Create configuration profile for volume rollout


A configuration profile is required to mass-deploy CleanMyMac Business through MDM solutions (such as Jamf) with predefined permissions and settings across managed devices. By distributing this profile, you ensure that CleanMyMac Business has the required permissions to work correctly:

  • Full Disk Access (TCC SystemPolicyAllFiles)
  • AppleEvents permission (from CleanMyMac Business to System Events)
  • Notifications permissions

Note that starting with macOS Big Sur 11, Apple removed the ability to install profiles using profiles -I. Profiles can now be deployed only via MDM solutions.

Create the profile file

Follow these steps if you prefer to create your own configuration profile instead of using the pre-created one provided in the volume rollout procedure.

Step 1. Generate placeholders

Open Terminal and run the following commands as needed:

  • Generate UUIDs for use in the profile.

    uuidgen
  • Generate CodeRequirements for use in the profile.

    Run the command while the CleanMyMac Business desktop app is installed.

    codesign -dr - "/Applications/CleanMyMac Business.app"

    In the command output, copy everything after "designated =>". You'll need this string as the CodeRequirement value in the PPPC payload.

Step 2. Build the PPPC payload (TCC)

PPPC (Privacy Preferences Policy Control) allows administrators to configure permissions for apps to access privacy-sensitive resources. In the case of CleanMyMac Business, you'll configure Full Disk Access and AppleEvents permissions via a PPPC payload in the profile. This ensures compliance with privacy regulations and allows seamless deployment of the required permissions.


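  <dict>
    <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
    <key>PayloadUUID</key><string>${PPPC_PAYLOAD_UUID}</string>
    <key>PayloadIdentifier</key><string>${PPPC_IDENTIFIER_UUID}</string>
    <key>PayloadDisplayName</key><string>Privacy Preferences Policy Control</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadOrganization</key><string>MacPaw Way Ltd</string>
    <key>Services</key>
    <dict>
      <!-- Full Disk Access for CleanMyMac Business -->
      <key>SystemPolicyAllFiles</key>
      <array>
        <dict>
          <key>IdentifierType</key><string>bundleID</string>
          <key>Identifier</key><string>com.macpaw.cmm-business</string>
          <key>CodeRequirement</key><string>${PASTE_REQUIREMENT_HERE}</string>
          <key>Authorization</key><string>Allow</string>
        </dict>
      </array>
      <!-- AppleEvents from CleanMyMac Business to System Events -->
      <key>AppleEvents</key>
      <array>
        <dict>
          <key>IdentifierType</key><string>bundleID</string>
          <key>Identifier</key><string>com.macpaw.cmm-business</string>
          <key>CodeRequirement</key><string>${PASTE_REQUIREMENT_HERE}</string>
          <key>Authorization</key><string>Allow</string>
          <key>AEReceiverIdentifierType</key><string>bundleID</string>
          <key>AEReceiverIdentifier</key><string>com.apple.systemevents</string>
          <key>AEReceiverCodeRequirement</key><string>identifier "com.apple.systemevents" and anchor apple</string>
        </dict>
      </array>
    </dict>
  </dict>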

Step 3. Build the Notifications payload

The Notifications payload defines how CleanMyMac Business notifications (banners, badges, and sounds) behave. Adjust the parameters to meet your organization's preferences.


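  <dict>
    <key>PayloadType</key><string>com.apple.notificationsettings</string>
    <key>PayloadUUID</key><string>${NOTIF_PAYLOAD_UUID}</string>
    <key>PayloadIdentifier</key><string>${NOTIF_IDENTIFIER_UUID}</string>
    <key>PayloadDisplayName</key><string>Notifications Payload</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadOrganization</key><string>MacPaw Way Ltd</string>
    <key>NotificationSettings</key>
    <array>
      <dict>
        <key>BundleIdentifier</key><string>com.macpaw.cmm-business</string>
        <key>Authorization</key><string>Allow</string>
        <!-- AlertType: 0 = none, 1 = temporary banner, 2 = persistent banner -->
        <key>AlertType</key><integer>1</integer>
        <!-- Assumed values: each boolean below is shown as <true/>; use <false/> to turn a setting off -->
        <key>BadgesEnabled</key><true/>
        <key>SoundsEnabled</key><true/>
        <key>ShowInNotificationCenter</key><true/>
        <key>ShowInLockScreen</key><true/>
      </dict>
    </array>
  </dict>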

Step 4. Prepare the configuration profile

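Create a top-level Configuration wrapper, include the PPPC and Notifications payloads inside PayloadContent (follow the code comments for guidance), and save the prepared profile as a .mobileconfig file.

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
    <key>PayloadType</key><string>Configuration</string>
    <key>PayloadVersion</key><integer>1</integer>
    <key>PayloadUUID</key><string>${PROFILE_UUID}</string>
    <key>PayloadIdentifier</key><string>${PAYLOAD_UUID}</string>
    <key>PayloadDisplayName</key><string>CleanMyMac Business Configuration</string>
    <key>PayloadDescription</key><string>CleanMyMac Business Permissions Configuration</string>
    <key>PayloadOrganization</key><string>MacPaw Way Ltd</string>
    <key>PayloadScope</key><string>System</string>
    <key>PayloadContent</key>
    <array>
      <!-- Paste the PPPC payload dict from Step 2 here -->
      <!-- Paste the Notifications payload dict from Step 3 here -->
    </array>
  </dict>
  </plist>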

To validate the profile, run the following command in Terminal:

# Should output OK
plutil -lint "/path/to/profile.mobileconfig"
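
plutil -lint only confirms that the file is a well-formed property list. The following added example (not part of the original article or MacPaw's tooling) uses Python's plistlib to catch what lint does not: leftover ${...} placeholders, malformed or reused PayloadUUID values, and PPPC entries without a CodeRequirement. The names check_profile and SAMPLE, and the sample profile itself, are constructed for illustration.

```python
import plistlib
import re
import uuid

PLACEHOLDER = re.compile(r"\$\{[^}]*\}")
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

def strings(node):
    """Yield every string value in a parsed plist, at any depth."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from strings(child)
    elif isinstance(node, str):
        yield node

def check_profile(data: bytes) -> list:
    """Return the problems found in an unsigned .mobileconfig (empty list = clean)."""
    profile = plistlib.loads(data)
    problems = [f"unreplaced placeholder: {s}" for s in strings(profile) if PLACEHOLDER.search(s)]
    payloads = profile.get("PayloadContent", [])
    seen = set()
    for payload in [profile, *payloads]:
        raw = str(payload.get("PayloadUUID", ""))
        try:
            uuid.UUID(raw)
        except ValueError:
            problems.append(f"invalid PayloadUUID: {raw!r}")
        if raw in seen:  # every payload and the wrapper need their own UUID
            problems.append(f"duplicate PayloadUUID: {raw}")
        seen.add(raw)
    for payload in (p for p in payloads if p.get("PayloadType") == TCC_TYPE):
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                if not entry.get("CodeRequirement", "").strip():
                    problems.append(f"{service}: missing CodeRequirement")
                if service == "AppleEvents" and "AEReceiverIdentifier" not in entry:
                    problems.append("AppleEvents: missing AEReceiverIdentifier")
    return problems

# Constructed sample: requirement placeholder left in, wrapper UUID reused by the payload.
SAMPLE_UUID = "11111111-2222-4333-8444-555555555555"
SAMPLE_ENTRY = {"IdentifierType": "bundleID", "Identifier": "com.macpaw.cmm-business",
                "CodeRequirement": "${PASTE_REQUIREMENT_HERE}", "Authorization": "Allow"}
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": SAMPLE_UUID,
    "PayloadContent": [{"PayloadType": TCC_TYPE, "PayloadUUID": SAMPLE_UUID,
                        "Services": {"SystemPolicyAllFiles": [SAMPLE_ENTRY]}}],
})
```

Run the check on the unsigned file; a signed profile has to be decoded with security cms -D first, as in the signing steps below.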

Sign the profile

While most MDM solutions don't require profiles to be signed, it's best practice to sign them—especially when sharing externally.

Using Terminal

Open Terminal and run the following commands:

  1. List identities available on your system.

    security find-identity -v -p codesigning login.keychain-db
  2. Sign the profile using the selected identity.

    security cms -S \
      -N "Common Name of Your Certificate" \
      -i "/path/to/unsigned.mobileconfig" \
      -o "/path/to/signed.mobileconfig"
  3. (Optional) Decode and inspect the signed profile to confirm correctness.

    security cms -D -i "/path/to/signed.mobileconfig" > /tmp/decoded.plist
    plutil -lint /tmp/decoded.plist

Using Apple Configurator

  1. Open Apple Configurator.

  2. Choose File > Open, select the configuration profile, and click Open.

  3. Choose File > Sign, select your certificate, and click Sign.
