Which Apps Have Full Disk Access on Your Mac?

Full Disk Access is the most powerful permission on macOS. An app with this can read your Mail mailbox, your Messages history, your Time Machine backups, the contents of any folder including Desktop and Documents — basically everything that isn’t a system file. macOS deliberately makes this permission high-friction to grant. The dialog is verbose. You have to manually unlock System Settings. You have to drag-add the app or browse for it.

Despite that friction, by year three of Mac ownership most people have given Full Disk Access to several apps. Some genuinely need it. Many don’t anymore. Time for an audit.

Where to find the list

System Settings → Privacy & Security → Full Disk Access. On older macOS, System Preferences → Security & Privacy → Privacy tab → Full Disk Access.

You’ll see a list of apps with toggles. On means the app has Full Disk Access. Off means it doesn’t, even if it’s in the list.

If a list is short (3-5 apps), good — that’s about right. If it’s 10+ apps, audit time.

The high-trust apps that should be there

Apps that genuinely benefit from Full Disk Access:

1. Backup software — Time Machine, Backblaze, Arq, Carbon Copy Cloner. Backup tools by definition need to read everything.
2. Password managers — 1Password, Bitwarden, sometimes need it for keychain integration or browser extension setup.
3. Sync/clone tools — DropDMG, SuperDuper for full-disk operations.
4. Specific developer tools — Terminal, iTerm2, sometimes need it to access files in Mail or Messages folders for scripts.
5. Search/indexing tools you’ve consciously installed — HoudahSpot, Foxtrot, etc.

That’s roughly the legitimate set. Five or six tools at most, for most users.

The apps that probably shouldn’t have it anymore

Common over-permissioned apps to look for:

• Old backup tools you’ve replaced with something else
• Discontinued password managers from a previous trial
• Cleanup tools that asked for it to “clean caches” but you don’t use anymore
• Migration tools from a one-time data transfer
• A previous AV or security tool you switched away from
• A scriptable automation tool you used for one project
• An installer or onboarding helper that asked for it during setup and never removed itself

Anything in the list you don’t recognise or haven’t deliberately used in 60 days — toggle it off. The app keeps working in most ways; it just can’t read your entire disk.

Files and Folders: the more granular permission

Beyond Full Disk Access, macOS has a separate Files and Folders permission category. System Settings → Privacy & Security → Files and Folders.

This is the per-folder permission system. Apps appear here when they’ve requested access to specific folders — Documents, Downloads, Desktop, iCloud Drive, Removable Volumes, Network Volumes.

This is where you see app-by-app what folders each can read or write. It’s much more granular than Full Disk Access, and most apps live here rather than in Full Disk Access.

Audit Files and Folders the same way: any app with access to folders it doesn’t actually need to function in, toggle off.

App Management: a newer permission

Sequoia 15 (macOS 15) and onwards has a separate App Management permission. Privacy & Security → App Management. Apps with this can install, modify, or remove other apps.

Should be limited to:

• Trusted updaters (Sparkle-based updaters for legitimate apps)
• App Store
• Specific dev tools you use

Anything else with App Management permission deserves scrutiny.

Audit your permissions in one screenSweep shows every app’s camera, mic, file, and location permissions on one page. Revoke in one click. Get Sweep free →

A walkthrough

For each app in Full Disk Access:

1. Read the app name
2. Ask: when did I last use this?
3. Ask: does its core function require reading my whole disk?
4. If both answers favor revoking, toggle off

Repeat for Files and Folders, but more leniently — that one’s narrower.

What revocation actually does

Toggling off Full Disk Access doesn’t uninstall the app. It just removes its high-trust access. The app continues to:

• Run normally
• Access its own data (sandbox or app group container)
• Access folders you explicitly allow it via the standard file open dialog
• Read user-generated content you give it

What it loses:

• Reading your Mail database without prompting
• Reading Messages history
• Reading other apps’ private data
• Reading backups
• Reading system folders without per-folder consent

For most apps, this is the right level. Full Disk Access is overpowered for what they actually need.

Apps that might fail without it

A few categories will visibly break:

• Backup tools — they’ll fail to back up Mail, Messages, and protected folders
• Some monitor / utility tools — that read system logs or process trees
• Migration assistants — fine, those are one-off uses
• Disk utilities — for full-disk operations

If an app you use breaks after revoking Full Disk Access, the dialog will be obvious (something like “needs Full Disk Access to function”). You can re-grant in seconds.

Stale entries

The “Show in Finder” trick reveals a lot:

1. In Privacy & Security → Full Disk Access, ctrl-click an app
2. Choose “Show in Finder”
3. See where the app actually lives

If the app doesn’t open or isn’t where it claims to be, the permission entry is stale. Remove it: select the entry, click the minus button. Authenticate if needed.

This is usually fine to do — entries for non-existent apps don’t grant any access (there’s no app to claim it), but tidying the list makes future audits faster.

Sequoia 15 and tightening of access

Sequoia 15 made some permissions even more friction-heavy. Sometimes you have to re-grant Full Disk Access weekly for apps that previously had it indefinitely. Apple’s reasoning: more frequent reminder of what apps have powerful permissions.

For most users this is mildly annoying but a privacy win. The first time it surprised me, my reaction was “ugh.” Now I appreciate that I have to consciously re-grant rather than forget.

What about command-line tools?

Terminal and iTerm2 can be granted Full Disk Access. When granted, scripts and commands you run inside them inherit that access. So find searches across the whole disk, cp can copy from any location, etc.

This is fine if you want it. But it means anything you run in that Terminal — including curl-piped install scripts from the internet — has access to your whole disk. Worth thinking about before granting.

If you don’t routinely script things that need full-disk access, leave Terminal’s permission off and rely on macOS prompting you per-folder when scripts try to read protected folders.

Don’t dig through Settings yourselfSweep surfaces every app’s permissions in one place. Free for macOS →

Apps that are commonly suspicious in this list

If you see any of these in Full Disk Access and don’t remember installing them:

• “MacKeeper” or similar branded “cleanup” tools
• Free PDF readers from obscure publishers
• Free system utilities from unknown publishers
• “Optimizer” tools you don’t remember
• Browser plug-ins or “speed-up” tools

Any of these warrant investigation. Toggle off, then look at what the app actually is. Some are legitimate-but-overzealous. Some are not. macOS won’t always block sketchy apps from being installed, but the permission audit is a good place to catch them.

A privacy audit isn’t a malware scan

Full Disk Access audit is about: do my legitimately-installed apps have more access than they need? It’s not about: is there malware on my Mac?

Different problems, different tools. For malware, Apple’s built-in XProtect and Gatekeeper, plus a reputable on-demand scanner if you’re worried, are the right tools. For permission tidiness, the audit covered here is the right approach.

Doing this regularly

A Full Disk Access audit takes 3-5 minutes if your list is short. Worth doing:

• Twice a year as routine
• Whenever you uninstall a backup tool, password manager, or cleanup app
• After major macOS upgrades that may have shifted permission categories
• After installing anything that asked for Full Disk Access during setup

If you make it routine, your Full Disk Access list stays at 3-5 apps you trust deeply, instead of climbing to 15 apps you don’t quite remember.

Sweep’s privacy audit puts every Mac permission — including Full Disk Access, Files and Folders, App Management, and the rest — on one screen. You can scan and revoke in a single sitting. Faster than clicking through System Settings categories one by one, and gives you a clearer picture of where the powerful permissions actually live.