After installing software, I need to allow it to load in Security & Privacy. How do I do it with a script?

apple.stackexchange https://apple.stackexchange.com/questions/367280

  •  23-05-2021

Question

So I'm working on deploying a piece of software for our organization. I deployed it with JAMF and it seems to work just like expected (exactly like if I installed it manually).

The thing is that after installation finishes, I have to go to Settings -> Security & Privacy, and in the General tab I can see the message:

System software from developer "XXX" was blocked from loading.

If I click the Allow button to the right, it is finished - program runs as expected.

The question is - how do I do it automatically, e.g. with a script? Including the pop-up message just after installation that informs the user that it has to be allowed from settings?

Solution 2

OK, so I have an answer for this, after further investigation.

You can add a vendor to the trusted list at a very low level of the system config. This is done with the command:

spctl kext-consent add VENDORID

There are some issues with it, though, as it isn't very straightforward.

First, you need to get the VENDORID. The easiest way to do it is to get a clean macOS installation. Any will work, but if you have some stuff installed, it may be a little more difficult to find the vendor ID in the list.

Install the program that you need to allow manually. Go to Terminal and run this command:

sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy

It will open the KextPolicy file in sqlite3. You need to run a search (select) query on it:

SELECT * FROM kext_policy;

It should provide you with a list of vendors of 3rd-party software that you might need to add consent for. Each entry starts with a string of capital letters and numbers. I think the length is fixed to 10 characters, but I'm not sure about it. It may look like PXPZ95SK77.

Now, you can add this with the command I mentioned before, so it would be like this:

spctl kext-consent add PXPZ95SK77

The trick is - you can't do it from the running OS! You can either do it manually: reboot your computer into recovery mode (hold Command+R on the keyboard when booting the computer - right after the Apple logo shows up) and access Terminal there. This is the manual way.

The good thing is that JAMF lets you create a script that runs on startup (so you get automation!)

Go to your JAMF dashboard. Management Settings -> Computer Management -> Scripts. Create a new one. In Options, set the priority to At Reboot. My script is as follows:

#!/usr/bin/env bash

# Add the vendor's ID to the kext consent list (replace VENDORID with the real value)
spctl kext-consent add VENDORID

Not sure, but I think that this script doesn't have to be assigned to any computer etc. - it seems to be running on them automatically. But since this is an antivirus that we reckon is standard for all computers in our organization, that is OK with us.

A great source of knowledge was this link, which massively helped me figure this thing out!
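
Added example, not part of the original answer: a Python sketch that reads vendor IDs out of a KextPolicy-style database, checks each against the 10-character format before it is placed in a command line, and emits `spctl kext-consent add` lines only for vendors on an explicit approved list. The column names (`team_id`, `developer_name`, `allowed`), the sample rows and the approved set are assumptions constructed for illustration; the page itself only shows `SELECT * FROM kext_policy;`.

```python
import re
import sqlite3

# Vendor IDs as described in the answer: 10 capital letters/digits (e.g. PXPZ95SK77).
TEAM_ID_RE = re.compile(r"[A-Z0-9]{10}")


def build_sample_db():
    """Constructed stand-in for /var/db/SystemPolicyConfiguration/KextPolicy.
    The column layout is an assumption, not taken from the page."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE kext_policy (team_id TEXT, bundle_id TEXT, "
        "allowed BOOLEAN, developer_name TEXT, flags INTEGER)"
    )
    con.executemany(
        "INSERT INTO kext_policy VALUES (?, ?, ?, ?, ?)",
        [  # constructed sample rows
            ("PXPZ95SK77", "com.example.av.kext", 0, "Example AV Vendor", 0),
            ("PXPZ95SK77", "com.example.av.netfilter", 0, "Example AV Vendor", 0),
            ("ABCDE12345", "com.example.vpn.kext", 1, "Example VPN Vendor", 0),
            ("bad id; rm", "com.example.broken", 0, "Malformed row", 0),
        ],
    )
    return con


def pending_vendors(con):
    """Return {team_id: developer_name} for vendors with a kext not yet allowed."""
    rows = con.execute(
        "SELECT team_id, developer_name FROM kext_policy "
        "WHERE allowed = 0 ORDER BY team_id"
    )
    vendors = {}
    for team_id, name in rows:
        # Reject anything that is not a well-formed ID before it reaches a shell.
        if team_id and TEAM_ID_RE.fullmatch(team_id):
            vendors.setdefault(team_id, name)
    return vendors


def consent_commands(vendors, approved):
    """Emit spctl lines only for IDs that are pending AND explicitly approved."""
    return [f"spctl kext-consent add {tid}" for tid in sorted(vendors) if tid in approved]


if __name__ == "__main__":
    found = pending_vendors(build_sample_db())
    for line in consent_commands(found, approved={"PXPZ95SK77"}):
        print(line)
```

To read a real database instead of the sample, pass `sqlite3.connect()` the KextPolicy path from the answer and confirm the column names first with `PRAGMA table_info(kext_policy);`.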

Other tips

That's the whole point of Gatekeeper. The user needs to manually allow for an application to run or have access to control your computer. Otherwise any malicious application could just grant itself access and permissions to run and control your computer.

Your best option would be creating a Readme.txt file with explicit step-by-step instructions on how to grant access and permissions for that application, to control your computer, in System Preferences.app

The following AppleScript code, in macOS Mojave, will bring you to the System Preferences window where you can address the "If I click the Allow button to the right" issue that you have mentioned.

tell application "System Preferences"
    activate
    tell its pane id "com.apple.preference.security"
        reveal anchor "General"
    end tell
end tell

And this AppleScript code will bring you to where you need to set Accessibility, Full Disk Access, and Automation privileges for the application.

tell application "System Preferences"
    activate
    tell its pane id "com.apple.preference.security"
        reveal anchor "Privacy_Accessibility"
    end tell
end tell
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange