SMJobBless privileged helpers and granting permission

I have a signed, notarized app that makes use of a privileged helper. In macOS 11 and 12, as noted in several places in the documentation, there was/is an increasing requirement for the user to grant permission for things over prior macOS releases. This is great, I'm on board.

I've found that the privileged helper now needs the broad "Full Disk Access". How do I get the Finder to ask the user permission for this?

My helper has the special text sections called "__info_plist" and "__launchd_plist" and I tried putting what I think should go into them in those but I didn't have any luck. Is there another section I need to know about or did I just mess something else up?

I'm not using Xcode or Swift or Objective-C, everything is C++/C and the command line tools. My helper and Application use XPC to communicate with each other.

Thanks!

(After my helper fails it does show up in the Full Disk Access list; if you check that pref and try again it all works. I don't want my users to ever have to do that.)

First up, read On File System Permissions, which sets the context for all my answers in this space.

How do I get the Finder to ask the user permission for this?

Well, it’s not the Finder that presents these alerts but rather the TCC subsystem. However, regardless of who’s doing the asking, the question is still valid.

Unfortunately the answer isn’t what you were hoping for. In contrast to the other MAC checks, like the Desktop and Documents folder, the system never prompts the user to grant Full Disk Access. They will have to navigate to System Preferences > Security & Privacy > Privacy > Full Disk Access and enable this on their own. If you look at other software in similar situations, they often invest significant effort in explaining this to the user.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks Quinn. Sorry, yes, my sloppy terminology of "The Finder", which I often use for unattached dialogs the user sees.

I did not know this about the Full Disk Access being different, so my experiments with plists for the privileged helper need to be redone.

One of the operations my helper is doing that needs Full Disk Access is downloading a pkg and checking it is signed. None of the normal security APIs appear to work with pkgs, maybe I missed something there, I can check apps and so forth on disk. So I end up running /usr/sbin/pkgutil --check-signature instead as I could not figure out how pkgutil is implemented. Did I miss something in the security API, should I be able to look at a pkg's validity?

One of the operations my helper is doing that needs Full Disk Access is downloading a pkg and checking it is signed.

I don’t really understand this. If your helper is downloading the file, it should put it in a place that doesn’t require Full Disk Access.

Did I miss something in the security api, should I be able to look at a pkg's validity?

Installer packages use their own unique signing machinery. AFAIK there’s no API to check package signatures. The only good option I can see is to invoke pkgutil.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
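
Since invoking pkgutil is the option identified in the reply above, here is one way a C helper could do that and pin the result to an expected signer; this is an added example, not code from the thread. The function names are hypothetical, and the `Certificate Chain:` / `1. Developer ID Installer: Name (TEAMID)` layout and the meaning of exit status 0 are assumptions about pkgutil's human-readable output, which is not a documented format.

```c
#include <spawn.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 only if the first chain entry is a Developer ID Installer leaf whose
 * trailing "(TEAMID)" equals team_id. Output layout is assumed (see lead-in). */
int leaf_matches_team(const char *out, const char *team_id)
{
    static const char hdr[] = "Certificate Chain:", want[] = "1. Developer ID Installer: ";
    const char *p = strstr(out, hdr);
    if (!p || !(p = strchr(p, '\n'))) return 0;
    p += strspn(p, " \t\n");                  /* start of the first chain entry */
    if (strncmp(p, want, sizeof want - 1) != 0) return 0;
    size_t len = strcspn(p, "\n");            /* look at this line only */
    if (p[len - 1] != ')') return 0;
    const char *open = p + len - 1;
    while (open > p && *open != '(') open--;  /* last "(" so a name cannot spoof the ID */
    size_t idlen = (size_t)(p + len - 1 - open) - 1;
    return *open == '(' && idlen == strlen(team_id) && memcmp(open + 1, team_id, idlen) == 0;
}

/* Runs /usr/sbin/pkgutil --check-signature by absolute path with an empty
 * environment; fails closed on any error. Exit 0 == accepted is an assumption. */
int pkg_signed_by(const char *pkg_path, const char *team_id)
{
    int fds[2], status;
    if (pkg_path[0] != '/' || pipe(fds) != 0) return 0;  /* absolute paths only */
    posix_spawn_file_actions_t fa;
    posix_spawn_file_actions_init(&fa);
    posix_spawn_file_actions_adddup2(&fa, fds[1], STDOUT_FILENO);
    posix_spawn_file_actions_addclose(&fa, fds[0]);
    char *argv[] = {"pkgutil", "--check-signature", (char *)pkg_path, NULL};
    char *envp[] = {NULL};
    pid_t pid;
    int rc = posix_spawn(&pid, "/usr/sbin/pkgutil", &fa, NULL, argv, envp);
    posix_spawn_file_actions_destroy(&fa);
    close(fds[1]);
    char buf[8192], sink[256]; size_t used = 0; ssize_t n;
    while (rc == 0 && used < sizeof buf - 1 &&
           (n = read(fds[0], buf + used, sizeof buf - 1 - used)) > 0) used += (size_t)n;
    buf[used] = '\0';
    while (rc == 0 && read(fds[0], sink, sizeof sink) > 0) {}  /* drain so the child can exit */
    close(fds[0]);
    if (rc != 0 || waitpid(pid, &status, 0) != pid) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 && leaf_matches_team(buf, team_id);
}

int main(int argc, char **argv) {  /* usage: ./check /abs/path/to.pkg TEAMID */
    return (argc == 3 && pkg_signed_by(argv[1], argv[2])) ? 0 : 1;
}
```

Checking only that a package is signed accepts any Developer ID holder's package; comparing the leaf certificate's team ID ties the download to the expected publisher before anything is handed to /usr/sbin/installer.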

I don’t really understand this. If your helper is downloading the file, it should put it in a place that doesn’t require Full Disk Access.

Placing it somewhere else is easy, the running of pkgutil appears to require it though. If the check passes I'm then also going to want to run /usr/sbin/installer on it, I think that too requires Full Disk Access.

The application is trying to make things easier for the user, telling them to go to the privacy pref is a non-starter.

I actually think I have to scrap the whole approach. I just don't see how to do it though. I need the app to look at what is currently installed, talk to a couple of different servers, present a UI to allow some customization, download the desired installers and then run them.

I don’t think that either pkgutil or installer require Full Disk Access in general. For pkgutil I don’t see any situation where it would need it. For installer I guess it might if it hits a specific part of the file system but, in general, the installer has its own magic entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
