App Management (PPPC)
Starting with macOS Ventura (13), updater apps need an additional privacy control to allow them to update or delete other apps. The Catalog Agent and Catalog App (or parent processes) need this permission to be able to update all types of apps. In Apple's documentation specifically, this is called SystemPolicyAppBundles. In macOS Ventura's System Settings this is found under Privacy & Security -> App Management.
MDM solutions may provide support to configure SystemPolicyAppBundles or sometimes you need to create and upload a custom Configuration Profile. Alternatively you can use SystemPolicyAllFiles, also known as Full Disk Access, which may be more compatible or easier to configure in your MDM solution.
Create Configuration Profile
There two binaries that need the SystemPolicyAppBundles permission:
Catalog Agent
Usually the Catalog Agent is called by another process, such as the MDM's agent. In those cases you need to grant the agent the SystemPolicyAppBundles permission, but often the MDM solution automatically takes care of this and grants the SystemPolicyAllFiles permission. In those cases, there is no action required. Otherwise you may need to figure out the parent process, get the Identifier, Identifier Type, Code Requirements and then create the Configuration Profile.
macOS 13 and later
For macOS 13 and later, the Catalog Agent uses a modern LaunchDaemon and autonomously performs an update schedule. This required additional privacy permissions as there is no parent process, just the Catalog Agent process itself. Check Updating Apps for more information.
Therefore you need to explicitely grant the SystemPolicyAppBundles permission in a Privacy Preference Policy Control profile (PPPC):
Allowed:
true
Identifier:
nl.root3.catalog
IdentifierType: Bundle ID
CodeRequirement:
Privileged Helper Tool
The Privileged Helper Tool operates individually and is called from the main app and not by the MDM solution. Therefore you need to explicitely grant the SystemPolicyAppBundles permission in a Privacy Preference Policy Control profile (PPPC):
Allowed:
true
Identifier:
/Library/PrivilegedHelperTools/nl.root3.catalog.helper
IdentifierType: Path
CodeRequirement:
Example
Below are provided two example Configuration Profiles where all required processes are granted using either SystemPolicyAppBundles (App Management) or SystemPolicyAllFiles (Full Disk Access), depending on your preference:
App Management (option 1)
Full Disk Access (option 2)
Last updated