Thursday, February 9, 2023

Resetting TCC

Howard Oakley:

When privacy settings are playing up, and you get prompted to allow access that you have already agreed to, or access fails when it should have worked, there’s little you can do about it. Once you’ve fiddled with Privacy & Security settings without success, the only tool to try is tccutil.

If problems are confined to just one or two privacy categories, then you can reset just those using a command like

sudo tccutil reset ListName

only Apple doesn’t document the ListName to be used for each category. Experience suggests you could usefully try the following[…]

[…]

The nuclear option is to delete TCC’s database, a process requiring the use of Terminal in Recovery mode. This has been described in detail by Robin Kunde, and fleshed out further by Glenn Fleishman at MacWorld.

[…]

This all begs the question as to how the TCC database became corrupted in the first place. After all, it’s better to treat a cause rather than a symptom. As many users seem able to go for years without suffering problems so intractable as to require this nuclear option, and TCC databases are generally small in comparison with other vital system databases, it’s not easy to see how they can repeatedly become corrupted.

Indeed. I don’t recall this ever happening to me, but it’s not uncommon to hear about it from my customers, so it’s frustrating that a full reset is so obscure and difficult to do. Here are my instructions for troubleshooting TCC.

Update (2023-02-13): Robin Kunde:

Another unfortunate vector for TCC corruption is device management software. At the dayjob we had a long-running incident where most people couldn’t screenshare from Google Hangouts because it was impossible to grant the relevant permission to Chrome.

Tanner Bennett:

TCC was easily corrupted on Catalina as a user with SIP disabled. I had to be careful to enable SIP before launching an app that would trigger a TCC prompt or the app wouldn’t show up in the list in System Prefs with no way to add it manually.

Howard Oakley:

The list of apps in Location Services isn’t determined by the user, all you can do is enable or disable apps that macOS recognises as wanting access to location information. Similarly for those listed in System Services, it’s on or off only. Not only that, but those settings aren’t handled by TCC or its databases, but by the locationd service. When you reset TCC, or remove its database, that leaves these settings unaffected. Neither does there appear to be any other way to alter these, even a command tool like tccutil.

[…]

If you intend to delete the whole database at /Library/Application Support/com.apple.TCC/TCC.db in Recovery mode, before doing so you should perform a full reset using sudo tccutil reset All and allow a couple of minutes for that to propagate to the user database, to ensure that has also been emptied.

[…]

Many of TCC’s settings and controls aren’t visible in Privacy & Security, as they determine access to iCloud services. Service names used by TCC for these include kTCCServiceLiverpool and kTCCServiceUbiquity, for CloudKit and iCloud Drive respectively.

Howard Oakley:

Even when you have the correct permissions, and SIP isn’t involved, read and write access to some locations can be blocked by the privacy controls in macOS, a subsystem for Transparency, Consent and Control, the dreaded TCC. While it manages access to services and features like camera and microphone, and controls over other apps, TCC also restricts disk, folder and file access. This is confusingly controlled by two interrelated categories in Privacy & Security settings, Full Disk Access and Files and Folders.

Those don’t govern access to iCloud, which, while also controlled by TCC, is in System Settings > Apple ID > iCloud Drive > Options.
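Before reaching for a full reset, it helps to see every TCC grant for an app in one place, including the iCloud services named above that Privacy & Security does not list. The following Python is an added example, not code from the post or from anyone quoted in it. It assumes the database has an `access` table with `service`, `client` and `auth_value` columns and the `auth_value` meanings shown (as on macOS 11 and later), and that `tccutil` takes the service name without its `kTCCService` prefix followed by a bundle identifier. The sample rows are constructed and `com.example.editor` is hypothetical.

```python
import pathlib
import sqlite3

# Assumed auth_value meanings in the `access` table (macOS 11 and later).
AUTH = {0: "denied", 1: "unknown", 2: "allowed", 3: "limited"}
# Services the page says are used for iCloud and not shown in Privacy & Security.
ICLOUD = {"kTCCServiceLiverpool": "CloudKit", "kTCCServiceUbiquity": "iCloud Drive"}

def open_readonly(path):
    """Open a copy of TCC.db read-only so the audit cannot modify it."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)

def sample_db():
    """Constructed stand-in for TCC.db holding only the columns read below."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    db.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        ("kTCCServiceScreenCapture", "com.google.Chrome", 0),
        ("kTCCServiceMicrophone", "com.google.Chrome", 2),
        ("kTCCServiceAccessibility", "com.example.editor", 2),
        ("kTCCServiceUbiquity", "com.example.editor", 2),
    ])
    return db

def permissions_by_client(db):
    """Map each client to a list of (service, state, iCloud label or None)."""
    out = {}
    query = "SELECT client, service, auth_value FROM access ORDER BY client, service"
    for client, service, value in db.execute(query):
        state = AUTH.get(value, f"unrecognised({value})")
        out.setdefault(client, []).append((service, state, ICLOUD.get(service)))
    return out

def targeted_resets(db):
    """tccutil commands for denied entries, narrower than `tccutil reset All`."""
    cmds = []
    for client, rows in permissions_by_client(db).items():
        for service, state, _ in rows:
            if state == "denied":
                name = service.replace("kTCCService", "", 1)
                cmds.append(f"tccutil reset {name} {client}")
    return cmds

if __name__ == "__main__":
    db = sample_db()
    for client, rows in permissions_by_client(db).items():
        print(client, rows)
    print(targeted_resets(db))
```

Reading the real databases requires the calling process to have Full Disk Access; pass a copy of the file to `open_readonly` instead of `sample_db()`.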

2 Comments

Security system setting bugs (primarily Accessibility, but also Screen Recording, Desktop etc permissions, and heaven forbid Translocation issues) make up probably 50% of my support emails for Keyboard Maestro. And since they frequently inflict their problems on new users, I fully expect they significantly limit uptake by new users who start using Keyboard Maestro and then immediately get stymied by Apple’s buggy security permission and give up.

These bugs and failings have been around since Mojave which is just depressing.

On top of that is the inconsistency between security settings. Keyboard Maestro runs as two processes, the parent Keyboard Maestro editor and the contained Keyboard Maestro Engine, and some systems require both apps to be listed, some require just the parent app to be listed and give implicit permission to the contained engine.

On top of that, the UI for it doesn't allow you to see what permissions an application has in one place, you'd have to check each different system to see whether the app has that permission or not.

The entire system needs to be rethought and the bugs removed. Apple is ok at the whole rethinking thing, but pretty lousy at the removing bugs thing these days.

MacOS needs a user friendly way to reset most user settings to factory state. Just last week I had bad Bluetooth problems with my Magic Keyboard and Mouse after upgrading from Monterey to Ventura. Resetting the Bluetooth settings was so cumbersome. MacOS used to have a menu item where you could accomplish this in the menu bar. It was very well hidden behind a modifier key combination, but nevertheless there. I also totally agree that resetting the TCC settings should be much easier.
