macOS maintains over 150 groups under the hood. System Settings shows you two: “Admin” and “Standard.” The rest are invisible, and some of them silently pre-authorize remote services on your machine. This is one of several hidden system behaviors I discovered while auditing what Apple actually runs on my Mac.

instem os-groups is a free macOS app that makes all of it visible.

What’s Actually Going On

Every Mac has a set of groups called SACL (Service Access Control List) groups. These are the com.apple.access_* groups that control which users are pre-authorized for remote services: SSH, screen sharing, remote Apple events, FTP, and file sharing.

If a user is in the SACL group for a service, that service can be activated without any additional permission prompt. One toggle in System Settings and it is live.

What most people do not know: every admin user is silently added to all SACL groups through a nested UUID, the admin group’s GeneratedUID. When that UUID appears in a SACL group’s NestedGroups, all admin users inherit membership automatically.

That means every admin on your Mac is already pre-authorized for every remote service. No password prompt. No permission dialog. Just a switch in System Settings > General > Sharing.
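The inheritance chain described above can be audited directly from dscl output. The following is an added example, not the app's own code: it resolves each SACL group's NestedGroups UUIDs back to group names and reports which users are members directly and which inherit membership through a nested group. The sample records, UUIDs, user names and function names are constructed for illustration.

```python
# Added example: resolve effective SACL membership through NestedGroups.
# SAMPLE is constructed; it mirrors the layout printed on a Mac by
#   dscl . -readall /Groups RecordName GeneratedUID GroupMembership NestedGroups
SAMPLE = """\
GeneratedUID: 11111111-0000-0000-0000-000000000050
GroupMembership: root alice
RecordName: admin
-
GeneratedUID: 22222222-0000-0000-0000-000000000001
NestedGroups: 11111111-0000-0000-0000-000000000050
RecordName: com.apple.access_ssh
-
GeneratedUID: 22222222-0000-0000-0000-000000000002
GroupMembership: bob
NestedGroups: 11111111-0000-0000-0000-000000000050
RecordName: com.apple.access_screensharing
"""

def parse_groups(text):
    """Split '-'-separated records into {RecordName: {attribute: [values]}}."""
    groups = {}
    for block in text.split("\n-\n"):
        rec = {}
        for line in block.strip().splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.split()
        if rec.get("RecordName"):
            groups[rec["RecordName"][0]] = rec
    return groups

def effective_members(name, groups, seen=None):
    """Return {user: 'direct' | 'nested via <group>'} for one group."""
    seen = seen if seen is not None else set()
    if name in seen:  # guard against groups that nest each other
        return {}
    seen.add(name)
    by_uuid = {g["GeneratedUID"][0]: n for n, g in groups.items() if g.get("GeneratedUID")}
    members = {u: "direct" for u in groups[name].get("GroupMembership", [])}
    for uuid in groups[name].get("NestedGroups", []):
        child = by_uuid.get(uuid)  # unknown UUIDs are skipped
        for user in (effective_members(child, groups, seen) if child else ()):
            members.setdefault(user, f"nested via {child}")
    return members

def sacl_report(text):
    groups = parse_groups(text)
    return {n: effective_members(n, groups) for n in sorted(groups) if n.startswith("com.apple.access_")}

if __name__ == "__main__":
    print(sacl_report(SAMPLE))
```

Any user reported as "nested via admin" is pre-authorized for that service without appearing in the group's own member list, which is the case the dashed orange lines in the app represent.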

What the App Shows You

instem os-groups renders your Mac’s entire group architecture as an interactive graph.

  • Red nodes: SACL groups (service access control)
  • Orange nodes: Admin group
  • Grey nodes: System groups
  • Blue nodes: User accounts
  • Green nodes: Custom groups
  • Solid lines: Direct membership
  • Dashed orange lines: Nested UUID inheritance (the hidden pre-authorization chain)

Click any node to see its full details: UUID, members, nested groups, and current service status. Red warnings appear when a stopped service already has pre-authorized users, meaning it is one click from going live.

How to Use It

Filter the noise. Use the filter bar at the top to focus on what matters:

  • SACL Only: Shows only the service access control groups and their members
  • My Groups: Shows only the groups your account belongs to
  • Hide System: Removes the 100+ system groups to reduce clutter

Explore the graph. Scroll to zoom, drag to pan. Drag individual nodes to reposition them. Click any node to open a detail panel with everything macOS knows about that group or user.

Look for warnings. The app flags situations where remote services are stopped but users are already pre-authorized. These are the scenarios where one toggle opens a service to the network.

What to Be Careful Of

The app is read-only. It does not modify your system. But the information it reveals might prompt you to make changes. If you do, keep these in mind:

  • Do not remove yourself from the admin group. This locks you out of administrative access. Recovery requires booting into Recovery Mode or using another admin account.
  • Do not delete SACL groups. macOS recreates these groups automatically and manual deletion can corrupt directory services.
  • Do not modify NestedGroups via dscl. Use System Settings > Users & Groups to manage group membership safely.
  • Always have a recovery plan. Maintain a second admin account or ensure you have Recovery Mode access before making any changes.

Privacy

This app does not track, monitor, or collect any data. Period.

There is no network access. It is explicitly disabled at the system level. No telemetry. No analytics. No crash reporting. No account creation. No sign-in. No server. The app never contacts the internet for any reason. Everything runs locally on your Mac, and your data never leaves your machine.

The app’s network policy is set to deny all connections at the OS level (NSAllowsArbitraryLoads: false, NSAllowsLocalNetworking: false), and the WebView blocks every URL that is not a local file. There is nothing to phone home to.

Why It’s Not on the App Store

The App Store requires apps to run inside Apple’s App Sandbox. Sandboxed apps cannot call system utilities like dscl (Directory Service command line), which is exactly how this app reads your Mac’s group architecture. There is no public macOS API that exposes the full group structure, nested UUIDs, and SACL membership the way dscl does.

Building this app inside the sandbox would mean it could not do the one thing it exists to do.

The app is distributed directly. macOS Gatekeeper will ask you to confirm the first launch (right-click > Open). After that, it runs like any other app.

Install

  1. Download the DMG using the link below
  2. Open the DMG and drag InstemOSGroups to your Applications folder
  3. First launch: right-click the app and select “Open”
  4. macOS will show a warning. Click “Open” to confirm

About the macOS Warning

On first launch, macOS will display a warning: “Apple could not verify InstemOSGroups is free of malware that may harm your Mac or compromise your privacy.”

This is the standard Gatekeeper warning that appears for any app distributed outside the Mac App Store that has not been notarized through Apple. It does not mean the app is unsafe. It means Apple has not reviewed it. As explained above, this app cannot be distributed through the App Store because it requires access to system utilities that the App Sandbox does not allow.

To open the app:

  1. Right-click (or Control-click) the app and select Open
  2. In the dialog that appears, click Open

If you do not see an “Open” button in the dialog:

  1. Go to System Settings > Privacy & Security
  2. Scroll down. You will see a message that InstemOSGroups was blocked
  3. Click Open Anyway
  4. Enter your password when prompted

After doing this once, the app will open normally from then on.

Requires macOS 13.0 (Ventura) or later.

License

instem Public Use License (iPUL) v1.0

Copyright 2026 ROI PIPE LLC. All rights reserved.

Grant of Use

Permission is granted, free of charge, to any individual to use, inspect, and share this software in unmodified form for personal, non-commercial purposes, provided this license, all attribution, and all privacy disclosures remain intact.

Conditions

Any redistribution must include this license in full, unmodified. The privacy disclosure embedded in the software must remain intact in any permitted distribution. Attribution to ROI PIPE LLC and instem.ai must be preserved in all copies.

Prohibitions

You may not distribute modified versions of this software without prior written approval from ROI PIPE LLC. You may not use this software or any portion of its code, architecture, or methods commercially without a separate written commercial license from ROI PIPE LLC. You may not bundle this software with any other software, tool, or payload of any kind. You may not remove, alter, or obscure any attribution, privacy disclosure, or license notice contained in the software.

No Warranty

This software is provided as-is, without warranty of any kind. ROI PIPE LLC is not liable for any damages arising from its use.

Governing Law

This license is governed by the laws of the United States.

Suggestions

If you have suggestions you would like to see in this app, please comment below. Let's talk about it.