How Setting Up PPPC Profiles Can Improve Security on macOS Devices
Managing Apple devices for your team or organization involves several layers of device protection. It’s crucial that individual devices and applications have secure pathways on which to run. Otherwise, you may expose your entire framework to cybersecurity threats and vulnerabilities.
To provide individual users with increased data protection and privacy, Apple implemented a new security feature in macOS 10.14 and above, requiring user consent before any app or process could access protected files or application data. This change had notable implications for users of corporate-owned devices, which are subject to company settings and privacy guidelines.
For IT admins managing Macs, this created a challenge for remote deployment of applications. User consent would now be required before certain actions could be performed on a device. Not only would consent prompts be disruptive to users, they could also be ignored, leaving IT admins unable to accomplish their work.
To combat these challenges, Addigy provides IT admins the ability to manage consent approvals on behalf of their users through Privacy Preferences Policy Control (PPPC) payloads.
In this post, we’ll discuss what PPPC profiles are and how you can leverage them. Keep reading to learn more about setting up and maintaining PPPC profiles on Apple devices in your work environment.
What are PPPC Profiles?
The Privacy Preferences Policy Control (PPPC) payload settings for Apple devices allow administrators to grant or deny specific applications access to device features and tools without consent prompts for end users.
In many scenarios, apps will request extra accessibility privileges before they can operate. This is common with all endpoint protection applications, remote control tools, and video-sharing apps. Enforcing a PPPC payload greatly reduces the need for the end-user to enter admin credentials to grant access to certain apps.
However, Apple does require access to the Mac Microphone, Camera, and Screen Recording (screen sharing) to be acknowledged by the end user. Additionally, Apple requires device supervision to apply PPPC payloads. These requirements are enforced for all Apple device management solutions.
Create and Deploy a PPPC Payload
Before you create and deploy a PPPC payload with Addigy, it is best practice to confirm the PPPC permissions required for an application by first installing it on a test machine. Also, it’s recommended that you have only one PPPC payload per software. This is because multiple PPPC payloads for the same software can conflict with each other and cause unwanted behavior.
The process for creating and deploying a new payload within Addigy is threefold:
- Get the bundle identifier and code requirement
- Create a new PPPC payload
- Deploy your payload to a specific policy
For detailed instructions, refer to the Addigy help documentation on creating and deploying new PPPC payloads.
Default PPPC Profiles
When administrators enroll devices in Addigy’s MDM service, the default Privacy Policy Preferences Control profiles for Addigy and its tools are automatically installed. Devices that are not currently part of the MDM functionality may need to be imported from their solution.
For full documentation on changing, uploading, or importing default PPPC profiles, refer to the Addigy help docs.
How a PPPC Profile Improves Security
PPPC profiles improve by allowing for specific high-vulnerability security permissions for settings and services on the device to be set exactly how an admin requires. Apple’s security posture on devices and their transparency to end users with prompts asking for permission are a great foundation of security for macOS.
However, end users should not be required to approve or deny what their device needs for management. PPPC profiles improve corporate or organizational security by controlling or limiting the type of access that apps gain to each device, without the need for end users to take this action themselves. Plus, if a non-approved or one-off application is installed, it will require PPPC approval and that approval of this one app will not fall into the category of “oh yeah IT just said click allow on all of these,” because the end-user was inundated with PPPC prompts at one time or continually. As users may not know or understand the security implications of the permissions they select, PPPC profiles help to reduce honest mistakes or user errors by streamlining what is and is not acceptable in a given environment.
Connection to Addigy’s Smart Software
Addigy’s Smart Software helps administrators reduce frustrations associated with packaging and deploying software to macOS devices, particularly those that run on macOS 10.14+ and higher.
With Addigy, Smart Software automatically generates the necessary PPPC profiles for software to install and run. The device user is not prompted for approval, which eliminates wait times and extra steps. Administrators can set and deploy preferences without unnecessary delays or hassle.
Use Addigy to Remotely Manage Mac Security and Privacy Preferences
Mac privacy settings are an integral part of maintaining a secure and up-to-date inventory of devices. Your MDM platform should allow you to check these boxes quickly and easily while providing end users with a great experience that empowers them to do their work effectively.
If you’re struggling to maintain remote management of your Mac security and device privacy preferences, sign up for a free Addigy demo to speak with our team today!
