Hey there,

I'm having trouble with a macOS app and its connected privileged helper tool. It looks like there is a problem with the new TCC - Files And Folders security layer. The console says pretty clearly:

-[TCCDAccessIdentity staticCode]: static code for: identifier /Library/PrivilegedHelperTools/com.my.HelperTool, type: 1: 0x7fdd0b61d300 at /Library/PrivilegedHelperTools/com.my.HelperTool
Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client /Library/PrivilegedHelperTools/com.my.HelperTool in background session

Resetting permissions via tccutil didn't help. The app and the helper tool are successfully codesigned and notarized (but not sandboxed).

Any tips how to satisfy TCC? Anything I can check? Any documentation besides WWDC 2019 – Advances in macOS Security?

Btw. I'm on Catalina 10.15.4

Thanks a lot,
Gary
Hello,

I am facing a problem with the blessing of a privileged helper tool. As far as I understand the tccd is taking care of this automatically when using SMJobBless( ). The console then correctly prints:

tccd: Making {ID: com.me.app, PID[1873], auid: 501, euid: 501, binary path: '/Applications/my.app/...'} responsible for Privileged Helper {ID: com.my.HelperTool, PID[1930], auid: 0, euid: 0, binary path: '/Library/PrivilegedHelperTools/com.my.HelperTool'}; PID[1873]; rv = 0

We do have more than one SMAuthorizedClients i.e. the helper tool can be installed by more than one app (the app installer and the app itself).

The problem: It looks like tccd is following the first-come-first-serve rule. When installing the app (with the helper tool), the installer is blessing the helper tool. The app itself does not correctly work directly afterwards (permission problems). One needs a reboot so that the app can bless the helper tool.

The workaround: The app installer calls the deprecated SMJobRemove( ) after installation. The app then installs the helper tool again with SMJobBless( ).

Is this really the only solution to this problem or is it possible to reset blessing or actively bless a helper tool?

Thanks,

(and sorry for the double post, but this is in my eyes worth a new thread)
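
For triage of the two symptoms described in the posts above, the following added example (not code from either poster) parses the quoted tccd console messages and reports, per helper binary, which app tccd made responsible and which TCC services were refused. The function names `triage` and `unattributed` are assumptions; the sample lines are copied from the posts, including the elided app path.

```python
import re

# Patterns follow the two tccd console messages quoted in the posts above.
RESPONSIBLE = re.compile(
    r"Making \{ID: (?P<app>[^,]+), PID\[(?P<app_pid>\d+)\].*?\} responsible for "
    r"Privileged Helper \{ID: (?P<helper>[^,]+), PID\[(?P<helper_pid>\d+)\].*?"
    r"binary path: '(?P<helper_path>[^']+)'\}.*?rv = (?P<rv>-?\d+)"
)
REFUSED = re.compile(
    r"Refusing TCCAccessRequest for service (?P<service>\S+) "
    r"from client (?P<client>\S+)(?: in (?P<session>\w+) session)?"
)

def triage(lines):
    """Map each helper path to its responsible apps and refused TCC services."""
    report = {}
    for line in lines:
        m = RESPONSIBLE.search(line)
        if m:
            entry = report.setdefault(m["helper_path"], {"responsible": [], "refused": []})
            # Keep every attribution in log order: the second post reports that
            # with several SMAuthorizedClients the first blessing client sticks.
            entry["responsible"].append((m["app"], int(m["app_pid"]), int(m["rv"])))
            continue
        m = REFUSED.search(line)
        if m:
            entry = report.setdefault(m["client"], {"responsible": [], "refused": []})
            entry["refused"].append((m["service"], m["session"]))
    return report

def unattributed(report):
    """Helpers with refusals but no responsible app in the captured log window."""
    return [h for h, e in report.items() if e["refused"] and not e["responsible"]]

# Sample lines copied from the posts; unrelated lines are ignored by triage().
SAMPLE = [
    "tccd: Making {ID: com.me.app, PID[1873], auid: 501, euid: 501, binary path: '/Applications/my.app/...'} responsible for Privileged Helper {ID: com.my.HelperTool, PID[1930], auid: 0, euid: 0, binary path: '/Library/PrivilegedHelperTools/com.my.HelperTool'}; PID[1873]; rv = 0",
    "-[TCCDAccessIdentity staticCode]: static code for: identifier /Library/PrivilegedHelperTools/com.my.HelperTool, type: 1: 0x7fdd0b61d300 at /Library/PrivilegedHelperTools/com.my.HelperTool",
    "Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client /Library/PrivilegedHelperTools/com.my.HelperTool in background session",
]

if __name__ == "__main__":
    for helper, entry in triage(SAMPLE).items():
        print(helper, entry)
```

A helper returned by `unattributed` only means no attribution message fell inside the captured log window, so collect the log from the moment the helper is blessed.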