
Code Requirements

Gil Burns edited this page Mar 30, 2026 · 2 revisions


A code requirement is a cryptographic expression that macOS uses to verify the identity of an application before granting it a PPPC permission. It is required for every app entry in a PPPC profile.


What Is a Code Requirement?

Every signed application on macOS has a designated requirement — a statement that describes what makes the app "itself." This typically includes the signing certificate, the team identifier, and sometimes the bundle identifier.

A typical code requirement looks like this:

anchor apple generic and identifier "com.1password.1password" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "2BUA8C4S2C")

macOS uses this expression to confirm that the app asking for a permission is the genuine, signed version — not a renamed copy, a different app, or a tampered binary.

⚠️ If the code requirement field is left empty or incorrect, macOS will not trust the profile entry and the permission will not be granted.


Reading the Code Requirement Automatically

The easiest way to populate a code requirement is with the Read from App Bundle… button in each app entry form.

For .app Applications

  1. Click Read from App Bundle… in the Code Requirement section
  2. An open panel appears — navigate to the application in /Applications, /System/Applications, or wherever the app is installed
  3. Select the .app bundle and click Open

The app reads the code requirement directly from the binary using codesign and populates:

  • The Code Requirement field (the designated requirement string)
  • The Identifier field (the bundle identifier from Info.plist)
  • The Type field (set to Bundle ID)

[Screenshot: Intune PPPC Utility open panel] [Screenshot: Intune PPPC Utility app entry form after reading]

For Command-Line Tools

Command-line tools (daemons, agents, scripts) also have code requirements if they are signed.

  1. Click Read from App Bundle…
  2. Navigate to the tool's location (e.g., /usr/local/bin, /opt/homebrew/bin, /usr/sbin)
  3. Select the binary file and click Open

For a non-bundle binary, the app sets:

  • The Code Requirement from the binary's designated requirement
  • The Identifier to the full filesystem path
  • The Type to Path

[Screenshot: Intune PPPC Utility open panel navigated to /usr/local/bin showing command-line tools]


Reading Manually with codesign

If you need to read a code requirement outside the app — for example, from a remote Mac or from a package installer — you can use Terminal:

codesign -dr - "/Applications/Microsoft Edge.app"

Look for the line that begins with designated =>:

designated => anchor apple generic and identifier "com.microsoft.edgemac" and ...

Copy everything after designated => and paste it into the Code Requirement field.


Apps Not Installed on This Mac

If an application is not installed on your Mac, you cannot read its code requirement automatically. There are a few options:

Option 1 — Read from Another Mac

On a Mac where the app is installed, run:

codesign -dr - /Applications/AppName.app

Copy the designated => line and paste it into the profile on your Mac.

Option 2 — Import from TCC, Then Fix Later

When using Import from TCC…, entries for apps that are not installed are flagged with an empty icon. They are still imported, but with an empty code requirement.

After import, find these entries (they are listed in the post-import summary) and click Read from App Bundle… once the app is available.

[Screenshot: Intune PPPC Utility app entry with an empty code requirement]

Option 3 — Use the Developer's Published Requirement

Some software vendors publish their code signing requirements in their documentation or deployment guides. If the vendor provides a requirement string, you can paste it directly into the Code Requirement field.


Verifying a Code Requirement

If you are unsure whether a code requirement is correct, you can verify it in Terminal:

codesign -vvv --requirements - /Applications/AppName.app

This output shows the app's current signing status and its requirements. Compare it to what is in your profile entry.


Code Requirements and App Updates

Code requirements are generally stable across app versions when the app is signed by the same developer. The designated requirement typically does not change unless:

  • The app changes its bundle identifier
  • The developer switches signing certificates or teams
  • The app transitions between Mac App Store and direct distribution (or vice versa)

In practice, most enterprise apps have stable code requirements that you set once and do not need to update.


Common Issues

"Code Requirement field is empty after using Read from App Bundle…"

The application may be unsigned. Unsigned applications cannot be granted PPPC permissions via a configuration profile — only signed apps with valid code requirements can be managed this way. Check whether the app is properly signed with codesign -v /path/to/app.

"The app I need to configure is not in /Applications"

The open panel in Read from App Bundle… lets you navigate anywhere on the filesystem. Use Go → Go to Folder… (⇧⌘G) in the panel to type a path directly.

"The code requirement I pasted doesn't seem to work after deploying"

  • Confirm there is no leading or trailing whitespace in the code requirement field
  • Confirm the requirement matches what codesign -dr - outputs for the exact version of the app on managed Macs — some apps ship different binaries for different architectures or distribution channels
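As an added example (not code from the Intune PPPC Utility project or this wiki), the POSIX shell script below pulls the designated requirement out of codesign -d -r - output, as described under Reading Manually with codesign, and compares it with a value pasted into a profile after normalizing whitespace, which covers the two checks listed above. The function names and the sample codesign output (placeholder identifier and team OU) are constructed for this example.

```shell
#!/bin/sh
# Added example for this wiki page (not part of Intune PPPC Utility itself):
# extract the designated requirement from `codesign -d -r -` output and compare
# it with a profile value, catching stray whitespace or a different build.

# Print only the designated requirement from codesign output read on stdin.
# codesign prints one "<type> => <requirement>" line per requirement type
# (e.g. "designated =>", "host =>"); callers pass 2>&1 so nothing is lost.
extract_designated() {
    sed -n 's/^designated => //p' | head -n 1
}

# Trim leading/trailing whitespace and squeeze internal runs to one space,
# so two copies of the same requirement compare equal after a sloppy paste.
normalize_requirement() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ *//; s/ *$//'
}

# Return 0 when the pasted requirement equals the binary's designated
# requirement after normalization; 1 when they differ or the actual value is
# empty (an unsigned binary yields no "designated =>" line at all).
requirement_matches() {
    pasted=$(normalize_requirement "$1")
    actual=$(normalize_requirement "$2")
    [ -n "$actual" ] && [ "$pasted" = "$actual" ]
}

# Read the designated requirement straight from an installed app or binary.
# macOS only: codesign does not exist on other systems.
designated_requirement_of() {
    codesign -d -r - "$1" 2>&1 | extract_designated
}

# Constructed sample of codesign output (placeholder identifier and team OU,
# not a real app) so the parser can be exercised without codesign.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/SampleApp.app/Contents/MacOS/SampleApp
designated => anchor apple generic and identifier "com.example.sampleapp" and certificate leaf[subject.OU] = "EXAMPLE123"'

# Run directly on a Mac with two arguments: <app or binary path> '<pasted requirement>'
if [ $# -eq 2 ] && command -v codesign >/dev/null 2>&1; then
    if requirement_matches "$2" "$(designated_requirement_of "$1")"; then
        echo "match: profile value equals the designated requirement"
    else
        echo "MISMATCH: profile value differs from codesign -d -r - output" >&2
        exit 1
    fi
fi
```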

See Also