OS X: Using AppleScript with Accessibility and Security features in Mavericks

OS X Mavericks includes changes to how AppleScript works with Accessibility and Security.

This article has been archived and is no longer updated by Apple.

For security reasons, OS X Mavericks does not use a single setting to enable or disable Accessibility features system-wide (such as the “Enable access for assistive devices” checkbox used in previous versions of OS X). Applications, including AppleScript scripts and apps (“applets”), must be individually authorized to use Accessibility using the Security & Privacy preference pane in System Preferences.

Using GUI Scripting

If you are using GUI scripting with AppleScript, you may be prompted that a process does not have the necessary privileges to allow access to your computer. Follow these steps to activate GUI scripting:

  1. Run your GUI-based AppleScript as you normally would.
  2. When the "not allowed assistive access" alert appears, click OK.
    osax alert
  3. Another prompt should appear indicating which process wants access to control the computer. For example, you may see "AppleScript Editor would like to control this computer" if you run your GUI script from AppleScript Editor. You might see "SystemUIServer" if you select the same script from the Script menu instead. 

    Click the "Open System Preferences" button in this alert message if you want to grant this script access.
    system UI alert
  4. OS X opens the Security and Privacy pane of System Preferences. This is where you grant access for apps to control your computer. To grant access, you'll need administrator credentials.
  5. Click the lock icon in the lower left corner of the Security and Privacy pane and enter an admin name and password when prompted.
  6. Make sure the checkbox next to the process requesting access is selected.
    privacy preferences
  7. Close the System Preferences window.

You should now be able to use the GUI script on your Mac. If you run your script using multiple methods (Terminal, AppleScript Editor, Script menu) you may be prompted to grant access to each method.

This setting is system-wide. You should only authorize for Accessibility scripts and applets that come from a source that you trust. To disable GUI scripting for all users, deselect the options for each script-related process in the Privacy pane of the Security and Privacy preferences.

Signing AppleScript applets

In OS X Mavericks, AppleScript applications ("applets") that use Accessibility features may ask for the same information each time you use them, appearing not to remember the settings you previously entered.

By default, applets that use Accessibility features in OS X Mavericks do not save their properties when run. Applets that save their properties modify their own contents to save the information. This self-modification makes the applet appear to OS X as a different app each time it is executed. This is what triggers the authorization process repeatedly.

If you have an applet that requires both Accessibility and persistent property values, follow these instructions to sign it so that it works without requiring repeated re-authorization.

Important: Signing an applet using the following method introduces a security vulnerability that could allow malicious software to use Accessibility without user permission.

Download and install a related property list file

  1. Option-click, right-click or control-click this link to a special property list file (plist): "ResourceRules-ignoring-Scripts.plist"
  2. Choose the option to download the linked file from the shortcut menu that appears.
  3. Place the downloaded property list file in your preferences folder (~/Library/Preferences).
    Tip: To access your Library folder, hold down the Option key on your keyboard and select Go > Library from the Finder.

Use Terminal to activate the plist file

  1. Open Terminal.
  2. Use the following command, substituting the correct actual path for both the property list file and the targeted AppleScript applet:
    codesign -s - --resource-rules=/Users/YourUserNameHere/ResourceRules-ignoring-Scripts.plist /path/to/applet.app

Note: If you have your own signing identity, you may use that identity in place of “-” for the -s option.

Published Date: