Running AppleScript with admin on sandboxed app

I am trying to run this AppleScript with admin privileges on macOS, but it doesn’t work when the app is sandboxed with AppWrapper: the user is never prompted for the admin password. It works when the app is not sandboxed.

The correct entitlements have been added:
com.apple.security.temporary-exception.apple-events

com.apple.systemevents

Code

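If TargetMacOS Then
  ' Ask the user whether to start the built-in Apache once, or to also install a
  ' LaunchDaemon so that it starts at boot. Both paths run shell commands as root
  ' through AppleScript's "do shell script ... with administrator privileges".
  
  Dim dialog As New MessageDialog
  Dim response As MessageDialogButton
  dialog.Message = "Options for Apache server"
  dialog.Explanation = "Apache is integrated in macOS."
  dialog.CancelButton.Visible = True
  dialog.CancelButton.Caption = "Cancel"
  dialog.ActionButton.Caption = "Start Apache only"
  dialog.AlternateActionButton.Visible = True
  dialog.AlternateActionButton.Caption = "Setup to launch at startup too"
  
  response = dialog.ShowModal
  
  ' Dispatch on the pressed button at a single level. The earlier version nested
  ' this chain inside an outer "If response = dialog.ActionButton", which made the
  ' "launch at startup" and "cancel" branches unreachable.
  If response = dialog.ActionButton Then
    ' Start Apache immediately.
    ' The command text is a constant; nothing user-controlled is concatenated into
    ' it. If a parameter is ever added, quote it with AppleScript's
    ' "quoted form of" before it reaches the root shell.
    Dim script As String
    script = "do shell script " + Chr(34) + "/usr/sbin/apachectl start" + Chr(34) + " with administrator privileges"
    
    Dim appleScript As New NSAppleScriptMBS(script)
    Dim errorInfo As Dictionary
    Dim result As NSAppleEventDescriptorMBS = appleScript.Execute(errorInfo)
    
    ' errorInfo stays Nil when the script ran without an AppleScript error.
    If errorInfo <> Nil Then
      MsgBox errorInfo.Value(NSAppleScriptMBS.NSAppleScriptErrorMessage)
    Else
      //MsgBox("Apache started successfully.")
    End If
    
  ElseIf response = dialog.AlternateActionButton Then
    ' Write a LaunchDaemon plist, load it, and start Apache immediately.
    ' Three "do shell script" statements are joined with EndOfLine into one script.
    '
    ' NOTE(review): the plist text is wrapped in shell single quotes but also uses
    ' single quotes around its XML attribute values, so the shell removes those
    ' inner quotes before tee receives the text. Check the written file with
    ' "plutil -lint" before relying on it.
    ' NOTE(review): "sudo" inside "with administrator privileges" is redundant; the
    ' command already runs as root.
    ' NOTE(review): "apachectl start" returns once httpd has been launched, so
    ' KeepAlive may make launchd re-run the job repeatedly - confirm.
    Dim script As String
    script = "do shell script " + _
    Chr(34) + "echo '<?xml version='1.0' encoding='UTF-8'?>\n" + _
    "<plist version='1.0'>\n<dict>\n" + _
    "<key>Label</key>\n<string>com.example.apache</string>\n" + _
    "<key>ProgramArguments</key>\n<array>\n" + _
    "<string>/usr/sbin/apachectl</string>\n" + _
    "<string>start</string>\n</array>\n" + _
    "<key>RunAtLoad</key>\n<true/>\n" + _
    "<key>KeepAlive</key>\n<true/>\n" + _
    "</dict>\n</plist>' | sudo tee /Library/LaunchDaemons/com.example.apache.plist" + Chr(34) + " with administrator privileges" + EndOfLine + _
    "do shell script " + Chr(34) + "sudo launchctl load /Library/LaunchDaemons/com.example.apache.plist" + Chr(34) + " with administrator privileges" + EndOfLine + _
    "do shell script " + Chr(34) + "/usr/sbin/apachectl start" + Chr(34) + " with administrator privileges"
    
    Dim appleScript As New NSAppleScriptMBS(script)
    Dim errorInfo As Dictionary
    Dim result As NSAppleEventDescriptorMBS = appleScript.Execute(errorInfo)
    
    ' errorInfo stays Nil when the script ran without an AppleScript error.
    If errorInfo <> Nil Then
      MsgBox errorInfo.Value(NSAppleScriptMBS.NSAppleScriptErrorMessage)
    Else
      //MsgBox("Apache setup and started successfully.")
      If result Is Nil Then
        //MsgBox("No result returned.")
      Else
        //MsgBox(result.StringValue)
      End If
    End If
    
  Else
    ' Cancelled by the user
    //MsgBox("Operation cancelled by the user.")
  End If
End If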

I’m fairly certain you’re not going to be able to make this happen if your app is sandboxed - some things just aren’t permitted at all, and it’s easy to understand why starting Apache would be one of them. You can check out these instructions to see if you are running into the sandbox’s limitations:
