Security Update: macOS 15.4 Enables “Allow” for TCC Event Support


The DMN Security Bite is presented by Mosyle, the premier Apple Unified Platform. Our sole focus is to ensure Apple devices are ready for work and secure for enterprise use. We provide a unique, integrated management and security solution that encompasses advanced Apple-specific security measures for automated Hardening & Compliance, Next Generation EDR, AI-driven Zero Trust, and specialized Privilege Management, all paired with the most robust Apple MDM available. The outcome is a fully automated Apple Unified Platform trusted by more than 45,000 organizations to prepare millions of Apple devices effortlessly and affordably. Sign up for your EXTENDED TRIAL today to discover why Mosyle is the ultimate solution for optimizing your Apple experience.


For many years, macOS security developers and researchers have implored Apple to integrate TCC events within the Endpoint Security (ES) framework. This enhancement would enable them to directly trace a TCC request back to the particular application (or malware) that initiated it, which could facilitate real-time protection as opposed to relying on system logs.

On a positive note, Apple is introducing this functionality in macOS 15.4.

However, there are some drawbacks—it’s not yet fully polished.


Throughout Apple’s diverse device ecosystem, TCC (Transparency, Consent, and Control) serves as a crucial subsystem that prompts users to approve, limit, or deny access requests from applications to sensitive data and hardware components like the microphone and camera. TCC’s primary objective is to offer users insight into how their data is accessed and utilized by apps.

In theory, this system protects users. However, malicious software developers exploit the fact that users often hastily click “Allow,” tricking them into granting unauthorized access.

Figure: Illustration of a deceptive TCC prompt on macOS

Prior to this update, identifying a malicious TCC event was anything but straightforward. Security tools were unable to monitor these events directly in real time and instead relied on log records to determine whether a harmful event had occurred, which frequently came too late to prevent damage.

As pointed out by Patrick Wardle of Objective-See—creator of numerous well-known Mac security solutions including LuLu—Apple has subtly integrated TCC events into its Endpoint Security framework starting from the last macOS 15.4 beta. Here’s a look:

Figure: TCC event in Endpoint Security on macOS 15.4 beta 4. Image credits to Patrick Wardle/Objective-See.

The newly-added ES_EVENT_TYPE_NOTIFY_TCC_MODIFY identifier alerts endpoint security regarding a triggered TCC prompt. This functionality could finally empower third-party security solutions to monitor permission prompts in real-time, linking requests back to the responsible application.

“As the majority of macOS malware bypasses TCC via explicit user approval, it would be immensely beneficial for security software to detect this and potentially override the user’s risky choice. Until now, the only feasible approach was to analyze the log messages produced by the TCC subsystem,” Wardle notes in a blog entry.
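To make the log-based approach Wardle refers to concrete, here is an added example (not code from this article or from Objective-See): a small Python script that pairs tccd request and result lines by msgID and flags grants of sensitive services to non-Apple clients. The log lines are constructed and simplified; the field layout and the authValue meanings are assumptions modelled on com.apple.TCC log output, and the "pending" case shows why this is after-the-fact detection rather than prevention.

```python
import re
from typing import Dict, List

# Constructed, simplified lines in the style of
# `log stream --predicate 'subsystem == "com.apple.TCC"'` output.
# The field layout is an assumption modelled on tccd messages, not a specification.
SAMPLE_LOG = """\
2025-03-01 10:02:11.101 tccd[455]: [com.apple.TCC:access] AUTHREQ_CTX: msgID=455.77, function=TCCAccessRequest, service=kTCCServiceMicrophone, client=com.example.updater
2025-03-01 10:02:14.903 tccd[455]: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=455.77, authValue=2, authReason=4
2025-03-01 10:03:00.010 tccd[455]: [com.apple.TCC:access] AUTHREQ_CTX: msgID=455.78, function=TCCAccessRequest, service=kTCCServiceCamera, client=com.apple.FaceTime
2025-03-01 10:03:01.500 tccd[455]: [com.apple.TCC:access] AUTHREQ_RESULT: msgID=455.78, authValue=0, authReason=3
2025-03-01 10:04:22.700 tccd[455]: [com.apple.TCC:access] AUTHREQ_CTX: msgID=455.79, function=TCCAccessRequest, service=kTCCServiceSystemPolicyAllFiles, client=com.example.updater
"""

CTX_RE = re.compile(r"AUTHREQ_CTX: msgID=(?P<msg>[\d.]+), .*?service=(?P<service>\w+), client=(?P<client>[\w.\-]+)")
RESULT_RE = re.compile(r"AUTHREQ_RESULT: msgID=(?P<msg>[\d.]+), authValue=(?P<auth>\d+)")

# Assumed to follow the TCC.db auth_value convention: 0 = denied, 2 = allowed.
AUTH_VALUE = {0: "denied", 2: "allowed"}

# TCC services whose grant to an unexpected client deserves a second look.
SENSITIVE = {"kTCCServiceMicrophone", "kTCCServiceCamera", "kTCCServiceScreenCapture",
             "kTCCServiceAccessibility", "kTCCServiceSystemPolicyAllFiles"}


def correlate(log_text: str) -> List[Dict[str, str]]:
    """Pair each request (AUTHREQ_CTX) with its outcome (AUTHREQ_RESULT) by msgID."""
    requests: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        if m := CTX_RE.search(line):
            requests[m["msg"]] = {"msg": m["msg"], "service": m["service"],
                                  "client": m["client"], "status": "pending"}
        elif m := RESULT_RE.search(line):
            req = requests.get(m["msg"])
            if req:  # a result with no matching request is ignored
                req["status"] = AUTH_VALUE.get(int(m["auth"]), "unknown")
    return list(requests.values())


def flag_risky(events: List[Dict[str, str]], trusted_prefix: str = "com.apple.") -> List[Dict[str, str]]:
    """Grants of sensitive services to non-Apple clients. Entries still 'pending'
    show the limit of log-only monitoring: the prompt is on screen, but the tool
    only learns the outcome once the user has already clicked."""
    return [e for e in events
            if e["status"] == "allowed" and e["service"] in SENSITIVE
            and not e["client"].startswith(trusted_prefix)]


if __name__ == "__main__":
    for e in flag_risky(correlate(SAMPLE_LOG)):
        print(f"review: {e['client']} was granted {e['service']} (msgID {e['msg']})")
```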

Likewise, Apple previously incorporated Gatekeeper events into the ES framework in macOS 13 Ventura. This enabled endpoint security tools to access Gatekeeper’s decision-making processes regarding whether to permit or block applications based on set policies. Prior to this, Gatekeeper’s decision-making was closed off to third-party access, much like TCC was before the macOS 15.4 beta.

While it’s encouraging that Apple has finally included a TCC event in Endpoint Security, as Wardle highlights, it’s quite nuanced. It may not capture every relevant detail, might function inconsistently at times, and in its current state doesn’t offer substantial visibility. However, it’s noteworthy that this feature was introduced in the macOS 15.4 beta, which will be publicly released next month. We can anticipate that Apple will address many of these concerns by that time.

I highly suggest reading his blog post on Objective-See for further technical insights.

Follow Arin: Twitter/X, LinkedIn, Threads