Create a Mac Application Privacy Preferences Policy

Some macOS apps need additional privacy permissions to work correctly. The Application Privacy Preferences policy lets you preapprove permissions for system services for a specific app. Preapproving these services saves you time when managing Apple devices with Mobile Device Manager (MDM) because you don’t have to ask the end user to handle approvals. 

This policy requires three pieces of identifying information for each service that you want to preapprove: a code-signing block, a Bundle ID, and approval of the privacy preferences.

After you create an Application Privacy Preferences Policy and apply it to a device or device group, the policy appears in System Settings > Privacy & Security > Profiles. The policy does not appear in System Settings > Privacy & Security > Full Disk Access. That location contains policies that the user approves, rather than Admin-approved policies like the Application Privacy Preferences Policy. 

Creating a Policy to Control Privacy Preferences

The Application Privacy Preferences policy can only be applied to macOS devices. After you create the policy, you must relaunch the app.

To create a Application Privacy Preferences policy:

1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
2. Go to DEVICE MANAGEMENT > Policy Management.
3. In the All tab, click (+).
4. On the New Policy panel, select the Mac tab.
5. Select Application Privacy Preferences Policy from the list, then click configure.
6. (Optional) On the New Policy panel, enter a new name for the policy or keep the default. Policy names must be unique.
7. Under Code Requirement, paste the code-signing block. See Gathering the Code-Signing Block for instructions.
8. Under Identifier, enter the Bundle ID or the path to the binary for the app. See Locating the Bundle ID or Binary Path for instructions.
9. Under Identifier Type, choose BundleID. If you are using the binary path, choose Path.
10. Skip the Static Code checkbox, and do not select it.
11. Under Privacy Preferences, select the checkbox for each type of access required for this app. This action preapproves the required privileges for the app. See Approving Privacy Preferences Services for instructions.
12. (Optional) Select the Device Groups tab. Select one or more device groups where you’ll apply this policy. For device groups with multiple OS member types, the policy is applied only to the supported OS.
13. (Optional) Select the Devices tab. Select one or more devices where you’ll apply this policy.
14. Click save.
15. If prompted, click save again.
16. Relaunch the app. See the policy’s Behavior field for more information.

Gathering the Code-Signing Block

MacOS devices rely on code-signing information to identify apps that access key resources. Every signed, compiled app on macOS has a code signature that identifies the process that is running the app. Only signed apps can access these key system services, and only signed apps can run on Apple silicon Macs.

To gather the code block necessary for this policy, you need to run a command on a device where the app is installed. From that device, the codesign command can identify the signature of the device:
Codesign -dr - /path/to/application/program.app

For example, to run this against the JumpCloud Menu Bar Extra app, you’ll copy everything after designated => and paste that into the Code Requirement field in the JumpCloud Application Privacy Preferences Policy:

username@demo-system /Users % codesign -dr - /Applications/Jumpcloud.app
Executable=/Applications/Jumpcloud.app/Contents/MacOS/Jumpcloud
designated => identifier "com.jumpcloud.jcagent-tray" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85

Locating the Identifier & Identifier Type

When an app runs on macOS, it represents itself to the system either as a reverse-domain string called a Bundle ID (com.jumpcloud.jcagent-tray) or as a path to the app itself (/Applications/JumpCloud.app/Contents/MacOS/Jumpcloud). You'll need to supply either the Bundle ID or the path to the binary for the app you want to approve. 

If you are unsure what the Bundle ID is for the app, you can use the defaults command in Terminal to find it: 
defaults read /Applications/Jumpcloud.app/Contents/Info.plist CFBundleIdentifier

After you have the Bundle ID, you can set the Identifier to the Bundle ID string and then set the Identifier Type to Bundle ID in the policy. If you need to set the Bundle ID field to the path of the binary, supply the path of the binary and change the Identifier Type to Path. 

Approving Privacy Preferences Services

After you gather the app’s code-signing block and the Bundle ID, choose which privilege areas to approve.

MacOS has fairly strict controls regarding app access to user data, including calendars and emails all the way to key files like the user’s Desktop and Documents folders. There are several areas of functionality that can be preapproved by Admins for individual apps. These areas, called services, allow you to approve access to an app without asking the end user to handle the approvals for these services.

Approving only the necessary services for a given app ensures that the principle of least privilege is being honored, and you can allow users to grant or restrict further privileges with their own actions. 

JumpCloud lets you approve the following list of services.

Accessibility
Apple’s Accessibility service is a powerful subsystem that allows apps to perform additional functions on behalf of the user, including running scripts and system commands. Frequently, this service is used to perform automations. 

Address Book
The native Address Book, and its CardDAV accounts, is a protected area on macOS. Allowing access to the Address Book allows an app to read and write the contents of the Address Book without prompting the user. This could compromise privacy for the end user.

Calendar
The native Calendar, and its CalDAV, Exchange, and Google accounts, is a protected area on macOS. Allowing access to the Calendar allows an app to read and write the contents of the Calendar without prompting the user. This could have privacy compromises for the end user.

Allow Access to File Providers
File Providers are special apps in macOS that handle local copies of files synced to a cloud service like Dropbox or OneDrive. Allowing access to File Providers ensures that File Provider apps will be able to write to the local disk. This is an expected part of their operation, but still needs to be approved by the end user or the Admin must apply this policy.

Allow Access to Media Library
The Apple Media Library functionality encompasses the user’s Photos library, iMovie library, and Apple Music library. As these locations are sensitive, apps cannot use these sources without permission.

Allow Access to Photos
The Apple Photos app has its own library format, and access to the system Photos library is gated by the Privacy Preferences subsystem. This policy allows an app to select user photos without first getting permission from the user.

Allow Access to Reminders
The Apple Reminders app has a database of reminders, and access to the database is gated by the Privacy Preferences subsystem. This policy allows an app to access the database of reminders without first getting permission from the user.

Allow Access to SpeechRecognition
Apple’s Siri Speech Recognition service allows users to dictate text to their device in a text field and have the operating system translate their speech into text. This service? requires internet access and microphone access. Microphone access must be approved by the end user for this to work correctly. 

Allow Access to All Files
Many directories inside and outside the read-only macOS Sealed System Volume (SSV) are protected from unauthorized access by the Privacy Preferences subsystem. Allowing an app to read and write (if outside the macOS SSV) these files grants access that is fairly broad. Security tool apps frequently require this level of access.

Allow Access to the Desktop Folder
A user’s Desktop folder may contain sensitive information. Allowing an app to read and write files on the user’s Desktop will gives it full control over those files. 

Allow Access to the Documents Folder
A user’s Documents folder can contain sensitive information. Allowing an app to read and write files in the user’s Documents folder gives it full control over those files. 

Allow Access to the Downloads Folder
A user’s Downloads folder can contain sensitive information. Allowing an app to read and write files in the user’s Downloads folder gives it full control over those files. 

Allow Access to Network Volumes
Network Volumes can contain organizationally sensitive information. Allowing an app to read and write files on Network Volumes gives it full control over the files on Network Volumes that the logged-in user can view and write.

Allow Access to Detachable Media
Detachable Media–external disks and disk images–can contain sensitive information. Allowing an app to read and write files on Detachable Media gives it full control over the files on Detachable Media that the logged-in user can view and write.

Allow Access to SysAdmin Files
Some files related to the administration of a macOS device are protected by this permission, including files that protect the authentication systems of macOS. Allowing access to these files grants access that is fairly broad. Security tool apps frequently require this level of access.

Allow App to Update Applications (Requires macOS13+)
An app bundle stores everything that an app requires for successful operation. Allow this app to replace or update other apps on the device. Available in macOS 13 and later.

Example

This example describes the steps to set up access to the Alfred app, a productivity app for macOS that lets users automate tasks on their device. The app requests access to Address Book, Accessibility, and All Files. 

To set up access to the Alfred app:

1. Verify that the Alfred app is installed on a macOS device.
2. Gather the code block for Alfred. See Gathering the Code-Signing Block.
3. On the device where Alfred is installed, run this command in Terminal:

codesign -dr - /Applications/Alfred\ 4.app 

The command result displays:
Executable=/Applications/Alfred 4.app/Contents/MacOS/Alfred
designated => anchor apple generic and identifier "com.runningwithcrayons.Alfred" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XZZXE9SED4)

4. Copy everything after the designated =>. For example:

anchor apple generic and identifier "com.runningwithcrayons.Alfred" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = XZZXE9SED4)

5. In JumpCloud’s Application Privacy Preferences Policy, paste that content into the Code Block section. For instructions on creating this policy, see Creating a Policy to Control Privacy Preferences.
6. Use the defaults command to locate the CFBundleIdentifier from Alfred’s info.plist file:

defaults read /Applications/Alfred\ 4.app/Contents/Info.plist CFBundleIdentifier

The app’s identifier displays:

com.runningwithcrayons.Alfred

7. Copy the identifier from Step 6 into the Identifier field in the JumpCloud Application Privacy Preferences Policy.

8. Under Identifier Type, choose Bundle.
9. The Alfred app needs access to Address Book, Accessibility, and All Files, so you must select these three checkboxes in the policy.