It’s time for an adventure in macOS screen recording approval! This is a journey I’ve been on for many years (since early 2020) and the result is the script presented here that I have tweaked and refined over that time period.
Many Mac admins are well aware that as of macOS Catalina, Apple has required explicit end-user input to approve an application’s access to a Mac computer’s screen. This has created a bit of a pain point for admins who want to ensure that screen recording (for remote support apps for example) gets approved BEFORE they need it.
The inability to preapprove screen recording can also result in a frustrating experience for the end-user. Imagine a new employee on their first day, trying to join the Zoom meant for onboarding new employees, only to discover that Zoom requires them to grant access to Screen Recording if they want to share their screen to get assistance from the onboarding team. Now they have to exit the meeting, navigate to the Security & Privacy pane of System Preferences, go to the Privacy tab and locate the appropriate section where they need to grant approval. This can be a lot to ask of some users, particularly those users who are not super savvy or comfortable with the macOS operating system. (This was another one of the reasons for writing this script).
Because of this, most admins will walk a new employee through the process of approving app access to screen recording on their first day or include it as part of their new employee computer setup documentation. However, as an admin, the more you have to explain and walk someone through a process, the farther you get away from a true “zero touch” deployment.
It was with this in mind that I created a script that would help guide the end-user directly to the System Preferences pane1 they need and prompt them with appropriate instructions. It includes built-in persistence and will repeat that prompt until the app becomes approved and then automatically close System Preferences if the user has left the window open. This script is best paired with a PPPC Profile that sets that bundleid of the application to “Allow Standard User to Approve.” That way, the checkbox can be clicked without requiring the user to unlock the System Preference Pane first, thus removing a step for the end user.
Here’s what it looks like:
“Wow, sounds great! Where can I get it?”
– Mac Admins
I’m glad you’re excited! The script can be found here.
Requirements:
- This script runs on macOS 10.15 or higher. macOS 11 or higher is required for standard user approval (that MDM command was made available in Big Sur.)
- The script works best when the app being targeted is being deployed with a Privacy Profile library item that lets standard users approve Screen Capture. (Available in macOS Big Sur 11+).
- The MDM agent running this script needs Full Disk Access in order to read the tcc.db and confirm screen recording has been approved. Most MDM agents have this access by default (check the MDM Profile installed on the machine in System Preferences > Profiles), but if your specific MDM does not, you’ll want to grant it access with a PPPC Profile.