
Snake&Apple IX — TCC

Introduction to Transparency, Consent, and Control on macOS

Karol Mazurek
18 min read · Nov 12, 2024

INTRO

Welcome to another article in the series on macOS security internals!

Transparency, Consent, and Control (TCC) is the final layer in Apple's app security model. Like the Sandbox, it aims to limit what malware that does manage to run on macOS can do. The two differ in what they govern: TCC manages access to user data and privacy-sensitive hardware (through user consent), while the Sandbox constrains app behavior (through system-imposed restrictions).

The two mechanisms work together. For example, a sandboxed app that wants to use the camera must first carry the com.apple.security.device.camera entitlement in its sandbox profile; without it the request is refused before TCC is ever consulted. TCC's part is only to ask the user whether the app may access the camera, and that consent prompt applies to non-sandboxed apps as well.

This article will examine TCC components, such as its daemons, databases, permissions dialogs, entitlements, and where to find related APIs.

The table below summarizes all of the subjects described in this article:

Please note that some topics have been intentionally omitted and will be addressed in future articles. However, leave a comment if you have any questions or need clarification about anything written here while reading. I guarantee a response and will use your feedback for future articles.

The Snake&Apple IX. TCC repository contains all of the code used.

TCC

I call it the front door of platform privacy, as it controls every app's access to the user's private data. Before an app can touch protected resources on macOS (the camera, microphone, Contacts, Calendar, the Desktop and Documents folders, the whole disk, and so on), the user must first allow it, either by answering a TCC pop-up or manually in the Privacy settings.

Unlike the components described before, it has no kernel extension of its own. It is nevertheless deeply integrated into macOS through its daemons (tccd), its databases, and its UI security prompts, which together enforce the privacy controls. The rationale for introducing it is given in the Apple Platform Security guide:
