
Privacy Preferences Policy Control (PPPC) on macOS with Systems Manager

Starting with macOS Mojave (10.14), applications must be explicitly granted permission to use certain privacy-protected features such as Accessibility, Camera, Microphone, Screen Recording, Input Monitoring, Full Disk Access, and many more. This macOS behavior was designed to protect the end user's privacy; however, it can make remote deployment of applications and devices more difficult. To solve this, administrators can use a Privacy Preferences Policy Control (PPPC) profile payload in Meraki Systems Manager to remotely grant or deny specific applications access to these privacy features on user-approved macOS devices.

 

If you are interested in learning more about this macOS feature, please see the Apple Developer Documentation as well as the Apple WWDC 2019 video "Advances in macOS Security". Both are good sources of information on this feature directly from Apple.

Manually Enabling Privacy Permissions

Privacy permissions can be manually managed by users in System Preferences > Privacy. This is how end users manage these privacy preferences without MDM. 


PPPC Profile in Systems Manager

Privacy preferences policies can be remotely managed through MDM with Meraki Systems Manager.

 
In Systems Manager > Manage > Settings, create a profile and select the profile payload called "Privacy Preferences". For more information on how to configure profiles, reference our documentation on configuration profiles.

 


Then, configure the app you wish to control PPPC for. 

PPPC profile for Systems Manager Agent

For the Meraki Systems Manager Agent, some PPPC permissions must be enabled. The SM Agent requires Accessibility and, only if using Remote Desktop, Screen Capture.

Note: Screen Capture is deny-only on macOS, which means it cannot be remotely enabled with a PPPC profile. Users need to explicitly grant "allow" permission for the SM Agent to Screen Capture in macOS System Preferences for Remote Desktop to function. Accessibility can be remotely enabled with this PPPC profile, however.

SM Agent PPPC profile information 

Identifier type: Path

Path: /Library/Application Support/Meraki/m_agent

Code requirement

identifier "com.meraki.m_agent" and (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = C73A479R6J)
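
The three fields above map onto Apple's documented PPPC payload (type com.apple.TCC.configuration-profile-policy). The following is an added example, not Meraki's code or the profile Systems Manager itself generates: it builds that payload for the SM Agent and rejects an "allow" for a deny-only service. The function names and the PayloadIdentifier value are constructed for illustration.

```python
import plistlib
import uuid

# Services a profile may deny but never allow. The page names Screen Capture;
# the other three are deny-only per Apple's payload documentation.
DENY_ONLY = {"ScreenCapture", "Camera", "Microphone", "ListenEvent"}

# Values copied from "SM Agent PPPC profile information" on this page.
AGENT_PATH = "/Library/Application Support/Meraki/m_agent"
AGENT_REQUIREMENT = (
    'identifier "com.meraki.m_agent" and (anchor apple generic and '
    'certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
    'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] '
    '/* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] '
    '/* exists */ and certificate leaf[subject.OU] = C73A479R6J)'
)


def pppc_entry(service, identifier, identifier_type, requirement, allowed):
    """Build one identity entry for a service, rejecting invalid grants."""
    if identifier_type not in ("path", "bundleID"):
        raise ValueError(f"unknown identifier type: {identifier_type!r}")
    if identifier_type == "path" and not identifier.startswith("/"):
        raise ValueError("a path identifier must be an absolute path")
    if not requirement.strip():
        raise ValueError("a code requirement is needed to pin the signer")
    if allowed and service in DENY_ONLY:
        raise ValueError(f"{service} is deny-only and cannot be allowed")
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": requirement, "Allowed": bool(allowed)}


def build_payload(grants):
    """grants: iterable of (service, allowed) pairs applied to the SM Agent."""
    services = {}
    for service, allowed in grants:
        services.setdefault(service, []).append(pppc_entry(
            service, AGENT_PATH, "path", AGENT_REQUIREMENT, allowed))
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.pppc.m-agent",  # constructed value
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "Services": services}


if __name__ == "__main__":
    # Accessibility can be granted remotely; Screen Capture can only be denied.
    print(plistlib.dumps(build_payload([("Accessibility", True)])).decode())
```

The code requirement is what ties the grant to the vendor's signing identity rather than to whatever binary happens to sit at that path, so it should be copied verbatim and never left empty.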


Article ID

ID: 9234
