App Management (PPPC)

Starting with macOS Ventura (13), an app that updates or deletes other apps needs an additional privacy permission. The Catalog Agent and the Catalog app (or their parent processes) need this permission to be able to update all types of apps. In Apple's documentation this permission is called SystemPolicyAppBundles; in System Settings on macOS Ventura it is found under Privacy & Security -> App Management.

MDM solutions may provide built-in support for configuring SystemPolicyAppBundles; otherwise you need to create and upload a custom Configuration Profile. Alternatively you can grant SystemPolicyAllFiles, also known as Full Disk Access, which may be more compatible or easier to configure in your MDM solution. Note that Full Disk Access is a much broader grant than App Management (it covers all protected files, not just app bundles), so prefer SystemPolicyAppBundles where your MDM supports it.

Create Configuration Profile

There are two binaries that need the SystemPolicyAppBundles permission:

Catalog Agent

Usually the Catalog Agent is called by another process, such as the MDM's agent. In that case the calling process needs the SystemPolicyAppBundles permission, but the MDM solution often takes care of this automatically and grants its agent the SystemPolicyAllFiles permission, in which case no action is required. Otherwise you need to identify the parent process, obtain its Identifier, Identifier Type and Code Requirement (for example with codesign -dr - on the binary) and create the Configuration Profile from those values.

macOS 13 and later

For macOS 13 and later, the Catalog Agent uses a modern LaunchDaemon and runs its update schedule autonomously. This requires an additional privacy permission, because there is no parent process: only the Catalog Agent process itself. Check Updating Apps for more information.

Therefore you need to explicitly grant the SystemPolicyAppBundles permission in a Privacy Preferences Policy Control (PPPC) profile:

  • Allowed: true

  • Identifier: nl.root3.catalog

  • IdentifierType: Bundle ID

  • CodeRequirement:

anchor apple generic and identifier "nl.root3.catalog" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "98LJ4XBGYK")

This designated requirement accepts a build of nl.root3.catalog that is either signed by the Mac App Store (the 6.1.9 leaf field) or signed with a Developer ID Application certificate (6.2.6 on the intermediate, 6.1.13 on the leaf) whose Team ID is 98LJ4XBGYK; in the requirement language "and" binds tighter than "or", so the Developer ID conditions form one group.

Privileged Helper Tool

The Privileged Helper Tool runs on its own and is called from the main app, not by the MDM solution. Therefore you need to explicitly grant it the SystemPolicyAppBundles permission in a Privacy Preferences Policy Control (PPPC) profile:

  • Allowed: true

  • Identifier: /Library/PrivilegedHelperTools/nl.root3.catalog.helper

  • IdentifierType: Path

  • CodeRequirement:

anchor apple generic and identifier "nl.root3.catalog.helper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "98LJ4XBGYK")

Example

Below are two example Configuration Profiles in which all required processes are granted either SystemPolicyAppBundles (App Management) or SystemPolicyAllFiles (Full Disk Access), depending on your preference:

App Management (option 1)

Full Disk Access (option 2)
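As an added example (this is not Catalog's own tooling or one of the profiles linked above), the following POSIX shell script builds a PPPC profile equivalent to either option from the identifiers, paths and code requirements quoted on this page, and shows how to pull a designated requirement out of codesign -dr - output when you need to add a parent process. The PayloadIdentifier strings and the sample codesign output are constructed here for illustration.

```shell
#!/bin/sh
# Added example: generate a PPPC (com.apple.TCC.configuration-profile-policy)
# profile for the Catalog Agent and Privileged Helper Tool. Identifiers, path,
# Team ID and requirements are the values from the page; PayloadIdentifier
# strings (example.catalog.pppc.*) are placeholders chosen here.

TEAM_ID="98LJ4XBGYK"
AGENT_ID="nl.root3.catalog"
HELPER_ID="nl.root3.catalog.helper"
HELPER_PATH="/Library/PrivilegedHelperTools/nl.root3.catalog.helper"

# Designated requirement used on the page, parameterised on the identifier.
requirement() {
  printf 'anchor apple generic and identifier "%s" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s")' "$1" "$TEAM_ID"
}

# Extract the "designated => ..." line from codesign output read on stdin.
# On a Mac, for a parent process you need to grant:
#   codesign -dr - /path/to/binary 2>&1 | designated_requirement
designated_requirement() {
  sed -n 's/^designated => //p'
}

# Constructed sample of what `codesign -dr -` prints for the helper tool.
SAMPLE_CODESIGN_OUTPUT="Executable=$HELPER_PATH
designated => $(requirement "$HELPER_ID")"

new_uuid() {
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null \
    || echo "00000000-0000-4000-8000-000000000000"
}

# One entry of the Services array: $1 identifier, $2 bundleID|path, $3 requirement.
# Allowed=true is the page's setting; StaticCode=false means TCC validates the
# running code against the requirement rather than only the file on disk.
tcc_entry() {
  cat <<EOF
        <dict>
          <key>Allowed</key><true/>
          <key>Identifier</key><string>$1</string>
          <key>IdentifierType</key><string>$2</string>
          <key>CodeRequirement</key><string>$3</string>
          <key>StaticCode</key><false/>
        </dict>
EOF
}

# Whole profile. $1 is SystemPolicyAppBundles (option 1) or SystemPolicyAllFiles (option 2).
pppc_profile() {
  service="$1"
  case "$service" in
    SystemPolicyAppBundles|SystemPolicyAllFiles) ;;
    *) echo "unsupported TCC service: $service" >&2; return 1 ;;
  esac
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadDisplayName</key><string>Catalog - $service</string>
  <key>PayloadIdentifier</key><string>example.catalog.pppc.$service</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
      <key>PayloadIdentifier</key><string>example.catalog.pppc.$service.tcc</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Services</key>
      <dict>
        <key>$service</key>
        <array>
$(tcc_entry "$AGENT_ID" bundleID "$(requirement "$AGENT_ID")")
$(tcc_entry "$HELPER_PATH" path "$(printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | designated_requirement)")
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Write option 1 to disk; on a Mac, `plutil -lint` confirms it is a valid plist.
pppc_profile SystemPolicyAppBundles > catalog-app-management.mobileconfig
```

Run pppc_profile SystemPolicyAllFiles instead to produce the Full Disk Access variant. After installing the profile on a test Mac, the grant can be confirmed in System Settings -> Privacy & Security -> App Management (or Full Disk Access), where both Catalog entries should appear as enabled and managed.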
