{"id":75954,"date":"2023-05-17T13:04:51","date_gmt":"2023-05-17T17:04:51","guid":{"rendered":"https:\/\/jumpcloud.com\/?post_type=support&p=75954"},"modified":"2024-01-30T11:55:54","modified_gmt":"2024-01-30T16:55:54","slug":"create-mac-application-privacy-preferences-policy","status":"publish","type":"support","link":"https:\/\/jumpcloud.com\/support\/create-mac-application-privacy-preferences-policy","title":{"rendered":"Create a Mac Application Privacy Preferences Policy"},"content":{"rendered":"\n
<p>Some macOS apps need additional privacy permissions to work correctly. The Application Privacy Preferences policy lets you preapprove permissions for system services for a specific app. Preapproving these services saves you time when managing Apple devices with mobile device management (MDM) because you don't have to ask the end user to handle approvals.</p>
<p>This policy requires three pieces of identifying information for each service that you want to preapprove: a code-signing block, a Bundle ID, and approval of the privacy preferences.</p>
<p>After you create an Application Privacy Preferences Policy and apply it to a device or device group, the policy appears in <strong>System Settings > Privacy & Security > Profiles</strong>. The policy does not appear in <strong>System Settings > Privacy & Security > Full Disk Access</strong>. That location lists apps the user approved, not Admin-approved policies like the Application Privacy Preferences Policy.</p>
<p>You must apply this policy after you upgrade to or install macOS 13 Ventura. If the policy is applied before the device has Ventura installed, the policy is not recognized.</p>
<p>The Application Privacy Preferences policy can only be applied to macOS devices. After you create the policy, you must relaunch the app.</p>
<h2>Creating a Policy to Control Privacy Preferences</h2>
<p>To create an <strong>Application Privacy Preferences policy</strong>:</p>
<h3>Gathering the Code-Signing Block</h3>
<p>macOS devices rely on code-signing information to identify apps that access key resources. Every signed, compiled app on macOS has a code signature that identifies the process that is running the app. Only signed apps can access these key system services, and only signed apps can run on Apple silicon Macs.</p>
<p>To gather the code block necessary for this policy, you need to run a command on a device where the app is installed. From that device, the <code>codesign</code> command prints the app's designated code-signing requirement:</p>
<p><code>codesign -dr - /path/to/application/program.app</code></p>
<p>For example, to run this against the JumpCloud Menu Bar Extra app, you'll copy everything after <code>designated =></code> and paste that into the Code Requirement field in the JumpCloud Application Privacy Preferences Policy:</p>
<pre><code>username@demo-system /Users % codesign -dr - /Applications/Jumpcloud.app
Executable=/Applications/Jumpcloud.app/Contents/MacOS/Jumpcloud
designated => identifier "com.jumpcloud.jcagent-tray" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85</code></pre>
<h3>Locating the Identifier & Identifier Type</h3>
<p>When an app runs on macOS, it represents itself to the system either as a reverse-domain string called a Bundle ID (<code>com.jumpcloud.jcagent-tray</code>) or as a path to the app itself (<code>/Applications/JumpCloud.app/Contents/MacOS/Jumpcloud</code>). You'll need to supply either the Bundle ID or the path to the binary for the app you want to approve.</p>
<p>If you are unsure what the Bundle ID is for the app, you can use the <code>defaults</code> command in Terminal to find it:</p>
<p><code>defaults read /Applications/Jumpcloud.app/Contents/Info.plist CFBundleIdentifier</code></p>
<p>After you have the Bundle ID, set the Identifier to the Bundle ID string and set the Identifier Type to Bundle ID in the policy. If you need to identify the app by the path of its binary instead, supply the path of the binary as the Identifier and change the Identifier Type to Path.</p>
<h3>Approving Privacy Preferences Services</h3>
<p>After you gather the app's code-signing block and the Bundle ID, choose which privilege areas to approve.</p>
<p>macOS has fairly strict controls on app access to user data, ranging from calendars and email to key locations such as the user's Desktop and Documents folders. There are several areas of functionality that Admins can preapprove for individual apps. These areas, called services, let you approve an app's access without asking the end user to handle the approvals for these services.</p>
<p>Approving only the services a given app needs honors the principle of least privilege, and users can still grant or restrict further privileges through their own actions.</p>
<p>JumpCloud lets you approve the following services.</p>
<p><strong>Accessibility</strong></p>
<p>Apple's Accessibility service is a powerful subsystem that allows apps to perform additional functions on behalf of the user, including running scripts and system commands. Frequently, this service is used to perform automations.</p>
<p><strong>Address Book</strong></p>
<p>The native Address Book, and its CardDAV accounts, is a protected area on macOS. Allowing access to the Address Book allows an app to read and write the contents of the Address Book without prompting the user. This could compromise the end user's privacy.</p>
<p><strong>Calendar</strong></p>
<p>The native Calendar, and its CalDAV, Exchange, and Google accounts, is a protected area on macOS. Allowing access to the Calendar allows an app to read and write the contents of the Calendar without prompting the user. This could compromise the end user's privacy.</p>
<p><strong>Allow Access to File Providers</strong></p>
<p>File Providers are special apps in macOS that handle local copies of files synced to a cloud service like Dropbox or OneDrive. Allowing access to File Providers ensures that File Provider apps will be able to write to the local disk. This is an expected part of their operation, but it still needs to be approved by the end user, or the Admin must apply this policy.</p>
<p><strong>Allow Access to Media Library</strong></p>
<p>The Apple Media Library functionality encompasses the user's Photos library, iMovie library, and Apple Music library. As these locations are sensitive, apps cannot use these sources without permission.</p>
<p><strong>Allow Access to Photos</strong></p>
<p>The Apple Photos app has its own library format, and access to the system Photos library is gated by the Privacy Preferences subsystem. This policy allows an app to select user photos without first getting permission from the user.</p>
<p><strong>Allow Access to Reminders</strong></p>
<p>The Apple Reminders app has a database of reminders, and access to the database is gated by the Privacy Preferences subsystem. This policy allows an app to access the database of reminders without first getting permission from the user.</p>
<p><strong>Allow Access to SpeechRecognition</strong></p>
<p>Apple's Siri Speech Recognition service allows users to dictate text into a text field and have the operating system convert their speech into text. This service requires internet access and microphone access. Microphone access must be approved by the end user for this to work correctly.</p>
<p><strong>Allow Access to All Files</strong></p>
<p>Many directories inside and outside the read-only macOS Sealed System Volume (SSV) are protected from unauthorized access by the Privacy Preferences subsystem. Allowing an app to read these files, and to write those that lie outside the SSV, grants fairly broad access. Security tool apps frequently require this level of access.</p>
<p><strong>Allow Access to the Desktop Folder</strong></p>
<p>A user's Desktop folder may contain sensitive information. Allowing an app to read and write files on the user's Desktop gives it full control over those files.</p>
<p><strong>Allow Access to the Documents Folder</strong></p>
<p>A user's Documents folder can contain sensitive information. Allowing an app to read and write files in the user's Documents folder gives it full control over those files.</p>
<p><strong>Allow Access to the Downloads Folder</strong></p>
<p>A user's Downloads folder can contain sensitive information. Allowing an app to read and write files in the user's Downloads folder gives it full control over those files.</p>
<p><strong>Allow Access to Network Volumes</strong></p>
<p>Network Volumes can contain organizationally sensitive information. Allowing an app to read and write files on Network Volumes gives it full control over the files on Network Volumes that the logged-in user can view and write.</p>
<p><strong>Allow Access to Detachable Media</strong></p>
<p>Detachable Media (external disks and disk images) can contain sensitive information. Allowing an app to read and write files on Detachable Media gives it full control over the files on Detachable Media that the logged-in user can view and write.</p>
<p><strong>Allow Access to SysAdmin Files</strong></p>
<p>Some files related to the administration of a macOS device are protected by this permission, including files that protect the authentication systems of macOS. Allowing access to these files grants fairly broad access. Security tool apps frequently require this level of access.</p>
<p><strong>Allow App to Update Applications</strong> (Requires macOS 13+)</p>
<p>An app bundle stores everything that an app requires for successful operation. This service allows the app to replace or update other apps on the device. Available in macOS 13 and later.</p>
<h2>Example</h2>
<p>This example describes the steps to set up access to the Alfred app, a productivity app for macOS that lets users automate tasks on their device. The app requests access to Address Book, Accessibility, and All Files.</p>
<p>To set up access to the Alfred app:</p>
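<p>The code-signing block and Bundle ID steps above, as an added example that is not JumpCloud's own code: this Python script parses the <code>codesign -dr -</code> output quoted on this page and a minimal Info.plist (both embedded as constructed samples so it runs offline), checks that the identifier inside the designated requirement matches <code>CFBundleIdentifier</code>, and assembles the Code Requirement, Identifier and Identifier Type fields together with the list of services to approve. The <code>build_policy</code> function and its output field names are assumptions for illustration, not JumpCloud's API.</p>

```python
import plistlib
import re

# Constructed sample: the `codesign -dr -` output quoted on this page for the JumpCloud Menu Bar Extra.
CODESIGN_OUTPUT = """\
Executable=/Applications/Jumpcloud.app/Contents/MacOS/Jumpcloud
designated => identifier "com.jumpcloud.jcagent-tray" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = N985MXSH85
"""

# Constructed minimal Info.plist carrying the same bundle identifier that `defaults read` would print.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.jumpcloud.jcagent-tray</string>
</dict></plist>"""


def code_requirement(codesign_output):
    """Return everything after 'designated =>': the policy's Code Requirement field."""
    for line in codesign_output.splitlines():
        if line.startswith("designated =>"):
            return line.split("=>", 1)[1].strip()
    raise ValueError("no designated requirement found; the app may be unsigned")


def bundle_identifier(info_plist):
    """Read CFBundleIdentifier, the value 'defaults read .../Info.plist CFBundleIdentifier' prints."""
    return plistlib.loads(info_plist)["CFBundleIdentifier"]


def build_policy(codesign_output, info_plist, services, by_path=None):
    """Assemble the policy fields (hypothetical field names, not JumpCloud's API).
    With by_path set, the Identifier is the binary path and the Identifier Type is Path;
    otherwise the Bundle ID is used. The identifier embedded in the requirement must match
    the bundle ID, or the preapproval will not match the running app."""
    requirement = code_requirement(codesign_output)
    bundle_id = bundle_identifier(info_plist)
    embedded = re.search(r'identifier "([^"]+)"', requirement)
    if embedded and embedded.group(1) != bundle_id:
        raise ValueError(f"requirement identifier {embedded.group(1)} != CFBundleIdentifier {bundle_id}")
    return {
        "CodeRequirement": requirement,
        "Identifier": by_path or bundle_id,
        "IdentifierType": "Path" if by_path else "Bundle ID",
        "Services": sorted(services),  # approve only what the app needs (least privilege)
    }
```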