Documentation · PPPC

PPPC & TCC

Managed deployment

Privacy Preferences Policy Control (PPPC) pre-approvals for BeProof on macOS 14+. This document complements the macOS Admin Guide and the PPPC mobileconfig template.


Scope

BeProof is local-first. PPPC is optional for baseline scans. Pre-approve only what your org policy requires — unnecessary TCC grants increase exposure.

CapabilityPPPC serviceApp bundle IDRequired?
Read approved project pathsUsually none (user-selected roots)Baseline
Documents / Downloads in scan scopeSystemPolicyDocumentsFolder, SystemPolicyDownloadsFoldercom.beproof.appOptional
Keychain metadata ([POL-G02](https://ag-audit-nine.vercel.app/policy-pack/v1.2.2#pol-g02))No reliable PPPC key for all keychain promptscom.beproof.appConsent ledger + user prompt
Full Disk AccessDo not deployNot required
Screen recording / AccessibilityDo not deployNot used

App vs CLI TCC context

Install typeTCC identityPPPC target
BeProofApp.appcom.beproof.appPPPC template applies
CLI in Terminal/iTermParent terminal bundle ID (e.g. com.apple.Terminal)Separate PPPC for terminal if keychain automation needed
CLI via MDM scriptcom.jamfsoftware.selfservice.mac or invoking agentPlatform-specific

Recommendation: Use BeProofApp.app for interactive Keychain consent. Use CLI for scheduled scans only after scope and gaps are accepted.


Keychain & consent ([POL-G02](https://ag-audit-nine.vercel.app/policy-pack/v1.2.2#pol-g02))

PPPC does not replace BeProof's consent ledger. Even with Keychain access:

  1. User or admin records consent in .beproof/consent-records.json, or
  2. CLI: --include-keychain --consent-approved-by "<operator>"

Without consent, policy rules depending on keychain metadata remain unevaluated and export shows keychain_metadata coverage gaps — by design.


Customizing the template

  1. Copy com.beproof.app.pppc.mobileconfig.
  2. Replace __TEAM_ID__ with your Apple Developer Team ID (matches signed BeProof build).
  3. Generate UUIDs: uuidgen for __UUID_ROOT__ and __UUID_TCC__.
  4. Remove folder services your scan scope does not need.
  5. Sign the profile (MDM vendor or profiles sign).
  6. Deploy to pilot ring before production.

Code requirement verification

After signing BeProofApp.app:

codesign -dv --verbose=4 /Applications/BeProofApp.app 2>&1 | grep TeamIdentifier
spctl -a -vv /Applications/BeProofApp.app

Update CodeRequirement if you repackage or re-sign with a different certificate.


Validation checklist

  • Profile installs without error on macOS 14+ Apple Silicon pilot device
  • BeProofApp.app can read paths listed in org overlay approvedScanRoots
  • Keychain workflow documented (consent vs accepted gap)
  • No Full Disk Access profile deployed
  • Export shows expected coverage (no new unexpected TCC denials)

Platform notes

MDMPPPC delivery
JamfConfiguration Profiles → Upload signed mobileconfig
IntuneDevices → macOS → Configuration → Custom → .mobileconfig
KandjiLibrary → Profiles → Privacy Preferences
FleetControls → Custom settings (upload signed profile)

See platform runbooks: jamf.md, intune.md, kandji.md, fleet.md.