univ-of-utah-marriott-library-apple / privacy_services_manager

A single management utility to administer Location Services, Contacts requests, Accessibility, and iCloud access in Apple's OS X.
MIT License

Support adding command line tools to accessibility #25

Closed dhoer closed 9 years ago

dhoer commented 9 years ago

I love this script, but I have issues with it when trying to add command line tools to accessibility service. This blog provides more details about command line tools and accessibility: http://jacobsalmela.com/os-x-yosemite-osascript-enabling-access-assistive-devices/.

If there was a way to turn off app validation, then I think your script would then be able to allow something like this: sudo privacy_services_manager.py -u vagrant add accessibility /usr/libexec/sshd-keygen-wrapper.

pdarragh commented 9 years ago

Hey @dhoer! Glad to hear you like the script!

This functionality was supposed to be supported by the --admin flag. This option prevents the script from checking for a valid bundle identifier, and can be used to add command line tools. However, it does not seem to be functioning quite properly (just tested it on 10.11 DP2), so I'll reply again when I've got it fixed. Sorry about that!

Pierce

dhoer commented 9 years ago

Thanks for the quick response.

pdarragh commented 9 years ago

Hey @dhoer,

So I've been checking into this a bit more thoroughly. I'm currently testing the most recent Privacy Services Manager available through the releases tab (version 1.6.6) on both Yosemite and Mavericks. To do the test, I did:

$ sudo privacy_services_manager.py --admin add accessibility /usr/libexec/sshd-keygen-wrapper

(Note that specifying a user doesn't do anything for the accessibility service, since that's a globally-managed system, so I left that part out.)

On both 10.9 and 10.10, this completed without giving any errors. However, /usr/libexec/sshd-keygen-wrapper does not show up in the Accessibility tab of the Security & Privacy pane in System Preferences. But on closer inspection of /Library/Application Support/com.apple.TCC/TCC.db, it appears that the binary file was added to the TCC database anyway and was granted proper permissions. I tried this with a few other system binaries, and I got the same result for all of them.

I'm not 100% certain how to test whether this is actually working, or if it just looks like it is. Would you give me an example of how to use sshd-keygen-wrapper (or some other command line utility) that would prompt for Accessibility access?

dhoer commented 9 years ago

You might take a look at Jacob Salmela's tccutil: https://github.com/jacobsalmela/tccutil. I used that to set the /usr/libexec/sshd-keygen-wrapper and it shows up in the Accessibility tab.

pdarragh commented 9 years ago

@dhoer thanks for the tip. Looking through his code I found that I wasn't setting the client_type value in the TCC database properly.

I think I've got it all fixed now. Let me know if it doesn't work! And again, thanks for taking an interest in our script.

Regards, Pierce

dhoer commented 9 years ago

You're welcome!

uurazzle commented 9 years ago

Hello Dennis:

To confirm, does the update fix the issue you were having? Just want to make sure it is working properly.

Thanks:

Richard Glaser, University of Utah, Marriott Library ITDLS, richard.glaser@utah.edu

dhoer commented 9 years ago

Richard, I'm sorry, but I won't have time to test it right away. I was trying different approaches to get the chef-safari cookbook more stable when I experimented with your script. I do plan to use your script fully, since it creates the tcc.db for me, and replace Jacob's script: https://github.com/dhoer/chef-safari/blob/master/test/fixtures/cookbooks/safari_test/recipes/setup.rb#L23-30. But I have other priorities I need to get to for now. I do promise to provide feedback when I get back to this.

P.S. If you know of anyone who could help troubleshoot an AppleScript issue described here: https://github.com/dhoer/chef-safari/issues/1, it would be much appreciated. This Safari cookbook is part of supporting automated provisioning of Mac machines to use as Selenium test servers.

uurazzle commented 9 years ago

Hello Dennis

np, letting us know the status of whether it's fixed or not is appreciated.

In regards to AppleScript troubleshooting, have you considered posting to the MacEnterprise list, the OS X IRC channel or multiple AppleScript lists?

dhoer commented 9 years ago

I've seen similar posts on different lists, but the issue is never resolved. I didn't know about http://www.macenterprise.org/. I will have to check that out.
Thanks, D

dhoer commented 9 years ago

BTW, I plan to create a Chef cookbook called macosx_privacy_services_manager that wraps this script in Chef DSL and publish it to https://supermarket.getchef.com/cookbooks/. Let me know if you have any issues with me doing that.

uurazzle commented 9 years ago

And for live communication, I would recommend checking out the OS X Server IRC

https://www.afp548.com/2013/02/06/a-field-guide-to-irc/

Has some of the top Apple Enterprise IT on it to give input/advice, etc.

Thanks:

Richard Glaser, University of Utah, Marriott Library ITDLS, richard.glaser@utah.edu

uurazzle commented 9 years ago

Nope, glad it is useful to the community. That is why we share it, just give us credit for the code.

Thanks:

Richard Glaser, University of Utah, Marriott Library ITDLS, richard.glaser@utah.edu

dhoer commented 9 years ago

@uurazzle @pdarragh The 1.6.7 release is not available. Can you please publish this release? Thanks, Dennis

dhoer commented 9 years ago

It looks like on El Capitan you have to pass a 7th parameter with NULL, otherwise it throws an error.
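
Added example (not part of the original thread or the project's code): a read-only audit of Accessibility grants that covers the two points raised above, the client_type value and the extra seventh column on El Capitan. The column names, the meaning of client_type (0 = bundle identifier, 1 = path) and the sample rows are assumptions constructed for illustration; the database is an in-memory stand-in, not a real TCC.db.

```python
import sqlite3

# Assumed column layouts (not given in the thread): six columns on
# 10.9/10.10, plus a seventh (policy_id) on El Capitan.
LEGACY_COLS = ("service TEXT, client TEXT, client_type INTEGER, "
               "allowed INTEGER, prompt_count INTEGER, csreq BLOB")
CLIENT_KINDS = {0: "bundle_id", 1: "path"}  # assumed meaning of client_type


def make_sample_db(el_capitan):
    """Build a constructed in-memory stand-in for TCC.db."""
    conn = sqlite3.connect(":memory:")
    cols = LEGACY_COLS + (", policy_id INTEGER" if el_capitan else "")
    conn.execute("CREATE TABLE access (%s)" % cols)
    rows = [
        ("kTCCServiceAccessibility", "com.example.helper", 0, 1, 1, None),
        ("kTCCServiceAccessibility", "/usr/libexec/sshd-keygen-wrapper", 1, 1, 1, None),
        # Constructed mislabelled row: a path stored with client_type 0.
        ("kTCCServiceAccessibility", "/usr/local/bin/example-tool", 0, 1, 1, None),
        ("kTCCServiceAddressBook", "com.example.mail", 0, 1, 1, None),
    ]
    for row in rows:
        if el_capitan:
            row += (None,)  # the seventh, NULL value noted in the thread
        marks = ",".join("?" * len(row))
        conn.execute("INSERT INTO access VALUES (%s)" % marks, row)
    return conn


def access_column_count(conn):
    """Number of values an INSERT without a column list must supply."""
    return len(conn.execute("PRAGMA table_info(access)").fetchall())


def audit_accessibility(conn):
    """List Accessibility grants and flag client/client_type mismatches."""
    query = ("SELECT client, client_type, allowed FROM access "
             "WHERE service = 'kTCCServiceAccessibility' ORDER BY client")
    findings = []
    for client, client_type, allowed in conn.execute(query):
        looks_like_path = client.startswith("/")
        findings.append({
            "client": client,
            "kind": CLIENT_KINDS.get(client_type, "unknown"),
            "allowed": bool(allowed),
            # A path should be stored with client_type 1, a bundle id with 0.
            "mismatch": looks_like_path != (client_type == 1),
        })
    return findings
```

Checking `access_column_count` before any write avoids the El Capitan error described above, and the `mismatch` flag surfaces rows where a path was stored as a bundle identifier.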

dhoer commented 9 years ago

@pdarragh @uurazzle Thanks again for getting the command line issue fixed. Also, kudos for adding El Capitan support so quickly. I have released a Chef cookbook that wraps all of this awesomeness.

https://supermarket.chef.io/cookbooks/privacy_services_manager

Let me know if you're happy with how I credited the source and if the documentation looks good.

Note that this cookbook will be the backbone of automating configurations that require a GUI. For example, adding Safari extensions.