Skip to main content

Managing macOS Privacy Preferences (PPPC) with Swif

Updated over 2 weeks ago

macOS 10.14+ introduces a system-wide privacy layer (“TCC”) that requires user consent before apps may access protected services (Camera, Microphone, Calendar, Desktop Folder, etc.). Swif’s Privacy Preferences Policy lets you centrally manage these settings and pre‑approve or block specific apps, eliminating end‑user prompts.

Prerequisites

  • Devices must be running macOS 10.14 or later.

  • Devices must be supervised and enrolled via MDM (Swif Installer).

  • Swif Agent v1.XXX+ installed and connected.

Creating a Privacy Preferences Policy

  1. Go to Device Management > Policies, then click Create New Policy.

  2. Select Privacy Preferences Policy from the policy list and click Continue.

  3. Enter a Policy Name (e.g. “Privacy Preferences Policy”) and an optional Policy Description.

  4. Under Settings, you’ll see a list of all macOS privacy services:

    • Accessibility

    • Address Book

    • Apple Events

    • Bluetooth Always

    • Calendar

    • Camera

    • File Provider Presence

    • Listen Event

    • Media Library

    • Microphone

    • Photos

    • Post Event

    • Reminders

    • Screen Capture

    • Speech Recognition

    • System Policy All Files

    • System Policy App Bundles

    • System Policy App Data

    • System Policy Desktop Folder

    • System Policy Documents Folder

    • System Policy Downloads Folder

    • System Policy Network Volumes

    • System Policy Removable Volumes

    • System Policy SysAdmin Files

Configuring Code Requirement

You can use the following command to fill in the Code Requirement section in the Policy.

codesign -display -r - {{APP_PATH}}

Configuring a Service

For each service you want to manage:

  1. Click the green + Add button next to the service.

  2. In the Add Privacy Preference dialog:

    • Application: Enter the app’s bundle identifier (e.g. com.apple.Safari) or click Browse to upload a custom .app bundle.

    • Access Type: Choose one of:

      • Allow – Pre‑approve without prompting.

      • Allow with Standard Prompt – Let macOS show its standard “Allow/Don’t Allow” prompt.

      • Deny – Block access permanently.

    • Minimum OS (optional): Specify the earliest macOS version this rule applies to (e.g. 10.15).

  3. Click Save to return to the Settings list.

Repeat for each app + service combination your organization requires.

Example: Allow Zoom to Use Camera & Microphone

Service

Bundle ID

Access Type

Minimum OS

Camera

us.zoom.xos

Allow

10.14

Microphone

us.zoom.xos

Allow

10.14

  1. Click + Add beside Camera → specify us.zoom.xos, select Allow, set 10.14, Save.

  2. Repeat under Microphone.

Deploying the Policy

  1. After adding all desired settings, click Continue.

  2. Select Devices or Device Groups to target.

  3. Click Review, then Create Policy.

Devices will receive the new PPPC profile on their next check‑in, and the specified apps will be whitelisted or blocked accordingly—without any further user interaction.

Verifying PPPC Settings via MDMOverrides.plist

When you deploy a Privacy Preferences Policy Control (PPPC) with Swif, the settings no longer appear in System Preferences > Security & Privacy > Privacy for end users. Instead, macOS enforces them directly via the MDMOverrides database.

To confirm your PPPC rules on a device:

  1. Open Terminal

  2. Grant Terminal Full Disk Access (System Preferences → Security & Privacy → Privacy → Full Disk Access)

    Without Full Disk Access (or the broader SystemPolicyAllFiles entitlement), you’ll see:

    Error Reading File: /Library/Application Support/com.apple.TCC/MDMOverrides.plist

  3. Run the following command:

    sudo /usr/libexec/PlistBuddy -c "print" "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

    This will dump all of the PPPC entries currently managed by MDM.

Why it's hidden in System Preferences
Apple routes MDM-managed PPPC entries through MDMOverrides.plist , so end users cannot tamper with them in the Privacy UI. By reading this file directly, you can audit exactly which apps and services have been granted (or denied) access under your Swif policy.

What's displayed in System Preferences > Security & Privacy > Privacy are only the decisions end users made with prompts presented to them, and not settings pushed via Profiles. It's essentially displaying the values that are stored in the TCC databases that can be found at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db

Troubleshooting

  • Policy Not Applying?

    • Ensure the device is supervised and re‑enrolled if necessary.

    • Verify the bundle identifier exactly matches the app’s Info.plist.

    • Check in Profiles on the Mac ( > System Settings > Privacy & Security > Profiles) that the Swif PPPC profile is installed.

  • “Prompt” Still Appearing?

    • If you chose Allow with Standard Prompt, macOS will always prompt first. Switch to Allow for silent approval.

  • Managing Native vs. Custom Apps

    • Built‑in Apple apps (Calendar, Photos) can be managed by specifying their system bundle IDs (e.g. com.apple.Calendar).

By centrally defining your macOS privacy‑preference rules in Swif, you can eliminate help‑desk tickets and ensure consistent, secure behavior across your fleet.

Related Articles
Deploying Swif Silently on Mac/macOS Machines
Managing BYOD Enrollment for macOS in Swif
Configuring macOS Dock Policies in Swif
Enforcing Google SSO at macOS Login with Swif
Enforcing Okta SSO at macOS Login with Swif
Did this answer your question?