
I have a LaunchdAgent (e.g. /etc/someDir/myAgent) running, which asks permission to record the screen. System Popup pops - user permits screen-recording in the System-Preferences "Security & Privacy" panel, the "Privacy" tab. It is clearly visible there.

Now when I wish to uninstall/remove this agent, I also want to remove its permissions.

I should be able to use the tccutil command-line tool to either

`tccutil reset ALL myAgent`

or

`tccutil reset ScreenCapture myAgent`

However, I always receive the following error:

`tccutil: No such bundle identifier "myAgent": The operation couldn’t be completed. (OSStatus error -10814.)`

I tried to use the path to the launchAgent, its label "com.mycompany.myAgent" from the .plist I install in /Library/LaunchAgents to run it, I even tried unique identifiers from its [NSProcessInfo processInfo] -- to no avail.

man tccutil is worthless, and I cannot find any documentation on the subject.

Ideas, anyone? How can I clear the privacy database of my Agent once it is no longer needed?

Motti Shneor
  • You can either reset it for all apps (`tccutil reset ScreenCapture`) and re-enable other apps if required. Or you can try to get bundle identifier via `osascript -e 'id of app "MyApp"'`. Also label from the plist is not a bundle identifier. What's inside `ProgramArguments` (plist)? – zrzka Jun 02 '20 at 19:32
  • I know - but I do not want to disturb other applications and services. Especially that I'm doing this on a customer's Mac --- I just want to remove the permission from MY component at the time I un-install it. – Motti Shneor Jun 16 '20 at 12:18

1 Answer

You need to pass the app's bundle identifier to the tccutil reset command. That's the value for the CFBundleIdentifier property in the app's Info.plist, not the display name or executable name.

For single-binary (rather than bundled) executables, you can embed the Info.plist directly into the binary, which opens up a bunch of features which require a bundle identifier, such as entitlements, etc. If using Xcode to build, enable the "Create Info.plist Section in Binary" target setting. Otherwise, you'll have to manually add the `--sectcreate __info_plist` option during linking.

Another option is to place the executable inside a generic .bundle target. Then the bundle identifier of the bundle applies.

pmdj
  • As I said - my component is a single-file unix-style binary, that has no "bundle ID". That's the source of my problem. Not everything in this world is an "app". TCC seems to support applying entitlements to such executables - but tccutil won't address them. – Motti Shneor Aug 05 '23 at 16:17
  • You probably should try an [embedded Info.plist](https://stackoverflow.com/q/4022495/48660) in that case. If using Xcode to build, enable the "Create Info.plist Section in Binary" target setting. Otherwise, you'll have to manually add the `--sectcreate __info_plist` option during linking. This lets you assign a bundle identifier, which in turn allows you to do things that require one. – pmdj Aug 05 '23 at 19:17
  • Just to complete this mini-discussion. We embedded info.plist in our single-file binary component, to no avail. TCC does NOT consult this info.plist, and does not identify our binary by bundle-ID, but rather by its full-path. tccutil won't let me remove/reset by this bundle-id. So... nice try. – Motti Shneor Aug 26 '23 at 18:21
  • That leaves the final option, putting the executable inside a bundle, whether or not it otherwise needs to be. [The official documentation](https://developer.apple.com/documentation/xcode/signing-a-daemon-with-a-restricted-entitlement?language=objc) says you should put it in an `.app` bundle, but I've deployed a launch agent that required screen capture consent inside a plain `.bundle` bundle with a suitable Info.plist. (This is the macOS -> Framework & Library -> Bundle template in Xcode) The .app bundle option may have the advantage of letting you set an icon. – pmdj Aug 26 '23 at 18:29
  • I really wish I could... That's a corporate management decision to deploy as "unix binaries" and not proper macOS deployment. There are many other aspects for which I would wrap a product in a proper bundle. (BTW you don't need a raw .bundle -- there are many standard code bundles you could use: a Preferences Panel, a Plugin, a Menu-bar status-item App, a System-Extension, Network-filter extension, Audio-component and so on.) Also - I'm quite sure with the correct entries in your info.plist - also a .bundle can have a proper icon. – Motti Shneor Aug 29 '23 at 15:26
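
Added example (not part of the original answer or the asker's code): an uninstall-time helper that reads `CFBundleIdentifier` from a bundle's Info.plist, as the answer describes, and builds a `tccutil reset ScreenCapture <id>` call scoped to that one bundle. The function names and the fallback to a root-level Info.plist are assumptions; a bare binary with no enclosing bundle is rejected rather than handled.

```python
import plistlib
import shutil
import subprocess
import sys
from pathlib import Path

# Info.plist locations tried, relative to the bundle root (macOS layout first).
# The root-level fallback is an assumption for flat bundles.
PLIST_CANDIDATES = ("Contents/Info.plist", "Info.plist")


def bundle_identifier(bundle_path):
    """Return the CFBundleIdentifier of the bundle, or raise ValueError."""
    root = Path(bundle_path)
    for rel in PLIST_CANDIDATES:
        plist = root / rel
        if not plist.is_file():
            continue
        with plist.open("rb") as fh:
            info = plistlib.load(fh)  # reads both XML and binary plists
        ident = info.get("CFBundleIdentifier") if isinstance(info, dict) else None
        if isinstance(ident, str) and ident.strip():
            return ident.strip()
        raise ValueError(f"{plist} has no usable CFBundleIdentifier")
    raise ValueError(f"{root} is not a bundle: no Info.plist found")


def tcc_reset_command(bundle_path, service="ScreenCapture"):
    """Build the argv that resets one TCC service for one bundle only."""
    # bundle_identifier() raises instead of returning an empty value, so this
    # never degrades to a bare `tccutil reset <service>`, which would clear
    # the permission for every app on the machine.
    return ["tccutil", "reset", service, bundle_identifier(bundle_path)]


def reset_on_uninstall(bundle_path, service="ScreenCapture"):
    """Run the reset; return tccutil's exit status, or None if unavailable."""
    argv = tcc_reset_command(bundle_path, service)
    if shutil.which(argv[0]) is None:  # not macOS, or tccutil not on PATH
        return None
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Usage: python3 reset_tcc.py /path/to/MyAgent.bundle
    print(reset_on_uninstall(sys.argv[1]))
```

Run it from the uninstaller before the bundle is deleted, since the identifier is read from the bundle on disk.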