We use several mac minis as caching servers in some of my company's locations around the world. To be able to access them remotely, we need our screensharing utility (Bomgar) to be approved in Security & Privacy > Screen Recording. It is important this happens BEFORE it ships out, because otherwise we've got a headless mac mini that we can't access remotely.
To ensure it gets approved, I have an until loop set to prompt the end user and bring up the appropriate preference pane until access is granted. However, it looks like the osascript prompt I'm using throws an error:
020-08-04 19:19:12.566 osascript[5461:27615] -[__NSCFConstantString objectAtIndex:]: unrecognized selector sent to instance 0x7fff8f3960e0 2020-08-04 19:19:12.567 osascript[5461:27615] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[__NSCFConstantString objectAtIndex:]: unrecognized selector sent to instance 0x7fff8f3960e0' *** First throw call stack: ( 0 CoreFoundation 0x00007fff37b63b57 __exceptionPreprocess + 250 1 libobjc.A.dylib 0x00007fff708115bf objc_exception_throw + 48 2 CoreFoundation 0x00007fff37be2be7 -[NSObject(NSObject) __retain_OA] + 0 3 CoreFoundation 0x00007fff37ac83bb ___forwarding___ + 1427 4 CoreFoundation 0x00007fff37ac7d98 _CF_forwarding_prep_0 + 120 5 CoreFoundation 0x00007fff37a96ed7 CFArrayContainsValue + 197 6 HIServices 0x00007fff35d9d7b9 TransformProcessType + 927 7 osascript 0x0000000106c9b02c osascript + 12332 8 HIToolbox 0x00007fff367b27c5 AEInteractWithUser + 53 9 StandardAdditions 0x00000001097a98b9 CSDSTEXTurl_ + 5865 10 StandardAdditions 0x000000010979779d AEVTsysodisA + 145 11 AE 0x00007fff38e5a203 _AppleEventsCheckInAppWithBlock + 18103 12 AE 0x00007fff38e69c83 AESendMessage + 2838 13 AE 0x00007fff38e75fb1 aeSend + 355 14 osascript 0x0000000106c99b25 osascript + 6949 15 AppleScript 0x00007fff4b7f6342 _Z13ComponentSendPK6AEDescPS_ii + 485 16 AppleScript 0x00007fff4b807f0a _ZN15TUASApplication4SendEP25TStackFrame_UASRemoteSendP6AEDescS3_hhh + 2332 17 AppleScript 0x00007fff4b828ca7 _Z13UASRemoteSendhhhhhPh + 548 18 AppleScript 0x00007fff4b8011f0 _Z13UASActor_Sendhhh + 383 19 AppleScript 0x00007fff4b834402 _Z13UASValue_Sendhh14TUASClassIndexh + 326 20 AppleScript 0x00007fff4b80bff9 _Z11UASExecute1v + 288 21 AppleScript 0x00007fff4b7dfb26 _Z14ASExecuteEventPK6AEDescjiPj + 614 22 AppleScript 0x00007fff4b7d8971 AppleScriptComponent + 1677 23 AppleScript 0x00007fff4b7f1bdb _ZN12AGenericCall8DelegateEP23ComponentInstanceRecord + 37 24 AppleScript 0x00007fff4b7f1ba1 _ZN15AGenericManager13HandleOSACallEP19ComponentParameters + 57 25 AppleScript 0x00007fff4b7f118c GenericComponent + 156 26 OpenScripting 0x00007fff369f53e2 OSAExecuteEvent + 50 27 osascript 0x0000000106c9a5bd osascript + 9661 28 libdyld.dylib 0x00007fff719b9cc9 start + 1 29 ??? 0x0000000000000003 0x0 + 3 ) libc++abi.dylib: terminating with uncaught exception of type NSException /Library/Application Support/JAMF/tmp/Catalina Message Test: line 36: 5461 Abort trap: 6 osascript -e 'display alert "Screen Recording Approval Required" message "Please approve Screen Recording for Bomgar in System Preferences > Security & Privacy > Privacy > Screen Recording"'
Full loop below:
osVer="$(sw_vers -productVersion)" BomgarApproval="$(sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = '1'' | grep -o "com.bomgar.bomgar-scc")" if [[ $osVer == 10.15.* ]]; then echo "### macOS 10.15 Catalina Found. Prompting for ScreenCapture approval." until [[ $BomgarApproval = "kTCCServiceScreenCapture|com.bomgar.bomgar-scc" ]] do open "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture" osascript -e 'display alert "Screen Recording Approval Required" message "Please approve Screen Recording for Bomgar in System Preferences > Security & Privacy > Privacy > Screen Recording"' sleep 5 echo "--- Checking for approval of ScreenCapture for Bomgar..." export BomgarApproval=$(/usr/bin/sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" 'SELECT service, client FROM access WHERE allowed = '1'' | grep bomgar) echo "Bomgar status is $BomgarApproval" done echo "Bomgar has been approved" fi
If I allow Terminal full disk access and run the piece of code locally on the machine, it works fine. JAMF by default whitelists itself for full disk access, so why doesn't the script work when being run via jamf policy?
That TCC database is protected by Apple's System Integrity Protection (SIP). The macOS won't let you modify that file and you shouldn't try to work around Apple's safeguards. That would only lower security.
Generally, instead of modifying that file directly or via script, you should be using a Configuration Profile to push a Privacy Protection Policy Control profile for Bomgar to allow it the access it needs. The PPPC Utility can help you do that.
However, for the privacy of the end user, Apple disables access to screen recording along with camera and microphone to all but the user. You'll need to log in to the account where Bomgar will generally run and manually approve access.
I'm a couple years late, but could we not place a script in Self Service for the user to run to alter screen recording settings? Apologies if this has been answered in the years since this was asked, but I'm not seeing any solutions other than deploying the Configuration Profile you've mentioned.
I agree with Bill. And despite the fact that the error message is claiming the issue is with the osascript command, I think you are seeing errors from your sqlite command in your until loop that are affecting your comparison in the second pass of your until clause.
A PPPC configuration profile payload should resolve this instantly.
FWIW, I think your approach is impressive and exactly the way I'd take it on pre-Catalina.