Possible to deploy privacy & security settings through Profiles?

[Tobias.vonLienen]

Many apps on macOS require an admin user to allow certain privacy & security settings, e.g. Teams needs Accessibility access and screen recording rights.

Is there a way to deploy these settings through profiles or maybe even elevate a normal user to grant specific rights?

(Another example: I can't pause/unpause a printer from the print center because this requires admin privileges)

[Sean]

TCC/PPPC rights, as they are known, are managed with Security & Privacy profiles.  There are two different Security & Privacy Profile types (Apple used to have this all in one profile and then they split out TCC from the rest):

 

There are two profiles in our example TeamViewer recipe which offers two approaches to options which you may find useful, since there will be some similarity:

https://kb.filewave.com/books/teamviewer/page/teamviewer-macos-client-setup

Apple never made this easy, when it comes to identifying what is required:

https://kb.filewave.com/books/profiles-apple/page/macos-privacy-preferences-payload-in-mojave-1014

But you may well find examples on the Web specifically for Teams.  Many major vendors supply the necessary details to configure these settings.

 

Printer settings are different.  This is standard admin permissions and staff users do not have the ability to manage many print features by default.  However, you can add users to additional groups.  Something like:

/usr/sbin/dseditgroup -o edit -n /Local/Default -a staff -t group lpadmin

 

[damnlyons]

Hey @Tobias.vonLienen, I'd imagine you've probably already solved this by now, but maybe this will help someone else. Here's an example config profile for Teams. An easy way of creating these profiles is to use the PPPC Utility provided by Jamf: https://github.com/jamf/PPPC-Utility, it takes care of a lot of the guesswork.

Microsoft Teams PPPC Prefs Big Sur +.mobileconfig