tccd

Transparency, Consent, and Control Daemon

Mechanism used to control/limit access of applications to specific features, including: full disk access, location services, contacts, camera, accessibility, microphone, and more.

Restricts applications from accessing data that might be sensitive without user consent.

For example, when an app accesses the Downloads folder, the operating system displays an alert (MalwareBytesAlert).

Use the Privacy tab in the Security & Privacy pane to manage the configuration (EclecticLight example), or use tccutil (EclecticLight).

Stored using SQLite in

sqlite3  '/Library/Application Support/com.apple.TCC/TCC.db'
sqlite> .tables
    access            active_policy     expired
    access_overrides  admin             policies
sqlite> .schema         #   TYPE, NOT NULL and DEFAULT removed for clarity

CREATE TABLE admin          (key PRIMARY KEY , value );
CREATE TABLE policies       (id   PRIMARY KEY, bundle_id , uuid , display    ,
                                       UNIQUE (bundle_id, uuid));
CREATE TABLE active_policy  (client , client_type ,policy_id ,
                                PRIMARY KEY (client, client_type),
                                FOREIGN KEY (policy_id) REFERENCES policies(id)
                                ON DELETE CASCADE
                                ON UPDATE CASCADE);
CREATE INDEX active_policy_id ON active_policy(policy_id);

CREATE TABLE access         ( service,  client,  client_type,
                              auth_value,  auth_reason,  auth_version,
                              csreq,        -- TYPE BLOB: shows as ?? in select output, as hex in .dump
                              policy_id,
                              indirect_object_identifier_type,
                              indirect_object_identifier,
                              indirect_object_code_identity,
                              flags,  last_modified,
                              pid, pid_version, boot_uuid,
                              last_reminded,
                                PRIMARY KEY (service, client, client_type, indirect_object_identifier),
                                FOREIGN KEY (policy_id) REFERENCES policies(id)
                                ON DELETE CASCADE
                                ON UPDATE CASCADE);

select * from access;
# pid,   pid_version , policy_id   are null.  

kTCCServiceDeveloperTool  com.apple.Terminal                                            
kTCCServicePostEvent      com.apple.screensharing.agent                                
kTCCServiceScreenCapture  com.apple.screensharing.agent                               
kTCCServiceAccessibility  /private/var/folders/pg/zyphk57n1t16txf7j3hxfj2h0000gn/T/App
                          Translocation/9412F995-4FF4-44DE-8D66-BCD1E9F8C40F/d/GOGGalaxy 
                          - Botanicula.app/Contents/MacOS/GalaxyWebInstaller    


sqlite> select * from access order by service;
service                          client                       client_type  auth_value  auth_reason  auth_version  csreq  
                                                                         indirect_object_identifier_type  indirect_object_identifier  indirect_object_code_identity  
                                                                                flags  last_modified  boot_uuid  last_reminded

kTCCServiceAccessibility         /System/Library/Frameworks/CoreServices.framework/Versions/A
                                 /Frameworks/AE.framework/Versions/A/Support/AEServer
                                                                               1 0 4  1 ?? 0 UNUSED 0 1687571380 UNUSED 0

kTCCServiceAccessibility           /private/var/folders/pg/zyphk57n1t16txf7j3hxfj2h0000gn  
                                 /T/App/Translocation/9412F995-4FF4-44DE-8D66-BCD1E9F8C40F/
                                 d/GOGGalaxy - Botanicula.app/Contents/MacOS/GalaxyWebInstaller
                                                                                1 0 4  1 0    UNUSED 0 1703682193 UNUSED 0
kTCCServiceAccessibility         com.gog.galaxy                          0 2 4  1 ?? 0 UNUSED 0 1641090248 UNUSED 0
kTCCServiceAccessibility         com.webex.meetingmanager                0 0 4  1 ?? 0 UNUSED 0 1647719222 UNUSED 0
kTCCServiceAccessibility         us.zoom.xos                             0 0 4  1 ?? 0 UNUSED 0 1643931577 UNUSED 0

kTCCServiceDeveloperTool         com.apple.Terminal                      0 0 4  1    0 UNUSED 0 1641473899 UNUSED 0
kTCCServicePostEvent             com.apple.screensharing.agent           0 2 4  1    0 UNUSED 0 1687571380 UNUSED 0
kTCCServiceScreenCapture         com.apple.screensharing.agent           0 2 4  1    0 UNUSED 0 1687571380 UNUSED 0
kTCCServiceScreenCapture         com.webex.meetingmanager                0 0 4  1 ?? 0 UNUSED 0 1681777609 UNUSED 0

kTCCServiceSystemPolicyAllFiles  /Library/Application Support/Looking Glass Factory/
                                  HoloPlayService/HoloPlayService.app/Contents/MacOS/HoloPlayService 
                                                                        1 0 5 1 ??  UNUSED  0 1703523531 UNUSED  0 
kTCCServiceSystemPolicyAllFiles  /Library/PrivilegedHelperTools/com.oracle.JavaInstallHelper   
                                                                        1 0  5  1 ??  UNUSED  0 1642802641 UNUSED 0
kTCCServiceSystemPolicyAllFiles  /Library/PrivilegedHelperTools/us.zoom.ZoomDaemon             
                                                                        1 0  5  1 ??  UNUSED  0 1643931792 UNUSED 0 
kTCCServiceSystemPolicyAllFiles  /bin/sh                                 1 0  5  1 ??  UNUSED  0 1649706373 UNUSED 0 
kTCCServiceSystemPolicyAllFiles  /usr/libexec/sshd-keygen-wrapper        1 2  4  1 ?? 0 UNUSED 0 1687571380 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.apple.Terminal                      0 2  4  1 ?? 0 UNUSED 0 1655640409 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.apple.XProtectFramework.XProtect    0 0  5  1 ??   UNUSED 0 1661138227 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.apple.backup.launcher               0 2  4  1 ?? 0 UNUSED 0 1678054761 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.apple.dt.Xcode                      0 0  5  1 ??   UNUSED 0 1697210224 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.apple.findmy                        0 0  5  1 ??   UNUSED 0 1648035764 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.gog.galaxy                          0 2  4  1 ?? 0 UNUSED 0 1641059835 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.macroplant.iExplorer                0 2  4  1 ?? 0 UNUSED 0 1706141928 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.oracle.java.Java-Updater            0 0  5  1 ??   UNUSED 0 1689027860 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.segger.JLinkRTTViewer.V760e         0 0  5  1 ??   UNUSED 0 1642802972 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.segger.JMem.V760e                   0 0  5  1 ??   UNUSED 0 1643071555 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.valvesoftware.steam                 0 0  5  1 ??   UNUSED 0 1647989642 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.vivaldi.Vivaldi                     0 0  5  1 ??   UNUSED 0 1691871235 UNUSED 0
kTCCServiceSystemPolicyAllFiles  com.webex.meetingmanager                0 0  5  1 ??   UNUSED 0 1647642159 UNUSED 0
kTCCServiceSystemPolicyAllFiles  org.mozilla.firefox                     0 0  5  1 ??   UNUSED 0 1642232052 UNUSED 0
kTCCServiceSystemPolicyAllFiles  org.mozilla.thunderbird                 0 0  5  1 ??   UNUSED 0 1675277696 UNUSED 0
kTCCServiceSystemPolicyAllFiles  org.sparkle-project.Sparkle.Updater     0 0  5  1 ??   UNUSED 0 1704509034 UNUSED 0
kTCCServiceSystemPolicyAllFiles  org.vim.MacVim                          0 0  5  1 ??   UNUSED 0 1647729075 UNUSED 0
kTCCServiceSystemPolicyAllFiles  us.zoom.ZoomAutoUpdater                 0 0  5  1 ??   UNUSED 0 1668124950 UNUSED 0
kTCCServiceSystemPolicyAllFiles  us.zoom.xos                             0 0  5  1 ??   UNUSED 0 1643929737 UNUSED 0

kTCCServiceUbiquity              com.apple.Automator                     0 2  4  1 ?? 0 UNUSED 0 1664981504 UNUSED 0
kTCCServiceUbiquity              com.apple.MobileSMS                     0 2  4  1 ?? 0 UNUSED 0 1665197743 UNUSED 0
kTCCServiceUbiquity              com.apple.ScriptEditor2                 0 2  4  1 ?? 0 UNUSED 0 1665197741 UNUSED 0
kTCCServiceUbiquity              com.nordicsemi.mastercontrolpanel       0 2  4  1 ?? 0 UNUSED 0 1665197744 UNUSED 0


sqlite3  '/Library/Application Support/com.apple.TCC/TCC.db'
sqlite> .mode column
sqlite> select service,client,last_modified from access order by last_modified desc limit 3;
service                          client                                                        last_modified
-------------------------------  ------------------------------------------------------------  -------------
kTCCServiceSystemPolicyAllFiles  com.macroplant.iExplorer                                      1706141928 
kTCCServiceSystemPolicyAllFiles  org.sparkle-project.Sparkle.Updater                           1704509034 
kTCCServiceAccessibility         /private/var/folders/pg/zyphk57n1t16txf7j3hxfj2h0000gn/T/App  1703682193
                                 Translocation/9412F995-4FF4-44DE-8D66-BCD1E9F8C40F/d/GOG Gal
                                 axy - Botanicula.app/Contents/MacOS/GalaxyWebInstaller

sqlite> select count(*) from access;
39


.dump access
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE access (    service        TEXT        NOT NULL,     client         TEXT        NOT NULL,     
                        client_type    INTEGER     NOT NULL,     auth_value     INTEGER     NOT NULL,     
                        auth_reason    INTEGER     NOT NULL,     auth_version   INTEGER     NOT NULL,     
                        csreq          BLOB,     policy_id      INTEGER,     indirect_object_identifier_type    INTEGER,
                        indirect_object_identifier         TEXT NOT NULL DEFAULT 'UNUSED',     indirect_object_code_identity      BLOB,     
                        flags          INTEGER,     last_modified  INTEGER     NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)),
                         pid INTEGER, pid_version INTEGER, boot_uuid TEXT NOT NULL DEFAULT 'UNUSED', 
                          last_reminded INTEGER NOT NULL DEFAULT 0,     
                     PRIMARY KEY (service, client, client_type, indirect_object_identifier),    
                     FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE);

                  Ct Av Ar Av below = client_type, auth_value, auth_reason, auth_version
                                                                             CtAvArAv
INSERT INTO access VALUES('kTCCServiceSystemPolicyAllFiles','com.gog.galaxy',0,2,4,1,
  X'fade0c000000009c0000000100000006000000020000000e636f6d2e676f672e6      csreq
    7616c6178790000000000060000000f000000060000000e000000010000000a2a
    864886f76364060206000000000000000000060000000e000000000000000a2a8
    64886f7636406010d0000000000000000000b000000000000000a7375626a6563
    742e4f550000000000010000000a395753333651383838360000',
     NULL,0,                            policy_id, indirect_object_identifier_type,
     'UNUSED',NULL,0,                   indirect_object_identifier, indirect_object_code_identity, flags   
     1641059835,NULL,NULL,'UNUSED',0);  last_modified , pid, pid_version, boot_uuid, last_reminded 
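
The csreq BLOB in the row above is a binary code requirement, the signing identity recorded for the client. As an added example (not part of the original notes), this Python decoder turns that exact blob back into requirement text; it handles only the opcodes present in this blob, the opcode and match numbers are those of Apple's open-source code-signing requirement format, and all function names are this example's own.

```python
import io
import struct

CSREQ_HEX = (  # csreq of the com.gog.galaxy row, copied from the .dump above
    "fade0c000000009c0000000100000006000000020000000e636f6d2e676f672e6"
    "7616c6178790000000000060000000f000000060000000e000000010000000a2a"
    "864886f76364060206000000000000000000060000000e000000000000000a2a8"
    "64886f7636406010d0000000000000000000b000000000000000a7375626a6563"
    "742e4f550000000000010000000a395753333651383838360000"
)

def u32(r):
    return struct.unpack(">I", r.read(4))[0]

def blob(r):  # length-prefixed bytes, zero-padded to a 4-byte boundary
    size = u32(r)
    return r.read((size + 3) & ~3)[:size]

def oid(der):  # DER-encoded OID body -> dotted string
    arcs, acc = [der[0] // 40, der[0] % 40], 0
    for byte in der[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if byte < 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def match(r):  # only matchExists (0) and matchEqual (1) are handled
    op = u32(r)
    if op > 1:
        raise ValueError(f"match op {op} not handled")
    return f' = "{blob(r).decode()}"' if op else " /* exists */"

def expr(r):  # prefix-encoded expression tree; subset of opcodes only
    op = u32(r)
    if op == 2:  # opIdent
        return f'identifier "{blob(r).decode()}"'
    if op == 6:  # opAnd
        return f"{expr(r)} and {expr(r)}"
    if op in (11, 14):  # opCertField (named) / opCertGeneric (OID)
        slot, field = u32(r), blob(r)
        name = field.decode() if op == 11 else "field." + oid(field)
        return f"certificate {'leaf' if slot == 0 else slot}[{name}]{match(r)}"
    if op == 15:  # opAppleGenericAnchor
        return "anchor apple generic"
    raise ValueError(f"opcode {op} not handled")

def decode_csreq(data):
    if struct.unpack_from(">III", data) != (0xFADE0C00, len(data), 1):
        raise ValueError("not a code requirement blob in expression form")
    return expr(io.BytesIO(data[12:]))
```

Call `decode_csreq(bytes.fromhex(CSREQ_HEX))` to get the requirement string. On macOS the result can be cross-checked by writing the bytes to a file and running `csreq -r <file> -t`.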



CREATE TABLE access_overrides ( service   PRIMARY KEY);
CREATE TABLE expired        ( service,  client,  client_type  ,
                              csreq,  last_modified,  expired_at,
                                PRIMARY KEY (service, client, client_type));



 '/Library/Application Support/com.apple.TCC'
    AdhocSignatureCache/
676135 Jan  7 18:47 328A4212-F76B-4C7C-B5F7-C04B71D3594C
 98901 Jan  7 18:47 4E1B438D-89AA-4101-B06B-AE1E96F32E28
432337 Jan  7 18:47 74754888-12EA-4FBE-AF8F-D370206CFADC
 98901 Jan  7 18:47 94EB726D-7BF8-464D-B684-C51905563D90
484453 Jan  7 18:47 F452A9D9-A77A-4463-BFBB-78AD47C08C78
  1911 Jan  7 18:47 keys

    	REG.db			TCC.db
Support/com.apple.TCC and ~/Library/Application Support/com.apple.TCC/TCC.db

Blackhat ways to bypass).
the database is TCC.db (https://eclecticlight.co/2018/11/20/what-does-the-tcc-compatibility-database-do/).


Location Services

as of 1/28/24 : 97 records Dec 4'23 - Jan 24

Location Services allows apps and websites to gather and use information based on the current location.
Approximate location is determined using information from local Wi-Fi networks, and is collected by Location Services.

Turn Location Services off

Apple menu > System Settings, click Privacy & Security in the sidebar, then click Location Services on the right. Turn off Location Services. Precise location is not sent to Apple. To deliver relevant search suggestions, Apple may use the IP address of the internet connection to approximate your location by matching it to a geographic region. Other applications and websites may still use other ways to determine your location. Location information may be used for emergency calls.

Which apps and system services can use Location Services: Apple menu > System Settings, Privacy & Security, then click Location Services.
If Location Services is off for an app, the next time that app tries to use your location data it will query you. Scroll to the bottom of the list of apps to reveal System Services, then click the Details button to see the system services provided:

System Services can access
Alerts and notifications, suggestions and search, setting time zone, system customizations, Find My Mac, HomeKit, networking and wireless, Mac analytics, Wi-Fi calling, significant locations for: Maps, Calendar, Photos...

Location Services allows Apple and third-party apps and websites to gather and use information based on the current location of your computer. Approximate location is determined using information from local Wi-Fi networks, and is collected by Location Services in a manner that doesn't personally identify you. With Spotlight or Safari Suggestions in Safari, the location of your Mac will be sent to Apple to make Spotlight Suggestions and Safari Suggestions more relevant. If you turn off Location Services for Spotlight Suggestions and Safari Suggestions, Apple may use the IP address of your internet connection to approximate your location by matching it to a geographic region. To allow use by Siri Suggestions and Safari Suggestions, turn on Suggestions & Search. You can select and remove locations from the list or click > Clear History to remove all the locations. In macOS 13.3 or later, an arrow next to the Control Centre icon in the menu bar indicates the current location of your Mac is being used. To see the app that's using your location, click the Control Centre icon. See Use Control Centre. If you allow third-party apps or websites to use your current location, any information they collect is governed by their terms and privacy policies. It's recommended that you learn about the privacy practices of those parties. When you use Siri Suggestions or Safari Suggestions, the location of your Mac at the time you submit a search query to Safari or Spotlight is sent to Apple to make suggestions more relevant and to improve other Apple products and services.