Why does SilentKnight/LockRattler show TCC is out of date?

Some users are seeing discrepancies in version numbers of installed security data when checking them using SilentKnight, LockRattler, or EFIcienC. This is most common in the TCC database, but can affect others, and is currently worst in Catalina betas. This article explains how this happens, and what to do about it.

I’ll take as my example the TCC database, which is a bundle normally residing at /System/Library/Sandbox/TCC_Compatibility.bundle. Currently, in Mojave and Catalina it should be at version 17.0, which was pushed out as an update on 5 June 2019.

SilentKnight, LockRattler and EFIcienC each obtain the version number by asking macOS for the version of TCC_Compatibility.bundle in that path, and display the result in the TCC box. macOS in turn should read that version number from the Info.plist file within the bundle (at TCC_Compatibility.bundle/Contents/Info.plist). The first check you can make is to select /System/Library/Sandbox/TCC_Compatibility.bundle in the Finder, and see what version number is given. That should match that shown in the app.

Each of the apps also looks at the system’s record of installations at /Library/Receipts/InstallHistory.plist to discover the most recent installation of the TCC database, and reports that, together with the version number installed. So even though the app is reporting that version 16.0 is in use, it may also record the installation of 17.0, for example as
TCC 2019-06-05 04:49:18 +0000 : 17.0

Several things may have happened. First, the installation itself may have failed. Without going back through your unified log, there’s unlikely to be any record of that, as these ‘silent’ updates report almost nothing to the user. Alternatively, the installation may have been mostly successful and updated the important data, in this case TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist, but didn’t correctly update the Info.plist file.

Some of these security data files, such as those for XProtect, also contain internal version numbers, but TCC’s doesn’t, so there’s no easy way of checking which version the data is from.

The good news is that, at the moment, the TCC data is only likely to affect a small number of users. The current data concerns certain versions of the following apps:

  • Blizzard Starcraft and Starcraft2
  • Pearson TestNav Desktopapp

It’s likely that this will correct itself, either in a future TCC update, or in the 10.14.5 update. There’s no means of downloading and installing again one of these ‘silent’ updates, though: they’re only available when Apple pushes them, and if your Mac reckons the update has been installed, it won’t get pushed again. Apple doesn’t provide these updates as standalone Installer packages either: the only means of obtaining them (as a user) is when Apple pushes them the first time.

The situation with Catalina betas is more complex. Because of their read-only system volume, updating system security data depends on macOS making those data files writable, or they can’t be updated except during a full system update. It’s not yet clear whether this mechanism works fully in the betas, and it may be that the system itself is blocking its own updates. However, if you check the bundles and apps in the Finder, you’ll see that the version numbers given there and in SilentKnight do correspond. No doubt this issue will be sorted out during the beta phase.