Service Types
A PPPC profile is organized by service type. Each service type controls access to a specific macOS privacy category. Below is a reference for all 24 service types that can be managed through an Intune configuration policy.
Not all service types behave the same in a PPPC policy:
| Restriction | Affected types |
|---|---|
| Deny only — Allow is not available via policy (users must approve via dialog) | Camera, Microphone |
| Authorization values limited — only Deny and Allow Standard User are available | ListenEvent (Input Monitoring), ScreenCapture (Screen Recording) |
| Apple Events receiver fields — requires additional sender/receiver configuration | Apple Events |
| Comment field — supports an optional descriptive comment | Bluetooth Always |
| Deprecated — policy management no longer available as of macOS 26.2; removed in macOS 27.0 | Accessibility |
Allows an application to control the Mac using macOS Accessibility features (e.g., controlling the mouse, reading screen content).
Typical use: Automation tools, assistive technology, remote support agents.
⚠️ Deprecated in macOS 26.2. Apple has deprecated the ability to manage Accessibility access via PPPC configuration profile. Existing profiles that include this service type will continue to function on macOS 26.2, but the setting will be fully removed in macOS 27.0. Plan to remove Accessibility entries from your profiles before upgrading your fleet to macOS 27.0.
Access to the user's Contacts database.
Typical use: Email clients, CRM apps, communication tools.
Allows one application to send Apple Events to another application. This is how scripting and automation between apps works.
This service type requires both a sender app and a receiver app to be specified. See Apple Events for a detailed guide.
Typical use: Script runners, automation tools, JumpCloud, 1Password CLI.
Access to Bluetooth hardware.
This service type supports an optional Comment field, which can be used to describe the purpose of the entry.
Typical use: Peripheral management apps, wireless input device software.
Access to the user's calendar data in the Calendar app.
Typical use: Calendar apps, productivity tools, scheduling software.
Access to the built-in or external camera.
⚠️ Deny only. PPPC can only deny camera access. Approvals must come from user consent dialogs — they cannot be pre-approved via a configuration profile. This service type is not shown in the TCC import because approvals cannot be managed this way.
Allows an application to determine whether a user is actively using a file provider extension.
Typical use: Cloud storage apps with file provider extensions.
Allows an application to receive keyboard and mouse events from all processes (input monitoring).
⚠️ Authorization values are limited to Deny and Allow Standard User to Set System Service only.
Typical use: Keyboard utilities, automation tools, accessibility software.
Access to the user's Apple Music library, music activity, and media playback history.
Typical use: Media players, music sync tools.
Access to the built-in or external microphone.
⚠️ Deny only. Same restriction as Camera — access can only be denied, not pre-approved, via a configuration profile.
Access to the user's Photos library.
Typical use: Photo editing apps, backup tools, image importers.
Allows an application to create and post synthetic keyboard and mouse events to the system event stream.
Typical use: Automation and testing tools, remote support agents.
Access to the user's Reminders database.
Typical use: Task managers, productivity apps, calendar tools.
Allows an application to capture the screen contents.
⚠️ Authorization values are limited to Deny and Allow Standard User to Set System Service only.
Typical use: Screen recording apps, remote desktop tools, video conferencing with screen share.
Access to the speech recognition system to convert user speech to text.
Typical use: Dictation software, voice-controlled apps.
Provides access to all protected files on the system, equivalent to Full Disk Access.
Typical use: Backup agents, security tools, antivirus software, management agents.
Access to the files inside application bundles.
Typical use: Developer tools, app scanners, deployment tools.
Access to application-specific data in container directories.
Typical use: Backup tools, migration utilities.
Access to files in the user's Desktop folder.
Typical use: File management tools, sync clients.
Access to files in the user's Documents folder.
Typical use: Office suites, file management tools, sync clients.
Access to files in the user's Downloads folder.
Typical use: Download managers, browsers, file management tools.
Access to files on network-mounted volumes.
Typical use: Backup agents, file sync tools, management software.
Access to files on removable storage (USB drives, SD cards, etc.).
Typical use: Backup tools, media management software, device management agents.
Access to system administration files such as configuration databases and security settings.
Typical use: Management agents, endpoint security tools, IT administration software.
Used by most service types:
| Value | Effect |
|---|---|
| Allow | Pre-approves the app for this permission — the user will not be prompted |
| Deny | Permanently denies the app for this permission |
Used by service types that support the standard user override:
| Value | Effect |
|---|---|
| Allow | Pre-approves the app |
| Deny | Permanently denies the app |
| Allow Standard User to Set System Service | Allows a standard (non-admin) user to approve or deny the permission themselves |
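The restrictions and authorization values above can be checked mechanically before a profile is uploaded. The following is an added example, not code from this project: it assumes the profile is an unsigned plist in Apple's raw payload format (the `Services` dictionary with `Authorization`, the legacy `Allowed` boolean, and `AEReceiverIdentifier`), and every `com.example.*` identifier is constructed. The sample omits `CodeRequirement` for brevity.

```python
import plistlib

TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"Camera", "Microphone"}               # Allow not available via policy
NO_PLAIN_ALLOW = {"ListenEvent", "ScreenCapture"}  # Deny / standard-user override only
DEPRECATED = {"Accessibility"}                     # per the macOS 26.2 note on this page

def authorization(entry):
    """Return the entry's Authorization string, mapping the legacy Allowed boolean."""
    if "Authorization" in entry:
        return entry["Authorization"]
    if "Allowed" in entry:
        return "Allow" if entry["Allowed"] else "Deny"
    return None

def audit_profile(profile_bytes):
    """Return (service, identifier, problem) for entries that break the page's rules."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                ident, auth = entry.get("Identifier", "<missing>"), authorization(entry)
                if service in DENY_ONLY and auth != "Deny":
                    findings.append((service, ident, "only Deny is valid"))
                if service in NO_PLAIN_ALLOW and auth == "Allow":
                    findings.append((service, ident, "Allow is not available"))
                if service in DEPRECATED:
                    findings.append((service, ident, "deprecated service type"))
                if service == "AppleEvents" and not entry.get("AEReceiverIdentifier"):
                    findings.append((service, ident, "missing receiver app"))
    return findings

def constructed_profile():
    """Constructed sample profile; every identifier is a placeholder."""
    def app(ident, **fields):
        return [{"Identifier": f"com.example.{ident}", "IdentifierType": "bundleID", **fields}]
    services = {
        "Camera": app("meeting", Authorization="Allow"),
        "Microphone": app("meeting", Authorization="Deny"),
        "ScreenCapture": app("remote", Authorization="AllowStandardUserToSetSystemService"),
        "ListenEvent": app("keys", Allowed=True),
        "Accessibility": app("remote", Authorization="Allow"),
        "AppleEvents": app("runner", Authorization="Allow"),
        "SystemPolicyAllFiles": app("edr", Authorization="Allow"),
    }
    return plistlib.dumps({"PayloadContent": [{"PayloadType": TCC_PAYLOAD, "Services": services}]})

if __name__ == "__main__":
    for finding in audit_profile(constructed_profile()):
        print(*finding, sep=" | ")
```

On the constructed profile, the Camera, ListenEvent, Accessibility and Apple Events entries are reported; the Microphone, ScreenCapture and Full Disk Access entries pass.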