tccutil.py
Modify macOS' TCC.db from the command line
Apple has a utility in /usr/bin named tccutil, but it only supports one command, which is to reset the entire database. It has been like this for many versions of macOS. I wanted a command-line utility that would be able to add, remove, list, and take other actions.
This tool needs SIP disabled in order to function. The risk of doing so is up to you.
Discussions on this topic can be found here: #44
-
tccutil.pycan be installed without any additional software. -
it has an easy to use syntax
-
it supports both system wide and user scope TCC manipulation
-
it wraps the native
/usr/bin/tccutiltool -
there are other solutions out there, but there were some things I did not like about them:
-
Privacy Manager Services has other dependencies that need to be installed (it has also gone over five years without any updates)
-
tccmanager.py uses a
.plistto add items, which is inconvenient.
-
-
these are also some other projects I found that do similar things
-
go-tccutil I actually only recently found this
-
Install using Homebrew.
brew install tccutil
Depending how you have your $PATH variable setup, you can simply type tccutil (instead of the full path) and it will run this utility instead of Apple's.
Clone this repo and manually copy tccutil.py to /usr/local/bin or run from any directory with python /path/to/tccutil.py.
This utility needs super-user priveleges for most operations. It is important that you either run this as root or use sudo, otherwise it won't work and you will end up with “permission denied” errors.
usage: tccutil.py [-h] [--service SERVICE] [--list] [--digest] [--insert INSERT] [-v]
[-r REMOVE] [-e ENABLE] [-d DISABLE] [--user [USER]] [--version]
[ACTION]
Modify Accesibility Preferences
positional arguments:
ACTION This option is only used to perform a reset, using "/usr/bin/tccutil". See
`man tccutil` for additional syntax
optional arguments:
-h, --help show this help message and exit
--service SERVICE, -s SERVICE
Set TCC service
--list, -l List all entries in the accessibility database
--digest Print the digest hash of the accessibility database
--insert INSERT, -i INSERT
Adds the given bundle ID or path to the accessibility database
-v, --verbose Outputs additional info for some commands
-r REMOVE, --remove REMOVE
Removes a given Bundle ID or Path from the Accessibility Database
-e ENABLE, --enable ENABLE
Enables Accessibility Access for the given Bundle ID or Path
-d DISABLE, --disable DISABLE
Disables Accessibility Access for the given Bundle ID or Path
--user [USER], -u [USER]
Modify accessibility database for a given user (defaults to current,
if no additional parameter is provided)
--version Show the version of this script
List existing Entries in the Accessibility Database
sudo tccutil.py --listList existing Entries in the Accessibility Database specific to the current user
sudo tccutil.py --list -uAdd /usr/bin/osascript to the Accessibility Database (using UNIX-Style Option)
sudo tccutil.py -i /usr/bin/osascriptAdd /usr/bin/osascript to the Accessibility Database specific to user 'myuser' (using UNIX-Style Option)
sudo tccutil.py -i /usr/bin/osascript -u myuserAdd Script Editor to the Accessibility Database (using Long Option)
sudo tccutil.py --insert com.apple.ScriptEditor2Remove Terminal from the Accessibility Database
sudo tccutil.py --remove com.apple.TerminalEnable Terminal (must already exist in the Database)
sudo tccutil.py --enable com.apple.TerminalDisable /usr/bin/osascript (must already exist in the Database)
sudo tccutil.py -d /usr/bin/osascriptReset system wide accessibility database
sudo tccutil.py reset ALLMany people have contributed already, so feel free to make a PR and we'll get it merged in.