Full Disk Access (Catalina) - Not working with privileged helper

I haven't been able to find an answer to this question in this forum, and I have noticed that other developers of similar tools, are running into the same issue (Etcher, CCC, etc).


I've developed an application (ApplePi-Baker) to backup or restore external disks (usually these are SD cards for use with Raspberry Pi, but these can be USB drives as well).


With the arrival of Mojave, I revamped my application to make it use a so called Privileged Helper Tool, which was a pain to implement, but now it works great.


However,... with the arrival of Catalina this no longer seems to work. Trying to open a disk (only external disks) simply fails.

The application and helper tool are 64 bit, have the proper plist files, have been signed, and the DMG has been notarized.
Also note that the application is NOT sandboxed and NOT distributed through the Apple Store.


Adding the application bundle to "Security & Privacy" - "Privacy" - "Full Disk Access" does not seem to make a difference in Catalina.


The helper tool is located in the application bundle (../Contents/Library/LaunchServices) with the proper embedded plists and association with the main application (and viceversa). At start of the application, the helper tool (after the user authorizes this) is installed correctly.


Note: In Catalina, it appears one cannot add the Helper Tool itself to the "Full Disk Access" list. From what I have found: these rights are inherited from the main application.


I'm running the final release of Catalina, not a beta version, and the application is developed with Lazarus Pascal.


Interesting observation:
I can open the "disk" of a mounted DMG without any issues.


Console is not providing me with anything useful either at least nothing I could find anyway - insight is much appreciated.
The minute the helper tool tries to open the disk, I get these messages, and honestly I do not have aclue what these messages mean (couldn't find anything online either):


default 12:40:31.478127+0200 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.tweaking4all.ApplePiBaker, type: 0: 0x7fafa2618ec0 at /Applications/ApplePiBaker.app
default 12:40:32.227840+0200 runningboardd Invalidating assertion 313-163-227 (target:executable<applepibaker(501)>) from originator 163
default 12:40:32.332542+0200 runningboardd [executable<applepibaker(501)>:978] Ignoring jetsam update because this process is not memory-managed
default 12:40:32.332627+0200 runningboardd [executable<applepibaker(501)>:978] Set darwin role to: UserInteractiveNonFocal
default 12:40:32.332809+0200 runningboardd [executable<applepibaker(501)>:978] Ignoring GPU update because this process is not GPU managed


Can anyone help me get insight what is going wrong or what I should do?

If any additional info is needed, then I'd be happy to provide this info.

Replies

I've noticed that Catalina has a new security category. In addition to Full Disk Access, there is "Removable Volumes" under "Files and Folders". I think Full Disk Access is for full access to the boot volume whereas "Removable Volumes" is for other volumes. I guess that given the complexity of SIP, Full Disk Access, ACLs, and basic Unix permissions, Apple felt that external volumes with Owners disabled needed another layer of security.


Unfortunately, I don't see a way to enable the "+" button in this category. You have to have the app ask for access. With a PrivilegedHelper, I guess you would have to have the parent ask for access.


Personally, I can't say I would ever use a PrivilegedHelper. I just added a helper to my app and executed it via osascript with "administrator privileges" and that seems to work pretty well.

Thank John for the reply!


Interesting find! However, I do not see "Removable Volumes" listed on my MacBoop Pro (15" 2016) and MacBook (12") - both running public final release of Catalina (I'm assuming you're refering to the list "System Preferences" -> "Security & Privacy" -> "Privacy").


If this is a leftover of a beta, then maybe Apple goofed up there, and planned this option, but removed it at the final release without correcting "Full Disk Access"? On that note, I ran the beta on my MacBook (12") which doesn't list it either.


I used scripts before, and this indeed worked fine, but it did cause issues with some users.

Trying to implement things the Apple recommended way, I figured that it would be at least a good idea to explore how this works and eventually implemented it. It comes with the nice side effect that the GUI becomes more responsive while executing scripts, etc as well.


As for asking access from the user, I wouldn't know how to do this.
i've seen 2 scenario's when it comes to "asking the user";

1) The application accesses a function that needs permission, and macOS ask a "Allow/Do not Allow" question when the application calls this function

2) When I want to install a helper tool, in which case I ask the user for authorization and macOS then handles the installation of the helper tool.


Since I'm seeing CCC, Etcher, etc having similar problems, I'm wondering if this is a bug and if I should report this or not.

Having said that: I'm no expert, and that's why I'm trying to find out from experts in this forum if it is a bug or just my lack of knowledge.

It doesn’t matter if it is a bug or lack of knowedge. It has been released, so you have to deal with it. Try navigating to the external volume in the Terminal. You should get a security prompt and the Removable Volumes entry. Make sure Full Disk Access is not enabled for Terminal just to make sure. You may have to have your main app try to access the external volume to get the entry.


I don’t know why so many developers are having trouble with these issues. It is practically like Apple is putting on a siren with flashing lights for Mac developers. Consider how your app would function in iOS. If it wouldn’t function at all, then you need to find a new app to write. I’m in the same boat. My software is Dead App Walking. Apple is killing theses kinds of system utilities with a thousand little cuts. macOS, at least as we know it, is deprecated. These new security dialogs are our signal to find something else to write while we still have some income.

Hi John,


Yep, I had not noticed it yet, but indeed I do get a "Terminal would like to access files on a removable volume" message.
Even worse, using "sudo" I can't even ask for a list of the external drive.
Who the heck comes up with these ideas? 😟

I fully agree with you that Apple is killing developers (of said utilities) with a thousand cuts - nicely put!

It is almost like Apple has a special department that comes up with ideas to take motivation away from developers.

I'm not even using XCode (I really can't stand it) so you can imagine the extra hurdles I have to take to get anything done.


And you're right; maybe it is time to (yet again) move to another platform or maybe even start a different hobby ...


I do understand the need for more security though, but can't this be done in a more developer friendly way?

I'm not paying $99/year for a certificate, for software I offer others for free, to get more and more aggravated with every release.


Anyhoo - I'm still hopefull that there will be a fix for this 😊

Yup. Same problem here. "Full Disk Access" doesn't allow my root user app to access external volumes. Curiously enough it does if I invoke it using sudo within Terminal. Now how does one go about getting "Removable Volumes" to appear in the Security & Privacy section for my app even though it already has "Full Disk Access" and is running as root (via Security.framework's authtrampoline). 😟

That is because your app is using Terminal's privileges, which does have access to external volumes. The new privacy controls in Catalina are higher than even root. The user must authorize them. There are some functions you can call to see if you have access. Review the "Advances in macOS Security" presentation from WWDC 2019.