Gil Burns edited this page Feb 28, 2026 · 2 revisions

Intune PPPC Utility

Intune PPPC Utility is a native macOS app for creating and editing Privacy Preferences Policy Control (PPPC) configuration profiles for deployment through Microsoft Intune as a Settings Catalog configuration.

[Screenshot: Intune PPPC Utility Main Window]


What is a PPPC Profile?

macOS requires user consent before an app can access protected resources such as contacts, the camera, the microphone, files, and more. In a managed environment, IT administrators can pre-approve (or deny) these permissions using a PPPC configuration profile, so users are not prompted each time.

Microsoft Intune delivers these profiles to managed Macs using its own JSON-based policy format. Intune PPPC Utility lets you build and maintain these JSON files using a native Mac interface — no manual JSON editing required.


Features

  • 24 PPPC service types — covers every macOS privacy category manageable by MDM
  • App icon resolution — section headers display the real app icon and name for installed apps
  • Code requirement reader — reads the designated code requirement directly from any installed app or command-line tool
  • Apple Events support — sender → receiver pairs with a duplicate button and a Common Receivers menu
  • Import from mobileconfig — convert an existing .mobileconfig PPPC payload to Intune JSON in one step
  • Import from TCC database — read your Mac's live TCC approvals and import them as a starting point
  • Automatic updates — built-in Sparkle update checking

Why Use This App Instead of the Intune Console?

The Microsoft Intune admin center lets you configure PPPC settings directly, but it does not validate your entries before saving, and certain combinations that the console happily accepts will cause a profile to silently fail and never deploy to devices. Intune PPPC Utility is purpose-built to prevent these mistakes.

Pitfalls the Console Doesn't Catch

Mixing Allowed and Authorization in the same entry

Each app entry must use either the Allowed key (true/false) or the Authorization key (an enum) — never both. The Intune console will let you configure both keys simultaneously without warning. The result is a profile that appears valid in the admin center but fails schema validation when Intune tries to deliver it, leaving the policy permanently stuck in a "Pending" state on every device.

Intune PPPC Utility enforces a single permission model per entry. Switching between Allowed and Authorization automatically clears the other field — you cannot produce an invalid combination.

Deny or Allow for Camera and Microphone

Camera and Microphone can only be denied by a PPPC policy: macOS does not permit MDM to pre-approve access to these sensors. The Intune console will let you set them to Allow anyway. The resulting profile deploys but produces no effect (or may be rejected outright on newer macOS versions).

Intune PPPC Utility only offers Deny for Camera and Microphone entries, matching what macOS actually supports.

Wrong authorization values for Input Monitoring and Screen Recording

ListenEvent (Input Monitoring) and ScreenCapture (Screen Recording) support only Deny and Allow Standard User to Set System Service — the full Allow is not available for these types via MDM policy. The console does not enforce this limit.

Intune PPPC Utility restricts the available values for these service types automatically.

Missing or incorrect code requirements

A profile entry with an empty or malformed code requirement will be delivered by Intune but silently ignored by macOS, because macOS cannot verify the app's identity. The console has no mechanism to validate code requirements at entry time.

Intune PPPC Utility provides a Read from App Bundle… button that reads the designated requirement directly from the installed app using codesign, ensuring the value is always correct.
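
The checks described in this section, written as a small linter (an added example, not code from Intune PPPC Utility). It assumes the key names of Apple's com.apple.TCC.configuration-profile-policy payload (Services, Identifier, CodeRequirement, Allowed, Authorization) rather than Intune's JSON wrapper; the sample entries, the com.example identifiers and the "designated =>" heuristic are constructed for illustration.

```python
# Added example: lint PPPC entries for the pitfalls described above.
# Assumption: input is the "Services" dictionary of an Apple
# com.apple.TCC.configuration-profile-policy payload, not Intune's JSON.
STANDARD_USER = "AllowStandardUserToSetSystemService"
AUTH_VALUES = {"Allow", "Deny", STANDARD_USER}
DENY_ONLY = {"Camera", "Microphone"}
NO_FULL_ALLOW = {"ListenEvent", "ScreenCapture"}

def lint_services(services):
    """Return (service, identifier, problem) tuples for every bad entry."""
    findings = []
    for service, entries in services.items():
        for entry in entries:
            problems = []
            auth = entry.get("Authorization")
            if "Allowed" in entry and auth is not None:
                problems.append("both Allowed and Authorization are set")
            if auth is not None and auth not in AUTH_VALUES:
                problems.append(f"unknown Authorization value {auth!r}")
            full_allow = entry.get("Allowed") is True or auth == "Allow"
            if service in DENY_ONLY and (full_allow or auth == STANDARD_USER):
                problems.append("only Deny is supported for this service")
            if service in NO_FULL_ALLOW and full_allow:
                problems.append("full Allow is not available for this service")
            req = str(entry.get("CodeRequirement", "")).strip()
            if not req:
                problems.append("code requirement is empty")
            elif req.startswith("designated =>"):
                # Heuristic: raw codesign output pasted with its label.
                problems.append("code requirement keeps the 'designated =>' label")
            ident = entry.get("Identifier", "<no identifier>")
            findings += [(service, ident, p) for p in problems]
    return findings

# Constructed sample entries; the com.example identifiers are placeholders.
REQ = 'identifier "com.example.app" and anchor apple generic'
SAMPLE_SERVICES = {
    "SystemPolicyAllFiles": [{"Identifier": "com.example.backup",
        "CodeRequirement": REQ, "Allowed": True, "Authorization": "Allow"}],
    "Camera": [{"Identifier": "com.example.meet",
        "CodeRequirement": REQ, "Authorization": "Allow"}],
    "ScreenCapture": [{"Identifier": "com.example.support",
        "CodeRequirement": "", "Authorization": STANDARD_USER}],
    "Microphone": [{"Identifier": "com.example.meet",
        "CodeRequirement": REQ, "Authorization": "Deny"}],
}

if __name__ == "__main__":
    for service, ident, problem in lint_services(SAMPLE_SERVICES):
        print(f"{service}: {ident}: {problem}")
```

Running the linter over an exported payload before upload surfaces each entry that would stall in "Pending" or be ignored on the device, with the service and identifier needed to find it.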

The Result

A profile built with Intune PPPC Utility is one that Intune can deliver and macOS can enforce. Every validation rule is baked into the app, so the constraints that matter are in the tool you use to build the profile — not discovered later when devices fail to receive their permissions.


Requirements

  • macOS 15 or later
  • Microsoft Intune subscription (for deployment)
  • Full Disk Access (required only for TCC database import functionality)

Wiki Pages

| Page | Description |
| --- | --- |
| Getting Started | Installation and first launch |
| Creating a Profile | Building a profile from scratch |
| Importing Data | Import from mobileconfig or TCC database |
| Service Types Reference | All 24 PPPC service types and their restrictions |
| Apple Events | Working with the Apple Events service type |
| Code Requirements | Understanding and obtaining code requirements |
| Uploading to Intune | Getting your profile into Intune |

Quick Start

  1. Launch the app — a new blank profile opens automatically
  2. Enter a Profile Name in the sidebar
  3. Click + to add a PPPC service type
  4. Select the service, then click Add App to add an application
  5. Fill in the Identifier and use Read from App Bundle… to get the code requirement
  6. File → Save to write the .json file
  7. Upload the JSON to Intune
