“Unapproved caller. SecurityAgent may only be invoked by Apple software” alert on Mac

What is the “Unapproved caller. SecurityAgent may only be invoked by Apple software” alert?

If your Mac suddenly throws up a box that says: “Unapproved caller. SecurityAgent may only be invoked by Apple software”, you’re not alone, and you’re not necessarily looking at malware.

SecurityAgent is a built-in macOS component that handles secure prompts and authentication flows. Any time you see a system dialog asking for your admin password, Touch ID, permission to access the keychain, or approval to unlock a disk, SecurityAgent is the part doing the heavy lifting behind the scenes.

The “Unapproved caller” bit means something has tried to talk to SecurityAgent in a way macOS doesn’t like. In plain English, the system thinks a process that shouldn’t directly invoke this component is attempting to do so, or some of the internal security plumbing is out of sync due to corrupted caches, a half-baked update, or stray system files.

In practice, this is almost always a macOS glitch rather than an attacker breaking in. That said, third-party tools and outdated components can definitely throw a spanner in the works and make this error more likely to appear.

When can this alert show up?

The dialog is notoriously vague, and it doesn’t always show up in the same context. In real-world reports, a few recurring patterns stand out:

• Right after startup or login: The Mac boots, you get the desktop or login screen, and then the “Unapproved caller” box appears and freezes the interface. Sometimes it’s followed by a reboot loop.
• During or after a macOS upgrade or migration: Systems upgraded in place from an older macOS version, or restored from a clone, are more prone to stale caches and permission mismatches in the security stack.
• When something asks for keychain access: The alert may appear in a flurry of dialogs where various system services all ask for access to the “login” keychain. SecurityAgent then complains and refuses to proceed.
• While installing or updating software that touches system security: Enterprise agents, MDM clients, security suites, VPN tools, and similar components that hook into authorization dialogs can trigger it if they’re outdated or misconfigured.
• When booting from a cloned or externally migrated system: Bootable clones that carried over system cache folders verbatim have been known to trigger the error until caches are rebuilt or cleaned out.

Sometimes the box appears once, you restart, and life goes on. In other cases, it keeps coming back and effectively bricks the session until you take more drastic action.

Is this a virus warning or a regular system error?

This is the key distinction to get straight.

• The dialog itself is part of macOS: It’s not a fake pop-up from a browser page or adware overlay. It’s rendered by the system’s own security components.
• Most cases are down to corruption or conflicts, not a live infection: Old caches, partially migrated system files, or buggy third-party helpers are the usual suspects. The wording is just unfortunate enough to sound like somebody’s eavesdropping.
• Malware can still be in the picture indirectly: If you’ve also been seeing adware symptoms (browser redirects, fake virus alerts, shady “cleaner” prompts), it’s possible that a rogue app or launch agent has messed with permissions, keychains, or security services and helped cause the chaos.

Also, don’t confuse this with browser-based scareware. If the same text appears inside a web page together with a phone number to call, that’s just a scam site imitating technical wording. In that scenario, there’s no real SecurityAgent error at all – just close the tab.

To recap, the alert is real, but it’s not a built-in antivirus banner. It’s a symptom of something going wrong in your macOS security subsystem, which may or may not involve unwanted software.

First aid: get out of the frozen “Unapproved caller” screen

If your Mac is currently stuck on this dialog and won’t respond, start with the basics.

Force your Mac to restart

If the pointer doesn’t move or the Restart menu doesn’t work:

• Press and hold the power button (or Touch ID) until the Mac shuts down.
  • On laptops, the screen will go black.
  • On desktops, wait until all indicator lights are off.
• Wait 10–15 seconds.
• Turn it back on normally.

If the problem doesn’t reappear on the next boot, it may have been a one-off cache hiccup. If it does come back, move on to the more structured fixes below.

Step-by-step fixes for the “Unapproved caller - SecurityAgent” error

Step 1: Update macOS and see if the issue is repeatable

• Once you’re back at the desktop, go to Apple menu → System Settings → General → Software Update.
• Install any pending macOS updates and restart.
• Use the Mac for a while to see if the dialog returns in the same context (startup, unlock, app install, and so on).

Apple silently fixes a lot of these edge-case security bugs in minor updates, so this is a low-effort but meaningful step.

Step 2: Boot into Safe Mode to flush caches

One of the most reliable remedies is a Safe Mode boot followed by a normal restart. Safe Mode clears and rebuilds various system caches and runs basic checks on the startup volume, which often takes the “Unapproved caller” message with it.

On a Mac with Apple silicon:

• Shut down the Mac completely.
• Press and hold the power button until you see “Loading startup options”.
• Select your startup disk (usually Macintosh HD).
• Press and hold the Shift key, then click “Continue in Safe Mode”.
• Log in if prompted; you should see “Safe Boot” in the menu bar.
• Once the desktop loads, wait a minute or two, then go to the Apple menu and restart normally.

On an Intel-based Mac:

• Turn on or restart the Mac.
• Immediately press and hold the Shift key.
• Release Shift when you see the login window and sign in.
• After reaching the desktop, reboot again without holding any keys.

If the error stops appearing after this routine, it was most likely tied to corrupted temporary data under the hood that Safe Mode has now rebuilt for you.

Step 3: Clean up login items and legacy helpers

If Safe Mode didn’t permanently fix the problem, the next suspects are login items and background helpers that integrate with system security.

On recent macOS versions (Ventura, Sonoma, Sequoia):

• Open System Settings → General → Login Items.
• Look under both:
  • “Open at Login”
  • “Allow in the Background”
• If the system is blocking changes to the Login Items, click the padlock icon as illustrated below and enter your administrator password to enable tweaks to these settings.
• Disable or remove:
  • Old antivirus or “cleaner” tools you no longer use
  • Enterprise agents or VPN clients you don’t recognize
  • Anything that looks like a leftover from software you already uninstalled
• Restart the Mac and monitor whether the “Unapproved caller - SecurityAgent” alert still shows up.

If you see a clear correlation (the error only occurs when a specific tool is installed), it’s a strong sign that this component is calling into SecurityAgent in an unsupported way.

Step 4: Check and, if needed, reset your login keychain

When the “Unapproved caller” alert rides along with repeated “XYZ wants to use the login keychain” prompts, the underlying problem may be a damaged or out-of-sync keychain. In that case, repairing or resetting the login keychain can stop SecurityAgent from tripping over itself.

Warning: Resetting the keychain will make apps forget stored passwords and some certificates. You’ll have to re-enter credentials for email, Wi-Fi, and certain apps afterwards.

• Use Spotlight to search for Keychain Access and open it.
• In the sidebar, select login under “Keychains”.
• From the Keychain Access menu, open Settings (or Preferences on older macOS).
• Click Reset My Default Keychain (wording may vary slightly by version).
• Follow the prompts and restart your Mac.

If you don’t want to go that far, a softer approach is:

• Right-click the login keychain → Lock Keychain “login”,
• Then unlock it again with your password and restart.

If the SecurityAgent message disappears after this and the constant prompts stop, you’ve just confirmed that the keychain state was part of the problem.

Step 5: Repair the disk and reinstall macOS over the top

If you’ve made it this far and the alert still appears regularly, treat it as a deeper-level system issue rather than a surface-level glitch.

The safe next move is:

• Boot into macOS Recovery.
  • Apple silicon: shut down → hold power until startup options appear → choose Options → Continue.
  • Intel: restart → hold Command (⌘) + R until you see the Apple logo.
• In Recovery, open Disk Utility and run First Aid on your startup volume.
• If no serious errors are found, return to the main Recovery screen and choose Reinstall macOS. This reinstalls the operating system while keeping your files and most settings intact.

A clean reinstall refreshes the system frameworks, including the security and authorization components that SecurityAgent relies on, without erasing user data. Still, having a Time Machine or other backup beforehand is non-negotiable in case something goes sideways.

Step 6: Advanced: manual cache cleanup (only if you know what you’re doing)

Older troubleshooting approaches mention manually removing contents of specific subfolders under /private/var/folders to wipe corrupted caches that Safe Mode didn’t fix.

This technique has indeed helped some users clear the “Unapproved caller” error, particularly on systems restored from clones.

However:

• deleting the wrong thing under /private can break apps or even prevent the system from booting;
• APFS and modern macOS security layers make low-level tinkering more delicate than it used to be.

If you’re not completely comfortable with Terminal, permissions, and restoring from a backup, stick to Safe Mode and the reinstall route instead.

How to reduce the chance of the alert returning

Once you’ve tamed the immediate problem, a few habits will help keep it from coming back out of the blue. The most important one is to keep macOS and your key applications updated so you’re not running old components against a newer security stack. It’s equally important to avoid system-level hacks, outdated kernel extensions, or long-abandoned security tools that still try to hook into authorization flows; these relics are prime candidates for weird SecurityAgent behavior.

From a broader perspective, be careful with cloning tools and migrations. When moving to a new disk or Mac, prefer Time Machine or Apple’s Migration Assistant rather than blindly cloning system volumes and their caches.

If you do rely on third-party cloning utilities, avoid copying system cache directories wholesale. It also pays to review your login items occasionally and prune anything you don’t use or recognize, because every extra background helper increases both the attack surface and the bug surface.

Finally, treat persistent keychain weirdness as an early warning rather than background noise. If you constantly get keychain prompts for the same process, don’t just click “Cancel” or “Always Allow” without thinking. Fix the underlying account settings, regenerate problematic entries, or reset the login keychain before it escalates into full-blown security subsystem confusion that can trigger alerts like “Unapproved caller” in the first place. All of this aligns with good Mac hygiene in general and keeps SecurityAgent operating quietly in the background, where it belongs.

FAQ

1. Does this alert mean my Mac has been hacked?

2. Can I just ignore the message and keep using the Mac?

3. The error appears when I install or update a legitimate app (Adobe, VPN, enterprise agent). Is that normal?

4. Is it safe to force-shut down the Mac when this alert freezes everything?

5. Should I manually delete `/private/var/folders` to fix the error?