Some of the oldest privacy protections in macOS are those applied to devices such as cameras and microphones. In recent years, those have been extended to cover other types of device. This article covers the following items protected in macOS Sequoia, and listed in Privacy & Security settings:
- Bluetooth, can also be added by the user;
- Camera, requires the app to have both user text and entitlement;
- HomeKit data;
- Input Monitoring, to allow monitoring the mouse or trackpad, and keyboard, can also be added by the user;
- Local Network, to allow the app to find and communicate with network devices;
- Microphone, requires the app to have both user text and entitlement;
- Screen & System Audio Recording, to allow the app to record screen and/or audio, can also be added by the user;
- Speech Recognition, to allow access to speech recognition features.
In each case, access to the protected device is normally requested by the app, although those noted can also be added manually by the user. For an app to be allowed to access these devices, it normally has to provide text explaining why it’s doing that, and may be required to have an appropriate entitlement. In at least some cases, including camera and microphone, those are required, and an app that doesn’t provide both text and entitlement will be crashed by macOS if it tries to access that device.
In addition to those regular privacy protections, Intel laptops with T2 chips and Apple silicon laptops also feature hardware microphone disconnect, which automatically disables the microphone when their lid is closed. There is no override for that protection.
App requirements
Occasionally, when looking through the lists in Privacy & Security settings, you may come across apps that surprisingly have access to what appear to be inappropriate devices, or you may be confronted with an unexpected request for access. Don’t feel obliged to consent, but quit the app if it’s running and check its Info.plist and entitlements to establish whether this is legitimate and provides a valid reason.
This is easily accomplished using Mothers Ruin’s superb free Apparency. Open the app with that, and browse its Info Property List.
There you should see all the text it uses to populate its privacy requests. Each NS[name]UsageDescription should provide meaningful information about why the app is making that request. If you don’t see a good explanation there, then refer to the app’s documentation. Apple lists all these keys here. Note that Apple’s bundled apps don’t use text in their Info.plist and shouldn’t make privacy access requests, although its App Store apps should follow the same rules as those for third parties.
Then switch to the list of Entitlements for that app.
If the app uses cameras or microphones, you should there see respective entries for com.apple.security.device.* regardless of whether that app runs in a sandbox. You may also see additional com.apple.security.* entitlements for other protected features. Apple lists all those entitlements here.
So, for an app to make a legitimate request for access to a camera, you should see both
- NSCameraUsageDescription text in its Info.plist giving the reason for access, and
- com.apple.security.device.camera in its entitlements giving it that capability.
For access to a microphone, you should see both
- NSMicrophoneUsageDescription text in its Info.plist giving the reason for access, and
- com.apple.security.device.audio-input in its entitlements giving it that capability.
If you’re still not happy, delete the privacy setting or deny the app’s request. You can always accept the request at a later time if you wish.
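The same cross-check can be scripted once you have an app's Info.plist and its entitlements saved as property lists. The following is an added example, not code from Apparency or Apple; the app com.example.notes and both sample property lists are constructed for illustration.

```python
import plistlib

# Pairs named in the article: the usage-description key in Info.plist and
# the entitlement that must accompany it.
REQUIREMENTS = {
    "camera": ("NSCameraUsageDescription", "com.apple.security.device.camera"),
    "microphone": ("NSMicrophoneUsageDescription",
                   "com.apple.security.device.audio-input"),
}

def audit_device_access(info_plist: bytes, entitlements: bytes) -> dict:
    """Return a verdict per device: 'consistent', 'not requested',
    'missing entitlement', 'missing usage text' or 'empty usage text'."""
    info = plistlib.loads(info_plist)
    # An app signed without entitlements yields no entitlements plist at all.
    ents = plistlib.loads(entitlements) if entitlements.strip() else {}
    verdicts = {}
    for device, (usage_key, ent_key) in REQUIREMENTS.items():
        has_text = usage_key in info
        text = str(info.get(usage_key, "")).strip()
        entitled = ents.get(ent_key) is True
        if not has_text and not entitled:
            verdicts[device] = "not requested"
        elif has_text and not text:
            verdicts[device] = "empty usage text"
        elif has_text and not entitled:
            verdicts[device] = "missing entitlement"
        elif entitled and not has_text:
            verdicts[device] = "missing usage text"
        else:
            verdicts[device] = "consistent"
    return verdicts

# Constructed sample data for a hypothetical app, com.example.notes.
# For a real app, read Contents/Info.plist and the output of
# `codesign -d --entitlements - --xml /path/to/App.app`.
SAMPLE_INFO = plistlib.dumps({
    "CFBundleIdentifier": "com.example.notes",
    "NSCameraUsageDescription": "Scan documents into your notes.",
    "NSMicrophoneUsageDescription": "Record voice memos.",
})
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.app-sandbox": True,
    "com.apple.security.device.camera": True,
})

if __name__ == "__main__":
    for device, verdict in audit_device_access(SAMPLE_INFO, SAMPLE_ENTITLEMENTS).items():
        print(f"{device}: {verdict}")
```

A verdict of "consistent" only confirms that both items are present; whether the usage text gives a good reason still needs a human reading.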
Maintenance
There are times when we want to clear out some of the apps that we gave access to devices in the past. For those categories where you can remove individual settings, that’s usually the simplest course of action. But you can’t do that with camera and microphone access, for example. The only way to clear those categories is to reset them completely, then, as each app requests access again, grant it to those you want to allow.
The only way to do this is in Terminal’s command line using the tccutil command tool. For example, to reset settings for microphones, enter the command
tccutil reset Microphone
and for cameras use
tccutil reset Camera
Apple doesn’t seem to document the names to be used for each category, but those worth trying according to circumstances include:
- Accessibility
- AddressBook (for the Contacts list)
- AppleEvents (for the Automation list)
- Calendar (note the singular, for the Calendars list)
- Camera
- Microphone
- Photos
- Reminders
- ScreenCapture (for the Screen Recording list)
- SystemPolicyAllFiles (for the Full Disk Access list)
- SystemPolicyDesktopFolder
- SystemPolicyDeveloperFiles (which doesn’t match any of the lists in privacy settings)
- SystemPolicyDocumentsFolder
- SystemPolicyDownloadsFolder
- SystemPolicyNetworkVolumes
- SystemPolicyRemovableVolumes
- SystemPolicySysAdminFiles (which doesn’t match any of the lists in privacy settings).
If only one or two apps are involved, then you can reset their settings with
sudo tccutil reset All com.vendor.appname
for the app with the identity com.vendor.appname, also easily discovered using Apparency.
Beyond that, a full reset can be performed using
sudo tccutil reset All
but that should remove all your consents, which would then need to be recreated one by one.
Summary
- Privacy & Security settings now control access to several types of device, including cameras and microphones.
- T2 and Apple silicon laptops have hardware microphone disconnect to disable their microphone when their lid is closed.
- Apps make requests to have access to protected devices, and some types can also be added by the user.
- Requests for access should give a meaningful reason, and some also require an entitlement.
- If in doubt, use Apparency to check their Info.plist and entitlements.
- Allow access only when you’re satisfied that it’s legitimate and for good reason.
- Device categories in Privacy & Security that can’t be changed by the user can be reset using the tccutil reset command with their category name.
- Be cautious about resetting all consents using sudo tccutil reset All as you’ll then have to recreate them all one at a time.



