App is not listed in the Automation pane of Privacy.

I am working on a macOS app which is distributed outside of the App Store, but it is notarized. The app contains a macOS agent, wsmon. It is located at App.app/Contents/Resources/wsmon. It does not have a GUI, but it is visible in the system bar. The agent needs to record the content of the screen and to communicate with Safari using automation.

The Info.plist of App.app contains:

<key>NSAppleEventsUsageDescription</key>
<string>...</string>
<key>NSAppleScriptEnabled</key>
<true/>

App.app and wsmon have the same entitlements:

$ codesign -d --entitlements :- App.app/Contents/Resources/wsmon
<dict>
	<key>com.apple.security.automation.apple-events</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<false/>
</dict>

I run wsmon with the command:

$ launchctl load /Library/LaunchAgents/com.domain.App.wsmon.plist
$ launchctl list | grep wsmon
3050	0	com.domain.App.wsmon

Within a minute, the “would like to record computer's screen” dialog opens.

I open System Preferences and check wsmon to allow screen recording. This is correct, but I expected to see App instead of wsmon, because wsmon is part of App.app.

When wsmon communicates with Safari, the “wants access to control Safari” dialog opens. I click OK and the agent successfully communicates with Safari.

Then I open System Preferences, Automation pane. Unfortunately wsmon is not there. I am not able to allow or disallow wsmon access to Safari. If a user did not allow the access, they will not be able to change it. Only after I reset the decision with $ tccutil reset AppleEvents does the dialog open again, and I can click the Allow or Don't Allow button.

I granted full access to Terminal, but TCC.db does not contain wsmon for kTCCServiceListenEvent, only for screen recording:

$ sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "select service, client from access where client like '%wsmon%'"
kTCCServiceScreenCapture|/Applications/App.app/Contents/Resources/wsmon

Please clarify:

  1. Why does the client column of TCC.db contain the path to the wsmon binary and not the CFBundleIdentifier of App.app, nor com.domain.App.wsmon? wsmon belongs to App.app and is not distributed separately.
  2. How do I reset kTCCServiceScreenCapture for the agent using tccutil? tccutil reset AppleEvents com.domain.App.wsmon does not work.
  3. Why do the Automation pane and TCC.db not contain the agent wsmon to allow/disallow?

Replies

It is located at App.app/Contents/Resources/wsmon.

This is incorrect. Place helper tools and apps in Contents/MacOS, per the advice in Placing Content in a Bundle.

I recently tested this case (a launchd agent embedded in an app) and, at least on macOS 11.6, TCC did the right thing. That is:

  • It showed the name of the parent app in the TCC alert.

  • It granted the privilege to the app.

  • And extended to the agent nested within the app.

If you continue to have problems after fixing your agent’s placement within your bundle, I encourage you to re-test on a ‘clean’ machine. It’s very common for TCC to be confused on development machines.

I usually do this sort of testing in a VM, so that I can restore to a clean snapshot between each test.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
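As an added example (not code from either post above), the checks a developer would run before filing this as a TCC bug: is the helper placed under Contents/MacOS as the reply advises, does it carry the apple-events entitlement and the NSAppleEventsUsageDescription string from the question, and what does the question's TCC.db query return. The entitlements, Info.plist and TCC rows are constructed inline so it runs offline; the real TCC.db has more columns than the two used here.

```python
"""Bundle/TCC sanity checks for an embedded launchd agent (added example,
not code from the thread). All inputs are constructed so it runs offline."""
import plistlib
import sqlite3
from pathlib import PurePosixPath

# Constructed to mirror the question: wsmon's entitlements and App.app's Info.plist.
WSMON_ENTITLEMENTS = b"""<plist version="1.0"><dict>
<key>com.apple.security.automation.apple-events</key><true/>
<key>com.apple.security.app-sandbox</key><false/>
</dict></plist>"""
APP_INFO_PLIST = b"""<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.domain.App</string>
<key>NSAppleEventsUsageDescription</key><string>Controls Safari</string>
</dict></plist>"""
# Constructed rows in the (service, client) shape of the question's sqlite output.
TCC_ROWS = [("kTCCServiceScreenCapture", "/Applications/App.app/Contents/Resources/wsmon")]


def helper_placement_ok(bundle: str, helper: str) -> bool:
    """The reply's point: helper tools belong under Contents/MacOS, not Contents/Resources."""
    try:
        rel = PurePosixPath(helper).relative_to(bundle)
    except ValueError:  # helper is not inside the bundle at all
        return False
    return rel.parts[:2] == ("Contents", "MacOS")


def apple_events_missing(entitlements: bytes, info_plist: bytes) -> list:
    """Return what is still missing for Apple Events automation: entitlement, usage string."""
    missing = []
    if plistlib.loads(entitlements).get("com.apple.security.automation.apple-events") is not True:
        missing.append("com.apple.security.automation.apple-events")
    if not plistlib.loads(info_plist).get("NSAppleEventsUsageDescription"):
        missing.append("NSAppleEventsUsageDescription")
    return missing


def tcc_services_for(rows, needle: str) -> list:
    """Run the question's query (client LIKE %needle%) over an in-memory copy of the table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE access (service TEXT, client TEXT)")
    db.executemany("INSERT INTO access VALUES (?, ?)", rows)
    cur = db.execute("SELECT service FROM access WHERE client LIKE ? ORDER BY service",
                     ("%" + needle + "%",))
    return [service for (service,) in cur]


def report(bundle, helper, entitlements, info_plist, rows) -> dict:
    """Collect all three checks for one helper binary."""
    return {"placement_ok": helper_placement_ok(bundle, helper),
            "missing_for_apple_events": apple_events_missing(entitlements, info_plist),
            "tcc_services": tcc_services_for(rows, PurePosixPath(helper).name)}
```

On the question's layout the report flags the placement as wrong and shows only the screen-capture grant, which is exactly the state the original poster describes.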