Enabling Accessibility for ADPassMon in Mavericks

I’m a fan of ADPassMon.

It’s especially useful for FileVault 2 encrypted Macs, where the user will never see the
“Your password will expire in X days” notification at the loginwindow, since they are directly taken to their Desktop from the pre-boot authentication.

Now, Mavericks (10.9.“0”) appears to have a bug where it will not show the password expiry notification even if you’re not using FileVault 2. Another reason to use ADPassMon.

ADPassMon has a built-in shortcut to change the user’s password.

For this to work, you need to grant it access to “control your computer” in the Accessibility options in System Preferences.

Now these options have changed a bit in Mavericks.
In Mountain Lion it used to look like this:

It was sufficient for ADPassMon to check the “Enable access for assistive devices” checkbox, which could be done simply by running:

sudo touch /private/var/db/.AccessibilityAPIEnabled

In Mavericks, however, the option to allow ADPassMon to do its thing has moved to
System Preferences -> Security & Privacy -> Privacy:

These settings are stored in
/Library/Application Support/com.apple.TCC/TCC.db
which is another SQLite3 database.

Chances are, you want to enable this programmatically.
Otherwise your users get presented with this message:

Selecting “Open System Preferences” will take them here:

See the closed lock?
Now you might give your users access to the Security & Privacy settings by messing with the

security authorizationdb

command, but is that really a good idea?


The alternative is to modify the /Library/Application Support/com.apple.TCC/TCC.db database before installing ADPassMon.

When packaging up ADPassMon, add a preinstall script with these two commands:

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "delete from access where client='org.pmbuko.ADPassMon';"

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','org.pmbuko.ADPassMon',0,1,1,NULL);"

If you’re using Composer to build your package, it might look like this:

[Screenshot: the preinstall script in Composer]
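Run as two separate commands, a failed INSERT leaves the DELETE applied. The following preinstall sketch is an added example, not part of the original post or of ADPassMon: it wraps both statements in one transaction and refuses to write unless the access table has the six columns the INSERT supplies. The function names and the `service` column name are assumptions.

```shell
#!/bin/sh
TCC_DB="/Library/Application Support/com.apple.TCC/TCC.db"
BUNDLE_ID="org.pmbuko.ADPassMon"
SERVICE="kTCCServiceAccessibility"

# Count the columns of the access table in database $1. The INSERT below is
# positional and supplies exactly six values, so any other count means the
# table layout is not the one the post was written against.
access_columns() {
    sqlite3 "$1" "PRAGMA table_info(access);" | wc -l | tr -d ' '
}

# Replace the Accessibility row for client $2 in database $1.
# Returns 1 if the database is missing, 2 if the layout is unexpected,
# 3 if sqlite3 fails. DELETE and INSERT share one transaction, so a failed
# INSERT rolls the DELETE back and the database is left unchanged.
grant_accessibility() {
    [ -f "$1" ] || { echo "no TCC database at $1" >&2; return 1; }
    [ "$(access_columns "$1")" = "6" ] || {
        echo "unexpected access table layout, leaving $1 untouched" >&2
        return 2
    }
    sqlite3 -bail "$1" "BEGIN;
        DELETE FROM access WHERE client='$2';
        INSERT INTO access VALUES('$SERVICE','$2',0,1,1,NULL);
        COMMIT;" || return 3
}

# Print every client that holds an Accessibility row in database $1, so the
# result of the install (and anything else on the list) can be reviewed.
# The column name "service" is an assumption; "client" is from the post.
list_accessibility_clients() {
    sqlite3 "$1" "SELECT client FROM access WHERE service='$SERVICE';"
}

# Only touch the real database when packaged and run as the preinstall script.
if [ "$(basename "$0")" = "preinstall" ]; then
    grant_accessibility "$TCC_DB" "$BUNDLE_ID" || exit 1
    list_accessibility_clients "$TCC_DB" | grep -qx "$BUNDLE_ID"
fi
```

Running list_accessibility_clients on a deployed Mac also shows which other applications have been granted control of the computer.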

Thanks to spikehed for finding this trick here, and of course Peter Bukowinski for creating ADPassMon!