Privacy Preferences Policy Control (PPPC) on macOS with Systems Manager
Starting with macOS Mojave (10.14), applications need to be explicitly granted permissions for certain privacy features such as Accessibility, Camera, Microphone, Screen Capture, Input Monitoring, Full Disk Access, and many more. This macOS behavior was designed to protect the end user's privacy, but it can make remote deployment of applications and devices more difficult. To solve this, administrators can use a Privacy Preferences Policy Control (PPPC) profile in Meraki Systems Manager. The PPPC profile payload lets the administrator remotely grant or deny specific applications access to specific privacy features on user-approved macOS devices.
If you are interested in learning more about this macOS feature, please see the Apple Developer Documentation as well as the Apple WWDC 2019 video, Advances in macOS Security. Both are good sources of information on this feature directly from Apple.
Manually Enabling Privacy Permissions
Privacy permissions can be manually managed by users in System Preferences > Privacy. This is how end users manage these privacy preferences without MDM.
PPPC Profile in Systems Manager
Privacy preferences policies can be remotely managed through MDM with Meraki Systems Manager.
In Systems Manager > Manage > Settings, create a profile and select the profile payload called "Privacy Preferences". For more information on how to configure profiles, reference our documentation on configuration profiles.
Then, configure the app you wish to control PPPC for.
Note: PPPC profile settings from MDM will not display in the macOS device's System Preferences UI. The System Preferences > Security & Privacy > Privacy checkboxes reflect only the decisions end users made in response to prompts presented to them, not settings pushed via MDM profiles.
PPPC profile for Systems Manager Agent
For the Meraki Systems Manager Agent, some PPPC permissions must be enabled. The SM Agent requires Accessibility, and Screen Capture only if Remote Desktop is used.
Note: Screen Capture is deny only on macOS, which means it cannot be remotely enabled with a PPPC profile. Users need to explicitly grant "allow" permission for the SM Agent to Screen Capture in macOS System Preferences for Remote Desktop to function. Accessibility can be remotely enabled with this PPPC profile, however.
SM Agent PPPC profile information
Identifier type: Path
Path: /Library/Application Support/Meraki/m_agent
Code requirement:
identifier "com.meraki.m_agent" and (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = C73A479R6J)
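The following is an added example, not code from Meraki or Apple: it builds the Privacy Preferences payload for the SM Agent values listed above and checks a payload before deployment, including the Screen Capture deny-only rule. The key names are those of Apple's PPPC payload; the PayloadIdentifier, the helper names and the lint rules are assumptions made for illustration.

```python
import plistlib
import uuid

# Values copied from the "SM Agent PPPC profile information" section of this page.
AGENT_PATH = "/Library/Application Support/Meraki/m_agent"
AGENT_REQ = (
    'identifier "com.meraki.m_agent" and (anchor apple generic and '
    'certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
    'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] '
    '/* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] '
    '/* exists */ and certificate leaf[subject.OU] = C73A479R6J)'
)
DENY_ONLY = {"ScreenCapture"}  # per this page: cannot be remotely allowed

def entry(identifier, id_type, requirement, allowed):
    """One application entry under a TCC service (hypothetical helper)."""
    return {"Identifier": identifier, "IdentifierType": id_type,
            "CodeRequirement": requirement, "Allowed": allowed}

def build_payload(services):
    """Wrap {service: [entries]} in a Privacy Preferences (TCC) payload."""
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": "com.example.pppc.sm-agent",  # constructed value
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": services,
    }

def lint_pppc(payload):
    """Return a list of problems found before the profile is deployed."""
    issues = []
    for service, entries in payload.get("Services", {}).items():
        for e in entries:
            where = f"{service}: {e.get('Identifier')!r}"
            if e.get("IdentifierType") not in ("bundleID", "path"):
                issues.append(f"{where}: unknown IdentifierType")
            elif e["IdentifierType"] == "path" and not e.get("Identifier", "").startswith("/"):
                issues.append(f"{where}: path identifier must be absolute")
            req = e.get("CodeRequirement", "")
            if "anchor apple" not in req:  # heuristic: requirement pins no signer
                issues.append(f"{where}: code requirement does not pin a signing anchor")
            if service in DENY_ONLY and e.get("Allowed") is True:
                issues.append(f"{where}: {service} is deny only, allow has no effect")
    return issues

SM_AGENT = build_payload({"Accessibility": [entry(AGENT_PATH, "path", AGENT_REQ, True)]})
PROFILE_XML = plistlib.dumps(SM_AGENT).decode()  # payload as XML plist text
```

A code requirement that names only an identifier would let any binary placed at that path inherit the permission, which is why the lint step treats a missing signing anchor as a finding.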