Reading TCC logs in macOS

In macOS Mojave, a one-line log command can be used to log user consent events and show what is happening when a process requests access to control another app or to access data (credit to @bp on the macadmins Slack for the command, and for the idea of using the phrase "user consent" in relation to these changes).

Run this command, then execute the script or launch the app that you need to test.

log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'

Example using osascript

Example log output using osascript -e 'tell app "System Events" to display dialog "Hello World"' to trigger a dialog.

[testuser@blackbird]:Desktop # log stream --debug --predicate 'subsystem == "com.apple.TCC" AND eventMessage BEGINSWITH "AttributionChain"'
Filtering the log data using "subsystem == "com.apple.TCC" AND composedMessage BEGINSWITH "AttributionChain""
Timestamp Thread Type Activity PID TTL
2018-09-05 11:33:16.474912+1000 0x6c79 Info 0x763b 234 0 tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.systemevents, PID[2348], auid: 501, euid: 501, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}, REQ:{ID: com.apple.WindowServer, PID[219], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2018-09-05 11:33:16.481370+1000 0x6c79 Info 0x763c 234 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[219], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2018-09-05 11:33:16.493752+1000 0x6bf6 Info 0x0 234 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[68], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2018-09-05 11:33:16.494363+1000 0x6bf6 Info 0x0 234 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[68], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

Breaking it down

In the log output above, there are several significant keywords to help identify what is going on when the prompt is triggered.

| Keyword | Definition | Description |
| --- | --- | --- |
| ACC | Access/Accessing | Details the application or script that is attempting to access or control macOS that requires user consent. |
| RESP | Responsible | The application or script that is responsible for the application or script that is attempting to access or control macOS. |
| REQ | Request/Requesting | Action that is being requested. |
| ID | Identifier | The identifier of the application or script. |
| PID | Process ID | The process identifier. |
| AUID | Actual User ID | The real user identifier. |
| EUID | Effective User ID | The effective user identifier. This will be different to the AUID if a script has been run as a different user. |
| binary path | Path of binary | The full path to the binary or script. |

In this example, what appears to happen when the osascript command is executed is that System Events requests access to Window Server in order to display a dialog. If there is no existing Privacy Preference to allow this, a user consent dialog is presented to the user.

User consent dialog presented after an osascript command has been executed from Terminal.

Stepping through the logs, the first entry accounts for System Events requesting access to Window Server.

2018-09-05 11:33:16.474912+1000 0x6c79     Info        0x763b               234    0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.systemevents, PID[2348], auid: 501, euid: 501, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}, REQ:{ID: com.apple.WindowServer, PID[219], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}

The next entry details the application or script that is relevant to what needs to be whitelisted.

2018-09-05 11:33:16.481370+1000 0x6c79     Info        0x763c               234    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[219], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}

In this log entry, the responsible application is the Terminal app; its path is captured in binary path. The application, binary or script doing the accessing is osascript, whose path is again captured in binary path. Lastly, the request is going to Window Server, whose path is, unsurprisingly, also found in binary path.

The Window Server log entries are not of key importance in this particular scenario. Rather, the first log entry, where we see System Events attempting to access Window Server, is important, coupled with the details in the subsequent entries relating to the Terminal application.
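An added example, not part of the original post: a small Python parser that splits AttributionChain entries into their RESP, ACC and REQ blocks and lists the unique path combinations, using the four osascript entries shown earlier as input. The function names and the trimming of binary paths to their .app bundle are choices made for this example; where an entry has no RESP block, the responsible slot is reported as None.

```python
import re

# Sample input: the four osascript entries copied from the log output on this page.
SAMPLE = [
    "2018-09-05 11:33:16.474912+1000 0x6c79 Info 0x763b 234 0 tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.systemevents, PID[2348], auid: 501, euid: 501, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}, REQ:{ID: com.apple.WindowServer, PID[219], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}",
    "2018-09-05 11:33:16.481370+1000 0x6c79 Info 0x763c 234 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[219], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}",
    "2018-09-05 11:33:16.493752+1000 0x6bf6 Info 0x0 234 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[68], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}",
    "2018-09-05 11:33:16.494363+1000 0x6bf6 Info 0x0 234 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[2307], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[2347], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[68], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}",
]
# Quote-aware, so a '}' inside a quoted path does not end a block early.
ROLE_RE = re.compile(r"\b(RESP|ACC|REQ):\{((?:'[^']*'|[^'}])*)\}")
FIELD_RE = re.compile(r"\b(ID|auid|euid|responsible path|binary path): (?:'([^']*)'|([^,]+))")
PID_RE = re.compile(r"\bPID\[(\d+)\]")
BUNDLE_RE = re.compile(r"^(.*\.app)/Contents/MacOS/[^/]+$")

def parse_chain(line):
    """Return {role: {field: value}} for one AttributionChain entry, else None."""
    _, found, chain = line.partition("AttributionChain: ")
    roles = {}
    for role, body in ROLE_RE.findall(chain if found else ""):
        fields = {k: quoted or bare.strip() for k, quoted, bare in FIELD_RE.findall(body)}
        pid = PID_RE.search(body)
        if pid:
            fields["PID"] = pid.group(1)
        roles[role] = fields
    return roles or None

def bundle_path(path):
    """Reduce Name.app/Contents/MacOS/Name to the .app bundle; leave other paths alone."""
    match = BUNDLE_RE.match(path)
    return match.group(1) if match else path

def uid_mismatches(chain):
    """Roles whose euid differs from auid (the process ran as a different user)."""
    return [role for role, f in chain.items() if f.get("auid") != f.get("euid")]

def summarise(lines):
    """Unique (responsible, accessing, requested) paths in first-seen order."""
    rows = []
    for chain in filter(None, map(parse_chain, lines)):
        row = tuple(bundle_path(chain[r].get("binary path", "")) if r in chain else None
                    for r in ("RESP", "ACC", "REQ"))
        if row not in rows:
            rows.append(row)
    return rows

if __name__ == "__main__":
    for resp, acc, req in summarise(SAMPLE):
        print(f"responsible={resp}\n  accessing={acc}\n  requested={req}")
```

Saved output from the log stream command can be fed to summarise() line by line; the repeated appleeventsd entry collapses into a single row.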

Note: In the case of scripts that are not code signed and are being launched/run by a Launch Agent/Daemon, the script itself cannot be whitelisted; the path of the shell or interpreter must be used instead. My previous post covers this in a little more detail.

Applying log info to a profile payload

In practice, the user consent dialog should provide enough insight into which applications need to be used when creating an AppleEvents Privacy Preferences Policy Control Payload (PPPCP) in a profile, or other PPPCP payload types, but using a log stream may be required.

To create an AppleEvents profile using tccprofile.py, the following would be used:

./tccprofile.py --appleevents /Applications/Utilities/Terminal.app,/System/Library/CoreServices/System\ Events.app --allow --payload-description="Whitelist Terminal to allow AppleEvents sent from commands run in Terminal" --payload-identifier="com.github.carlashley" --payload-name="Terminal App AppleEvents Whitelist" --payload-org="My Great Company" --payload-version=1 -o Terminal_AppleEvents.mobileconfig

Post user consent approval

Here’s the log event relating to the user approving control/access. Timestamps are different as this was captured in later tests.

2018-09-06 12:09:45.749330+1000 0x6002     Info        0x8392               245    0    tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.fseventsd, PID[65], auid: 501, euid: 501, binary path: '/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd'}, REQ:{ID: com.apple.sandboxd, PID[116], auid: 0, euid: 0, binary path: '/usr/libexec/sandboxd'}

Here’s the log event relating to the osascript being executed after consent is approved.

2018-09-06 12:10:36.165892+1000 0x63d4     Info        0x810e               245    0    tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[975], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[1121], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.WindowServer, PID[214], auid: 88, euid: 88, binary path: '/System/Library/PrivateFrameworks/SkyLight.framework/Versions/A/Resources/WindowServer'}
2018-09-06 12:10:36.179368+1000 0x6230 Info 0x0 245 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[975], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[1121], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[70], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2018-09-06 12:10:36.179915+1000 0x6230 Info 0x0 245 0 tccd: [com.apple.TCC:access] AttributionChain: RESP:{ID: com.apple.Terminal, PID[975], auid: 501, euid: 501, responsible path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal', binary path: '/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal'}, ACC:{ID: com.apple.osascript, PID[1121], auid: 501, euid: 501, binary path: '/usr/bin/osascript'}, REQ:{ID: com.apple.appleeventsd, PID[70], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}
2018-09-06 12:10:36.200470+1000 0x63c6 Info 0x85b2 294 0 tccd: [com.apple.TCC:access] AttributionChain: ACC:{ID: com.apple.systemevents, PID[1111], auid: 501, euid: 501, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}, REQ:{ID: com.apple.systemevents, PID[1111], auid: 501, euid: 501, binary path: '/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events'}

Errors/Corrections

Given this is based on observations of the log stream, and not any official documentation, any corrections to errors, etc., can be directed to @carl on the macadmins Slack.

Details are current as at time of posting.