Privacy Preferences Policy Control (PPPC) payloads grant specific applications access to protected resources, for example files or the microphone/camera. Enforcing a PPPC payload removes the need for an Admin to step in and grant access to apps that may require extra accessibility privileges, such as SentinelOne or Sophos. Before we start creating a PPPC payload, we need to get the Bundle Identifier and the Code Requirement of the application we are giving extended access to.
Note: We recommend having only one PPPC payload per software, as multiple PPPC payloads for the same software may conflict and cause unwanted behavior.
Getting the Bundle Identifier and Code Requirement
- Open Spotlight (CMD + Space)
- Type Terminal
- The Terminal app opens
- To get the Bundle Identifier, type codesign -dv "Path of Application" (in this example we use /Applications/Utilities/Terminal.app/) and press return
- Take note of the text after "Identifier=" (this is the Bundle Identifier, image below)
- Get the Code Requirement by typing codesign -dr - "Path of Application" (in this example we will use Terminal) and press enter
- Take note of the output after "designated =>" (this is the Code Requirement, image below)
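The two lookups above can be scripted and sanity-checked before the values are pasted into a profile. This is an added example, not part of the original article or the vendor's tooling; the function names and the sample codesign output are constructed for illustration.

```shell
#!/bin/sh
# Added example: extract the two PPPC fields from codesign output and check them.

# Value after "Identifier=" in `codesign -dv` output read from stdin.
pppc_identifier() { sed -n 's/^Identifier=//p' | head -n 1; }

# Text after "designated => " in `codesign -dr -` output read from stdin.
pppc_requirement() { sed -n 's/^designated => //p' | head -n 1; }

# Check the pair before it goes into the profile.
# 0 = usable, 1 = a field is missing (unsigned app or wrong path),
# 2 = cdhash-based requirement (ad-hoc signature, changes with every build),
# 3 = requirement does not name this identifier (heuristic, review by hand).
pppc_check() {
    chk_id=$1
    chk_req=$2
    [ -n "$chk_id" ] && [ -n "$chk_req" ] || return 1
    case $chk_req in
        cdhash*) return 2 ;;
        *"identifier \"$chk_id\""*) return 0 ;;
        *) return 3 ;;
    esac
}

# On a Mac: run both commands from the steps above against one application.
# codesign writes the -dv report to stderr, hence 2>&1.
pppc_fields() {
    id=$(codesign -dv "$1" 2>&1 | pppc_identifier)
    req=$(codesign -dr - "$1" 2>&1 | pppc_requirement)
    pppc_check "$id" "$req" || echo "warning: pppc_check returned $?" >&2
    printf 'Identifier: %s\nCode Requirement: %s\n' "$id" "$req"
}

# Constructed sample output, shaped like what codesign prints for Terminal.app.
SAMPLE_DV='Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Identifier=com.apple.Terminal
Format=app bundle with Mach-O universal (x86_64 arm64e)'
SAMPLE_DR='Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
designated => identifier "com.apple.Terminal" and anchor apple'

if [ $# -gt 0 ]; then
    pppc_fields "$1"    # e.g. ./pppc.sh /Applications/Utilities/Terminal.app/
else
    printf '%s\n' "$SAMPLE_DV" | pppc_identifier
    printf '%s\n' "$SAMPLE_DR" | pppc_requirement
fi
```

A return code of 2 from pppc_check means the requirement is pinned to one specific build of the binary, so a PPPC entry built from it stops matching after the application is updated.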
Creating a PPPC payload
- Click Policies in the navigation menu
- Click Catalog
- Click MDM Profiles
- Click New
- Select macOS
- Click PPPC
- Create a name for the Payload (Required)
- Click Add New on any of the items you would like this application to have access to
- Fill in the Identifier and Code Requirement with the information gathered previously
- Depending on the key, make sure the Allowed checkbox is selected (Static Code verifies the Code Requirement of the application on the storage device. If set to false, it verifies the application in memory.)
- Click Save & Review, and Confirm Changes.
You have created your custom PPPC profile. The only thing left to do is deploy it to a policy.
For steps on how to deploy this via Policy, please refer to our Adding and Removing items from a Policy article.
You're all set! If you experience any issues with allow-listing/whitelisting the app, please refer to our troubleshooting article here:
FAQ: App(s) not Whitelisting via MDM Profile (PPPC, System Extensions, etc..)