Privacy Preferences Policy Control (com.apple.TCC.configuration-profile-policy)

Specifies the policies for contact information managed by the Contacts.app.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for calendar information managed by the Calendar.app.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for reminders information managed by the Reminders app.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

The pictures managed by the Photos app in `~/Pictures/.photoslibrary`.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

A system camera. Access to the camera can't be given in a profile; it can only be denied.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

A system microphone. Access to the microphone can't be given in a profile; it can only be denied.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for the app via the Accessibility subsystem. The ability to grant access by this profile is deprecated as of macOS 26.2, and will be removed in macOS 27.0.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for the application to use CoreGraphics APIs to send CGEvents to the system event stream.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application access to all protected files, including system administration files.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application access to some files used in system administration.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for the app sending restricted AppleEvents to another process.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to access Apple Music, music and video activity, and the media library.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows a File Provider application to know when the user is using files managed by the File Provider.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to use CoreGraphics and HID APIs to listen to (receive) CGEvents and HID events from all processes. Access to these events can't be given in a profile; it can only be denied.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to capture (read) the contents of the system display. Access to the contents can't be given in a profile; it can only be denied.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to use the system Speech Recognition facility and to send speech data to Apple.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to access files in the user's Desktop folder.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to access files in the user's Documents folder.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to access files in the user's Downloads folder.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to access files on network volumes.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to access files on removable volumes.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Allows the application to update or delete other apps. Available in macOS 13 and later.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for the app to access the data of other apps.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.

If `true`, statically validate the code requirement. Used only if the process invalidates its dynamic code signature.

If `true`, access is granted; otherwise, the process doesn't have access. The user isn't prompted and can't change this value. > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both.

The `Authorization` key is an optional replacement for the `Allowed` key, which has one of the following possible values: - `Allow`: Equivalent to a `true` value for the `Allowed` key - `Deny`: Equivalent to a `false` value for the `Allowed` key - `AllowStandardUserToSetSystemService`: Allows a standard (non-admin) user to configure the permissions for the specified app in the Privacy preferences for services that otherwise require admin authorization; only valid for the `ListenEvent` and `ScreenCapture` services > Note: > Every payload needs to include either `Authorization` or `Allowed`, but not both. Available in macOS 11 and later.

Not used.

The identifier of the process receiving an AppleEvent sent by the Identifier process. This identifier is required for AppleEvents service; not valid for other services.

The type of AEReceiverIdentifier value, either `bundleID` or `path`. This setting is required for AppleEvents service; not valid for other services.

The code requirement for the receiving binary. This code requirement is required for AppleEvents service; not valid for other services.

Specifies the policies for the app to access Bluetooth devices.

A dictionary listing apps and the privacy policy to apply to them.

The bundle ID or installation path of the binary. > Note: > This value is case-sensitive.

The type of identifier value. Application bundles must be identified by bundle ID. Nonbundled binaries must be identified by installation path. Helper tools embedded within an application bundle automatically inherit the permissions of their enclosing app bundle.

Obtained via the command `codesign -display -r -`.