Request permissions to disable System Integrity Protection for my application

Hi


I need to allow accessibility access for my application without user action. I know that I need to change


/Library/Application Support/com.apple.TCC/TCC.db


but this is protected by SIP. From what I have understood, some applications can request to disable SIP, by including in their plist file


<key>com.apple.rootless.install</key>

<true/>


then signing the application. Is this all that is needed? Can I sign the application with my certificate, or should it be submitted to Apple for signing?


I do not want to publish the application on the Apple Store, just to disable SIP for my application.


thanks

Bogdan

Accepted Answer

That entitlement is only for Apple software. If it works, that would be a huge security hole. I'm pretty sure it won't work for you.

That entitlement is only for Apple software.

Correct.

@cristeab, can you give us some more background about the context of this issue? Most folks in your situation just disable SIP on the Mac running their software. Why doesn’t that work for you?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi


My software is a time tracking application, I need accessibility access in order to read window titles. Explicitly requesting user interaction is not an option, since the intention is to track automatically user activity. I am wondering however if it is possible to automatically simulate a click in order to enable accessibility from the dialog, then close it. Thus I should avoid SIP while still granting automatically accessibility access.


regards

Bogdan

My software is a time tracking application, I need accessibility access in order to read window titles.

OK.

Explicitly requesting user interaction is not an option, since the intention is to track automatically user activity.

I’d like to clarify your requirements here, but before that I want to be clear about Apple’s goal. The purpose of this restriction is to prevent apps from doing exactly what you’re doing without user consent. Trying to hack your way around this restriction is not going to end well.

Is there some specific reason why you don’t just ask the user for consent? Are you targeting a managed environment where the user can’t consent? Or are you just trying to ease your testing process?

If there are no special circumstances — that is, your app is distributed to normal users who can consent to your accessibility requirements — then I recommend that you ask the user to give their consent. That is the expected way forward.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"