Configuring a Privacy Preferences Policy Control Profile for macOS

On macOS 10.14 or later, you can allow apps to access certain files used for system administration, and allow access to application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. Jamf School can manage these requests using the Privacy Preferences Policy Control payload.

With the Privacy Preferences Policy Control payload, you can control the settings displayed in System Preferences > Security & Privacy > Privacy. The general options are Calendar, Reminders, Photos, Camera, Microphone, and Accessibility. The more advanced options are Post Events, System Policy (sysadmin), All Files, and Apple Events. These control communication between applications and the access they have to protected files.

It is important to remember that even if you allow a certain application to access the address book, the application will still not be able to access the address book if the user disallows it.

When configuring the Privacy Preferences Policy Control payload, you need to specify the bundle identifier of an application as well as its code requirement. The code requirement ties the policy to the signed application rather than to the identifier alone, which enhances the security of the payload. To fetch the code requirement of an app, execute the following command in Terminal: codesign -display -r - /Applications/NameOfThe.app/

In the output, the value following "designated =>" is the code requirement to enter in the payload:

Executable=/Applications/NameOfThe.app/Contents/MacOS/NameOfThe
designated => (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5Q42VF5GXA") and identifier "name.of.the.app.mac"

This way only the specified app can access the listed services; an application that merely fakes the bundle identifier does not satisfy the code requirement and therefore gets no access.
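As an added illustration (not Jamf School's own code), the following Python script parses the codesign output shown above and assembles the com.apple.TCC.configuration-profile-policy payload that an MDM delivers. The sample codesign output, the team ID and the bundle identifier are constructed placeholders; the script also refuses to mark Camera or Microphone as allowed, since the PPPC payload can only deny those two services.

```python
import re
import plistlib

# Constructed sample of `codesign -display -r - /Applications/NameOfThe.app/`
# output, shaped like the page's example (team ID and identifier are placeholders).
SAMPLE_CODESIGN_OUTPUT = """Executable=/Applications/NameOfThe.app/Contents/MacOS/NameOfThe
designated => (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5Q42VF5GXA") and identifier "name.of.the.app.mac"
"""

# Services the PPPC payload can only deny, never allow.
DENY_ONLY_SERVICES = {"Camera", "Microphone"}


def parse_codesign(output):
    """Return (bundle_identifier, designated_requirement) from codesign -r - output."""
    requirement = None
    for line in output.splitlines():
        if line.startswith("designated => "):
            requirement = line[len("designated => "):].strip()
    if requirement is None:
        raise ValueError("no designated requirement in codesign output")
    match = re.search(r'identifier "([^"]+)"', requirement)
    if not match:
        raise ValueError("designated requirement has no identifier clause")
    return match.group(1), requirement


def build_pppc_payload(codesign_output, services):
    """services maps a PPPC service name (e.g. "Calendar") to True (allow) or False (deny).

    Returns the payload dictionary; the MDM wraps it with PayloadUUID etc.
    """
    bundle_id, requirement = parse_codesign(codesign_output)
    payload_services = {}
    for service, allowed in services.items():
        if allowed and service in DENY_ONLY_SERVICES:
            raise ValueError(f"{service} can only be denied through PPPC, not allowed")
        # Binding both the bundle ID and the code requirement means an app that
        # only spoofs the identifier does not match the policy.
        payload_services[service] = [{
            "Identifier": bundle_id,
            "IdentifierType": "bundleID",
            "CodeRequirement": requirement,
            "Allowed": allowed,
        }]
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "Services": payload_services}


def to_plist_xml(payload):
    """Serialise the payload as XML plist text for inspection or upload."""
    return plistlib.dumps(payload).decode()
```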

© copyright 2002-2019 Jamf. All rights reserved.