InDesign Server + Catalina = heavy permission problems
--- Update: PROBLEM SOLVED. See comment below ---
We have run into serious problems with running InDesign Server (IDS) on Mac OS 10.5.x Catalina: The problems are somehow related to file permissions and will only show when the IDS instances are started by launch agents (or launch daemons).
This problem manifests itself in several ways we have encountered – using IDS CC 2020 as well as IDS 2019:
- Documents can only be opened from a limited number of locations – actually only one location as far as we know, the `/private/tmp/` directory on the local machine. When one of our scripts (AppleScripts) tells IDS to open a file stored in any other location that we have tried – like the desktop or on a network volume connected to with smb or afp – IDS always throws back error number `29445`, stating that the file is opened by another user or in another program (which it's not).
  Copying or moving the document file manually to the /tmp folder makes the document openable without any error message. This might suggest a possible workaround – but no: the files cannot be copied or moved either by the scripts themselves:
- Any command to do something with files, other than files in the /tmp folder, results in error “Operation not permitted” when run from a script executed from IDS started with launch agents. Finder commands or shell script commands like cp, mv and touch all fail. So it’s not even possible to copy a document to the /tmp directory from the script before opening it.
- Trying to place an EPS file in a document from a script in the “forbidden” locations results in the same error message as mentioned first above: 29445. This does not happen with pdf:s, jpg:s or png:s. This is a smaller problem than the other two above, since it can be worked around by converting the EPS files to pdf:s in another process.
But problem 1+2 is a showstopper.
All these problems (probably having a common cause) are totally non-existent under other circumstances:
• IDS is started with launch agents in systems older than 0.5.x Catalina – no problem.
• IDS is started from Terminal with Catalina – no problem.
• Indesign CC (client version) is used, under any Mac OS.
There is no difference with IDS CC 2020 compared to IDS CC 2019 in this respect.
The problems could be related to the new security measures introduced with Catalina, where access to network volumes and some local directories (like the desktop) is more heavily controlled than in previous systems, demanding the user to actively allow access to such locations. But with IDS, when started by agents or daemons, those dialogs never show up – only the error messages. And it’s not possible (as far as we know by all the ways we have tried) to allow such access for IDS.
Another security measure, introduced with Mac OS 10.14 – the limitation for scripts to automate other applications without user consent – is possible to handle under Catalina: A startup script (telling osascript to tell applications to do something) can force the desired dialogs in which the user can allow InDesign Server to send Apple Events to those applications – once and for all. That’s fine.
But using a startup script to force the corresponding dialogs for directory access will not work with IDS when started from launch agents. Whatever method we have tried, there is always the same error message: `Operation not permitted`. Adding `launchd` to the Full Disk Access panel doesn’t help either.
However, when IDS is started from Terminal, the same startup script gives us the desired result: The user is asked to give application Terminal access to the network filesystem – which we then can give it, once and for all.
Starting IDS from Terminal is not a plausible solution in real production though, at least for stability reasons.
So the question is: Why can IDS not be given access to file directories when started by launch agents? Why won’t the necessary questions show up?
I guess the cause of the problems lies somewhere in between Apple and Adobe. The combination of launch agents and InDesign Server does not work in combination with the new Catalina security measures. Adobe certainly has responsibility, at least partly, since there is no announcement that running IDS by launch agents under MacOS Catalina will not work.
We have invested in machines that cannot run systems older than Mac OS Catalina, so our scripts must work in that environment.
Anyway, the most important question for us right now is: What can we do in the current situation? Is there a workaround?
Jörgen Stahle commented
However... Indesign scripts became very slow with the upgrade to Catalina.
The time for processing documents is 3-5 times longer - with huge variation between different executions of the same script.
Jörgen Stahle commented
We added `bash` to the Full Disk Access list in the systems integrity panel – problems gone!
I did add `launchd` and `sh` there before – but not bash.
Maybe Adobe and Apple could do more here to guide the people setting up Indesign servers.
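
A diagnostic for the situation discussed in this thread, as an added example that is not part of the original post or its comments: run it once from Terminal and once from the launch agent, passing the same directories as arguments, and compare the output. The function names and the marker file name are hypothetical; the sketch assumes that privacy denials appear as "Operation not permitted", as reported above, while ordinary file-mode denials report "Permission denied".

```shell
#!/bin/sh
# Added diagnostic (constructed, not from the original post).
# Usage: probe.sh DIR [DIR ...]   e.g. the desktop and a mounted network volume.

# Map an error message to a cause. The denials described in the post are
# EPERM ("Operation not permitted"); POSIX mode/ACL denials are normally
# EACCES ("Permission denied").
classify_error() {
    case "$1" in
        *"Operation not permitted"*) echo "EPERM" ;;
        *"Permission denied"*)       echo "EACCES" ;;
        *"No such file"*)            echo "missing" ;;
        *)                           echo "other" ;;
    esac
}

# List a directory or read the first byte of a file; print ok or the cause.
# The body runs in a subshell so that err stays local.
probe_read() (
    if [ -d "$1" ]; then
        err=$(LC_ALL=C ls "$1" 2>&1 >/dev/null) && { echo ok; exit 0; }
    else
        err=$(LC_ALL=C head -c 1 "$1" 2>&1 >/dev/null) && { echo ok; exit 0; }
    fi
    classify_error "$err"
)

# Create and remove a marker file in a directory, the way touch/cp would.
probe_write() (
    marker="$1/.access_probe_$$"
    err=$(LC_ALL=C touch "$marker" 2>&1) && { rm -f "$marker"; echo ok; exit 0; }
    classify_error "$err"
)

if [ "$#" -gt 0 ]; then
    # Context line: the interpreter and its parent differ between a
    # Terminal run and a launchd run, which is what the comparison is for.
    echo "shell=$(ps -o comm= -p $$ 2>/dev/null)" \
         "parent=$(ps -o comm= -p "$PPID" 2>/dev/null) uid=$(id -u)"
    for dir in "$@"; do
        echo "$dir read=$(probe_read "$dir") write=$(probe_write "$dir")"
    done
fi
```

A location that reports `ok` from Terminal but `EPERM` from the launch agent is being blocked for the launchd-started process chain rather than by file modes; the `shell=` value shows which interpreter binary is actually running the script in that chain.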