Platforms to show: All Mac Windows Linux Cross-Platform

KeychainAccessControlMBS class

Type Topic Plugin Version macOS Windows Linux iOS Targets
class Keychain MBS MacClassic Plugin 18.5 ✅ Yes ❌ No ❌ No ✅ Yes All
Defines access rights for items.

This is an abstract class. You can't create an instance, but you can get one from various plugin functions.

Control Flags

Constant Value Description
kSecAccessControlAnd &h8000 Constraint logic operation: when using more than one constraint, all must be satisfied.
kSecAccessControlApplicationPassword &h80000000 Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism.
kSecAccessControlBiometryAny 2 Touch ID (any finger) or Face ID. Touch ID or Face ID must be available. With Touch ID at least one finger must be enrolled. With Face ID user has to be enrolled. Item is still accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled.
kSecAccessControlBiometryCurrentSet 8 Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated. When Face ID is re-enrolled this item is invalidated.
kSecAccessControlDevicePasscode 16 Device passcode
kSecAccessControlOr &h4000 Constraint logic operation: when using more than one constraint, at least one of them must be satisfied.
kSecAccessControlPrivateKeyUsage &h40000000 Create access control for private key operations (i.e. sign operation)
kSecAccessControlTouchIDAny 2 Touch ID (any finger) or Face ID. Touch ID or Face ID must be available. With Touch ID at least one finger must be enrolled. With Face ID user has to be enrolled. Item is still accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled.
kSecAccessControlTouchIDCurrentSet 8 Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated. When Face ID is re-enrolled this item is invalidated.
kSecAccessControlUserPresence 1 User presence policy using biometry or Passcode. Biometry does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled.

This class has no sub classes.

Blog Entries

Release notes


The items on this page are in the following plugins: MBS MacClassic Plugin.


JSValueMBS   -   KeychainItemMBS


The biggest plugin in space...