Scripts blocked by Apple Security, (JSON Helper as example)

I manage AppleScripts for around 40 users. We just changed a lot of environment parameters and I have trouble with Apple Security. I am confused about what is happening here.

We were using Mojave and using MySQL to communicate with databases. Also Satimage and XMLLib in addition to our own Script Libraries.

Everything rewritten to use JSON Helper, curl/PHP and MariaDB. RegExAndStuff replaced Satimage. Tiny XML-files handled with System Events XML, and larger XML-stuff with AppleScriptObjC. Pashua for dialogs. Homebrew for PHP, Python, MariaDB, ImageMagick etc… We then moved to Monterey.

So many things have changed.

No such problems on Mojave, but under Monterey some scripts fail on some Macs. Randomly, or sometimes nearly always. A script that has run fine every day for weeks may suddenly start to fail. On one or two of my users. But running just fine for others. Fail, as in just choked – without any dialog.

I am quite sure the problem is related to Apple TCC Security. Running the scripts from Script Debugger always works, but they may (or may not) fail silently when run either as Script Applications or as script files from i.e. InDesign's Script Panel.

Strange thing is that if I try many times, they will sometimes execute just fine. Say if I run a script 10 times in a row it may execute on 3rd, 5th and 9th attempt. On the rest it is stopped by Apple Security:

Example log when it is stopped by TCC:

2022-10-10 10:07:08.339026+0200 0x1e15159 Error 0x1688bed 19803 0 tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={<TCCDProcess: identifier=com.vidblishen.jsonhelper, pid=35329, auid=502, euid=502, binary_path=/Applications/JSON Helper.app/Contents/MacOS/JSON Helper>}, requesting={<TCCDProcess: identifier=com.vidblishen.jsonhelper, pid=35329, auid=502, euid=502, binary_path=/Applications/JSON Helper.app/Contents/MacOS/JSON Helper>},

But it does only happen randomly to some scripts, on only some Macs (and other scripts using JSON Helper run just fine on the same Mac). It is difficult to debug as it will always run from Script Debugger.

If this is “security” why is it so random? How can I bless JSON helper to be always allowed to run?

I have tried to give JSON Helper “Full Disk Access” in the security pane, but to no avail. It has no quarantine xattr. Tried version 1.11 and 1.2.

I have tried to reset the TCC database for AE, “tccutil reset AppleEvents”
and also a total reset; “tccutil reset SystemPolicyAllFiles”
This seems to work some of the time on some Macs, but is no silver bullet. It is also highly annoying for users as every prompt is reset. (Hello Windows Vista!)

My scripts and own libraries are all code signed, but not notarized.
I have not code signed RegExAndStuff (should I?)

I have around 50 different scripts, with some executed 100s of times each day. I guess they run just fine about 95% of the time. But then suddenly, for some random user one of them starts to fail often.

Anyone else seeing this? Any suggestions on what I can do?
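For triaging denials like the one quoted in the post above, the following is an added example (not part of the thread and not code from any poster) that parses tccd "requires entitlement ... but it is missing" lines and counts them per binary and entitlement. The field layout is assumed from the single log line quoted above; `OTHER_LINE` is a constructed non-matching line.

```python
import re
from collections import Counter

# Log line quoted in the post above (tccd, subsystem com.apple.TCC).
PAGE_LINE = (
    "2022-10-10 10:07:08.339026+0200 0x1e15159 Error 0x1688bed 19803 0 tccd: "
    "[com.apple.TCC:access] Prompting policy for hardened runtime; service: "
    "kTCCServiceAppleEvents requires entitlement "
    "com.apple.security.automation.apple-events but it is missing for "
    "accessing={<TCCDProcess: identifier=com.vidblishen.jsonhelper, pid=35329, "
    "auid=502, euid=502, binary_path=/Applications/JSON Helper.app/Contents/"
    "MacOS/JSON Helper>}, requesting={<TCCDProcess: "
    "identifier=com.vidblishen.jsonhelper, pid=35329, auid=502, euid=502, "
    "binary_path=/Applications/JSON Helper.app/Contents/MacOS/JSON Helper>},"
)
# Constructed sample: an unrelated tccd message that must not match.
OTHER_LINE = ("2022-10-10 10:07:09.000000+0200 0x1 Default 0x0 19803 0 tccd: "
              "[com.apple.TCC:access] constructed unrelated message")

MISSING = re.compile(
    r"^(?P<ts>\S+ \S+) .*?tccd: .*?service: (?P<service>\S+) requires "
    r"entitlement (?P<entitlement>\S+) but it is missing for "
    r"accessing=\{<TCCDProcess: (?P<proc>.*?)>\}"
)
# key=value pairs separated by ", "; values (paths) may contain spaces.
FIELD = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")

def parse_missing_entitlement(line):
    """Return details of a missing-entitlement denial, or None if no match."""
    m = MISSING.search(line)
    if not m:
        return None
    proc = dict(FIELD.findall(m.group("proc")))
    return {
        "timestamp": m.group("ts"),
        "service": m.group("service"),
        "entitlement": m.group("entitlement"),
        "identifier": proc.get("identifier"),
        "pid": int(proc["pid"]) if proc.get("pid", "").isdigit() else None,
        "binary_path": proc.get("binary_path"),
    }

def summarize(lines):
    """Count denials per (identifier, binary_path, entitlement)."""
    counts = Counter()
    for line in lines:
        hit = parse_missing_entitlement(line)
        if hit:
            counts[(hit["identifier"], hit["binary_path"], hit["entitlement"])] += 1
    return counts
```

The binary path it reports is the one whose signature can then be inspected with `codesign -d --entitlements - <path>`.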

I wish I had something useful to add, other than that I feel your pain.

What about replacing JSON Helper with ASObjC code?

Thank you for reading, Shane. And thank you for your suggestion.

My problem with going with ASObjC is that I might get the code to work, but I am probably not able to debug properly if problems arise. I am also considering replacing it with jq.

However I used JSON Helper as an example. I am not sure it is the actual culprit, but I must read more logs to find out. I think the issue is with Apple Security.
I have also similar experience with RegexAndStuffLib; suddenly a script cannot understand some command from it. Looking very much like the lib is not loaded. Suppressed from loading by TCC?

“NSRegularExpression does not understand «regularExpressionWithPattern_options_error_» error -1708.” is one of them.

Out of thin air. But again; if I run the script from Script Debugger it works. And if I save a script twice, one as a Script Application and the other as a script file one of them might get the above error while the other runs just fine.

One thing I would love to get your advice on though: should I codesign RegexAndStuffLib?
All my other scripts and libs are signed.

And also I wonder: does my description sound familiar, or is this only me doing something stupid again?

[I have noticed that scripts seem to be slightly more robust against problems if I use Script Debugger 7 and not 8. Also, copying the code into a new document before saving might give better odds. This may also very well just be my imagination]

Sorry for the length.

Håvard

Unfortunately these intermittent errors have become a fact of life. Sometimes ASObjC is not loaded, and there’s just no logic to it. I don’t think it’s a TCC issue, but it’s just as painful.

Thank you Shane!

It is very helpful to know that that one is not related.
I am following your advice on replacing JSON Helper with ASObjC.

Håvard

“…there’s just no logic to it” → AppleScript has finally passed the Turing test.