Mac OS X,  Mac Security

Reviewing TCC dialog prompts using logs on a Mac

I wrote this awhile back on using the logging facilities in macOS to review and parse logs. The log command provides a number of options to see various events on a Mac. I was recently working on an app that was automatically denying a prompt to generate entitlements and thought I’d post how to find the logs for that. First, let’s find all prompts. We’ll do that using the com.apple.TCC subsystem as a predicate. In the below command we simply pipe the output to grep for Prompting.

/usr/bin/log show -style syslog --predicate 'subsystem == "com.apple.TCC"' --info --last 12h | grep Prompting

I’d much rather use “&& contains” in syslog because I suspect it would be more efficient – but I find I prefer grep. Now that we see the output, let’s swap that Prompting in the above to deny and shorten the window for how long it takes to compile and run the app (typically less than an hour):

/usr/bin/log show -style syslog --predicate 'subsystem == "com.apple.TCC"' --info --last 1h | grep Deny

For reporting purposes, this could also be used to generate a list of apps that have a binary_path to see what software our users are allowing entitlements for:

/usr/bin/log show --predicate 'subsystem == "com.apple.TCC"' --info | grep Allow | grep binary_path