With the release of macOS Catalina 10.15, Apple added a few more security enhancements around user data protection and privacy. With these enhancements, macOS prompts for the user's consent before an application or process can access specific data. If the user does not consent to the data access, the application or process might fail to function.

The Privacy Preferences Control profile allows you to manage data access consent on behalf of the user on macOS 10.14 and later devices. Through the Privacy Preferences Control profile, you can allow or disallow an application's request to access various macOS services. For example, if an application requests access to a user's Calendar data, you can allow or deny the request.

Note: The profile can only be delivered to devices that are User Approved MDM Enrolled and running macOS 10.14 or later. If the profile is installed before a device is upgraded, the settings cannot apply. Create a Smart Group for macOS 10.14 and later devices and assign the profile to it, so that devices automatically pick up the profile on upgrade.

Procedure

  1. Navigate to Resources > Profiles & Baselines > Profiles and select Add. Select Apple macOS, and then select Device Profile.
  2. Configure the profile's General settings.
  3. Select the Privacy Preferences payload.
  4. Select Add App to define the application or the process and configure the following settings.
    Setting: Description

    Identifier: Enter the bundle ID or installation path of the application or process.

    Identifier Type: Select the identifier type, either Bundle ID or Path. Application bundles are identified by bundle ID; non-bundled applications are identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing application bundle.

    Code Requirement: Enter the designated requirement displayed by running the following command:

        codesign --display -r - /path/to/app/binary

    Static Code Validation: If enabled, the process or application statically validates the code requirement. Enable this feature only if the process invalidates its dynamic code signature.

    Comment: Enter notes for your own use. This is not used by macOS.

    Services: The following services offered by Apple can be pre-configured in this profile. If there are conflicting configurations, the most restrictive setting (deny) is used.

      Address Book: Allow or disallow access to the contact information managed by Contacts.app.
      Calendar: Allow or disallow access to the calendar information managed by Calendar.app.
      Reminders: Allow or disallow access to the reminders information managed by Reminders.app.
      Photos: Allow or disallow access to the pictures managed by Photos.app in ~/Pictures/.photoslibrary.
      Camera: Access to the camera cannot be given in a profile; it can only be denied.
      Microphone: Access to the microphone cannot be given in a profile; it can only be denied.
      Accessibility: Allow or disallow the application to control the system through the Accessibility subsystem.
      Post Event: Allow or disallow the application to use the CoreGraphics APIs to send CGEvents to the system event stream.
      System Policy All Files: Allow or disallow the application access to all protected files.
      System Policy Sys Admin Files: Allow or disallow the application access to some files used in system administration.
      File Provider Presence (macOS 10.15): Allows the application to access documents and directories that are stored and managed by another application's File Provider extension.
      Listen Event (macOS 10.15): Allows the application to monitor events from input devices such as the mouse, keyboard, and trackpad.
      Media Library (macOS 10.15): Allows the application to access the user's collection of images, audio, and video from media sources such as iTunes or Aperture.
      Screen Capture (macOS 10.15): Allows the application to capture and record the contents of the screen.
      Speech Recognition (macOS 10.15): Allows the application to use speech recognition capabilities.
      System Policy Desktop Folder (macOS 10.15): Allows the application to access files on the Desktop.
      System Policy Documents Folder (macOS 10.15): Allows the application to access files in the Documents folder.
      System Policy Downloads Folder (macOS 10.15): Allows the application to access files in the Downloads folder.
      System Policy Network Volumes (macOS 10.15): Allows the application to access files on network volumes.
      System Policy Removable Volumes (macOS 10.15): Allows the application to access files on removable volumes.
      Apple Events: Allow or disallow the application to send a restricted Apple event to another process. You can add multiple Apple events for an application.

    Receiver Identifier: Enter the identifier of the process or application that receives an Apple event sent by the Identifier process. It is required only for the Apple Events service and is not valid for other services.

    Receiver Identifier Type: Enter the type of the Apple event receiver identifier value. Must be either bundleID or path. It is required only for the Apple Events service and is not valid for other services.

    Receiver Code Requirement: Enter the code requirement for the receiving application. It is required only for the Apple Events service and is not valid for other services.

    Note: The Receiver Code Requirement is found using the same method as the Code Requirement for the app or service you are defining in the profile.
  5. Select Save.
  6. Navigate back to the Privacy Preferences Control payload's default page to view the list of applications to which the payload policies apply.
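As an added example (not Workspace ONE UEM or Apple code), the following Python extracts the designated requirement from codesign output and assembles the Services dictionary of a Privacy Preferences payload while enforcing the constraints in the table above: Camera and Microphone can only be denied, receiver fields are required for Apple Events and invalid elsewhere, identifier types are bundleID or path, and conflicting entries for the same target resolve to deny. The dictionary keys follow Apple's com.apple.TCC.configuration-profile-policy payload; the rule-dict field names and the sample codesign output are constructed for this example.

```python
import re

DENY_ONLY = {"Camera", "Microphone"}  # a profile can only deny these, never allow
RECEIVER = ("receiver_identifier", "receiver_identifier_type", "receiver_code_requirement")

# Constructed sample of what `codesign --display -r - /path/to/app/binary` prints.
CODESIGN_SAMPLE = ('Executable=/Applications/Example.app/Contents/MacOS/Example\n'
                   'designated => identifier "com.example.app" and anchor apple generic\n')


def designated_requirement(codesign_output):
    """Return the string to enter as Code Requirement: the 'designated =>' line."""
    m = re.search(r"^designated => (.+)$", codesign_output, re.M)
    if not m:
        raise ValueError("codesign output has no designated requirement")
    return m.group(1).strip()


def build_services(rules):
    """Turn rule dicts into the payload's Services dictionary, enforcing the
    constraints this page states and resolving conflicting entries to deny."""
    services = {}
    for r in rules:
        svc, allowed = r["service"], r["allowed"]
        if r["identifier_type"] not in ("bundleID", "path"):
            raise ValueError(f"{svc}: identifier type must be bundleID or path")
        if svc in DENY_ONLY and allowed:
            raise ValueError(f"{svc}: access cannot be given in a profile, only denied")
        has_receiver = all(k in r for k in RECEIVER)
        if (svc == "AppleEvents") != has_receiver:
            raise ValueError(f"{svc}: receiver fields are required for AppleEvents only")
        entry = {"Identifier": r["identifier"], "IdentifierType": r["identifier_type"],
                 "CodeRequirement": r["code_requirement"], "Allowed": allowed,
                 "StaticCode": r.get("static_code", False), "Comment": r.get("comment", "")}
        if has_receiver:
            if r["receiver_identifier_type"] not in ("bundleID", "path"):
                raise ValueError("AppleEvents: receiver identifier type must be bundleID or path")
            entry.update(AEReceiverIdentifier=r["receiver_identifier"],
                         AEReceiverIdentifierType=r["receiver_identifier_type"],
                         AEReceiverCodeRequirement=r["receiver_code_requirement"])
        key = (entry["Identifier"], entry.get("AEReceiverIdentifier"))
        bucket = services.setdefault(svc, [])
        dup = next((e for e in bucket if (e["Identifier"], e.get("AEReceiverIdentifier")) == key), None)
        if dup:  # conflicting configuration for the same target: deny wins
            dup["Allowed"] = dup["Allowed"] and allowed
        else:
            bucket.append(entry)
    return services
```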