Script Security

The security and protection of the data on your computing devices should always be a priority. Since the documents you create and edit with Omni applications may contain personal or business-related information, by default, Script Security protections for Omni Automation are built into every Omni application.

Script Security Interfaces

Script Security interfaces are triggered within Omni applications when Omni Automation scripts targeting Omni applications are executed externally, or not from within the targeted application’s console or Automation menu. For example:

Regardless of the host platform (macOS, iPadOS, iOS) all script security interfaces will prompt the user to either approve or reject the execution of the script whose Omni Automation (JavaScript) code is displayed in the security interface. Script Security interfaces are modal, disabling interaction with the host application until the user indicates their preference regarding the script’s execution. While the security interface is displayed, the script code can be copied but not changed.

Here are examples of security interfaces in OmniGraffle on macOS, iPadOS, and iOS:

(⬇ see below ) Script Security sheet on macOS


(⬇ see below ) Script Security modal alert on iPadOS


(⬇ see below ) Script Security sheet on iOS


Bypassing the Security Interfaces

A script cannot bypass an Omni application’s security interface. However, the user can set the value of a special application preference to indicate the duration for bypassing the security interface for any external Omni Automation scripts targeting the host application. The bypass duration is user defined and can be as little as 20 minutes, or three hours, or three months. There is no limit on the length of the user-indicated security bypass.

Once the script bypass preference has been assigned a value, the script security interface for the Omni application will not be triggered or displayed.


The value for the preference can written using any syntax supported by an OmniOutliner date field. For example:

NOTE: the security bypass URL must be percent-encoded, replacing spaces with %20, if it is to be pasted into a browser window or run as an Omni Automation script in the console window, like this example for setting the script security bypass in OmniFocus to remain in place until next Monday morning at 6AM:


var prefValue = encodeURIComponent("mon 6a") var urlStr = URL.currentAppScheme + ":///change-preference?OJSBypassPreviews=" + prefValue URL.fromString(urlStr).open()

Or as an Omni Automation script to be entered into and executed from the OmniFocus console window:

NOTE: To set the security bypass to its default value of disabled, omit the preference value (after the equal sign) in the URL:


NOTE: the security bypass duration must be set individually for each Omni application. There is no security bypass preference shared by all Omni applications.

NOTE: The URL protocol schema for the current Omni application can be derived using the currentAppScheme property of the URL class. Documented here.

Here are examples of various bypass duration values:

Once the preference URL has been executed, a modal dialog will ask for your approval to change the preference, followed by a confirmation dialog when the preference value has been set:

Screenshot Screenshot

The Script Bypass Plug-In

The following Omni Automation plug-in is an excellent way to set the security bypass duration for any or all of your installed Omni applications. There's no need to create and execute preference URLs. Simply download and install the plug-in and launch it from the host application’s Automation menu, and enter ether the duration end date, time, or duration.

NOTE: if you use an Omni Automation Plug-Ins folder shared by all your Omni applications, then you only need to install the plug-in once. More about plug-in installation

(⬇ see below ) Action form dialog on macOS:


(⬇ see below ) Action form modal dialog on iPadOS:

/*{ "type": "action", "targets": ["omnifocus","omnigraffle","omniplan","omnioutliner"], "author": "Otto Automator", "identifier": "com.omni-automation.set-approval-bypass-duration", "version": "2.0", "description": "This action will set the duration for bypassing the script approval dialog.", "label": "Bypass Script Previews", "shortLabel": "Bypass Approval" }*/ (() => { var action = new PlugIn.Action(function(selection, sender){ var defaultDurationInMin = 60 var defaultDate = new Date() defaultDate = new Date(defaultDate.setMinutes(defaultDate.getMinutes() + defaultDurationInMin)) if (app.platformName === "macOS"){ var formPrompt = "Enter the date or time duration at which script approval is to be resumed.\n\nAbbreviated Durations: 24h or 2d (there’s no abbreviation for minutes)\nSpecific Time: 4:15PM or 16:15\nSpecific Date: 12/23/22\nSpecific Date & Time: 12/23/22, 5:15PM\nRelative Date: tomorrow or Thursday or 4 weeks" var dateFieldLabel = null } else { var formPrompt = "Script Security Bypass Preference" var dateFieldLabel = "Date, time, or duration:" } var dateInputField = new Form.Field.Date( "dateInput", dateFieldLabel, defaultDate ) var checkSwitchField = new Form.Field.Checkbox( "checkboxSwitch", "Reset bypass preference", false ) var inputForm = new Form() inputForm.addField(checkSwitchField) inputForm.addField(dateInputField) var buttonTitle = "Continue" formPromise =,buttonTitle) inputForm.validate = function(formObject){ var resetCheckbox = formObject.values['checkboxSwitch'] if(resetCheckbox && formObject.fields.length == 2){ inputForm.removeField(dateInputField) return true } else { if (!resetCheckbox && formObject.fields.length == 1){ var defaultDate = new Date() defaultDate = new Date(defaultDate.setMinutes(defaultDate.getMinutes() + defaultDurationInMin)) dateInputField = new Form.Field.Date( "dateInput", dateFieldLabel, defaultDate ) inputForm.addField(dateInputField) return true } else { if(formObject.fields.length == 1){return true} var dateInput = formObject.values['dateInput'] if (!dateInput || dateInput === '' ){return false} var date = new Date() var minDate = new Date(date.setMinutes(date.getMinutes() + 30)) if (dateInput >= minDate){ return true } else { throw "ERROR: target date/time must be at least 30 minutes ahead" } } } } formPromise.then(function(formObject){ var resetCheckbox = formObject.values['checkboxSwitch'] var urlProtocol = URL.currentAppScheme if(resetCheckbox){ var prefStr = urlProtocol + ":///change-preference?OJSBypassPreviews=" } else { var dateInput = formObject.values['dateInput'] dateStr = encodeURIComponent(dateInput.toLocaleString()) var prefStr = urlProtocol + ":///change-preference?OJSBypassPreviews=" + dateStr } console.log(prefStr) URL.fromString(prefStr).open() }) formPromise.catch(function(err){ console.error("form cancelled", err.message) }) }); action.validate = function(selection, sender){ // validation code return true }; return action; })();

This webpage is in the process of being developed. Any content may change and may not be accurate or complete at this time.