Privacy Preferences Policy Control (PPPC) payloads let you pre-approve app access to sensitive macOS resources such as files, camera, microphone, and accessibility services. By configuring PPPC via MDM, you can reduce end-user prompts, prevent mis-clicks on security dialogs, and keep critical tools like security agents or remote support apps working reliably.
How to Get the Bundle Identifier and Code Requirement
Start by collecting the app identifiers that PPPC requires. You will use these values when building the PPPC payload in Addigy.
- On a Mac with the application installed, open the Terminal app.
- Run the following command to get the Bundle Identifier (replace the path with your app’s path):
  codesign -dv /Applications/Google\ Chrome.app
- In the output, note the value after Identifier=; this is the application’s Bundle Identifier.
- Run the following command to get the Code Requirement (again, replace the path as needed):
  codesign -dr - "/Applications/Utilities/Terminal.app"
- In the output, note the value after designated =>; this is the Code Requirement you will use in the PPPC payload.
Tip: To quickly capture the app’s full path, drag the application from the Applications folder and drop it into the Terminal window.
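The following script is an added example, not Addigy's own tooling. It pulls both values out of codesign output and checks them against what was typed into a payload, which catches the copy-and-paste mistakes that leave an app prompting. The function names, the sample app and the team ID ABCDE12345 are constructed placeholders.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample output is constructed.

# Read `codesign -dv` output on stdin; print the value after "Identifier=".
pppc_identifier() {
    sed -n 's/^Identifier=//p' | head -n 1
}

# Read `codesign -dr -` output on stdin; print the text after "designated => ".
pppc_code_requirement() {
    sed -n 's/^designated => //p' | head -n 1
}

# Compare values read from the app with the values entered in the payload.
# Args: app id, app requirement, payload id, payload requirement.
# Prints one line per problem; returns 0 only if both fields match exactly.
pppc_compare() {
    rc=0
    [ "$1" = "$3" ] || { echo "Identifier mismatch: app=$1 payload=$3"; rc=1; }
    [ "$2" = "$4" ] || { echo "Code Requirement mismatch"; rc=1; }
    # The "designated => " label is not part of the requirement itself.
    case "$4" in
        "designated =>"*) echo "Payload value still has the 'designated =>' prefix"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample output for a hypothetical app (placeholder team ID).
SAMPLE_DV='Executable=/Applications/Support Tool.app/Contents/MacOS/Support Tool
Identifier=com.example.supporttool
Format=app bundle with Mach-O universal (x86_64 arm64)
TeamIdentifier=ABCDE12345'
SAMPLE_DR='Executable=/Applications/Support Tool.app/Contents/MacOS/Support Tool
designated => identifier "com.example.supporttool" and anchor apple generic and certificate leaf[subject.OU] = ABCDE12345'

# On a Mac, pass an app path as the first argument to read the live values.
# codesign writes its -dv report to stderr, hence the 2>&1 before the pipe.
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    codesign -dv "$1" 2>&1 | pppc_identifier
    codesign -dr - "$1" 2>&1 | pppc_code_requirement
fi
```

Run with an app path to print the two values to paste into the Identifier and Code Requirement fields; without an argument it only defines the functions and the sample data.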
How to Create a PPPC Payload in Addigy
Once you have the Bundle Identifier and Code Requirement, you can build a PPPC payload in Addigy that defines which permissions to allow or deny for the app.
- Navigate to the Catalog page in Addigy.
- Select the Device Settings tab.
- Click New near the top right of the Device Settings pane.
- Select PPPC as the Device Setting type.
- Enter a clear name for the payload in the Name field, such as PPPC – SentinelOne or PPPC – Remote Support Tool.
- For each privacy area you want the app to access (for example, Accessibility, Full Disk Access, or Screen Recording), check the box and click Add New.
- In the item details, fill in the Identifier field with the Bundle Identifier you retrieved earlier and the Code Requirement field with the Code Requirement value.
- Set the Allowed checkbox for keys where you want to grant access. Optionally, configure the Static Code setting:
  - If Static Code is enabled, the Code Requirement is validated against the app on disk.
  - If Static Code is disabled, the requirement is validated against the in-memory app.
- Repeat the previous steps for any additional privacy services the app requires.
After creation, the Device Setting appears under Catalog > Device Settings and can be deployed to an individual device using GoLive or added to a policy for bulk deployment. We always suggest deploying the Device Setting to a test device before pushing it out to an entire policy to verify expected behavior.
Frequently Asked Questions
What happens if there are multiple PPPC payloads for the same app?
If more than one PPPC payload applies to the same app and privacy service, macOS enforces the most restrictive effective setting. To avoid conflicts and unexpected behavior, use a single consolidated PPPC payload per app whenever possible.
Why is my app still prompting users after deploying a PPPC payload?
Common causes include an incorrect Bundle Identifier, an incorrect Code Requirement, targeting the wrong binary, or the device not having received the Device Setting yet. Verify the identifiers with codesign again, confirm that the Device Setting is assigned to the correct policy, and check the device’s Installed Device Settings list to ensure the PPPC payload is installed and active.
Can I let standard users approve certain permissions but manage others via PPPC?
Yes, PPPC settings support letting standard users approve some prompts while centrally controlling others; use the “Let Standard Users Approve” behavior where appropriate in your PPPC configuration.