Apple changed how Privacy Preferences Policy Control (PPPC) works starting in macOS Big Sur, which affects what standard (non-admin) users can approve in Privacy & Security settings. This article explains how you can use an MDM PPPC payload in Addigy to let standard users approve specific app permissions - such as Screen Recording - without converting them to admin accounts.
Overview
PPPC controls macOS privacy permissions for items like Screen Recording, Microphone, Accessibility, and other protected resources.
Beginning with macOS Big Sur 11, standard users can no longer approve some sensitive permissions (including Screen Recording and Listen Events) directly, which can block required app functionality.
By deploying a PPPC MDM payload from Addigy, you can explicitly allow or delegate these approvals so standard users can grant access when prompted, while you retain control over which apps are eligible.
Prerequisites
Before configuring PPPC for standard users, make sure you have:
- User Approved MDM enrollment on the target devices.
- The app’s Bundle ID or Team ID, and Code Requirement, obtained using the following workflow: How to Get the Team ID, Bundle ID, and Code Requirement
How to Configure PPPC for Standard Users
Use this workflow when you want standard users to be able to approve specific PPPC prompts (for example, Screen Recording) without requiring admin rights.
- In Addigy, navigate to Catalog > Device Settings.
- Click New and choose the PPPC (Privacy Preferences Policy Control) Device Setting.
- Give the Device Setting a clear Name (for example, PPPC – Screen Recording – Standard User Approval).
- In the PPPC payload, locate the permission type you want to manage (for example, Ability to Screen Capture, Access to Listen Events, or other relevant services).
- Add a new app entry and provide the Identifier (Bundle ID or Team ID) and Code Requirement that you gathered for the application. If the Team ID is used, make sure to change the Identifier Type to Team ID.
- For the selected service, set the Allowed behavior to Let Standard Users Approve.
- Repeat steps 4–6 for any additional services or applications that need standard-user approval.
- Click Create Profile to save it to your Catalog.
After creation, the payload appears under Catalog > Device Settings and can be deployed to an individual device using GoLive or added to a policy for bulk deployment. We always suggest deploying the payload to a test device before pushing it out to an entire policy to verify expected behavior.
Note: If you see errors related to CodeRequirement when saving or deploying the PPPC payload, review the Code Requirement string for typos or formatting issues and correct them before redeploying.
System Settings Behavior for Standard Users
After the PPPC payload is installed, standard users can approve the specified permissions for the apps you configured.
For example, when the payload grants “Let Standard Users Approve” for Screen Recording, the user will see the app listed under System Settings > Privacy & Security > Screen Recording and can enable access by checking the box next to the app.
This approach lets you define exactly which apps standard users may approve while still preventing them from granting high‑risk permissions to unapproved software.
Frequently Asked Questions
Do users still see prompts when “Let Standard Users Approve” is set?
Yes. The user will still be prompted the first time the app requests access, but the PPPC payload determines whether a standard user is allowed to approve or whether macOS blocks that approval.
What happens if a user previously clicked “Don’t Allow”?
If a user denied a PPPC prompt before you deployed the updated payload, you may need to adjust the setting manually on the device or remove and re-install the app so the user can be prompted again. PPPC payloads should be installed prior to the app to work as intended.
Can I instead auto-approve access without user interaction?
For some services, you can configure the PPPC payload to automatically allow access for a trusted app, removing the need for any end-user approval while still controlling which apps receive that access. For Access to Listen Events and Ability to Screen Capture, automatic approval is not available: the only options are to deny access or to let standard users approve it.
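A pre-deployment check for the two failure points this article mentions, the Code Requirement note and the restriction on Screen Capture and Listen Events, as an added example that is not Addigy's code. It assumes the exported profile uses Apple's `com.apple.TCC.configuration-profile-policy` payload keys (`Services`, `ScreenCapture`, `ListenEvent`, `Authorization`, `AllowStandardUserToSetSystemService`); the `com.example.*` identifiers and requirement strings are constructed, and the quote check is a heuristic rather than a full requirement parser.

```python
import plistlib

TCC = "com.apple.TCC.configuration-profile-policy"
# Per the article, a profile can only deny these services or delegate the
# decision to standard users; it cannot pre-approve them.
USER_APPROVAL_ONLY = {"ScreenCapture", "ListenEvent"}
DELEGATE = "AllowStandardUserToSetSystemService"

def lint_pppc(profile: bytes) -> list:
    """Return one finding string per defect in the profile's PPPC entries."""
    findings = []
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                where = f"{service}/{e.get('Identifier', '<no Identifier>')}"
                req = e.get("CodeRequirement", "").strip()
                if not req:
                    findings.append(f"{where}: missing CodeRequirement")
                elif req.count('"') % 2 or "\u201c" in req or "\u201d" in req:
                    # Heuristic: unbalanced or typographic quotes, a common
                    # copy/paste defect in requirement strings.
                    findings.append(f"{where}: CodeRequirement has broken quoting")
                auth = e.get("Authorization")
                if service in USER_APPROVAL_ONLY and auth not in ("Deny", DELEGATE):
                    findings.append(f"{where}: Authorization {auth!r} is not valid here")
    return findings

# Constructed sample, trimmed to the keys the check reads; values are made up.
SAMPLE = plistlib.dumps({"PayloadContent": [{
    "PayloadType": TCC,
    "Services": {
        "ScreenCapture": [
            {"Identifier": "com.example.remotehelp", "Authorization": DELEGATE,
             "CodeRequirement": 'identifier "com.example.remotehelp" and anchor apple generic'},
            {"Identifier": "com.example.recorder", "Authorization": "Allow",
             "CodeRequirement": 'identifier "com.example.recorder and anchor apple generic'},
        ],
        "ListenEvent": [
            {"Identifier": "com.example.hotkeys", "Authorization": DELEGATE,
             "CodeRequirement": ""},
        ],
    },
}]})

if __name__ == "__main__":
    print("\n".join(lint_pppc(SAMPLE)))
```

Running it against an exported profile before deploying to the test device surfaces a malformed requirement string or an `Allow` on Screen Capture before macOS rejects or ignores the entry.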