comment:
  The name of the requested right is matched against the keys. An exact match has priority, otherwise the longest match from the start is used. Note that the right will only match wildcard rules (ending in a ".") during this reduction.

  allow rule: this is always allowed
      <key>com.apple.TestApp.benign</key>
      <string>allow</string>

  deny rule: this is always denied
      <key>com.apple.TestApp.dangerous</key>
      <string>deny</string>

  user rule: successful authentication as a user in the specified group(5) allows the associated right. The shared property specifies whether a credential generated on success is shared with other apps (i.e., those in the same "session"). This property defaults to false if not specified. The timeout property specifies the maximum age of a (cached/shared) credential accepted for this rule. The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.

  See remaining rules for examples.

rights:

  ""
    class: rule
    comment: Matches otherwise unmatched rights (i.e., is a default).
    rule: default

  com.apple.
    rule: default

  com.apple.AOSNotification.FindMyMac.modify
    allow-root
    class: rule
    k-of-n: 1
    rule: is-root is-admin default

  com.apple.AOSNotification.FindMyMac.remove
    allow-root
    authenticate-user
    class: rule
    k-of-n: 1
    rule: is-root is-admin default
    shared
    version: 1

  com.apple.DiskManagement.
    class: rule
    comment: Used by diskmanagementd to allow access to its privileged functions
    k-of-n: 1
    rule: is-root is-admin on-console default

  com.apple.DiskManagement.internal.
    class: rule
    comment: Used by diskmanagementd to allow access to its privileged functions
    k-of-n: 1
    rule: is-root is-admin default

  com.apple.DiskManagement.reserveKEK
    allow-root
    class: user
    comment: Used by diskmanagementd to allow use of the reserve KEK.
    group: admin
    shared

  com.apple.KerberosAgent
    class: evaluate-mechanisms
    comment: Used to acquire Kerberos credentials.
    mechanisms: KerberosAgent:kerberos-dialog KerberosAgent:kerberos-authenticate,privileged

  com.apple.OpenScripting.additions.send
    allow-root
    class: user
    comment: Used to send restricted scripting addition commands to processes that require authorization to handle the events.
    group: admin

  com.apple.ReportPanic.fixRight
    allow-root
    authenticate-user
    class: user
    group: admin
    require-apple-signed
    shared
    timeout: 10

  com.apple.Safari.parental-controls
    allow-root
    class: rule
    comment: Checked when changing parental controls for Safari.
    k-of-n: 1
    rule: is-admin authenticate-admin
    shared
    timeout: 60

  com.apple.Safari.show-credit-card-numbers
    class: user
    comment: This right is used by Safari to show credit card numbers.
    session-owner
    shared
    timeout: 10

  com.apple.Safari.show-passwords
    class: user
    comment: This right is used by Safari to show passwords.
    session-owner
    shared
    timeout: 10

  com.apple.Safari.install-ephemeral-extensions
    class: user
    comment: This is the right used by Safari to install an ephemeral extension without a developer certificate present.
    session-owner
    shared
    timeout: 0

  com.apple.Safari.allow-apple-events-to-run-javascript
    class: user
    comment: This right is used by Safari to allow Apple Events to run JavaScript on web pages.
    session-owner
    shared

  com.apple.Safari.allow-unsigned-app-extensions
    class: user
    comment: This right is used by Safari to allow unsigned extensions in the Develop Menu.
    session-owner
    shared

  com.apple.Safari.allow-javascript-in-smart-search-field
    class: user
    comment: This right is used by Safari to allow JavaScript to be used in the Smart Search Field.
    session-owner
    shared

  com.apple.ServiceManagement.blesshelper
    allow-root
    class: user
    comment: Used by the ServiceManagement framework to add a privileged helper tool to the system launchd.
    group: admin
    timeout: 30
    version: 1

  com.apple.ServiceManagement.daemons.modify
    class: rule
    comment: Used by the ServiceManagement framework to make changes to the system launchd's set of daemons.
    k-of-n: 1
    rule: is-root entitled-admin-or-authenticate-admin-nonshared
    version: 1

  com.apple.SoftwareUpdate.modify-settings
    class: rule
    comment: Checked by the Admin framework when making changes to the Software Update preference pane.
    rule: root-or-entitled-admin-or-app-specific-admin

  com.apple.SoftwareUpdate.scan
    class: rule
    comment: Checked when user is updating software.
    rule: root-or-entitled-admin-or-authenticate-admin

  com.apple.XType.fontmover.install
    allow-root
    class: user
    group: admin
    shared
    timeout: 300

  com.apple.XType.fontmover.remove
    allow-root
    class: user
    group: admin
    shared
    timeout: 300

  com.apple.XType.fontmover.restore
    class: rule
    rule: root-or-entitled-admin-or-authenticate-admin

  com.apple.activitymonitor.kill
    class: rule
    comment: Used by Activity Monitor to authorize killing processes not owned by the user.
    rule: entitled-admin-or-authenticate-admin
    shared
    timeout: 0

  com.apple.appserver.privilege.admin
    class: rule
    comment: For administrative access to the Application Server management tool.
    rule: appserver-admin

  com.apple.appserver.privilege.user
    class: rule
    comment: For user access to the Application Server management tool.
    k-of-n: 1
    rule: appserver-admin appserver-user

  com.apple.builtin.confirm-access
    class: evaluate-mechanisms
    mechanisms: builtin:confirm-access
    tries: 1

  com.apple.builtin.confirm-access-password
    class: evaluate-mechanisms
    mechanisms: builtin:confirm-access-password

  com.apple.builtin.generic-new-passphrase
    class: evaluate-mechanisms
    mechanisms: builtin:generic-new-passphrase

  com.apple.builtin.generic-unlock
    class: evaluate-mechanisms
    mechanisms: builtin:generic-unlock

  com.apple.builtin.sc-kc-new-passphrase
    class: evaluate-mechanisms
    mechanisms: builtin:generic-new-passphrase

  com.apple.container-repair
    class: user
    group: admin
    shared
    timeout: 30

  com.apple.dashboard.advisory.allow
    class: user
    group: admin
    shared
    timeout: 300

  com.apple.desktopservices
    class: user
    comment: For privileged file operations from within the Finder.
    group: admin
    shared
    timeout: 0

  com.apple.desktopservices.scripted
    class: user
    comment: For scripting-initiated privileged file operations from within the Finder.
    group: admin
    shared
    timeout: 0

  com.apple.docset.install
    class: user
    comment: Used by Xcode to restrict access to a daemon it uses to install and update documentation sets.
    group: admin
    shared

  com.apple.iBooksX.ParentalControl
    class: user
    comment: Checked when making changes to the Parental Controls for iBooks.
    group: admin
    shared

  com.apple.icloud.passwordreset
    class: user
    comment: Authenticate as the session owner to reset iCloud password
    session-owner
    timeout: 0
    password-only
    version: 1

  com.apple.library-repair
    class: user
    group: admin

  com.apple.lldb.LaunchUsingXPC
    class: user
    group: admin

  com.apple.opendirectoryd.linkidentity
    class: rule
    rule: entitled-session-owner-or-authenticate-session-owner

  com.apple.ctk.pair
    class: rule
    rule: kcunlock

  com.apple.ctkbind.admin
    class: user
    group: admin
    shared

  com.apple.pf.rule
    authenticate-user
    class: user
    group: admin
    timeout: 0

  com.apple.security.assessment.update
    class: rule
    rule: root-or-entitled-admin-or-authenticate-admin

  com.apple.server.admin.streaming
    allow-root
    class: rule
    comment: For making administrative requests to the QuickTime Streaming Server.
    k-of-n: 1
    rule: is-admin authenticate-admin
    shared
    timeout: 0

  com.apple.trust-settings.admin
    allow-root
    class: user
    comment: For modifying Trust Settings in the Local Admin domain.
    group: admin

  com.apple.trust-settings.user
    comment: For modifying per-user Trust Settings.
    rule: entitled-session-owner-or-authenticate-session-owner

  com.apple.uninstalld.uninstall
    class: rule
    rule: entitled-admin-or-authenticate-admin

  config.add.
    class: allow
    comment: Wildcard right for adding rights. Anyone is allowed to add any (non-wildcard) rights.

  config.config.
    class: deny
    comment: Wildcard right for any change to meta-rights for db modification. Not allowed programmatically (just edit this file).

  config.modify.
    class: rule
    comment: Wildcard right for modifying rights. Admins are allowed to modify any (non-wildcard) rights. Root does not require authentication.
    k-of-n: 1
    rule: is-root authenticate-admin

  config.remove.
    class: rule
    comment: Wildcard right for deleting rights. Admins are allowed to delete any (non-wildcard) rights. Root does not require authentication.
    k-of-n: 1
    rule: is-root authenticate-admin

  config.remove.system.
    class: deny
    comment: Wildcard right for deleting system rights.

  sys.openfile.
    class: user
    comment: See authopen(1) for information on the use of this right.
    group: admin
    shared
    timeout: 300

  system.
    rule: default

  system.burn
    class: allow
    comment: For burning media.

  system.csfde.requestpassword.weak
    class: rule
    comment: Used by CoreStorage Full Disk Encryption to request the user's password, allowing alternative authentication methods.
    rule: authenticate-admin-or-staff-extract-weak

  system.csfde.requestpassword
    class: rule
    comment: Used by CoreStorage Full Disk Encryption to request the user's password.
    rule: authenticate-admin-or-staff-extract
    version: 1

  system.device.dvd.setregion.initial
    class: user
    comment: Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).
    group: admin
    shared

  system.disk.unlock
    class: evaluate-mechanisms
    comment: Do not modify.
    mechanisms: DiskUnlock:prompt DiskUnlock:unlock,privileged

  system.global-login-items.
    class: rule
    k-of-n: 1
    rule: default
    version: 1

  system.hdd.smart
    class: allow
    comment: For modifying SMART settings.

  system.identity.write.
    class: rule
    comment: For creating, changing or deleting local user accounts and groups.
    k-of-n: 1
    rule: is-admin authenticate-admin

  system.identity.write.credential
    class: rule
    comment: Checked when changing authentication credentials (password or certificate) for a local user account.
    rule: default

  system.identity.write.self
    authenticate-user
    class: user
    comment: Checked when changing authentication credentials (password or certificate) for the current user's account.
    session-owner

  system.install.app-store-software
    class: rule
    comment: Checked when user is installing software from the App Store.
    rule: entitled-appstore-or-entitled-authenticate-appstore

  system.install.app-store-software.standard-user
    authenticate-user
    class: user
    comment: Checked when user is installing new software.
    entitled
    group: admin
    timeout: 10

  system.install.software.mdm-provided
    allow-root
    version: 1
    class: rule
    rule: entitled

  system.install.apple-config-data
    allow-root
    class: rule
    rule: entitled

  system.install.apple-software
    class: rule
    comment: Checked when user is installing Apple-provided software.
    rule: root-or-entitled-admin-or-authenticate-admin

  system.install.apple-software.standard-user
    authenticate-user
    class: user
    comment: Checked when user is installing new software.
    entitled
    group: admin
    timeout: 10

  system.install.software
    allow-root
    class: user
    comment: Checked when user is installing new software.
    group: admin
    shared
    timeout: 900
    version: 2

  system.install.software.iap
    allow-root
    authenticate-user
    class: user
    entitled

  system.keychain.create.loginkc
    allow-root
    class: evaluate-mechanisms
    comment: Used by the Security framework when you add an item to an unconfigured default keychain.
    mechanisms: loginKC:queryCreate loginKC:showPasswordUI
    version: 1
    session-owner
    shared

  system.keychain.modify
    class: user
    comment: Used by Keychain Access when editing a system keychain.
    group: admin
    shared
    timeout: 30

  system.login.console
    class: evaluate-mechanisms
    comment: Login mechanism based rule. Not for general use, yet.
    mechanisms: builtin:policy-banner loginwindow:login builtin:login-begin builtin:reset-password,privileged loginwindow:FDESupport,privileged builtin:forward-login,privileged builtin:auto-login,privileged builtin:authenticate,privileged PKINITMechanism:auth,privileged builtin:login-success loginwindow:success HomeDirMechanism:login,privileged HomeDirMechanism:status MCXMechanism:login CryptoTokenKit:login loginwindow:done
    version: 7

  system.login.fus
    class: evaluate-mechanisms
    comment: Login mechanism based rule. Not for general use, yet.
    mechanisms: builtin:smartcard-sniffer,privileged loginwindow:login builtin:reset-password,privileged builtin:auto-login,privileged builtin:authenticate-nocred,privileged loginwindow:success loginwindow:done
    version: 1

  system.login.done
    class: evaluate-mechanisms
    mechanisms:

  system.login.screensaver
    class: rule
    comment: The owner or any administrator can unlock the screensaver, set rule to "authenticate-session-owner-or-admin" to enable SecurityAgent.
    rule: use-login-window-ui
    version: 1

  system.login.tty
    class: rule
    rule: default
    version: 1

  system.preferences
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to certain System Preferences.
    group: admin
    shared

  system.preferences.accessibility
    class: user
    comment: Checked when making changes to the Accessibility Preferences.
    group: admin
    shared
    timeout: 0

  system.preferences.accounts
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Users & Groups preference pane.
    group: admin
    shared

  system.preferences.datetime
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Date & Time preference pane.
    group: admin
    shared
    version: 1

  system.preferences.energysaver
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Energy Saver preference pane.
    group: admin
    shared

  system.preferences.location
    class: rule
    comment: For changing the network location from the Apple menu.
    k-of-n: 1
    rule: on-console is-admin is-root

  system.preferences.network
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Network preference pane.
    group: admin
    shared

  system.preferences.nvram
    class: rule
    k-of-n: 1
    rule: entitled admin

  system.preferences.parental-controls
    class: user
    comment: Checked when making changes to the Parental Controls preference pane.
    group: admin
    shared

  system.preferences.printing
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Printing preference pane.
    group: admin
    shared

  system.preferences.security
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Security preference pane.
    group: admin
    shared

  system.preferences.security.remotepair
    class: user
    comment: Used by Bezel Services to gate IR remote pairing.
    entitled-group
    group: admin
    shared
    timeout: 30
    version: 1

  system.preferences.sharing
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Sharing preference pane.
    group: admin
    shared

  system.preferences.softwareupdate
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Software Update preference pane.
    group: admin
    shared

  system.preferences.startupdisk
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Startup Disk preference pane.
    group: admin
    shared
    version: 1

  system.preferences.timemachine
    allow-root
    class: user
    comment: Checked by the Admin framework when making changes to the Time Machine preference pane.
    group: admin
    shared

  system.preferences.version-cue
    class: rule
    comment: For gating modifications to Adobe Version Cue preferences.
    rule: authenticate-admin

  system.print.admin
    class: rule
    rule: root-or-lpadmin

  system.print.operator
    allow-root
    class: user
    group: _lpoperator
    shared

  system.printingmanager
    class: rule
    comment: For printing to locked printers.
    k-of-n: 1
    rule: is-admin authenticate-admin

  system.privilege.admin
    allow-root
    class: user
    comment: Used by AuthorizationExecuteWithPrivileges(...). AuthorizationExecuteWithPrivileges() is used by programs requesting to run a tool as root (e.g., some installers).
    group: admin
    shared
    timeout: 300

  system.privilege.taskport
    allow-root
    class: user
    comment: Used by task_for_pid(...). Task_for_pid is called by programs requesting full control over another program for things like debugging or performance analysis. This authorization only applies if the requesting and target programs are run by the same user; it will never authorize access to the program of another user. WARNING: administrators are advised not to modify this right.
    group: _developer
    shared
    timeout: 36000

  system.privilege.taskport.debug
    allow-root
    class: user
    comment: For use by Apple. WARNING: administrators are advised not to modify this right.
    group: _developer
    shared
    timeout: 36000

  system.privilege.taskport.safe
    class: allow
    comment: For use by Apple.

  system.restart
    class: evaluate-mechanisms
    comment: Checked if the foreground console user tries to restart the system while other users are logged in via fast-user switching.
    mechanisms: RestartAuthorization:restart builtin:authenticate,privileged RestartAuthorization:success

  system.services.directory.configure
    class: rule
    k-of-n: 1
    rule: is-root entitled authenticate-admin-nonshared
    comment: For making Directory Services changes.
    version: 3

  system.services.networkextension.filtering
    allow-root
    class: user
    comment: For making changes to the Content Filtering configuration using NetworkExtension.
    entitled-group
    group: admin
    vpn-entitled-group

  system.services.networkextension.vpn
    allow-root
    class: user
    comment: For making changes to the VPN configuration using NetworkExtension.
    entitled-group
    group: admin
    vpn-entitled-group

  system.services.systemconfiguration.network
    class: rule
    comment: For making change to network configuration via System Configuration.
    k-of-n: 1
    rule: is-root entitled _mbsetupuser-nonshared authenticate-admin-nonshared
    entitled-group
    version: 2
    vpn-entitled-group

  system.sharepoints.
    allow-root
    class: user
    comment: Checked when making changes to the Sharepoints.
    group: admin
    shared

  system.shutdown
    class: evaluate-mechanisms
    comment: Checked if the foreground console user tries to shut down the system while other users are logged in via fast-user switching.
    mechanisms: RestartAuthorization:shutdown builtin:authenticate,privileged RestartAuthorization:success

  system.volume.
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: is-root is-admin authenticate-admin-30

  system.volume.external.
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: is-root is-admin on-console authenticate-admin-30

  system.volume.external.adopt
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: is-root is-admin authenticate-admin-30

  system.volume.network.
    class: rule
    comment: system.volume.network.unmount
    k-of-n: 1
    rule: is-root is-admin on-console authenticate-admin-30

  system.volume.optical.
    class: rule
    comment: system.volume.optical.(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: is-root is-admin on-console authenticate-admin-30

  system.volume.optical.adopt
    class: rule
    comment: system.volume.optical.adopt
    k-of-n: 1
    rule: is-root is-admin authenticate-admin-30

  system.volume.removable.
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: is-root is-admin on-console authenticate-admin-30

  system.volume.removable.adopt
    class: rule
    comment: system.volume.(external|internal|removable).(adopt|encode|mount|rename|unmount)
    k-of-n: 1
    rule: is-root is-admin authenticate-admin-30

  com.apple.installassistant.macos
    allow-root
    class: user
    comment: Used by Install Assistant
    group: admin
    shared
    timeout: 300

  com.apple.security.syntheticinput
    class: rule
    rule: authenticate-session-owner

  com.apple.security.sudo
    class: rule
    k-of-n: 2
    rule: entitled authenticate-session-owner

  system.preferences.continuity
    class: rule
    comment: Used by Password And Continuity PrefPane to request the user's password.
    rule: authenticate-staff-extract-context

  com.apple.configurationprofiles.userprofile.trustcert
    class: rule
    comment: Install user configuration profile with certificate requiring trust change.
    rule: authenticate-session-owner-or-admin

  com.apple.configurationprofiles.userenrollment.install
    class: user
    comment: This right is used by UserManagement to ask user to acquire password from users.
    session-owner
    extract-password
    password-only
    shared
    version: 1

  com.apple.safaridriver.allow
    comment: This right is used by safaridriver to allow running it.
    class: rule
    k-of-n: 1
    rule: is-admin is-webdeveloper authenticate-webdeveloper
    version: 1

  com.apple.app-sandbox.create-symlink
    comment: Authorize an app-sandboxed application to install a symlink into /usr/local/bin.
    class: rule
    rule: authenticate-admin-nonshared
    shared
    timeout: 60

  com.apple.app-sandbox.set-attributes
    comment: Authorize an app-sandboxed application to change permissions on a privileged file.
    class: rule
    rule: authenticate-admin-nonshared
    shared
    timeout: 60

  com.apple.app-sandbox.replace-file
    comment: Authorize an app-sandboxed application to save (overwrite) a file in a privileged location.
    class: rule
    rule: authenticate-admin-nonshared
    shared
    timeout: 60

  com.apple.applepay.reset
    class: user
    comment: Used by nfcd.
    group: admin
    shared
    timeout: 300

  com.apple.tcc.util.admin
    comment: For modification of TCC settings.
    class: rule
    rule: authenticate-admin-nonshared
    shared

  com.apple.system-extensions.admin
    comment: Authorize a 3rd party application which wants to manipulate system extensions.
    class: rule
    rule: authenticate-admin-nonshared
    shared

rules:

  admin
    class: user
    group: admin
    shared

  allow
    class: allow
    comment: Allow anyone.

  app-specific-admin
    class: user
    group: admin

  appserver-admin
    class: user
    group: appserveradm

  appserver-user
    class: user
    group: appserverusr

  authenticate
    class: evaluate-mechanisms
    mechanisms: builtin:authenticate builtin:reset-password,privileged builtin:authenticate,privileged PKINITMechanism:auth,privileged

  kcunlock
    class: evaluate-mechanisms
    extract-password
    mechanisms: builtin:unlock-keychain builtin:kc-verify,privileged
    version: 1

  authenticate-admin
    class: user
    comment: Authenticate as an administrator.
    group: admin
    shared
    timeout: 0

  authenticate-admin-nonshared
    class: user
    comment: Authenticate as an administrator.
    group: admin
    timeout: 30
    version: 1

  _mbsetupuser-nonshared
    class: user
    authenticate-user
    comment: Succeeds if user is from _mbsetupuser group.
    group: _mbsetupuser
    timeout: 30

  authenticate-admin-30
    class: user
    comment: Like the default rule, but credentials remain valid for only 30 seconds after they've been obtained. An acquired credential is shared by all clients.
    group: admin
    shared
    timeout: 30

  authenticate-admin-extract-weak
    class: user
    comment: Authenticate as an administrator + allow password extraction.
    extract-password
    group: admin
    require-apple-signed
    timeout: 0

  authenticate-staff-extract-weak
    class: user
    comment: Authenticate as group staff + allow password to be extracted.
    extract-password
    group: staff
    require-apple-signed
    timeout: 0

  authenticate-admin-extract
    class: user
    comment: Authenticate as an administrator + allow password extraction.
    extract-password
    password-only
    group: admin
    require-apple-signed
    timeout: 0
    version: 1

  authenticate-staff-extract
    class: user
    comment: Authenticate as group staff + allow password to be extracted.
    extract-password
    password-only
    group: staff
    require-apple-signed
    timeout: 0
    version: 1

  authenticate-staff-extract-context
    class: rule
    k-of-n: 2
    rule: authenticate-staff-extract localauthentication-context

  authenticate-admin-or-staff-extract-weak
    class: rule
    k-of-n: 1
    rule: authenticate-admin-extract-weak authenticate-staff-extract-weak

  authenticate-admin-or-staff-extract
    class: rule
    k-of-n: 1
    rule: authenticate-admin-extract authenticate-staff-extract

  authenticate-appstore-30
    class: user
    group: _appstore
    shared
    timeout: 30

  authenticate-developer
    class: user
    comment: Authenticate as a developer.
    group: _developer
    shared
    timeout: 36000

  authenticate-session-owner
    class: user
    comment: Authenticate as the session owner.
    session-owner

  authenticate-session-owner-or-admin
    allow-root
    class: user
    comment: Authenticate either as the owner or as an administrator.
    group: admin
    session-owner
    shared

  authenticate-session-user
    class: user
    comment: Same as authenticate-session-owner.
    session-owner

  default
    class: user
    comment: Default rule. Credentials remain valid for 5 minutes after they've been obtained. An acquired credential is shared by all clients.
    group: admin
    shared
    timeout: 300

  entitled
    class: evaluate-mechanisms
    mechanisms: builtin:entitled,privileged
    tries: 1

  entitled-admin
    class: rule
    k-of-n: 2
    rule: is-admin entitled

  entitled-admin-nonshared
    class: rule
    k-of-n: 2
    rule: is-admin-nonshared entitled

  entitled-admin-or-authenticate-admin-nonshared
    class: rule
    k-of-n: 1
    rule: entitled-admin-nonshared authenticate-admin-nonshared

  entitled-admin-or-authenticate-admin
    class: rule
    k-of-n: 1
    rule: entitled-admin authenticate-admin-30

  entitled-appstore
    class: rule
    k-of-n: 2
    rule: is-appstore entitled

  entitled-appstore-or-entitled-authenticate-appstore
    class: rule
    k-of-n: 1
    rule: entitled-appstore entitled-authenticate-appstore

  entitled-authenticate-admin
    class: rule
    k-of-n: 2
    rule: entitled authenticate-admin-30

  entitled-authenticate-appstore
    class: rule
    k-of-n: 2
    rule: entitled authenticate-appstore-30

  entitled-session-owner
    class: rule
    k-of-n: 2
    rule: is-session-owner entitled

  entitled-session-owner-or-authenticate-session-owner
    class: rule
    k-of-n: 1
    rule: entitled-session-owner authenticate-session-owner

  is-admin
    authenticate-user
    class: user
    comment: Verify that the user asking for authorization is an administrator.
    group: admin
    shared

  is-admin-nonshared
    authenticate-user
    class: user
    comment: Verify that the user asking for authorization is an administrator - nonshared right.
    group: admin

  is-appstore
    authenticate-user
    class: user
    group: _appstore
    shared

  is-developer
    authenticate-user
    class: user
    comment: Verify that the user asking for authorization is a developer.
    group: _developer

  is-lpadmin
    authenticate-user
    class: user
    group: _lpadmin

  is-root
    allow-root
    authenticate-user
    class: user
    comment: Verify that the process that created this AuthorizationRef is running as root.

  is-session-owner
    allow-root
    authenticate-user
    class: user
    comment: Verify that the requesting process is running as the session owner.
    session-owner

  lpadmin
    class: user
    group: _lpadmin
    shared

  on-console
    class: evaluate-mechanisms
    mechanisms: builtin:on-console
    tries: 1

  root-or-entitled-admin-or-admin
    class: rule
    k-of-n: 1
    rule: is-root entitled-admin admin

  root-or-entitled-admin-or-app-specific-admin
    class: rule
    k-of-n: 1
    rule: is-root entitled-admin app-specific-admin

  root-or-entitled-admin-or-authenticate-admin
    class: rule
    k-of-n: 1
    rule: is-root entitled-admin-or-authenticate-admin

  root-or-lpadmin
    class: rule
    k-of-n: 1
    rule: is-root is-lpadmin lpadmin

  use-login-window-ui
    allow-root
    class: user
    comment: Authenticate either as the owner or as an administrator.
    group: admin
    session-owner
    shared

  localauthentication-context
    class: evaluate-mechanisms
    comment: Used by LocalAuthentication to pass externalized context.
    mechanisms: LocalAuthentication:context

  is-webdeveloper
    authenticate-user
    class: user
    comment: Verify that the user asking for authorization is a web developer.
    group: _webdeveloper

  authenticate-webdeveloper
    class: user
    comment: Authenticate as a web developer.
    group: _webdeveloper
    shared
    timeout: 36000
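The top-level comment of the database describes how a requested right name is reduced to a key: an exact match wins, otherwise the longest key that is a prefix of the name is used, and only wildcard keys (ending in ".") take part in that prefix search. The following is an added example, not Apple's implementation, that performs that reduction over a constructed subset of the keys listed above. The value strings are my own one-line summaries of each entry's deciding property; the empty key "" is treated as the catch-all, as its own comment ("Matches otherwise unmatched rights") states. It shows why a name such as `com.apple.Safari.show-passwords-extra` does not inherit the non-wildcard `com.apple.Safari.show-passwords` entry, and why the nested `config.remove.system.` deny wins over the permissive `config.remove.` wildcard.

```python
"""Reduce an authorization right name to the database key that governs it.

Added example (not Apple's code). Implements the matching described in the
database's top-level comment:
  1. an exact key match has priority;
  2. otherwise the longest wildcard key (ending in ".") that is a prefix of
     the requested name is used;
  3. the empty key "" is the fallback for otherwise unmatched rights.
"""

# Constructed subset of the rights table above. Values are summaries of the
# entry's deciding property (class, or the rule(s) it delegates to).
RIGHTS = {
    "": "rule default",
    "com.apple.": "rule default",
    "com.apple.DiskManagement.": "rule is-root is-admin on-console default",
    "com.apple.DiskManagement.internal.": "rule is-root is-admin default",
    "com.apple.DiskManagement.reserveKEK": "class user, group admin",
    "com.apple.Safari.show-passwords": "class user, session-owner",
    "config.add.": "class allow",
    "config.remove.": "rule is-root authenticate-admin",
    "config.remove.system.": "class deny",
    "system.": "rule default",
    "system.volume.external.": "rule is-root is-admin on-console authenticate-admin-30",
    "system.volume.external.adopt": "rule is-root is-admin authenticate-admin-30",
}


def match_right(rights, name):
    """Return the key in `rights` that governs `name`, or None if nothing applies."""
    if name in rights:
        return name  # exact match has priority over any wildcard

    best = None
    for key in rights:
        # Only wildcard keys (trailing ".") participate in the prefix reduction,
        # so a non-wildcard key that merely prefixes `name` is never selected.
        if key.endswith(".") and name.startswith(key):
            if best is None or len(key) > len(best):
                best = key  # longest match from the start wins
    if best is not None:
        return best

    return "" if "" in rights else None  # catch-all entry, when present


def resolve(rights, name):
    """Return (matched key, its deciding property) for `name`."""
    key = match_right(rights, name)
    return key, (rights[key] if key is not None else None)


if __name__ == "__main__":
    for requested in [
        "com.apple.DiskManagement.reserveKEK",      # exact
        "com.apple.DiskManagement.internal.x",      # nested wildcard
        "com.apple.Safari.show-passwords-extra",    # falls to com.apple.
        "config.remove.system.foo",                 # more specific deny wins
        "system.volume.external.mount",             # wildcard sibling of .adopt
        "org.example.unknown",                      # catch-all ""
    ]:
        key, prop = resolve(RIGHTS, requested)
        print(f"{requested!r:45} -> {key!r}: {prop}")
```

Reading the table through this reduction is the check to run before adding or editing an entry: a new non-wildcard right such as `com.apple.Safari.show-passwords` covers exactly one name, while a wildcard such as `config.remove.` silently governs every name beneath it that has no more specific wildcard or exact entry of its own.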