Preemptively granting permission to Camera and Microphone in macOS

Starting with macOS 10.14, Apple introduced the requirement that applications requesting access to certain APIs would require permissions from the end-user. This is commonly referred to by other IT administrators are Privacy Preference Policy Control (PPPC) or Transparency Consent Control (TCC). The intent is to make the end user aware of what the application they are using requires access to. In 10.14, the list of services that could be whitelisted included 25 TCC services and it has grown to 39 services. From a consumer perspective, the can be a good thing, albeit exhausting, as you need to essentially provide access to multiple services for individual apps.

Apple to their credit has allowed IT administrators to manage most of these services that applications require in order to function by use of configuration profiles when your device is enrolled into an MDM server (whether user approved or via DEP). However for 4 services (Microphone, Camera, ListenEvent, and ScreenCapture), Apple decided that even IT administrators on enterprise-owned devices cannot preemptively provide allow access to these services (one can only deny access). This complicates things because end-users often need to join video conferences on the fly and those applications typically require access to the microphone and camera. If the user gets bombarded with different alerts to provide access, they may accidentally deny it and not be aware how to resolve the issue. Every application/developer is on their own in terms of how to best communicate how to resolve accidental denials of apps to functional services. And for some services, it is implied that you need to quit the app and restart it. Yes, you need to get out of the meeting and re-join it. This becomes an IT support issue as you can imagine.

It’d be great if Apple would provide proper options to allow these services on enterprise-owned devices that are supervised by an MDM server. You can submit feedback to Apple at http://feedbackassistant.apple.com.

To cut to the chase, I was alerted to this article from Zoom last week where it seems that Zoom is recommending that you provide full disk access to Zoom Rooms so that it can then provide itself Camera and Microphone access. Shame on Zoom for doing this since this is after all how we got here in the first place (Dropbox previously got caught doing similar stuff in 2016, but quickly rectified it). But I do get it to some extent. From their perspective, they are concerned about providing as seamless of an experience as possible. And the same is true of IT administrators to some extent. Computers are tools for people to get work done. It shouldn’t be super complicated to join video conference meetings on your computer in 2019. But Apple has made it so.

Since the cat’s out the bag, I made a script that provides camera and microphone access. It was designed to work with Jamf Pro which automatically has granted its binaries full disk access when it’s MDM profile has been user approved (or installed via DEP). This allows the script to make the modifications to the user’s TCC.db. I tested this against Microphone, Camera, ListenEvent, and ScreenCapture services (kTCCServiceMicrophone, kTCCServiceListenEventkTCCServiceCamera, and kTCCServiceScreenCapture). The last two don’t work just so you’re aware.

To use this script, add it to your Jamf Pro server and make use of Jamf Pro Script Parameters:

Parameter 4: is used to provide the full path to the application (e.g. /Application/Firefox.app)
Parameter 5: is used to provide the TCC service name. See $tcc_service_list array for valid entries. Of importance to you will be: “kTCCServiceMicrophone” and “kTCCServiceCamera

The script can be found on my GitHub repo. Feedback/improvements always welcomed.

2 thoughts on “Preemptively granting permission to Camera and Microphone in macOS

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s