PPPC profiles can allow certain applications to access sensitive details removing prompts for the end-user.
Determine Which Apps Need a PPPC Profile
Sometimes it's not always obvious which apps need a PPPC profile; these steps will help you to determine if your app needs additional privacy permissions.
- Install your application on a test device or macOS virtual machine.
- Open the app and note any UI dialogues, such as those requesting access for accessibility or the Downloads folder.
- Open System Preferences and click Security & Privacy.
- Select the Privacy tab.
- Select an option on the left-hand side such as Accessibility. If you see an app listed here it generally means that the app will need this PPPC permission. Deploying a PPPC profile allowing that permission will prevent the end-user from receiving a consent dialogue when opening the app.
- Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.
Determine the Identifier and Code Requirement
In order to create a PPPC profile, you need to know the application's code requirement and identifier. This information can easily be collected using Terminal on a Mac that has the application installed.
- Launch Terminal on a macOS device on which the application is installed.
- Run the following command, replacing /Applications/zoom.us.app with the path to your application.
codesign -dr - /Applications/zoom.us.app
- When the output results appear, copy all text after the => characters; do not copy any trailing or leading spaces.
Create the PPPC Profile in Kandji
With your application information collected, you can create a PPPC profile in the Kandji web app.
- Navigate to Library in the left-hand navigation bar.
- Click on the Add New button in the upper right-hand corner.
- Click Privacy Profile.
- Click Add & Configure.
- Give your profile a descriptive name such as Zoom PPPC.
- Select the Blueprint you wish to include from the Blueprint dropdown.
- If your output included an identifier in the first part of the code requirement, leave the Identifier type set to Bundle ID, otherwise select Path.
- Paste in the identifier found in the first part of the code requirement, such as us.zoom.xos. If you selected Path above, input the path for the profile.
- Paste in the full code requirement that you copied in Terminal.
- Select an option from the App or Service dropdown. Your selection depends on the application. For Zoom, it is recommended to select both Accessibility and SystemPolicyDownloadsFolder. This would give Zoom access to the user's Downloads folder and Accessibility controls, both of which Zoom would otherwise prompt the user for.
- Click Save in the bottom right corner.
The Statically validate the code requirement option is used only if the process invalidates its dynamic code signature.
If you are unsure about which PPPC permissions your application needs, it is best practice to first install it on a test machine and see what sorts of kext/PPPC approval prompts you receive. For example: "Zoom needs access to the Downloads folder."