Security Update: macOS 15.4 Expands TCC Event Support with “Allow” Feature

For many years, developers and researchers focused on macOS security have been urging Apple to incorporate TCC events into the Endpoint Security (ES) framework. Implementing this would enable a direct connection between a TCC request and the specific application (or malware) that initiated it, thus potentially allowing third-party security tools to provide real-time protection for permission requests.

The exciting news? Apple is set to implement this in macOS 15.4.

The downside? The feature is still in its early stages.

In the Apple ecosystem, TCC (Transparency, Consent, and Control) plays a vital role, prompting users to grant, restrict, or deny permissions for individual apps accessing sensitive information and built-in features such as the microphone and camera. The primary aim of TCC is to keep users informed about how their data is accessed and utilized by various applications.

In theory, this serves to protect users. However, malware developers exploit the tendency of users to quickly click “Allow,” thereby deceiving them into granting unauthorized access.

Illustration of a malicious TCC prompt on macOS

Previously, recognizing a malicious TCC event was not straightforward, as security tools couldn’t monitor it in real time. They relied on log scraping to establish whether a harmful event had occurred, often well after the consequences took effect.

Patrick Wardle of Objective-See, creator of well-known Mac security tools like LuLu, observed in the latest macOS 15.4 beta that Apple has discreetly integrated TCC events into its Endpoint Security framework. Refer to the details below:

TCC event in Endpoint Security on macOS 15.4 beta 4. Image source: Patrick Wardle/Objective-See.

The newly introduced identifier, ES_EVENT_TYPE_NOTIFY_TCC_MODIFY, informs endpoint security systems that a TCC prompt has been activated. This could finally arm third-party security tools with the necessary capabilities to monitor permission prompts in real time and trace the requests back to the originating application.

“Given that a majority of macOS malware bypasses TCC through explicit user consent, having any security tool capable of detecting this — and potentially counteracting the user’s risky choice — could prove incredibly advantageous. Until now, the only (or best) option was to analyze log messages generated by the TCC subsystem,” wrote Wardle in a blog entry.

In a similar vein, Apple had earlier incorporated Gatekeeper events into the ES framework with macOS 13 Ventura. This modification gave endpoint security tools access to Gatekeeper’s decisions to allow or deny application launches based on set policies. Prior to this, Gatekeeper’s decisions were not accessible to third-party tools, much like TCC prior to the macOS 15.4 beta.

While Apple’s addition of a TCC event to Endpoint Security is commendable, Wardle highlights in his analysis that it remains a “somewhat intricate” implementation. It might not capture every essential detail, may display inconsistent behaviors, and isn’t sufficiently robust in its present state to provide useful visibility. Nonetheless, it’s crucial to acknowledge that this was just recently incorporated into the macOS 15.4 beta, slated for wider release next month. It’s anticipated that Apple will refine many aspects by that time.

I highly recommend visiting his blog at Objective-See for more technical insights.
