Full Disk Access (PPPC)
Starting with macOS Ventura (13), updater apps need an additional privacy permission before they can update or delete other apps: SystemPolicyAllFiles (Full Disk Access) must be granted. The Catalog Agent and Catalog App (or their parent processes) need this permission to be able to update all types of apps.
There are two binaries that need the SystemPolicyAllFiles permission:
Usually the Catalog Agent is called by another process, such as the MDM's agent. In those cases you need to grant that parent agent the SystemPolicyAllFiles permission, but often the MDM solution takes care of this automatically and grants the SystemPolicyAllFiles permission itself. In those cases, no action is required. Otherwise you may need to figure out the parent process, get its Identifier, Identifier Type and Code Requirement, and then create the Configuration Profile.
For macOS 13 and later, the Catalog Agent uses a modern LaunchDaemon and autonomously performs an update schedule. This requires additional privacy permissions, as there is no parent process, just the Catalog Agent process itself. Check for more information.
Therefore you need to explicitly grant the SystemPolicyAllFiles permission in a Privacy Preference Policy Control profile (PPPC):
Allowed: true
Identifier: nl.root3.catalog
IdentifierType: Bundle ID
CodeRequirement:
The Privileged Helper Tool operates independently: it is called from the main app and not by the MDM solution. Therefore you need to explicitly grant the SystemPolicyAllFiles permission in a Privacy Preference Policy Control profile (PPPC):
Allowed: true
Identifier: /Library/PrivilegedHelperTools/nl.root3.catalog.helper
IdentifierType: Path
CodeRequirement:
Below is an example Configuration Profile in which all required processes are granted SystemPolicyAllFiles (Full Disk Access):
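As an added illustration (not the vendor's own profile), this Python sketch builds a PPPC profile for the two identifiers listed above and refuses to emit a grant that has no code requirement. Assumptions: the code requirement strings are not shown on this page and must be read from the installed binaries with `codesign -dr -`; the `com.example.*` payload identifiers, display name and organization are hypothetical.

```python
import plistlib
import uuid

# Placeholder: this page does not show the code requirement strings. Read the
# real ones on a Mac with `codesign -dr - <path>` and pass them in.
CODE_REQ_PLACEHOLDER = "<CODE_REQUIREMENT_FROM_CODESIGN>"

# Identifiers as given on the page. The UI labels "Bundle ID" and "Path"
# correspond to the payload values "bundleID" and "path".
ENTRIES = [
    ("nl.root3.catalog", "bundleID"),
    ("/Library/PrivilegedHelperTools/nl.root3.catalog.helper", "path"),
]

def build_profile(code_reqs, org="Example Org"):
    """Return mobileconfig bytes granting SystemPolicyAllFiles to ENTRIES."""
    grants = []
    for identifier, id_type in ENTRIES:
        req = code_reqs.get(identifier, "").strip()
        # The code requirement is what ties the grant to the signed binary,
        # so never write an entry with an empty or placeholder value.
        if not req or req == CODE_REQ_PLACEHOLDER:
            raise ValueError(f"missing code requirement for {identifier}")
        grants.append({
            "Identifier": identifier,
            "IdentifierType": id_type,
            "CodeRequirement": req,
            "Allowed": True,
        })
    tcc = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": "com.example.pppc.catalog.tcc",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": {"SystemPolicyAllFiles": grants},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.pppc.catalog",  # hypothetical
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "Catalog Full Disk Access",  # hypothetical
        "PayloadOrganization": org,
        "PayloadContent": [tcc],
    }
    return plistlib.dumps(profile)
```

Write the returned bytes to a `.mobileconfig` file and deploy it through your MDM; macOS only honours this payload type when the profile is delivered by MDM.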