The Privacy Preferences payload is designated by specifying com.apple.TCC.configuration-profile-policy as the PayloadType value.
It controls the settings that are displayed in the "Privacy" tab of the "Security & Privacy" pane in System Preferences.
This profile must be delivered via a user-approved MDM server.
Availability: Available in macOS 10.14 and later.
In addition to the settings common to all payloads, this payload defines this key:

Key | Type | Value |
---|---|---|
Services | Dictionary | Keys are limited to the privacy service names listed below. Each key is an array of dictionaries describing the app or process to which access is given. In the case of conflicting specifications, the most restrictive setting (deny) will be used. |

Key | Type | Value |
---|---|---|
AddressBook | Array of Identity Dictionaries | Contact information managed by Contacts.app. |
Calendar | Array of Identity Dictionaries | Calendar information managed by Calendar.app. |
Reminders | Array of Identity Dictionaries | Reminders information managed by Reminders.app. |
Photos | Array of Identity Dictionaries | Pictures managed by Photos.app in ~/Pictures/.photoslibrary. |
Camera | Array of Identity Dictionaries | A system camera. Access to the camera cannot be given in a profile; it can only be denied. |
Microphone | Array of Identity Dictionaries | A system microphone. Access to the microphone cannot be given in a profile; it can only be denied. |
Accessibility | Array of Identity Dictionaries | Control the application via the Accessibility subsystem. |
PostEvent | Array of Identity Dictionaries | Allows the application to use CoreGraphics APIs to send CGEvents to the system event stream. |
SystemPolicyAllFiles | Array of Identity Dictionaries | Allows the application access to all protected files. |
SystemPolicySysAdminFiles | Array of Identity Dictionaries | Allows the application access to some files used in system administration. |
AppleEvents | Array of Identity Dictionaries | Allows the application to send a restricted AppleEvent to another process. |

Each Identity Dictionary has these keys:

Key | Type | Value |
---|---|---|
Identifier | String | The bundle ID or installation path of the binary. |
IdentifierType | String | The type of Identifier value. Must be either bundleID or path. Application bundles should be identified by bundle ID. Non-bundled binaries must be identified by installation path. Helper tools embedded within an application bundle will automatically inherit the permissions of their enclosing app bundle. |
CodeRequirement | String | Obtained via the command "codesign --display -r- app_path". |
StaticCode | Boolean | Optional. If set to true, statically validate the code requirement. Used only if the process invalidates its dynamic code signature. Defaults to false. |
Allowed | Boolean | If set to true, access is granted. Otherwise the process does not have access. The user is not prompted and cannot change this value. |
AEReceiverIdentifier | String | Optional. The identifier of the process receiving an AppleEvent sent by the Identifier process. Required for AppleEvents service; not valid for other services. |
AEReceiverIdentifierType | String | Optional. The type of AEReceiverIdentifier value. Must be either bundleID or path. Required for AppleEvents service; not valid for other services. |
AEReceiverCodeRequirement | String | Optional. Code requirement for the receiving binary. Required for AppleEvents service; not valid for other services. |
Comment | String | Not used |
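
The rules in the two tables can be checked mechanically before a profile is deployed. The following is an added example, not Apple's code: `lint_services`, `effective_access`, `_ident` and the sample bundle IDs are hypothetical names, and the input is a Services dictionary already parsed into a Python dict.

```python
# Service names and key rules come from the two tables above.
SERVICES = {"AddressBook", "Calendar", "Reminders", "Photos", "Camera",
            "Microphone", "Accessibility", "PostEvent", "SystemPolicyAllFiles",
            "SystemPolicySysAdminFiles", "AppleEvents"}
DENY_ONLY = {"Camera", "Microphone"}
# Assumption: keys the table does not mark Optional are treated as required.
REQUIRED = ("Identifier", "IdentifierType", "CodeRequirement", "Allowed")
AE_KEYS = ("AEReceiverIdentifier", "AEReceiverIdentifierType",
           "AEReceiverCodeRequirement")

def lint_services(services):
    """Return rule violations found in a Services dictionary."""
    problems = []
    for service, identities in services.items():
        if service not in SERVICES:
            problems.append(f"{service}: not a listed privacy service")
            continue
        for i, ident in enumerate(identities):
            where = f"{service}[{i}]"
            problems += [f"{where}: missing {k}" for k in REQUIRED if k not in ident]
            if ident.get("IdentifierType") not in ("bundleID", "path"):
                problems.append(f"{where}: IdentifierType must be bundleID or path")
            if service in DENY_ONLY and ident.get("Allowed") is True:
                problems.append(f"{where}: {service} can only be denied")
            for k in AE_KEYS:  # required for AppleEvents, invalid elsewhere
                if (service == "AppleEvents") != (k in ident):
                    problems.append(f"{where}: {k} is for AppleEvents only")
    return problems

def effective_access(services, service, identifier, receiver=None):
    """Conflicting entries resolve to the most restrictive setting (deny)."""
    hits = [d.get("Allowed") is True for d in services.get(service, [])
            if d.get("Identifier") == identifier
            and d.get("AEReceiverIdentifier") == receiver]
    return all(hits) if hits else None  # None: the profile says nothing

def _ident(bundle_id, allowed, **extra):
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": f'identifier "{bundle_id}" and anchor apple generic',
            "Allowed": allowed, **extra}

# Constructed sample: bundle IDs and code requirements are placeholders.
SAMPLE = {
    "Camera": [_ident("com.example.meet", True)],
    "SystemPolicyAllFiles": [_ident("com.example.backup", True),
                             _ident("com.example.backup", False)],
    "Photos": [_ident("com.example.edit", True, AEReceiverIdentifier="com.example.rx")],
}
```

On the sample, `lint_services` flags the Camera grant and the stray AEReceiverIdentifier under Photos, and `effective_access` resolves the two conflicting SystemPolicyAllFiles entries to deny.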