Prompt User to Enable Screen Recording TCC

shaquir
Contributor III

Background: As many of you may be aware, the Screen Recording option can only be enabled by a physical user on a Mac. To manage this limitation set by Apple, I have created this workflow to prompt users to enable the Screen Recording option for the required App (currently set to Slack, but it can be easily modified). You can check out how I similarly addressed the Camera and Microphone issue here: Automatically Reset Teams Camera and Microphone for User

Solution: I created this Script to check if an Application's Screen Recording permission has been set to enabled in the TCC Security and Privacy. If the TCC option is disabled, it will open System Preferences > Security & Privacy > Screen Recording and prompt the user to enable the App.


Jamf Workflow

Extension Attribute
Name: Disabled System TCC Values
Script: Disabled_System_TCC_Values_EA.sh

#!/bin/bash
#Extension Attribute reports disabled system level TCC values
#Shaquir Tannis 5-26-2020
#Report Machine's disabled TCC values (Note, this does not include user level TCC results, i.e. Camera and Microphone)
#The parent process (the jamf binary, when this runs as an EA) must hold Full Disk Access to read TCC.db
disabledValues=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = 0;')
echo "<result>$disabledValues</result>"

Smart Group:
Name: AppName ScreenSharing Disabled

Criteria:
Disabled System TCC Values is not <Leave Blank>
And Disabled System TCC Values like kTCCServiceScreenCapture|com.tinyspeck.slackmacgap

Policy:
Name: Prompt User to enable AppName ScreenSharing
Frequency: Once every day
Trigger: Check-in
Scope: AppName ScreenSharing Disabled
Script: Prompt_User_to_Enable_ScreenRecording_TCC.sh

Feel free to message me with any questions or suggestions.
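The Smart Group above uses a "like" match on the EA output because the EA can return several service|client lines. A script that does the same check locally needs the same care: comparing the whole sqlite result with one pair only works while exactly one entry is denied. The added example below is mine, not the workflow's EA or script. It queries the denied pairs with the column that exists on the running OS (Catalina's allowed column; macOS 11 and later replaced it with auth_value, where 0 is denied and 2 is allowed), then matches one pair as a whole line. The sample query output is constructed, and the bundle id com.example.helper is a placeholder.

```shell
#!/bin/bash
# Added example (not the thread's EA or script): query the denied TCC pairs
# with the right column for the OS, then match one pair as a whole line.
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# SQL listing denied service|client pairs for a given schema.
# Catalina: column `allowed` (0 = denied). macOS 11 and later: column
# `auth_value` (0 = denied, 2 = allowed); `allowed` no longer exists there.
tcc_denied_sql() {
  case "$1" in
    allowed)    echo "SELECT service, client FROM access WHERE allowed = 0;" ;;
    auth_value) echo "SELECT service, client FROM access WHERE auth_value = 0;" ;;
    *) echo "unknown TCC schema: $1" >&2; return 1 ;;
  esac
}

# Pick the schema from the column list sqlite reports (cid|name|type|...).
# The calling process needs Full Disk Access, as the thread notes.
tcc_schema() {
  local cols
  cols=$(/usr/bin/sqlite3 "$TCC_DB" "PRAGMA table_info(access);") || return 1
  case "$cols" in
    *"|auth_value|"*) echo auth_value ;;
    *"|allowed|"*)    echo allowed ;;
    *) echo "unrecognised access table layout" >&2; return 1 ;;
  esac
}

tcc_denied_pairs() {
  local schema
  schema=$(tcc_schema) || return 1
  /usr/bin/sqlite3 "$TCC_DB" "$(tcc_denied_sql "$schema")"
}

# Whole-line match. `==` against the entire result only works while one entry
# is denied; a bare substring match would also accept a pair that is merely a
# prefix of a longer client id.
tcc_pair_denied() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Constructed sample of the query output, used when not running on a Mac.
SAMPLE_DENIED='kTCCServiceAccessibility|com.example.helper
kTCCServiceScreenCapture|com.tinyspeck.slackmacgap
kTCCServiceScreenCapture|com.example.helper'

main() {
  local pair denied
  pair=${1:-"kTCCServiceScreenCapture|com.tinyspeck.slackmacgap"}
  if [ "$(uname)" = Darwin ] && [ -r "$TCC_DB" ]; then
    denied=$(tcc_denied_pairs) || return 1
  else
    denied=$SAMPLE_DENIED
  fi
  if tcc_pair_denied "$denied" "$pair"; then
    echo "$pair is denied; prompt the user"
  else
    echo "$pair is not in the denied list"
  fi
}
main "$@"
```

Run it with the pair as the first argument; off a Mac it falls back to the constructed sample so the matching logic can be exercised anywhere.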


dlondon
Contributor III

Great stuff @shaquir ! Thanks for sharing. Just need to fix up the spelling mistake for Privacy in the second screen

matin
New Contributor III

@shaquir - Thanks for documenting this so well and sharing. Amazing work.

shaquir
Contributor III

Thank you for the correction @dlondon!

david_allouch
New Contributor

The script is nice but in Catalina there is no access to the TCC.db... sudo or not...
cat: /Library/Application Support/com.apple.TCC/TCC.db: Operation not permitted

mike_paul
Contributor III

@david.allouch, you will typically get that Operation Not Permitted error when the parent process running those commands doesn't have Full Disk Access. If you ran that script via Jamf, it should already be granted Full Disk Access, as Jamf whitelists itself; if you are running it locally via Terminal (which it appears you are), you would have to grant Terminal Full Disk Access in order for it to access that db. It's a weird catch-22: you have to grant TCC access to something to read out what already has TCC access.

luispalumbo
Contributor

Thanks @shaquir for sharing this script and the workflow too.

I've changed it on my end to accommodate any TCC entry, app name and icon, as follows:

#Select the TCC value pair from the system's TCC.db
#To get a list of all the system TCC values on your machine, you can run the command:
#/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT * FROM access;'
#This was the original tccSearchPair variable
#tccSearchPair="kTCCServiceScreenCapture|com.tinyspeck.slackmacgap"
#This is the new one to get the 4th variable from Jamf
tccSearchPair=$4

#Variables for dialog
#This was the original appName variable
#appName="Slack"
#This is the new one to get the 5th variable from Jamf
appName=$5

#App icon location
#This was the original appImage variable
#appImage="/Applications/Slack.app/Contents/Resources/electron.icns"
#This is the new one to get the 6th variable from Jamf
appImage=$6

I also attached a screenshot showing the configuration in the policy.

I hope it can help.

shaquir
Contributor III

Great contribution @luispalumbo!

M_Tucker-JBE
New Contributor II

@shaquir - Saving IT lives one script at a time! Thank you.

pcrandom
Contributor

@shaquir @luispalumbo Is there a way to automate having an app appear in the Screen Recording section of the Privacy tab? For example, we use Microsoft Teams, and would like to prompt users to enable Screen Recording for Teams ahead of time, but Teams won't appear in Privacy until the users' first attempt to share their screens.

balaji
New Contributor II

We are also facing the same issue for Zoom in Catalina. Looking for any automated process for such an issue?

luispalumbo
Contributor

Hi @pcrandom and @balaji,

I couldn't find any way of doing it automatically due to Apple's restrictions. However, it seems to me that with Big Sur we will be able to do that.

I've attached a screenshot of the Privacy tab of Big Sur and you can see that now there's an option to add or delete items to the list.


Ronen
New Contributor II

Hi, I'm also trying to solve the screen recording issue for TeamViewer and ManageEngine Desktop Central remote control, but I'm having issues with the database command...
Getting this error:
Script result: Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": unable to open database file
62:75: execution error: An error of type -4960 has occurred. (-4960)


My script looks like this:

#!/bin/bash
#This script is part of a workflow to ensure an Application's Screen Recording permission has been set to enabled in the TCC Security and Privacy. If the TCC option is disabled it will prompt the user to enable it
#Shaquir Tannis 5-26-2020
#https://github.com/shaquir/

#Select the TCC value pair from the system's TCC.db
#To get a list of all the system TCC values on your machine, you can run the command:
#/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT * FROM access;'
#This was the original tccSearchPair variable
#tccSearchPair="kTCCServiceScreenCapture|com.tinyspeck.slackmacgap"
#This is the new one to get the 4th variable from Jamf
tccSearchPair=$4

#Variables for dialog
#This was the original appName variable
#appName="Slack"
#This is the new one to get the 5th variable from Jamf
appName=$5

#App icon location
#This was the original appImage variable
#appImage="/Applications/Slack.app/Contents/Resources/electron.icns"
#This is the new one to get the 6th variable from Jamf
appImage=$6

#Dialog text. The posted copy uses these two variables without defining them, so placeholder wording is supplied here
initialMessage="PLACEHOLDER: explain that $appName needs Screen Recording access"
secondMessage="PLACEHOLDER: explain how to tick $appName in the Screen Recording list"

#Query for disabled system TCC values (the posted copy had mismatched quotes around the 0)
tccQuery='SELECT service, client FROM access WHERE allowed = 0;'

function promptUser()
{
  #Quotes inside the AppleScript source must be escaped so the shell passes them through
  initialPrompt=$( /usr/bin/osascript -e "display dialog \"$initialMessage\" with title \"$appName Screen Sharing\" with icon file POSIX file \"$appImage\" buttons {\"OK\"} default button {\"OK\"} giving up after 900" )

  theButton=$( echo "$initialPrompt" | /usr/bin/awk -F "button returned:|," '{print $2}' )

  if [ "$theButton" == "OK" ]; then
    echo "Opening Screen Recording Privacy"
    #Open System Preferences > Security & Privacy > Screen Recording
    open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture"
    sleep 1
    #Prompt User with second dialog instructing them to enable app
    secondPrompt=$( /usr/bin/osascript -e "display dialog \"$secondMessage\" with title \"$appName Screen Sharing\" with icon file POSIX file \"$appImage\" buttons {\"OK\"} default button {\"OK\"} giving up after 30" )
  else
    echo "Button OK not selected. Exiting..."
    exit
  fi

  #Wait 60 seconds and report if screen recording has been enabled
  sleep 60
  secondCheck=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "$tccQuery")
  #Pattern match: the result can hold several service|client lines, so an exact comparison with one pair would miss it
  if [[ "$secondCheck" != *"$tccSearchPair"* ]]; then
    echo "User successfully enabled $appName"
  else
    echo "$appName is still disabled. Exiting..."
    exit
  fi
}

#Check for disabled System TCC values
disabledValues=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "$tccQuery")

#Check if tccSearchPair matches a disabled TCC value on the user's machine
if [[ "$disabledValues" == *"$tccSearchPair"* ]]; then
  #Run function to prompt user to enable
  promptUser
else
  echo "$appName permission has already been enabled. Exiting Script."
  exit
fi


Any idea how to solve it?

Thanks

shaquir
Contributor III

It appears that Apple may have officially disabled the ability to read the User and System level TCC.db values.
On a SIP enabled 10.15.7 machine, I ran:

sudo /usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT * FROM access;'

Which returned the error:

Error: unable to open database "/Library/Application Support/com.apple.TCC/TCC.db": unable to open database file

I hope Apple can offer another way to report on TCC values, but this might be the end of our ability to report on these items 😔

Brett_Cox
New Contributor II

@shaquir Try placing a check next to Terminal under Full Disk Access and run again. Changing this returned results for me. Now I am trying to wrap my head around the security risk of enabling this in order to get the script to run. The same command run as an EA returns results without Terminal needing Full Disk Access.


I also confirmed that the policy runs successfully again with the full disk access from terminal set.

mike_paul
Contributor III

@Brett_Cox The extension attribute works already since Jamf is the parent process and it's granted Full Disk Access by the default profile pushed out.

mspidle
New Contributor

I have this all set up, but the AppleScript dialog never displays; I watch the jamf.log and it just hangs there until it times out.

Any ideas? I thought maybe it needs to run as the console user, but it seems like everyone else has this working.

mspidle
New Contributor

So I switched the dialog over to jamfhelper and that is working, so the last thing to get working is the open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture", which is not working; it errors with LSOpenURLsWithRole() failed with error -610 ...

Thanks
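Error -610 from LSOpenURLsWithRole() is kLSNoLaunchPermissionErr. It is what open returns when it is called by root from a launchd daemon context, which is how a Jamf policy runs: root has no GUI session to hand the URL to. The same situation is the first thing to check when an osascript dialog never appears from a policy but works from Terminal. The usual remedy is to run the GUI-facing command inside the console user's session with launchctl asuser and sudo -u. The added example below is mine, not mspidle's or the thread's script; the scutil output it parses is constructed sample text, and the user name alice is a placeholder.

```shell
#!/bin/bash
# Added example (not the thread's script): run GUI-facing commands as the
# logged-in console user instead of root. A Jamf policy runs as root with no
# GUI session, so `open` fails there with LSOpenURLsWithRole() error -610.

# Parse the output of `scutil <<< "show State:/Users/ConsoleUser"` (read from
# stdin). Prints the console user's short name; prints nothing when only the
# login window is showing.
console_user_from_scutil() {
  awk '/^[[:space:]]*Name :/ { name = $3 }
       END { if (name != "" && name != "loginwindow") print name }'
}

# Same source, the numeric UID line.
console_uid_from_scutil() {
  awk '/^[[:space:]]*UID :/ { uid = $3 } END { if (uid != "") print uid }'
}

# Live lookup (macOS only).
console_user() {
  echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | console_user_from_scutil
}

# Run a command inside the console user's launchd session.
run_as_console_user() {
  local user uid
  user=$(console_user)
  [ -n "$user" ] || { echo "no console user logged in" >&2; return 1; }
  uid=$(/usr/bin/id -u "$user")
  /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" "$@"
}

# URL for a pane under System Preferences > Security & Privacy > Privacy.
# Privacy_ScreenCapture is the anchor the thread uses.
privacy_pane_url() {
  printf 'x-apple.systempreferences:com.apple.preference.security?%s\n' "$1"
}

open_privacy_pane() {
  run_as_console_user /usr/bin/open "$(privacy_pane_url "${1:-Privacy_ScreenCapture}")"
}

# Constructed sample scutil output, for running this off a Mac.
SAMPLE_SCUTIL='<dictionary> {
  GID : 20
  Name : alice
  UID : 501
}'
SAMPLE_LOGINWINDOW='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'

if [ "$(uname)" = Darwin ] && [ "$(id -u)" = 0 ]; then
  open_privacy_pane Privacy_ScreenCapture
else
  printf 'console user in sample: %s (uid %s)\n' \
    "$(printf '%s\n' "$SAMPLE_SCUTIL" | console_user_from_scutil)" \
    "$(printf '%s\n' "$SAMPLE_SCUTIL" | console_uid_from_scutil)"
fi
```

The same run_as_console_user wrapper works for the osascript dialog: prefix the osascript call with it so the dialog is drawn in the user's session rather than attempted from root.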

wes_goins
New Contributor

@Ronen The issue you are having with that error is the same thing I did at first. When you are setting your Parameters, you are putting the values in as the labels instead. You will need to set your actual labels there (tccSearchPair, App Name, Icon Location), then in your POLICY, you set the parameters to the things you are searching for. Notice the slight differences in the screenshot you posted and the screenshot that @luispalumbo posted.

singhmeith75
New Contributor II

Great Share @shaquir

tjhall
Contributor III

Hello. This looks like a great way to ensure the user enables the app.
I've been trying to run the script but am not getting any prompt, and then this output in Terminal: "Slack permission has already been enabled. Exiting Script." despite it not being enabled. Any tips?

dwaterbury
New Contributor III

@mspidle Can you share how you used jamfhelper to display the dialog box? I have not been able to get the dialog box to appear. Thank you.