Privacy Preferences Policy Control

Starting in macOS 10.14, you can allow or deny apps access to certain files used for system administration and to application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. Jamf School can manage these requests using the Privacy Preferences Policy Control payload.
With the new Privacy Preferences Policy Control payload you can control the settings that are displayed in the "Privacy" tab of the "Security & Privacy" pane in System Preferences. The general options are Calendar, Reminders, Photos, Camera, Microphone and Accessibility. The more advanced options are Post Events, System Policy (sysadmin), All Files and Apple Events. Those control communication between applications and what access they have to protected files.
It is important to remember that even if you allow a certain application to access the address book, the application still will not be able to access it if the user disallows it.
You need to specify the bundle identifier of an application as well as its code requirement. This enhances the security of the payload. To fetch the code requirement of an app, execute the following command in the Terminal: "codesign --display -r - /Applications/".
The output shows the value to use on the line starting with "designated":
designated => (anchor apple generic and certificate leaf[field.1.2.840.113635.] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.] /* exists */ and certificate leaf[field.1.2.840.113635.] /* exists */ and certificate leaf[subject.OU] = "5Q42VF5GXA") and identifier “”
This way only the specified app can access certain services, and an application faking the identifier wouldn't be able to. You can still leave the code requirement empty, but that could impact security.
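A pre-flight check for the value described above, as an added example (not Jamf's or Apple's code): it pulls the designated requirement out of codesign output and rejects one that is empty, not anchored to Apple, or names a different identifier. The bundle identifier, team ID and sample output are constructed, and the three checks are this example's own rules.

```sh
#!/bin/sh
# Added example: lint a designated requirement before using it in the payload.

# Constructed sample of `codesign --display -r -` output (not from a real app).
sample_output() {
    cat <<'EOF'
Executable=/Applications/Notes Example.app/Contents/MacOS/Notes Example
designated => identifier "com.example.notes" and anchor apple generic and certificate leaf[subject.OU] = "EXAMPLE123"
EOF
}

# Read codesign output on stdin; print the text after "designated => ".
extract_requirement() {
    sed -n 's/^designated => //p' | head -n 1
}

# check_requirement BUNDLE_ID REQUIREMENT
# Returns 0 when usable, 1 when empty, 2 when not anchored to Apple,
# 3 when the requirement does not name BUNDLE_ID (rules chosen for this example).
check_requirement() {
    bundle_id=$1
    req=$2
    if [ -z "$req" ]; then
        echo "empty requirement: the app would be matched by identifier alone" >&2
        return 1
    fi
    case $req in
        *"anchor apple"*) ;;
        *) echo "no 'anchor apple' clause: signature is not tied to Apple's chain" >&2
           return 2 ;;
    esac
    case $req in
        *"identifier \"$bundle_id\""*) ;;
        *) echo "requirement does not name identifier $bundle_id" >&2
           return 3 ;;
    esac
    return 0
}

# Demo on the constructed sample; on a Mac, pipe the real codesign output in.
req=$(sample_output | extract_requirement)
if check_requirement "com.example.notes" "$req"; then
    printf 'code requirement: %s\n' "$req"
fi
```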