{"id":360,"date":"2021-02-09T23:08:02","date_gmt":"2021-02-09T23:08:02","guid":{"rendered":"http:\/\/rainforestqa.com\/macos-tcc-db-deep-dive\/"},"modified":"2023-02-14T01:32:57","modified_gmt":"2023-02-14T01:32:57","slug":"macos-tcc-db-deep-dive","status":"publish","type":"post","link":"https:\/\/www.rainforestqa.com\/blog\/macos-tcc-db-deep-dive","title":{"rendered":"A deep dive into macOS TCC.db"},"content":{"rendered":"\n<p>A deep dive into what the TCC database contains and the meaning of the various fields present in it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_TCC\"><\/span>What is TCC?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>TCC (Transparency, Consent, and Control) is a mechanism in macOS to limit and control application access to certain features, usually from a privacy perspective. This can include things such as location services, contacts, photos, microphone, camera, accessibility, full disk access, and a bunch more. TCC was introduced with OSX Mavericks and has gone through a number of changes since to expand what it has control over.
TCC also appears to exist and provide the same functionality on iOS, but in this post we\u2019ll only be looking at TCC on macOS.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Why_write_this\"><\/span>Why write this?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>TCC is an end-user protection feature, and tends to get in the way when you\u2019re trying to provision machines in an automatic manner without user interaction. Part of the RainforestQA service is that we run all tests in fresh VMs that we keep up-to-date, and to do this we want to automate as much of the VM build process as possible and we don\u2019t want to babysit the build process to click \u201callow\u201d when dialogs pop up. Instead we would rather have a reliable way of manipulating TCC to grant access programmatically with zero human interaction. TCC is not very well documented and the information you can find on it is scattered about the web with various levels of completeness.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"TCC_for_the_User\"><\/span>TCC for the User<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>From a user\u2019s perspective, they see TCC in action when an application wants access to one of the features protected by TCC. When this happens the user is prompted with a dialog asking them whether they want to allow access or not. 
This response is then stored in the TCC database.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/uploads-ssl.webflow.com\/60da68c37e5767dfb65004c0\/61f1cb7edf626c809fc5ba83_tcc-prompt.png\" alt=\"An example of a TCC prompt\"\/><\/figure>\n\n\n\n<p>Users can also use the System Preferences to manipulate TCC.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/uploads-ssl.webflow.com\/60da68c37e5767dfb65004c0\/61f1cb7e94a0fa2a3625573e_security-and-privacy.png\" alt=\"System Preferences -&gt; Security and Privacy -&gt; Privacy\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">The TCC Database(s)<\/h3>\n\n\n\n<p>The TCC database is just a sqlite3 database, which makes the task of investigating it much simpler. There are two different databases, a global one in <strong>\/Library\/Application Support\/com.apple.TCC\/TCC.db<\/strong> and a per-user one located in <strong>\/Users\/&lt;username&gt;\/Library\/Application Support\/com.apple.TCC\/TCC.db<\/strong>. These databases are protected from editing with <a href=\"https:\/\/en.wikipedia.org\/wiki\/System_Integrity_Protection\" target=\"_blank\" rel=\"noopener\">SIP<\/a>(System Integrity Protection), but you can read them by granting terminal(or your editor) full disk access.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">TCC Database Schema<\/h3>\n\n\n\n<p>As TCC has evolved over the years the database schema has changed as well. The database contains a few tables but the one we\u2019re most interested in is the <strong>access<\/strong> table. 
Dumping the schema with sqlite gives us the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>CREATE TABLE access (\n    service TEXT NOT NULL,\n    client TEXT NOT NULL,\n    client_type INTEGER NOT NULL,\n\n--  allowed INTEGER NOT NULL,       -- Removed in Big Sur\n--  prompt_count INTEGER NOT NULL,  -- Removed in Big Sur\n\n    auth_value INTEGER NOT NULL,    -- Added in Big Sur\n    auth_reason INTEGER NOT NULL,   -- Added in Big Sur\n    auth_version INTEGER NOT NULL,  -- Added in Big Sur\n\n    csreq BLOB,\n    policy_id INTEGER,\n\n    -- Added in Mojave\n    indirect_object_identifier_type INTEGER,\n    indirect_object_identifier TEXT NOT NULL DEFAULT \"UNUSED\",\n    indirect_object_code_identity BLOB,\n\n    flags INTEGER,\n    last_modified INTEGER NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER))\n)<\/code><\/pre>\n\n\n\n<p>Let\u2019s take a look at these fields and what they actually mean:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>service<\/strong> &#8211; What service access is being restricted to. E.g. <strong>kTCCServiceMicrophone<\/strong>. See below for a <a href=\"https:\/\/rainforest.engineering\/2021-02-09-macos-tcc\/#all-services\" target=\"_blank\" rel=\"noopener\">full list of services<\/a>.<\/li>\n\n\n\n<li><strong>client<\/strong> &#8211; <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/CoreFoundation\/Conceptual\/CFBundles\/BundleTypes\/BundleTypes.html#\/\/apple_ref\/doc\/uid\/10000123i-CH101-SW1\" target=\"_blank\" rel=\"noopener\">Bundle Identifier<\/a> or absolute path to the program that wants to use <strong>service<\/strong> (e.g. 
<strong>com.apple.finder<\/strong> or <strong>\/usr\/libexec\/sshd-keygen-wrapper<\/strong>)<\/li>\n\n\n\n<li><strong>client_type<\/strong> &#8211; For the previous value, whether it\u2019s a Bundle Identifier(0) or an absolute path(1)<\/li>\n\n\n\n<li><strong>allowed<\/strong> &#8211; (<em>Prior to Big Sur<\/em>) Whether to allow access(1) to this service or deny it(0)<\/li>\n\n\n\n<li><strong>prompt_count<\/strong> &#8211; (<em>Prior to Big Sur<\/em>) How many times the user has been prompted about this access. Programs can repeatedly prompt if they are not granted access the first time so this can be used to track if that\u2019s happening.<\/li>\n\n\n\n<li><strong>auth_value<\/strong> &#8211; Whether the access is denied(0), unknown(1), allowed(2), or limited(3). An example for limited access: an application might be allowed to ask the user to select some photos, but without being granted access to the user\u2019s entire Photo library. It\u2019s unclear if this is actually implemented in macOS or if this is a carryover from iOS.<\/li>\n\n\n\n<li><strong>auth_reason<\/strong> &#8211; A code indicating how this <strong>auth_value<\/strong> was set. A common value is 3 which means \u201cUser Set\u201d. See below for <a href=\"https:\/\/rainforest.engineering\/2021-02-09-macos-tcc\/#auth-reason-values\" target=\"_blank\" rel=\"noopener\">full list of values and their meaning<\/a>.<\/li>\n\n\n\n<li><strong>auth_version<\/strong> &#8211; Always 1. Since these <strong>auth_*<\/strong> fields are new with macOS Big Sur, this seems expected. Presumably this will change with future macOS releases.<\/li>\n\n\n\n<li><strong>csreq<\/strong> &#8211; Binary code signing requirement blob that the <strong>client<\/strong> must satisfy in order for access to be granted. This is used to prevent spoofing\/impersonation if another program uses the same bundle identifier. 
There\u2019s an excellent <a href=\"https:\/\/stackoverflow.com\/a\/57259004\/841300\" target=\"_blank\" rel=\"noopener\">stack overflow answer<\/a>(written by yours truly) that covers how this field can be decoded(or generated).<\/li>\n\n\n\n<li><strong>policy_id<\/strong> &#8211; I believe this is related to <a href=\"https:\/\/support.apple.com\/guide\/mdm\/mdm-overview-mdmbf9e668\/web\" target=\"_blank\" rel=\"noopener\">MDM<\/a>(Mobile Device Management) policies, which can be used by organizations to allow TCC access for some applications at a global level. Policies are not able to automatically grant camera or microphone access however. One tool that can generate these profiles is <a href=\"https:\/\/github.com\/carlashley\/tccprofile\" target=\"_blank\" rel=\"noopener\">github.com\/carlashley\/tccprofile<\/a>.<\/li>\n\n\n\n<li><strong>indirect_object_identifier<\/strong> &#8211; For some services (<strong>kTCCServiceAppleEvents<\/strong>) this is what the client is asking to interact with. It\u2019s an absolute path or bundle identifier just like client. This will be set to UNUSED in cases where it doesn\u2019t make sense.<\/li>\n\n\n\n<li><strong>indirect_object_identifier_type<\/strong> &#8211; For the previous value, whether it\u2019s a Bundle Identifier(0) or an absolute path(1)<\/li>\n\n\n\n<li><strong>indirect_object_code_identity<\/strong> &#8211; Same as <strong>csreq<\/strong>, but for the <strong>indirect_object_identifier<\/strong> instead of client.<\/li>\n\n\n\n<li><strong>flags<\/strong> &#8211; I wasn\u2019t able to find any documentation on this, and it always seems to be 0. 
I believe it is likely used along with the MDM policies.<\/li>\n\n\n\n<li><strong>last_modified<\/strong> &#8211; The last time this entry was modified(seconds since the start of the unix <a href=\"https:\/\/en.wikipedia.org\/wiki\/Epoch_(computing)\" target=\"_blank\" rel=\"noopener\">epoch<\/a>)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple summary of the above<\/h3>\n\n\n\n<p>Each row in the table basically says:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The program <strong>client<\/strong> identified by <strong>csreq<\/strong> is allowed\/disallowed\/limited\/unknown [set by <strong>auth_value<\/strong>] to use <strong>service<\/strong> [with a target of <strong>indirect_object_identifier<\/strong> identified by <strong>indirect_object_code_identity<\/strong>]<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">An example entry<\/h3>\n\n\n\n<p>This is what you might find in the database if you granted Terminal \u201cFull Disk Access\u201d:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>INSERT INTO access VALUES(\n  'kTCCServiceSystemPolicyAllFiles',  -- service\n  'com.apple.Terminal',               -- client\n  0,    -- client_type (0 - bundle id)\n  2,    -- auth_value  (2 - allowed)\n  3,    -- auth_reason (3 - \"User Set\")\n  1,    -- auth_version\n  -- csreq\n  X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',\n  NULL,        -- policy_id\n  NULL,        -- indirect_object_identifier_type\n  'UNUSED',    -- indirect_object_identifier\n  NULL,        -- indirect_object_code_identity\n  0,           -- flags\n  1612407199   -- last_modified\n);<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>com.apple.Terminal<\/strong> is allowed (2) access to <strong>kTCCServiceSystemPolicyAllFiles<\/strong>(Full Disk Access) because \u201cUser 
Set\u201d(3).<\/p>\n<\/blockquote>\n\n\n\n<p>The <strong>fade0c&#8230;<\/strong> represents the <strong>csreq<\/strong> blob, and decoded it would read: <strong>identifier &#8220;com.apple.Terminal&#8221; and anchor apple<\/strong> (Refer to this <a href=\"https:\/\/stackoverflow.com\/a\/57259004\/841300\" target=\"_blank\" rel=\"noopener\">stack overflow answer<\/a> for how to decode this). This means that the application needs to have the bundle identifier <strong>com.apple.Terminal<\/strong> and it needs to be signed by Apple. This prevents anyone from creating their own application with that bundle identifier and gaining access to everything the user has granted to Terminal.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Final_Thoughts\"><\/span>Final Thoughts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Understanding the TCC database allows numerous possibilities. It becomes trivial to audit what access has been granted. It also allows one to manipulate the database to authorize permissions without requiring user interaction(e.g. during testing).<\/p>\n\n\n\n<p>At RainforestQA, we use this functionality when configuring our macOS machines to authorize access for our command and control scripts. This allows us to completely automate the installation and maintenance of our macOS fleet, saving us countless hours and making upgrades and maintenance a simple task.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Appendix\"><\/span>Appendix<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The following is a complete list of possible values for <strong>auth_reason<\/strong> and <strong>service<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">auth_reason<\/h3>\n\n\n\n<p>I was unable to find any documentation around <strong>auth_value<\/strong> or <strong>auth_reason<\/strong>. 
Using the demo version of <a href=\"https:\/\/www.hopperapp.com\/\" target=\"_blank\" rel=\"noopener\">Hopper Disassembler<\/a> I loaded up <strong>\/System\/Library\/PrivateFrameworks\/TCC.framework\/Versions\/A\/Resources\/tccd<\/strong> and found some references to these fields that gave me clues as to what the possible values are.<\/p>\n\n\n\n<p><strong>auth_reason<\/strong> can take the following values:<br><strong>1 <\/strong>&#8211; Error<br><strong>2<\/strong> &#8211; User Consent<br><strong>3<\/strong> &#8211; User Set<br><strong>4<\/strong> &#8211; System Set<br><strong>5<\/strong> &#8211; Service Policy<br><strong>6<\/strong> &#8211; MDM Policy<br><strong>7<\/strong> &#8211; Override Policy<br><strong>8<\/strong> &#8211; Missing usage string<br><strong>9<\/strong> &#8211; Prompt Timeout<br><strong>10<\/strong> &#8211; Preflight Unknown<br><strong>11<\/strong> &#8211; Entitled<br><strong>12<\/strong> &#8211; App Type Policy<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">service<\/h3>\n\n\n\n<p>It is possible to inspect the localizable strings for the TCC framework to determine what some of the valid services are. Using this command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>plutil -p \/System\/Library\/PrivateFrameworks\/TCC.framework\/Resources\/en.lproj\/Localizable.strings<\/code><\/pre>\n\n\n\n<p>&#8230;gives us the following list of services along with what the user will be prompted with when access is requested.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kTCCServiceAddressBook<\/strong> &#8211; <em>client<\/em> would like to access your contacts.<\/li>\n\n\n\n<li><strong>kTCCServiceAppleEvents<\/strong> &#8211; <em>client<\/em> wants access to control <em>indirect_object<\/em>. 
Allowing control will provide access to documents and data in <em>indirect_object<\/em>, and to perform actions within that app.<\/li>\n\n\n\n<li><strong>kTCCServiceBluetoothAlways<\/strong> &#8211; <em>client<\/em> would like to use Bluetooth.<\/li>\n\n\n\n<li><strong>kTCCServiceCalendar<\/strong> &#8211; <em>client<\/em> would like to access your calendar.<\/li>\n\n\n\n<li><strong>kTCCServiceCamera<\/strong> &#8211; <em>client<\/em> would like to access the camera.<\/li>\n\n\n\n<li><strong>kTCCServiceContactsFull<\/strong> &#8211; <em>client<\/em> would like to access all of your contacts information.<\/li>\n\n\n\n<li><strong>kTCCServiceContactsLimited<\/strong> &#8211; <em>client<\/em> would like to access your contacts basic information.<\/li>\n\n\n\n<li><strong>kTCCServiceFileProviderDomain<\/strong> &#8211; <em>client<\/em> wants to access files managed by <em>indirect_object<\/em>.<\/li>\n\n\n\n<li><strong>kTCCServiceFileProviderPresence<\/strong> &#8211; Do you want to allow <em>client<\/em> to see when you are using files managed by it? It will see which applications are used to access files and whether you are actively using them. 
It will not see when files that are not managed by it are accessed.<\/li>\n\n\n\n<li><strong>kTCCServiceLocation<\/strong> &#8211; <em>client<\/em> would like to use your current location.<\/li>\n\n\n\n<li><strong>kTCCServiceMediaLibrary<\/strong> &#8211; <em>client<\/em> would like to access Apple Music, your music and video activity, and your media library.<\/li>\n\n\n\n<li><strong>kTCCServiceMicrophone<\/strong> &#8211; <em>client<\/em> would like to access the microphone.<\/li>\n\n\n\n<li><strong>kTCCServiceMotion<\/strong> &#8211; <em>client<\/em> Would Like to Access Your Motion &amp; Fitness Activity.<\/li>\n\n\n\n<li><strong>kTCCServicePhotos<\/strong> &#8211; <em>client<\/em> Would Like to Access Your Photos<\/li>\n\n\n\n<li><strong>kTCCServicePhotosAdd<\/strong> &#8211; <em>client<\/em> Would Like to Add to your Photos<\/li>\n\n\n\n<li><strong>kTCCServicePrototype3Rights<\/strong> &#8211; <em>client<\/em> Would Like Authorization to Test Service Proto3Right.<\/li>\n\n\n\n<li><strong>kTCCServicePrototype4Rights<\/strong> &#8211; <em>client<\/em> Would Like Authorization to Test Service Proto4Right.<\/li>\n\n\n\n<li><strong>kTCCServiceReminders<\/strong> &#8211; <em>client<\/em> would like to access your reminders.<\/li>\n\n\n\n<li><strong>kTCCServiceScreenCapture<\/strong> &#8211; <em>client<\/em> would like to capture the contents of the system display.<\/li>\n\n\n\n<li><strong>kTCCServiceSiri<\/strong> &#8211; Would You Like to Use <em>client<\/em> with Siri?<\/li>\n\n\n\n<li><strong>kTCCServiceSpeechRecognition<\/strong> &#8211; <em>client<\/em> Would Like to Access Speech Recognition.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicyDesktopFolder<\/strong> &#8211; <em>client<\/em> would like to access files in your Desktop folder.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicyDeveloperFiles<\/strong> &#8211; <em>client<\/em> would like to access a file used in Software 
Development.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicyDocumentsFolder<\/strong> &#8211; <em>client<\/em> would like to access files in your Documents folder.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicyDownloadsFolder<\/strong> &#8211; <em>client<\/em> would like to access files in your Downloads folder.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicyNetworkVolumes<\/strong> &#8211; <em>client<\/em> would like to access files on a network volume.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicyRemovableVolumes<\/strong> &#8211; <em>client<\/em> would like to access files on a removable volume.<\/li>\n\n\n\n<li><strong>kTCCServiceSystemPolicySysAdminFiles<\/strong> &#8211; <em>client<\/em> would like to administer your computer. Administration can include modifying passwords, networking, and system settings.<\/li>\n\n\n\n<li><strong>kTCCServiceWillow<\/strong> &#8211; <em>client<\/em> would like to access your Home data.<\/li>\n<\/ul>\n\n\n\n<p>Some other values (from running strings on the <strong>tccd<\/strong> binary, observation, and other places online):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kTCCServiceSystemPolicyAllFiles<\/strong> &#8211; Full Disk Access<\/li>\n\n\n\n<li><strong>kTCCServiceAccessibility<\/strong> &#8211; Allows app to control your computer<\/li>\n\n\n\n<li><strong>kTCCServicePostEvent<\/strong> &#8211; Allows app to send keystrokes<\/li>\n\n\n\n<li><strong>kTCCServiceListenEvent<\/strong> &#8211; Input Monitoring; to monitor input from your keyboard<\/li>\n\n\n\n<li><strong>kTCCServiceDeveloperTool<\/strong> &#8211; Allows app to run software locally that does not meet the system\u2019s security policy<\/li>\n<\/ul>\n\n\n\n<p>These seem to be carry-overs from iOS, and may not apply on macOS:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kTCCServiceLiverpool<\/strong> &#8211; Related to location services<\/li>\n\n\n\n<li><strong>kTCCServiceUbiquity<\/strong> &#8211; Related to 
iCloud<\/li>\n\n\n\n<li><strong>kTCCServiceShareKit<\/strong> &#8211; Related to the share feature(presumably from iOS)(<a href=\"https:\/\/developer.apple.com\/documentation\/devicemanagement\/sharekit\" target=\"_blank\" rel=\"noopener\">ShareKit<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>There are also some for specific social networks; again I suspect this is a carry-over from iOS.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>kTCCServiceLinkedIn<\/strong> &#8211; LinkedIn<\/li>\n\n\n\n<li><strong>kTCCServiceTwitter<\/strong> &#8211; Twitter<\/li>\n\n\n\n<li><strong>kTCCServiceFacebook<\/strong> &#8211; Facebook<\/li>\n\n\n\n<li><strong>kTCCServiceSinaWeibo<\/strong> &#8211; Sina Weibo<\/li>\n\n\n\n<li><strong>kTCCServiceTencentWeibo<\/strong> &#8211; Tencent Weibo<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A deep dive into what the TCC database contains and the meaning of the various fields present in it. What is TCC? TCC (Transparency, Consent, and Control) is a mechanism in macOS to limit and control application access to certain features, usually from a privacy perspective. 
This can include things such as location services, contacts, [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[6],"tags":[],"class_list":["post-360","post","type-post","status-publish","format-standard","hentry","category-engineering"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/posts\/360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/comments?post=360"}],"version-history":[{"count":5,"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/posts\/360\/revisions"}],"predecessor-version":[{"id":867,"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/posts\/360\/revisions\/867"}],"wp:attachment":[{"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/media?parent=360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/categories?post=360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rainforestqa.com\/blog\/wp-json\/wp\/v2\/tags?post=360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}