Privacy Preferences

You can remotely manage the security preferences in the Privacy pane of Security & Privacy preferences on a macOS device.

To protect the end user's privacy, macOS 10.14+ devices require users to explicitly allow apps to access privacy features such as Photos, Calendar, Accessibility, Camera, and Microphone. You can use the Privacy Preferences policy settings in the MaaS360 portal to remotely pre-approve or pre-deny access to these privacy features on behalf of the user. These policy settings override the user preferences configured on the macOS devices.
Note: Supported only on macOS 10.14+ devices.
Follow these steps to configure privacy preferences policies in the MaaS360 portal:
  1. From the MaaS360 Portal Home page, navigate to Security > Policies.
  2. Open a macOS MDM policy.
  3. Navigate to Security & Privacy > Privacy Preferences.
  4. Configure the following privacy preferences:
    Configure Privacy Preferences
      Description: Turn this setting on to view and configure the privacy preferences policies.
      Support Matrix: macOS 10.14+
    Identifier Type
      Description: The type of identifier:
      • Bundle ID: Application bundles are identified by bundle ID.
      • Path: A non-bundled binary can be an executable or process, which can be identified by the installation path.
      Support Matrix: macOS 10.14+
    Identifier
      Description: The bundle ID or installation path of the application or process.
    Code Requirement
      Description: The application code signing value.
    Finding the Code Requirement
    1. Open the Terminal app (Applications/Utilities/Terminal.app) on any macOS device where the target application is installed.
    2. In a new window, type the following command:

      codesign --display -r - [PATH OF APPLICATION]

      Press Enter. (The example below uses the IBM MaaS360 app.)
    3. Find the text that appears after designated =>. The following example uses the MaaS360 app and the code requirement is highlighted in yellow.
      [Image: code requirement macOS]
     
    Static Code Validation
      Description: If enabled, the process or application statically validates the code requirement. Enable this feature only if the process invalidates its dynamic code signature.
    Comment
      Description: Enter notes for your own use. This setting is not used by macOS.
    Services
      Description: Enable the services offered by Apple that you want to pre-configure in this profile. If there are conflicting configurations, the most restrictive settings (deny) are used.

      | Setting | Description | Support Matrix |
      | --- | --- | --- |
      | Accessibility | Allows or denies the specified apps to control the Mac via Accessibility APIs. | macOS 11.0+ |
      | Admin Files | Allows or denies specified apps access to some files used by system administrators. | macOS 11.0+ |
      | Calendars | Allows or denies specified apps access to event information managed by the Calendar app. | macOS 10.14+ |
      | Camera | Access to device camera cannot be granted to apps. Denies specified apps access to the Camera. | macOS 11.0+ |
      | Contacts | Allows or denies specified apps access to contact information managed by Contacts. | macOS 11.0+ |
      | Desktop Folder | Allows or denies specified apps access to the Desktop folder. | macOS 11.0+ |
      | Documents Folder | Allows or denies specified apps access to the Documents folder. | macOS 11.0+ |
      | Downloads Folder | Allows or denies specified apps access to the Downloads folder. | macOS 11.0+ |
      | File Provider | Allows or denies the application to access documents and directories that are stored and managed by another application's File Provider extension. | macOS 11.0+ |
      | Full Disk Access | Allows or disallows the application access to all protected files. | macOS 11.0+ |
      | Input Monitoring | Disallows the application from monitoring events from input devices such as a mouse, keyboard, and trackpad. Allows a standard user to set system service (macOS 11+). | macOS 11.0+ |
      | Media Library | Allows or denies specified apps access to Apple Music, music and video activity, and the media library. | macOS 11.0+ |
      | Microphone | Access to device microphone cannot be granted to apps. Denies specified apps access to the microphone. | macOS 11.0+ |
      | Network Volumes | Allows or denies the application to access files on Network Volumes. | macOS 11.0+ |
      | Photos | Allows or denies specified apps access to images managed by the Photos app in: /Users/username/Pictures/Photos Library. Note: If the user put their photo library somewhere else, it won’t be protected from apps. | macOS 11.0+ |
      | Post Event | Allows or denies specified apps to use CoreGraphics APIs to send CGEvents to the system event stream. | macOS 11.0+ |
      | Reminders | Allows specified apps access to information managed by Reminders. | macOS 11.0+ |
      | Removable Volumes | Allows specified apps access to files on removable volumes. | macOS 11.0+ |
      | Screen Capture | Disallows specified apps from capturing (reading) the contents of the system display. | macOS 11.0+ |
      | Speech Recognition | Allows the application to use speech recognition capabilities. | macOS 11.0+ |
      | App Bundles | Allows the application to update or delete other apps. | macOS 13.0+ |
     
    Apple Events
      Description: Allows or disallows the application to send a restricted Apple event to another process. Supports multiple Apple events for an application.

      | Setting | Description | Support Matrix |
      | --- | --- | --- |
      | Finder | Allows or disallows specified apps to send a restricted Apple event to the Finder application. | macOS 11.0+ |
      | System UI Server | Allows or disallows specified apps to send a restricted Apple event to System UI server. | macOS 11.0+ |
      | System Events | Allows or disallows the application to send restricted Apple system events. | macOS 11.0+ |
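
The code requirement lookup and the Services rules described above (Camera and Microphone can only be denied; a deny wins when configurations conflict), as an added Python example that is not MaaS360 code. The entry fields, the sample codesign output, and the bundle and team IDs in it are constructed for illustration.

```python
import re

# Services the page lists as deny-only: access cannot be pre-approved.
DENY_ONLY = {"Camera", "Microphone"}

def designated_requirement(codesign_output):
    """Return the text after 'designated =>' in `codesign --display -r -` output."""
    for line in codesign_output.splitlines():
        # Tolerate leading whitespace or a '#' before the keyword.
        m = re.match(r"\s*(?:#\s*)?designated\s*=>\s*(.+?)\s*$", line)
        if m:
            return m.group(1)
    raise ValueError("no 'designated =>' line in codesign output")

def identifier_type(identifier):
    """'Path' for a non-bundled binary's install path, otherwise 'Bundle ID'."""
    return "Path" if identifier.startswith("/") else "Bundle ID"

def build_entry(identifier, codesign_output, service, decision):
    """Assemble one hypothetical policy entry (not a MaaS360 or Apple format)."""
    if decision not in ("allow", "deny"):
        raise ValueError("decision must be 'allow' or 'deny'")
    if service in DENY_ONLY and decision != "deny":
        raise ValueError(f"{service} access can only be denied")
    return {"identifier_type": identifier_type(identifier),
            "identifier": identifier,
            "code_requirement": designated_requirement(codesign_output),
            "service": service, "decision": decision}

def effective_decisions(entries):
    """Resolve conflicts per (identifier, service): the most restrictive (deny) wins."""
    result = {}
    for e in entries:
        key = (e["identifier"], e["service"])
        if result.get(key) != "deny":
            result[key] = e["decision"]
    return result

# Constructed sample; the bundle ID and team ID are placeholders.
SAMPLE = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    'designated => identifier "com.example.app" and anchor apple generic '
    'and certificate leaf[subject.OU] = "ABCDE12345"\n'
)

if __name__ == "__main__":
    entries = [build_entry("com.example.app", SAMPLE, "Calendars", "allow"),
               build_entry("com.example.app", SAMPLE, "Calendars", "deny")]
    print(entries[0]["code_requirement"])
    print(effective_decisions(entries))
```

Running the same checks over a policy export before it is published catches an allow entry for Camera or Microphone, and shows which allow entries are silently overridden by a deny.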