PPPC Policy and Viewing in System Preferences?

musat
Contributor III

A bit late to the game in wrapping my head around pushing out these settings. One question I have: when I create a policy and push it out to our Macs, do those settings show up in System Preferences / Privacy for me to verify the settings were applied?

So far I haven't seen anything I have tried show up there. Even settings from mobileconfigs that I have downloaded from manufacturers, so I would assume they were accurate.

Before I fall too far down this rabbit hole I wanted to see how I can verify that a setting was applied.

Thanks, Tim

1 ACCEPTED SOLUTION

mike_paul
Contributor III

Yeah, this is a common confusion point. Your only methods to verify what's installed/controlled via MDM-deployed configuration profiles are to look at the Profiles pane in System Preferences for the payloads pushed down or to look at the MDMOverrides.plist with the following command:

/usr/libexec/PlistBuddy -c "print" "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

FYI, Terminal needs Full Disk Access/SystemPolicyAllFiles to read that file; otherwise you get the message "Error Reading File: /Library/Application Support/com.apple.TCC/MDMOverrides.plist". So basically it's a chicken-or-the-egg scenario: you need TCC access granted to read MDM TCC applied settings. Fun times.

What's displayed in System Preferences > Security & Privacy > Privacy is only the decisions end users made with prompts presented to them, not settings pushed via profiles. It's essentially displaying the values that are stored in the TCC databases, which can be found at /Library/Application Support/com.apple.TCC/TCC.db or ~/Library/Application Support/com.apple.TCC/TCC.db

3 REPLIES

musat
Contributor III

Thanks so much.

Something like that is what I was beginning to think, but didn't know where to go verify that. I saw that the Profiles were getting pushed down, but just wanted to make sure that they were getting applied correctly.

scottlep
Contributor II

Has anyone seen an Extension Attribute that would be able to read this, then possibly display user-approved TCC and MDM-approved TCC split into two categories? I have created an EA that does this for KEXTs, but would love one for TCC/PPPC.

Thanks,
Scott
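
Added example, not code from any poster in this thread: a Python sketch that reads the MDMOverrides.plist discussed above and formats the MDM-applied entries as a Jamf extension attribute result, reporting the missing Full Disk Access case instead of failing. It covers only the MDM side, not user decisions in TCC.db. The plist layout (client identifier, then service name, then a dict with an `Allowed` key), the function names and the sample data are assumptions.

```python
import plistlib

MDM_OVERRIDES = "/Library/Application Support/com.apple.TCC/MDMOverrides.plist"

# Constructed sample in the assumed layout: client -> service -> settings dict.
SAMPLE = plistlib.dumps({
    "com.example.backup": {
        "kTCCServiceSystemPolicyAllFiles": {"Allowed": True, "IdentifierType": "bundleID"},
    },
    "/usr/local/bin/exampled": {
        "kTCCServiceAccessibility": {"Allowed": False, "IdentifierType": "path"},
    },
}, fmt=plistlib.FMT_BINARY)

def parse_overrides(raw: bytes) -> dict:
    """Return {client: {service: allowed}} from XML or binary plist bytes."""
    root = plistlib.loads(raw)
    grants = {}
    if not isinstance(root, dict):
        return grants
    for client, services in root.items():
        if not isinstance(services, dict):
            continue
        for service, entry in services.items():
            # Skip anything that does not carry an explicit decision.
            if isinstance(entry, dict) and "Allowed" in entry:
                grants.setdefault(client, {})[service] = bool(entry["Allowed"])
    return grants

def format_result(grants: dict) -> str:
    """One 'client service decision' line per entry, wrapped in <result> tags."""
    lines = [
        f"{client} {service} {'Allow' if allowed else 'Deny'}"
        for client in sorted(grants)
        for service, allowed in sorted(grants[client].items())
    ]
    return "<result>" + "\n".join(lines or ["No MDM PPPC entries"]) + "</result>"

def report(path: str = MDM_OVERRIDES) -> str:
    try:
        with open(path, "rb") as fh:
            return format_result(parse_overrides(fh.read()))
    except FileNotFoundError:
        return "<result>No MDMOverrides.plist present</result>"
    except PermissionError:
        # Same condition behind PlistBuddy's "Error Reading File" message.
        return "<result>Unreadable: caller lacks Full Disk Access</result>"

if __name__ == "__main__":
    print(report())
```

The process that runs the script needs Full Disk Access for the read to succeed, the same requirement noted for Terminal above.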