OS and channel | Supported enrollment types | Interaction | Duplicates |
---|---|---|---|
macOS device | Device Automated Device | Exclusive | Multiple |
General settings
Setting | Description | Required |
---|---|---|
Accessibility | Allows specified apps to control the Mac via Accessibility APIs. | No |
AppleEvents | Allows specified apps to send a restricted AppleEvent to another process. | No |
Calendar | Allows specified apps access to event information managed by Calendar. | No |
Camera | Use to deny specified apps access to the camera. | No |
Contacts | Allows specified apps access to contact information managed by Contacts. | No |
Desktop Folder | Allows specified apps access to the Desktop folder. | No |
Documents Folder | Allows specified apps access to the Documents folder. | No |
Downloads Folder | Allows specified apps access to the Downloads folder. | No |
File Provider presence | Allows specified File Provider apps to know when the user is using files that the File Provider manages. | No |
Input devices | Set which approved apps have specified access to input devices (mouse, keyboard, trackpad). | No |
Media library | Allows specified apps access to Apple Music, music and video activity, and the media library. | No |
Microphone | Deny specified apps access to the microphone. | No |
Network volumes | Allows specified apps access to files on network volumes. | No |
Photos | Allows specified apps access to images managed by the Photos app in /Users/username/Pictures/Photos Library. Note: If the user has put their photo library somewhere else, it won’t be protected from apps. | No |
Post Event | Allows specified apps to use CoreGraphics APIs to send CGEvents to the system event stream. | No |
Reminders | Allows specified apps access to information managed by Reminders. | No |
Removable volumes | Allows specified apps access to files on removable volumes. | No |
Screen recording | Deny specified apps access to capture (read) the contents of the system display. | No |
Speech recognition | Allows specified apps to use the system Speech Recognition feature and to send speech data to Apple. | No |
System Policy All Files | Allows specified apps access to data like Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the Mac. | No |
System Policy administrator files | Allows specified apps access to some files used by system administrators. | No |
Custom MDM payload settings for Apple devices
To allow or disallow an app or binary access to one of the privacy classes of data, you can create a custom payload. The payload must include the following:
Requirement | Description | Example |
---|---|---|
The type of identifier | Specify either bundle ID or file path. | Bundle ID |
Identifier name or file path | The bundle ID name or the actual file path. | Bundle ID: com.MyOrganization.AppName; File path: /Applications/AppName |
Allow or deny | Specify whether the app is allowed or denied access. | Allow: True; Deny: False |
The code signing requirement | The actual code signing value. To get the value, open the Terminal app and run the following command: | App: Binary: Note: Apps and binaries not provided by Apple may have much longer designated requirements. Everything after “designated =>” should be included in your profile. |
Comment | Add an optional comment. | Allows my organization’s app to interact with all files without prompting the user. |
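To make the table concrete, here is an added example (not Apple's code) that assembles the custom payload from those fields in Python. The payload type and key names follow Apple's TCC payload schema; the requirement string, profile identifiers and comment are constructed placeholders, and the bundle ID is the table's own example.

```python
"""Build a Privacy Preferences Policy Control (TCC) payload from the table's fields.
Added example; keys follow Apple's TCC payload schema, all values are constructed."""
import plistlib
import uuid

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
# Constructed placeholder in the shape codesign prints after "designated =>";
# a real requirement must be read from the signed app itself.
EXAMPLE_REQUIREMENT = ('identifier "com.MyOrganization.AppName" and anchor apple generic'
                       ' and certificate leaf[subject.OU] = "TEAMID0000"')

def tcc_rule(identifier, identifier_type, code_requirement, allowed, comment=""):
    """One table row as a Services entry (identifier_type: 'bundleID' or 'path')."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    if identifier_type == "path" and not identifier.startswith("/"):
        raise ValueError("a path identifier must be an absolute path")
    if not code_requirement.strip():
        # Without a designated requirement TCC cannot bind the rule to signed code.
        raise ValueError("CodeRequirement is required")
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement, "Allowed": bool(allowed),
            "Comment": comment}

def build_profile(services, identifier="com.example.pppc"):
    """Wrap per-service rules in a device-scope configuration profile dict."""
    inner_uuid = str(uuid.uuid4())
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()),
            "PayloadScope": "System", "PayloadDisplayName": "PPPC example",
            "PayloadContent": [{
                "PayloadType": TCC_PAYLOAD_TYPE, "PayloadVersion": 1,
                "PayloadIdentifier": f"{identifier}.{inner_uuid}", "PayloadUUID": inner_uuid,
                "PayloadDisplayName": "Privacy Preferences Policy Control",
                "Services": services}]}

def roundtrip_services(profile):
    """Serialize to the XML plist an MDM pushes, then read the Services back."""
    data = plistlib.dumps(profile)
    return plistlib.loads(data)["PayloadContent"][0]["Services"]

def effective_allowed(*rules):
    """Same app and service in several payloads: the more restrictive (deny) wins."""
    return all(rule["Allowed"] for rule in rules)

def example_profile():
    """The table's example: grant the organization's app Full Disk Access."""
    rule = tcc_rule("com.MyOrganization.AppName", "bundleID", EXAMPLE_REQUIREMENT, True,
                    "Allows my organization's app to interact with all files without prompting.")
    return build_profile({"SystemPolicyAllFiles": [rule]})
```

The Camera, Microphone and Screen recording services in the table above accept only deny rules, so for those `allowed` would be False.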
To view a complete example of this custom payload, see Privacy Preferences Policy Control custom payload examples. After you’ve built and deployed your custom payload, if you’re still seeing dialog prompts, you can use the following command to try to identify—in real-time—the responsible app or binary that you’re attempting to allow access to:
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'