(macOS) Deploy a Privacy Preferences Policy Control (PPPC) file

PPPC files for macOS Agent Deployments - x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at August 14th, 2024

What is a Privacy Preferences Policy Control (PPPC) file?

A Privacy Preferences Policy Control (PPPC) file is an XML-formatted metadata file used by the mobile device management (MDM) service on macOS. It lets administrators pre-assign security permissions and other settings for an application.

Certain security settings (notably Full Disk Access permissions) can only be granted to an application via manual user actions or via deployment of a PPPC policy.  

Why do I need it? 

The x360Recover Agent for macOS requires Full Disk Access permissions to fully back up and protect your macOS desktop system. To avoid forcing the user to manually grant the permission to the agent after installation, system administrators may instead deploy a PPPC policy that grants the application its permissions without involving the users.

Deployment of PPPC policies can only be performed via the Apple Mobile Device Management (MDM) service. To use this method, you must have deployed a macOS-compatible RMM or other management tool that supports Mobile Device Management.

For more information on Apple MDM see Intro to mobile device management profiles

Deploy a custom PPPC policy file with Microsoft Intune

Different management tools may have different requirements and procedures for creating and deploying a PPPC policy, but many make use of a standardized XML file format. Check the documentation of your management tools for specific instructions that may be applicable to your environment.

The following is an example using Microsoft Intune as the device management platform.

1. Download the PPPC policy file

A generic PPPC Profile policy file can be downloaded here:

xcloud-agent.mobileconfig: https://updates.axcient.cloud/xcloud-agent/xcloud-agent.mobileconfig

IMPORTANT: You MUST deploy the PPPC Profile policy BEFORE installing the agent for the system to correctly register Full Disk Access permissions. It will not work to deploy the policy after the agent is already installed.

2. Next, deploy the generated profile using your remote management platform.

For example, see Use custom settings for macOS devices in Microsoft Intune for instructions on deploying the policy from Microsoft Intune.

3. Once the PPPC profile has been installed via your management tools, install the agent normally. The Full Disk Access permissions will have already been assigned to the application and backups should be taken without issue.

For more details on agent installation see Install an Agent on macOS.


Deploy a custom PPPC policy file with JumpCloud

JumpCloud natively supports creating and deploying PPPC policy files on macOS managed devices.

To deploy a policy file, first log in to the JumpCloud Admin Portal.

From the Device Management section of the left menu pane, select Policy Management and click the ‘+’ button to create a new policy.

On the New Policy configuration panel, select the ‘Mac’ tab in the top menu bar.

Select Application Privacy Preferences Policy from the list, then click Configure.
 
On the New Policy panel, enter a unique name for the policy to identify it later.

Under Application Information, enter the following:

a. Code requirement:

        identifier "xcloud-agent" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2XN53TAJW4"

b. Identifier:

        /Library/xCloudAgent/Contents/bin/xcloud-agent

c. Identifier type:

        Path

Under Privacy Preferences, click to select ‘Allow Access To All Files’.

Select the desired Policy Groups, Device Groups, or Devices to which the policy should be applied and click Save.

For those technically curious as to how those cryptic identifier settings are derived, they come from the macOS ‘codesign’ utility.

First, manually install the agent onto an available macOS device. After installation, the agent files are located in /Library/xCloudAgent.

To determine the code signing requirements, open a terminal and run the following:

codesign -dv -r - /Library/xCloudAgent/Contents/bin/xcloud-agent
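The following pre-deployment check is an added example, not Axcient's code. It parses a PPPC profile and reports any grant other than Full Disk Access for the agent path pinned to the code requirement listed above. It assumes an unsigned profile (a signed one must be unwrapped first), uses Apple's PPPC payload keys, and builds its sample profiles inline; `/usr/local/bin/helper` is a hypothetical path.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type
AGENT_PATH = "/Library/xCloudAgent/Contents/bin/xcloud-agent"
TEAM_CLAUSE = 'certificate leaf[subject.OU] = "2XN53TAJW4"'
AGENT_REQ = ('identifier "xcloud-agent" and anchor apple generic and '
             'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
             'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
             + TEAM_CLAUSE)

def audit_pppc(profile_bytes):
    """Return findings; an empty list means only the agent's pinned grant exists."""
    profile = plistlib.loads(profile_bytes)  # assumption: unsigned profile
    findings, grants = [], 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                grants += 1
                ident = entry.get("Identifier", "")
                req = entry.get("CodeRequirement", "")
                if service != "SystemPolicyAllFiles":  # Full Disk Access only
                    findings.append(f"unexpected service {service} for {ident}")
                if ident != AGENT_PATH or entry.get("IdentifierType") != "path":
                    findings.append(f"unexpected identifier {ident}")
                if 'identifier "xcloud-agent"' not in req or TEAM_CLAUSE not in req:
                    findings.append(f"code requirement not pinned for {ident}")
    if grants == 0:
        findings.append("profile contains no PPPC grants")
    return findings

def sample_profile(services):
    """Constructed sample profile (not the vendor's file) for the audit."""
    tcc = {"PayloadType": TCC_TYPE, "Services": services}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [tcc]})

def grant(identifier, requirement):
    return {"Identifier": identifier, "IdentifierType": "path",
            "CodeRequirement": requirement, "Allowed": True}

GOOD = sample_profile({"SystemPolicyAllFiles": [grant(AGENT_PATH, AGENT_REQ)]})
# Constructed bad case: an unpinned requirement plus an extra service grant.
BAD = sample_profile({
    "SystemPolicyAllFiles": [grant(AGENT_PATH, "anchor apple generic")],
    "Accessibility": [grant("/usr/local/bin/helper", AGENT_REQ)],
})
if __name__ == "__main__":
    print(audit_pppc(GOOD), audit_pppc(BAD), sep="\n")
```

Run it against the downloaded profile by passing the file's bytes to `audit_pppc` before uploading the profile to your MDM.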


Deploy a custom PPPC policy file with Jamf

If your organization is using Jamf to manage your macOS devices, there is a provided utility for creating the policy files.

For complete details, refer to the instructions located on GitHub for the PPPC Utility.


 
