TCC: A Quick Primer

What is TCC?

With Mojave being released today, you may have been hearing some buzz about the new Privacy Preferences Policy Control payload. If you’re wondering how this might affect you, hopefully this post will be a good start.

As part of macOS Mojave (10.14), Apple is introducing new controls that allow and restrict cross-application data requests (e.g. Contacts, Calendar, and Photos). This functionality is referred to by Apple as “Transparency, Consent, and Control” (TCC), Access Control, and Privacy Preferences Policy Control (PPPC).

This expanded security framework was first introduced back at WWDC ’16 for iOS devices, and the security model has now been brought to macOS in the upcoming macOS Mojave release. To help IT teams administer these permissions, Apple also provided a new payload profile.

Similar to kernel extension whitelisting, the TCC Configuration Profile must be delivered using a User Approved MDM (UAMDM) in a device profile.

Why is it important?

Once a device is upgraded to macOS Mojave, apps will require user approval in order to access specific application data. If access is not granted — either by the user or by IT via Configuration Profile — features in the application may fail, and in some cases may fail silently with no user-facing alert.

How does this affect you as an admin?

Knowledge is power here! Check with your MDM provider to see how to manage these new Privacy Preferences Control Payloads. You may be required to generate new Privacy Preferences Policy Control Configuration Profiles to distribute to your fleet* in order to guarantee a smooth upgrade.

You may need to distribute a Configuration Profile for an app if it requests access to one of the following components:

• Address Book
• Calendar
• Reminders
• Photos
• Camera*
• Microphone*
• Accessibility
• PostEvent
• SystemPolicyAllFiles
• SystemPolicySysAdminFiles
• AppleEvents

*Camera and Microphone access can only be denied via the Payload Profile. They cannot be allowed/whitelisted.

Check out Apple’s documentation on how to construct the payload here.

Some important notes on TCC profiles that we found:

• Timing matters! Be sure to distribute the profiles only after upgrading to Mojave. Unfortunately, preemptively distributing the profiles while your fleet is still on High Sierra will not work, as they will NOT be recognized by Mojave after the upgrade. The settings are applied at installation time of the profile; the profile is not actively managed. If the profile is installed prior to the upgrade, they will need to be reinstalled to take effect.
• Profiles added via MDM only show up in the Profiles Preferences pane, and won’t appear in the Privacy Preference pane. Don’t be alarmed that your whitelisted apps don’t show up in the Privacy Preference pane! They are still being enforced.
• Added TCC profiles will override its respective configuration in the Privacy Preference pane. Even after the TCC profile is installed, the Privacy Preference pane will still be enabled. This means that it will appear that users have the ability to Allow and Deny permissions for apps, but the TCC profile will always be enforced. For those specific whitelisted apps, the Privacy Preference pane becomes a light switch that isn’t connected to anything. Confusing? Definitely.
• The apps themselves typically have no “knowledge” of TCC profile exceptions. This may result in some confusing user experiences, where the app thinks certain features are enabled, despite components being denied, or vice versa. There are typically very few remediation clues to take from within an app itself when the app is not granted access to a necessary component.

How does this affect Fleetsmith?

Upon release of macOS Mojave, apps in the Fleetsmith Catalog will be updated to include the Privacy Policy Payload automatically as part of their 1-click deployment! This means you won’t have to worry about hand-crafting a TCC Configuration Profile for apps in the Fleetsmith Catalog, or timing the delivery of the payload with staggered Mojave updates across your fleet. Fleetsmith will only whitelist components that necessary for core functionality of a given app. Each app’s page in the catalog will be updated to list any whitelisted components.

Be sure to let us know if you have any questions about this, or if there are additional permissions you’d like to see whitelisted for a given app in the catalog!

Why did you make TCC whitelisting automatic?

We built automatic TCC whitelisting for the same reason we built automatic kernel extension whitelisting. If you’ve chosen to manage a given app via Fleetsmith, we want it to require as little work on your end as possible. If you make the decision that you want to deploy a given app to your devices (and have Fleetsmith keep it updated automatically), then that’s enough information for us to make sure it just works without additional manual technical work from you or your team.

For security reasons, we don’t add anything to the TCC whitelist except for the apps you’ve chosen to manage. This results in the best possible product experience while not sacrificing security, since the only apps that get whitelisted are those that have been explicitly chosen to be managed by the IT team. If you find yourself needing custom TCC profiles delivered, drop us a line!

Other Resources

We’ve found these resources to be incredibly useful, and we hope you do too.

• Apple reference doc: https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf
• https://derflounder.wordpress.com/2018/08/31/creating-privacy-preferences-policy-control-profiles-for-macos/
• Handy TCC Utility Tool: https://github.com/carlashley/tccprofile
• https://carlashley.com/2018/09/06/reading-tcc-logs-in-macos/
• https://eclecticlight.co/2018/09/06/working-with-mojaves-privacy-protection/
• Join the conversation at MacAdmins #tcc channel, and come find us in the #fleetsmith channel as well!

Originally published at blog.fleetsmith.com on September 24, 2018.