macOS: List apps authorized for full disk access
Is there a Terminal command to view a list of all macOS that are authorized and unauthorized but have asked for Full Access?
I am looking for the list that is displayed under System Preferences → Security & Privacy → Privacy → Full Disk Access, but via command-line.
Solution 1:
The sqlite queries mentioned DO work, e.g.:
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'
The trick, however, is that you need full-disk access to access that SQLite database, so depending on where you're trying to do this, it's a chicken-and-egg problem. For just testing purposes, you can give your terminal full-disk access, then you'll be able to run the command.
Solution 2:
Apps that have requested and been granted Security > Privacy permissions can be read via:
sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access'
However, this does not specify which permissions were granted.
There's also:
defaults read ~/Library/Preferences/com.apple.universalaccessAuthWarning.plist
..but this will only indicate whether a given app was approved or denied.
Taccy is a small utility that will list which permissions an app will request, even if it has not been launched yet:
https://eclecticlight.co/taccy-signet-precize-alifix-utiutility-alisma/
Solution 3:
Building on @d4's answer, the sqlite DB does have the answer for which permission is granted. The service
column will be kTCCServiceSystemPolicyAllFiles
for Full Disk Access.
So the query:
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db \
'select client from access where auth_value and service = "kTCCServiceSystemPolicyAllFiles"'
will list out the apps and binaries that are allowed Full Disk Access, i.e.:
/usr/libexec/atrun
/usr/sbin/sshd
com.googlecode.iterm2
(Updated answer based on @Motti Shneor answers, thanks! On their answer they note that auth_value is an int and not a bool, but the WHERE
filter still works.)
If you're interested, you can invert the query to ... where NOT auth_value and service = ...
and it will list the apps that are unchecked in the policy dialog.
On older versions of macOS (before 11.6) the auth_value
column was named allowed
so you might need to adjust the query.
If you get the error Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": authorization denied
and any other file operations on the TCC.db
file all fail, your terminal app itself is missing the full disk access permission required to read the DB file. i.e. I can't run the command from vscode but it works from iTerm because that's how my permissions are set up. That's addressed in rdamazio's answer.