Starting in macOS Big Sur (11), standard (non-admin) users can no longer approve certain sensitive permissions — such as Screen Recording and Listen Events — directly in Privacy & Security settings. This article explains how to configure a PPPC Device Setting in Addigy to allow standard users to approve specific app permissions without granting them administrator rights.
Overview
PPPC controls macOS privacy permissions for protected resources such as Screen Recording, Microphone, Accessibility, and Listen Events. Prior to macOS Big Sur, standard users could approve these permissions themselves. Beginning with macOS 11, macOS blocks standard users from approving certain sensitive permissions, which can prevent required app functionality from working.
By deploying a PPPC Device Setting from Addigy with the Let Standard Users Approve setting, you can explicitly delegate approval rights for specific apps and services — giving standard users the ability to grant access when prompted, while retaining control over which apps are eligible.
How to Configure PPPC for Standard Users
- Navigate to Catalog > Device Settings and click New.
- Select Privacy Preferences Policy Control (PPPC) from the settings list.
- Enter a descriptive Payload Name (e.g.,
PPPC – Screen Recording – Standard User Approval). - Locate the permission type you want to configure (e.g., Ability to Screen Capture or Access to Listen Events).
- Click Add New and enter the app's Identifier (Bundle ID or Team ID) and Code Requirement.
- If using a Team ID, change the Identifier Type dropdown to Team ID.
- Set the Allowed behavior to Let Standard Users Approve.
- Repeat steps 4–6 for any additional services or applications that need standard-user approval.
- Click Create Profile, then assign it to the appropriate policy.
Note: If you see a
CodeRequirementerror when saving or deploying the Device Setting, check the Code Requirement string for typos or formatting issues. See Error: The Key 'CodeRequirement' Has An Invalid Value for guidance.
Best practice: Deploy the Device Setting to a test device before pushing it to an entire policy to verify expected behavior. The PPPC Device Setting should also be deployed before the app is installed — if a user has already denied a permission prompt, see the FAQ below.
End User Experience
After the Device Setting is installed, the app will appear in System Settings > Privacy & Security under the relevant permission category (e.g., Screen Recording). The standard user can enable access by toggling the switch next to the app. They will still see a prompt the first time the app requests access — the payload controls whether macOS allows them to approve it, not whether the prompt appears.
Frequently Asked Questions
What happens if a user previously clicked "Don't Allow"?
If a user denied a PPPC prompt before the payload was deployed, the permission may be stuck in a denied state. To resolve this, you may need to manually adjust the setting on the device, or remove and reinstall the app so the user is prompted again. This is why deploying the PPPC Device Setting before the app is recommended.
Can I auto-approve access without any user interaction?
Yes, for most services you can set the Allowed behavior to Allow to silently grant access without requiring any end-user approval. However, Access to Listen Events and Ability to Screen Capture are exceptions — for these services, macOS only permits deny or standard-user approval; silent allow is not supported.