Skip to main content
Cisco Meraki Documentation

Privacy Preferences Policy Control (PPPC) on macOS with Systems Manager

Starting with macOS Mojave (10.14), applications need to be explicitly granted permissions for certain privacy features such as Accessibility, Camera, Microphone, Screen Capture, Input Monitoring, Full Disk Access, and many more. This macOS behavior was designed to protect the end user's privacy, however it can make remote deployment of applications and device more difficult. To solve this, administrators can now use a PPPC profile via Meraki Systems Manager which allows the administrator to grant or deny these permissions to user-approved macOS devices remotely. The Privacy Preferences Policy Control (PPPC) profile payload allows granting or denying of privacy access for specific applications to certain privacy features on macOS. 

 

If you are interested in learning more about this macOS feature, please see the Apple Developer Documentation as well as the Apple WWDC 2019 video - Advanced in macOS Security. Both contain great resources of information on this feature directly from Apple. 

Manually Enabling Privacy Permissions

Privacy permissions can be manually managed by users in System Preferences > Privacy. This is how end users manage these privacy preferences without MDM. 

Screen Shot 2020-01-21 at 11.43.41 AM.png

Screen Shot 2020-01-21 at 11.45.23 AM.png

PPPC Profile in Systems Manager

Privacy preferences policies can be remotely managed through MDM with Meraki Systems Manager.

 
In Systems Manager > Manage > Settings, create a profile and select the profile payload called "Privacy Preferences". For more information on how to configure profiles, reference our documentation on configuration profiles.

 

Screen Shot 2020-01-21 at 11.42.18 AM.png

Then, configure the app you wish to control PPPC for. 
Screen Shot 2020-01-21 at 12.20.01 PM.png

Note: PPPC profile settings from MDM will not display in the macOS device's System Preference's UI. The System Preferences > Security & Privacy > Privacy checkboxes are only the decisions end users made with prompts presented to them, not settings pushed via MDM profiles.

PPPC profile for Systems Manager Agent

For the Meraki Systems Manager Agent, some PPPC must be enabled. The SM Agent requires Accessibility and Screen Capture (only if using Remote Desktop). 

Note: Screen Capture is deny only on macOS, which means it cannot be remotely enabled with a PPPC profile. Users need to explicitly grant "allow" permission for the SM Agent to Screen Capture in macOS System Preferences for Remote Desktop to function. Accessibility can be remotely enabled with this PPPC profile, however. 

SM Agent PPPC profile information 

Identifier type: Path

Path: /Library/Application Support/Meraki/m_agent

Code requirement

identifier "com.meraki.m_agent" and (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = C73A479R6J)

  • Was this article helpful?