GUI Mavericks Security Issue

My company is using GUI scripting in a number of AppleScripts. We are about to move to Mac OS X 10.9.

I create the AppleScripts and distribute them to our staff. Those scripts will now prompt the users with the message that the AppleScript is “not allowed assistive devices”.

Our IT department does not allow our staff to have admin rights on their Macs. So it won’t be possible for them to add the script to the Accessibility list in the Security & Privacy preferences pane.

I have tried the method with the ResourceRules-ignoring-Scripts.plist listed on this page: http://macosxautomation.com/mavericks/guiscripting/index.html, but I get an error message saying “code object is not signed at all In subcomponent: path/Contents/Script Debugger.plist”.

  1. How do I make this work?

  2. Do I need to codesign the applet?

  3. If I codesign the applet and then distribute the AppleScripts to my staff, will they still be prompted to add the GUI script to the Accessibility list?

Thanks,

Jeff Walters
Pearson

The answer to 2 is yes, as it is to 3 the first time the apps are run. The answer to 1 is to follow the instructions exactly.

First step is to see where you can avoid using GUI scripting…

Shane,

Thanks so much for the answers!

And users must have admin rights to add a codesigned applet to the Accessibility list, correct? No way around that?

Jeff

I believe so. (I’m going largely on what I’ve read; I haven’t done more than dabble with it myself, being a GUI scripting hater from way-back.)
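An added example, not from this thread, of the defensive pattern a distributed applet can use given the situation above: test whether the running process already has Accessibility access and, if not, tell the user what to ask IT for instead of letting them hit a prompt they cannot satisfy. It assumes the `UI elements enabled` property of System Events and error number -1719 behave as they do on 10.9; the process name "TextEdit" and the "New" menu item are placeholders for the real GUI-scripting task.

```applescript
-- Added example: guard GUI scripting behind an Accessibility check so staff
-- without admin rights get a clear explanation instead of an unfixable prompt.

on accessibilityGranted()
	-- Assumption: on 10.9 this property reports whether the calling process is
	-- listed under System Preferences > Security & Privacy > Privacy > Accessibility.
	tell application "System Events" to return UI elements enabled
end accessibilityGranted

on doGUIWork()
	-- Placeholder GUI-scripting task; replace with the real workflow.
	tell application "System Events"
		tell process "TextEdit"
			set frontmost to true
			click menu item "New" of menu "File" of menu bar 1
		end tell
	end tell
end doGUIWork

on run
	if not accessibilityGranted() then
		display alert "This script needs Accessibility access" message ¬
			"It is not listed under System Preferences > Security & Privacy > Privacy > Accessibility. " & ¬
			"Adding it requires an administrator; please contact IT and quote the script name." ¬
			as warning buttons {"OK"} default button "OK"
		return
	end if
	try
		doGUIWork()
	on error errMsg number errNum
		-- Assumption: -1719 is the number System Events raises for
		-- "not allowed assistive access"; it can still surface if access was
		-- granted earlier and later revoked, so report it rather than re-prompting.
		if errNum is -1719 then
			display alert "Accessibility access was refused" message errMsg as warning
		else
			error errMsg number errNum
		end if
	end try
end run
```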

Application security in Mavericks is at the desktop level, not the system level. Since the beginning of desktop software in general there has been a way to bypass desktop security: booting the system as the root/admin user in prompt mode, single-user mode on the Mac. In single-user mode you’re root and won’t be prompted to enter a password. Now you’re able to change the contents of “inaccessible” preference files and change your preferences to your liking. Because the desktop isn’t launched (yet) you’re not able to use any kind of process that has any sort of connection to the desktop. For instance, you’re not able to start apps, but foundation utilities like diskutil also won’t work in single-user mode.

edit: Of course the answer for ICT people will be a home directory on the server with a remote directory service security system for your desktop. Then, unfortunately, you’re out of reach.

The directory service is up in single-user mode, so you can also change user information there; you can even turn admin privileges on in single-user mode. Again, this only works for local systems.