Yes this helps as a workaround (but that's not what we want to let our customers do. Also we only need access to the downloads folder).Our helper tool has different jobs to do (e.g. installing something). I now found out that one job triggers something so that everything works afterwards. The console says:tccd: Making {ID: com.me.app, PID[1873], auid: 501, euid: 501, binary path: '/Applications/my.app/...'} responsible for Privileged Helper {ID: com.my.HelperTool, PID[1930], auid: 0, euid: 0, binary path: '/Library/PrivilegedHelperTools/com.my.HelperTool'}; PID[1873]; rv = 0I'm still wondering, which action is required to make the app responsible for the helper tool.

Ok, thanks for explanation. Our App is downloading plugin installers. The privileged helper is then running the installers (i.e. needs permission to read and execute). I've found that when the app lets the helper tool do a chmod and a chown on the installer binaries the installation process is not blocked anymore. tccd then also prints into the console that our app is responsible for the privileged helper (like in the message above). Is that a way to handle that thing or is this just a coincidence?I still see those messages: Sandbox: installd(629) System Policy: deny(1) file-read-data /Users/gary/Downloads/MyInstaller.pkgBtw. the Files&Folders privilege is not shown for the app and the privileged helper as well.Edit: Now that I have added the Privacy - Downloads Folder Usage Description to the plist of the app, the modal Downloads Access dialog appeared and the app is shown and checked in System Preferences > Security > Files & Folders.

Looks like this is still not solved but I'm getting near. I now encounter the following problem:My helper tool has more than one SMAuthorizedClients i.e. the helper tool can be installed by more than one app (the app installer and the app itself). The installation of the helper is done via SMJobBless as known from EvenBetterAuthorization example.The problem is that the first app which calls SMJobBless is "responsible" for the helper tool, the other app is not working correctly until a restart or a manual launchctl unload / load cycle.Now my question: How do I enforce to "bless" the helper tool or make my app responsible without reinstalling the helper tool? Or is it possible to just install the helper tool and let the blessing be done later?