Enable Safari Remote Automation on SIP-enabled macOS 14/15 workers#1152
Open
rcurranmoz wants to merge 10 commits intomasterfrom
Conversation
Contributor
rcurranmoz
commented
Mar 26, 2026
- Replace bash-wrapped osascript with a direct LaunchAgent that runs osascript on an applescript file, avoiding TCC attribution to bash
- Add safari-enable-remote-automation.applescript and com.mozilla.safari.enableautomation.plist as new deployment artifacts
- Update macos_safaridriver::init to bootstrap the LaunchAgent into gui/<uid> on Darwin 23/24 and poll for the semaphore file
- Remove system TCC DB sqlite3 writes from tcc_perms.sh and add_tcc_perms.sh on macOS 14/15 (system DB is SIP-protected/read-only)
- Add org.mozilla.ci-tcc-pppc.mobileconfig for upload to SimpleMDM as a Custom Configuration Profile to supply system-level TCC grants
macOS 12+ requires the string key Authorization: Allow rather than the boolean Allowed: true in PPPC payload entries. The old format caused ErrorCode 22 (invalid value) when pushed via SimpleMDM. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
StaticCode is not a valid PPPC payload key and was causing ErrorCode 22 on install. Also removed SystemPolicyDesktopFolder to reduce surface area while iterating on getting the core services to install cleanly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ScreenCapture is not a valid PPPC service key on macOS 15 — every entry format tried (Authorization:Allow, Allowed:true) results in ErrorCode 22. Confirmed via binary search on macmini-m4-184 (15.3). Working services: SystemPolicyAllFiles, Accessibility, AppleEvents. ScreenCapture grants for bash/Terminal must be handled separately (user DB fallback for start-worker already in tcc_perms.sh). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Previously the plist was deployed to ~/Library/LaunchAgents/ which caused launchd to auto-load the LaunchAgent when cltbld logged in after the first reboot — before puppet had written the user TCC DB entries. This resulted in osascript hitting a TCC permission prompt and blocking indefinitely. Fix: store the plist at /usr/local/lib/ so launchd never auto-loads it. Only puppet bootstraps it, and only after the perms script succeeds. Also remove any previously deployed plist from ~/Library/LaunchAgents/. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The applescript creates an empty semaphore file at startup as a lock, then writes '1' on success. The puppet unless condition only checked file existence, so a failed run left an empty semaphore that prevented puppet from ever retrying. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The perms script (add_tcc_perms.sh) was refreshonly, meaning it only ran when the file changed. On first run the TCC DB didn't exist so it failed; on subsequent runs the file was unchanged so it never re-ran, leaving the osascript TCC entries unwritten. Replace with an unless condition that checks if the osascript AppleEvents entry is present in cltbld's TCC DB, so it re-runs whenever entries are missing regardless of whether the file changed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
BlackHole pkg install fails on fresh macOS 15 machines; comment out from both m4 and m4-staging roles until the install issue is fixed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The exec command polled with `test -f semaphore` which would return success immediately if the semaphore file existed but was empty (written by the applescript at startup before GUI interaction completes). This caused false success when a prior failed run left an empty semaphore. Also increase the poll timeout from 60s to 120s to give the applescript sufficient margin — it has ~50s of programmed delays alone. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
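The semaphore race described in the commit messages above (an empty file written at applescript startup satisfying a bare `test -f`, so a failed run was reported as success) is easy to reproduce in a poll helper. The POSIX sh below is an added example, not code from this PR or from the ronin_puppet repository: it shows a poll that only succeeds when the semaphore file exists and contains exactly `1`, with a timeout so a hung run fails rather than blocks. The function names, the argument order and the default 120 s timeout are assumptions of this example; the semaphore path would be whatever the LaunchAgent writes.

```shell
#!/bin/sh
# Added example (not from the PR): poll a semaphore file the way the fixed
# puppet exec should. An EMPTY file means "still running, or a prior run died
# before writing its result"; only a file whose content is "1" means success.

# semaphore_ready FILE
# Returns 0 only when FILE exists and its content is exactly "1".
# $(cat ...) drops a trailing newline, so "1\n" from an applescript `write`
# is accepted too; an empty or missing file, or any other value, fails.
semaphore_ready() {
    [ -f "$1" ] || return 1
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# wait_for_semaphore FILE [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Polls until semaphore_ready succeeds or TIMEOUT_SECONDS elapse.
# Returns 0 on success, 1 on timeout (so puppet marks the exec failed and
# the `unless` check retries on the next run instead of recording a false pass).
wait_for_semaphore() {
    file=$1
    timeout=${2:-120}   # assumed default; matches the 120s chosen in the PR
    interval=${3:-1}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if semaphore_ready "$file"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Optional demo: run with --demo to see the empty-file case fail and the
# "1" case succeed, using a constructed temporary semaphore.
if [ "${1-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    : > "$demo_dir/semaphore"          # empty file, as written at startup
    if wait_for_semaphore "$demo_dir/semaphore" 2 1; then
        echo "unexpected: empty semaphore treated as success"
    else
        echo "empty semaphore correctly rejected after timeout"
    fi
    printf '1' > "$demo_dir/semaphore" # what the script writes on success
    wait_for_semaphore "$demo_dir/semaphore" 2 1 && echo "semaphore ready"
    rm -rf "$demo_dir"
fi
```

Used as the puppet exec's `command`, this replaces the `test -f` poll; the matching `unless` condition should call `semaphore_ready` rather than `test -f` for the same reason, otherwise an empty leftover file still prevents a retry.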
aerickson
approved these changes
Apr 7, 2026
Member
aerickson
left a comment
LGTM, just one note about inventory.
| - macmini-m4-114.test.releng.mdc1.mozilla.com | ||
| - macmini-m4-115.test.releng.mdc1.mozilla.com | ||
| - macmini-m4-126.test.releng.mdc1.mozilla.com | ||
| - macmini-m4-127.test.releng.mdc1.mozilla.com |
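Review bot: the removal of the four macmini-m4-1xx.test.releng.mdc1.mozilla.com entries looks out of scope for the Safari Remote Automation change listed in the PR description, and neither the description nor any commit message says why these hosts leave the inventory. Either move this hunk into its own PR or add a line to the description stating the reason for the removal, so the inventory history stays traceable.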
Member
Double checking you want inventory changes in here.