AppleEvents entitlement - apparently not required?

We have a legacy app written in a mix of C, ObjC, C++ and ObjC++ with .xib files. It is not sandboxed.

It sends an Apple Event to TV (the app of that name from Apple, not a physical TV) using /usr/bin/osascript, calling a compiled AppleScript which is in our app bundle's Resources directory with parameters which we generate in our app at runtime. The first time it does this on a fresh system, the OS puts up a dialog asking for permission to control TV, and after the user clicks Allow, our app appears under Security and Privacy in the Automation section.

That's all fine, but what is unexpected is that the app has no Apple Events entitlement (com.apple.security.automation.apple-events), and it doesn't have an NSAppleEventsUsageDescription string either. The documentation at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events says:

Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID.

but we're not on the Apple team.

When I filter the log for messages from tccd pertaining to our app, it does indeed complain:

Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<our bundle id>”

But despite those complaints, everything works - I can send the event, and TV acts upon it. Is this working only by accident, and might fail in some minor future OS update?

tccd also complains about the microphone:

Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for requesting={TCCDProcess: identifier=<our bundle ID>

but we don't use the microphone.

tccd complains about this too:

<path-to-our-app> attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement

What does that mean, and should we be concerned?

Accepted Reply

I suspect that this is working because osascript is signed by Apple.

I’m not a fan of using osascript for this sort of thing. I much prefer to use NSAppleScript. That runs the code inside your process, which simplifies the TCC story.

One nice thing about NSAppleScript is that you can pass your script arguments programmatically rather than via text substitution. I have code for that lying around somewhere… oh yeah, here it is.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
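
The approach the reply describes, as an added example that is not part of the original post and not the code the reply links to: a handler in the bundled compiled script is called through NSAppleScript with the runtime values passed as Apple event descriptors, so they are never spliced into script text. The script name `Control.scpt` and the handler name are hypothetical, and the example assumes the app carries the Apple Events entitlement and NSAppleEventsUsageDescription the question mentions, since events to TV would now come from the app's own process.

```swift
import Foundation
import Carbon  // kASAppleScriptSuite, kASSubroutineEvent, keyASSubroutineName

struct ScriptFailure: Error { let info: NSDictionary? }

/// Calls `handler` in the compiled script at `scriptURL`, passing each argument
/// as an Apple event descriptor instead of splicing it into script source.
func callHandler(_ handler: String, in scriptURL: URL,
                 arguments: [String]) throws -> NSAppleEventDescriptor {
    var errorInfo: NSDictionary?
    guard let script = NSAppleScript(contentsOf: scriptURL, error: &errorInfo) else {
        throw ScriptFailure(info: errorInfo)
    }

    // Build a one-based descriptor list. Values stay data: quotes or
    // backslashes inside an argument are never parsed as script source.
    let parameters = NSAppleEventDescriptor.list()
    for (index, argument) in arguments.enumerated() {
        parameters.insert(NSAppleEventDescriptor(string: argument), at: index + 1)
    }

    // "Call subroutine" event addressed to the script itself (no target app).
    let event = NSAppleEventDescriptor(
        eventClass: AEEventClass(kASAppleScriptSuite),
        eventID: AEEventID(kASSubroutineEvent),
        targetDescriptor: nil,
        returnID: AEReturnID(kAutoGenerateReturnID),
        transactionID: AETransactionID(kAnyTransactionID))
    // AppleScript stores handler names in lowercase, so normalise before lookup.
    event.setDescriptor(NSAppleEventDescriptor(string: handler.lowercased()),
                        forKeyword: AEKeyword(keyASSubroutineName))
    event.setDescriptor(parameters, forKeyword: AEKeyword(keyDirectObject))

    errorInfo = nil
    let result = script.executeAppleEvent(event, error: &errorInfo)
    if let errorInfo = errorInfo { throw ScriptFailure(info: errorInfo) }
    return result
}

// Usage with hypothetical names: Control.scpt defines `on handleRequest(title, action)`.
// let url = Bundle.main.url(forResource: "Control", withExtension: "scpt")!
// let reply = try callHandler("handleRequest", in: url, arguments: [userTitle, "play"])
```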
