SIP on Sierra blocks changes to the accessibility database #51

Open
hb3b opened this Issue Jan 30, 2017 · 7 comments

hb3b commented Jan 30, 2017

ERROR: OperationalError: attempt to write a readonly database

uurazzle commented Jan 30, 2017

Hello hb3b:

Here is a workaround for the issue...

sudo launchctl unload /System/Library/LaunchDaemons/com.apple.locationd.plist
sudo /usr/libexec/PlistBuddy -c "Set :com.apple.locationd.bundle-/System/Library/PrivateFrameworks/AssistantServices.framework:Authorized true" /var/db/locationd/clients.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.locationd.plist

uurazzle commented Jan 30, 2017

dhoer commented Feb 12, 2017

uurazzle commented Feb 13, 2017

Currently, with macOS Sierra, you have a couple of options: modify the TCC database while booted from another system, like during imaging (others are doing this), or disable SIP temporarily to make changes, like using a NetInstall to disable/enable SIP and make modifications to the TCC database when SIP is disabled. I would recommend sending Apple feedback to include the ability to set items like this via Configuration Profiles.

uurazzle commented Feb 14, 2017

FYI:

Here is one workaround for the SIP restrictions; not sure this will work for your environment or system management, but...

  • Boot to Recovery HD
  • From Terminal, run the following commands:
    $ cd /Volumes/Macintosh\ HD/Library/Application\ Support/
    $ cp -R com.apple.TCC TCC
    $ rm -r com.apple.TCC
    $ mv TCC com.apple.TCC
    $ reboot

Once rebooted, no restrictions will be on the TCC.db even while SIP is enabled.

You might be able to create a NetInstall script that does the above steps that could be included in an imaging process.

Hope this helps.

dhoer commented Feb 15, 2017

Thank you for the help!

uurazzle commented Feb 15, 2017

Note, this workaround might go away in a future OS upgrade. I would recommend filing a radar to support this functionality using a configuration profile. It's because the folder in question is only set one time via rootless.conf and it's not part of the current core of perpetually protected paths. So if you strip the flag post OS install, then it stays stripped. A major or minor OS update in the future can repair/re-set it.

https://pbs.twimg.com/media/C4qki5zVMAAKLMf.jpg
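
An audit check for the state described in the last comments, where SIP reports enabled but the TCC folder no longer carries the protection flag. This is an added example, not code from the thread or the project. It assumes `ls -ldO` prints file flags in the fifth column and that `csrutil status` prints a line containing "status: enabled"; the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect a TCC directory that has lost
# the SIP "restricted" file flag while SIP itself still reports enabled.
TCC_DIR="/Library/Application Support/com.apple.TCC"

# Print the flags column (5th field) of one `ls -ldO` output line.
flags_from_ls() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Succeed if a comma-separated flag list contains "restricted".
has_restricted() {
    case ",$1," in
        *,restricted,*) return 0 ;;
        *) return 1 ;;
    esac
}

# verdict CSRUTIL_LINE LS_LINE
# Prints UNKNOWN, SIP_DISABLED, PROTECTED or FLAG_STRIPPED.
verdict() {
    # Missing input (tool absent, directory not found) is not a finding.
    if [ -z "$1" ] || [ -z "$2" ]; then echo UNKNOWN; return 0; fi
    case "$1" in
        *"status: enabled"*) ;;
        *) echo SIP_DISABLED; return 0 ;;
    esac
    if has_restricted "$(flags_from_ls "$2")"; then
        echo PROTECTED
    else
        echo FLAG_STRIPPED
    fi
}

# Constructed sample lines, so the logic can be exercised off a Mac.
SIP_ON='System Integrity Protection status: enabled.'
LS_INTACT='drwxr-xr-x  4 root  wheel  restricted 136 Jan 30 09:12 com.apple.TCC'
LS_STRIPPED='drwxr-xr-x  4 root  wheel  - 136 Feb 14 10:03 com.apple.TCC'

if [ "$(uname -s)" = "Darwin" ]; then
    # Live check on macOS: read the real SIP status and directory flags.
    verdict "$(csrutil status 2>/dev/null)" "$(ls -ldO "$TCC_DIR" 2>/dev/null)"
else
    verdict "$SIP_ON" "$LS_INTACT"
    verdict "$SIP_ON" "$LS_STRIPPED"
fi
```

A `FLAG_STRIPPED` result on a managed Mac means the accessibility database can be written with SIP still enabled, so a `csrutil status` check alone will not surface it.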
