Privacy Preferences Policy Control
Use the Privacy Preferences Policy Control payload to manage the settings in the Privacy tab of the Security and Privacy preferences pane. If there is more than one payload of this type, the more restrictive settings are used.
Allows specified apps access to contact information managed by Contacts.
Allows specified apps access to event information managed by Calendar.
Allows specified apps access to information managed by Reminders.
Allows specified apps access to images managed by the Photos app in:
Note: If the user put their photo library somewhere else, it won’t be protected from apps.
Use to deny specified apps access to the camera.
Use to deny specified apps access to the microphone.
Allows specified apps to control the Mac via Accessibility APIs.
Allows specified apps to use CoreGraphics APIs to send CGEvents to the system event stream.
System Policy All Files
Allows specified apps access to data like Mail, Messages, Safari, Home, Time Machine backups, and certain administrative settings for all users on the Mac.
System Policy Administrator Files
Allows specified apps access to some files used by system administrators.
Allows specified apps to send a restricted AppleEvent to another process.
AppleEvent Receiver Identifier
The identifier of the process that receives an AppleEvent sent by the Identifier process. Required for the AppleEvents service; not valid for other services.
AppleEvent Receiver Identifier Type
The type of the AppleEvent Receiver Identifier value. Must be either bundleID or path. Required for the AppleEvents service; not valid for other services.
AppleEvent Receiver Code Requirement
The code requirement for the receiving binary. Required for the AppleEvents service; not valid for other services.
Custom payload settings
To allow or deny an app or binary access to one of the privacy classes of data, create a custom payload that includes the following:
Type of identifier: Specify either bundle ID or file path.
Identifier name or file path: The bundle ID name or the actual file path. For example:
Bundle ID: com.MyOrganization.AppName
File path: /Applications/AppName
Allow or deny: Specify whether the app is allowed or denied access.
Code signing requirement: The actual code signing value. To get the value, open the Terminal app and run the following command:
Note: Apps and binaries not provided by Apple may have much longer designated requirements. Everything after “designated =>” should be included in your profile.
Comment: Add an optional comment, for example: Allows my organization’s app to interact with all files without prompting the user.
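The custom payload steps above as an added shell example (not Apple's code): it takes the output of `codesign -dr -`, keeps only the text after “designated =>”, and writes the matching entry for the payload's Services dictionary. The key names (Services, Identifier, IdentifierType, CodeRequirement, Allowed, Comment) are the PPPC payload keys; the codesign output used in the test is constructed.

```shell
#!/bin/sh
# Added example, not Apple's code: build one PPPC Services entry from the
# output of `codesign -dr -`. Only the text after "designated =>" goes in the
# profile; the IdentifierType is bundleID or path, as the payload requires.

# Print the designated requirement from codesign -dr output read on stdin.
designated_requirement() {
  sed -n 's/^designated => //p' | head -n 1
}

# Escape the characters that are special in XML text nodes.
xml_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Emit one entry for the Services dictionary of the PPPC payload.
# $1 service key (for example SystemPolicyAllFiles)  $2 bundleID or path
# $3 identifier (bundle ID or executable path)        $4 code requirement
# $5 optional comment
pppc_entry() {
  req=$(printf '%s' "$4" | xml_escape)
  cmt=$(printf '%s' "${5:-}" | xml_escape)
  cat <<EOF
<key>$1</key>
<array>
  <dict>
    <key>Identifier</key>
    <string>$3</string>
    <key>IdentifierType</key>
    <string>$2</string>
    <key>CodeRequirement</key>
    <string>$req</string>
    <key>Allowed</key>
    <true/>
    <key>Comment</key>
    <string>$cmt</string>
  </dict>
</array>
EOF
}

# On a Mac: sh pppc_entry.sh /Applications/AppName.app (reads codesign directly).
if [ -n "${1:-}" ]; then
  req=$(codesign -dr - "$1" 2>/dev/null | designated_requirement)
  pppc_entry SystemPolicyAllFiles path "$1" "$req" "Allows $1 access to all files"
fi
```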
To view a complete example of this custom payload, see Privacy Preferences Policy Control custom payload example. After you’ve built and deployed your custom payload, if you still see dialog prompts, you can use the following command to try to identify, in real time, the responsible app or binary that you’re attempting to allow access to:
log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'