Privacy Preferences Policy Control (PPPC) pre-approvals for BeProof on macOS 14+. This document complements the macOS Admin Guide and the PPPC mobileconfig template.
Scope
BeProof is local-first. PPPC is optional for baseline scans. Pre-approve only what your org policy requires — unnecessary TCC grants increase exposure.
| Capability | PPPC service | App bundle ID | Required? |
|---|---|---|---|
| Read approved project paths | Usually none (user-selected roots) | — | Baseline |
| Documents / Downloads in scan scope | SystemPolicyDocumentsFolder, SystemPolicyDownloadsFolder | com.beproof.app | Optional |
| Keychain metadata ([POL-G02](https://ag-audit-nine.vercel.app/policy-pack/v1.2.2#pol-g02)) | No reliable PPPC key for all keychain prompts | com.beproof.app | Consent ledger + user prompt |
| Full Disk Access | Do not deploy | — | Not required |
| Screen recording / Accessibility | Do not deploy | — | Not used |
App vs CLI TCC context
| Install type | TCC identity | PPPC target |
|---|---|---|
| BeProofApp.app | com.beproof.app | PPPC template applies |
| CLI in Terminal/iTerm | Parent terminal bundle ID (e.g. com.apple.Terminal) | Separate PPPC for terminal if keychain automation needed |
| CLI via MDM script | com.jamfsoftware.selfservice.mac or invoking agent | Platform-specific |
Recommendation: Use BeProofApp.app for interactive Keychain consent. Use CLI for scheduled scans only after scope and gaps are accepted.
Keychain & consent ([POL-G02](https://ag-audit-nine.vercel.app/policy-pack/v1.2.2#pol-g02))
PPPC does not replace BeProof's consent ledger. Even with Keychain access:
- User or admin records consent in
.beproof/consent-records.json, or - CLI:
--include-keychain --consent-approved-by "<operator>"
Without consent, policy rules depending on keychain metadata remain unevaluated and export shows keychain_metadata coverage gaps — by design.
Customizing the template
- Copy com.beproof.app.pppc.mobileconfig.
- Replace
__TEAM_ID__with your Apple Developer Team ID (matches signed BeProof build). - Generate UUIDs:
uuidgenfor__UUID_ROOT__and__UUID_TCC__. - Remove folder services your scan scope does not need.
- Sign the profile (MDM vendor or
profiles sign). - Deploy to pilot ring before production.
Code requirement verification
After signing BeProofApp.app:
codesign -dv --verbose=4 /Applications/BeProofApp.app 2>&1 | grep TeamIdentifier
spctl -a -vv /Applications/BeProofApp.appUpdate CodeRequirement if you repackage or re-sign with a different certificate.
Validation checklist
- Profile installs without error on macOS 14+ Apple Silicon pilot device
- BeProofApp.app can read paths listed in org overlay
approvedScanRoots - Keychain workflow documented (consent vs accepted gap)
- No Full Disk Access profile deployed
- Export shows expected coverage (no new unexpected TCC denials)
Platform notes
| MDM | PPPC delivery |
|---|---|
| Jamf | Configuration Profiles → Upload signed mobileconfig |
| Intune | Devices → macOS → Configuration → Custom → .mobileconfig |
| Kandji | Library → Profiles → Privacy Preferences |
| Fleet | Controls → Custom settings (upload signed profile) |
See platform runbooks: jamf.md, intune.md, kandji.md, fleet.md.