Create a Privacy Preferences Policy Control (PPPC) Profile

PPPC profiles let you pre-approve specific applications for access to privacy-protected data and services, which removes the consent prompts the end user would otherwise see.

Determine which apps need a PPPC Profile

It isn't always obvious which apps need a PPPC Profile. These steps will help you determine whether your app needs additional privacy permissions.

  1. Install your application on a test device, or a macOS virtual machine. 
  2. Open the app and note any UI dialogs, such as requests for Accessibility access or access to the Downloads folder.
  3. Open System Preferences and click Security & Privacy.

  4. Select the Privacy tab.
  5. Select an option on the left-hand side such as Accessibility. If you see an app listed here it generally means that the app will need this PPPC permission. Deploying a PPPC profile allowing that permission will prevent the end-user from receiving a consent dialogue when opening the app.

  6. Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step. 

Determine the identifier and code requirement

To create a PPPC profile, you need to know the application's code requirement and identifier. This information can easily be collected using Terminal on a Mac that has the application installed.

  1. Launch Terminal on a macOS device with the application installed.
  2. Run the following command, replacing /Applications/zoom.us.app with the path to your application.
    codesign -dr - /Applications/zoom.us.app 
  3. When you see the output results, copy all text after the => characters. (Do not copy the trailing or leading spaces.)

Create the PPPC Profile in Kandji

With your application information collected, you can create a PPPC profile inside of the Kandji Web App.

  1. Navigate to Library in the left-hand navigation bar.
  2. Click on the Add New button in the upper right-hand corner.

  3. Click Privacy Profile.
  4. Click Add & Configure.
  5. Give your profile a descriptive name such as Zoom PPPC.
  6. Select the Blueprint(s) you wish to include from the Blueprint assignment dropdown. 
  7. If your output included an Identifier in the first part of the code requirement, leave the Identifier type set to Bundle ID, otherwise select Path.
  8. Paste in the Identifier found in the first part of the code requirement, such as us.zoom.xos. If you selected Path above, input the path for the profile.
  9. Paste in the full Code Requirement that was copied out of the terminal. 
  10. Select an option from the App or Service dropdown. Your selection depends on your application. For Zoom, it is recommended to select both Accessibility and SystemPolicyDownloadsFolder. This would give Zoom access to the user's downloads folder and accessibility controls, both of which Zoom would otherwise prompt the end-user for. 
  11. Click Save in the bottom right corner.
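
The copy steps above (take the text after =>, trim the spaces, then choose Bundle ID or Path) can be scripted. This is an added shell example, not part of the original article or of Kandji's tooling; the function names are hypothetical, and the sample output and the team ID EXAMPLE123 are constructed placeholders.

```shell
#!/bin/sh
# Added example: turn `codesign -dr -` output into the fields the profile needs.

# Constructed sample output (the team ID EXAMPLE123 is a placeholder).
SAMPLE_OUTPUT='Executable=/Applications/zoom.us.app/Contents/MacOS/zoom.us
designated => identifier "us.zoom.xos" and anchor apple generic and certificate leaf[subject.OU] = EXAMPLE123  '

# Read codesign output on stdin; print the text after "=> " with
# leading and trailing whitespace removed.
pppc_requirement() {
    sed -n 's/^[# ]*designated => //p' | head -n 1 |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Print the identifier named in a requirement string ($1), or nothing.
pppc_identifier() {
    printf '%s\n' "$1" | grep -oE 'identifier "?[^" ]+' | head -n 1 |
        sed 's/^identifier "\{0,1\}//'
}

# Choose the Identifier type: Bundle ID when the requirement names an
# identifier, otherwise Path.
pppc_identifier_type() {
    if [ -n "$(pppc_identifier "$1")" ]; then
        echo "Bundle ID"
    else
        echo "Path"
    fi
}

# With an app path and codesign available, inspect the real app;
# otherwise fall back to the constructed sample.
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    output=$(codesign -dr - "$1" 2>&1)
else
    output=$SAMPLE_OUTPUT
fi

req=$(printf '%s\n' "$output" | pppc_requirement)
echo "Identifier type:  $(pppc_identifier_type "$req")"
echo "Identifier:       $(pppc_identifier "$req")"
echo "Code requirement: $req"
```

Run it with the application path as the only argument on a Mac; without an argument it prints the fields for the constructed sample.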

 

The "Statically validate the code requirement" option is used only if the process invalidates its dynamic code signature.

If you are unsure which PPPC permissions your application needs, it is best practice to first install it on a test machine and see what Kext/PPPC approval prompts you receive, such as "Zoom needs access to the downloads folder".
