@Bol I did get it to stop prompting for access to System Events; however, it still prompts for Accessibility, I think again because of the way the main process uses the child process, so the whitelist is not working correctly for this flag. But for the life of me, no matter the combination, I can't get it to approve both.
The piece it wants for Accessibility is JamfDaemon, the app inside of the Jamf app, not the process inside of JamfDaemon.
I'm going to try one more thing: I'm wondering if you can make one profile for the process name and a second for the path name, or if it tries to apply both ways to the same process. I need a way to make one profile with the changes you suggested and another that is still just allowing Accessibility, since that breaks when you change the identifier info.
So now, if I approve Accessibility for "JamfDaemon" manually, it works, but including Accessibility on the profile doesn't work because of the child/parent process mismatch.
Or if I click approve for "Allow Jamf to control System Events", it works. Since this second option holds the process/script at bay and lets the script run right after it, I suppose it's the lesser of two evils. I'm just going to have the end user click the allow button until someone else can figure this out.
I think I'm going to have to give up on having AppleScript type in the login info; I just can't find a way to make this work in its current form.
@GabePPS wrote:
I think I'm going to have to give up on having AppleScript type in the login info; I just can't find a way to make this work in its current form.
I personally think that would be the best bet, as you can't guarantee how long Apple will allow what your script is trying to achieve.
I tried to step through your script in between my own work; you really need to break out the line of code which is prompting for TCC access and provide logs so we can take a look. It takes time.
In the time I had I was seeing the opposite of a "mismatch"; running from Self Service it showed:
2022-02-15 09:06:11.135978+1030 0x130b9 Info 0x369de 1417 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={<TCCDProcess: identifier=com.jamf.management.service, pid=4004, auid=665241948, euid=665241948, responsible_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService, binary_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService>}, accessing={<TCCDProcess: identifier=com.jamfsoftware.jamf, pid=4007, auid=665241948, euid=0, binary_path=/usr/local/jamf/bin/jamf>}, requesting={<TCCDProcess: identifier=com.apple.mds, pid=115, auid=0, euid=0, binary_path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds>},
2022-02-15 09:06:11.136035+1030 0x130b9 Default 0x369de 1417 0 tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=115.159, function=<private>, service=kTCCServiceReminders, preflight=yes, query=1,
2022-02-15 09:06:11.136078+1030 0x130b9 Default 0x369de 1417 0 tccd: [com.apple.TCC:access] AUTHREQ_ATTRIBUTION: msgID=115.159, attribution={responsible={<TCCDProcess: identifier=com.jamf.management.service, pid=4004, auid=665241948, euid=665241948, responsible_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService, binary_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService>}, accessing={<TCCDProcess: identifier=com.jamfsoftware.jamf, pid=4007, auid=665241948, euid=0, binary_path=/usr/local/jamf/bin/jamf>}, requesting={<TCCDProcess: identifier=com.apple.mds, pid=115, auid=0, euid=0, binary_path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds>}, },
2022-02-15 09:06:11.137580+1030 0x130b9 Info 0x369de 1417 0 tccd: [com.apple.TCC:access] IDENTITY_ATTRIBUTION: /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService[115]: from cache: = com.jamf.management.Jamf, type 0 (32/52)
2022-02-15 09:06:11.137588+1030 0x130b9 Default 0x369de 1417 0 tccd: [com.apple.TCC:access] AUTHREQ_SUBJECT: msgID=115.159, subject=com.jamf.management.Jamf,
2022-02-15 09:06:11.138709+1030 0x130b9 Default 0x369de 1417 0 tccd: [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.jamf.management.Jamf, type: 0: 0x7f8b8ca18490 at /Library/Application Support/JAMF/Jamf.app
2022-02-15 09:06:11.170246+1030 0x130b9 Info 0x369de 1417 0 tccd: [com.apple.TCC:access] -[TCCDAccessIdentity matchesCodeRequirement:]: SecStaticCodeCheckValidity() static code (0x7f8b8ca18490) from com.jamf.management.Jamf : identifier "com.jamf.management.Jamf" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "483DWKW443"; status: 0
2022-02-15 09:06:11.170264+1030 0x130b9 Info 0x369de 1417 0 tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceReminders, com.jamf.management.Jamf>; result: Auth:Allowed (<Unspported Authorization Reason value>); because: code meets requirement
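The useful part of a tccd excerpt like the one above is the attribution chain (which process tccd holds responsible, which binary made the call) and the Override line (which <service, subject> pair a profile entry matched). The following shell script, added here as an example and not part of anyone's post, pulls those fields out so they can be compared against a PPPC payload. The sample input is a constructed excerpt made of three lines quoted above; on a real Mac the same functions can be fed the output of `log show --predicate 'subsystem == "com.apple.TCC"'`.

```shell
#!/bin/sh
# Added example (not from the thread): extract the PPPC-relevant fields from
# tccd log lines. Constructed sample: three lines copied from the excerpt above.
TCC_SAMPLE='2022-02-15 09:06:11.135978+1030 0x130b9 Info 0x369de 1417 0 tccd: [com.apple.TCC:access] AttributionChain: responsible={<TCCDProcess: identifier=com.jamf.management.service, pid=4004, auid=665241948, euid=665241948, responsible_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService, binary_path=/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService>}, accessing={<TCCDProcess: identifier=com.jamfsoftware.jamf, pid=4007, auid=665241948, euid=0, binary_path=/usr/local/jamf/bin/jamf>}, requesting={<TCCDProcess: identifier=com.apple.mds, pid=115, auid=0, euid=0, binary_path=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds>},
2022-02-15 09:06:11.136035+1030 0x130b9 Default 0x369de 1417 0 tccd: [com.apple.TCC:access] AUTHREQ_CTX: msgID=115.159, function=<private>, service=kTCCServiceReminders, preflight=yes, query=1,
2022-02-15 09:06:11.170264+1030 0x130b9 Info 0x369de 1417 0 tccd: [com.apple.TCC:access] Override: eval: matched <kTCCServiceReminders, com.jamf.management.Jamf>; result: Auth:Allowed (<Unspported Authorization Reason value>); because: code meets requirement'

# Print one tab-separated "role<TAB>identifier<TAB>binary_path" line for every
# TCCDProcess block found in AttributionChain lines. $1 is the log text.
tcc_chain_roles() {
  printf '%s\n' "$1" | awk '
    /AttributionChain:/ {
      s = $0
      # Walk the line block by block: responsible={...}, accessing={...}, requesting={...}
      while (match(s, /(responsible|accessing|requesting)=[{]<TCCDProcess: [^>]*>[}]/)) {
        blk = substr(s, RSTART, RLENGTH)
        s = substr(s, RSTART + RLENGTH)
        role = blk; sub(/=.*/, "", role)
        id = blk;   sub(/.*identifier=/, "", id); sub(/,.*/, "", id)
        path = blk; sub(/.*binary_path=/, "", path); sub(/>.*/, "", path)
        printf "%s\t%s\t%s\n", role, id, path
      }
    }'
}

# Print "service<TAB>subject<TAB>result" for each Override decision line; this
# is where tccd names the <service, subject> pair that a profile entry matched.
tcc_decisions() {
  printf '%s\n' "$1" | awk '
    /Override: eval: matched </ {
      s = $0;   sub(/.*matched </, "", s)
      svc = s;  sub(/,.*/, "", svc)
      subj = s; sub(/^[^,]*, */, "", subj); sub(/>.*/, "", subj)
      res = s;  sub(/.*result: /, "", res); sub(/ .*/, "", res)
      printf "%s\t%s\t%s\n", svc, subj, res
    }'
}

# Summary for a human: the "responsible" entry (the Jamf management service,
# not the /usr/local/jamf/bin/jamf binary that made the call) is what tccd
# resolves to the subject in the decision line, so that is the identity a
# PPPC entry must describe.
tcc_summary() {
  echo "Attribution chain (role, identifier, binary_path):"
  tcc_chain_roles "$1"
  echo "Decisions (service, subject, result):"
  tcc_decisions "$1"
}
```

Run `tcc_summary "$TCC_SAMPLE"` (or pass captured `log show` text) to see the three roles and the matched pair. The subject in the decision line, com.jamf.management.Jamf, comes from tccd's IDENTITY_ATTRIBUTION of the responsible path rather than from the accessing binary, which is why a PPPC entry keyed on the wrong identifier never matches. On a Mac, `codesign -dr - "/Library/Application Support/JAMF/Jamf.app"` prints the designated requirement that should agree with the one tccd evaluates in the matchesCodeRequirement line.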
I haven't used the path name in my profiles but can try and let you know
I'm also getting this 'jamf wants access to control system events' when I run an osascript to rename a computer. I have a popup appear for the user to enter the computer name and click Save. It works fine on Intel Macs, but with M1 Macs I get the 'jamf wants access to control system events'. The M1 Macs are running macOS Monterey.
This script is only run once via Self Service, but I would rather not see that 'jamf wants access to control system events' regardless of how many times I run the policy.
I want to try the following PPPC configuration profile (see link). What do I do? Copy the code and upload it to Jamf in a configuration profile or PPPC payload?
https://github.com/jamf/JamfPrivacyPreferencePolicyControlProfiles/blob/master/JamfAppleEvents.mobileconfig

We had a script to mount network shares that started doing this, and I fixed it by removing all "tell" blocks.
Still used osascript, just differently.
Apparently this is a known issue for Apple where the Jamf.app has two child processes that don't properly get whitelisted for the TCC process. We have seen some convoluted ways to maybe get around it by making a new Jamf PPPC with the processes using the info from the main app, and then it works without removing the tell; however, it's a bigger issue. This apparently started back around 11.4 with a security update Apple made to the system which broke apps that have differently named child processes. I have an open escalation with Apple at the moment, but it's on their side, since the PPPC profile should allow for this. It gets even more complicated when the process also requires Accessibility, for which there is no current workaround.
That change was to fix the actively exploited CVE-2021-30713, which is ironic; it seems it's a lot easier to bypass than to correctly whitelist permissions!

Kudos to you, Mr Shackney, for the update; I wasn't aware the Accessibility side had been acknowledged and will stop looking into it.
Frankly, the state of TCC right now is a dog's breakfast, to say the least. Keep us in the loop!
From what I've been reading, it's Jamf requesting access to 'System Events', so it's a Jamf PPPC setting, not an 'osascript' setting.
It looks like my PPPC settings are allowing Jamf System Events access, but I still get the popup.
@lparnell That mobileconfig did not work for me; I still get the 'Jamf wants to control System Events' popup.
I'm going to try the @rmorse config.
Are you 'enabling' Big Sur compatibility when creating the config profile with PPPC Utility?
osascript is only relevant if you are using Jamf to run an AppleScript at any given time. The PPPC Utility (or config profile) won't allow the child process of the "Jamf" app to be named differently than the main app, or it will still prompt. This isn't something that will be easily solved unless Apple fixes it. It has nothing to do with the Big Sur compatibility check box, which just allows the config profile to prompt the user to allow screen recording, microphone access and anything users can still select.
Hi @GabePPS, yep, that's what I'm doing: running a script from Self Service, and I get that 'Jamf wants to control System Events' popup. The script works great, but I don't like that popup. Here is the script.
#!/bin/bash
# GetUserInputFromSelfService-ComputerName.bash
# slightly modified from suggestion by Mauricio Pellizzon https://www.jamf.com/jamf-nation/discussions/32795/script-best-way-to-request-user-input
# 2019-10-29
#
# T C
# 2/14/2022

# Console (logged-in) user; awk copes with runs of spaces in ls output where cut -d " " does not
userName=$(ls -la /dev/console | awk '{print $3}')
# echo "$userName is the logged in user"
user_entry=""

# Re-prompt on empty input, exit quietly on cancel, otherwise echo the entry
validateResponse() {
    case "$user_entry" in
        "noinput" ) echo "empty input"; askInput ;;
        "cancelled" ) echo "time out/cancelled"; exit 0 ;;
        * ) echo "$user_entry" ;;
    esac
}

# Show the dialog as the console user; the tell block sends Apple events to System Events
askInput() {
    user_entry=$(sudo -u "$userName" osascript <<EOF
use AppleScript version "2.4" -- Yosemite (10.10) or later
use scripting additions
set theTextReturned to "nil"
tell application "System Events"
    activate
    try
        set theResponse to display dialog "Please enter Computer Name (enter nil to cancel)" with title "Set Computer Name" buttons "Save" default button "Save" default answer ""
        set theTextReturned to the text returned of theResponse
    end try
    if theTextReturned is "nil" then
        return "cancelled"
    else if theTextReturned is "" then
        return "noinput"
    else
        return theTextReturned
    end if
end tell
EOF
    )
    validateResponse
}

askInput
# Make it upper case - just a convention
upper="$(echo "$user_entry" | tr '[:lower:]' '[:upper:]')"
#/usr/local/bin/jamf setComputerName -name "$user_entry"
/usr/local/bin/jamf setComputerName -name "$upper"
# Update the server so it knows the name
/usr/local/bin/jamf recon
exit 0
Yeah, I see AppleScript in there. You can try changing that by removing the tell command, but I'm going to bet that breaks the script. Until Apple fixes their TCC issues, it's most likely going to have to have that first prompt, which is really not great.
For your script, though, I believe I've seen ways to get that computer name inputted without having to use AppleScript... you may be able to do that with jamfHelper, but DEPNotify is probably your best bet.
Previously we used DEPNotify to name computers, which can easily pop up a menu when the user logs in and then prompt to name the machine. We used to also have them set the barcode (asset tag) number. I might suggest looking at DEPNotify as an alternative.
@GabePPS @tcandela Removing these lines will work and won't break the script:
tell application "System Events"
activate
end tell
With those lines you are sending the display dialog to another process (System Events), which isn't required.
You are seeing a TCC prompt because the process running your script (below) does not have approval to send to System Events.
com.jamf.management.service : /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService
Scripting additions include the use of display dialog without this requirement.
@teodle wrote:
We had a script to mount network shares that started doing this, and I fixed it by removing all "tell" blocks.
Still used osascript, just differently.
Mount volume is the same; it does not require sending the command to another process. Same for list disks, set volume, etc.
https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/reference/ASLR_cmds.html
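Here is what the rename script looks like with that tell block gone, as an added example rather than anyone's posted script. It assumes the Jamf binary path used in the thread (/usr/local/bin/jamf) and reads the console user with `stat -f '%Su' /dev/console`; the dialog step only runs where osascript exists, while the input-classification and name-normalisation functions (additions of mine, not in the original script) run anywhere. Nothing runs automatically unless JAMF_RENAME_RUN=1 is set, so the file can be sourced and its functions checked on their own.

```shell
#!/bin/bash
# Added example (not the thread's own script): prompt for a computer name from
# Self Service without `tell application "System Events"`, so osascript does
# not have to send Apple events to another process and tccd has nothing to ask about.
# Assumptions: /usr/local/bin/jamf as in the thread; console user via stat -f '%Su'.

# AppleScript source for the prompt. Scripting additions provide `display dialog`
# directly, so no tell block is needed.
dialog_source() {
cat <<'EOF'
use AppleScript version "2.4"
use scripting additions
set theTextReturned to "nil"
try
    set theResponse to display dialog "Please enter Computer Name (enter nil to cancel)" with title "Set Computer Name" buttons {"Save"} default button "Save" default answer ""
    set theTextReturned to the text returned of theResponse
end try
if theTextReturned is "nil" then
    return "cancelled"
else if theTextReturned is "" then
    return "noinput"
else
    return theTextReturned
end if
EOF
}

# Classify what osascript handed back: "cancelled", "noinput" or "ok".
classify_entry() {
  case "$1" in
    cancelled) echo cancelled ;;
    noinput|"") echo noinput ;;
    *) echo ok ;;
  esac
}

# Upper-case the name (the original script's convention) and, as an added check,
# accept only hostname-safe names: letters, digits, hyphen, at most 63 characters.
# Prints the normalised name; returns 1 if the name is unusable.
normalize_name() {
  local upper
  upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  case "$upper" in
    *[!A-Z0-9-]*|"") return 1 ;;
  esac
  [ "${#upper}" -le 63 ] || return 1
  printf '%s\n' "$upper"
}

# Show the dialog as the console user. Only meaningful on macOS; elsewhere it
# returns 2 so the rest of the script can still be exercised.
ask_name() {
  local user
  command -v osascript >/dev/null 2>&1 || { echo "osascript not available" >&2; return 2; }
  user=$(/usr/bin/stat -f '%Su' /dev/console)
  dialog_source | sudo -u "$user" osascript
}

main() {
  local entry state name
  entry=$(ask_name) || exit $?
  state=$(classify_entry "$entry")
  case "$state" in
    cancelled) echo "time out/cancelled"; exit 0 ;;
    noinput)   echo "empty input"; exit 1 ;;
  esac
  name=$(normalize_name "$entry") || { echo "unusable computer name: $entry" >&2; exit 1; }
  /usr/local/bin/jamf setComputerName -name "$name"
  # Update the server so it knows the name
  /usr/local/bin/jamf recon
}

# Gate the side effects so the functions above can be sourced and tested.
if [ "${JAMF_RENAME_RUN:-0}" = 1 ]; then
  main
fi
```

Deploy it as a Self Service script and run it with JAMF_RENAME_RUN=1; without the tell block the only process involved is osascript running as the console user, which matches what Bol's post says about `display dialog` coming from scripting additions. The hostname check is stricter than the original's plain upper-casing and rejects names with spaces or underscores before they reach `jamf setComputerName`.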
Hey guys, I found this thread while trying to solve a similar issue we were having with prompts popping when running AppleScripts through Jamf. Following @GabePPS's advice, I wrote a new PPPC for all the Jamf binaries and apps that seems to be working. The main issue seems to be that Mac's TCC does not like the default CodeRequirement for the binaries/apps, and so it must be replaced with that of the main Jamf.app bundle. Here's the core of the PPPC, stripped down to just the Jamf things, with full file access, Accessibility, and AppleEvents access to System Events, SystemUIServer, Finder, and Mail.
I included JamfAAD and Self Service as well, but I'm not 100% on those, as I couldn't think of a good way to test.
Warning: it's huge.
https://pastebin.com/s2JDK65u
@todd_baldwin Can I ask, do you have a separate one for just osascript? If so, can you just screenshot it so I can compare? I'm going to try yours in place of my Jamf TCC to see if it changes the input from the keyboard using AppleScript and Accessibility.
I'm like 99% sure I don't. I've never had an issue where Jamf was requesting access to osascript (I think it already has it?). In theory, if Jamf is requesting access to 'System Events', that means the osascript portion is already working.
Perhaps that is part of my problem. I'm telling it to do something that might be breaking it. Going to test and let you know.
Just tested with a modified version of @tcandela's rename script (edited to not rename, just echo the input back) and got no prompts.
Yeah, unfortunately it still doesn't seem to work for me. I think it's all related to Accessibility, which can't get the same path for osascripts. At one point, with @Bol's hints, I was able to have the 'Jamf wants access' message suppressed, but then it popped the Accessibility message for osascript. So I never got them both working together, and it's because my script wants to type info in the keyboard, which Apple really doesn't want anything to do with anymore, lol.
@todd_baldwin wrote:
Hey guys, I found this thread while trying to solve a similar issue we were having with prompts popping when running AppleScripts through Jamf. Following @GabePPS's advice, I wrote a new PPPC for all the Jamf binaries and apps that seems to be working. The main issue seems to be that Mac's TCC does not like the default CodeRequirement for the binaries/apps, and so it must be replaced with that of the main Jamf.app bundle. Here's the core of the PPPC, stripped down to just the Jamf things, with full file access, Accessibility, and AppleEvents access to System Events, SystemUIServer, Finder, and Mail.
I included JamfAAD and Self Service as well, but I'm not 100% on those, as I couldn't think of a good way to test.
Warning: it's huge.
https://pastebin.com/s2JDK65u
Same as what I found: Jamf documented the change on allowing the bundle but nothing to do with the code requirement.
https://community.jamf.com/t5/jamf-pro/quot-jamf-quot-wants-access-to-control-quot-system-events-quot/m-p/256295/highlight/true#M237627
@brunerd
I know this post is a bit older, but I'm also struggling to remove the tell application commands from my osascripts that type a user's email in and hit enter for them (trying for no-touch deployment using Microsoft's SSO). I am still getting the System Events message, but I can't seem to get my scripts to type in the info without the tell.
For example, here I want Safari to open and type in their user name and then open the Extensions preference pane of Safari so the user can check the check box for the ClassLink extension. This works if the user clicks to allow Jamf to use System Events currently; however, I want fewer clicks. So in your opinion, would this script run without the tell pieces?
#!/bin/bash
# Wait until the Dock is running, i.e. the user's desktop session is up
dockStatus=$(pgrep -x Dock)
echo "Waiting for Desktop..."
while [[ "$dockStatus" == "" ]]
do
    echo "Desktop is not loaded. Waiting."
    sleep 3
    dockStatus=$(pgrep -x Dock)
done
# Console user; must be set before it is echoed or handed to sudo
currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
echo "$currentUser has successfully logged on! The Dock appears to be loaded with PID $dockStatus."
sleep 2
# Open the sign-in page as the user, then drive Safari with AppleScript
sudo -u "$currentUser" open http://classlink.com
sudo -u "$currentUser" osascript <<EOF
tell application "Safari"
    activate
    delay 3
    tell application "System Events"
        keystroke "$currentUser"
    end tell
end tell
tell application "Safari" to activate
delay 4
tell application "System Events" to tell process "Safari"
    keystroke "," using command down
    tell window 1
        click button "Extensions" of toolbar 1
        activate "Extensions"
        keystroke return
    end tell
end tell
EOF
Gabe, sorry I missed this. No, I don't think you could get by without tell blocks, since macOS isn't psychic about which app you want to talk to! Any and all pop-ups you are getting regarding interaction with an app are by design, which roiled quite a few developers. Any interaction with an app is going to need user consent or a PPPC profile to maybe get it working. Don't ask me, though; I've decided to stay away from AppleScript and app control, as Apple has put up onerous hoops to jump through (I get it but don't want to deal with it). So yeah, you might need to fool around and make a PPPC pref in Jamf or with that tool for Safari to allow System Events. Or perhaps consider doing away with interaction via script and pop up guided messages to instruct the user how to do what they need to do (I know they're kids, but how are they ever going to learn ;)
Also, since my post here in 2019, I decided to stop fooling around with writing AppleScript in my shell scripts and wrote a shell function that can be embedded in any shell script (bash/zsh) to do the AppleScript for you! It's called shui.
I'm seeing this message on fresh DEP/ADE enrollments when it says "enroll" wants to control system events. The enroll command is actually a tiny bash script that is installed in /usr/local/jamf, along with the jamf binary, by the InstallApplication payload in the MDM profile. This script contains the jamf enroll -invitation 1234567890... and a few other commands like jamf recon.
I speculate that this could be a race condition where Jamf's PPPC profile hasn't arrived on the system when this script starts running — OR — that macOS takes too long to process the new approval.
When we slowed down the clicking of windows in our ADE, they went away (Monterey), and I feel like you're right on that... slowing down and letting things finish has rid us of the popup ¯\_(ツ)_/¯
Thanks for the idea. It may not be the reason, but here it has helped alleviate most of these...
@GabePPS wrote:
Yeah, unfortunately it still doesn't seem to work for me. I think it's all related to Accessibility, which can't get the same path for osascripts. At one point, with @Bol's hints, I was able to have the 'Jamf wants access' message suppressed, but then it popped the Accessibility message for osascript. So I never got them both working together, and it's because my script wants to type info in the keyboard, which Apple really doesn't want anything to do with anymore, lol.
@GabePPS Well, if you haven't given up on your AppleScript dreams yet... it's just been acknowledged in testing, so hopefully by the next major release you could be back in business!
- Resolves an issue where PPPC payloads for Accessibility and AppleEvents do not suppress user approval prompts.