Enable Microphone using Privacy Preferences Policy Control setting

hphan
New Contributor III

We discovered that the State assessment app on Mojave does not have the checkbox to allow the Microphone in Security > Privacy > Microphone.

I believe that the setting is managed by PPPC. When I set the Privacy Preferences Policy Control setting, I can only set Deny for the Microphone.

How do you enable the checkbox for a particular app in Security > Privacy > Microphone? Is this setting managed by the PPPC setting?

Thank you in advance for any advice.


ThijsX
Valued Contributor

Hi @hphan

Through your MDM / PPPC it is not allowed to set "Allow" settings for Camera and Microphone due to privacy concerns etc.
That is, the microphone or camera can't be turned on without user approval.

ricardtolosa
New Contributor III

@txhaflaire is right. The option to allow camera and microphone has not been added by Apple to PPPC, you can only deny the access to them. Users will need to manually click allow when an app requests access to them.

dash4385
New Contributor II

I totally get why "Allow" settings for Camera and Microphone are not an option. But has anyone figured out a way to allow a user to give apps access to enable these settings without needing to have access to the pane?

We have the "Security and Privacy" pane locked down and need to find a way to allow apps to Allow Camera and Microphone without having to enter that pane. Maybe a system message that the user can click on and it enables the settings for them?

Has anyone attempted this yet?

sshort
Valued Contributor

@hugedash If an app is requesting mic or camera access, the user will get a consent pop-up. The user can be a standard account to accept those prompts (there are exceptions if the privacy prompt is for accessibility or full disk access).

If you're running into a situation where the user accidentally clicked "Don't Allow" or the pop-up timed out and the user can't get the app approved, then your next route would be offering something in self service.

#!/bin/sh

# resets the TCC camera approval database
tccutil reset Camera

# resets the TCC microphone approval database
tccutil reset Microphone

Note: the apps requesting approval and System Preferences need to be quit for this to work. So if Slack needs to be reset, and Slack is open, then the camera/mic approval window still won't show.

dash4385
New Contributor II

@sshort Perfect, the issue we were having was the latter, where people would click Don't Allow and could not change it because we lock it. I will use those 2 commands to allow people to reset the databases.

tnielsen
Valued Contributor

Is there any way to manage these settings from an administrator standpoint? Can it be scripted?

I have a lot of users clicking don't allow without reading things. Is this going to be a user training thing from here on out on Apple products?

sshort
Valued Contributor

@tnielsen yep, scroll up to my earlier post :)

#!/bin/sh

# resets the TCC camera approval database
tccutil reset Camera

# resets the TCC microphone approval database
tccutil reset Microphone

tnielsen
Valued Contributor

That looks like it just resets the requests, what I'm trying to say is, is there a way to set these approvals so the users never see the prompt?

tnielsen
Valued Contributor

Never mind, I see that @txhaflaire is correct. Ugh, my users.... woe is me.

TechSpecialist
Contributor

I’m looking for a solution where Camera is always disabled, but Microphone should always be available for User’s approval.

The standard Setting that is available only has a feature to disallow Camera, but it also disallows Microphone. Is there any way to manage them separately?

swallace
Contributor

I know this thread is a bit old, but I need to get TestNav (education testing tool) to allow the microphone for all users (students are not admins), similar to what @tnielsen is describing. Last spring this wasn't an issue for us as we were not running Mojave. PPPC tool still only has the "deny" option. I see the script above from @sshort, did you just keep this in SS and point users back to SS? High school kiddos are not always the most cooperative and will continue to click "don't allow" to avoid testing. As management, we try to eliminate as many of these roadblocks as possible.

Thanks for any feedback!

larry_barrett
Valued Contributor

JAMF is not a substitute for classroom management. If some jackass keeps denying mic access he can go sit in the office.

There is no way to allow it.

talkingmoose
Moderator

@swallace, Larry is correct. You can no longer programmatically enable an application to use the microphone. This is a privacy concern with Apple.

However, the microphone does not require admin privileges to enable it after the prompt has been denied. This is a per user choice not a system-wide choice. Choose Microphone under the Privacy tab in the Security & Privacy pane and the current user can enable the testing application without unlocking the pane.

jgor415
New Contributor

@talkingmoose any articles from Apple stating that this is indeed true, that you can no longer programmatically enable an application to use the microphone or camera?

hkabik
Valued Contributor

You can enable microphone and camera programmatically by manually editing the TCC.db. I can't figure out how to do this for Screen Recording using this method (I think this is managed by the /Library level TCC.db but that is SIP protected), but this method works fine for Mic and Camera.

Examples:

Enable Microphone in Skype For Business for the currently logged in user -

#!/bin/sh

#get username
user=`stat -f "%Su" /dev/console`

# the database path contains a space, so it must be quoted
sqlite3 "/Users/$user/Library/Application Support/com.apple.TCC/TCC.db" -cmd "INSERT or REPLACE INTO access VALUES('kTCCServiceMicrophone','com.microsoft.SkypeForBusiness',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);" ".exit"

Enable Camera in Teams for the currently logged in user -

#!/bin/sh

#get username
user=`stat -f "%Su" /dev/console`

# the database path contains a space, so it must be quoted
sqlite3 "/Users/$user/Library/Application Support/com.apple.TCC/TCC.db" -cmd "INSERT or REPLACE INTO access VALUES('kTCCServiceCamera','com.microsoft.teams',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);" ".exit"

jgor415
New Contributor

Never mind, I understand now. That is the actual command "INSERT INTO access VALUES" or "REPLACE INTO access VALUES". I am trying to sudo to just view the database using this command
"sqlite3 ~/Library/Application Support/com.apple.TCC/TCC.db" and getting a read-only database error. I can't even run "sudo ls -la" to view the permissions.

hkabik
Valued Contributor

If there is not a value it INSERTS the Value, if there is a value (denying Camera access to the app for example) it REPLACES it.

jbakalar
New Contributor

Hi @hkabik , thank you for the Skype for Business command to enable Skype for Business microphone for the current user. This worked during Mojave and Catalina. Now in Big Sur, I get the following error:

'Error: table has 13 columns but 12 values were supplied'

I tried to view the schema of the table called 'access' (e.g. 'sqlite> .schema access'), but I could not figure out where the change is. After a few trials and errors, I found it.

So for Big Sur to enable Skype for Business's microphone, the updated command is:

#!/bin/sh

#get username
user=`stat -f "%Su" /dev/console`

# the database path contains a space, so it must be quoted
sqlite3 "/Users/$user/Library/Application Support/com.apple.TCC/TCC.db" -cmd "INSERT or REPLACE INTO access VALUES('kTCCServiceMicrophone','com.microsoft.SkypeForBusiness',0,1,1,0,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);" ".exit"

AdamCraig
Contributor III

So I finally got around to trying this. I'm not familiar with SQL at all but I downloaded DB Browser for SQLite and found the entry for what I was trying to automate and just filled out the fields in order to match. I replaced BLOB (a long Binary section of code) with NULL and it worked for me!

My script detects OS and runs a different version for Catalina and Big Sur as they have a different number of fields, as noted by @jbakalar. Thanks @hkabik
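
Added example, not part of any post in this thread: a read-only Python audit that finds the decision column by name, so it works on both the 12-column layout and the 13-column Big Sur layout noted above, and lists camera/microphone rows stored without a csreq blob, as the NULL-filled rows above are. The column names, the in-memory sample database and com.example.recorder are assumptions constructed for illustration.

```python
import sqlite3

# Column names are assumptions; the thread itself gives only the counts
# (12 values on Mojave/Catalina, 13 on Big Sur).
LEGACY = ("service, client, client_type, allowed, prompt_count, csreq, policy_id, "
          "indirect_object_identifier_type, indirect_object_identifier, "
          "indirect_object_code_identity, flags, last_modified")
BIG_SUR = ("service, client, client_type, auth_value, auth_reason, auth_version, csreq, "
           "policy_id, indirect_object_identifier_type, indirect_object_identifier, "
           "indirect_object_code_identity, flags, last_modified")
SERVICES = ("kTCCServiceMicrophone", "kTCCServiceCamera")
TAIL = (None, None, "UNUSED", None, 0, 1541440109)
# Constructed sample rows; com.example.recorder and its blob are made up.
LEGACY_ROWS = [
    ("kTCCServiceMicrophone", "com.microsoft.SkypeForBusiness", 0, 1, 1, None) + TAIL,
    ("kTCCServiceCamera", "com.example.recorder", 0, 0, 1, b"\xfa\xde\x0c\x00") + TAIL,
    ("kTCCServiceAddressBook", "com.example.recorder", 0, 1, 1, None) + TAIL,
]
BIG_SUR_ROWS = [
    ("kTCCServiceMicrophone", "com.microsoft.SkypeForBusiness", 0, 1, 1, 0, None) + TAIL,
]


def make_sample_db(columns, rows):
    """Build an in-memory stand-in for a user's TCC.db access table."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE access ({columns})")
    marks = ",".join("?" * len(rows[0]))
    db.executemany(f"INSERT INTO access VALUES ({marks})", rows)
    return db


def audit(db):
    """Return (service, client, raw decision value, has_csreq) per camera/mic row."""
    cols = [row[1] for row in db.execute("PRAGMA table_info(access)")]
    # Select the decision column by name, so an added column cannot shift it.
    decision = "auth_value" if "auth_value" in cols else "allowed"
    query = (f"SELECT service, client, {decision}, csreq IS NOT NULL FROM access "
             "WHERE service IN (?, ?) ORDER BY service, client")
    return [(s, c, v, bool(h)) for s, c, v, h in db.execute(query, SERVICES)]


def unpinned(findings):
    """Clients whose row has no code requirement stored (csreq is NULL)."""
    return sorted({client for _, client, _, has in findings if not has})


if __name__ == "__main__":
    for cols, rows in ((LEGACY, LEGACY_ROWS), (BIG_SUR, BIG_SUR_ROWS)):
        found = audit(make_sample_db(cols, rows))
        print(found, "no csreq:", unpinned(found))
```

The decision value is returned raw because its meaning differs between the two layouts.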