-
Notifications
You must be signed in to change notification settings - Fork 78
/
Copy pathcom.apple.TCC.configuration-profile-policy.yaml
302 lines (300 loc) · 9.82 KB
/
com.apple.TCC.configuration-profile-policy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
title: Privacy Preferences Policy Control
description: Configures Security Preferences:Privacy settings
payload:
payloadtype: com.apple.TCC.configuration-profile-policy
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.14'
multiple: true
devicechannel: true
userchannel: false
requiresdep: false
userapprovedmdm: true
allowmanualinstall: false
userenrollment:
mode: forbidden
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
payloadkeys:
- key: Services
type: <dictionary>
presence: required
content: A dictionary whose keys are limited to the privacy policy control services. In
the case of conflicting specifications, the most restrictive setting (deny) is
used.
subkeys:
- key: AddressBook
type: <array>
presence: optional
content: Specifies the policies for contact information managed by the Contacts.app.
subkeytype: Identity
subkeys: &id001
- key: IdentityDict
type: <dictionary>
subkeys:
- key: Identifier
type: <string>
presence: required
content: The bundle ID or installation path of the binary.
- key: IdentifierType
type: <string>
presence: required
rangelist:
- bundleID
- path
content: The type of identifier value. Application bundles must be identified
by bundle ID. Nonbundled binaries must be identified by installation path.
Helper tools embedded within an application bundle automatically inherit
the permissions of their enclosing app bundle.
- key: CodeRequirement
type: <string>
presence: required
content: Obtained via the command “'codesign -display -r -'”.
- key: StaticCode
type: <boolean>
presence: optional
default: false
content: If 'true', statically validate the code requirement. Used only if
the process invalidates its dynamic code signature.
- key: Allowed
type: <boolean>
presence: required
content: |-
If 'true', access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value.
Every payload needs to include either 'Authorization' or 'Allowed', but not both.
- key: Authorization
supportedOS:
macOS:
introduced: '11.0'
type: <string>
presence: optional
rangelist:
- Allow
- Deny
- AllowStandardUserToSetSystemService
content: |-
The 'Authorization' key is an optional replacement for the 'Allowed' key, which has one of the following possible values:
* 'Allow': Equivalent to a 'true' value for the 'Allowed' key
* 'Deny': Equivalent to a 'false' value for the 'Allowed' key
* 'AllowStandardUserToSetSystemService': Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the 'ListenEvent' and 'ScreenCapture' services
Every payload needs to include either 'Authorization' or 'Allowed', but not both.
Available in macOS 11 and later.
- key: Comment
type: <string>
presence: optional
content: Not used.
- key: AEReceiverIdentifier
type: <string>
presence: optional
content: The identifier of the process receiving an AppleEvent sent by the
Identifier process. This identifier is required for AppleEvents service;
not valid for other services.
- key: AEReceiverIdentifierType
type: <string>
presence: optional
rangelist:
- bundleID
- path
content: The type of AEReceiverIdentifier value, either 'bundleID' or 'path'.
This setting is required for AppleEvents service; not valid for other services.
- key: AEReceiverCodeRequirement
type: <string>
presence: optional
content: The code requirement for the receiving binary. This code requirement
is required for AppleEvents service; not valid for other services.
- key: Calendar
type: <array>
presence: optional
content: Specifies the policies for calendar information managed by the Calendar.app.
subkeytype: Identity
subkeys: *id001
- key: Reminders
type: <array>
presence: optional
content: Specifies the policies for reminders information managed by the Reminders
app.
subkeytype: Identity
subkeys: *id001
- key: Photos
type: <array>
presence: optional
content: The pictures managed by the Photos app in '~/Pictures/.photoslibrary'.
subkeytype: Identity
subkeys: *id001
- key: Camera
type: <array>
presence: optional
content: A system camera. Access to the camera can't be given in a profile; it
can only be denied.
subkeytype: Identity
subkeys: *id001
- key: Microphone
type: <array>
presence: optional
content: A system microphone. Access to the microphone can't be given in a profile;
it can only be denied.
subkeytype: Identity
subkeys: *id001
- key: Accessibility
type: <array>
presence: optional
content: Specifies the policies for the app via the Accessibility subsystem.
subkeytype: Identity
subkeys: *id001
- key: PostEvent
type: <array>
presence: optional
content: Specifies the policies for the application to use CoreGraphics APIs to
send CGEvents to the system event stream.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyAllFiles
type: <array>
presence: optional
content: Allows the application access to all protected files, including system
administration files.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicySysAdminFiles
type: <array>
presence: optional
content: Allows the application access to some files used in system administration.
subkeytype: Identity
subkeys: *id001
- key: AppleEvents
type: <array>
presence: optional
content: Specifies the policies for the app sending restricted AppleEvents to
another process.
subkeytype: Identity
subkeys: *id001
- key: MediaLibrary
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to access Apple Music, music and video activity,
and the media library.
subkeytype: Identity
subkeys: *id001
- key: FileProviderPresence
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows a File Provider application to know when the user is using files
managed by the File Provider.
subkeytype: Identity
subkeys: *id001
- key: ListenEvent
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to use CoreGraphics and HID APIs to listen to
(receive) CGEvents and HID events from all processes. Access to these events
can't be given in a profile; it can only be denied.
subkeytype: Identity
subkeys: *id001
- key: ScreenCapture
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to capture (read) the contents of the system display.
Access to the contents can't be given in a profile; it can only be denied.
subkeytype: Identity
subkeys: *id001
- key: SpeechRecognition
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to use the system Speech Recognition facility
and to send speech data to Apple.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyDesktopFolder
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to access files in the user's Desktop folder.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyDocumentsFolder
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to access files in the user's Documents folder.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyDownloadsFolder
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to access files in the user's Downloads folder.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyNetworkVolumes
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to access files on network volumes.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyRemovableVolumes
supportedOS:
macOS:
introduced: '10.15'
type: <array>
presence: optional
content: Allows the application to access files on removable volumes.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyAppBundles
supportedOS:
macOS:
introduced: '13.0'
type: <array>
presence: optional
content: Allows the application to update or delete other apps. Available in macOS
13 and later.
subkeytype: Identity
subkeys: *id001
- key: SystemPolicyAppData
supportedOS:
macOS:
introduced: '14.0'
type: <array>
presence: optional
content: Allows the application to access data of other apps.
subkeytype: Identity
subkeys: *id001
- key: BluetoothAlways
supportedOS:
macOS:
introduced: '11.0'
type: <array>
presence: optional
content: Specifies the policies for the app to access Bluetooth devices.
subkeytype: Identity
subkeys: *id001