For years, macOS security developers and researchers have urged Apple to add TCC events to the Endpoint Security (ES) framework. Doing so would allow them to directly trace a TCC request to the specific application (or malware) that triggered it. This could allow third-party security tools to offer real-time protection around permission requests.

The good news? Apple is finally making this happen in macOS 15.4.
The bad news? It’s rough around the edges right now.

Across Apple’s ecosystem of devices, TCC (Transparency, Consent, and Control) functions as a hugely important subsystem that prompts users to allow, limit, or deny requests from individual apps to access sensitive data and built-in hardware like the microphone and camera. The main goal of TCC is to provide users with transparency about how their data is accessed and used by applications.
Ideally, this protects users. But malware authors know people impulsively hit “Allow,” so they often rely on this tactic to trick users into approving access they shouldn’t.

Up until now, detecting a malicious TCC event was anything but trivial. Security tools could not directly observe one in real time. Instead, they would have to scrape logs to determine whether a malicious event occurred, which often happens long after the damage is done.

As Objective-See’s Patrick Wardle, creator of several popular Mac security tools including LuLu, first spotted in the last macOS 15.4 beta, Apple has quietly added TCC events to its Endpoint Security framework.
The newly added ES_EVENT_TYPE_NOTIFY_TCC_MODIFY event type notifies Endpoint Security clients that a TCC prompt was triggered. This could finally give third-party security tools the teeth they need to monitor permission prompts in real time and link the requests to the application that made them.

“Since the majority of macOS malware circumvents TCC through explicit user approval, it would be incredibly helpful for any security tool to detect this — and possibly override the user’s risky decision. Until now the best (only?) option was to ingest log messages generated by the TCC subsystem,” Wardle writes in a blog post.

Similarly, Apple added Gatekeeper events to the ES framework in macOS 13 Ventura. This gave endpoint security tools access to Gatekeeper’s decision-making process regarding whether to allow or block an application from opening based on the policy set.
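To show what the log-ingestion approach Wardle describes actually involves, here is an added example (not code from the article, Objective-See, or Apple) that stitches tccd’s AUTHREQ_* unified-log messages together by msgID to recover which process asked for which service and what the user decided. The line format and the sample lines are constructed assumptions modelled on tccd’s logging, not a capture from a real system.

```python
import re
from dataclasses import dataclass

# Constructed sample of tccd unified-log lines. The AUTHREQ_CTX / AUTHREQ_ATTRIBUTION /
# AUTHREQ_RESULT shape is an assumption modelled on tccd's logging, not a real capture.
SAMPLE_LOG = """\
tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=500.12, function=TCCAccessRequest, service=kTCCServiceMicrophone, preflight=no, query=1,
tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=500.12, attribution={accessing={TCCDProcess: identifier=com.example.notes, pid=4021, auid=501, euid=501, binary_path=/Applications/Notes Helper.app/Contents/MacOS/helper}},
tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=500.12, authValue=2, authReason=3, authVersion=1,
tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=500.13, function=TCCAccessRequest, service=kTCCServiceCamera, preflight=no, query=1,
tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=500.13, attribution={accessing={TCCDProcess: identifier=com.example.cam, pid=4100, auid=501, euid=501, binary_path=/Applications/Cam.app/Contents/MacOS/Cam}},
tccd: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=500.13, authValue=0, authReason=3, authVersion=1,
"""

# Services whose approval deserves a second look; authValue follows TCC.db: 0 denied, 2 allowed.
SENSITIVE = {"kTCCServiceMicrophone", "kTCCServiceCamera", "kTCCServiceScreenCapture", "kTCCServiceAccessibility", "kTCCServiceSystemPolicyAllFiles"}
HEADER = re.compile(r"(AUTHREQ_\w+): msgID=([\d.]+)")
KV = re.compile(r"(\w+)=([^,{}]+)")

@dataclass
class TccRequest:
    service: str = ""
    client: str = ""
    pid: int = 0
    binary_path: str = ""
    auth_value: int = -1  # stays -1 until the AUTHREQ_RESULT line arrives

def parse_tcc_log(lines):
    """Correlate the three AUTHREQ_* messages for one prompt by msgID into one record."""
    reqs = {}
    for line in lines:
        m = HEADER.search(line)
        if not m:
            continue
        kind, msg_id = m.groups()
        req = reqs.setdefault(msg_id, TccRequest())
        kv = dict(KV.findall(line))
        if kind == "AUTHREQ_CTX":  # which TCC service was requested
            req.service = kv.get("service", "")
        elif kind == "AUTHREQ_ATTRIBUTION":  # which process asked
            req.client, req.pid = kv.get("identifier", ""), int(kv.get("pid", 0))
            req.binary_path = kv.get("binary_path", "")
        elif kind == "AUTHREQ_RESULT":  # what the user decided
            req.auth_value = int(kv.get("authValue", -1))
    return list(reqs.values())

def approved_sensitive(requests):
    """Prompts the user allowed for a high-value service: the events a tool would flag."""
    return [r for r in requests if r.auth_value == 2 and r.service in SENSITIVE]
```

Because these lines exist only once tccd has already recorded the decision, a tool built this way learns about the grant after the fact, which is the gap the new ES event is meant to close.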
Before this, Gatekeeper’s decision-making wasn’t accessible to third parties, much like TCC before the macOS 15.4 beta.

Apple finally adding a TCC event to Endpoint Security is great, but as Wardle points out in his breakdown, it’s “rather nuanced.” It may not capture every helpful detail, could behave inconsistently at times, and isn’t enough in its current state for any useful visibility. However, it’s important to point out that this was newly added to the macOS 15.4 beta, which will be released widely sometime next month. I expect Apple to have a lot of it ironed out by then.

I highly recommend checking out his blog post on Objective-See for technical insights.

Follow Arin: Twitter/X, LinkedIn, Threads

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day.