Allowing Security & Privacy - Privacy - Accessibility : Allow the apps below to control your computer

kquan
Contributor

Hey Guys!

Not sure if this is possible anymore, but is there a script/command to use to allow an app for Accessibility? Trying to see if this is possible since our lab machines do not allow admin access.

macOS 10.13

Thanks all!


29 REPLIES

hkabik
Valued Contributor

This is unfortunately no longer possible.

kquan
Contributor

@hkabik I wonder if I can capture the setting in Composer after installing the software

mm2270
Legendary Contributor II

No, I don't think that will work either. It's stored in a sqlite database, not a regular plist file or other simple setting first off. Second, the location where it lives is protected by SIP if I'm not mistaken, which is the main problem and why it can't be changed. So, sadly, managing this programmatically is no longer an option.

jec1
New Contributor II

Hello World, SO, this means that this feature is NO longer modifiable even via JAMF? Anyone know if some genius out there is working on a solution?

Ciao

cyepiz
New Contributor II

DITTO! As always, our end users ignore the prompt (smartboard in our case), which means we have to go in after the fact, and it's causing some pain..

sshort
Valued Contributor

You'd have to update to Mojave to pre-approve this with a PPPC profile

sjmosher
New Contributor II

Would deploying a TCC/PPPCP configuration profile through Jamf work if you set the targeted app (such as TeamViewer.app) to "Allow" on the Security -> Accessibility TCC setting? I know you can't use a remote app or script to manage it anymore.

kevin_v
Contributor

BUMP! Where we at?! We've lost the ability to control systems via TeamViewer for Mojave users who do not have local admin rights...

ben_mcneil
New Contributor II

@kevin.v it's alluded to above, but if your machines are 10.14.x then you can fix this by uploading a custom configuration policy.
Found this person's repository very helpful (I think it might be @sshort's):
LINK

sshort
Valued Contributor

@ben.mcneil it me 😀

gmusland
New Contributor II

Bump. Our school updates to the latest operating system - the summer following the release; so we are stuck with High Sierra - and need to approve Google Drive File Stream for students.

jesse_mcbrower
New Contributor II

Bump

I am trying to figure this out, too. I had a profile working that I created in PPPC; however, it stopped working and I'm not sure why.

Any new information on this?

gmusland
New Contributor II

Bump
Still working on this - too. Need to open the System Preferences Panel - Security & Privacy - Privacy.

But not the other panels there (General, FileVault, Firewall).

There is a BLOCKED KERNEL in JamfNation.com - not sure if this is the "lead" or if it is going in another direction.

callum_baird82
New Contributor II

This may be a silly question

If the admin credentials are known, is there not a way of releasing a script that inputs the admin user/password in and then enables the Accessibility control and then locks it again?

This is sounding a bit advanced for Bash but maybe python or applescript?

sshort
Valued Contributor

@callum.baird82 Any action that simulates clicks requires Accessibility permissions. Doesn't make sense to create a script that needs admin approval/PPPC whitelisting for accessibility... that in turn gives admin approval/PPPC whitelisting for accessibility to another app.

gmusland
New Contributor II

Bump

cory_coles_vh
New Contributor

Use this to create a config profile that allows your app - https://github.com/jamf/PPPC-Utility/releases

And see this recent video which is highly detailed on the topic of PPPC - https://youtu.be/Po_h3KdgYmw

sshort
Valued Contributor

@gmusland If the Macs are on High Sierra, then none of these PPPC approval profiles apply to your org's situation. Anything that is giving you an accessibility pop-up would have to be approved manually by the user in High Sierra (or earlier).

Not sure what you mean here:

"There is a BLOCKED KERNEL in JamfNation.com - not sure if this is the "lead" or if it is going in another direction."

j_allenbrand
New Contributor III

Any way around getting Prey requesting permission to use the camera?

kricotta
Contributor II

After using the PPPC utility and allowing a bunch of access, the app I want to approve shows in the Privacy->Accessibility pane but does not show a checkmark next to it. How do I get it to "enable" or put a check there?

Sincerely,

Kevin Ricotta
Jamf Technical Support

larry_barrett
Valued Contributor

@kricotta The check mark won't show if you allowed it via the PPPC utility. It's a "feature".

mhegge
Contributor II

I used https://github.com/jamf/PPPC-Utility/releases to add Animate, Photoshop and Maya 2018. Unfortunately, the configuration profile did not change a thing.

What am I doing wrong?

JAMF Pro 10.12.0-t1555503901f673f4dcade14afaa8ec3d1981d71ae5

Mojave 10.14.6

mhegge
Contributor II

This seemed like a very simple process. Apparently I am missing something.

mhegge
Contributor II

Was informed the changes will not show in the GUI. Which I find ridiculous.

Jaygrossman
New Contributor

I would like to bump this as it was the best solution I found with the current WFH craze and people using Zoom for Remote Control support.
I followed the link from @corey.coles https://github.com/jamf/PPPC-Utility/releases, used this utility to add the Zoom application and Allow Accessibility. Once this was distributed via Jamf Pro, as stated, the box was not checked, but I was able to remote control another device without them needing to allow the accessibility.

gabester
Contributor III

I think we can all agree that Apple has made a mess of managing this.

From day one they have had deaf ears to the simplest of solutions - separate Security and Privacy into separate prefpanes. It’s only gotten worse from there.

It’s honestly one of the reasons we have been advocating in my organization to migrate off Macs to Windows. There are so many things I as an administrator cannot manage on my Macs in my enterprise, and any successful workarounds, hacks, scripts et cetera that we depend upon may stop working with the next update. It’s terribly frustrating that it has become harder to manage Apple devices at the same time that managing Windows and Chromebooks has become so much simpler.

The fact that Apple doesn’t even provide tools for this shows how little they care about the enterprise environment. In a way I cannot wait for Apple to ship ARM-based Macs as that will certainly kill off their value proposition for many enterprises.

I cannot believe THIS is how I have to manage user settings on macOS! PPPC shouldn’t even be a thing. Sigh.

GregE
Contributor

It's not so bad when you can manage it via a Config Profile (yes it's more work but it's manageable) - the real bugbear is that you can only half manage it.
E.g. with Zoom, we can deploy a config profile to enable Zoom in the Accessibility pane so that we can remotely control a device (and not give the end user admin rights to enable that function); however, as soon as they want to share screen they are prompted to open System Preferences and check the box next to 'allow screen recording' (which doesn't require admin rights), as we can't add that entry to the config profile!
Same with Microsoft Teams.
Then you get on to video editing... Camtasia - do you want to allow access to Microphone? Yes. Webcam? Yes. Screen Recording? Yes. Files and Folders? Yes. Network Drive? Yes. Out of all that there's only 1 option we can control with a config profile.
Then there's the Notifications....
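
Added example, not part of any post in this thread and not Jamf's or PPPC-Utility's own code: a Python sketch that builds the kind of PPPC profile discussed above (Accessibility allowed for one app) and refuses entries that try to grant Camera, Microphone or Screen Recording, which a profile can only deny. The bundle ID, organisation prefix and code requirement are constructed placeholders.

```python
import plistlib
import uuid

# TCC services a PPPC payload can deny but never grant; the user must approve these.
DENY_ONLY = {"Camera", "Microphone", "ScreenCapture"}

def pppc_entry(bundle_id, code_requirement, allowed=True):
    """One app entry for a TCC service list ("Allowed" is the Mojave-era key)."""
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "Allowed": allowed,
    }

def build_profile(org_id, services):
    """services maps a TCC service name to a list of pppc_entry() dicts."""
    for service, entries in services.items():
        if service in DENY_ONLY and any(e["Allowed"] for e in entries):
            raise ValueError(f"{service} can only be denied by profile")
    payload = {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"{org_id}.pppc.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "Services": services,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": "PPPC: Accessibility allow list",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)  # XML plist bytes, ready to save as .mobileconfig

# Constructed values. Read the real requirement with: codesign -dr - /Applications/<App>.app
BUNDLE_ID = "com.example.remotesupport"
CODE_REQ = ('identifier "com.example.remotesupport" and anchor apple generic '
            'and certificate leaf[subject.OU] = "EXAMPLE123"')

def example_profile():
    return build_profile("com.example", {"Accessibility": [pppc_entry(BUNDLE_ID, CODE_REQ)]})

if __name__ == "__main__":
    print(example_profile().decode())
```

The resulting profile only takes effect when it is delivered by MDM to a Mac running 10.14 or later; installing it by hand does not grant the permission.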

FutureFacinLuke
Contributor II

I'm in the process of deploying VNC Server to 77 iMacs so we can have half or more of the class remote in from their iPad.

VNC Server Needs Accessibility Checked to function. Cannot be done by a Standard User.
I've tried doing it with PPPC Utility - Does anyone have the Code Requirement?

I get the security risks with being able to invoke Screen Sharing/KVM access remotely, but these are DEP configured Macs; why is this 'feature' still broken?

If there isn't a fix for this I'm going to have to do it manually on each device using ARD or similar.

Damien_wick
New Contributor

Having this issue for all of my Macs using TeamViewer. Need a resolution. I have ensured they have the proper profiles and other settings. It would appear that a month ago, we suddenly lost the ability for remote capability. Has there been any traction?