A Privacy Preferences Policy Control (PPPC) payload lets you centrally approve macOS privacy permissions such as Full Disk Access (FDA) for specific applications, services, and binaries. You can use this to pre-authorize antivirus, backup, and monitoring agents so they can access protected locations that macOS would otherwise block or prompt for.
Prerequisites
Before you create a PPPC payload for FDA, make sure you have the required app identifiers.
- The application's Bundle Identifier and Code Requirement for every binary that needs FDA (for example, agent, helper tools, daemons).
- Vendor documentation listing all components that require Full Disk Access; many security products use multiple processes with different identifiers.
How to Gather the Bundle ID and Code Requirement
First gather the Bundle ID and Code Requirement so you can accurately define each app in the PPPC payload. This information may be provided in the software developer's documentation for mass deployment or deployment via MDM.
If you are unable to find these values in documentation, please reference the following article for steps on how to gather this information: How To Get The Team ID, Bundle ID, and Code Requirement
Note: Security tools often have multiple binaries (agents, background services, helper tools), each with its own identifier and code requirement. Always confirm the full list of components that require FDA with the software vendor’s documentation or support team.
How to Create the PPPC Payload for Full Disk Access
After you gather the identifiers and code requirements, create a PPPC payload in Addigy and enable the FDA-related keys.
- Navigate to the Catalog page in Addigy.
- Select the Device Settings tab.
- Click New near the top right of the Device Settings pane.
- Select PPPC as the payload type.
- Enter a clear name for the payload, such as <Product Name> - PPPC Full Disk Access.
- Check the box to include Access to All Protected and System Administration Files.
- Click Add New.
- Fill in the Identifier and Code Requirement fields using the values you previously collected.
- Make sure the Allowed checkbox is selected so the app is granted access instead of being denied or prompted.
- If the application has multiple identifiers, click Add New and repeat the process.
- Save the payload to your Catalog.
Once configured, the PPPC payload should appear as shown below:
After creation, the payload appears under Catalog > Device Settings and can be deployed to an individual device using GoLive or added to a policy for bulk deployment. We always suggest deploying the payload to a test device before pushing it out to an entire policy to verify expected behavior.
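For reference, the fields filled in above correspond to keys in Apple's PPPC profile payload. The following is an added example, not Addigy's own code or output: it builds such a profile from a list of components, assuming the Access to All Protected and System Administration Files option maps to Apple's `SystemPolicyAllFiles` service. The `com.example` identifiers, team ID, and function names are constructed placeholders.

```python
import plistlib
import uuid

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def fda_entry(identifier, code_requirement):
    """One row of the payload: Identifier, Code Requirement, Allowed."""
    identifier, code_requirement = identifier.strip(), code_requirement.strip()
    if not identifier or not code_requirement:
        raise ValueError("identifier and code requirement are both required")
    return {
        "Identifier": identifier,
        # Apps are named by bundle ID; standalone binaries by absolute path.
        "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": True,  # the Allowed checkbox from the steps above
    }

def build_fda_profile(name, org_prefix, components):
    """Return profile bytes granting SystemPolicyAllFiles to each component."""
    entries, seen = [], set()
    for identifier, requirement in components:
        entry = fda_entry(identifier, requirement)
        if entry["Identifier"] in seen:  # one rule per identifier, no overlaps
            raise ValueError("duplicate identifier: " + entry["Identifier"])
        seen.add(entry["Identifier"])
        entries.append(entry)

    def meta(suffix):
        return {"PayloadIdentifier": org_prefix + suffix, "PayloadVersion": 1,
                "PayloadUUID": str(uuid.uuid4()).upper()}

    policy = {"PayloadType": TCC_TYPE, **meta(".pppc.fda.policy"),
              "Services": {"SystemPolicyAllFiles": entries}}
    profile = {"PayloadType": "Configuration", **meta(".pppc.fda"),
               "PayloadDisplayName": name, "PayloadScope": "System",
               "PayloadContent": [policy]}
    return plistlib.dumps(profile)

# Constructed sample components (placeholder identifiers and team ID).
REQ = 'identifier "{}" and anchor apple generic and certificate leaf[subject.OU] = "EXAMPLE0000"'
SAMPLE = [("com.example.agent", REQ.format("com.example.agent")),
          ("/Library/Example/bin/exampled", REQ.format("exampled"))]

if __name__ == "__main__":
    print(build_fda_profile("Example Agent - PPPC Full Disk Access",
                            "com.example", SAMPLE).decode())
```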
Best Practices and Important Notes
Follow these guidelines to avoid user prompts and ensure FDA applies correctly.
- Install the PPPC/FDA payload before installing the related application so the app launches with all required permissions in place.
- If the app is installed prior to the payload, users may still encounter system prompts since the payload does not apply permissions retroactively.
- Do not deploy multiple overlapping PPPC payloads for the same app; conflicting rules may cause unexpected behavior.
Understanding Full Disk Access in System Settings
After deployment, you may see the application listed under macOS privacy settings even if the checkbox appears disabled.
- On macOS, go to System Settings > Privacy & Security > Full Disk Access (or System Preferences > Security & Privacy > Full Disk Access on older versions).
- The app may appear in the list with its checkbox unchecked, but this UI does not accurately reflect the status when FDA has been granted via an MDM PPPC payload.
- As long as the correct PPPC configuration is deployed and targeted to the device, the app should have the appropriate permissions even if the checkbox does not show as enabled.
Because of this behavior, System Settings should not be your primary verification mechanism for PPPC-based FDA; use functional tests or logs instead.
Troubleshooting
If devices still prompt users for access or the app appears unable to read protected locations, verify the PPPC configuration and deployment.
- Confirm the Bundle Identifier and Code Requirement match the current version of the application on disk.
- Check that the PPPC payload is successfully installed on the device in System Settings > General > Device Management (or Profiles on earlier macOS versions).
- Test the app’s functionality (for example, running a scan or backup) instead of relying solely on UI checkboxes.
For more detailed troubleshooting steps and common causes of PPPC issues, refer to FAQ: Issues Allowing App Permissions via MDM Profiles (PPPC, System Extensions, etc...)
Frequently Asked Questions
Do I need a separate PPPC payload for each application?
Yes, you should generally create one PPPC payload per application to keep permissions clear and avoid conflicting rules for the same identifiers.
What if the vendor changes their app’s identifier or signing certificate?
If an update changes the Bundle ID or Code Requirement, the existing PPPC payload may no longer apply correctly and the app could lose FDA. In that case, re-collect the identifiers from the updated app, update the PPPC payload, and redeploy it to your policies.
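The drift described in this answer, and the troubleshooting step of confirming that the deployed Code Requirement matches the app on disk, can be checked offline. The following is an added example, not Addigy tooling: it compares the Full Disk Access entries in exported profiles against `codesign -dr - <path>` output collected from a device and also flags identifiers covered by more than one entry. All identifiers, team IDs, and sample data are constructed.

```python
import plistlib
import re
from collections import Counter

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def designated_requirement(codesign_output):
    """Pull the requirement text out of `codesign -dr - <path>` output."""
    m = re.search(r"^(?:# )?designated => (.+)$", codesign_output, re.MULTILINE)
    return " ".join(m.group(1).split()) if m else None

def fda_entries(profile_bytes):
    """Yield every Full Disk Access entry in one configuration profile."""
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") == TCC_TYPE:
            yield from payload.get("Services", {}).get("SystemPolicyAllFiles", [])

def audit(profiles, on_disk):
    """Return sorted (identifier, finding) pairs across all given profiles."""
    entries = [e for p in profiles for e in fda_entries(p)]
    counts = Counter(e["Identifier"] for e in entries)
    findings = set()
    for e in entries:
        ident = e["Identifier"]
        deployed = " ".join(e["CodeRequirement"].split())
        current = designated_requirement(on_disk.get(ident, ""))
        if counts[ident] > 1:
            findings.add((ident, "overlapping entries"))
        if current is None:
            findings.add((ident, "no codesign output collected"))
        elif current != deployed:
            findings.add((ident, "code requirement differs from binary on disk"))
    return sorted(findings)

# Constructed sample data: placeholder identifiers and team IDs.
def sample_profile(*pairs):
    rows = [{"Identifier": i, "IdentifierType": "bundleID",
             "CodeRequirement": r, "Allowed": True} for i, r in pairs]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": rows}}]})

REQ = 'identifier "{}" and anchor apple generic and certificate leaf[subject.OU] = "{}"'
OLD = REQ.format("com.example.agent", "OLDTEAM000")
NEW = REQ.format("com.example.agent", "NEWTEAM000")
HELPER = REQ.format("com.example.helper", "NEWTEAM000")
SAMPLE_PROFILES = [sample_profile(("com.example.agent", OLD)),
                   sample_profile(("com.example.agent", OLD),
                                  ("com.example.helper", HELPER))]
SAMPLE_ON_DISK = {"com.example.agent": "Executable=/Applications/Example.app/"
                  "Contents/MacOS/Example\ndesignated => " + NEW + "\n"}
```

A textual difference is a prompt to re-collect the values and review the payload, not proof that access is broken, since two differently written requirements can match the same signature.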
How can I verify that Full Disk Access is actually working?
The most reliable check is to use the application as intended—for example, run a full scan or backup and verify it completes across protected directories. Some security vendors also provide logs or status panels that indicate whether required macOS privacy permissions are in place.