AXIsProcessTrustedWithOptions not prompting for permission

I'm trying to use the Accessibility API and have this code:



NSDictionary *options = @{(__bridge id) kAXTrustedCheckOptionPrompt : @YES};

BOOL accessibilityEnabled = AXIsProcessTrustedWithOptions((__bridge CFDictionaryRef) options);


This always returns no, however it does not prompt the user for permission nor does it display the app's name in System Preferences > Security & Privacy. What do I need to test this? I could try and add the debug version manually into System Preferences but how do I know that this will work properly when released to the public? Is there any way to test this out? I am not seeing any prompt at all.

Replies

I haven't analyzed your code snippet and can't comment on it. But you should be aware that, when you run your application in debug mode in Xcode, the application that needs to have access authorized is Xcode itself, not your application. So it is Xcode should be added to the Accessibility list, and checking Xcode's checkbox should enable accessibility for Xcode while you debug your application. But yes, an alert should be presented asking for permission -- unless Xcode already has permission.

(adding comment to this old thread in case it saves someone else time finding the answer more easily):

It appears, in 10.13.3 at least, that applications which are using the app sandbox will not have the alert shown. If you turn of app sandbox in the project entitlements then the alert is shown.


I filed a bug about this because the point of adding a system prompt to add the application to accessibility and of making this accessibility preference per-app instead of the prevous global setting prior to 10.9 was to make this all explicit and obvious to the user as a way to *increase* security of the system but making it so one has to *turn off* sandboxing in order to use this better approach defeats that since doing so *decreases* security for the user.


Furthermore, even if someone has a convincing argument as to why they need to disable this for sandboxed aps, there's still a bug: the AXIsProcessTrustedWithOptions call documentation (and header file) doesn't document this restriction which means developers waste a bunch of time trying to figure out why it's "broken".

  • This worked for me

Add a Comment

I'm having this same issue. I narrowed it down to the App Sandbox being on like you mentioned. The problem is my Launch at Login function needs App Sandbox enabled.


Don't know what I should do really. My app needs to be trusted for full functionallity but if that alert is not shown first then the app gets rejected from the App Store. So it's basically no option but cut the Launch at Login function for now and hope it's just a bug that gets fixed.

Thanks haikuty, you just saved me from a lot of headache. Is this feature/bug documented somewhere (i.e. the fact that sandboxing disables the Accessibility dialog), or did you find this by chance? A really weird design decision from Apple if this is intentional.

I have noticed that, on (10.15 and 11.0) if signed with Mac Development ceritficate or official Mac App Store distribution cert, the alert WILL pop up (although with errors in Console). But if signed with Develoepr ID, it will not pop up.

I also noticed that on 13.4.1 (and possibly higher) when creating an app project (and possibly others) and going to the target's "Signing and Capabilities" there exists by default an "App Sandbox" which allows/disallows an apps rights to certain things. Even if you have sandbox off, if this section exists the app will adhere to these rules. I fixed it by deleting this section.