Privacy: what TCC does and doesn’t

Trying to understand privacy settings in macOS Ventura is a strange experience. Almost everything you assume, or take for granted, turns out to be wrong, even some of the articles I’ve written here. While the Transparency, Consent and Control (TCC) subsystem is an important part of it, it’s by no means alone. Let me explain.

Privacy & Security settings

The front end to privacy settings is of course Privacy & Security in System Settings, and Security & Privacy in System Preferences before it. But only some of what’s offered there is controlled by TCC. Obviously, the Security settings at the foot are separate, but so are Location Services at the top.

The list of apps in Location Services isn’t determined by the user: all you can do is enable or disable apps that macOS recognises as wanting access to location information. Similarly, those listed in System Services can only be turned on or off. Not only that, but those settings aren’t handled by TCC or its databases, but by the locationd service. Resetting TCC, or removing its database, leaves these settings unaffected. Nor does there appear to be any other way to alter them, not even with a command tool like tccutil.

Most, if not all, of the other items listed under Privacy are controlled by TCC and recorded in its databases, although controls vary according to the list. Full Disk Access is user-controlled, in that you can add and remove apps from this list, as well as enabling or disabling access. Most of the other lists depend on the app declaring its wish through an entry in its Info.plist and/or an entitlement, and making the request, so triggering the user consent dialog.

tccutil and reset

The command tool used to reset part or all of TCC’s databases likewise has no power over Location Services. Depending on the exact command used, what it does is iterate through its main database in /Library/Application Support/com.apple.TCC/TCC.db first by service, then within each service by the identity, in case-sensitive alphabetical order, deleting all entries in that database individually.

It will, for example, delete all entries for SystemPolicyAllFiles (for apps given Full Disk Access), for com.apple.Safari before com.apple.donotdisturbd, then later do the same for entries for kTCCServiceLiverpool. It doesn’t flush or remove the AdhocSignatureCache folder alongside its database either, and sometimes may leave behind items in the lists in Privacy & Security. To ensure a reset is complete, you should therefore manually check each list after performing the reset, and, if permitted, delete any outstanding items.

You can follow these database deletions in the log, where each is marked by an entry such as
5.785551 com.apple.TCC Publishing <TCCDEvent: type=Delete, service=kTCCServiceLiverpool, identifier_type=Bundle ID, identifier=com.apple.Passbook> to 2 subscribers: {
518 = "<TCCDEventSubscriber: token=518, state=Passed, csid=com.apple.photolibraryd>";
337 = "<TCCDEventSubscriber: token=337, state=Passed, csid=com.apple.cloudd>";
}

which deletes access to kTCCServiceLiverpool for the bundle/app ID com.apple.Passbook.
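To audit a reset rather than read the log by eye, the Delete events can be parsed and checked against what you expected to be removed. This is an added example, not code from the original article: the sample log lines are constructed in the format of the entry above, and the function names are hypothetical.

```python
import re

# Matches the TCCDEvent description inside a com.apple.TCC log message.
# "<TCCDEventSubscriber: ...>" lines do not match and are skipped.
EVENT_RE = re.compile(
    r"<TCCDEvent: type=(?P<type>[^,>]+), service=(?P<service>[^,>]+), "
    r"identifier_type=(?P<id_type>[^,>]+), identifier=(?P<identifier>[^>]+)>"
)

# Constructed sample lines, modelled on the log entry quoted in the article.
SAMPLE_LOG = """\
5.601200 com.apple.TCC Publishing <TCCDEvent: type=Delete, service=kTCCServiceSystemPolicyAllFiles, identifier_type=Bundle ID, identifier=com.apple.Safari> to 2 subscribers: {
5.601950 com.apple.TCC Publishing <TCCDEvent: type=Delete, service=kTCCServiceSystemPolicyAllFiles, identifier_type=Bundle ID, identifier=com.apple.donotdisturbd> to 2 subscribers: {
5.785551 com.apple.TCC Publishing <TCCDEvent: type=Delete, service=kTCCServiceLiverpool, identifier_type=Bundle ID, identifier=com.apple.Passbook> to 2 subscribers: {
    518 = "<TCCDEventSubscriber: token=518, state=Passed, csid=com.apple.photolibraryd>";
}
"""

def parse_events(text):
    """Return one dict per TCCDEvent found, in log order."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def deletions_by_service(events):
    """Group the identifiers of Delete events by service, preserving log order."""
    grouped = {}
    for ev in events:
        if ev["type"] == "Delete":
            grouped.setdefault(ev["service"], []).append(ev["identifier"])
    return grouped

def out_of_order(grouped):
    """Services whose identifiers are not in case-sensitive (code point) order."""
    return [svc for svc, ids in grouped.items() if ids != sorted(ids)]

def missing_deletions(grouped, expected):
    """(service, identifier) pairs you expected to be deleted but that never appear."""
    return [(s, i) for s, i in expected if i not in grouped.get(s, [])]

if __name__ == "__main__":
    grouped = deletions_by_service(parse_events(SAMPLE_LOG))
    for service, identifiers in grouped.items():
        print(service, identifiers)
    print("out of order:", out_of_order(grouped))
```

On a Mac the input would come from something like `log show --predicate 'subsystem == "com.apple.TCC"' --last 5m`, and the expected list from what you noted in Privacy & Security before the reset. Python's default string sort is by code point, which is why com.apple.Safari precedes com.apple.donotdisturbd, matching the case-sensitive order described earlier.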

Once all entries have been deleted in the main database at /Library/Application Support/com.apple.TCC/TCC.db, this is either repeated or echoed to the user database at ~/Library/Application Support/com.apple.TCC/TCC.db, although that doesn’t normally appear to be used when adding or changing settings.

If you intend to delete the whole database at /Library/Application Support/com.apple.TCC/TCC.db in Recovery mode, before doing so you should perform a full reset using
sudo tccutil reset All
and allow a couple of minutes for that to propagate to the user database, to ensure that has also been emptied.

tccutil and restore

Within a fraction of a second of completing the reset of the main database, TCC starts to restore most of the core services it has just deleted. Of the 32 core bundle IDs and services deleted in a reset, at least 15 are normally restored in the following couple of seconds, as ‘System Set’. None of those appear in the lists in Privacy & Security, though; they are concerned with TCC’s less visible controls over iCloud access.

iCloud access

Many of TCC’s settings and controls aren’t visible in Privacy & Security, as they determine access to iCloud services. Service names used by TCC for these include kTCCServiceLiverpool and kTCCServiceUbiquity, for CloudKit and iCloud Drive respectively.

For several years, it has been assumed (and I’m as guilty as anyone of the error) that kTCCServiceLiverpool and its private entitlement in com.apple.private.tcc.allow are concerned with Location Services. As I will explain next week, that doesn’t appear to be correct, however logical it might have seemed at the time.

User control over app access to iCloud is in System Settings > Apple ID > iCloud Drive > Options, where apps are unhelpfully listed in a window of fixed size, in random rather than alphabetical order.

Summary

  • Not all in Privacy & Security is controlled by TCC. Location Services are managed separately by locationd, and aren’t affected by TCC resets.
  • The main TCC database at /Library/Application Support/com.apple.TCC/TCC.db appears more used and more important than its equivalent in the user’s Home library.
  • tccutil resets delete entries in both databases.
  • Before deleting the main TCC database, reset it fully and wait for a couple of minutes for both to sync.
  • After any reset with tccutil, manually check each category and delete any items remaining.
  • Entries set by macOS will be restored automatically following a reset.
  • iCloud access is also controlled by TCC, and set in the Apple ID section of System Settings.