Create a Privacy Preferences Policy Control (PPPC) Profile

By Emalee Firestein

PPPC profiles can allow certain applications to access sensitive details, removing prompts for the end user.

Determine Which Apps Need a PPPC Profile


It's not always obvious which apps need a PPPC profile; these steps will help determine whether your app needs additional privacy permissions. Preference panes may vary between macOS versions.

For macOS 13 Ventura or later

  1. Install your application on a test device or macOS virtual machine. 
  2. Open the app and note any UI dialogues, such as those requesting access for accessibility or the Downloads folder. 
  3. Open System Settings and click Privacy & Security.
  4. Select an option on the right-hand side, such as Accessibility. If you see an app listed here, it generally means that the app will need this PPPC permission. Deploying a PPPC profile allowing that permission will prevent the end user from receiving a consent dialogue when opening the app.
  5. Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.

For macOS versions prior to macOS 13 Ventura

  1. Install your application on a test device or macOS virtual machine. 
  2. Open the app and note any UI dialogues, such as those requesting access for accessibility or the Downloads folder. 
  3. Open System Preferences and click Security & Privacy.
  4. Select the Privacy tab.
  5. Select an option on the left-hand side, such as Accessibility. If you see an app listed here, it generally means that the app will need this PPPC permission. Deploying a PPPC profile allowing that permission will prevent the end user from receiving a consent dialogue when opening the app.
  6. Right-click on the app listed and select Show in Finder. Finder will launch with the app in question selected. You can drag and drop the application into Terminal to get its full path, which will be used in the next step.

Determine the Identifier and Code Requirement


To create a PPPC profile, you need to know the application's code requirement and identifier. This information can easily be collected using Terminal on a Mac with the application installed.

  1. Launch Terminal on a macOS device on which the application is installed.
  2. Run the following command, replacing /Applications/zoom.us.app with the path to your application.
    codesign -dr - /Applications/zoom.us.app 
  3. When the output results appear, copy all text after the => characters; do not copy any trailing or leading spaces. This output is the Code Requirement. The portion between the quotes, e.g. "us.zoom.xos", is the Identifier.
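
The copying in step 3 can be scripted. The following is an added example, not part of the original article or of Kandji's tooling: it splits codesign output into the Code Requirement and the Identifier, and reports whether the profile's Identifier type would be Bundle ID or Path. The sample output and its team ID ABCDE12345 are constructed, and the function names and the APP_PATH variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: split `codesign -dr -` output into the values a PPPC profile needs.

# Read codesign output on stdin; print everything after "=>" on the
# "designated" line with leading and trailing whitespace removed.
pppc_code_requirement() {
    sed -n 's/^[^=]*designated[[:space:]]*=>[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print the identifier when the requirement ($1) opens with: identifier "..."
pppc_identifier() {
    printf '%s\n' "$1" | sed -n 's/^identifier "\([^"]*\)".*/\1/p'
}

# Identifier type for the profile: Bundle ID if the requirement leads with
# an identifier, otherwise Path.
pppc_identifier_type() {
    if [ -n "$(pppc_identifier "$1")" ]; then
        echo "Bundle ID"
    else
        echo "Path"
    fi
}

# Constructed sample output; ABCDE12345 is a placeholder team ID, and the
# trailing spaces are deliberate to show the trimming.
SAMPLE_OUTPUT='Executable=/Applications/zoom.us.app/Contents/MacOS/zoom.us
designated => identifier "us.zoom.xos" and anchor apple generic and certificate leaf[subject.OU] = ABCDE12345  '

# APP_PATH is this example's own variable: set it on a Mac to inspect a real
# app; otherwise the constructed sample is parsed.
if [ -n "${APP_PATH:-}" ]; then
    output=$(codesign -dr - "$APP_PATH" 2>&1)
else
    output=$SAMPLE_OUTPUT
fi

req=$(printf '%s\n' "$output" | pppc_code_requirement)
printf 'Identifier type:  %s\n' "$(pppc_identifier_type "$req")"
printf 'Identifier:       %s\n' "$(pppc_identifier "$req")"
printf 'Code requirement: %s\n' "$req"
```

Compare the printed Code requirement with the raw codesign output before pasting it into the profile, since a requirement that does not match the app's signature will not grant the permission.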

Create the PPPC Profile in Kandji


With your application information collected, you can create a PPPC profile in the Kandji web app.

  1. Navigate to Library in the left-hand navigation bar.
  2. Click on the Add New button in the upper right-hand corner.
  3. Click Privacy.
  4. Click Add & Configure.
  5. Give your profile a descriptive name, such as Zoom PPPC.
  6. Select the Blueprint you wish to include from the Blueprint dropdown. 
  7. Optionally, add Assignment Rules.
  8. If your output includes an identifier in the first part of the code requirement, leave the Identifier type set to Bundle ID; otherwise, select Path.
  9. Paste in the identifier found in the first part of the code requirement, such as us.zoom.xos. If you selected Path above, input the path for the profile.
  10. Paste in the full code requirement that you copied in Terminal. 
  11. Select an option from the App or Service dropdown. Your selection depends on the application. For Zoom, it is recommended to select both Accessibility and SystemPolicyDownloadsFolder. This would give Zoom access to the user's Downloads folder and Accessibility controls, which Zoom would otherwise prompt the user for. 
  12. Click Save in the bottom right corner.

The Statically validate the code requirement option is used only if the process invalidates its dynamic code signature.


If you are unsure about which PPPC permissions your application needs, it is best practice to first install it on a test machine and see what sorts of PPPC approval prompts you receive. For example: "Zoom needs access to the Downloads folder."

Also, note that approval granted via MDM, such as with a Privacy Profile from your library, will not display its effects in the macOS graphical user interface.