PPPC profile guide
The Preamp agent requires Full Disk Access (FDA) on modern macOS to read some Claude config paths. In an unmanaged install the user grants FDA manually via System Settings. In a managed install, admins pre-grant via a PPPC (Privacy Preferences Policy Control) profile so the user is never prompted.
Files
- Template: installers/macos/pppc-template.xml (in the agent repo).
- Placeholders to fill:
  - $TEAM_ID — your Apple Team ID.
  - $CODE_REQUIREMENT — the full requirement string from your signed binary.
Extracting the values
Both values come from the signed agent binary. Run on a machine with the signed binary available:
# Apple Team ID
codesign -d --verbose=4 <binary> 2>&1 | grep TeamIdentifier
# Full code requirement string
codesign -d --requirements - <binary> 2>&1
The 2>&1 redirect is required: codesign -d writes its details to stderr on macOS, so a plain | grep reads an empty stream and fails under set -o pipefail.
Importing into your MDM
- JAMF PPPC Utility — File → Import → select the XML, edit Team ID + code requirement, export the signed profile, then upload it to JAMF Pro and scope it to the target Macs.
- Kandji — Library → Add → PPPC Profile → paste the dict, fill the fields, save, and assign to the Blueprint.
- Intune / Mosyle — sign the filled-in XML as a .mobileconfig with a Developer ID Installer cert before uploading. Neither platform signs profiles for you.
Verification
After deployment, a managed Mac should show the agent in System Settings → Privacy & Security → Full Disk Access with a grey toggle (indicating an MDM granted it). A user-controllable blue toggle means the PPPC profile didn’t apply — re-check that the Team ID and code requirement match the binary you actually deploy.
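The same re-check can be run before upload. The script below is an added example, not code from the agent repo: it compares captured codesign output with the unsigned, filled-in profile XML. It assumes the profile uses Apple's standard TCC payload layout (Services → SystemPolicyAllFiles → CodeRequirement). The function names, bundle ID and Team ID are constructed for illustration.

```python
import plistlib
import re
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type

def team_identifier(verbose_out: str) -> str:
    """Team ID from `codesign -d --verbose=4 <binary> 2>&1` output."""
    m = re.search(r"^TeamIdentifier=([A-Z0-9]+)$", verbose_out, re.M)
    if not m:  # ad-hoc or unsigned binaries print "TeamIdentifier=not set"
        raise ValueError("binary has no Team ID")
    return m.group(1)

def designated_requirement(req_out: str) -> str:
    """Requirement from `codesign -d --requirements -`, minus the "designated => " prefix."""
    m = re.search(r"^designated => (.+)$", req_out, re.M)
    if not m:
        raise ValueError("no designated requirement found")
    return " ".join(m.group(1).split())  # normalise whitespace

def check_profile(profile_xml: bytes, team_id: str, requirement: str) -> list:
    """Return a list of problems; an empty list means the profile matches the binary."""
    problems = []
    for placeholder in (b"$TEAM_ID", b"$CODE_REQUIREMENT"):
        if placeholder in profile_xml:
            problems.append("unfilled placeholder " + placeholder.decode())
    if team_id not in requirement:
        problems.append("Team ID does not appear in the code requirement")
    payloads = plistlib.loads(profile_xml).get("PayloadContent", [])
    entries = [e for p in payloads if p.get("PayloadType") == TCC_TYPE
               for e in p.get("Services", {}).get("SystemPolicyAllFiles", [])]
    if not entries:
        problems.append("no SystemPolicyAllFiles (Full Disk Access) entry")
    for e in entries:
        if " ".join(e.get("CodeRequirement", "").split()) != requirement:
            problems.append("CodeRequirement differs for " + e.get("Identifier", "?"))
    return problems

# Constructed sample data (hypothetical bundle ID and Team ID), not real output.
SAMPLE_VERBOSE = "Executable=/opt/agent/agent\nIdentifier=com.example.agent\nTeamIdentifier=ABCDE12345\n"
SAMPLE_REQ = ('Executable=/opt/agent/agent\ndesignated => identifier "com.example.agent" and '
              'anchor apple generic and certificate leaf[subject.OU] = ABCDE12345\n')

def sample_profile(requirement: str) -> bytes:
    entry = {"Identifier": "com.example.agent", "IdentifierType": "bundleID",
             "CodeRequirement": requirement, "Allowed": True}
    return plistlib.dumps({"PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": [entry]}}]})

if __name__ == "__main__":
    req = designated_requirement(SAMPLE_REQ)
    print(check_profile(sample_profile(req), team_identifier(SAMPLE_VERBOSE), req))
```

Run it against the XML before signing: a signed .mobileconfig is wrapped in a CMS envelope that plistlib cannot parse directly.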