Add the Privacy Preferences Profile

Introduced in macOS Mojave, the Privacy Preferences Policy payload allows administrators to grant or deny access to protected resources on a user's behalf.   This ensures applications work as expected and minimizes disruption to the device user by preemptively granting user consent for data access.

In this section, you'll configure User Consent for Data Access via a Privacy Preferences Policy for your test device.

1. Add a macOS Device Profile

In the Workspace ONE UEM console:

  1. Select Devices
  2. Select Profiles & Resources
  3. Select Profiles
  4. Select Add
  5. Select Add Profile

2. Select Profile Platform

Select the macOS icon.

3. Select the Profile Context

Select the Device Profile icon.

4. Profile General Settings

Configure the device profile as follows:

  1. Select General if it is not already selected.
  2. Enter macOS Privacy Preferences for the profile name.
  3. Select Auto for the Assignment Type.
  4. Scroll down to the Smart Groups field and click in the search box. This displays the list of created Smart Groups. Enter All Devices and select the All Devices ([email protected]) group.

Note: You DO NOT need to click Save or Save & Publish at this point.  This interface allows you to move around to different payload configuration screens before saving.

5. Select the Profile Payload

  1. Enter Privacy in the Profile search box.
  2. Click Privacy Preferences
  3. Click Configure

6. Add App to Privacy Preferences Payload

Click Add App

7. Understanding App Privacy Preferences

Some applications only require access to protected services and data locations. In these cases, you choose which service or data location should be allowed or denied. In this step, you'll grant the VMware Horizon client access to Accessibility features.

More detail about User Consent for Data Access and how to locate the bundle identifier or code requirement can be found on VMware's TechZone Blog:  https://techzone.vmware.com/blog/vmware-workspace-one-uem-apple-macos-mojave-user-consent-data-access

8. Configure App Privacy Preferences

  1. Enter com.vmware.horizon as the identifier
  2. Click Bundle ID
  3. Enter the following as the Code Requirement:
     identifier "com.vmware.horizon" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = EG7KH642X6
    NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!

9. Configure Accessibility

  1. Scroll down until you see the option for the service Accessibility
  2. Select the option Allow from the dropdown
  3. Click Save

Additional detail and sample Privacy Preference settings can be found on the VMware Samples GitHub Repository:   https://github.com/vmware-samples/AirWatch-samples/tree/master/macOS-Samples/Privacy%20Preferences%20Policy%20Control

10. Add App to Privacy Preferences Payload

Click Add App

11. Configure App Privacy Preferences

Some applications require access to protected services and data locations, as well as access to other applications.   In these cases, you can also augment your app definition by specifying which applications can be sent Apple Events from the app in the definition.   In this specific step, you'll grant Microsoft Outlook the rights to send Apple Events to Skype for Business.  

More detail about User Consent for Data Access and how to locate the bundle identifier or code requirement can be found on VMware's TechZone Blog:  https://techzone.vmware.com/blog/vmware-workspace-one-uem-apple-macos-mojave-user-consent-data-access

12. Add Privacy Preferences for Outlook

  1. Enter com.microsoft.Outlook as the identifier
  2. Click Bundle ID
  3. Enter the following as the Code Requirement:
     identifier "com.microsoft.Outlook" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
    NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!

13. Configure Apple Events

  1. Scroll down until you see the option for Apple Events.
  2. Click Allow for Apple Events
  3. Enter com.microsoft.SkypeForBusiness as the identifier
  4. Click Bundle ID
  5. Enter the following as the Code Requirement:
     identifier "com.microsoft.SkypeForBusiness" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AL798K98FX
    NOTE: Remember that you can select text in the manual and drag-and-drop the text into the workstation console to copy and paste!
  6. Click Save

Additional detail and sample Privacy Preference settings can be found on the VMware Samples GitHub Repository:   https://github.com/vmware-samples/AirWatch-samples/tree/master/macOS-Samples/Privacy%20Preferences%20Policy%20Control
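
The following added example (not part of the original lab or of VMware's samples) audits the entries configured in steps 8 through 13 as they appear in Apple's com.apple.TCC.configuration-profile-policy payload. Each grant should carry a code requirement that names the same bundle ID and pins the vendor's Team ID, so the permission follows the signed app rather than any binary that reuses the identifier. The helper names and the payload fragment are constructed for illustration; a full profile carries additional keys.

```python
import plistlib
import re
# Code requirement template copied from the steps above; {0} = bundle ID, {1} = Team ID.
REQ = ('identifier "{0}" and anchor apple generic and '
       'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
       'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
       'certificate leaf[subject.OU] = {1}')
ID_RE = re.compile(r'identifier\s+"([^"]+)"')
TEAM_RE = re.compile(r'certificate\s+leaf\[subject\.OU\]\s*=\s*"?[A-Z0-9]{10}\b')

def entry(bundle_id, team_id, **extra):
    """One app entry as it appears under a service in the payload."""
    return {"Identifier": bundle_id, "IdentifierType": "bundleID",
            "CodeRequirement": REQ.format(bundle_id, team_id),
            "Allowed": True, **extra}

def build_payload():
    """Constructed fragment: only the keys audited here, not a full profile."""
    skype = "com.microsoft.SkypeForBusiness"
    outlook = entry("com.microsoft.Outlook", "UBF8T346G9",
                    AEReceiverIdentifier=skype, AEReceiverIdentifierType="bundleID",
                    AEReceiverCodeRequirement=REQ.format(skype, "AL798K98FX"))
    return {"PayloadType": "com.apple.TCC.configuration-profile-policy",
            "Services": {"AppleEvents": [outlook], "Accessibility": [
                entry("com.vmware.horizon", "EG7KH642X6")]}}

def check(app, prefix, where):
    """Flag a requirement that is unpinned or names a different app."""
    ident, req = app.get(prefix + "Identifier"), app.get(prefix + "CodeRequirement") or ""
    out, m = [], ID_RE.search(req)
    if not TEAM_RE.search(req):
        out.append(f"{where}: not pinned to a Team ID (subject.OU)")
    if app.get(prefix + "IdentifierType") == "bundleID" and (m is None or m.group(1) != ident):
        out.append(f"{where}: requirement does not name {ident}")
    return out

def audit(plist_bytes):
    """Return findings for every app and Apple Events receiver in the payload."""
    findings = []
    for service, apps in plistlib.loads(plist_bytes).get("Services", {}).items():
        for app in apps:
            where = f"{service}/{app.get('Identifier')}"
            findings += check(app, "", where)
            if "AEReceiverIdentifier" in app:
                findings += check(app, "AEReceiver", where + " -> receiver")
    return findings

if __name__ == "__main__":
    print(audit(plistlib.dumps(build_payload())) or "all grants pinned")
```

An empty result means every grant, including the Apple Events receiver, is tied to both the bundle ID and the signing team entered in the console.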

14. Save and Publish Profile

Click Save and Publish

15. Publish the Device Profile

Click the Publish button.
