NOTE (possibly not needed)
Give “Installer” full disk access
/System/Library/CoreServices/Installer.app
Give installer permissions
sudo security authorizationdb write system.install.apple-software allow
sudo security authorizationdb write system.install.software allow
sudo security authorizationdb write system.install.pkg allow
To undo:
sudo security authorizationdb remove system.install.apple-software
sudo security authorizationdb remove system.install.software
sudo security authorizationdb remove system.install.pkg
Resetting it all
1. Run script below
2. Afterwards, boot into Recovery Mode and delete two files:
rm /Volumes/Macintosh\ HD/Library/Application\ Support/com.apple.TCC/TCC.db
rm /Volumes/Macintosh\ HD/var/db/auth.db
While in Recovery Mode, golden opportunity to disable SIP:
csrutil disable
Why?
- Writes csr-active-config to NVRAM so the kernel boots without SIP.
- Removes kernel enforcement that blocks writes to protected paths (/System, /usr, /bin, /sbin, Apple /Applications).
- Allows loading unsigned/tampered kernel extensions and modifies code-signing checks (AMFI becomes permissive).
- Lets debuggers attach to any process (task_for_pid usable) and enables kernel debugging/patching.
- Makes system daemons, launch agents, and protected configs editable; system volume can be remounted writable.
Master reset script
#!/bin/bash
# macOS Security Reset Script for macOS "Sequoia"
# **Run this script as root (sudo) for it to work properly**
# 1. Reset all Privacy permissions (TCC database) for all apps.
# This clears camera, microphone, etc. permissions (they will be re-asked on next use).
# Uses Apple's tccutil tool to reset the Transparency, Consent, and Control (TCC) database.
echo "Resetting all TCC privacy permissions..."
/usr/bin/tccutil reset All
# (Note: This may take a minute to propagate changes to the user TCC database)
# 2. Re-enable Gatekeeper (app download security) and restore its default settings.
# - Ensure Gatekeeper's app verification is enabled (spctl --master-enable).
# - Remove any setting that prevented Gatekeeper from auto-reenabling itself (GKAutoRearm).
# - Re-enable file quarantine prompts if they were disabled.
echo "Re-enabling Gatekeeper and restoring quarantine settings..."
/usr/sbin/spctl --master-enable # Enable Gatekeeper (allow only trusted software)
/usr/bin/defaults delete /Library/Preferences/com.apple.security GKAutoRearm 2>/dev/null
# ^ Removes the Gatekeeper auto-rearm override (if it was set to prevent Gatekeeper from re-enabling)
/usr/bin/defaults delete /Library/Preferences/com.apple.LaunchServices LSQuarantine 2>/dev/null
# ^ Ensure global file quarantine warnings are at default (enabled)
# If the above was disabled per user, reset in each user's domain:
for USER_DIR in /Users/*/; do
    PREF_FILE="$USER_DIR/Library/Preferences/com.apple.LaunchServices.plist"
    if [ -e "$PREF_FILE" ]; then
        /usr/bin/defaults delete "$PREF_FILE" LSQuarantine 2>/dev/null
    fi
done
# (The LSQuarantine key controls the "Downloaded from Internet" warning; deleting it reverts to default=on)
# 3. Reset Application Firewall to default.
# Default = OFF with no custom app rules (macOS firewall is off by default).
echo "Resetting the Application Firewall to defaults (turning it off and clearing rules)..."
# Turn off firewall (if on) using official socketfilterfw tool:
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate off
# Remove custom firewall configuration:
if [ -e "/Library/Preferences/com.apple.alf.plist" ]; then
    mv /Library/Preferences/com.apple.alf.plist /Library/Preferences/com.apple.alf.plist.backup 2>/dev/null
fi
# (The plist is moved to .backup; macOS will recreate a fresh config with defaults on next boot if needed)
# 4. Remove any custom LaunchDaemons/Agents that persistently disable security features.
# This checks for launch daemons/agents containing keywords like "spctl", "Gatekeeper", "csrutil", etc., and moves them.
echo "Removing custom LaunchDaemons or LaunchAgents that disable security settings (if any)..."
mkdir -p /Users/Shared/SecurityDaemonsBackup
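# grep needs -r to search inside the directories; without it nothing is ever matched.
# Reading the results line by line keeps file names containing spaces intact.
while IFS= read -r daemon; do
    base=$(basename "$daemon")
    # Leave Apple's own jobs alone; only third-party/custom plists are moved.
    if [[ "$base" != com.apple.* ]]; then
        echo " - Found custom security override: $base. Moving it to /Users/Shared/SecurityDaemonsBackup/"
        mv "$daemon" "/Users/Shared/SecurityDaemonsBackup/$base"
    fi
done < <(grep -rEIl "spctl|LSQuarantine|Gatekeeper|csrutil|auth\.db|socketfilterfw|GKAutoRearm|tccutil" /Library/LaunchDaemons /Library/LaunchAgents 2>/dev/null)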
# (Any LaunchDaemon/Agent found to be explicitly disabling Gatekeeper, SIP, TCC, firewall, etc., is moved out of /Library, disabling it on next boot.)
# 5. Inform user about next steps (Recovery Mode tasks for SIP and Auth DB resets).
echo "Initial security settings reset complete. Next, reboot to Recovery Mode to finalize resets (SIP and auth database)..."
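
Checking the result (added example)
Added example, not part of the original notes: a read-only check of what the steps above change (SIP, Gatekeeper, and the three system.install.* rights). The classifier functions take command output as text; the two sample plists are constructed, and the stored form of "write <right> allow" as a rule array holding "allow" is an assumption.

```bash
#!/bin/bash
# Read-only audit of the settings these notes change. Each classifier takes
# command output as text, so it can be exercised without touching the system.

sip_state() {          # input: output of `csrutil status`
  case "$1" in
    *"status: enabled"*)  echo enabled ;;
    *"status: disabled"*) echo disabled ;;
    *)                    echo unknown ;;   # e.g. a custom configuration
  esac
}

gatekeeper_state() {   # input: output of `spctl --status`
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;
    *)                        echo unknown ;;
  esac
}

# True when an authorizationdb plist carries the single rule "allow".
# Assumption: `write <right> allow` is stored as a rule array holding "allow".
right_is_open() {
  printf '%s' "$1" | tr -d ' \t\n' |
    grep -qF '<key>rule</key><array><string>allow</string></array>'
}

# Constructed sample plists (trimmed), not captured from a real system.
SAMPLE_OPEN='<dict><key>rule</key>
  <array>
    <string>allow</string>
  </array></dict>'
SAMPLE_CLOSED='<dict><key>rule</key><array><string>authenticate-admin</string></array></dict>'

audit() {
  echo "SIP:        $(sip_state "$(csrutil status 2>&1)")"
  echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
  for r in system.install.apple-software system.install.software system.install.pkg; do
    if right_is_open "$(security authorizationdb read "$r" 2>/dev/null)"; then
      state="allow (always granted)"
    else
      state="not allow"
    fi
    echo "$r: $state"
  done
}

# Query the live system only on macOS; elsewhere just define the functions.
if [ "$(uname -s)" = "Darwin" ]; then audit; fi
```

Run it before and after the reset to confirm that the three install rights no longer report allow and that SIP and Gatekeeper are in the state you expect.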