Working with Mojave’s Privacy Protection

For the great majority of Mojave users, its new stringent privacy protection may pass almost unnoticed. If the apps that you run don’t try to access newly-protected private data, you will hardly notice the change. That doesn’t mean to say that the protection is wasted, just that it will get on with doing its job quietly.

If you use third-party apps and other tools which do look in protected folders, or which use restricted features such as controlling other apps using AppleEvents, then you can save yourself a lot of potential trouble with a little planning and preparation, which this article explains.

What is protected in Mojave?

Apple has set out lists of different categories, including two classes of app data, services and devices, and the field of automation.

App data is the simplest to understand. The following have class-specific protection:

Contacts (Address Book) – the contents of ~/Library/Application Support/AddressBook
Calendars – the contents of ~/Library/Calendars
Reminders – often bundled with Calendars, sometimes considered separately
Photos – .photoslibrary files in ~/Pictures.

These have individual listings in the Privacy tab of the Security & Privacy pane, but limited controls there which only allow you to disable items which macOS adds to that list.

moprivprobs03

The following have more generic protection:

Mail – the contents of ~/Library/Mail
Messages – the contents of ~/Library/Messages
Safari browsing history – the contents of ~/Library/Safari
Cookies – the contents of ~/Library/Cookies
iTunes backups (when present)
Time Machine backups – all your backup folder
Miscellaneous – the contents of ~/Library/HomeKit, ~/Library/IdentityServices, ~/Library/Metadata/CoreSpotlight, ~/Library/PersonalizationPortrait, and ~/Library/Suggestions, most of which are new to Mojave.

These don’t have individual listings in the Privacy tab, but are normally included when Full Disk Access is granted.

moprivprobs01

Protected devices and services are:

Location services
Camera, built-in
Microphone, built-in.

These have individual listings in the Privacy tab, but limited controls there which only allow you to disable items which macOS adds to that list.

App automation such as scripting other apps and controlling them using AppleEvents is more complex. Clearly there would be no point in introducing the extensive protection above if all an app had to do was to ask Mail to reveal the contents of various messages. But getting the level of protection and access controls right is difficult, and still evolving. If you use apps which rely on controlling other apps, keep a watch on their support site or blog, where their developers should be giving specific advice to help you use them in Mojave.

How does its protection work?

Mojave’s protection system, TCC (for Transparency Consent and Control), has to work with old apps, built before these controls were implemented, and new ones, which may have the protection of being App Store apps, or can be ‘hardened’ and notarized. To cope with this wide range, its rules may appear complex, so I have sketched them out in a diagram which explains what happens when an app tries to access protected data.

MojavePrivacy1

The various classes of protected data are shown at the left, those in red being covered explicitly in the Privacy controls. The first step is to determine whether the app trying to access protected data is signed by Apple: if it is, access will be determined by private controls, and sometimes regular controls as well. That makes sense, as it would be daft to have to give consent before Photos could open its own library.

Apps developed by a third party are checked to see whether they already have access to that particular class of protected data according to the Privacy settings. If they have, access is then granted without any further dialogs or delay. Note that the effect of adding an app to the Full Disk Access list is to give it access to all protected data (not services or hardware, though) without any further consent being sought.

If they haven’t already been given access, the next check is to see which version of the SDK they were built against. If they were built against 10.13 or earlier, then Mojave doesn’t expect them to have support such as usage information, so it should display a dialog inviting you to give consent to the requested access. That will normally only contain the standard text information.

moprivprobs02

If you give consent, then that app will be added to the appropriate class in the Privacy settings; if you decline, then it will be denied access, but isn’t put on any sort of blacklist, so you can still give consent on another occasion.

If the app was built against the 10.14 SDK, then stricter rules are applied. It is then required to have a usage statement for the class of data which it is trying to access, where that is in the class-specific list at the top, or a protected device or service. If the app doesn’t provide the appropriate usage statement, TCC considers that the request to access protected data is unintended, and crashes the app as an ‘unexpected quit’.

If the app does contain a usage statement appropriate for that class of protected data, then Mojave will display the consent dialog, this time containing the text from that usage statement as well. If you give consent, the app will then be added to the list in Privacy in the normal way.

App entitlements are quite different from usage statements or consent, and are built into apps which are either delivered through the App Store (as they always have been for all sorts of system resources), or those which are specially ‘hardened’ and normally notarized. Notarization is an optional process intended to enhance trust in apps which aren’t supplied through the App Store. Those apps cannot be given access to protected data, services, or hardware for which they don’t have an entitlement, even if they contain an appropriate usage statement, but you should still be able to add them to the Full Disk Access list if you wish.

Although it is macOS which determines whether to invite your consent to an app accessing protected data, it cannot bypass the consent step for third-party apps. Third-party apps can’t sneak past and gain access without your being asked for approval. The exception to this is when you add an app to the Full Disk Access list: when on that list, and ticked as having active approval, you will not be prompted for user consent when that app accesses protected data.

You thus control what is added to most of the class-specific Privacy lists by giving consent, but you cannot yourself decide to add an app to any of those. The list which you do control completely is that for Full Disk Access, which (for the moment at least) is not one that an app can directly request.

Every app listed in those Privacy lists can have its access restricted, and this is an important control which you should use for your own benefit. Let’s say that you need to let an app access your address book, but only the once. You can consent to its doing so, and it will be added to the Contacts lists in the Privacy tab. Once it has completed that task, you can and should then open the Security & Privacy pane and remove its tick in the Contacts list, which will force it to seek your consent again should it ever try to access your address book later.

You can also uncheck or remove apps from the Full Disk Access listing, if you want to deny them all access for the time being.

I have a free tool which will reveal the usage information, entitlements, and the version of the SDK against which an app is built: Taccy is available from Downloads above. It not only runs in Mojave, but in Sierra and High Sierra too, so you can use it to check apps before you have even upgraded to Mojave.

Planning for privacy protection

Although you can just leave this all to work out, privacy protection can cause some strange effects, and could get in your way. Apps which haven’t been given access to protected data will show it as if the protected folders have incorrect permissions, for instance when you try to open a file. In some cases, for example when scanning a folder, protected areas will simply be omitted; in other cases, you could find an accessing app suddenly crashes.

moprivprobs12

When you have upgraded to Mojave and you’re setting your preferences up, spend a little while adding apps to the Full Disk Access list in the Privacy tab. Don’t add everything that could possibly want to access any protected data, though: only include those which normally need to have such access.

Also consider those apps which run command tools: Terminal is an obvious case, but if you use other apps to run commands or shell scripts, they may well need to be added to Full Disk Access too. This is because TCC uses an Attribution Chain when assessing whether to give command tools and similar non-apps access. That chain normally rises until it hits a proper app, which is then expected to control access to protected data. Mojave will try to walk you through this process when a command is run, but this can be usefully anticipated and Full Disk Access granted.

TCC and its privacy protection are likely to evolve substantially as they become widely used in Mojave. I’ll be surprised if they remain unchanged over the next six months, as Apple and developers tune it to maintain protection for users without prejudicing functionality.

Because the user can’t add apps to most of the lists in the Privacy settings, if a developer doesn’t provide the right usage information in an app built against the 10.14 SDK, it can lock that app out of being able to access some classes of protected data unless it is given Full Disk Access.

The fallback here is to give that app Full Disk Access, which overrides the narrower class lists. But you may not wish to give it access to some other classes of protected data. In that case, it might be worth keeping access to a copy of the last version of that app to be built against the 10.13 SDK: as TCC is more relaxed in its requirements for such older versions, this could allow you to get an app approved and consented into a Privacy listing even though a later build against 10.14 doesn’t support it. So long as that older version has the same app ID as the current one, inclusion should work for the newer version too.

The general workaround for any app which appears unable to access protected data is to manually add it to the Full Disk Access list, which works for apps built against any version of the SDK, irrespective of the usage information provided.

The greatest uncertainty remains over apps which control other apps using AppleEvents. Some superficial interactions, such as showing a file in a Finder window, shouldn’t have any privacy controls, but quite a few apps engage in much more intimate collaboration. This is likely to see greatest change in the first versions of Mojave, and you should keep a careful watch on the developers’ support sites for further information. You may wish to keep to an earlier version of the app until any problems have been resolved.

Finally, remember that giving your consent (or refusal) is not irrevocable, done and dusted. You the user remain in control of which apps can access which protected data – the whole purpose of these changes. During your early use of Mojave, check the Privacy settings at least once a day until you are happy that little is changing. If you don’t like what you see there, don’t hesitate to change it. It is good practice to withdraw your consent from many apps once they have got the information that you are prepared to give them. And please read the consent dialogs carefully, or you will be caught out when you simply click through them.

18Comments

Add yours

1

Stan on September 6, 2018 at 2:16 pm

It is a pity that Apple doesn`t allow developers to check if their apps are listed in the Full Data Access list.

LikeLiked by 1 person
2

Michael Tsai - Blog - AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms on September 6, 2018 at 6:59 pm

[…] Update (2018-09-06): Howard Oakley: […]

LikeLike
3

Episode 95: Rich Trouton and the Tale of TCC – Mac Admins Podcast on September 18, 2018 at 2:39 pm

[…] Working with Mojave’s Privacy Protection […]

LikeLike
4

Harry on September 26, 2018 at 9:24 am

I’m happy that Apple is going towards the more secure system. For more privacy, I use Nord VPN provider, I hope now, no one can log my private data.

LikeLiked by 1 person
5

John Brave on September 26, 2018 at 12:51 pm

Apple gave no way to authorize Apple Script Droplets.

I have one that I use tens of times daily and now I can’t! It simply says not authorized.

LikeLiked by 1 person
- 6
  
  hoakley on September 26, 2018 at 12:54 pm
  
  What access does it need? You should be able to add it to the Full Disk Access list, which will give it full access to all files.
  It is also worth rebuilding it using Script Editor in Mojave: you may find that adds the requisite info strings which allows it to do what it needs.
  Howard.
  
  LikeLike
  - 7
    
    John Brave on September 26, 2018 at 2:06 pm
    
    Thanks for the suggestion. But I tried both of these things and no use. I need to control the Finder and there is no way to make the script authorized to send apple events to the Finder.
    
    It’s important enough that I might have to upgrade back to High Sierra. So far this has been a downgrade.
    
    LikeLiked by 1 person
    - 8
      
      hoakley on September 26, 2018 at 2:11 pm
      
      Can you make this into an app rather than a droplet? Even if it doesn’t do exactly what you want, as an app it should be able to be added to the right privacy list, with its app ID. If the droplet has the same app ID, then that may allow the droplet to be run with that authorisation.
      Do you have access to Apple’s Bug Reporter? If not, email me your droplet, please, and I’ll see what I can do both to report it as a bug and ensure that it is seen by the right engineering team at Apple. My email address is in the About page here.
      Howard.
      
      LikeLike
  - 9
    
    John Brave on September 26, 2018 at 2:52 pm
    
    Problem solved! I had to save it as completely new app (a droplet is an app), but the trick was to sign it with my developer signature. Without the signature it wouldn’t ask for permission to do its work.
    
    LikeLiked by 1 person
    - 10
      
      hoakley on September 26, 2018 at 3:14 pm
      
      Well done. I’ll have a look to see what is going on: signatures shouldn’t be required, really, should they?
      Howard.
      
      LikeLike
11

Let’s Talk Apple — Ep. 61 (September 2018) – Let's Talk Podcasts on October 3, 2018 at 8:28 am

[…] Working with Mojave’s Privacy Protection – The Eclectic Light Company — eclecticlight.co/… […]

LikeLike
12

Working with Mojave’s Privacy Protection – Jerry's Mac Blog on October 23, 2018 at 5:17 pm

[…] via Working with Mojave’s Privacy Protection […]

LikeLike
13

Escaping the macOS 10.14 (Mojave) sandbox with R / RStudio | rud.is on November 9, 2018 at 12:14 pm

[…] Working with Mojave’s Privacy Protection […]

LikeLike
14

Valdo on July 9, 2019 at 10:24 pm

Automation Item
in Mojave > System Preferences > Security & Privacy > Privacy > Automation an Installer requires access to System Events.

How to find out to which app generated this request and eventually how to remove the item?

Thank you!

LikeLiked by 1 person
- 15
  
  hoakley on July 9, 2019 at 10:40 pm
  
  The app which generated this request is Installer itself, probably as a result of an Installer script it was running when installing that named package (which doesn’t seem at all helpful).
  By unticking that item, you disable that Automation feature, and to use it again Installer would have to make another request. The only way to remove that item is to clear the whole Automation list with the Terminal command
  tccutil reset AppleEvents
  I hope that helps.
  Howard.
  
  LikeLike
16

Valdo on July 10, 2019 at 11:47 am

Thank you.

P.S. I get answers from you almost immediately, on other well known pages I’m struggling for month to get the right answers. Chappeau Howard!

LikeLiked by 1 person
17

Valdo on July 22, 2019 at 6:47 am

Objective-See apps what I use and recommend for increased privacy in Mojave

LuLu – firewall for outgoing connections
OverSight – camera and microphone controller
KnockKnock – uncovers persistently installed software

I hope those apps will continue to work also in Catalina!

https://objective-see.com/index.html

LikeLiked by 1 person
- 18
  
  hoakley on July 22, 2019 at 7:06 am
  
  Thanks, yes I strongly recommend them.
  However, no third-party tools offer any controls over Mojave privacy settings, as Apple has refused to allow any access to them from code or scripts, other than the tccutil command described above.
  Howard.
  
  LikeLike