Security & Privacy

Security & Privacy Artifacts

macOS enforces a layered security model through Transparency, Consent, and Control (TCC) permission databases, Gatekeeper code signing enforcement, XProtect malware detection, and per-file quarantine tracking. These artifacts are essential for understanding an endpoint's security posture, detecting unauthorized access to sensitive resources, and investigating malware delivery and execution.

Categories

  • TCC Database — Permission grants for camera, microphone, Full Disk Access, and more
  • Gatekeeper — Code signing enforcement and app approval history
  • XProtect — Apple's built-in malware detection signatures and remediator
  • Quarantine Events — Downloaded file tracking with source URLs and timestamps