Enabling Accessibility for ADPassMon in Mavericks

I’m a fan of ADPassMon.

It’s especially useful for FileVault 2 encrypted Macs, where the user will never see the
“Your password will expire in X days” notification at the loginwindow, since they are directly taken to their Desktop from the pre-boot authentication.

Now, Mavericks (10.9.”0″) appears to have a bug where it will not show the password expiry notification even if you’re not using FileVault 2. Another reason to use ADPassMon.

ADPassMon has a built in shortcut to change the user’s password

Screen Shot 2013-11-14 at 16.31.19For this to work, you need to grant it access to “control your computer” in the Accessibility options in System Preferences.

Now these options have changed a bit in Mavericks.
In Mountain Lion it used to look like this:

Accessiblity 10.8It was sufficient for ADPassMon the check the “Enable access for assistive devices” checkbox, which could be done simply by running

sudo touch /private/var/db/.AccessibilityAPIEnabled

In Mavericks however, the option to allow ADPassMon to do it’s thing has moved to
System Preferences -> Security & Privacy -> Privacy:

Accessibility 10.9These settings are stored in
/Library/Application Support/com.apple.TCC/TCC.db
which is another SQLite3 database.

Chances are, you want to enable this programmatically.
Otherwise your users get presented with this message:

Screen Shot 2013-11-14 at 4.29.48 PMSelecting “Open System Preferences” will take them here:

Screen Shot 2013-11-14 at 4.29.55 PMSee the closed lock?
Now you might give your users access to the Security & Privacy settings by messing with the

security authorizationdb

command, but is that really a good idea?


The alternative is to modify the /Library/Application Support/com.apple.TCC/TCC.db database before installing ADPassMon.

When packaging up ADPassMon, add a preinstall script with these two commands:

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='org.pmbuko.ADPassMon';"

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','org.pmbuko.ADPassMon',0,1,1,NULL);"

If you’re using Composer to build your package, it might look like this:

Screen Shot 2013-11-14 at 16.42.10

Thanks to spikehed for finding this trick here, and of course Peter Bukowinski for creating ADPassMon!

2 thoughts on “Enabling Accessibility for ADPassMon in Mavericks

  1. FYI:

    We have made a management utility to administrate OS X Location Services, Contacts requests, Accessibility, and iCloud access in enterprise environments.

    It runs on OS X 10.8 & 10.9 and has been tested with OS X 10.10 “Yosemite”.

    Since Mac OS X 10.8 “Mountain Lion”, Apple has introduced systems to handle access to certain features of the computer. Among these are Contacts (AddressBook), iCloud (Ubiquity), Accessibility, and Location Services. The first three are managed through one method (SQLite databases called TCC.db hidden throughout the system), while the latter is handled by the locationd daemon through property list files. Originally I created two separate scripts to accommodate the manual modification of these systems. However, eventually I realized that while the internal workings were different, the desired effect was more or less the same. This Privacy Services Manager is a compilation (and mild reformation) of those two scripts.

    The script is fairly straightforward, though there are some options:

    $ privacy_services_manager.py [-hvn] [-l log] [-u user] [–template] [–language] action service applications


    Option Purpose
    -h, –help Prints help information.
    -v, –version Prints version information.
    -n, –no-log Redirects logging to stdio.
    –template Modify permissions for Apple’s User Template. Only applies to certain services.
    -l log, –log-dest log Redirect logging to the specified file. (This can be overridden by –no-log.)
    -u user, –user user Modify permissions for user, not yourself. (Requires root privileges.)
    –language lang When changing permissions for the User Template, modify the langtemplate.

    Our two other GitHub repos

    – tcc_database_manager
    – location_services_manager

    Are deprecated and replaced by the more-complete & actively developed and supported Privacy Services Manager

    We also have included a package installer/uninstaller for those using package distribution systems or to ease installation for the busy/less technical.

    If you have any questions, problems or features requests feel free to email me off-list or send email or file a issue via the GitHub repo.

    For more information see the following web page:


  2. Pingback: tccutil.py: Command Line Utility for OS X Accessibility Database

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.