System slowness: How to disable or short-circuit tccd in Mojave? (slows app & subprocess startup)

There's a serious problem that's come up especially in Mojave and Apple seems to not really be interested in resolving this from my discussions with engineers in the know. It especially manifests itself when opening certain apps and subprocesses therein (two examples are python and emacs). This didn't seem to be so much of a problem initially in Mojave, but it's getting worse and it most certainly was not a problem in High Sierra.

It appears to happen due to tccd (some discussions; there are many mentions of these issues in obscure spots around) somehow generating some additional overhead that wasn't present before in previous OS releases. While Apple may consider this to be acceptable, there are many of us who are struggling with the additional time that it's adding to process spawning.

This seems to be able to be reproduced via any app that's existent under any of the sections under System Preferences → Security & Privacy → Privacy.


Solution 1:

Quick answer: You have to use configuration profiles that can only be deployed via an MDM (Mobile Device Management Software) to disable TCC and TCC prompts. Unfortunately, TCC is written strongly into Mojave's code and doesn't seem to be going away any time soon. This is a downfall for developers/engineers/users/administrators, as we are all going to have to learn how to walk with TCC. Apple's push for security is stronger than ever and has been written on the wall for Mac Admins for quite some time.

Longer Answer:

Apple is pushing for companies to move over to DEP/MDM workflows for deploying machines to their users: https://support.apple.com/en-us/HT204142

With macOS Mojave, Apple wants users to validate the use of programs gaining access to their files, hence the TCC messages of programs wanting to gain access. What does this have to do with your question, you ask? Well...

There is some hope for companies that manage their machines with DEP/MDM solutions such as JAMF (for example). Apple has pointed this out, and the annoying prompts can be disabled by using an MDM and configuration profiles here:

https://support.apple.com/en-au/HT209028

You can allow apps to access certain files used for system administration, and to allow access to application data. For example, if an app requests access to your Calendar data, you can allow or deny the request. MDM administrators can manage these requests using the Privacy Preferences Policy Control payload, as documented in the Configuration Profile Reference.

Mac admin Carl Ashley has also pointed this out in more detail here: https://carlashley.com/2018/09/28/tcc-round-up/

You will absolutely need an MDM to deploy these profiles as they cannot be deployed directly to a machine through a package, or other installation method. This will mean either a DEP to MDM enrolment workflow, or through User Approved MDM (users manually enrol their Mac into MDM).

If you try to do this with a non-managed Mac and install the config profile without an MDM, it will defeat the purpose of using both the MDM and the config profile because the config profile will prompt the user to install it in System Preferences > Profiles.

This might possibly change if Apple announces a new OS this summer with 10.15. For unknown reasons Apple also has not explicitly documented to developers the need to add the NSRemindersUsageDescription key string in the Info.plist file of their applications to prevent their applications from crashing.

It is counterintuitive for developers to revert back to Xcode 9, where this problem doesn't seem to occur, unlike in its successor Xcode 10. Hoakley also validated this when he tried to use an older version of a program he developed with an Xcode older than v10 in Mojave and it ran fine, allowing the newer version of the app to prompt the user for consent to use the computer files/programs as intended.

I then tested an older version of xattred (Hoakley's program), and discovered that, instead of crashing, it did produce the expected user consent. Once added to that list, the newer version stopped crashing, and could access all protected Calendar files without any more dialogs.

After the user consents to the application, this app in question appears under one of the lists under System Preferences > Security & Privacy > Privacy and usually under Accessibility.

On the bright side:

Trust me, all of us as Macadmins are on the same page of busting our heads on the table over TCC. I can imagine it's much worse for the normal user who likes to dabble in the administration domain. Hopefully we will see a better, sane implementation of TCC with future updates of macOS.

If you are curious about dabbling with creating profiles, and possibly have an MDM, you can try the following: https://github.com/carlashley/tccprofile

https://github.com/erikberglund/ProfileCreator

I hope this explanation is of use to you as a developer/engineer.
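
To make the Privacy Preferences Policy Control payload mentioned in this answer concrete, here is an added sketch (not code from the answer, from tccprofile or from ProfileCreator) that builds such a profile with Python's `plistlib`. The bundle ID `com.example.editor`, the `com.example` prefix and the code requirement string are constructed placeholders; the real requirement for an app comes from `codesign -dr -`.

```python
import plistlib
import uuid

PPPC_TYPE = "com.apple.TCC.configuration-profile-policy"
DENY_ONLY = {"Camera", "Microphone"}  # a profile may deny these but never grant them
# Constructed sample requirement; read the real one with `codesign -dr - /path/to/App.app`.
SAMPLE_REQ = 'identifier "com.example.editor" and anchor apple generic'

def new_uuid():
    return str(uuid.uuid4()).upper()

def pppc_entry(identifier, code_requirement, allowed=True, comment=""):
    """Build one app entry; paths are for non-bundled binaries such as interpreters."""
    if not code_requirement.strip():
        raise ValueError("CodeRequirement must not be empty")
    return {
        "Identifier": identifier,
        "IdentifierType": "path" if identifier.startswith("/") else "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
        "Comment": comment,
    }

def build_profile(org_prefix, services):
    """Return a .mobileconfig (XML plist bytes) wrapping one PPPC payload."""
    for service, entries in services.items():
        if service in DENY_ONLY and any(e["Allowed"] for e in entries):
            raise ValueError(f"{service} can only be denied by a profile")
    payload = {
        "PayloadType": PPPC_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.pppc",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Privacy Preferences Policy Control",
        "Services": services,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": f"{org_prefix}.profile",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "TCC pre-approval (example)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    entry = pppc_entry("com.example.editor", SAMPLE_REQ, comment="constructed example")
    print(build_profile("com.example", {"Calendar": [entry]}).decode())
```

The output is only the profile file; as the answer says, it still has to be delivered through MDM for the pre-approval to take effect.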