ScreenNudge: A macOS Screen Recording Approval Prompt

It’s time for an adventure in macOS screen recording approval! This is a journey I’ve been on for many years (since early 2020) and the result is the script presented here that I have tweaked and refined over that time period.

Many Mac admins are well aware that as of macOS Catalina, Apple has required explicit end-user input to approve an application’s access to a Mac computer’s screen. This has created a bit of a pain point for admins who want to ensure that screen recording (for remote support apps for example) gets approved BEFORE they need it.

The inability to preapprove screen recording can also result in a frustrating experience for the end-user. Imagine a new employee on their first day, trying to join the Zoom meant for onboarding new employees, only to discover that Zoom requires them to grant access to Screen Recording if they want to share their screen to get assistance from the onboarding team. Now they have to exit the meeting, navigate to the Security & Privacy pane of System Preferences, go to the Privacy tab and locate the appropriate section where they need to grant approval. This can be a lot to ask of some users, particularly those users who are not super savvy or comfortable with the macOS operating system. (This was another one of the reasons for writing this script.)

Because of this, most admins will walk a new employee through the process of approving app access to screen recording on their first day or include it as part of their new employee computer setup documentation. However, as an admin, the more you have to explain and walk someone through a process, the farther you get away from a true “zero touch” deployment.

It was with this in mind that I created a script that would help guide the end-user directly to the System Preferences pane [1] they need and prompt them with appropriate instructions. It includes built-in persistence and will repeat that prompt until the app becomes approved, and then automatically close System Preferences if the user has left the window open. This script is best paired with a PPPC Profile that sets the bundle ID of the application to “Allow Standard User to Approve.” That way, the checkbox can be clicked without requiring the user to unlock the System Preference Pane first, thus removing a step for the end user.

Here’s what it looks like:

ScreenNudge prompt in action. Requesting user to approve Screen Recording.

“Wow, sounds great! Where can I get it?”

– Mac Admins

I’m glad you’re excited! The script can be found here.

Requirements:

  • This script runs on macOS 10.15 or higher. macOS 11 or higher is required for standard user approval (that MDM command was made available in Big Sur).
  • The script works best when the app being targeted is being deployed with a Privacy Profile library item that lets standard users approve Screen Capture. (Available in macOS Big Sur 11+).
  • The MDM agent running this script needs Full Disk Access in order to read the tcc.db and confirm screen recording has been approved. Most MDM agents have this access by default (check the MDM Profile installed on the machine in System Preferences > Profiles), but if your specific MDM does not, you’ll want to grant it access with a PPPC Profile.
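
The approval check and the repeat-until-approved behaviour described above could look like the following. This is an added example, not the ScreenNudge script's own code; the function names, the `TCC_DB` variable, and the database path and column names (`auth_value` on macOS 11+, `allowed` on 10.15) are assumptions about the system TCC database rather than details from this page.

```sh
#!/bin/sh
# Added example, not ScreenNudge's own code. Assumed: the system TCC.db path and
# the "access" table columns used by macOS 10.15 (allowed) and 11+ (auth_value).
TCC_DB="${TCC_DB:-/Library/Application Support/com.apple.TCC/TCC.db}"

# Prints approved | not_approved | not_listed | unreadable | invalid.
# Returns 0 only when Screen Recording is approved for the bundle ID.
# The body is a subshell ( ... ), so its variables do not leak to the caller.
screen_capture_state() (
    bundle_id="$1"; db="${2:-$TCC_DB}"
    # Accept only bundle-ID characters so nothing else reaches the SQL text.
    case "$bundle_id" in
        ''|*[!A-Za-z0-9.-]*) echo "invalid"; return 2 ;;
    esac
    # A missing file, or a caller without Full Disk Access, ends up here or below.
    [ -r "$db" ] || { echo "unreadable"; return 2; }
    # macOS 11+ records the decision in auth_value (2 = allowed);
    # macOS 10.15 used the column "allowed" (1 = allowed).
    if sqlite3 -readonly "$db" "PRAGMA table_info(access);" | grep -q '|auth_value|'; then
        col="auth_value"; ok="2"
    else
        col="allowed"; ok="1"
    fi
    val=$(sqlite3 -readonly "$db" "SELECT $col FROM access
          WHERE service='kTCCServiceScreenCapture' AND client='$bundle_id' LIMIT 1;") \
        || { echo "unreadable"; return 2; }
    if [ -z "$val" ]; then echo "not_listed"; return 1; fi
    if [ "$val" = "$ok" ]; then echo "approved"; return 0; fi
    echo "not_approved"; return 1
)

# Poll until approved or until max_checks is reached; a deployment would show
# its dialog inside the loop. Returns 0 once approved, 1 when checks run out.
wait_for_approval() (
    bundle_id="$1"; max_checks="${2:-10}"; interval="${3:-5}"; n=0
    while [ "$n" -lt "$max_checks" ]; do
        screen_capture_state "$bundle_id" "$4" >/dev/null && return 0
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
)
```

Call it as `screen_capture_state com.example.app` (a placeholder bundle ID) from the MDM agent's context. An `unreadable` result there usually means the agent lacks Full Disk Access, which is the case the requirement above is about.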

Script Notes

While this script was designed with Kandji in mind, it is designed to be plug-and-play for just about any MDM.

I’ve included two options for messaging the end-user leveraging the Kandji CLI or standard osascript, but feel free to add your messaging binary of choice if you prefer using Terminal Notifier, SwiftDialog, or other solutions.

Pro Tip: osascript dialogs look pretty boring and dated these days in macOS, but adding a path to an app icon goes a long way toward making it look less terrible.

All you as the admin need to do is to complete the User Input section of the script. Here is where you’ll define the path to the application, choose the messaging you want to present the dialog, and add an icon.

Here are a few examples:

For Zoom:

appPath="/Applications/zoom.us.app"
appName="Zoom" #Name of app to present in dialog to user
appIcon="/Applications/zoom.us.app/Contents/Resources/ZPLogo.icns" #Path to app icon for messaging
dialogTitle="Screen Recording Approval"
dialogMessage="Please approve screen recording for $appName."

For AnyDesk:

appPath="/Applications/AnyDesk.app"
appName="AnyDesk" #Name of app to present in dialog to user
appIcon="/Applications/AnyDesk.app/Contents/Resources/AppIcon-1.icns" #Path to app icon for messaging
dialogTitle="Screen Recording Approval"
dialogMessage="Please approve screen recording for $appName."

Head on over to GitHub and give it a go! I hope this helps you to improve your onboarding experience and ensure that screen recording gets approved for critical apps like Zoom more reliably.

Troubleshooting

  • It doesn’t seem to be working. How do I troubleshoot? Is there a local log?
    • The script sends logs to stdout as well as unified log. Open Terminal and type
      log show --process "logger" | grep "ScreenNudge" to find the output of the script.
  • I executed the script manually by using an MDM-specific “run now” command and it hangs or requests additional permissions.
    • If the script hangs when being run manually, it could have something to do with some MDM agents being unable to handle multithreading. The script should still execute fine, it’s just the check-in to the MDM service that won’t complete. This issue should only present itself when running manually, not when running as part of normal check-in.
    • Some MDMs will run the policy via Terminal and not via the MDM agent when forced to run manually. If that’s the case, you may want to wait for a normal check-in to test. DO NOT GIVE TERMINAL FULL DISK ACCESS if prompted, or at least don’t let that be the solution you take to production. That is a poor security stance.
  • I’m using Bomgar Jump Client and can’t figure out the app path.
    • It’s in a hidden folder in Applications. /Applications/.com.bomgar.scc.12345/Remote Support Customer Client.app. Replace the numbers in the hidden folder with whatever numbers are unique to your folder structure.

FAQ

  • Okay great, how can I do this for Camera and Microphone?
    • I haven’t discovered a way to do this for Camera and Microphone access in a reliable fashion. The secret to the script above is that deploying a configuration profile to allow standard user to approve screen recording will pre-populate that app and its checkbox in the Screen Recording section of System Preferences.

      Camera and Microphone actually don’t appear in System Preferences until the app is launched and explicitly requests access to them.

References

[1] Learn more about identifying System Preference Panes here.