<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Field Notes — mdm.tools</title>
    <link>https://mdm.tools/blog/</link>
    <atom:link href="https://mdm.tools/blog/feed.xml" rel="self" type="application/rss+xml"/>
    <description>Short, practical write-ups on Apple management from mdm.tools: PPPC, Jamf smart groups, dockutil, firewall profiles, declarative device management, and the reasoning behind each builder.</description>
    <language>en-us</language>
    <copyright>© 2026 mdm.tools</copyright>
    <lastBuildDate>Tue, 14 Jul 2026 00:00:00 +0000</lastBuildDate>
    <generator>scripts/blog.py</generator>
    <item>
      <title>macOS 27 Removes the Silent MDM Accessibility Grant: What Breaks and Who Ships the Fix</title>
      <link>https://mdm.tools/blog/macos-27-accessibility-grant-removed/</link>
      <guid isPermaLink="true">https://mdm.tools/blog/macos-27-accessibility-grant-removed/</guid>
      <pubDate>Tue, 14 Jul 2026 00:00:00 +0000</pubDate>
      <category>PPPC · Deep dive</category>
      <description><![CDATA[In macOS 27, MDM can no longer silently grant Accessibility, the permission remote-support tools need. It's a scoped consent prompt now. Here's who ships it.]]></description>
      <content:encoded><![CDATA[<p><img src="https://mdm.tools/images/og-pppc-accessibility-removal.png" alt="" width="1200" height="630"></p>
<p>In macOS 27, your MDM can no longer silently grant the permission your Help Desk's remote-support tool needs to control a Mac. That permission is Accessibility, and the silent MDM grant for it is gone at 27.0. The replacement is a user consent prompt, and Apple scopes it to AppKit-based Mac apps only, so it may not reach your tool at all.</p>
                <p>This is a follow-up to <a href="https://mdm.tools/blog/pppc-macos-27-still-needs-a-profile/">the PPPC piece</a> in this series. That post drew the line between what moved to the declarative model and what still needs a profile, and it flagged Accessibility as the one real removal. A reader, Stephen Grall, pointed out in the comments that this removal isn't just a schema footnote; it breaks a workflow real teams run every day. He's right, so it gets its own post.</p>
                <p>One question is worth answering before you upgrade: is the part of your remote-support tool that needs Accessibility a native Mac app, or a background agent? That answer decides whether the new consent path reaches you at all.</p>
                <h2>What Apple actually removed</h2>
                <p>Accessibility is the permission a remote-control tool needs to move the mouse and type on the other end of a session. Until now, an MDM could grant it silently by pushing a PPPC profile, with no prompt and no user step. That is the path your Help Desk's remote-support tool has been riding.</p>
                <p>In macOS 27, that silent grant is gone. Of the permissions PPPC could hand out this way, Accessibility is the one Apple is taking back. From Apple's own device-management schema, verbatim: <em>"This profile deprecated its ability to grant access as of macOS 26.2, and removes that ability in macOS 27.0."</em></p>
                <h2>The replacement isn't a drop-in</h2>
                <p>The new declarative privacy configuration (<code>com.apple.configuration.app.settings</code>) does include Accessibility. But two things changed underneath it, and both apply.</p>
                <p>First, it's a consent prompt now, not a silent grant. The user gets Allow or Not Now. You set the default; they still decide. In Apple's words from the WWDC session, "the Allow button is the default button, and is clearly highlighted." So it's tuned toward yes, but it is still the user's call.</p>
                <p>Second, Apple scopes it to AppKit-based Mac apps only, not background agents or helper tools. A lot of remote-support software runs exactly those: a background service that does the actual input injection. If that component isn't an AppKit app, the new declarative path doesn't cover it, and you have no managed grant route at all.</p>
                <h2>Why on-prem feels it first</h2>
                <p>Pushing that declarative config needs an MDM server that already supports custom declarations, and the whole feature is still in beta season. If you self-host your MDM, common in regulated sectors like government, defense, healthcare, and finance, you upgrade on a change-control clock. You can lose the old grant path at 27.0 before your server can deliver the new one.</p>
                <p>Before you upgrade, walk this:</p>
                <ul><li>Find which tools rely on Accessibility.</li><li>Check whether that piece is a native app or a background agent.</li><li>Confirm your MDM's declarative-privacy support, and your own upgrade and deferral timeline.</li><li>Test the consent flow with a real standard user, not an admin.</li></ul>
                <h2>Where the vendors stand</h2>
                <p>I read 11 MDM vendors' official docs during the week of this post. It's beta season, so read this as a snapshot dated 2026-07-11, and re-check your vendor's release notes before you plan. Vendors with a native, supported path today: zero.</p>
                <ul><li><strong>Addigy</strong>: a native App Settings declarative type, in beta behind Apple's AppleSeed for IT seeding program.</li><li><strong>Jamf Pro cloud</strong>: deployable today as hand-built JSON via Blueprints custom declarations, with a Channel selector that includes User (which the new privacy key requires). But custom declarations fall "outside the scope of Jamf support," and on-prem is excluded.</li><li><strong>Fleet</strong>: self-hosted, with a raw-DDM server flag (<code>mdm.allow_all_declarations</code>). It scopes to device configuration declarations today; user-scoped support is on its near-term roadmap. This config needs user scope.</li><li><strong>Everyone else</strong>: Kandji, Mosyle, JumpCloud, FileWave, Hexnode, Omnissa Workspace ONE, SimpleMDM, and Intune, all silent on <code>app.settings</code> so far.</li></ul>
                <p>Still early. Vendors like Jamf ship native support at launch, so today's hand-built paths aren't the final shape. The lag that sticks is on-prem: with the last big DDM feature, DDM software updates were live in Jamf's cloud roughly a year before self-hosted Jamf Pro caught up. Expect a similar gap here.</p>
                <h2>Self-hosting? Build the test bench now</h2>
                <p>You don't have to wait for your MDM server to catch up. Two paths an on-prem shop can run today:</p>
                <ul><li><strong>Author it from Apple's schema.</strong> The <code>app.settings</code> declaration is public in <a href="https://github.com/apple/device-management" rel="noopener">Apple's device-management schema</a>. Write the JSON now, ready to push the moment your server delivers custom declarations.</li><li><strong>Test it on Fleet.</strong> It's open source and self-hostable, and its allow-all-declarations flag pushes raw DDM to a test Mac today. Device scope now, user scope on the roadmap. This config needs user scope, so watch that milestone.</li></ul>
                <p>Once your push path carries user scope (Fleet's user-scope support, or your MDM's custom-declaration support), run the test on a Mac on the macOS 27 beta, signed in as a standard user, not an admin, because the admin path can mask the exact prompt behavior a real user will hit. Until then, stage the JSON and stand up the bench so you're ready the day that scope lands.</p>
                <h2>Three pushbacks, answered</h2>
                <p>This crowd reads schemas, so here are the replies I'd expect, up front.</p>
                <p><em>"Speech Recognition and Bluetooth are deprecated too."</em> They are. But deprecated still grants this cycle; only Accessibility's grant is removed at 27.0. Deprecated works; removed doesn't. That difference is the whole reason this post is about Accessibility specifically.</p>
                <p><em>"PostEvent still grants."</em> It does, and it isn't deprecated at all. Apple's own PPPC doc example grants PostEvent to <code>com.apple.screensharing.agent</code>. If your tool injects input through PostEvent rather than Accessibility, that grant path survives 27.0. Most tools gate control on Accessibility anyway, so check which one yours actually rides.</p>
                <p><em>"Just defer macOS 27."</em> Deferral caps at 90 days: the <code>MajorPeriodInDays</code> limit (range 1–90) in Apple's <code>softwareupdate.settings</code> schema. That's a clock, not a fix. Put the date in your plan.</p>
                <h2>The shape of it</h2>
                <p>Two schema fields tell the whole story. Legacy PPPC is device-channel only; the new privacy key is user-scope only. Device-level and silent, to per-user and consensual. That's a cleaner model in the long run, but the transition has a gap, and remote-support tooling on self-hosted MDM is sitting in it.</p>
                <p>If you need to author or check the payload that still does the load-bearing work this cycle, the <a href="https://mdm.tools/pppc/">PPPC Builder</a> is here. And if you haven't read where the rest of the privacy model landed, start with <a href="https://mdm.tools/blog/pppc-macos-27-still-needs-a-profile/">what macOS 27 actually moved off the profile</a>.</p>
                <h2>Sources</h2>
                <p>The Apple claims below are grounded in Apple's own schema and session, linked here. The vendor specifics are a point-in-time docs survey dated 2026-07-11, not linked individually, so re-check each vendor's current release notes before you plan:</p>
                <ul>
                    <li>Apple: <a href="https://github.com/apple/device-management" rel="noopener">Device management schema (Accessibility grant-removal line, verbatim)</a></li>
                    <li>Apple Developer: <a href="https://developer.apple.com/documentation/devicemanagement/appsettings" rel="noopener">App Settings configuration (the new declarative Privacy defaults)</a></li>
                    <li>Apple Developer: <a href="https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol" rel="noopener">PrivacyPreferencesPolicyControl (legacy payload, PostEvent example)</a></li>
                    <li>WWDC 2026 Session 206: <a href="https://developer.apple.com/videos/play/wwdc2026/206/" rel="noopener">What's new in managing Apple devices (consent UX)</a></li>
                </ul>]]></content:encoded>
    </item>
    <item>
      <title>macOS 27 Software Update: Legacy Commands Removed, Declarative Enforcement Only</title>
      <link>https://mdm.tools/blog/macos-27-software-update-enforcement/</link>
      <guid isPermaLink="true">https://mdm.tools/blog/macos-27-software-update-enforcement/</guid>
      <pubDate>Fri, 10 Jul 2026 00:00:00 +0000</pubDate>
      <category>Software update · Field note</category>
      <description><![CDATA[macOS 27 removed the legacy software update commands, leaving declarative enforcement as the only path, and raised the TLS floor under all MDM traffic.]]></description>
      <content:encoded><![CDATA[<p><img src="https://mdm.tools/images/og-macos-27-software-update-enforcement.png" alt="" width="1200" height="630"></p>
<p>By now you know the software update commands are gone in 27. Apple announced the removal last year, and in every 27.0 operating system it landed. The legacy software update commands stopped functioning, along with the queries and the restrictions like deferrals. What's left is declarative enforcement, which works differently than the old commands did. You declare a target version and a date, and the device drives itself there. There's no "patch now" button in that model.</p>
                <p>If you've been <a href="https://mdm.tools/blog/declarative-device-management-macos-27/">reading along</a>, none of that is new. The mechanism is a deadline: the <code>com.apple.configuration.softwareupdate.enforcement.specific</code> configuration takes a target OS version and a date, and the device updates itself to meet it. You're setting a deadline, not pressing install.</p>
                <h2>The part in the same release I keep seeing people miss</h2>
                <p>In all 27.0 operating systems, select system processes now enforce stricter network security on management traffic. Your MDM service has to meet TLS 1.2 as a floor, with cipher suites and certificates that clear the new App Transport Security bar, or those connections can fail. And it isn't scoped to one function. Device management, enrollment, profile installs, app installs, and software update traffic all ride that stricter requirement now.</p>
                <p>Apple's own wording hedges here: the new requirements "might cause connections to fail" if the service doesn't meet them. So this is a floor you need to clear, not a switch that flips your fleet dark on day one. But it's a floor under everything, not one feature.</p>
                <h2>Why this is the one I'd worry about</h2>
                <p>The two changes fail in opposite ways, and that's the whole problem.</p>
                <p>The software update removal is loud. It shows up the moment you try to run a command that no longer exists, and you know exactly what happened. A TLS handshake your MDM can't complete just looks like the service going quiet, so you go hunting in the wrong place: the device, the network, the profile, anywhere but the certificate on your management service.</p>
                <p>What strikes me about the pairing is that Apple didn't ask us to adopt any of this. They removed the alternative and raised the floor under it in the same release. That framing only holds for software update; it's the one place where the old path is genuinely gone rather than deprecated. It is worth saying plainly because it's easy to over-read into the rest of 27, and the <a href="https://mdm.tools/blog/pppc-macos-27-still-needs-a-profile/">PPPC picture</a> is the opposite: there, the old payload is still doing real work.</p>
                <h2>Before you touch 27</h2>
                <p>Confirm two things with your MDM vendor. Does it do declarative software update enforcement, and does its service clear the new TLS bar? Then test on one machine before it goes anywhere near the fleet.</p>
                <p>One honest caveat: the 27 deployment guide is still pre-release, so the exact wording can shift before it's final. The software update removal is not in that category. It was announced last year and it's in effect across the 27.0 releases now.</p>
                <h2>Sources</h2>
                <p>Both changes below are in Apple's deployment guide and device-management schema:</p>
                <ul>
                    <li>Apple Support: <a href="https://support.apple.com/guide/deployment/device-management-updates-depd638aa061/web" rel="noopener">Device management updates (software update removal, network security)</a></li>
                    <li>Apple: <a href="https://github.com/apple/device-management" rel="noopener">Device management schema (software update enforcement configuration)</a></li>
                </ul>]]></content:encoded>
    </item>
    <item>
      <title>PPPC in macOS 27: What Moved to Declarative and What Still Needs a Profile</title>
      <link>https://mdm.tools/blog/pppc-macos-27-still-needs-a-profile/</link>
      <guid isPermaLink="true">https://mdm.tools/blog/pppc-macos-27-still-needs-a-profile/</guid>
      <pubDate>Thu, 09 Jul 2026 00:00:00 +0000</pubDate>
      <category>PPPC · Deep dive</category>
      <description><![CDATA[macOS 27 adds declarative privacy config for seven permissions, but Full Disk Access and Screen Recording still need a PPPC profile. Where the line falls.]]></description>
      <content:encoded><![CDATA[<p><img src="https://mdm.tools/images/og-pppc-macos-27-still-needs-a-profile.png" alt="" width="1200" height="630"></p>
<p>At WWDC this year, Apple pitched the new macOS privacy model as a convenience: one consolidated consent prompt, fewer dialogs for your users. That part is true. What the pitch skips is where the schema draws the line, and if you run security tooling that line decides whether you migrate this cycle or end up straddling two models. So I went through the configuration key by key.</p>
                <p>This is the second piece in a short series on the macOS 27 model. The <a href="https://mdm.tools/blog/declarative-device-management-macos-27/">first one</a> covered how much of the release moved onto declarative management. This one is about the part everyone is calling the death of PPPC.</p>
                <h2>There is a real declarative privacy path now</h2>
                <p>macOS 27 introduces a declarative configuration, <code>com.apple.configuration.app.settings</code>, that carries a Privacy dictionary of permission defaults. You set a per-app default, and on first launch the app shows one consolidated prompt covering the permissions the user hasn't already seen. It lists your org name, the app, your justification, and each permission in the set.</p>
                <p>Read the schema and two things stand out. The prompt is a nudge, not a silent grant: Apple tuned it toward yes. In its own words from the session, "the Allow button is the default button, and is clearly highlighted." If the user picks Not Now, they fall back to the normal per-permission prompts. And on macOS this whole feature is scoped: the schema notes it applies to standard, AppKit-based Mac apps only, so background agents, daemons, and helper tools are out. There is no device-wide silent privacy grant here.</p>
                <h2>What it covers: seven permissions</h2>
                <p>On macOS the Privacy dictionary covers seven:</p>
                <ul><li>Accessibility</li><li>Bluetooth</li><li>Camera</li><li>Dictation</li><li>Local Network</li><li>Location</li><li>Microphone</li></ul>
                <p>Count them, because the cross-platform schema lists eight. The eighth, Location Accuracy, is iPhone and iPad only; it never shipped on the Mac. So neither platform gets the full list, and the macOS set is these seven.</p>
                <h2>What it does not cover</h2>
                <p>Full Disk Access and Screen Recording are not in the new privacy configuration this cycle. The two permissions you fight with most are simply absent from the declarative model.</p>
                <p>That is the whole ballgame for anyone shipping an endpoint agent. If your tool needs Full Disk Access or screen recording, those grants stay on the legacy PPPC payload for now. You are not cutting over to declarative; you are running both at once. PPPC can still grant Full Disk Access. It was never able to silently grant screen recording anyway; a profile can only deny that one, or hand the choice to a standard user.</p>
                <h2>One grant path is removed. Four more are just deprecated.</h2>
                <p>The "PPPC is dead" reading falls apart right here. In the macOS 27 TCC schema, five service keys are marked deprecated, and only one of them loses a capability you were actually using.</p>
                <ul><li><strong>Accessibility</strong>: the one real removal. Granting it through a PPPC profile is deprecated as of 26.2 and removed in 27.0. Apple points you at the new Privacy key instead.</li><li><strong>BluetoothAlways and SpeechRecognition</strong>: deprecated, with the schema pointing them toward the new Privacy key.</li><li><strong>Camera and Microphone</strong>: marked deprecated, but their entries only restate what was always true: a profile can deny them, never grant them. You weren't granting these from a profile in the first place.</li></ul>
                <p>Full Disk Access and Screen Recording aren't deprecated at all. So the payload isn't being buried; it's being hollowed out selectively, and the one grant that actually goes away is Accessibility.</p>
                <h2>Plan for a straddle, not a cutover</h2>
                <p>If you manage Macs with security tooling, here is the shape of the next cycle:</p>
                <ul><li>Set your camera and microphone defaults in the new model for standard native apps. The user still gets the prompt; you're pre-seeding the answer.</li><li>Keep Full Disk Access and screen recording on the legacy PPPC payload. There is no declarative path for them yet.</li><li>Test the consent flow with real users before you roll it out. The prompt is built to get a yes, so make sure the yes applies the defaults you actually meant.</li></ul>
                <p>The obituaries are early. PPPC is narrower in 27 than it was, but it is still doing the load-bearing work for exactly the permissions your agents depend on. Next in the series: the change in the same release that I think is bigger than any of this, and that fails in a way you won't see coming. If you need to build or check a payload now, the <a href="https://mdm.tools/pppc/">PPPC Builder</a> is here.</p>
                <h2>Sources</h2>
                <p>The specifics here come from Apple's own schema and session, not the summary:</p>
                <ul>
                    <li>Apple Developer: <a href="https://developer.apple.com/documentation/devicemanagement/appsettings" rel="noopener">App Settings configuration (Privacy defaults)</a></li>
                    <li>Apple: <a href="https://github.com/apple/device-management" rel="noopener">Device management schema (TCC and app.settings YAML)</a></li>
                    <li>WWDC 2026 Session 206: <a href="https://developer.apple.com/videos/play/wwdc2026/206/" rel="noopener">What's new in managing Apple devices</a></li>
                </ul>]]></content:encoded>
    </item>
    <item>
      <title>Declarative Device Management in macOS 27: What Actually Moved</title>
      <link>https://mdm.tools/blog/declarative-device-management-macos-27/</link>
      <guid isPermaLink="true">https://mdm.tools/blog/declarative-device-management-macos-27/</guid>
      <pubDate>Wed, 08 Jul 2026 00:00:00 +0000</pubDate>
      <category>DDM · Deep dive</category>
      <description><![CDATA[macOS 27 shifts much more Apple device management onto the declarative model (device health, credentials, network, VPN, and SSO), so your MDM polls far less.]]></description>
      <content:encoded><![CDATA[<p><img src="https://mdm.tools/images/og-declarative-device-management-macos-27.png" alt="" width="1200" height="630"></p>
<p>I spent years hitting refresh on a management console, waiting to find out whether a profile I pushed actually took. If you managed Apple devices the old way, you did too.</p>
                <p>That job mostly ended with declarative device management, and by now everyone knows the pitch. The device holds its own declarations and reconciles its own state, then reports changes back over a status channel, so there's a lot less to poll. It shipped back in iOS 15. At WWDC this year Cyrus Daboo put it about as bluntly as Apple puts anything:</p>
                <blockquote>"It's here. It's shipping. It's in production across fleets around the world. If you're managing devices today without using it, you're working harder than you need to."<cite>Cyrus Daboo, WWDC 2026 Session 206</cite></blockquote>
                <p>Fine. None of that is news. What I don't think got enough attention is how much of the 27 release moved onto that model.</p>
                <h2>The status channel reports things it never used to</h2>
                <p>On iPhone and iPad, device system health now covers the baseband, the camera, and the Face ID sensors. Supervised devices report whether the user turned on Lockdown Mode. Credentials became declarative assets, so you refresh a certificate once and every configuration that references it picks up the change on its own. Anyone who has chased a cert rotation through a dozen profiles knows what that's worth. Network and VPN configurations went declarative this wave too, along with a new extensible SSO configuration.</p>
                <ul><li><strong>Device system health</strong> (iPhone and iPad): baseband, camera, and Face ID sensor status, reported over the status channel.</li><li><strong>Lockdown Mode state</strong> (supervised iPhone and iPad): devices now report whether the user enabled it.</li><li><strong>Credentials as declarative assets</strong>: refresh a certificate once; every configuration that references it reconciles on its own.</li><li><strong>Network and VPN configurations</strong>: moved onto the declarative model this release.</li><li><strong>Extensible SSO</strong>: a new declarative single sign-on configuration.</li></ul>
                <h2>Why this is the real headline of 27</h2>
                <p>For me, that's the story. The model absorbed the parts of device management a lot of us were still doing the old way. Your MDM server didn't go anywhere, and enrollment still runs through it. Declarative management was never a new protocol, just an extension bolted onto MDM. There is just less reason to keep asking the server questions the device is already answering.</p>
                <p>If you're standing up new configurations this cycle, that's the lens to use: for each thing you push, ask whether the device can now hold and report that state itself. More of the answers are "yes" in 27 than in any release before it.</p>
                <p>This is the first in a short series on what changed in the 27 model. The next piece looks at something the WWDC talk sold as a convenience that the schema says is narrower than it sounds: the privacy consent changes, and why the "PPPC is dead" takes are early. When you need to rebuild or sanity-check a payload in the meantime, the <a href="https://mdm.tools/pppc/">PPPC Builder</a> and the rest of the <a href="https://mdm.tools/">builders</a> are here.</p>
                <h2>Sources</h2>
                <p>Every claim above traces to Apple's own primary material:</p>
                <ul>
                    <li>Apple Developer: <a href="https://developer.apple.com/documentation/devicemanagement/leveraging-the-declarative-management-data-model-to-scale-devices" rel="noopener">Leveraging the declarative management data model to scale devices</a></li>
                    <li>WWDC 2026 Session 206: <a href="https://developer.apple.com/videos/play/wwdc2026/206/" rel="noopener">What's new in managing Apple devices</a></li>
                </ul>]]></content:encoded>
    </item>
  </channel>
</rss>
