Jamf Nation Community

@txhaflaire is right. The option to allow camera and microphone has not been added by Apple to PPPC, you can only deny the access to them. Users will need to manually click allow when an app requests access to them.

I total get why "Allow" settings for Camera and Microphone is not an option. But has anyone figure out a way to allow a user to give apps access to enable these settings without needing to have access to the pane?

We have the "Security and Privacy" pane locked down and need to find a way to allow apps to Allow Camera and Microphone without having to enter that pane. Maybe system message that the user can click on and it enable the settings for them?

Any one attempted this yet?

@hugedash If an app is requesting mic or camera access, the user will get a consent pop-up. The user can be a standard account to accept those prompts (there are exceptions if the privacy prompt is for accessibility or full disk access).

If you're running into a situation where the user accidentally clicked "Don't Allow" or the pop-up timed out and the user can't get the app approved, then your next route would be offering something in self service.

#!/bin/sh

# resets the TCC camera approval database
tccutil reset Camera

# resets the TCC microphone approval database
tccutil reset Microphone

Note: the apps requesting approval and System Preferences need to be quit for this to work. So if Slack needs to be reset, and Slack is open, then the camera/mic approval window still won't show.

@sshort Perfect the issues we where have was the later where people would click Don't allow and could not change it because we lock it. I will use those 2 commands to allow people to reset the databases

Is there any way to manage these settings from an administrator standpoint? Can it be scripted?

I have a lot of users clicking don't allow without reading things. Is this going to be a user training thing from here on out on apple products?

@tnielsen yep, scroll up to my earlier post :)

#!/bin/sh

# resets the TCC camera approval database
tccutil reset Camera

# resets the TCC microphone approval database
tccutil reset Microphone

That looks like it just resets the requests, what I'm trying to say is, is there a way to set these approvals so the users never see the prompt?

Nevermind, I see that @txhaflaire is correct. Ugh, my users.... woa is me.

I’m looking for a solution where Camera is always disabled, but Microphone should alway be available for User’s approval.

The standard Setting that is available only has a feature to disallow Camera, but it also disallows Microphone. Is there any way to manage them separately?

I know this thread is a bit old, but needing to get TestNav (education testing tool) to allow the microphone for all users (students are not admins), similar to what @tnielsen is describing. Last spring this wasn't an issue for us as we were not running Mojave. PPPC tool still only has the "deny" option. I see the script above from @sshort, did you just keep this in SS and point users back to SS? High school kiddos are not always the most corporative and will continue to click "don't allow" to avoid testing. As management, we try to eliminate as many of these roadblocks as possible.

Thanks for any feedback!

JAMF is not a substitute for classroom management. If some jackass keeps denying mic access he can go sit in the office.

There is no way allow it.

@swallace, Larry is correct. You can no longer programmatically enable an application to use the microphone. This is a privacy concern with Apple.

However, the microphone does not require admin privileges to enable it after the prompt has been denied. This is a per user choice not a system-wide choice. Choose Microphone under the Privacy tab in the Security & Privacy pane and the current user can enable the testing application without unlocking the pane.

@talkingmoose any articles from apple stating that this is indeed true. That you can no longer programmatically enable an application to use the microphone or camera.

You can enable microphone and camera programmatically by manually editing the TCC.db. I can't figure out how to do this for Screen Recording using this method (I think this is managed by the /Library level TCC.db but that is SIP protected), but this method works fine for Mic and Camera.

Examples:

Enable Microphone in Skype For Business for the currently logged in user -

#!/bin/sh

#get username
user=`stat -f "%Su" /dev/console`

sqlite3 /Users/$user/Library/Application Support/com.apple.TCC/TCC.db -cmd "INSERT or REPLACE INTO access VALUES('kTCCServiceMicrophone','com.microsoft.SkypeForBusiness',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);" ".exit"

Enable Camera in Teams for the currently logged in user -

#!/bin/sh

#get username
user=`stat -f "%Su" /dev/console`

sqlite3 /Users/$user/Library/Application Support/com.apple.TCC/TCC.db -cmd "INSERT or REPLACE INTO access VALUES('kTCCServiceCamera','com.microsoft.teams',0,1,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);" ".exit"

Nevermind I understand now. That is the actual command "INSERT INTO access VALUES" or "REPLACE INTO access VALUES". I am trying to sudo to just view the database using this command
"sqlite3 ~/Library/Application Support/com.apple.TCC/TCC.db" and getting read-only database error. I can't even run "sudo ls -la" to view the permissions.

If there is not a value it INSERTS the Value, if there is a value (denying Camera access to the app for example) it REPLACES it.

Hi @hkabik , thank you for the Skype for Business command to enable Skype for Business microphone for the current user. This worked during Mojave and Catalina. Now in Big Sur, I get the following error:

'Error: table has 13 columns but 12 values were supplied'

I tried to view the schema of the table called 'access' (e.g. sqlite> .schema access'), but I could not figure out where the change is. After a few trials and errors, I found it.

So for Big Sur to enable Skype for Business's microphone, the updated command is:

#!/bin/sh

#get username
user=`stat -f "%Su" /dev/console`

sqlite3 /Users/$user/Library/Application Support/com.apple.TCC/TCC.db -cmd "INSERT or REPLACE INTO access VALUES('kTCCServiceMicrophone','com.microsoft.SkypeForBusiness',0,1,1,0,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);" ".exit"

So I finally got around to trying this. I'm not familiar with SQL at all but i downloaded DB Browser for SQLite and found the entry for what I was trying to automate and just filled out the fields in order to match. I replaced BLOB (a long Binary section of code) with NULL and it worked for me!

My script detects OS and runs a different version for Catalina and Big Sur as they have different number of fields as noted by @jbakalar Thanks @hkabik