Enabling System-Controlling Utilities in Mavericks
LaunchBar, TextExpander, Keyboard Maestro, RescueTime — these and many other utilities have one thing in common: they rely on Mac OS X’s support for “assistive devices” to perform tasks that are normally forbidden to applications. Because this setting can’t be enabled by software, these apps always ask the user to turn it on at initial launch if it’s not already enabled. (In “Scripting the Unscriptable in Mac OS X,” 10 March 2003, Matt Neuburg explained this capability and where it came from — it’s actually related to the Workforce Investment Act of 1998, a U.S. statute more commonly known as Section 508.)
In versions of Mac OS X before 10.9 Mavericks, “Enable access for assistive devices” was a system-wide setting located in the Accessibility pane (previously known as Universal Access) of System Preferences. It was highly obscure, particularly because most users never understood the connection between “assistive devices” and clever Mac utilities.
According to Shelly Brisbin, an accessibility expert and author of the forthcoming book “iOS Access for All,” the original goal of the “Enable access for assistive devices” option was to make it possible for special hardware devices to drive software that would in turn control the Mac’s interface. The device could, for instance, have a switch that would drop menus or click buttons.
For the most part, however, this accessibility feature instead ended up being used by mainstream utilities that need to control various aspects of the operating system and other applications like a puppet-master, clicking buttons and invoking commands behind the scenes. Such capabilities are normally prohibited to apps, and hooking into the accessibility system gave these utilities significantly more exposure into the underpinnings of Mac OS X.
That’s all fine, but Apple changed things in Mavericks, in two major ways. First, the feature has moved from working system-wide to a per-app basis, giving users more-granular control and better security, since malicious software can’t ride on the coattails of system-wide access, as some keyloggers used to. Second, because you’re basically granting permission to a piece of software to control your Mac, the interface for controlling this permission moved to the Security & Privacy pane of System Preferences, under Accessibility.
(In fact, Mavericks improves on the previous situation in another way too, with the introduction of the Switch Control options in the Accessibility preference pane — they allow the Mac to be controlled by one or more switches, such as from a gamepad or other assistive device. This YouTube video from Luis Perez explains more.)
Apps that need to control your computer appear in the Accessibility list in Security & Privacy after you launch them — you’ll start seeing new alerts directing you to this preference pane as utilities are updated for Mavericks. And in fact, because the permissions are now on a per-app basis, you’ll get a request from every app that needs permission — the previous blanket permission from selecting “Enable access for assistive devices” no longer applies.
To give such an app permission to control your Mac as necessary, click the lock icon, enter your administrator password, and then select the checkbox next to the app in question. If a utility that requires such accessibility permissions isn’t working as expected, it’s worth making sure it’s enabled in the Accessibility list.
(As a minor aside, clicking the lock to make changes is required for items in the Accessibility list and the Location Services list, but not for Contacts, Calendars, Reminders, Twitter, or Facebook, likely because the former two apply to all user accounts on the Mac, rather than just the current account. Nevertheless, it’s an example of atrocious interface on Apple’s part — why should the lock apply to some of these lists but not others?)
You’ll notice in the screenshot above that Skype and System Preferences are in the list, but I haven’t given them permission. That’s because I have no idea why they would need it, and it’s a bad idea to give such broad control to any application without knowing why it’s necessary. You might also wonder why the activity monitoring utility RescueTime is in the list; a release note says it helps RescueTime increase accuracy by correctly determining when you switch windows.
In the end, the changes in Mavericks are a good thing, but since the previous situation was nearly inscrutable and the accessibility system is still being used by mainstream utilities, users are bound to remain confused.
But now you know what’s going on, so help spread the word!
Mavericks doesn't add the applications to the list until they try to use accessibility services which can be a bit frustrating for users who know they need to add accessibility permissions - launch the app, and then its still not listed.
Keyboard Maestro 6.2, as well as changing the wording of the warning to refer to the new location of the preference in Mavericks, adds some code to specifically provoke the system's accessibility permission system to request permission and add Keyboard Maestro and Keyboard Maestro Engine to the list.
I have also had some reports of this preference system being somewhat flaky, perhaps if you have more than one version of an application installed.
Thanks for the details, Peter! It sounds like people could get these permission requests at random times then, rather than just on first-launch. I still don't know why Skype, for instance, is in the list, and it has never prompted me to give it permission.
Maybe it's for the camera?
You can also drag and drop applications into the list. I had to do this with iTerm.
Contacts, Calendars, and Reminders, as well as Twitter and Facebook, which also show up on the list, don't require authentication by an administrator because they only affect the current user account; the others affect the entire system, and so require authentication.
However, you are absolutely correct: it IS "an example of atrocious interface on Apple's part."
Ah, that makes at least some sense, thanks! I'll update the article.