MacOS – Grant “Full Disk Access” to Workflows run via the Services menu

Tags: applescript, automator, command line, macos, services

I have an Automator Workflow installed as a service, that I run via Finder → Services → My Automator Workflow.

The workflow copies some files to a DOS-formatted thumb drive, and then attempts to remove invisible directories from it before ejecting it. The device that then uses this drive doesn't like dot-directories like /.Spotlight-V100/.

Inside that Workflow is an AppleScript step, which includes a do shell script command, which uses a /bin/rm command that fails with the message:

The action “Run AppleScript” encountered an error: “rm: /Volumes/MERCEDES/.Spotlight-V100: Operation not permitted”

If I launch the workflow in Automator, I get the same error.

BUT, if I add Automator.app in System Preferences → Security & Privacy → Privacy → Full Disk Access, I no longer get that error when I run the Workflow from Automator, but I still get it when I run from Finder.

So, naturally, I presume that when the script is run by the Services menu, it's a different process running it, and I've been trying to figure out (by watching Activity Monitor) what that process is so I can whitelist it. Processes I've tried unsuccessfully:

  • com.automator.runner.xpc
  • ScriptMonitor.app
  • rm

Does anyone know which process needs to be whitelisted for this use case?

Best Answer

The problem is that the automator service inherits the permissions of the application it's running from.

Automator has Full Disk Access. So, if you run it from Automator, it works!

But let's say you're running Chess.app, and from the top menu, you select Chess → Services → My Automator Workflow. Chess.app does not have full disk access, so the workflow fails. I expect that if you grant Chess.app Full Disk Access in System Preferences, the Workflow will work when run from Chess.app—but not when run from DVD Player.app.

Yes, I recognize that this is incredibly frustrating.
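As an added diagnostic, not code from the question or the answer, this shell script can be placed in a Run Shell Script action of the same workflow (or called through `do shell script`) and invoked with `--diagnose`: it logs the action's own process ancestry and whether the volume's dot-directory is readable, so a run launched from Automator can be compared with one launched from the Services menu. The log path, the `--diagnose` flag and the /proc fallback (so it also runs outside macOS) are this example's own conventions.

```shell
#!/bin/sh
# Added diagnostic for an Automator service action (example code, not from the
# question or answer). Records which processes run the action and whether a
# TCC-protected directory is readable, for comparing launch paths.
# Assumed conventions: --diagnose flag, log file in $HOME, /proc fallback.

# Name of a process by pid: `ps` on macOS, /proc fallback when ps is absent.
proc_name() {
    ps -o comm= -p "$1" 2>/dev/null || cat "/proc/$1/comm" 2>/dev/null
}

# Parent pid of a process, using the same two strategies.
proc_parent() {
    p=$(ps -o ppid= -p "$1" 2>/dev/null | tr -d ' ')
    [ -n "$p" ] || p=$(sed 's/.*) //' "/proc/$1/stat" 2>/dev/null | awk '{print $2}')
    printf '%s\n' "$p"
}

# Print "pid name" for the given pid and each ancestor, stopping at pid 0.
process_ancestry() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        name=$(proc_name "$pid")
        [ -n "$name" ] || break
        printf '%s %s\n' "$pid" "$name"
        pid=$(proc_parent "$pid")
    done
}

# Probe whether a directory's contents can be listed without changing anything;
# a TCC denial surfaces here as a failure before the workflow ever reaches rm.
can_access() {
    ls "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "--diagnose" ]; then
    target="${2:-/Volumes/MERCEDES/.Spotlight-V100}"   # path from the question
    {
        echo "=== $(date) ==="
        echo "Process ancestry of this action:"
        process_ancestry "$$"
        if can_access "$target"; then
            echo "Read access to $target: OK"
        else
            echo "Read access to $target: DENIED"
        fi
    } >> "$HOME/automator-fda-diagnose.log"
fi
```

Run the workflow once from Automator and once from the Services menu, then compare the two entries in the log.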