App not appearing in Full Disk Access list

The presenter in this WWDC session from 2019 (https://asciiwwdc.com/2019/sessions/701) states: "So, now in macOS Catalina, executables that are denied access to files due to a lack of Full Disk Access approval are now prepopulated unchecked."

I'm unable to make this work. Included is a minimal test app that tries to access a resource that would require Full Disk Access (FDA) and then opens Privacy & Security ... FDA in settings. When I run this from Xcode or manually run the app from Finder the test app does not appear in the list of apps in FDA. If I manually drag and drop the app from the build folder into the FDA window and enable it then the app is granted FDA access successfully.

To be clear I understand that even the app is automatically populated in the FDA list the user will still need to toggle the switch to enable it. But I'd like to avoid making the user hunt down the app manually add it.

Testing on macOS Sonoma 14.5. Xcode 15.4.

Link to project file: https://akiairzavu3i3x4dmaya-public.s3.amazonaws.com/FDA+test.zip

Answered by DTS Engineer in 792457022

The issue here is that you’re calling isReadableFile(atPath:), which calls access, which doesn’t trip the TCC check. You have to actually try opening the file. For example, this code:

print("will open")
do {
    let fd = try FileDescriptor.open("/Library/Application Support/com.apple.TCC/TCC.db", .readOnly)
    print("did open")
    try! fd.close()
} catch {
    print("did not open, error: \(error)")
}

prints this:

will open
did not open, error: Operation not permitted

and causes the app to show up in System Settings > Privacy & Security > Full Disk Access [1].

WARNING The above code is meant for testing purposes. It’s not intended to be used as an answer to the question of “How can I tell whether my app has the Full Disk Access privilege?” The location and format of TCC.db is an implementation detail and thus could change at any time.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Testing on macOS 14.5.

Accepted Answer

The issue here is that you’re calling isReadableFile(atPath:), which calls access, which doesn’t trip the TCC check. You have to actually try opening the file. For example, this code:

print("will open")
do {
    let fd = try FileDescriptor.open("/Library/Application Support/com.apple.TCC/TCC.db", .readOnly)
    print("did open")
    try! fd.close()
} catch {
    print("did not open, error: \(error)")
}

prints this:

will open
did not open, error: Operation not permitted

and causes the app to show up in System Settings > Privacy & Security > Full Disk Access [1].

WARNING The above code is meant for testing purposes. It’s not intended to be used as an answer to the question of “How can I tell whether my app has the Full Disk Access privilege?” The location and format of TCC.db is an implementation detail and thus could change at any time.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Testing on macOS 14.5.

Yes, that works. Thanks!

App not appearing in Full Disk Access list
 
 
Q