Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

B S Magnet

macrumors 603
Original poster
Earlier this year, I upgraded a MacBookPro8,1 (a late 2011 13-inch MBP) from High Sierra to a dosdude1-patched Mojave.

From (I believe) Mountain Lion forward, Apple updated how other applications have access to key hardware components and software elements, via the new Security & Privacy prefPane.

Typically, when launching an application for the first time which needs a granting of permissions for OS and/or hardware access, the system prompts a modal box to ask the user whether they want to add permissions in Security & Privacy’s Privacy tab for the components or hardware that application needs in order to run.

More recent software (i.e., software aware of this security prompt written during or after Mountain Lion’s release) tends to be good at getting the system to prompt the user on whether to grant specific permissions. On older software, such as 32-bit Apple applications, this doesn’t happen.

For example, to use the iSight camera in QuickTime 7/Pro, the system isn‘t prompted by the application to then prompt the user to grant permissions to use the camera and microphone (for QuickTime Player.app, formerly QuickTime X Player, the prompt does happen).

What Security & Privacy relies on to check whether an application is granted specific permissions is a sqlite database located on one’s account directory, called TCC (TCC.db).

What I had to learn earlier this year and, again, this week, was how to update that database to grant QuickTime 7 access to both camera and microphone. That I had to do this twice, re-learning the second time, is why I’m making this post.

Fortunately, there are a couple of good resources online. Shy of remembering the name of that database or the page titles, it took some time for me to find them in my bookmarks to facilitate adding to the database on the Mojave build I set up last week.

Without rehashing what one must do in order to make changes, these two citation references do a better job with it.

Modifying the TCC database does a good job describing how the process works. How to modify TCC on macOS via command line is how I set out to add QuickTime 7 to the database. It’s worth one’s while to read through those sites carefully.

In my case, this summarizes what I did, in order, to give QuickTime Player 7 that hardware access. (You need to have SIP disabled and must execute this as su/root.):

Code:
sh-3.2# codesign -dr - /Applications/Utilities/QuickTime\ Player\ 7.app/ | awk -F \" '{print $2}'

The system responds:

Code:
Executable=/Applications/Utilities/QuickTime Player 7.app/Contents/MacOS/QuickTime Player 7
libstdc++.6.0.9.dylib
com.apple.quicktimeplayer

This info provides the prefs file name for QuickTime Player 7 (com.apple.quicktimeplayer). This comes in useful in a moment.

Next, to find the unique identity string for QuickTime Player 7:

Code:
sh-3.2# codesign -dr - /Applications/Utilities/QuickTime\ Player\ 7.app  2>&1 | awk -F ' => ' '/designated/{print $2}' | csreq -r- -b /tmp/csreq.bin
sh-3.2# echo "'$(xxd -p /tmp/csreq.bin  | tr -d '\n')'"

The response is:

Code:
'fade0c000000003800000001000000060000000200000019636f6d2e6170706c652e717569636b74696d65706c6179657200000000000003'

With these, it’s then possible to add in permissions for QuickTime Player 7 on the TCC.db using some built-in command-line sqlite3. (Note: the last digit string in the following is the current UNIX epoch time.) One line is for camera access; the other is for microphone access. The only change between the two lines are the "kTCCServiceCamera" and "kTCCServiceMicrophone" variable.

Code:
sh-3.2# sqlite3 /Users/BSMagnet/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceCamera','com.apple.quicktimeplayer',0,1,1,X'fade0c000000003800000001000000060000000200000019636f6d2e6170706c652e717569636b74696d65706c6179657200000000000003',NULL,NULL,'UNUSED',NULL,0,1725504769)"
sh-3.2# sqlite3 /Users/BSMagnet/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceMicrophone','com.apple.quicktimeplayer',0,1,1,X'fade0c000000003800000001000000060000000200000019636f6d2e6170706c652e717569636b74696d65706c6179657200000000000003',NULL,NULL,'UNUSED',NULL,0,1725505223)"

To verify whether those entries were accepted correctly in the database, hop briefly into sqlite:

Code:
sh-3.2# sqlite3 /Users/BSMagnet/Library/Application\ Support/com.apple.TCC/TCC.db
SQL:
SQLite version 3.24.0 2018-06-04 14:10:15
Enter ".help" for usage hints.

The following should list everything contained in TCC.db, under "access". I’ll paste what’s in my fresh Mojave install from last week.

Once the sqlite3 prompt is shown, type “.dump” (the command) and “access” (the field whose data needs to be seen:

SQL:
sqlite> .dump access


The response to the dumping of all entries in the “access” field:

SQL:
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE access (    service        TEXT        NOT NULL,     client         TEXT        NOT NULL,     client_type    INTEGER     NOT NULL,     allowed        INTEGER     NOT NULL,     prompt_count   INTEGER     NOT NULL,     csreq          BLOB,     policy_id      INTEGER,     indirect_object_identifier_type    INTEGER,     indirect_object_identifier         TEXT,     indirect_object_code_identity      BLOB,     flags          INTEGER,     last_modified  INTEGER     NOT NULL DEFAULT (CAST(strftime('%s','now') AS INTEGER)),     PRIMARY KEY (service, client, client_type, indirect_object_identifier),    FOREIGN KEY (policy_id) REFERENCES policies(id) ON DELETE CASCADE ON UPDATE CASCADE);
INSERT INTO access VALUES('kTCCServiceUbiquity','com.apple.weather',0,1,1,X'fade0c000000003000000001000000060000000200000011636f6d2e6170706c652e7765617468657200000000000003',NULL,NULL,'UNUSED',NULL,0,1724230964);
INSERT INTO access VALUES('kTCCServiceUbiquity','com.apple.CloudDocs.MobileDocumentsFileProvider',0,1,1,X'fade0c000000004c0000000100000006000000020000002f636f6d2e6170706c652e436c6f7564446f63732e4d6f62696c65446f63756d656e747346696c6550726f76696465720000000003',NULL,NULL,'UNUSED',NULL,0,1724235727);
INSERT INTO access VALUES('kTCCServiceUbiquity','com.apple.TextEdit',0,1,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465787445646974000000000003',NULL,NULL,'UNUSED',NULL,0,1724306366);
INSERT INTO access VALUES('kTCCServiceUbiquity','com.apple.Preview',0,1,1,X'fade0c000000003000000001000000060000000200000011636f6d2e6170706c652e5072657669657700000000000003',NULL,NULL,'UNUSED',NULL,0,1724536928);
INSERT INTO access VALUES('kTCCServiceUbiquity','com.apple.QuickTimePlayerX',0,1,1,X'fade0c00000000380000000100000006000000020000001a636f6d2e6170706c652e517569636b54696d65506c6179657258000000000003',NULL,NULL,'UNUSED',NULL,0,1724558615);
INSERT INTO access VALUES('kTCCServiceMicrophone','com.apple.QuickTimePlayerX',0,1,1,X'fade0c00000000380000000100000006000000020000001a636f6d2e6170706c652e517569636b54696d65506c6179657258000000000003',NULL,NULL,'UNUSED',NULL,NULL,1724558714);
INSERT INTO access VALUES('kTCCServiceCamera','com.apple.QuickTimePlayerX',0,1,1,X'fade0c00000000380000000100000006000000020000001a636f6d2e6170706c652e517569636b54696d65506c6179657258000000000003',NULL,NULL,'UNUSED',NULL,NULL,1724558718);
INSERT INTO access VALUES('kTCCServiceCamera','com.apple.quicktimeplayer',0,1,1,X'fade0c000000003800000001000000060000000200000019636f6d2e6170706c652e717569636b74696d65706c6179657200000000000003',NULL,NULL,'UNUSED',NULL,0,1725504769);
INSERT INTO access VALUES('kTCCServiceMicrophone','com.apple.quicktimeplayer',0,1,1,X'fade0c000000003800000001000000060000000200000019636f6d2e6170706c652e717569636b74696d65706c6179657200000000000003',NULL,NULL,'UNUSED',NULL,0,1725505223);
COMMIT;

One can see the last two entries, the two lines added manually, are for QuickTime Player 7. From this point forward, using the iSight and built-in microphone (or even external camera and mic) should work for QT7!

Now one can Ctrl-C to escape from sqlite (or exit it gracefully, as sqlite3 intended). :)

Open Security & Privacy prefPane to verify:

1725509322149.png


I’m posting this because I’m sort of surprised there isn’t such a how-to on the EIM forum. Hopefully this helps at least one person someday!
 
Last edited:

Wowfunhappy

macrumors 68000
Mar 12, 2019
1,751
2,091
From (I believe) Mountain Lion forward, Apple updated how other applications have access to key hardware components and software elements, via the new Security & Privacy prefPane.
Just a heads up—TCC began there but it wasn't relevant. For example, here is what the security and privacy pane looks like in Mavericks:

Screen Shot 2024-09-05 at 6.51.29 PM.png


So stuff like the camera, microphone, and certainly "full disk access" doesn't need to deal with TCC. I don't remember when that stuff was added but I think it's actually very recent, it may have even begun with Mojave.
 

B S Magnet

macrumors 603
Original poster
Just a heads up—TCC began there but it wasn't relevant. For example, here is what the security and privacy pane looks like in Mavericks:

View attachment 2413214

So stuff like the camera, microphone, and certainly "full disk access" doesn't need to deal with TCC. I don't remember when that stuff was added but I think it's actually very recent, it may have even begun with Mojave.

In the first link I referenced, the TCC database provided control over security permissions for third-party applications from Mountain Lion forward, even if those permissions were for “softer” areas of mostly non-hardware access (i.e., personal contacts and notes, as your screen cap portrays).

The key point is the core format of the TCC.db and its paradigmatic purpose, still used with current versions of macOS, was established with Mountain Lion, and its scope built upon and expanded to other areas. I gather this was part of a major strategic re-think on the role of OS security during the days of Lion, with long-term implications.

Because I skipped altogether the use of macOS versions between Lion and El Capitan (using Snow Leopard entirely until 2017), my first real exposure to the re-written Security prefPane happened with Sierra. High Sierra was the first time I experienced hardware permission requests, but as memory serves, was limited to third-party applications (a copy of Toast Titanium I’d used since Leopard on my old A1226 is one which comes to mind).

From Mojave, wider enforcement, particularly around privacy-oriented hardware (camera and mic), began to take hold and, consequently, excluded Apple’s own QT7, Final Cut Pro 7, Logic Pro 8, and a couple of other 32-bit applications whose versions weren’t revised to prompt the intervention and approval step to be added to TCC.db.
 
  • Like
Reactions: TheShortTimer
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.