CODEWITHSUNDEEP
macosapplescript
Chris G.
Chris G.

Reputation: 25934

Allow AppleScript script to run without asking for permission

Hi I am using osascript tell process "Terminal" in a bash script.

It obviously need permission for doing this. It asks me for sudo, but I would like to signe go give this script access to run without interacting. Can you do that?

Full osascript call

osascript <<END
tell application "Terminal"
    activate
    tell application "System Events"
        tell process "Terminal"
            click menu item "Merge All Windows" of menu "Window" of menu bar 1
        end tell
    end tell
end tell
END

Note: this is within a shell script.

Upvotes: 6

Views: 13201

Answers (1)

mklement0
mklement0

Reputation: 437042

Update: Dominik Bucher reports that the solution below doesn't work on macOS High Sierra and above, seemingly by design.

What your AppleScript is doing is an instance of GUI scripting - controlling the user interface programmatically.

GUI scripting requires that the application performing it - Terminal.app in this case, assuming you're running your Bash script from there[1] - be authorized for assistive access in System Preferences > Security & Privacy > Privacy > Accessibility.

You are offered to be taken to the relevant System Preferences pane the very first time you open an application (or run a script from within it) that's not yet authorized. You can always manage applications there later manually. Only checked applications are currently authorized.

This is a one-time, per-application, for-all-users configuration step that itself requires administrative privileges (authentication via interactive prompt), but once an application has been authorized, running such a script no longer requires admin privileges.
(sudo never enters the picture with respect to GUI scripting.)

See Apple's support article on the subject (written at the time of OS X 10.9, but still applies as of 10.11).

Caveat: Since authorization is at the application level, authorizing Terminal.app then allows any script run from it to perform GUI scripting.

There is an - undocumented - way to programmatically authorize an application, where administrative authentication is provided via sudo; e.g., to authorize Terminal.app, use the following - note that unless already authenticated, sudo still prompts for the admin password:

  • OS X 10.11 (El Capitan):

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "REPLACE INTO access values ('kTCCServiceAccessibility', 'com.apple.Terminal', 0, 1, 1, NULL, NULL);"

  • OS X 10.10 (Yosemite) and 10.9 (Mavericks):

sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "REPLACE INTO access values ('kTCCServiceAccessibility', 'com.apple.Terminal', 0, 1, 1, NULL);"

For background, see this answer (as of this writing, it needs updating for El Capitan).

As far as I know, there's no way to sign an individual application / applet in a way that pre-authorizes assistive access.
(Additionally, signed AppleScript applets may invalidate their - manually granted - authorization by self-modification - see the linked Apple Support article above.)

[1] Authorization is granted at the level of OS X applications (*.app bundles), so a script that performs GUI scripting requires that the application running the script be authorized - as opposed to a command-line program such as osascript inside an application that is actually interpreting the script (even though the error message may - misleadingly - implicate that program; e.g., osascript is not allowed assistive access).

Upvotes: 8

Related Questions