An app updates itself overnight, and a few days later you notice something new: it's listed under Screen Recording now, or there's a menu-bar icon that wasn't there last week, or Activity Monitor shows a background process you don't remember installing. Nobody asked you, in so many words, whether that was okay. The direct answer: an ordinary update does not reset or re-grant permissions you already gave an app, but the things sitting around that permission can change quietly, with no prompt and no notice. We call that shift permission drift, and it's why "did this app always have this?" is such a common, genuinely hard question to answer on a Mac.
This guide covers what does and doesn't change across an update, the one real trigger that can force a reset, and the manual habits that catch drift before it surprises you.
What actually happens to your permissions when an app updates
Every permission macOS asks about — Camera, Microphone, Screen Recording, Full Disk Access, Accessibility, Automation — is tracked by a system Apple calls TCC, short for Transparency, Consent, and Control. Click Allow once, and TCC writes a row tying one specific app to one specific permission. A routine update replaces the files inside the app bundle; it does not touch that row. Same app, same identity, same grant — which is exactly why updating Slack or Zoom for the two-hundredth time has never once made either app ask for microphone access again.
This is also why most "did my permissions get reset" worries turn out to be unfounded. If an update actually wiped grants, every camera and microphone permission on your Mac would need re-approving after every routine patch, and that obviously isn't what happens to anyone, ever. What people are noticing is something else entirely: a new item showing up somewhere it wasn't before, which feels identical to "my permissions changed" even though none of the old ones moved.
The one thing that can actually reset a permission: a changed code identity
There's exactly one thing that makes macOS treat an already-approved app like a stranger: a change to its code-signing identity. A TCC grant isn't just keyed to a bundle identifier like com.company.appname — it's checked against the certificate that actually signed the binary. A new build signed with the same developer certificate passes that check silently. Change the certificate (a company gets acquired and re-signs under a new legal entity, an app forks under a different developer account, a self-built app gets rebuilt with a new ad-hoc signature) and macOS can no longer confirm it's the same app it granted access to. The permission doesn't carry over. The app just prompts again, exactly like a first install.
We ran into a sharper version of this ourselves building SwoopByte Permissions. During development the app is signed ad hoc, so every fresh build gets its own one-off signing hash instead of a stable certificate. Full Disk Access still shows as granted after a rebuild (the toggle doesn't move), but reads silently fail, because to macOS a rebuilt ad-hoc binary is, strictly, a new identity wearing the old one's name. The fix was switching to a stable local signing certificate for development builds. If an app you use ever behaves like this, granted but clearly not working, re-adding it in the relevant Settings pane usually fixes it. Same rule underneath either way: change the signature, and the grant doesn't follow.
Background helpers and login items pile up quietly
The more common way an update changes what you see isn't a new grant at all. It's a new item. macOS keeps every login item and every "run in the background" permission in one place: System Settings > General > Login Items & Extensions. An update that adds a menu-bar helper, a sync agent, or an auto-updater process registers itself there, and the "Allow in the Background" toggle for it defaults to on.
There's actually one small built-in nudge here: the first time an app registers a new background item on a given day, macOS shows a real notification, something like "[App] added items that can run in the background," snoozable for a day or a week right from the banner. It's a genuine signal and also one nearly everyone swipes away without reading — Apple's own documentation confirms it collapses into a single notice per 24 hours no matter how many items actually got added that day, so a second helper installed an hour later generates nothing further to see.
None of this is unique to updates — it's exactly how these apps behave on first install too. What makes it feel like drift is timing: you installed the app once, forgot what runs in the background, and an update six months later adds a second helper worth, at most, one easy-to-miss toast. To remove a helper completely rather than just audit it, that's a full-uninstall job: see our guide on how to completely uninstall an app on Mac for exactly where these leftover files live.
A new version can ask for more because it's built to do more
Every capability an app can request — camera, microphone, calendar, Apple Events, and so on — has to be declared inside the app itself, as an entitlement or a usage-description string, at build time. An old version that never touched Apple Events simply couldn't ask for it, no matter what a user wanted. Ship a new version with a feature that needs Apple Events, say an update that adds "control other apps" automation, and the new build is now able to request something the old one never could. The first time it genuinely needs that access, you'll see a real prompt, the same as any first-time request.
The catch is timing, not concealment. You approve access two weeks after updating, while trying a feature for the first time — by then the update is old news, so the permission reads as unconnected to anything rather than "the thing I clicked update for." Nothing here is hidden. It's just decoupled from the moment that caused it.
Why macOS never shows you what changed
There is still no built-in report anywhere on macOS that says "here's what changed about this app's permissions since the last version you had." The login item notification above is the closest thing to a built-in nudge, and it only covers background and login registrations — it says nothing about camera, microphone, screen recording, Full Disk Access, or any other TCC permission. Apple ships a full App Privacy Report on iPhone: a rolling log of what each app has actually accessed and when. There's never been a Mac equivalent.
Apple has been narrowing the gap in other ways. Screen Recording access already has to be reconfirmed roughly every month on Sequoia and Tahoe, so old access doesn't sit unnoticed forever. But a re-confirmation prompt isn't a changelog: it shortens how long a stale grant survives without ever telling you what changed, or why.
How to check for permission drift yourself
Short of a tool built for exactly this, catching drift by hand is a genuinely tedious habit — worth saying plainly, since most quick-tip advice implies it's easier than it is.
- Screenshot your Privacy & Security panes occasionally — there's no built-in diff, so a screenshot is the only history you'll have. Do it after major macOS updates, since Apple sometimes reorganizes the categories.
- Check Login Items & Extensions after updating anything that runs in the background — backup tools, VPN clients, meeting apps, virtualization software. New helper entries show up here first.
- Read the permission prompt instead of reflexively clicking Allow. A request from an app you've had for a year is a real signal something in the new version needs it.
- Watch Activity Monitor for a process name you don't recognize after an update, especially one still running once you've quit the app.
To confirm whether an app's signing identity actually changed between versions, the one legitimate trigger above, Terminal will tell you directly:
codesign -dv --verbose=4 /Applications/AppName.app 2>&1 | grep TeamIdentifier
Run it before and after an update and compare; a different Team ID means a different developer account signed the app, the one case where a fresh prompt is genuinely expected. macOS also ships a blunter tool, tccutil reset <service> <bundle-id>, which clears a grant outright so the app has to ask again — good for forcing a re-check, not for seeing what's currently granted. Seeing the current state means querying the permission database directly: possible with sqlite3 against ~/Library/Application Support/com.apple.TCC/TCC.db once Terminal has Full Disk Access, but the schema is undocumented and Apple can change it at any release. Treat it as a one-off diagnostic, not a workflow.
What's normal, and what's worth checking twice
A video-calling app adding a virtual-camera helper right after an update that ships background blur is normal — the capability and the helper obviously belong together. A backup or sync tool's auto-updater showing up as a new Login Item after its first real update is normal too; nearly every self-updating Mac app works this way.
What's worth a second look: an app you rarely open still holding Full Disk Access, Accessibility, or Screen Recording months later. It's not dangerous by itself, but there's no reason to keep it live for software you've stopped using. A signature or Team ID change is worth a look too, especially on an app that never announced a change of developer or ownership; it might be a legitimate internal certificate migration, but it's worth confirming rather than assuming. So is a utility whose stated job doesn't obviously need what it's now asking for (a note-taking app requesting Accessibility, a wallpaper app requesting Input Monitoring) — not proof of anything on its own, but a reasonable prompt to skim the release notes before clicking Allow.
None of this calls for panic. It calls for the same five seconds of attention you'd give a permission prompt the first time an app ever asked for it.
How SwoopByte Permissions catches drift for you
This guide has been a manual process because right now, that's the only process that exists. SwoopByte Permissions, the app we're building, automates exactly this: an automatic snapshot of every app's permissions, Team ID and code signature, entitlements, and embedded helpers, with a plain-language diff the moment any of it changes after an update. Instead of "did this app always have this?" you'd see something like: "Raycast 1.96 added Apple Events access and a new background helper. Same Team ID as before." That's the answer this article just walked you toward by hand.
It's an auditor, not a gatekeeper: no app, ours included, can intercept or block a macOS permission prompt. It surfaces what changed and helps you revoke it through the same System Settings panes and tccutil paths above — no notifications, just a quiet menu-bar indicator and a weekly summary on your own schedule. Reading is local and read-only, no sudo, zero network calls. Seeing your current permissions and latest change is free; full history and ongoing drift monitoring are a one-time $19.99, no subscription. It's still in development — join the waitlist, and in the meantime see our companion guide on how to see which apps can access your camera, mic, and screen on Mac to audit what's already granted by hand.
FAQ
Do app updates reset permissions on Mac?
No. A routine update keeps every permission you've already granted, as long as the app's code-signing identity doesn't change. What can change is what's around the grant: a new background helper, a capability the app can now request that it couldn't before, or occasionally a fresh prompt because the identity itself changed.
Why did an app ask for a permission again after I updated it?
Either the new version added a feature that needs a permission the old version never requested, or the app's code-signing identity changed: a new developer certificate, an ownership change, or a broken build signature. An app re-asking for something it already had, with nothing else different, shouldn't normally happen.
Can an app grant itself Full Disk Access after an update?
No. Full Disk Access has to be added manually in System Settings > Privacy & Security > Full Disk Access (see Apple's Privacy & Security settings guide). No app, through an update or otherwise, can add itself to that list or any other TCC permission list on its own. It can only prompt you to do it, same as on first install.
How do I check if an app's permissions changed after an update?
Compare a screenshot of the relevant Privacy & Security pane from before and after, check Login Items & Extensions for a new background entry, and pay attention to any permission prompt you weren't expecting. To check a code-identity change specifically, run codesign -dv --verbose=4 on the app and compare its Team ID before and after.
What is "permission drift"?
Permission drift is the plain-language term for how an app's real permission footprint, its grants, background helpers, entitlements, and code signature, shifts across updates without macOS ever notifying you. There's no built-in report for it, which is the specific gap SwoopByte Permissions is being built to close.
Does reinstalling an app reset its permissions on Mac?
Usually not, as long as you reinstall the same app from the same developer with the same signing identity. TCC keys the grant to identity, not to whether the files happen to be present on disk. Installing a different app that does a similar job starts from zero, since it's a different identity entirely.
Related guides
How to see which apps can access your camera, mic, and screen on Mac
The manual audit companion to this guide — every permission pane, checked in one pass.
Read guide →How to completely uninstall an app on Mac
Where the background helpers behind a permission actually live, and how to clear them out for good.
Read guide →