App Management (PPPC)

Starting with macOS Ventura (13), an app that updates or deletes other apps needs an additional privacy permission, and for Catalog SystemPolicyAllFiles (Full Disk Access) needs to be granted for this. The Catalog Agent and Catalog App (or their parent processes) need this permission to be able to update all types of apps.

The App Management permission (SystemPolicyAppBundles) may also work, but we have still seen cases where SystemPolicyAllFiles was required to complete an app update. Our recommendation is therefore to grant SystemPolicyAllFiles.

Create Configuration Profile

There are two binaries that need the SystemPolicyAllFiles permission:

Catalog Agent

Usually the Catalog Agent is called by another process, such as the MDM's agent. In that case the calling (parent) process needs the SystemPolicyAllFiles permission. Many MDM solutions grant this permission to their own agent automatically, and then no action is required. Otherwise you need to identify the parent process, obtain its Identifier, Identifier Type and Code Requirement, and create the Configuration Profile from those values. The designated requirement of a signed binary can be read with codesign -d -r - followed by the path to the binary.

macOS 13 and later

For macOS 13 and later, the Catalog Agent runs from its own LaunchDaemon and performs the update schedule autonomously. In that case there is no parent process, only the Catalog Agent process itself, so the privacy permission has to be granted to the agent directly. Check Updating Apps for more information.

Therefore you need to explicitly grant the SystemPolicyAllFiles permission in a Privacy Preferences Policy Control (PPPC) profile:

  • Allowed: true

  • Identifier: nl.root3.catalog

  • IdentifierType: Bundle ID (bundleID in the raw profile)

  • CodeRequirement:

anchor apple generic and identifier "nl.root3.catalog" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "98LJ4XBGYK")

Privileged Helper Tool

The Privileged Helper Tool runs on its own and is called from the main app, not by the MDM solution, so no MDM agent permission covers it. Therefore you need to explicitly grant the SystemPolicyAllFiles permission in a Privacy Preferences Policy Control (PPPC) profile:

  • Allowed: true

  • Identifier: /Library/PrivilegedHelperTools/nl.root3.catalog.helper

  • IdentifierType: Path (path in the raw profile)

  • CodeRequirement:

anchor apple generic and identifier "nl.root3.catalog.helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "98LJ4XBGYK")

Example

Below is an example Configuration Profile in which all required processes are granted SystemPolicyAllFiles (Full Disk Access). Note that PPPC payloads are only applied when the profile is delivered through MDM; a profile installed manually is not honoured:
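As an added example (not Catalog's or Root3's own code), the script below generates the PPPC profile described in the two sections above with the Python standard library only, and lints the result for the mistake that most often breaks such profiles: a CodeRequirement whose identifier clause names a different binary than the Identifier field. The payload identifiers, UUIDs and organization name are placeholders; the team ID, bundle ID, helper path and requirement strings are the ones given on this page.

```python
"""Generate and sanity-check a PPPC profile granting SystemPolicyAllFiles to
the Catalog Agent (bundleID) and the Privileged Helper Tool (path).
Added example; payload identifiers, UUIDs and organization are placeholders."""
import plistlib
import re
import uuid
from pathlib import PurePosixPath

TEAM_ID = "98LJ4XBGYK"                     # team ID from the page's requirements
AGENT_BUNDLE_ID = "nl.root3.catalog"
HELPER_PATH = "/Library/PrivilegedHelperTools/nl.root3.catalog.helper"
PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"


def designated_requirement(identifier):
    """Same shape as the page's strings: Mac App Store leaf, OR Developer ID
    intermediate AND Developer ID Application leaf AND the team ID in the OU.
    'and' binds tighter than 'or' in the requirement language."""
    return (
        f'anchor apple generic and identifier "{identifier}" and '
        "(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
        "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
        "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
        f'certificate leaf[subject.OU] = "{TEAM_ID}")'
    )


def tcc_entry(identifier, identifier_type, code_requirement):
    """One element of a Services array; IdentifierType is 'bundleID' or 'path'."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError(f"unsupported IdentifierType: {identifier_type}")
    return {"Identifier": identifier, "IdentifierType": identifier_type,
            "CodeRequirement": code_requirement, "Allowed": True}


def build_profile(entries=None):
    """Device-scoped Configuration profile with a single PPPC payload."""
    if entries is None:
        entries = [
            tcc_entry(AGENT_BUNDLE_ID, "bundleID",
                      designated_requirement(AGENT_BUNDLE_ID)),
            # For a path identifier the requirement names the binary itself.
            tcc_entry(HELPER_PATH, "path",
                      designated_requirement(PurePosixPath(HELPER_PATH).name)),
        ]
    base = "nl.root3.catalog.pppc.example"   # placeholder identifier
    payload = {
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{base}.tcc",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, f"{base}.tcc")).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Catalog - Full Disk Access",
        "Services": {"SystemPolicyAllFiles": entries},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",             # PPPC payloads are device scoped
        "PayloadIdentifier": base,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, base)).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Catalog - Full Disk Access (PPPC)",
        "PayloadOrganization": "Example Org",  # placeholder
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM expects as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML, sort_keys=False)


def lint_profile(data):
    """Return a list of problems; an empty list means the profile looks sane."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System for PPPC")
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PPPC_PAYLOAD_TYPE:
            continue
        for e in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            ident, itype, req = e.get("Identifier", ""), e.get("IdentifierType"), e.get("CodeRequirement", "")
            if itype not in ("bundleID", "path"):
                problems.append(f"{ident}: bad IdentifierType {itype!r}")
                continue
            m = re.search(r'identifier "([^"]+)"', req)
            expected = PurePosixPath(ident).name if itype == "path" else ident
            if not m or m.group(1) != expected:
                problems.append(f"{ident}: requirement names {m.group(1) if m else None!r}, expected {expected!r}")
            if TEAM_ID not in req:
                problems.append(f"{ident}: requirement does not pin team {TEAM_ID}")
            if e.get("Allowed") is not True:
                problems.append(f"{ident}: Allowed is not true")
    return problems


def granted_identifiers(data):
    """(IdentifierType, Identifier) pairs granted SystemPolicyAllFiles."""
    profile = plistlib.loads(data)
    return [(e["IdentifierType"], e["Identifier"])
            for p in profile.get("PayloadContent", [])
            for e in p.get("Services", {}).get("SystemPolicyAllFiles", [])]


if __name__ == "__main__":
    data = to_mobileconfig(build_profile())
    with open("catalog-pppc.mobileconfig", "wb") as fh:
        fh.write(data)
    print(lint_profile(data) or "profile OK")
```

Upload the resulting .mobileconfig to the MDM as a device-level profile. Before deploying, the requirement strings can be checked against the installed binaries on a Mac with codesign --verify -R= followed by the requirement and the path; a mismatch there means the PPPC grant will never match the running process.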
