We have an application that is packaged with pkgbuild/productbuild.. The app requires the Accessibility permission, which we have been enabling via a postinstall script. We have been inserting a record into /Library/Application Support/com.apple.TCC/TCC.db, and this is no longer possible with 10.12 Sierra.
The permission must be granted on install so that it exists when a non-admin users runs the app.
What is the proper/preferred method of requesting the permission from the pkg?
I have the same issue and would like to know if there's a way to do this.
No answers about how to do this?
I think it would be quite useful for application developers if Apple provides a way to do this
The only way for an application to request permission to use Accessibility features is with the API provided by Apple, namely AXIsProcessTrustedWithOptions.
What my company's software does is, during the postinstallation phase of installing, launch any of our applications that require Accessibility permissions and have them call AXIsProcessTrustedWithOptions.
Unfortuantely it inundates the user with multiple windows asking to grant apps permission. Furthermore our installer installs a kernel extension so starting with 10.14 there's also a dialog asking for permission for the kext to load, and in 10.15 it will require a reboot as well.
There is horrible UX. Unfortunately Apple doesn't provide us any way of doing anything different. It's quite unfortunate, and a lot of it strikes me as pointless.
I would love Apple to give us a method of granting these sorts of permission during the installation process in a way that's easy for the user to handle, but don't hold your breath. In the future I expect we'll see more features get locked away behind permissions dialogs resulting in further UX degredations, and I don't expect we'll see any new features that alleviates this problem.
I think the iOS platform has shown that strict and granular permission-granting don't necessarily force horrific UI experience, and maybe adopting iOS-style design of your app can smooth this a little. Specifically, having multiple applications - can usually be replaced by having a single Application bundle, code-signed as one, but supporting several binaries, or "Privileged Helpers", or by itself launching Agents/Daemons in either user/system scope. If you build your software so - your user will only need to provide accessibility permission once. Also, there is a reason for restricting developers from introducing Kernel Extensions, which are the most common source of kernel panics, OS hangs and slowdowns, and bad energy management. It's not that Apple does not provide alternatives.
In the special case of security/privacy permissions handling - MacOS indeed lags behind iOS, and to my humble opinion - the issue is more of bad documentation, than anything else. Obviously TCC database exists, and performs, since MacOS 10.8 - also, new "Lists" are added with every MacOS release (several were added in Catalina) so it's a living component of the OS.
There is also a very important point to make here: Apple sees the end user's "last word" on privacy, as the top priority. not 'root' or 'admin' or 'corporate IT'. That's an on-going struggle. In my company, huge amount of MDM profiles, kernel extensions, amazingly-bad "support" applications, supervision agents and more - are installed on every corporate user's Mac - just to circumvent this. As a result, my 2020 MBPPro 16" takes 3 minutes!!! to boot, and eats up its battery in less than an hour. it also crashes, hangs, and requests reboot about 10 times a week. This is not my Mac's case - but all users' case.
What I mean is -- Mac is a Personal computer. If you accept this - your software will usually work nicely. If you don't -- you'll probably end up with "Horrific UI" and weird solutions.