
9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform.
For years, macOS security developers and researchers have urged Apple to add TCC events to the Endpoint Security (ES) framework. Doing so would allow them to directly trace a TCC request to the specific application (or malware) that triggered it. This could allow third-party security tools to offer real-time protection around permission requests.
The good news? Apple is finally making this happen in macOS 15.4.
The bad news? It’s rough around the edges right now.
Across Apple’s ecosystem of devices, TCC (Transparency, Consent, and Control) functions as a hugely important subsystem that prompts users to allow, limit, or deny requests from individual apps to access sensitive data and built-in hardware like the microphone and camera. The main goal of TCC is to provide users with transparency about how their data is accessed and used by applications.
Ideally, this protects users. But malware authors know people impulsively hit “Allow,” so they often rely on this tactic to trick users into approving access they shouldn’t.
Up until this, detecting a malicious TCC event was anything but trivial. Security tools could not directly observe one in real time. Instead, they would have to scrape logs to determine whether a malicious event occurred, which often happens long after the damage is done.
As Objective-See’s Patrick Wardle—creator of several popular Mac security tools including LuLu—first spotted in the last macOS 15.4 beta, Apple has quietly added TCC events to its Endpoint Security framework. See below:
The now-added ES_EVENT_TYPE_NOTIFY_TCC_MODIFY identifier notifies endpoint security that a TCC prompt was triggered. This could finally give third-party security tools the teeth they need to monitor permission prompts in real time and link the requests to the application that made them.
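To show what subscribing to the new event looks like from a third-party tool's side, here is a minimal Endpoint Security client that listens for ES_EVENT_TYPE_NOTIFY_TCC_MODIFY and logs the TCC service involved together with the instigating and responsible processes. This is an added example, not code from the article or from Objective-See. It assumes the macOS 15.4 SDK; the es_event_tcc_modify_t field names it reads (service, identity, update_type, instigator, responsible, right, reason) are taken from that SDK header as I read it and should be checked against the header you build with. The client needs the com.apple.developer.endpoint-security.client entitlement and Full Disk Access to run.

```objective-c
// Added example: minimal Endpoint Security client for the TCC_MODIFY event.
// Not the article's or Objective-See's code. Assumes the macOS 15.4 SDK;
// the es_event_tcc_modify_t field names used below are an assumption
// based on that SDK's header and should be verified against it.
// Build: clang -fobjc-arc -framework Foundation -framework EndpointSecurity \
//        tccmon.m -o tccmon
// then code-sign with the com.apple.developer.endpoint-security.client
// entitlement and run as root with Full Disk Access granted.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <bsm/libbsm.h>

// es_string_token_t is a (pointer, length) pair, not NUL-terminated.
static NSString *tokenToString(es_string_token_t tok) {
    if (tok.data == NULL || tok.length == 0) return @"";
    NSString *s = [[NSString alloc] initWithBytes:tok.data
                                           length:tok.length
                                         encoding:NSUTF8StringEncoding];
    return s ?: @"";
}

// Executable path plus pid, so an alert can be tied to the specific binary.
static NSString *describeProcess(const es_process_t *proc) {
    if (proc == NULL) return @"<unknown>";
    return [NSString stringWithFormat:@"%@ (pid %d)",
            tokenToString(proc->executable->path),
            audit_token_to_pid(proc->audit_token)];
}

static void handleTCCModify(const es_message_t *msg) {
    const es_event_tcc_modify_t *ev = &msg->event.tcc_modify;
    NSLog(@"TCC modify: service=%@ identity=%@ update_type=%d right=%d reason=%d",
          tokenToString(ev->service), tokenToString(ev->identity),
          (int)ev->update_type, (int)ev->right, (int)ev->reason);
    // instigator: the process whose request led to the change;
    // responsible: the process TCC attributes the decision to (e.g. the app
    // that launched the instigator). Both may be NULL, hence describeProcess.
    NSLog(@"  instigator:  %@", describeProcess(ev->instigator));
    NSLog(@"  responsible: %@", describeProcess(ev->responsible));
    // msg->process is the process that generated the event (normally tccd).
    NSLog(@"  reporter:    %@", describeProcess(msg->process));
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t res = es_new_client(&client,
            ^(es_client_t *c, const es_message_t *msg) {
                // NOTIFY events carry no deadline and need no response.
                if (msg->event_type == ES_EVENT_TYPE_NOTIFY_TCC_MODIFY) {
                    handleTCCModify(msg);
                }
            });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            NSLog(@"es_new_client failed: %d (missing entitlement or Full Disk Access?)", res);
            return 1;
        }
        es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_TCC_MODIFY };
        if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
            NSLog(@"es_subscribe failed");
            es_delete_client(client);
            return 1;
        }
        NSLog(@"Subscribed to ES_EVENT_TYPE_NOTIFY_TCC_MODIFY; waiting for events");
        [[NSRunLoop mainRunLoop] run];
    }
    return 0;
}
```

Because this is a NOTIFY event rather than an AUTH event, the client only observes the change after TCC has already applied it; a tool that wants to "override the user's risky decision" would still have to act after the fact (for example by revoking the grant or alerting), which is part of why the current form of the event is limited.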
“Since the majority of macOS malware circumvents TCC through explicit user approval, it would be incredibly helpful for any security tool to detect this — and possibly override the user’s risky decision. Until now the best (only?) option was to ingest log messages generated by the TCC subsystem,” Wardle writes in a blog post.
Similarly, in the past, Apple added Gatekeeper events to the ES framework in macOS 13 Ventura. This gave endpoint security tools access to the Gatekeeper’s decision-making process regarding whether to allow or block an application from opening based on the policy set. Before this, Gatekeeper’s decision-making wasn’t accessible to third parties, much like TCC before the macOS 15.4 beta.
Apple finally adding a TCC event to Endpoint Security is great, but as Wardle points out in his breakdown, it’s “rather nuanced.” It may not capture every helpful detail, could behave inconsistently at times, and isn’t enough in its current state for any useful visibility. However, it’s important to point out that this was newly added to the macOS 15.4 beta, which will be released widely sometime next month. I expect Apple to have a lot of it ironed out by then.
I highly recommend checking out his blog post on Objective-See for technical insights.
Follow Arin: Twitter/X, LinkedIn, Threads