macOS 10.14+ introduces a system-wide privacy layer (“TCC”) that requires user consent before apps may access protected services (Camera, Microphone, Calendar, Desktop Folder, etc.). Swif’s Privacy Preferences Policy lets you centrally manage these settings and pre‑approve or block specific apps, eliminating end‑user prompts.
Prerequisites
Devices must be running macOS 10.14 or later.
Devices must be supervised and enrolled via MDM (Swif Installer).
Swif Agent v1.XXX+ installed and connected.
Creating a Privacy Preferences Policy
Go to Device Management > Policies, then click Create New Policy.
Select Privacy Preferences Policy from the policy list and click Continue.
Enter a Policy Name (e.g. “Privacy Preferences Policy”) and an optional Policy Description.
Under Settings, you’ll see a list of all macOS privacy services:
Accessibility
Address Book
Apple Events
Bluetooth Always
Calendar
Camera
File Provider Presence
Listen Event
Media Library
Microphone
Photos
Post Event
Reminders
Screen Capture
Speech Recognition
System Policy All Files
System Policy App Bundles
System Policy App Data
System Policy Desktop Folder
System Policy Documents Folder
System Policy Downloads Folder
System Policy Network Volumes
System Policy Removable Volumes
System Policy SysAdmin Files
Configuring Code Requirement
You can use the following command to fill in the Code Requirement section in the Policy.
codesign --display -r - "{{APP_PATH}}"
Configuring a Service
For each service you want to manage:
Click the green + Add button next to the service.
In the Add Privacy Preference dialog:
Application: Enter the app’s bundle identifier (e.g. com.apple.Safari) or click Browse to upload a custom .app bundle.
Access Type: Choose one of:
Allow – Pre‑approve without prompting.
Allow with Standard Prompt – Let macOS show its standard “Allow/Don’t Allow” prompt.
Deny – Block access permanently.
Minimum OS (optional): Specify the earliest macOS version this rule applies to (e.g. 10.15).
Click Save to return to the Settings list.
Repeat for each app + service combination your organization requires.
Example: Allow Zoom to Use Camera & Microphone
Service | Bundle ID | Access Type | Minimum OS |
Camera | us.zoom.xos | Allow | 10.14 |
Microphone | us.zoom.xos | Allow | 10.14 |
Click + Add beside Camera → specify us.zoom.xos, select Allow, set 10.14, Save.
Repeat under Microphone.
Deploying the Policy
After adding all desired settings, click Continue.
Select Devices or Device Groups to target.
Click Review, then Create Policy.
Devices will receive the new PPPC profile on their next check‑in, and the specified apps will be whitelisted or blocked accordingly—without any further user interaction.
Verifying PPPC Settings via MDMOverrides.plist
When you deploy a Privacy Preferences Policy Control (PPPC) with Swif, the settings no longer appear in System Preferences > Security & Privacy > Privacy for end users. Instead, macOS enforces them directly via the MDMOverrides database.
To confirm your PPPC rules on a device:
Open Terminal
Grant Terminal Full Disk Access (System Preferences → Security & Privacy → Privacy → Full Disk Access)
Without Full Disk Access (or the broader SystemPolicyAllFiles entitlement), you’ll see:
Error Reading File: /Library/Application Support/com.apple.TCC/MDMOverrides.plist
Run the following command:
sudo /usr/libexec/PlistBuddy -c "print" "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"
This will dump all of the PPPC entries currently managed by MDM.
Why it's hidden in System Preferences
Apple routes MDM-managed PPPC entries through MDMOverrides.plist, so end users cannot tamper with them in the Privacy UI. By reading this file directly, you can audit exactly which apps and services have been granted (or denied) access under your Swif policy.
System Preferences > Security & Privacy > Privacy shows only the decisions end users made in response to prompts, not settings pushed via profiles. It essentially displays the values stored in the TCC databases at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db.
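To turn the MDMOverrides.plist dump into a repeatable audit, the following added example (not Swif's or Apple's code) parses the file with Python's plistlib and reports where a device differs from the intended policy. The plist layout, the bundle IDs and the EXPECTED table are assumptions constructed for illustration; compare the layout with the PlistBuddy output from your own devices before relying on it.

```python
import plistlib

# Constructed sample in the ASSUMED layout (identifier -> kTCCService<Name> ->
# rule dict with "Allowed" and "CodeRequirement"); not captured from a device.
SAMPLE = plistlib.dumps({
    "com.example.backup": {
        "kTCCServiceSystemPolicyAllFiles": {
            "Allowed": True, "IdentifierType": "bundleID",
            "CodeRequirement": 'identifier "com.example.backup" and anchor apple generic',
        },
    },
    "com.example.recorder": {
        "kTCCServiceScreenCapture": {
            "Allowed": False, "IdentifierType": "bundleID",
            "CodeRequirement": 'identifier "com.example.recorder" and anchor apple generic',
        },
        "kTCCServiceAccessibility": {"Allowed": True, "CodeRequirement": ""},
    },
})

# Intended policy: (bundle ID, service) -> True for Allow, False for Deny.
EXPECTED = {
    ("com.example.backup", "SystemPolicyAllFiles"): True,
    ("com.example.recorder", "ScreenCapture"): False,
    ("com.example.backup", "Accessibility"): True,  # configured, never delivered
}

def load_overrides(raw):
    """Flatten plist bytes (XML or binary) into {(bundle_id, service): rule}."""
    rules = {}
    for ident, services in plistlib.loads(raw).items():
        for key, rule in services.items():
            rules[(ident, key.replace("kTCCService", "", 1))] = rule
    return rules

def audit(raw, expected):
    """Return sorted findings where the device differs from the intended policy."""
    actual, findings = load_overrides(raw), []
    for key, rule in actual.items():
        if key not in expected:
            findings.append(("unexpected", *key))
        elif rule.get("Allowed") != expected[key]:
            findings.append(("mismatch", *key))
        if rule.get("Allowed") and not rule.get("CodeRequirement"):
            findings.append(("allow-without-code-requirement", *key))
    return sorted(findings + [("missing", *k) for k in expected if k not in actual])

if __name__ == "__main__":
    print(*audit(SAMPLE, EXPECTED), sep="\n")
```

On a Mac, read /Library/Application Support/com.apple.TCC/MDMOverrides.plist as root from a process with Full Disk Access and pass the bytes to audit() in place of SAMPLE.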
Troubleshooting
Policy Not Applying?
Ensure the device is supervised and re‑enrolled if necessary.
Verify the bundle identifier exactly matches the app’s Info.plist.
Check in Profiles on the Mac (Apple menu > System Settings > Privacy & Security > Profiles) that the Swif PPPC profile is installed.
“Prompt” Still Appearing?
If you chose Allow with Standard Prompt, macOS will always prompt first. Switch to Allow for silent approval.
Managing Native vs. Custom Apps
Built‑in Apple apps (Calendar, Photos) can be managed by specifying their system bundle IDs (e.g. com.apple.Calendar).
By centrally defining your macOS privacy‑preference rules in Swif, you can eliminate help‑desk tickets and ensure consistent, secure behavior across your fleet.