When you install and run an application for the first time, you are met with a series of pop-ups requesting permission to access resources or data stored on your device. For example, when you install a social media app, the app may request permission to access the device’s camera, microphone and location.
This way, most apps ask for permissions that are required for them to function properly. Some apps may request permissions that are not necessary for their operation in any way. This opens the door for data breaches and vulnerabilities. This is a serious issue that must be addressed, both from a personal and organizational standpoint.
It’s known that organizations using Unified Endpoint Management (UEM) solutions like Hexnode, can remotely manage app deployment on Macs. What about the remote management of app permissions?
This is where Apple’s Privacy Preferences Policy Control or PPPC payload comes in handy.
What is Privacy Preferences Policy Control and why is it important?
PPPC is a privacy feature introduced for Macs running macOS 10.14 or later. This feature allows users to see what data each app has access to on their Mac device.
The main highlight of this feature is that all these settings can be controlled using a UEM via a configuration profile. Permissions for each app in a device can be sent as Configuration profiles. Single or multiple profiles can be sent to restrict an app’s access to data. When contradictory profiles are applicable applied to the same app, the more restrictive profile prevails.
With the introduction of PPPC, IT admins’ job of remote app management and configuration has become much easier. When a certain app is pushed to a Mac device, the permissions can also be sent to the device so that the app will require zero intervention from the end-user for the initial setup.
When end-users configure app permissions, they typically allow all permissions, even if some of them are unnecessary. This practice can be abused and used to obtain personal information.
PPPC is a powerful feature from a security standpoint. IT administrators can control which apps have access to resources on a Mac. This helps organizations ensure that no apps have access to data that isn’t required.
Permissions that are configurable using Privacy Preferences Policy Control
| Setting | Description |
| Accessibility | Specify whether an app can control the Mac device using the Accessibility APIs. |
| Apple Events | Specify whether or not an app can send restricted Apple events to another process. |
| Calendar | Specify whether or not an app can access the events information stored by the Calendar app. |
| Camera | Can deny an app’s access to Camera services on the device. |
| Contacts | Specify whether or not an app can access the contact information stored by the Contacts app. |
| Desktop Folder | Specify whether or not an app can access the files in the Desktop folder. |
| Documents Folder | Specify whether or not an app can access the files in the Documents folder. |
| Downloads Folder | Specify whether or not an app can access the files in the Downloads folder. |
| File Provider Presence | Specify whether or not a File provider app to access the knowledge of when a user uses a file managed by File provider. |
| Input devices | Specify whether or not an app can access the input devices of the system. |
| Media library | Specify whether or not an app can access Apple Music, music and video activity, and the media library. |
| Microphone | Can deny an app’s access to use Microphone. |
| Network volumes | Specify whether or not an app can access the files in the Network volumes. |
| Photos | Specify whether or not an app can access the photos in the Photo Library. |
| Post Event | Specify whether or not an app can use CoreGraphics APIs to send CGEvents to the system event stream. |
| Reminders | Control an app’s access to data stored on Reminders. |
| Removable volumes | Specify whether or not an app can access the files in Removable volumes. |
| Screen recording | Can deny an apps’s access to capture the contents of the device display. |
| Speech recognition | Specify whether or not an app can use the Speech Recognition of the system. |
| System Policy All Files | Specify whether or not an app can access all the protected files in the device (includes access to other apps like Mail, Safari, etc and app data as well). |
| System Policy administrator files | Specify whether or not an app can access the System admin files on the device. |
Figuring out the permissions required by an app
With the PPPC payload feature, you can configure a lot of permissions, but not all apps need all these permissions. You can find out what all permissions are necessary for an app by performing a small sample use of the app.
- In a test Mac device or even a virtual device install the required app.
- Run the app on the device and find out all the permissions requested by the app.
- In System Preferences, go to Security and Privacy preference and select the Privacy tab.
- If prompted, give the admin credentials and go through each option in the list. If the app is listed in an option, it means that the app requires that function to perform without any hiccups.
After the necessary permissions are figured out for an app, the permissions can be configured properly and easily.
How to configure PPPC
The PPPC settings under the Privacy tab in System Preferences –> Security and Privacy can be configured either manually or remotely using a UEM solution like Hexnode.
Configuring PPPC settings using Hexnode is a very simple process. For this, first, a Policy has to be created, where the configuration for each feature like Camera, microphone, etc. is specified.
Featured resource
Hexnode Mac management
Managing the large fleet of enterprise Mac devices can be tedious without an effective device management solution. Download the datasheet to learn more about Hexnode’s Mac-specific management strategies.
Download datasheetOnce the policy is created, the policy can then be associated with the target device/devices. Using a single policy, the PPPC configuration of either single or multiple apps can be done.
PPPC features that can be setup using Hexnode
| Feature | Default | Deny | Allow |
| Accesibility | ✅ | ✅ | ✅ |
| All files | ✅ | ✅ | ✅ |
| Calendar | ✅ | ✅ | ✅ |
| Camera | ✅ | ✅ | ❌ |
| Contacts | ✅ | ✅ | ✅ |
| Desktop folder | ✅ | ✅ | ✅ |
| Documents folder | ✅ | ✅ | ✅ |
| Downloads folder | ✅ | ✅ | ✅ |
| Media Library | ✅ | ✅ | ✅ |
| Microphone | ✅ | ✅ | ❌ |
| Network volumes | ✅ | ✅ | ✅ |
| Photos | ✅ | ✅ | ✅ |
| Reminders | ✅ | ✅ | ✅ |
| Removable volumes | ✅ | ✅ | ✅ |
| Screen recording | ✅ | ✅ | Let User authorize |
| Speech recognition | ✅ | ✅ | ✅ |
| System admin files | ✅ | ✅ | ✅ |
Privacy Preferences Policy Control or PPPC is useful for enterprises that want to secure end-user data by limiting the personal/confidential info. exposed by apps installed on Macs. PPPC is particularly effective for remote app administration because app permissions can be specified remotely, reducing user intervention during the initial setup.
Sign up for a free trial
Sign up for a 14-day free trial with Hexnode and explore the Mac device management features with Hexnode.
Sign up
Share your thoughts