macOS 15.4: A Major Leap in Real-Time TCC Security Monitoring

Security Enhancement in macOS 15.4: TCC Events Added to Endpoint Security

Apple has introduced a new feature in macOS 15.4 that adds TCC (Transparency, Consent, and Control) events to the Endpoint Security framework. This move responds to long-standing requests from security developers and researchers who have advocated for real-time monitoring of permission prompts.

What is TCC?

TCC is a critical subsystem across Apple devices that manages user permissions for apps accessing sensitive data or hardware, such as microphones and cameras. Its primary goal is to provide transparency to users about how their data is used by applications. However, it can also be exploited by malware authors who trick users into granting unnecessary permissions.

New Feature in macOS 15.4

In the latest beta of macOS 15.4, Apple has added an ES_EVENT_TYPE_NOTIFY_TCC_MODIFY identifier to the Endpoint Security framework. This feature notifies security tools when a TCC prompt is triggered, allowing them to monitor permission requests in real time and link these requests to specific applications.

Benefits for Security Tools

• Real-time Monitoring: Security tools can now observe TCC events as they happen, enhancing their ability to detect and respond to malicious activities promptly.
• User Protection: By identifying and possibly overriding risky user decisions, security tools can better protect users from malware that exploits TCC prompts.

Current Limitations

While the addition of TCC events is a significant step forward, it currently has some limitations:

• Inconsistent Behavior: The feature may not capture all necessary details or behave consistently in its current state.
• Beta Phase: As this feature was introduced in a beta version, improvements are expected before the final release next month.

Historical Context

Previously, security tools had to rely on log scraping to detect malicious TCC events, which often occurred after damage was already done. Similarly, Apple added Gatekeeper events to the Endpoint Security framework in macOS 13 Ventura, providing third-party security tools with greater visibility into application management decisions.

Conclusion

The addition of TCC events to the Endpoint Security framework is a positive development for macOS security. While there are current limitations, this feature holds promise for enhancing real-time protection and user safety.