ScreenNudge: A method to approve macOS Screen Recording

It’s time for an adventure in macOS screen recording approval! This is a journey I’ve been on for many years (since early 2020) and the result is the script presented here that I have tweaked and refined over that time period.

Many Mac admins are well aware that as of macOS Catalina, Apple has required explicit end-user input to approve an application’s access to a Mac computer’s screen. This has created a bit of a pain point for admins who want to ensure that screen recording (for remote support apps for example) gets approved BEFORE they need it.

The inability to preapprove screen recording can also result in a frustrating experience for the end-user. Imagine a new employee on their first day, trying to join the Zoom meant for onboarding new employees, only to discover that Zoom requires them to grant access to Screen Recording if they want to share their screen to get assistance from the onboarding team. Now they have to exit the meeting, navigate to the Security & Privacy pane of System Preferences, go to the Privacy tab and locate the appropriate section where they need to grant approval. This can be a lot to ask of some users, particularly those users who are not super savvy or comfortable with the macOS operating system. (This was another one of the reasons for writing this script).

Because of this, most admins will walk a new employee through the process of approving app access to screen recording on their first day or include it as part of their new employee computer setup documentation. However, as an admin, the more you have to explain and walk someone through a process, the farther you get away from a true “zero touch” deployment.

It was with this in mind that I created a script that would help guide the end-user directly to the System Preferences pane they need and prompt them with appropriate instructions. It includes built-in persistence and will repeat that prompt until the app becomes approved, and then automatically close System Preferences if the user has left the window open. This script is best paired with a PPPC Profile that sets the bundle ID of the application to “Allow Standard User to Approve.” That way, the checkbox can be clicked without requiring the user to unlock the System Preference Pane first, thus removing a step for the end user.

Here’s what it looks like:

ScreenNudge prompt in action. Requesting user to approve Screen Recording.

“Wow, sounds great! Where can I get it?”

– Mac Admins

I’m glad you’re excited! The script can be found here.

Requirements:

  • This script runs on macOS 10.15 or higher. macOS 11 or higher is required for standard user approval (that MDM command was made available in Big Sur.)
  • The script works best when the app being targeted is being deployed with a Privacy Profile library item that lets standard users approve Screen Capture. (Available in macOS Big Sur 11+).
  • The MDM agent running this script needs Full Disk Access in order to read the tcc.db and confirm screen recording has been approved. Most MDM agents have this access by default (check the MDM Profile installed on the machine in System Preferences > Profiles), but if your specific MDM does not, you’ll want to grant it access with a PPPC Profile.
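
The approval check described in the last requirement can be sketched as follows. This is an added example, not the ScreenNudge script: the function names and the com.example.* bundle IDs are made up for illustration, and the table and column names are the TCC.db layout as observed on Catalina and Big Sur+, which Apple does not document.

```shell
#!/bin/sh
# Added example, not the ScreenNudge script. Schema names are as observed on
# Catalina and Big Sur+; Apple does not document the TCC.db layout.
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"

# screen_capture_state DB BUNDLE_ID -> prints allowed | denied | not-recorded
screen_capture_state() {
    db=$1
    bundle_id=$2
    # The bundle ID is placed in SQL text, so accept only bundle ID characters.
    case $bundle_id in
        '' | *[!A-Za-z0-9.-]*) echo "invalid bundle id" >&2; return 2 ;;
    esac
    # Big Sur+ stores auth_value (2 = allowed); Catalina stores allowed (1).
    if sqlite3 -readonly "$db" 'PRAGMA table_info(access);' | grep -q '|auth_value|'; then
        col=auth_value granted=2
    else
        col=allowed granted=1
    fi
    # Fails (return 2) when the caller lacks Full Disk Access to read the file.
    val=$(sqlite3 -readonly "$db" "SELECT $col FROM access
        WHERE service='kTCCServiceScreenCapture' AND client='$bundle_id'
        LIMIT 1;") || return 2
    if [ -z "$val" ]; then
        echo not-recorded      # no Screen Recording row for this app yet
    elif [ "$val" -eq "$granted" ]; then
        echo allowed
    else
        echo denied            # listed in the pane but not ticked
    fi
}

# Build a constructed sample database; $2 is the column name for that OS era.
make_sample_db() {
    if [ "$2" = auth_value ]; then ok=2; else ok=1; fi
    sqlite3 "$1" "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, $2 INTEGER);
        INSERT INTO access VALUES ('kTCCServiceScreenCapture','com.example.remotesupport',0,$ok);
        INSERT INTO access VALUES ('kTCCServiceScreenCapture','com.example.unticked',0,0);
        INSERT INTO access VALUES ('kTCCServiceMicrophone','com.example.miconly',0,$ok);"
}
```

On a managed Mac the call would be `screen_capture_state "$TCC_DB" <bundle id>`, run as the MDM agent so the read succeeds.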

How to identify the Bundle ID for macOS and iOS applications

It’s time for an adventure in app bundle identification!

As a Mac admin there are times where you need to find the Bundle ID of a macOS or iOS application. This might be for an app config, if you’re blocking an app by its bundle ID (oftentimes more reliable than using a file path), or if you’re configuring PPPC Profiles for an application.

Finding macOS App Bundle IDs

Method 1 – Using Terminal

Finding an app’s Bundle ID on the Mac is pretty straightforward. All you have to do is open Terminal and enter the following command:

codesign -dr - /path/to/yourapp.app

Pro Tip: You can drag and drop your app into Terminal right after the codesign -dr - to get the full path of the application.

It will spit out both the certificate leaf and the Bundle ID. I mention this method first because usually when admins are trying to look up a Bundle ID it’s for creating a PPPC Profile, and that usually requires the certificate leaf as well.

In the example output below I can see the Bundle ID for Brave Browser is com.brave.Browser

Everything past the designated => will be your certificate leaf, which you’ll need if you’re building a PPPC (Privacy Preferences Policy Control) Profile.

$ codesign -dr - "/Applications/Brave Browser.app"

Executable=/System/Volumes/Data/Applications/Brave Browser.app/Contents/MacOS/Brave Browser
designated => identifier "com.brave.Browser" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
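
When the lookup is scripted, the same output can be split into the two values a PPPC payload needs, with a cross-check against the Info.plist method covered next. This is an added example, not code from the original post; `pppc_values` is a hypothetical helper name, and the ad-hoc sample uses a placeholder hash.

```shell
#!/bin/sh
# Added example (not the blog author's code). Reads `codesign -dr -` output on
# stdin and prints "<identifier><TAB><requirement>" for a PPPC payload.
# $1 (optional): CFBundleIdentifier read from Info.plist, used as a cross-check.
pppc_values() {
    expected_id=${1:-}
    # Keep only the requirement text after "designated => ".
    req=$(sed -n 's/^designated => //p' | head -n 1)
    if [ -z "$req" ]; then
        echo "no designated requirement (unsigned or unreadable app)" >&2
        return 1
    fi
    # The signing identifier is the quoted string after the word "identifier".
    id=$(printf '%s\n' "$req" | sed -n 's/.*identifier "\([^"]*\)".*/\1/p')
    if [ -z "$id" ]; then
        # e.g. an ad-hoc signature, whose requirement is only a cdhash and
        # would stop matching as soon as the binary changes
        echo "requirement names no identifier: $req" >&2
        return 2
    fi
    if [ -n "$expected_id" ] && [ "$id" != "$expected_id" ]; then
        echo "signing identifier $id does not match Info.plist $expected_id" >&2
        return 3
    fi
    printf '%s\t%s\n' "$id" "$req"
}

# Constructed sample input, copied from the output shown in the post.
SAMPLE_OUTPUT='Executable=/System/Volumes/Data/Applications/Brave Browser.app/Contents/MacOS/Brave Browser
designated => identifier "com.brave.Browser" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */'

# Constructed sample of an ad-hoc signed binary (placeholder hash).
SAMPLE_ADHOC='Executable=/usr/local/bin/example-tool
designated => cdhash H"0000000000000000000000000000000000000000"'

# On a Mac (2>&1 captures the text whichever stream codesign writes it to):
#   app="/Applications/Brave Browser.app"
#   plist_id=$(/usr/libexec/PlistBuddy -c 'Print CFBundleIdentifier' "$app/Contents/Info.plist")
#   codesign -dr - "$app" 2>&1 | pppc_values "$plist_id"
```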

Method 2 – Info.plist

You can also find an app’s Bundle ID by inspecting its package contents. Right-click on the app you want to retrieve the bundle ID for and choose Show Package Contents.

Inside the Contents folder is an Info.plist. This will contain a CFBundleIdentifier key containing the Bundle ID in its key value.

If you want to script the identification of a Bundle ID, you can also read the CFBundleIdentifier key value pair with a piece of code using something like PlistBuddy or other tools that can read plists:

$ /usr/libexec/PlistBuddy -c 'Print CFBundleIdentifier' "/Applications/Brave Browser.app/Contents/Info.plist"

com.brave.Browser

Finding iOS App Bundle IDs

What about iOS/iPadOS/tvOS Apps though? Finding the bundle ids for those doesn’t have to be hard. The easy way is to use one of the following websites:

https://offcornerdev.com/bundleid.html
http://appsearch.co/

If you can’t find what you’re looking for using the above options, you may have to look for the Bundle ID yourself. Navjot Virk has a great post on how to find a bundle ID of an iOS app.

Identifying System Preferences Panes

It’s time for an adventure in identifying macOS System Preferences Panes!

In my previous post I talked about the different ways that admins can deep-link to specific System Preference Panes, but how do you identify those panes and how do you even know if the pane itself supports url scheme linking?

Note: This post is relevant to macOS Monterey and earlier. If you're looking for more information on macOS Ventura's System Settings, check out that blog post here.

Identifying Pane Name & Anchors

How did I discover the url schemes for those panes and how can you do it as well? I’m glad you asked!

You can find the pane and associated deeplink anchors with just a little bit of applescript.

  1. Paste the code below into Script Editor.app (located in /Applications/Utilities)
  2. Open System Preferences to the exact pane that you want to identify, and run the script.
  3. It will output the name of the current pane and any associated anchors.

-- Open System Preferences.app and click into desired pane/setting. Then, run this script to find out name (Pane ID) and any anchors.

tell application "System Preferences"
	set AppleScript's text item delimiters to ", "
	set CurrentPane to the id of the current pane
	get the name of every anchor of pane id CurrentPane
	set CurrentAnchors to get the name of every anchor of pane id CurrentPane
	set the clipboard to CurrentPane
	display dialog "Current Pane ID: " & CurrentPane & return & return & "Pane ID has been copied to the clipboard." & return & return & "Current Anchors: " & return & (CurrentAnchors as string)
end tell

You’ll get an output like this and the pane id will be copied to your clipboard:

System Preferences Pane ID and Anchors

Now unfortunately, sometimes this doesn’t capture ALL anchors that you can deeplink to (really I’ve only found it problematic with the Security & Privacy pane).

If you find some anchors/sections missing, you may want to dig into the preference pane itself and see if there’s any bits of code that reference available options. For example, the script above when run against the Security & Privacy Pane doesn’t return any options for the Input Monitoring section. However, I can open /System/Library/PreferencePanes/Security.prefPane/Contents/Resources/PrivacyTCCServices.plist and see the key value I’m looking for (and what that section is actually called) is ListenEvent.

Identifying if the pane supports URLScheme.

Not all Preference Panes support URLScheme. For those that don’t, you can accomplish the same action of opening the pane with Applescript in most instances. But how do you know if a specific pane supports a URLScheme? Let’s explore.

Most of the preference panes themselves are located within /System/Library/PreferencePanes/.

Here’s how to find if the pane supports url schemes:

  1. Open Finder and Go To /System/Library/PreferencePanes
  2. Right click on the pane you want to inspect and choose Show Package Contents
  3. Open the Contents > Info.plist. If the pane supports the url scheme, you’ll see NSPrefPaneAllowsXAppleSystemPreferencesURLScheme=1

System Preferences Pane URLScheme support

If the pane DOES support a url scheme, then you can use the open command + URLschemes listed here. If it does not, and you still want to open the pane via script, you could do so using Applescript.

Hope this was helpful! Happy scripting!

Scripting System Preferences Panes

Join me on an adventure in discovering how to use scripts to open nearly every single aspect of the macOS System Preferences Pane!

Mac admins and developers may at some point in their careers find themselves needing to script the opening of macOS System Preferences panes, either for automation or other tasks like presenting a specific pane to a user to click or configure.

The URL Scheme introduced in 10.10 (and refined/restricted in 10.11) makes it easy to not only open specific System Preference Panes, but to deep link to specific sections of those panes with precision. Apple seems to be adding new urls and anchors to System Preferences with each macOS release, so this will continue to be a useful tool to have in your macadmin tool belt.

So how can you automatically open specific System Preferences panes in your scripts? I’m glad you asked! Let’s dive in…


The open command

It’s time for adventures in the open command!

Most admins know the open command. They’ll use it in bash scripts or as part of an item in Self Service to open a file, an application, a URL, or a System Preference Pane (among other things). However there are quite a few additional features beyond the surface level open command that a lot of admins aren’t aware of, so I’d like to share those with you now.

Let’s take a look at a few basic examples of the open command below:


File
open /path/to/file.pdf

Application
open "/Applications/Brave Browser.app"

URL
open https://google.com

System Preference Pane
open "/System/Applications/System Preferences.app"

As Brett Terpstra points out in this excellent post, there’s a host of extra options and flags available when using the open command.

Let’s say you want to open a file or a url with a specific app. Maybe you have an internal company url that only works with Chrome and you want to make sure that your script or Self Service item that opens that site always opens in the Chrome browser. Or perhaps you’re deploying a pdf with certain features that only work inside of Adobe Acrobat Reader. You can use the -a flag to specify a specific application by name or -b to specify a specific application by its bundle identifier.

Let’s expand on a few of our original examples:

File
open -a "Adobe Acrobat Reader DC" /path/to/file.pdf
open -b com.adobe.Reader /path/to/file.pdf

URL
open https://google.com
open -a "Brave Browser" https://google.com
open -b com.apple.Safari https://google.com

In the examples above, I can make sure that the PDF I am opening doesn’t default to the macOS Preview.app, but instead opens in Adobe Acrobat Reader. Or in the case of urls, I can specifically open the url in Brave Browser or Safari simply by calling on the application name or bundle id.

Unsure how to find an app’s bundle identifier? Open Terminal and type:
codesign -dr - /Applications/appname.app to get its identifier.

$ codesign -dr - /System/Volumes/Data/Applications/Brave\ Browser.app

Executable=/System/Volumes/Data/Applications/Brave Browser.app/Contents/MacOS/Brave Browser
designated => identifier "com.brave.Browser" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */

In the example above, I can see that com.brave.Browser is the bundle identifier.

These are some useful tricks that Mac admins can leverage to add application specificity to their scripts when opening files or URLs. There are a few other tricks that Brett covers, so be sure to go check out his post.


Hello world!

My name is Brian and I have been working with macs for well over a decade both in my personal and professional life. While I did not discover Apple until college, once I did I was hooked! After graduation I found myself working in tech and have spent the last 8+ years of my career engineering and managing Apple devices for various companies.

The mac admin community is a special one, and I created this blog to help share my own journey and adventures through the Apple ecosystem and in managing Apple devices. My aim is to give back to the community in some way, and I hope you find some of the posts here helpful.