How to reset macOS Privacy preferences when other options don’t work

It shouldn’t surprise regular readers of Mac 911 that your loyal correspondent and his family routinely experience problems with their devices and services, some of which lead to columns in this fine publication. The only time that’s shocking is when I search for a solution and discover that I’m apparently the definitive source for an answer – that doesn’t work for me.

Such is the case with resetting privacy settings that allows non-Apple macOS apps to perform certain tasks that pose a privacy risk. For example, Default Folder, Dropbox, and LaunchBar all require accessibility access for how they handle files in the Finder. Backblaze and Default Folder require full disk access to back up or search your volumes.

You can find Privacy settings in macOS Monterey and earlier System Preferences > Security and privacy > Privacywhile macOS Ventura puts them in System settings > Privacy and security under one Privacy column.

As I wrote in June 2021, the preference database for a subset of privacy settings related to app-based permissions is vulnerable and can get corrupted for no good reason. In “Restoring macOS accessibility permissions when an app won’t turn on,” I explained that I used a Terminal-based solution to reset the underlying database in no time.

What happens when this columnist tries his own advice, given by Jon Gotow, creator of Default Folder, and it fails? He emails Mr. Gotow again for more advice. Jon directed me to this excellent 2020 article by iOS developer Robin Kunde. Kunde digs into utilities and more esoteric ways to determine what’s wrong, but ends up with a way to clear the so-called TCC database (named for “Transparency”) , Consent, and Control’, apparently) that contains these preferences.

He recommends starting over with the restore, mounting the data volume (required for macOS Catalina or later), and using a Terminal command to delete a file called TCC.db found at "/Volumes/YOUR VOLUME HERE/Library/Application Support/com.apple.TCC/TCC.db".

I tried that – and my setup remained completely broken:

• Restarting didn’t help.
• Resetting the database from the terminal did not help.
• Clearing the database did not help.
• Dragging items to the accessibility or other panels did not add them.

There’s one more step you can take, I’ve discovered. It’s thankfully not technically destructive, in the sense that macOS recreates the bits you need to remove.

As with all advice on deleting files on which the system depends, make sure you have a full Time Machine backup or clone and proceed at your own risk.

Here’s how to get on with a little more grounding than Kunde’s blog:

1. Reboot into macOS Recovery. Choose on an Intel Mac  > Restart and then hold down Command-R until macOS Recovery appears. On an M-series Mac, choose  > Exit, wait for your Mac to shut down, then press and hold the power button until you see the Options gear icon appear or macOS tells you to let go. Click Options and follow the prompts to enter a password for an administrator shown.
2. Click Disk Utility in macOS Recovery.
3. Find your boot volume on the left. To elect View > Show all devices to make sure you can find it. On Mojave or older, select and mount your master boot volume if it’s not already mounted. On Catalina or later, select the data drive (a volume that ends with “- Data”) and mount it. You will be prompted for a password if you have enabled FileVault.
4. To elect Disk Utility > Quit Disk Utility.
5. Back in macOS Recovery, choose Utilities > Terminal.
6. In Terminal, resize the window to make it easier to see all the output. Type ls -l /Volumes and press Return to find the exact name of your boot volume or boot data volume.
7. To avoid accidental deletion of files, navigate down to the correct folder. Type cd "/Volumes/YOUR VOLUME NAME/Library/Application Support/com.apple.TCC/" and press Return. (The quotes are critical, as there are spaces in the directories and otherwise they won’t be processed correctly.)
8. Type ls and press Return to see what’s in the directory. It should contain two files: AdhocSignatureCache and TCC.db.
9. If correct, delete two files by typing rm AdhocSignatureCache plus Return and rm TCC.db plus return.
10. Now type cd .. and press Return to move up one level in the folder hierarchy. Type rmdir com.apple.TCC to delete that folder. (It won’t work if there’s any content left.)
11. To elect  > Restart.

This is what this looks like as a transcript for my volume Mister Electron. in steps 7 to 10 above. For successful operations except the ls command, you get no feedback; you will only get a response if something goes wrong, for example if a file cannot be deleted.

# cd “/Volumes/Mister Electron - Data/Application Support/com.apple.TCC/”
# ls
AdhocSignatureCache TCC.db
# rm AdhocSignatureCache
# rm TCC.db
# cd ..
# rmdir com.apple.TCC

After rebooting, you should be prompted by apps that need privacy permissions. When you navigate to the correct location this time, you should see a list of those apps and check a box next to each one.

Ask Mac 911

We’ve put together a list of the questions we get asked most often, along with answers and links to columns: read our super FAQs to see if your question is covered. If not, we are always looking for new problems to solve! Email yours to mac911@macworld.com, including screenshots if applicable and if you want your full name used. Not every question is answered, we don’t reply to email, and we can’t provide direct troubleshooting advice.