AppleScript, JamfAgent and tcc.db (Allow apps below to control your computer)

dpodgors
Contributor

So it appears that in order to run an AppleScript that manipulates a dialog box, from JAMF, one must set jamfAgent up in "Allow apps below to control your computer". This would need to be done programmatically since it's not set up on any of our Macs. So I've been searching for the solution all over the net. I thought I found a nifty solution for a command line call (from jacob_salmela) but it looks like Apple has thwarted that with their SIP implementation. Any suggestions on how to accomplish this?
Thanks in advance.
Don

3 REPLIES

mm2270
Legendary Contributor III

I don't believe there are any good solutions to this, other than contacting an Apple rep and filing a request/complaint that SIP protecting the tcc.db is cramping your style. It's not the first thing SIP has hobbled for us and many other orgs. I'm all for security, but I wish Apple would be a little more lenient with some of the items that are SIP protected. So, I would contact your Apple rep and make sure they know how much you need to be able to manipulate the tcc.db without being prevented by SIP, and how many systems it affects in your environment.

I'm not sure it will go anywhere, but that's the only real answer I can give. That, or temporarily disable SIP if this is for something you need to capture as part of a base OS image to include in imaging, and then re-enable it. I know that won't really work in many cases, but not sure what else we can do about it.

mrheathjones
New Contributor III

I have a script that adds a few items to the TCC.db built into my DeployStudio image (macOS Sierra compatible)

You can try something like this from terminal:

sudo sqlite3 "/Library/Application Support/com.apple.TCC/TCC.db" "REPLACE INTO access VALUES('kTCCServiceAccessibility','/usr/local/bin/jamfAgent',1,1,1,1,NULL);"

This will add the jamfAgent binary and allow it to control the computer. You should be able to script this as a policy and flag it with the enrollment trigger, that way all incoming Macs will get this upon enrollment.

AppleScript version:

do shell script "sqlite3 '/Library/Application Support/com.apple.TCC/TCC.db' \"REPLACE INTO access VALUES('kTCCServiceAccessibility','/usr/local/bin/jamfAgent',1,1,1,1,NULL);\"" with administrator privileges

I assume you can strip the "with administrator privileges" out if running via jamfPro as a policy.
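Added example, not mrheathjones' script or anything from Jamf: the same REPLACE row as above, plus a read-only audit of which clients hold kTCCServiceAccessibility, written against Python's built-in sqlite3 module instead of the sqlite3 CLI. It runs only against a constructed copy of TCC.db in a temp directory; the access table columns are assumed (modelled on the 10.12-era layout, which takes the seven values the post's REPLACE supplies). Opening the copy with mode=ro makes SQLite return the same "attempt to write a readonly database" error the thread hits under SIP, so the write path shows how to report that condition instead of crashing a policy script.

```python
"""Audit TCC.db Accessibility grants and attempt the thread's REPLACE, with
the read-only (SIP) failure reported rather than raised.

Assumptions: access table columns modelled on the 10.12-era schema (names
assumed); all work happens on a constructed copy, never the live database.
"""
import os
import pathlib
import sqlite3
import tempfile

# Real path of the live database (from the thread); demo() never opens it.
LIVE_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"
SERVICE = "kTCCServiceAccessibility"
JAMF_AGENT = "/usr/local/bin/jamfAgent"

# Assumed column layout; it accepts the seven values used in the post's REPLACE.
ACCESS_SCHEMA = """
CREATE TABLE IF NOT EXISTS access (
    service      TEXT    NOT NULL,
    client       TEXT    NOT NULL,
    client_type  INTEGER NOT NULL,
    allowed      INTEGER NOT NULL,
    prompt_count INTEGER NOT NULL,
    csreq        BLOB,
    policy_id    INTEGER,
    PRIMARY KEY (service, client, client_type)
)
"""


def _connect(db_path, mode):
    # as_uri() percent-encodes spaces (the live path has one) so the
    # ?mode= query string is parsed correctly. mode=ro opens read-only, which
    # makes SQLite report "attempt to write a readonly database" on any write.
    uri = pathlib.Path(db_path).resolve().as_uri() + f"?mode={mode}"
    return sqlite3.connect(uri, uri=True)


def make_sample_db(db_path):
    """Create a constructed TCC.db look-alike holding one pre-existing grant."""
    conn = sqlite3.connect(db_path)
    try:
        conn.execute(ACCESS_SCHEMA)
        # Constructed sample row: a bundle that already has Accessibility.
        conn.execute(
            "REPLACE INTO access VALUES (?, ?, 0, 1, 1, NULL, NULL)",
            (SERVICE, "/Applications/Example Helper.app"),
        )
        conn.commit()
    finally:
        conn.close()


def list_service_clients(db_path, service=SERVICE):
    """Read-only audit: (client, allowed) pairs for a service, sorted by client.
    Opens mode=ro, so it works on a machine where SIP blocks writes."""
    conn = _connect(db_path, "ro")
    try:
        rows = conn.execute(
            "SELECT client, allowed FROM access WHERE service = ? ORDER BY client",
            (service,),
        ).fetchall()
    finally:
        conn.close()
    return [(client, bool(allowed)) for client, allowed in rows]


def grant_accessibility(db_path, client, read_only=False):
    """Run the same REPLACE as the post (same seven values).
    Returns (ok, message); a read-only database gives (False, SQLite's message)."""
    conn = _connect(db_path, "ro" if read_only else "rw")
    try:
        conn.execute(
            "REPLACE INTO access VALUES (?, ?, 1, 1, 1, 1, NULL)",
            (SERVICE, client),
        )
        conn.commit()
        return True, "granted"
    except sqlite3.OperationalError as exc:
        return False, str(exc)
    finally:
        conn.close()


def demo():
    """Exercise the writable and the read-only case on a temporary copy."""
    db_path = os.path.join(tempfile.mkdtemp(), "TCC.db")
    make_sample_db(db_path)
    ok, _ = grant_accessibility(db_path, JAMF_AGENT)
    clients = list_service_clients(db_path)
    ro_ok, ro_msg = grant_accessibility(db_path, JAMF_AGENT, read_only=True)
    return {"granted": ok, "clients": clients,
            "readonly_ok": ro_ok, "readonly_msg": ro_msg}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the grant succeeding on the writable copy, the audit listing both clients as allowed, and the second attempt failing with the readonly message. Pointing list_service_clients at LIVE_TCC_DB is the useful part on a real Sierra box: it confirms whether jamfAgent already has the entry without attempting a write that SIP will refuse.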

dpodgors
Contributor

Are you running Sierra? I get an "Error: attempt to write a readonly database" error. Apple has seen fit to include the TCC.db into its witness protection program (SIP) in Sierra.