Great stuff @shaquir ! Thanks for sharing. Just need to fix up the spelling mistake for Privacy in the second screen

@shaquir - Thanks for documenting this so well and sharing. Amazing work.

Thank you for the correction @dlondon!

The script is nice but in Catalina there is no access to the TCC.db... sudo or not...
cat: /Library/Application Support/com.apple.TCC/TCC.db: Operation not permitted

@david.allouch, you will typically get that Operation Not Permitted error when the parent process running those commands don't have full disk access. If you ran that script via Jamf it should already be granted full disk access as Jamf whitelists itself, if you are running it locally via terminal (which it appears you are) you would have to grant Terminal full disk access in order for it to access that db. It's a weird catch 22, you have to grant TCC access to something to read out what already has TCC access.

Thanks @shaquir for sharing this script and the workflow too.

I've changed it on my end to accommodate any TCC entry, app name and icon as it follows:

#Select the TCC value pair from the system's TCC.db
#To get a list of all the system TCC values on your machine, you can run the command:
#/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT * FROM access;'
#This was the original tccSearchPair variable
#tccSearchPair="kTCCServiceScreenCapture|com.tinyspeck.slackmacgap"
#This is the new one to get the 4th variable from Jamf
tccSearchPair=$4

#Variables for dialog
#This was the original appName variable
#appName="Slack"
#This is the new one to get the 5th variable from Jamf
appName=$5

#App icon location
#This was the original appName variable
#appImage="/Applications/Slack.app/Contents/Resources/electron.icns"
#This is the new one to get the 6th variable from Jamf
appImage=$6

I also attached a screenshot showing the configuration in the policy.

I hope it can help.

Great contribution @luispalumbo!

@shaquir - Saving IT lives one script at a time! Thank you.

@shaquir @luispalumbo Is there a way to automate having an app appear in the Screen Recording section of the Privacy tab? For example, we use Microsoft Teams, and would like to prompt users to enable Screen Recording for Teams ahead of time, but Teams won't appear in Privacy until the users' first attempt to share their screens.

We are also facing the same issue for Zoom in Catalina. Looking for any automative process for such issue ?

Hi @pcrandom and @balaji,

I couldn't find any way of doing it automatically due to Apple's restrictions. However, it seems to me that with Big Sur we will be able to do that.

I've attached a screenshot of the Privacy tab of Big Sur and you can see that now there's an option to add or delete items to the list.

Hi, I'm also trying to solve the screen recording issue for Team Viewer and Manage Engine Desktop Central remote control but having issues with the database command...
Getting this error:
Script result: Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": unable to open database file
62:75: execution error: An error of type -4960 has occurred. (-4960)

My script looks like this:

!/bin/bash

This script is part of a workflow to ensure an Application's Screen Recording permission has been set to enabled in the TCC Security and Privacy. If the TCC option is disabled it will prompt the user to enable it

Shaquir Tannis 5-26-2020

https://github.com/shaquir/

Select the TCC value pair from the system's TCC.db

To get a list of all the system TCC values on your machine, you can run the command:

/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT * FROM access;'

This was the original tccSearchPair variable

tccSearchPair="kTCCServiceScreenCapture|com.tinyspeck.slackmacgap"

This is the new one to get the 4th variable from Jamf

tccSearchPair=$4

Variables for dialog

This was the original appName variable

appName="Slack"

This is the new one to get the 5th variable from Jamf

appName=$5

App icon location

This was the original appName variable

appImage="/Applications/Slack.app/Contents/Resources/electron.icns"

This is the new one to get the 6th variable from Jamf

appImage=$6

function promptUser()
{
initialPrompt=$( /usr/bin/osascript -e "display dialog "$initialMessage" with title "$appName Screen Sharing" with icon file POSIX file "$appImage" buttons {"OK"} default button {"OK"} giving up after 900" )

theButton=$( echo "$initialPrompt" | /usr/bin/awk -F "button returned:|," '{print $2}' )

if [ "$theButton" == "OK" ];
then echo "Opening Screen Recording Privacy" #Open System Preferences > Security & Privacy > Screen Recording open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture" sleep 1 #Prompt User with second dialog instructing them to enable app secondPrompt=$( /usr/bin/osascript -e "display dialog "$secondMessage" with title "$appName Screen Sharing" with icon file POSIX file "$appImage" buttons {"OK"} default button {"OK"} giving up after 30" )
else echo "Button OK not selected. Exiting..." exit
fi

Wait 60 seconds and report if screen recording has been enabled

sleep 60
secondCheck=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = '0'')
if [[ "$secondCheck" != "$tccSearchPair" ]]; then echo "User successfully enabled $appName"
else echo "$appName is still disabled. Exiting..." exit
fi
}

Check for disabled System TCC values

disabledValues=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = '0'')

Check if tccSearchPair matches a disabled TCC value on the user's machine

if [[ "$disabledValues" == "$tccSearchPair" ]]; then #Run function to prompt user to enable promptUser
else echo "$appName permission has already been enabled. Exiting Script." exit
fi

Any idea how to solve it?

Thanks

It appears that Apple may have officially disabled the ability to read the User and System level TCC.db values.
On a SIP enabled 10.15.7 machine, I ran:

sudo /usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT * FROM access;'

Which returned the error:

Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": unable to open database file

I hope Apple can offer another way to report on TCC values, but this might be the end of our ability to report on these items 😔

@shaquir Try placing a check next to Terminal under Full Disk Access and run again. Changing this returned results for me. Now I am trying to wrap my head around the security risk of enabling this in order to get the script to run. The same command run as an EA returns results without Terminal needing Full Disk Access.

I also confirmed that the policy runs successfully again with the full disk access from terminal set.

@Brett_Cox The extension attribute works already since Jamf is the parent process and its granted full disk access by the default profile pushed out.

I have this all set up but the applescript dialog never displays, I watch the jamf.log and it just hangs there until it times out.

Any ideas? I though maybe it needs to run as the console user but it seems like everyone else has this working.

So I switched the dialog over to jamfhelper and that is working, so the last thing to get working is the open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture" that is not working, it errors with LSOpenURLsWithRole() failed with error -610 ...

Thanks

@Ronen The issue you are having with that error is the same thing I did at first. When you are setting your Parameters, you are putting the values in as the labels instead. You will need to set your actual labels there (tccSearchPair, App Name, Icon Location), then in your POLICY, you set the paramters to the things you are searching for. Notice the slight differences in the screenshot you posted and the screenshot that @luispalumba posted.

Great Share @shaquir

Hello. This looks like a great way to ensure the user enables the app.
I've been trying to run the script but not getting any prompt and then this output in Terminal; "Slack permission has already been enabled. Exiting Script." despite it not being enabled. Any tips?

@mspidle Can you share how you used jamfhelper to display the dialog box? I have not been able to get the dialog box to appear. Thank you.

deleted

Thanks for the script shaquir. I've updated the SQL query for macOS 12 Monterey and simplified the script with an until loop. Here is my take : https://community.jamf.com/t5/jamf-pro/prompt-user-to-enable-screen-recording-with-popup-gif/m-p/278016