A Guide to Catalina’s Privacy Protection: 4 tccutil

Apart from the Privacy tab in the Security & Privacy pane, the only utility which operates on Mojave’s and Catalina’s privacy system is the command tool tccutil. Worse still, that command only has one function, to reset – that is, remove – current privacy settings. At least it now offers finer control over just what you reset.

privacy34

When your privacy settings have become hopelessly munged and you want to start with a clean sheet, use
tccutil reset All
and all the lists in Privacy should be cleared. However, as Matthew Warren has shown, this doesn’t actually appear to reset some lists, which may need to be reset individually. TCC also maintains at least two lists, one for each user, and one for root, which isn’t visible in the Privacy pane but can be accessed by running tccutil as root.

If you want to remove just one app from all the lists, use
tccutil reset All com.vendor.appname
to apply that to the app with the identity com.vendor.appname.

To clear all entries in a particular privacy list, use
tccutil reset ListName
which clears every entry from the ListName list.

The finest control that you get is to clear the entry for a specific app in a specific list, which is
tccutil reset ListName com.vendor.appname

You can discover app identities from a number of places, including by dragging and dropping the app onto my free utility Taccy, which displays this as the App ID in the top left of its window.

Apple doesn’t appear to list the services which can be used as ListName in the commands above, despite that being reported as a bug. Those available in Mojave and Catalina include:

Accessibility
AddressBook (for the Contacts list)
AppleEvents (for the Automation list)
Calendar (note the singular, for the Calendars list)
Camera
Microphone
Photos
Reminders.

Added for Catalina are:

ScreenCapture (for the Screen Recording list)
SystemPolicyAllFiles (for the Full Disk Access list, which may also work in Mojave)
SystemPolicyDesktopFolder
SystemPolicyDeveloperFiles (which doesn’t match any of the lists in the Privacy pane)
SystemPolicyDocumentsFolder
SystemPolicyDownloadsFolder
SystemPolicyNetworkVolumes
SystemPolicyRemovableVolumes
SystemPolicySysAdminFiles (which doesn’t match any of the lists in the Privacy pane).

All except the first two of these refer to properties allowed in the Files and Folders list.

A rumoured addition for Catalina is SpeechRecognition or Siri, but I can’t find anyone who has used it successfully. Additional lists which may or may not do anything are given here.

The following lists appear only to be controlled in Privacy:

Developer Tools
Input Monitoring
Location Services

That is the sum total of controls which Apple provides the user with.

5Comments

Add yours

1

Rafael Prado on February 18, 2020 at 11:29 pm

Hi,
the “Location” list is not managed via TCC database [like the others are].

All those location items listed under ‘Privacy -> Location Services’ are managed by the ‘locationd’ daemon and are configured inside a plist file located at: “/var/db/locationd/clients.plist”

the “clients.plist” file contains all the items presented on the GUI, and also several hidden ones. There are plist keys to and to any item. You can edit [with sudo] that file (its syntax is very simple to understand) and clean up / remove items, or better: also monitor it to have fine detailed control over items permitted to access your location, including the hidden ones not showed by the security-privacy preference pane GUI.

LikeLiked by 1 person
- 2
  
  hoakley on February 19, 2020 at 12:23 am
  
  Thank you – that’s very helpful. I can see I’m going to have to explore that a bit more.
  Howard.
  
  LikeLike
3

TCC troubleshooting | DAM SAN on August 5, 2020 at 4:51 pm

[…] Read Howard Oakley’s blog post on Catalina and privacy protection […]

LikeLike
4

holaluisemilio12341 on September 3, 2020 at 5:20 pm

https://discussions.apple.com/thread/251754247?login=true&page=1

Hello, having some trouble after installing the last supplemental macos 10.15.6 system update..

Deleting tcc.db didn’t work at all…

LikeLiked by 1 person
- 5
  
  hoakley on September 3, 2020 at 5:42 pm
  
  Thank you.
  I recommend that you first download and re-install the 10.15.6 update, then apply the Supplemental Update to that. If that doesn’t fix it, try the 10.15.6 Combo Update followed by the Supplemental Update. At worst, you may need to re-install Catalina, I’m afraid.
  I wish you success,
  Howard.
  
  LikeLike

Share this:

Related