Create configuration profile for volume rollout
A configuration profile is required to mass-deploy CleanMyMac Business through MDM solutions (such as Jamf) with predefined permissions and settings across managed devices. By distributing this profile, you ensure that CleanMyMac Business has the required permissions to work correctly:
- Full Disk Access (TCC SystemPolicyAllFiles)
- AppleEvents permission (from CleanMyMac Business to System Events)
- Notifications permissions
Note that starting with macOS Big Sur 11, Apple removed the ability to install profiles using profiles -I. Profiles can now be deployed only via MDM solutions.
Create the profile file
Follow these steps if you prefer to create your own configuration profile instead of using the pre-created one provided in the volume rollout procedure.
Step 1. Generate placeholders
Open Terminal and run the following commands as needed:
Generate UUIDs for use in the profile.
uuidgen
Generate CodeRequirements for use in the profile.
Run the command while the CleanMyMac Business desktop app is installed.
codesign -dr - "/Applications/CleanMyMac Business.app"
In the command output, copy everything after designated =>. You'll need this for the PPPC payload.
Step 2. Build the PPPC payload (TCC)
PPPC (Privacy Preferences Policy Control) allows administrators to configure permissions for apps to access privacy-sensitive resources. In the case of CleanMyMac Business, you'll configure Full Disk Access and AppleEvents permissions via a PPPC payload in the profile. This ensures compliance with privacy regulations and allows seamless deployment of the required permissions.
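<dict>
    <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key><string>${PPPC_PAYLOAD_UUID}</string>
    <key>PayloadIdentifier</key><string>${PPPC_IDENTIFIER_UUID}</string>
    <key>PayloadDisplayName</key><string>Privacy Preferences Policy Control</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadOrganization</key><string>MacPaw Way Ltd</string>
    <key>Services</key>
    <dict>
        <key>SystemPolicyAllFiles</key>
        <array>
            <dict>
                <key>IdentifierType</key><string>bundleID</string>
                <key>Identifier</key><string>com.macpaw.cmm-business</string>
                <key>CodeRequirement</key><string>${PASTE_REQUIREMENT_HERE}</string>
                <key>Authorization</key><string>Allow</string>
            </dict>
        </array>
        <key>AppleEvents</key>
        <array>
            <dict>
                <key>IdentifierType</key><string>bundleID</string>
                <key>Identifier</key><string>com.macpaw.cmm-business</string>
                <key>CodeRequirement</key><string>${PASTE_REQUIREMENT_HERE}</string>
                <key>Authorization</key><string>Allow</string>
                <key>AEReceiverIdentifierType</key><string>bundleID</string>
                <key>AEReceiverIdentifier</key><string>com.apple.systemevents</string>
                <key>AEReceiverCodeRequirement</key><string>identifier "com.apple.systemevents" and anchor apple</string>
            </dict>
        </array>
    </dict>
</dict>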
Step 3. Build the Notifications payload
The Notifications payload defines how CleanMyMac Business notifications (banners, badges, and sounds) behave. Adjust the parameters to meet your organization's preferences.
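<dict>
    <key>PayloadType</key><string>com.apple.notificationsettings</string>
    <key>PayloadUUID</key><string>${NOTIF_PAYLOAD_UUID}</string>
    <key>PayloadIdentifier</key><string>${NOTIF_IDENTIFIER_UUID}</string>
    <key>PayloadDisplayName</key><string>Notifications Payload</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadOrganization</key><string>MacPaw Way Ltd</string>
    <key>NotificationSettings</key>
    <array>
        <dict>
            <key>BundleIdentifier</key><string>com.macpaw.cmm-business</string>
            <key>Authorization</key><string>Allow</string>
            <key>AlertType</key><integer>1</integer>
            <key>BadgesEnabled</key>            <!-- boolean: <true/> or <false/> -->
            <key>SoundsEnabled</key>            <!-- boolean: <true/> or <false/> -->
            <key>ShowInNotificationCenter</key> <!-- boolean: <true/> or <false/> -->
            <key>ShowInLockScreen</key>         <!-- boolean: <true/> or <false/> -->
        </dict>
    </array>
</dict>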
Step 4. Prepare the configuration profile
Create a top-level Configuration wrapper, include the PPPC and Notifications payloads inside PayloadContent (follow the code comments for guidance), and save the prepared profile as a .mobileconfig file.
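<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadUUID</key><string>${PROFILE_UUID}</string>
    <key>PayloadIdentifier</key><string>${PAYLOAD_UUID}</string>
    <key>PayloadDisplayName</key><string>CleanMyMac Business Configuration</string>
    <key>PayloadDescription</key><string>CleanMyMac Business Permissions Configuration</string>
    <key>PayloadOrganization</key><string>MacPaw Way Ltd</string>
    <key>PayloadScope</key><string>System</string>
    <key>PayloadContent</key>
    <array>
        <!-- Insert the PPPC payload dict (Step 2) and the Notifications payload dict (Step 3) here -->
    </array>
</dict>
</plist>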
To validate the profile, run the following command in Terminal:
# Should output OK
plutil -lint "/path/to/profile.mobileconfig"
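The steps above can also be scripted. The following Python script is an added example, not MacPaw's code: it extracts the designated requirement as in Step 1, builds the Step 4 wrapper around the Step 2 PPPC payload with fresh UUIDs, and runs checks that plutil -lint (syntax only) does not make. The codesign output is a constructed sample with a placeholder team ID, the function names are hypothetical, and the Notifications payload is left out.

```python
import plistlib
import re
import uuid

# Constructed sample of `codesign -dr -` output; TEAMID0000 is a placeholder.
SAMPLE_CODESIGN_OUTPUT = (
    'designated => identifier "com.macpaw.cmm-business" and anchor apple generic '
    'and certificate leaf[subject.OU] = "TEAMID0000"\n')

def designated_requirement(output):
    """Step 1: return everything after 'designated =>'."""
    match = re.search(r"designated => (.+)", output)
    if not match:
        raise ValueError("no designated requirement found")
    return match.group(1).strip()

def build_profile(requirement):
    """Step 4 wrapper around the Step 2 PPPC payload, with fresh UUIDs."""
    def payload(ptype, name, **keys):
        return {"PayloadType": ptype, "PayloadDisplayName": name, "PayloadVersion": 1,
                "PayloadOrganization": "MacPaw Way Ltd", **keys,
                "PayloadUUID": str(uuid.uuid4()).upper(),  # same format as uuidgen
                "PayloadIdentifier": str(uuid.uuid4()).upper()}
    app = {"IdentifierType": "bundleID", "Identifier": "com.macpaw.cmm-business",
           "CodeRequirement": requirement, "Authorization": "Allow"}
    events = dict(app, AEReceiverIdentifierType="bundleID",
                  AEReceiverIdentifier="com.apple.systemevents",
                  AEReceiverCodeRequirement='identifier "com.apple.systemevents" and anchor apple')
    pppc = payload("com.apple.TCC.configuration-profile-policy",
                   "Privacy Preferences Policy Control",
                   Services={"SystemPolicyAllFiles": [app], "AppleEvents": [events]})
    return plistlib.dumps(payload(
        "Configuration", "CleanMyMac Business Configuration", PayloadScope="System",
        PayloadDescription="CleanMyMac Business Permissions Configuration",
        PayloadContent=[pppc]))

def check_profile(data):
    """Checks plutil -lint does not make; the identifier match is a heuristic."""
    problems = ["unresolved ${...} placeholder"] if b"${" in data else []
    profile = plistlib.loads(data)
    uuids = [p.get("PayloadUUID") for p in [profile, *profile.get("PayloadContent", [])]]
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID")
    for payload in profile.get("PayloadContent", []):
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if 'identifier "%s"' % entry.get("Identifier") not in entry.get("CodeRequirement", ""):
                    problems.append(service + ": CodeRequirement does not name the bundle ID")
    return problems
```

Write the bytes returned by build_profile to a .mobileconfig file only when check_profile returns an empty list.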
Sign the profile
While most MDM solutions don't require profiles to be signed, it's best practice to sign them—especially when sharing externally.
Using Terminal
Open Terminal and run the following commands:
List identities available on your system.
security find-identity -v -p codesigning login.keychain-db
Sign the profile using the selected identity.
security cms -S \
  -N "Common Name of Your Certificate" \
  -i "/path/to/unsigned.mobileconfig" \
  -o "/path/to/signed.mobileconfig"
(Optional) Decode and inspect the signed profile to confirm correctness.
security cms -D -i "/path/to/signed.mobileconfig" > /tmp/decoded.plist
plutil -lint /tmp/decoded.plist
Using Apple Configurator
Open Apple Configurator.
Choose File > Open, select the configuration profile, and click Open.
Choose File > Sign, select your certificate, and click Sign.