On macOS, an administrator account can install software and change system settings, but by default it still can't access your camera, microphone, or full disk without consent—thanks to Transparency, Consent, and Control (TCC). However, a malicious admin can bypass TCC by manipulating the TCC database or by injecting code into trusted applications. This lesson explores the admin/standard user boundary, the privacy preference model, and how to enforce least privilege in macOS enterprise environments.
macOS administrators belong to the admin group and can use sudo for command-line privilege escalation. However, even as admin, System Integrity Protection (SIP) prevents modification of system files, and TCC restricts access to personal data unless explicitly granted. A standard user cannot install kernel extensions (unless approved via MDM) or enable screen recording without a prompt. For everyday use, all users—even IT staff—should be Standard. Admin credentials are entered only when prompted.
This simple check reveals membership. On a well-managed Mac, the return should be 0 for the primary user account.
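An added example (not the lesson's own check) that audits admin-group membership the way a fleet administrator would: it parses the one-line output of `dscl . -read /Groups/admin GroupMembership` and reports any account holding admin rights outside a sanctioned set, so the "everyone is Standard" rule above can be verified rather than assumed. The sanctioned account names and the sample `dscl` output are constructed for the example.

```python
"""Audit macOS admin-group membership from `dscl` output.

On a Mac, `dscl . -read /Groups/admin GroupMembership` prints a line such as
    GroupMembership: root alice
(or "No such key: GroupMembership" when the group has no listed members).
"""
import shutil
import subprocess
from typing import List, Set

# Constructed sample output, used when dscl is not available (non-macOS hosts).
SAMPLE_DSCL_OUTPUT = "GroupMembership: root mgmt-admin alice\n"

# Hypothetical policy: the only accounts allowed to remain in the admin group.
SANCTIONED_ADMINS: Set[str] = {"root", "mgmt-admin"}


def read_admin_group() -> str:
    """Return the GroupMembership line, live from Directory Services when possible."""
    if shutil.which("dscl"):
        return subprocess.run(
            ["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
            capture_output=True, text=True, check=True,
        ).stdout
    return SAMPLE_DSCL_OUTPUT


def parse_admin_members(dscl_output: str) -> List[str]:
    """Extract member names from the GroupMembership line; empty list if absent."""
    for line in dscl_output.splitlines():
        if line.startswith("GroupMembership:"):
            return line.split(":", 1)[1].split()
    return []


def is_admin(user: str, dscl_output: str) -> bool:
    """True when the account appears in the admin group's membership."""
    return user in parse_admin_members(dscl_output)


def unsanctioned_admins(dscl_output: str,
                        sanctioned: Set[str] = SANCTIONED_ADMINS) -> List[str]:
    """Accounts with admin rights that policy says should be Standard users."""
    return [m for m in parse_admin_members(dscl_output) if m not in sanctioned]


if __name__ == "__main__":
    output = read_admin_group()
    for account in unsanctioned_admins(output):
        print(f"{account}: admin rights not sanctioned by policy")
```

Run on a managed Mac, the script should print nothing; any account it lists is a candidate for demotion to Standard.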
TCC governs access to Camera, Microphone, Accessibility, Full Disk Access (FDA), etc. The TCC database is stored in /Library/Application Support/com.apple.TCC/TCC.db (system-wide) and ~/Library/Application Support/com.apple.TCC/TCC.db (per-user). Applications request permission, and the user is prompted. However, a process with FDA or Accessibility rights can modify the TCC database directly. An attacker who gains admin rights could add their malware to the FDA list, granting themselves full disk access without another prompt.
```bash
# Read the system-wide TCC database (the terminal app running this needs Full Disk Access)
sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" \
  "SELECT service, client, auth_value FROM access"
# Sample output shows which apps have which permissions
```

💡 The auth_value column indicates permission: 0=denied, 1=unknown, 2=allowed, 3=limited. Monitoring this database for unauthorized entries is a key detection technique.
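An added detection example (not the lesson's code) that turns the query above into a check: it reads the `access` table, keeps only rows whose auth_value actually grants something (2=allowed, 3=limited), and reports any client the organisation's allow-list does not name for that service. The allow-list, the bundle identifiers and the in-memory sample database are constructed for the example; `audit_tcc_db` is the same logic pointed at the real system database.

```python
"""Flag TCC grants that policy did not expect."""
import sqlite3
from typing import Dict, List, Set, Tuple

# auth_value meanings, as described in the lesson
AUTH_DENIED, AUTH_UNKNOWN, AUTH_ALLOWED, AUTH_LIMITED = 0, 1, 2, 3
AUTH_NAMES = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}

# client_type in the access table: 0 = bundle identifier, 1 = absolute path
CLIENT_TYPE_NAMES = {0: "bundleID", 1: "path"}

SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"

# Hypothetical allow-list: which clients are expected to hold each service.
EXPECTED: Dict[str, Set[str]] = {
    "kTCCServiceSystemPolicyAllFiles": {"com.example.backupagent"},
    "kTCCServiceCamera": {"com.example.meetings"},
    "kTCCServiceMicrophone": {"com.example.meetings"},
}

Row = Tuple[str, str, int, int]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a subset of the access columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backupagent", 0, AUTH_ALLOWED),
        # a path-based client holding Full Disk Access that no policy sanctioned
        ("kTCCServiceSystemPolicyAllFiles", "/Users/Shared/.helper", 1, AUTH_ALLOWED),
        ("kTCCServiceCamera", "com.example.meetings", 0, AUTH_ALLOWED),
        ("kTCCServiceMicrophone", "com.example.meetings", 0, AUTH_DENIED),
    ])
    conn.commit()
    return conn


def read_access(conn: sqlite3.Connection) -> List[Row]:
    """The lesson's query, plus client_type so path-based clients can be named."""
    return conn.execute(
        "SELECT service, client, client_type, auth_value FROM access"
    ).fetchall()


def unexpected_grants(rows: List[Row],
                      expected: Dict[str, Set[str]] = EXPECTED) -> List[dict]:
    """Rows that grant a service to a client the allow-list does not name."""
    findings = []
    for service, client, client_type, auth_value in rows:
        if auth_value not in (AUTH_ALLOWED, AUTH_LIMITED):
            continue  # denied/unknown rows grant nothing
        if client in expected.get(service, set()):
            continue
        findings.append({
            "service": service,
            "client": client,
            "client_type": CLIENT_TYPE_NAMES.get(client_type, str(client_type)),
            "auth": AUTH_NAMES.get(auth_value, str(auth_value)),
        })
    return findings


def audit_tcc_db(path: str = SYSTEM_TCC_DB) -> List[dict]:
    """Audit a real TCC.db read-only; the reading process itself needs FDA."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return unexpected_grants(read_access(conn))
    finally:
        conn.close()


if __name__ == "__main__":
    for f in unexpected_grants(read_access(build_sample_db())):
        print(f"UNEXPECTED {f['auth']} grant: {f['service']} -> "
              f"{f['client']} ({f['client_type']})")
```

Scheduling `audit_tcc_db()` (for example from a management agent that already holds FDA) and alerting on a non-empty result catches exactly the scenario the lesson describes: an FDA row added for a client nobody approved.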
| TCC Service | Example Required Access | Attack Impact if Bypassed |
|---|---|---|
| kTCCServiceCamera | Video conferencing apps | Visual surveillance |
| kTCCServiceMicrophone | Voice chat | Eavesdropping |
| kTCCServiceAccessibility | Assistive tools, remote access | Simulate user input, control apps |
| kTCCServiceSystemPolicyAllFiles | Backup, antivirus | Read any file (Full Disk Access) |
Enterprise management leverages MDM profiles to enforce restrictions that even an admin cannot override: disabling the ability to change TCC settings, preventing admin accounts from turning off SIP (requires firmware password), and whitelisting approved applications for privacy preferences. The 'Privacy Preferences Policy Control' payload allows pre-approving apps for specific TCC services, eliminating the user prompt and reducing social-engineering risk.
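An added example (not from the lesson, Apple, or any MDM vendor) of what a Privacy Preferences Policy Control payload looks like when built programmatically: the payload type `com.apple.TCC.configuration-profile-policy` carries a `Services` dictionary keyed by TCC service name, and each entry names an app by bundle ID or path, pins it with a code-signing requirement, and sets `Allowed`. One caveat the builder enforces: Camera and Microphone cannot be pre-approved by profile, only denied, so those services always keep the user prompt. The bundle ID, team ID and requirement string are hypothetical.

```python
"""Build a PPPC configuration profile with plistlib."""
import plistlib
import uuid
from typing import Dict, List

PPPC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"

# Services a profile may only deny, never pre-grant; the user must consent in the prompt.
DENY_ONLY_SERVICES = {"Camera", "Microphone"}


def make_service_entry(identifier: str, code_requirement: str, allowed: bool,
                       identifier_type: str = "bundleID", comment: str = "") -> Dict:
    """One entry in a Services array: which app, how it is pinned, and the decision."""
    if identifier_type not in ("bundleID", "path"):
        raise ValueError("IdentifierType must be 'bundleID' or 'path'")
    return {
        "Identifier": identifier,
        "IdentifierType": identifier_type,
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
        "Comment": comment,
    }


def build_pppc_profile(services: Dict[str, List[Dict]], org: str,
                       display_name: str) -> Dict:
    """Wrap Services in a PPPC payload inside a system-scoped configuration profile."""
    for service, entries in services.items():
        if service in DENY_ONLY_SERVICES and any(e["Allowed"] for e in entries):
            raise ValueError(f"{service} cannot be pre-approved by profile, only denied")
    payload = {
        "PayloadType": PPPC_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org}.pppc.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "Services": services,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org}.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadContent": [payload],
    }


def profile_to_xml(profile: Dict) -> bytes:
    """Serialise to the XML plist form a .mobileconfig file carries."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_profile(xml: bytes) -> Dict:
    """Round-trip helper: load a profile back from its XML plist."""
    return plistlib.loads(xml)


# Hypothetical managed backup agent that needs Full Disk Access; team ID is made up.
BACKUP_AGENT = make_service_entry(
    identifier="com.example.backupagent",
    code_requirement='identifier "com.example.backupagent" and anchor apple generic '
                     'and certificate leaf[subject.OU] = "EXAMPLETEAM"',
    allowed=True,
    comment="Pre-approve Full Disk Access for the managed backup agent",
)

EXAMPLE_PROFILE = build_pppc_profile(
    {"SystemPolicyAllFiles": [BACKUP_AGENT]},
    org="com.example", display_name="Example PPPC policy",
)

if __name__ == "__main__":
    print(profile_to_xml(EXAMPLE_PROFILE).decode())
```

The `CodeRequirement` is what keeps the pre-approval from becoming the bypass the lesson warns about: without it, anything that reuses the bundle identifier would inherit the grant. Take the requirement string from `codesign -dr - /path/to/App.app` on a known-good copy rather than writing it by hand.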
⚠️ An admin can disable SIP by booting into Recovery—unless a firmware password is set. Without it, all software-based restrictions are moot.