My agent/service relies on Accessibility APIs. Being installed by IT on all corporate Macs, it receives its permission to use these APIs via a configuration profile installed on the Mac, and not via the System-Preferences Security & Privacy panel (Privacy tab, Accessibility item).
Problem is - if that profile is removed, or changed to remove this permission - The agent currently has no way to know it, and will hang on the next call to some AX API.
our code calls
before using other AX APIs, but sadly - the method returns true even when accessibility has been denied by removing the profile.
By contrast - if If user manually un-checks the Accessibility for this agent in the System-Preferences panel - the function returns false immediately.
If after removing the profile, I kill my agent (launchd then relaunches it) - then calling AXIsProcessTrustedWithOptions returns false as expected.
This seems to be a bug of some kind or incomplete behaviour, but I need a workaround as soon as possible.
My first "wish" would be to be able to register for and receive some system-wide NSNotification about "configuration profile changes", at which time, I could decide to exit my agent, and relaunch with accessibility permissions synchronised.
Or is there any AX internal notification I could register for? haven't found any.
Any clue would be greatly appreciated.
Problem is - if that profile is removed, or changed to remove this permission - The agent currently has no way to know it, and will hang on the next call to some AX API.
our code calls
Code Block @result Returns TRUE if the current process is a trusted accessibility client, FALSE if it is not. */ extern Boolean AXIsProcessTrustedWithOptions (CFDictionaryRef __nullable options) CF_AVAILABLE_MAC(10_9);
before using other AX APIs, but sadly - the method returns true even when accessibility has been denied by removing the profile.
By contrast - if If user manually un-checks the Accessibility for this agent in the System-Preferences panel - the function returns false immediately.
If after removing the profile, I kill my agent (launchd then relaunches it) - then calling AXIsProcessTrustedWithOptions returns false as expected.
This seems to be a bug of some kind or incomplete behaviour, but I need a workaround as soon as possible.
My first "wish" would be to be able to register for and receive some system-wide NSNotification about "configuration profile changes", at which time, I could decide to exit my agent, and relaunch with accessibility permissions synchronised.
Or is there any AX internal notification I could register for? haven't found any.
Any clue would be greatly appreciated.
No one cared to answer, and I don't have an answer either - but in the mean time I received confirmation from Apple (I opened a tech-support-incident for this issue) that indeed this is a "Bug" or "unexpected behavior" of the operating system. No workaround was suggested by the tech-support engineers.
My rather horrible work-around to this scenario is to "poll" by spawning a new instance of the same daemon executable (using NSTask) every few minutes, just so it can call the AXIsProcessTrustedWithOptions method, get a "fresh" and reliable answer and exit with return-code. If that answer is "NO", then I quit+relaunch the original process.
My rather horrible work-around to this scenario is to "poll" by spawning a new instance of the same daemon executable (using NSTask) every few minutes, just so it can call the AXIsProcessTrustedWithOptions method, get a "fresh" and reliable answer and exit with return-code. If that answer is "NO", then I quit+relaunch the original process.