macOS privacy settings are governed by TCC, which requires explicit user consent for each app requesting Camera, Microphone, Location, Accessibility, etc. But what if malware tricks a user into approving, or exploits a TCC bypass? This lesson dives into TCC database management, how to deploy pre-approval via MDM, and how to audit privacy settings to ensure no unauthorized application has been granted sensitive access.
When an app requests access to the Camera, the system displays a prompt, and the user's choice is stored in the TCC database. This prompt cannot be automated via script—it's a deliberate security feature. However, an admin can pre-approve specific applications using a Privacy Preferences Policy Control (PPPC) profile deployed via MDM. This is ideal for enterprise-required tools (screen sharing, remote management) and eliminates the risk of users approving malicious prompts out of habit.
```bash
# Query the TCC database for apps with Camera access
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
  "SELECT client FROM access WHERE service='kTCCServiceCamera' AND auth_value=2"
```

This command lists applications that have been granted Camera access (auth_value=2). Any unknown entries warrant immediate investigation. Two practical notes: the TCC directory is protected by SIP, so the terminal application running the query must itself hold Full Disk Access, and per-user grants (Camera and Microphone among them) are recorded in each user's `~/Library/Application Support/com.apple.TCC/TCC.db`, so audit those databases alongside the system-wide one.
A PPPC profile is an XML payload that can allow or deny specific TCC services for identified apps (by bundle ID or code signing requirement). For example, you can pre-allow your remote support tool Accessibility access without user interaction. This is critical for deploying security tools like EDR agents that need Full Disk Access. Create these profiles with the 'PPPC Utility' or manually, and deploy via MDM.
💡 When building a PPPC profile, use the 'Identifier' (bundle ID) and 'CodeRequirement' fields to precisely identify the app. The CodeRequirement is obtained with 'codesign -dr - /path/to/app'.
| TCC Service | Sensitive Resource | Common Legitimate Use |
|---|---|---|
| kTCCServiceCamera | Camera | Video conferencing, security tools |
| kTCCServiceMicrophone | Microphone | Voice recording, dictation |
| kTCCServiceListenEvent | Accessibility (input monitoring) | Assistive tools, remote desktop, security tools |
| kTCCServiceSystemPolicyAllFiles | Full Disk Access | Backup, antivirus, EDR |
Regularly audit the TCC database for unexpected entries. Compare against a known-good baseline. Use MDM to query privacy settings and generate compliance reports. Additionally, enable the 'Require administrator password to access system-wide preferences' setting to prevent non-admin users from changing privacy settings. This can be enforced via a configuration profile payload.
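The baseline comparison described above, as an added example that is not part of the original lesson: it runs the page's `access`-table query against a TCC database, subtracts a known-good allowlist, and reports every remaining grant. The bundle IDs and the in-memory database are constructed for the demo, and the table schema is reduced to the columns the query needs; pointing the script at a real TCC.db path requires Full Disk Access.

```python
import sqlite3
import sys
from typing import List, Set, Tuple

# System-wide TCC database (per-user grants live under ~/Library/...).
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
ALLOWED = 2  # auth_value meaning "granted" in the access table

# Known-good baseline of (client, service) pairs expected to hold a grant.
# Constructed example IDs; in practice export this from a freshly
# provisioned machine and keep it under change control.
BASELINE: Set[Tuple[str, str]] = {
    ("com.example.videoconf", "kTCCServiceCamera"),
    ("com.example.edr-agent", "kTCCServiceSystemPolicyAllFiles"),
}


def fetch_grants(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """All (client, service) pairs currently granted, matching the page's query."""
    rows = conn.execute(
        "SELECT client, service FROM access WHERE auth_value = ?", (ALLOWED,))
    return [(client, service) for client, service in rows]


def audit(conn: sqlite3.Connection, baseline: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Grants present in the database but absent from the baseline, sorted for reporting."""
    return sorted(set(fetch_grants(conn)) - baseline)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db (schema reduced to the audited columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, "
                 "client_type INTEGER, auth_value INTEGER)")
    rows = [
        ("kTCCServiceCamera", "com.example.videoconf", 0, 2),          # in baseline
        ("kTCCServiceSystemPolicyAllFiles", "com.example.edr-agent", 0, 2),
        ("kTCCServiceMicrophone", "com.example.notes", 0, 0),          # denied: ignored
        ("kTCCServiceCamera", "com.unknown.updater", 0, 2),            # unexpected grant
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/helper", 1, 2),  # path client
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    # Open a real database read-only when a path is given; otherwise use the sample.
    conn = (sqlite3.connect(f"file:{sys.argv[1]}?mode=ro", uri=True)
            if len(sys.argv) > 1 else build_sample_db())
    for client, service in audit(conn, BASELINE):
        print(f"UNEXPECTED GRANT: {client} -> {service}")
```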
⚠️ A malicious admin can modify the TCC database directly (SQLite write). Since the database directory is protected by SIP, that write requires a process that already holds Full Disk Access (or a machine with SIP disabled), which is why Full Disk Access grants deserve the closest scrutiny in your audits. Pair privacy controls with a firmware password and restricted admin access to prevent local TCC bypass.