JAMF + Mojave vs AppleScript

hi folks – I have an AppleScript, deployed as an app, which worked just fine until Mojave. The AppleScript includes calls to System Events and Eclipse.app, plus some shell commands. But since upgrading my lab Macs to 10.14, of course the user gets "[custom app] wants access to control “System Events“ " when the app is launched.

We are using JAMF Pro for MDM and we have the PPPC JAMF / AppleEvents config installed already. Clearly that’s not enough. I downloaded the JAMF PPPC utility too, but it’s a little opaque.

Does my AppleScript bundle need to be code-signed or something? If I re-compile the script with 10.14, will it just work? I know there’s documentation on these issues, but I’m in the weeds with the semester a week out, so would appreciate some guidance!

thanks everyone!

On any given Mac, System Preferences→Security & Privacy→Privacy→Accessibility keeps a list of applications that are allowed to control the computer using accessibility methods. You’ll can add your custom AppleScript app to that list and it should suppress that dialog. I’m not sure how JAMF works, so I’m not sure how you would do that across a range of computers. Do you need a command-line access, or can you clone or set that preference directly?

If you can code-sign it, that will reduce problems. What TedW says is correct, but with the extra wrinkle that a typical applet modifies itself every time it is run, rendering any existing authorization invalid. At the very least, you need to stop that happening, either by rewriting it so that there are no top-level variables whose contents change, or making the finished app’s main.scpt file read-only (using Unix permissions).

I was curious about that, so I made a quick AppleScript app to test it:

property appName : "App Name"
global randomArray

on run
	try
		display dialog appName & " : " & randomArray as text
	on error
		display dialog appName
	end try
	tell application "System Events"
		set theApps to every application process whose frontmost is false and visible is true
		set b to random number from 1 to count of theApps
		set appName to name of item b of theApps
	end tell
	set randomArray to {random number from 1 to 6, random number from 1 to 6, random number from 1 to 6}
end run

This runs as expected before setting the accessibility permissions, but as soon as I added it to the accessibility list, the property and global variable stop being saved across app launches. They can be set as normal during script execution, but any changes are forgotten at quit. So unless the script relies on persistent storage, adding it to the accessibility list should only need reauthorization if the script app is opened and recompiled.

Browser: Safari 605.1.15
Operating System: macOS 10.14

Color me surprised – I’m sure it never used to be that way. I wonder when it changed. It seems that just presence in the list is enough, even if actual access is turned off.

So apps that use accessibility can’t use properties for persistence… Interesting.

Thanks for pointing this out.