In this post, you will learn how to deploy PPPC Utility on macOS using Intune. Let’s explore Privacy Preferences Policy Control (PPPC) configurations on managed macOS devices using Intune MDM Solution, similar to the Privacy Preferences Policy Control (PPPC) utility used in JAMF.
Before we dive in, it’s essential to understand what PPPC stands for, its benefits and purpose on macOS devices. We’ll go into detail about these aspects in this article and demonstrate by deploying a sample configuration on Intune. With this knowledge, admins can use it similarly for other apps and use cases.
Microsoft’s Intune is a brilliant MDM solution that supports multiple platforms, including Windows, macOS, iOS/iPadOS, Linux, and Android devices, all in one convenient portal. This makes it an ideal solution for organizations looking to manage multiple devices.
However, before implementing Intune in production, Administrators should evaluate whether it meets all their requirements and aligns with their organization’s purpose. By doing so, administrators can ensure they’re making the best decisions for their organization and setting themselves up for success.
This article will equip you with the necessary knowledge to configure privacy settings effectively. You’ll discover how to create and deploy these configurations on managed macOS devices, which will result in a better end-user experience. By working together, we can ensure this process is successful. So, let’s jump right in and explore these methods together!
- Get Intune Environment Ready for iOS / Mac Devices Microsoft Endpoint Manager
- Microsoft Intune Vs Jamf macOS Device Management Enhancements
Before proceeding any further, I kindly request that you take a moment to review all the restriction policies available in the Microsoft Intune MDM Solution for managed macOS devices. This can greatly improve the end-user experience and contribute to better security and compliance in the organisation environment.
If you would like to learn more about the various restriction policies that can be deployed on Apple macOS devices using Microsoft Intune, as well as how to deploy them on managed macOS devices, please refer to my previously published article titled “How to deploy Device Restriction Settings for macOS Devices using Intune”.
What is the PPPC Utility and its Purpose
PPPC stands for Privacy Preferences Policy Control. As the name suggests, the PPPC Utility creates payloads that can be deployed via MDM to control privacy preferences for applications. With the help of the PPPC Utility, admins can easily control the settings that are displayed in the ‘Privacy’ tab of the ‘Security & Privacy’ pane in System Settings, as shown below.
This top-notch application is exclusively designed for macOS v10.15 and later, providing flexibility to save profiles locally. Additionally, with this, Admins can directly upload profiles to MDM Solutions without any hassle.
Previously, approving screen capture and input monitoring PPPC requests was easy for any local user (either Standard or Admin). However, with the release of macOS Big Sur and later, users are now required to authenticate the change by clicking the padlock symbol in the bottom left corner of the screen in System Preferences and entering administrator login details.
PPPC profiles can control preferences by allowing, denying, or letting users approve them. The table below shows the PPPC Utility settings.
Preference | Allow | Deny | Standard User Permission |
---|---|---|---|
Accessibility | ✔ | ✔ | |
Admin Files | ✔ | ✔ | |
Calendars | ✔ | ✔ | |
Camera | ✔ | | |
Contacts | ✔ | ✔ | |
Desktop Folder | ✔ | ✔ | |
Documents Folder | ✔ | ✔ | |
Downloads Folder | ✔ | ✔ | |
File Provider | ✔ | ✔ | |
Full Disk Access | ✔ | ✔ | |
Input Monitoring | ✔ | ✔ | |
Media Library | ✔ | ✔ | |
Microphone | ✔ | ✔ | |
Network Volumes | ✔ | ✔ | |
Photos | ✔ | ✔ | |
Post Events | ✔ | ✔ | |
Reminders | ✔ | ✔ | |
Removable Volumes | ✔ | ✔ | |
Screen Recording | ✔ | ✔ | |
Speech Recognition | ✔ | ✔ | |
Create mobileconfig File on PPPC Utility
So far, we have seen what the PPPC Utility is and how it benefits admins by allowing them to create and push configurations without writing complex commands. Let us check how to create a mobileconfig file using the PPPC Utility by following the steps below.
To download the kit, please go to this GitHub page. Once downloaded, launch the PPPC Utility. As a sample, let us create a policy that provides Full Disk Access to a sample app, Brave Browser, as shown below:
- Launch PPPC Utility app.
- On the left side, under the Applications tab, click on the + icon and select the application that needs to be controlled or permitted.
- Once added, on the Properties tab, set the required properties to Allow (e.g., here we have allowed Full Disk Access) and allow System Events.
- To create the mobileconfig file, click on save and provide the required details as shown below.
Once the mobileconfig file is created on the device, let’s use the Intune Custom profile deployment method for Admins. Follow the steps below to do it like a pro.
Deploy mobileconfig File in Intune
Admins must carefully follow each step of the profile creation process to avoid issues. Once completed, the profile can be deployed by developing an Admin Account and configuring details. The profile is then deployed to assigned devices over the air. Follow the steps below to create a profile.
- In the Microsoft Intune admin center, go to Devices > macOS and, under macOS Policies, select Configuration Profiles.
- To create a profile, click on Create profile, select platform macOS, Profile type Templates, under Template name, select Custom and click on Create.
Under Basics, enter a name and description for the configuration profile.
To configure settings on the configuration settings page, follow these steps:
- Provide a custom configuration profile name.
- Select the Deployment channel as the Device channel, as the profile should be active for all logged-in users.
- Upload the mobile configuration file created by the Admin under the configuration profile file section and click Next.
On the next page, Scope tags are filtering options provided in Intune to ease the admin jobs. In the scope tag section, you will get an option to configure scope tags for the policy. Click on Next.
On the next page, select Assignments group and click Next.
Once all the settings have been reviewed, click on Create to finish creating the profile.
Once the configuration profile is assigned to the group of devices, the Intune portal will reflect the status of the deployment under the configuration profile overview tab as shown below.
End User Experience – Deploy PPPC Utility on macOS
Once the device gets the deployed configuration profile, end-users can view the deployed profiles on the Mac by going to System Settings > Privacy & Security > Profiles. To view the profile, double-click on it as shown below.
Now that we understand the process of deploying the configuration profile created by PPPC Utility, note that Intune also offers an alternate method: the same settings can be configured directly in Intune. Let us check out how that works.
Alternate Method – Deploy Privacy Preferences Policy Control Configuration Profiles using Intune
Now, without further ado, let us start the alternative method of profile creation in Intune by Mac Admins. Once completed, follow the steps below to create a profile that will be deployed to assigned devices over the air.
- In the Microsoft Intune admin center, go to Devices > macOS and, under macOS Policies, select Configuration Profiles.
- To create a profile, click on Create profile, select platform macOS, Profile type Settings Catalog and click on Create.
Under Basics, enter profile name and description and click Next.
On the Configuration settings page, add the settings by performing these steps:
- Click on Add Settings.
- On the right-side panel, search with the keyword Privacy and click on the Privacy Preferences Policy Control option that appears.
- Once selected, choose the settings that need to be edited, then click OK to exit the right-side panel.
To fetch the code requirement of a particular app, run the terminal command: codesign -dr - "/path/to/App Name.app"
and copy the text that appears after the word designated.
To fetch the identifier of a particular app, run the terminal command: osascript -e 'id of app "App Name"'
and copy the line that appears below the command.
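The designated requirement and identifier fetched with the commands above are the same values a PPPC payload carries in its CodeRequirement and Identifier keys. The following added example (not from the original article or from the PPPC Utility project) reviews a mobileconfig before upload: it lists every grant in the com.apple.TCC.configuration-profile-policy payload and flags high-risk services, path-based identifiers and code requirements that differ from the codesign output. The bundle ID, requirement string and function names are constructed for illustration.

```python
import plistlib
import re

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"
# Services whose grant gives an app broad reach over user data or input.
HIGH_RISK = {"SystemPolicyAllFiles", "Accessibility", "ScreenCapture",
             "ListenEvent", "PostEvent", "AppleEvents"}

def designated_requirement(codesign_output: str) -> str:
    """Return the text after 'designated =>' in `codesign -dr -` output."""
    m = re.search(r"^designated => (.+)$", codesign_output, re.MULTILINE)
    if not m:
        raise ValueError("no designated requirement in codesign output")
    return m.group(1).strip()

def audit_pppc(profile: bytes, expected: dict) -> list:
    """List (service, identifier, authorization, issues) for every TCC entry.
    `expected` maps bundle identifier -> designated requirement from a device."""
    findings = []
    for payload in plistlib.loads(profile).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for e in entries:
                ident = e.get("Identifier", "")
                # Newer profiles use Authorization; older ones the boolean Allowed.
                auth = e.get("Authorization") or ("Allow" if e.get("Allowed") else "Deny")
                issues = []
                if auth != "Deny" and service in HIGH_RISK:
                    issues.append("high-risk grant")
                if e.get("IdentifierType") == "path":
                    issues.append("path identifier")
                if ident not in expected:
                    issues.append("requirement not verified")
                elif e.get("CodeRequirement", "") != expected[ident]:
                    issues.append("requirement mismatch")
                findings.append((service, ident, auth, issues))
    return findings

# Constructed sample data (not from a real device or a real vendor certificate).
SAMPLE_CODESIGN = ('Executable=/Applications/Example Browser.app/Contents/MacOS/Example\n'
                   'designated => identifier "com.example.browser" and anchor apple '
                   'generic and certificate leaf[subject.OU] = "EXAMPLE123"\n')

def sample_profile(requirement: str) -> bytes:
    entry = {"Identifier": "com.example.browser", "IdentifierType": "bundleID",
             "CodeRequirement": requirement, "Authorization": "Allow"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": [entry]}}]})
```

codesign writes this output to stderr, so capture it with 2>&1 before passing it to designated_requirement.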
Once the settings are visible on the right side window, to edit the permission, click on Edit instance button and provide the required details as shown below.
On the next page, Scope tags are filtering options provided in Intune to ease the admin jobs. In the scope tag section, you will get an option to configure scope tags for the policy. Click on Next.
On the next page, select Assignments group and click Next.
Once all the settings have been reviewed, click on Create to finish creating the profile.
Conclusion
We understand that privacy is a major concern for everyone, and as such, we have written this article to assist Mac admins in deploying, restricting, or editing privacy settings available in the macOS System Settings. We also recommend applying these methodologies only in scenarios where end-users have standard privileges while using the macOS devices.
We want to assure you that Admins can choose the deployment method of the settings over macOS devices according to your comfort, and we hope that these methods will make it easier for users to manage their privacy settings. Thank you for trusting us to provide you with this information.
If you find my articles informative and helpful, I suggest you take a look at my recently published article on How to deploy Local Primary Account on macOS using ADE Method in Intune. This article covers topics such as what is ADE enrollment method on macOS devices.
We aim to help you get the most out of using two operating system platforms and explain the purpose and benefits of doing so efficiently and effectively. If you’ve followed my articles about managing macOS devices with Microsoft Intune, I invite you to explore my other posts to broaden your knowledge. Check out all my posts here.
I would also like to share my recently published video, which provides a detailed guide on how to seamlessly upgrade macOS devices from other MDM solutions like Jamf, Jumpcloud, or Kandji to Microsoft Intune. The video offers comprehensive instructions and step-by-step guidance to ensure a successful upgrade process.
Author
Snehasis Pani has 7+ years of IT Support experience and is currently a macOS Administrator. He loves to help the community by sharing his knowledge of Apple Mac Devices Support. He is an M.Tech graduate in System Engineering. Do check out his profile on Twitter and Linkedin.