General: DevForums tag: App Sandbox App Sandbox documentation App Sandbox Design Guide documentation — This is no longer available from Apple. There’s still some info in there that isn’t covered by the current docs but, with the latest updates, it’s pretty minimal (r. 110052019). Still, if you’re curious, you can consult an old copy [1]. App Sandbox Temporary Exception Entitlements archived documentation — To better understand the role of temporary exception entitlements, see this post. Embedding a Command-Line Tool in a Sandboxed App documentation Discovering and diagnosing App Sandbox violations (replaces the Viewing Sandbox Violation Reports DevForums post) Resolving App Sandbox Inheritance Problems DevForums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" [1] For example, this one archived by the Wayback Machine.

I've got an app that is sandboxed, and it requires a privileged helper. I've worked through the EBAS sample app with various updates to conform with current systems. After a lot of work, I've got to a point where I'm stumped. The Python script SMJobBlessUtil.py returns this error, and I don't know what to do to correct it: <path to helper tool>: tool __TEXT / __info_plist section dump malformed (2) I've gone over the various settings numerous times. It doesn't fail for the EBAS sample, but does for my app. Looking at the binary, the __info_plist sections look identical apart from identifiers. This is what mine looks like (identifiers deleted): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>CFBundleIdentifier</key> <string>***</string> <key>CFBundleInfoDictionaryVersion</key> <string>6.0</string> <key>CFBundleName</key> <string>***</string> <key>CFBundleVersion</key> <string>1.0</string> <key>SMAuthorizedClients</key> <array> <string>anchor apple generic and identifier "***" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "***")</string> </array> </dict> </plist> I must be missing something, but I've run out of ideas on where to find it. Anybody got a pointer?

Im working on a small text snippet / lorem ipsum app as a side project and the idea is, for instance, whenever and wherever user types "lorem10" I'd like to print/paste 10 random lorem ipsum words. Eg. "lorem10 " -> ("Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do") For that to be possible I need to, Programmatically press "delete" key to remove the trigger string ("lorem10"). Programmatically press "cmd + v" for pasting the result string. This is possible, even in sandbox! But it requires accessibility permission. For instance I can simulate "delete" key press like this: func delete() {     let eventSource = CGEventSource(stateID: .combinedSessionState)     let keyDownEvent = CGEvent(       keyboardEventSource: eventSource,       virtualKey: CGKeyCode(51),       keyDown: true)     let keyUpEvent = CGEvent(       keyboardEventSource: eventSource,       virtualKey: CGKeyCode(51),       keyDown: false)     let loc = CGEventTapLocation.cghidEventTap     //Triggers system default accessibility access pop-up     keyDownEvent?.post(tap: loc)     keyUpEvent?.post(tap: loc)   } My question is essentially if this is allowed in Mac App Store? Because requesting accessibillity permission like this is not allowed in sandbox: func getPermission() { AXIsProcessTrustedWithOptions([kAXTrustedCheckOptionPrompt.takeUnretainedValue():true] as CFDictionary). } But I can simulate one short "shift" or "cmd" key press for instance, and trigger the pop-up inside a sandboxed app and get around this it seems. Is this a bug? I really hope I can release my app in the Mac App Store, but doing so I just want to be sure Im not using any bug that might get removed in the near future.

Hi there, Introduction I have been working on a Finder Sync extension and I would now like to use it to access a file the user has selected. This has been causing me significant issues (and I believe that a lot of other developers have also experienced similar issues with the extension). Because I plan to release my app on the App Store, I need both the main app and the finder sync app to be sandboxed Some example code describing the issue When the user executes the custom finder action in the context menu, I use the following code to extract and access the selected files: guard let target = FIFinderSyncController.default().selectedItemURLs() else { NSLog("Failed to obtain targeted URLs: %@") return }       do { //Read content of the first selected file (example) let text = try String(contentsOf: target[0], encoding: .utf8) }catch {     print("Some error occurred: \(error)") } The problem Though these files should have a sandbox exception (because they are selected by the user), they do not and I get the following error because I seemingly do not have the permission (even though I should have): Error Domain=NSCocoaErrorDomain Code=257 "The file “myfile.txt” couldn’t be opened because you don’t have permission to view it." I know from my thorough research (refer to links) that a lot of other people working with Finder Sync extensions have had this problem in the past and that Apple has not provided an official way to fix this. So essentially I am asking if Apple is planning to fix this bug in the near future or, if not, whether there is a workaround for this problem (while still passing the App Store review) and while keeping the main functionality of a context-menu like Finder Sync Extension. Useful links My previous question concerning the transfer of URLs given in the Finder Sync Extension I already asked a similar question on how to share some file URLs between my Finder Sync Extension and the Main App, to which I received a presumably working answer, which would work if this problem didn't exist. The solution to passing this access between extension and main app is to create a security scoped bookmark. This is not possible as long as I can't even access the files in the context of the extension itself. Here is the link to this aforementioned question I posted last month: Accessing a file in a sandboxed main app, which was selected in a Finder Sync Extension Some people with the same issue (dating back as far as 2016 Someone on the Apple Developer Forum had a similar issue and the respondent suggested a multitude of hacky fixes: Swift file reading permission error on macOS sandbox Here is someone on StackOverflow from someone who had the exact same issue. Multiple people mentioned there that this was a bug in the operating system and have filed multiple bug reports, which were all unanswered by Apple: Read and Write access for FinderSync extension in a sandboxed environment FinderSync Extension runtime error: The file couldn’t be opened because you don’t have permission to view it

Is there any way to read/write preferences for a Mac app group using the defaults command? I'm talking about the stuff you would programmatically manipulate using [NSUserDefaults initWithSuiteName:], and that is stored on disk in ~/Library/Group Containers. If I just say defaults read <suite name>, it tells me the the domain does not exist.

My goal is to implement a moving background in a virtual camera, implemented as a Camera Extension, on macOS 13 and later. The moving background is available to the extension as a H.264 file in its bundle. I thought i could create an AVAsset from the movie's URL, make an AVPlayerItem from the asset, attach an AVQueuePlayer to the item, then attach an AVPlayerLooper to the queue player. I make an AVPlayerVideoOutput and add it to each of the looper's items, and set a delegate on the video output. This works in a normal app, which I use as a convenient environment to debug my extension code. In my camera video rendering loop, I check self.videoOutput.hasNewPixelBuffer , it returns true at regular intervals, I can fetch video frames with the video output's copyPixelBuffer and composite those frames with the camera frames. However, it doesn't work in an extension - hasNewPixelBuffer is never true. The looping player returns 'failed', with an error which simply says "the operation could not be completed". I've tried simplifying things by removing the AVPlayerLooper and using an AVPlayer instead of an AVQueuePlayer, so the movie would only play once through. But still, I never get any frames in the extension. Could this be a sandbox thing, because an AVPlayer usually renders to a user interface, and camera extensions don't have UIs? My fallback solution is to use an AVAssetImageGenerator which I attempt to drive by firing off a Task for each frame each time I want to render one, I ask for another frame to keep the pipeline full. Unfortunately the Tasks don't finish in the same order they are started so I have to build frame-reordering logic into the frame buffer (something which a player would fix for me). I'm also not sure whether the AVAssetImageGenerator is taking advantage of any hardware acceleration, and it seems inefficient because each Task is for one frame only, and cannot maintain any state from previous frames. Perhaps there's a much simpler way to do this and I'm just missing it? Anyone?

My app has the App Sandbox enabled and the File Access to Downloads folder is set to Read / Write in XCode. Upon clicking on a button the app should open the Finder displaying the Downloads folder. The following code snippet is used to launch the Finder if let inspirationsDirectory = FileManager.default.urls(for: .downloadsDirectory, in: .userDomainMask).first{ NSWorkspace.shared.open(inspirationsDirectory) } On my MacOS it works well. After releasing the app to the AppStore and installing it on another Mac the following message is received upon clicking the button: The application does not have permission to open "Downloads" Which would be the solution to launch the Finder successfully ? Is it possible to launch the Finder showing the Downloads folder sorted by the Date Added column descending ?

When we try to run our code that uses the containerURLForSecurityApplicationGroupIdentifier function, the returned value is null if the program was run with root privileges. (when we run the code like a normal user, it is works as expected) The following code was run: NSFileManager* fileManager = [NSFileManager defaultManager]; if(!fileManager) { return “”; } NSURL* containerURL = [fileManager containerURLForSecurityApplicationGroupIdentifier:[NSString stringWithUTF8String:group_name]]; if(!containerURL) { return “”; } -> we will receive the right containerURL: /Users/{user}/Library/Group Containers/{group_name} If the same code will be run with root/admin privileges the containerURL will be NULL. With an older version of MacOS the output result was the following: normal user: /Users/{user}/Library/Group Containers/{group_name} root user : /private/var/root/Library/Group Containers/{group_name}

I have a Flutter app that should be sandboxed for Appstore and this app should run a binary that I build with make. I sign that binary with Developer ID certificate: codesign -v -f --options=runtime --entitlements "./macos/Runner/binary_sandboxed.entitlements" --sign "Developer ID Application: ..." ./path/to/binary here is binary_sandboxed.entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.inherit</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>$(TEAM_ID).$(PRODUCT_BUNDLE_IDENTIFIER)</string> </array> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>com.apple.security.network.client</key> <true/> </dict> </plist> and the main app runned with entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.inherit</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>Q7Q43CUMWT.$(PRODUCT_BUNDLE_IDENTIFIER)</string> </array> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string> </array> </dict> </plist> When I run app I get an error ProcessException: Operation not permitted In console log I see this message: denied since it was quarantined by Main app and created without user consent, qtn-flags was 0x00000086 if delete quarantine flag binary in Containers xattr -d com.apple.quarantine /Users/appuser/Library/Containers/com.bin/Data/Library/Application Support/com.bin/binary I got an error when run binary zsh: illegal hardware instruction failed: Unable to get bundle identifier because code signature information has no Info.Plist. What did I do wrong? And what should I do?

I have an application running in the sandbox which launches an application bundle using NSTask. The main app entitlements enable sandbox add the User Selected File Read/Write permission. <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> </dict> The child app entitlements enable sandbox and inherit. <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> When invoke NSSavePanel *savePanel = [NSSavePanel savePanel] in the child process, system will throw the error.The error message prompt that missing the User Selected File Read/Write permission. However, I have already added this permission in the main app, and I have set up the inherit in the child-process as well. The child process cannot add the User Selected File Read/Write permission again because it add sandbox and inherit in entitlements by the doc EnablingAppSandbox . It appears that the system is not inheriting this permission for the child process. panel[60195:2499353] [OpenSavePanels] Unable to display save panel: your app is missing the User Selected File Read/Write app sandbox entitlement. Please ensure that your app's target capabilities include the proper entitlements. And the error stack. [miscellany] CLIENT ERROR: remote view delegate NSSavePanel lacks method which can react to the details of Error Domain=com.apple.ViewBridge Code=14 "(null)" UserInfo={com.apple.ViewBridge.error.hint=-[NSViewServiceMarshal bootstrap:withReply:] caught NSInternalInconsistencyException '+[NSOpenAndSavePanelService loadViewToService:isOpenPanel:appCentric:] : failed entitlements check' with backtrace ( "0 CoreFoundation __exceptionPreprocess + 242", "1 libobjc.A.dylib objc_exception_throw + 48", "2 CoreFoundation -[NSException raise] + 9", "3 com.apple.appkit.xpc.openAndSavePan com.apple.appkit.xpc.openAndSavePan + 16852", "4 AppKit -[NSViewController _loadViewIfRequired] + 72", "5 AppKit __24-[NSViewController view]_block_invoke + 27", "6 AppKit NSPerformVisuallyAtomicChange + 132", "7 AppKit -[NSViewController view] + 123", "8 ViewBridge -[NSViewServiceMarshal _bootstrap:replyData:completion:] + 1826", "9 ViewBridge -[NSViewServiceMarshal bootstrap:withReply:] + 245", "10 CoreFoundation __invoking___ + 140", "11 CoreFoundation -[NSInvocation invoke] + 305", "12 CoreFoundation -[NSInvocation invokeWithTarget:] + 70", "13 ViewBridge -[NSVB_ViewServiceImplicitAnimationDecodingProxy forwardInvocation:] + 178", "14 CoreFoundation ___forwarding___ + 756", "15 CoreFoundation _CF_forwarding_prep_0 + 120", "16 CoreFoundation __invoking___ + 140", "17 CoreFoundation -[NSInvocation invoke] + 305", "18 CoreFoundation -[NSInvocation invokeWithTarget:] + 70", "19 ViewBridge -[NSVB_QueueingProxy forwardInvocation:] + 321", "20 CoreFoundation ___forwarding___ + 756", "21 CoreFoundation _CF_forwarding_prep_0 + 120", "22 CoreFoundation __invoking___ + 140", "23 CoreFoundation -[NSInvocation invoke] + 305", "24 CoreFoundation -[NSInvocation invokeWithTarget:] + 70", "25 CoreFoundation ___forwarding___ + 756", "26 CoreFoundation _CF_forwarding_prep_0 + 120", "27 CoreFoundation __invoking___ + 140", "28 CoreFoundation -[NSInvocation invoke] + 305", "29 ViewBridge __deferNSXPCInvocationOntoMainThread_block_invoke + 142", "30 ViewBridge __wrapBlockWithVoucher_block_invoke + 37", "31 ViewBridge kNotRunningOnAppKitCompatibleThread_block_invoke + 323", "32 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12", "33 CoreFoundation __CFRunLoopDoBlocks + 398", "34 CoreFoundation __CFRunLoopRun + 2015", "35 CoreFoundation CFRunLoopRunSpecific + 560", "36 HIToolbox RunCurrentEventLoopInMode + 292", "37 HIToolbox ReceiveNextEventCommon + 657", "38 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter + 64", "39 AppKit _DPSNextEvent + 858", "40 AppKit -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1214", "41 ViewBridge __77-[NSViewServiceApplication vbNextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke + 111", "42 ViewBridge -[NSViewServiceApplication _withToxicEventMonitorPerform:] + 114", "43 ViewBridge -[NSViewServiceApplication vbNextEventMatchingMask:untilDate:inMode:dequeue:] + 151", "44 ViewBridge -[NSViewServiceApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 99", "45 AppKit -[NSApplication run] + 586", "46 AppKit NSApplicationMain + 817", "47 libxpc.dylib _xpc_objc_main + 867", "48 libxpc.dylib xpc_main + 96", "49 ViewBridge xpc_connection_handler + 0", "50 ViewBridge NSViewServiceMain + 1789", "51 com.apple.appkit.xpc.openAndSavePan main + 178", "52 dyld start + 1903" ), com.apple.ViewBridge.error.description=NSViewBridgeErrorServiceBootstrap}

I'm the developer of a small utility for Mac called "MusicDeviceHost". https://apps.apple.com/us/app/musicdevicehost/id1261046263?mt=12 As the name suggests, it is a host application for audio units (music device components). See also "Using Sound Canvas VA with QMidi": https://youtu.be/F9C4BiBR A problem occurs while trying to authorize the "Sound Canvas VA" component, Roland Cloud Manager (v3.0.3) returns the following error: “Authorization Error - RM Service not connected Error Connecting to Roland Cloud Manager Service” I guess the error is caused by some permission denied to the sandboxed application version. The NOT sandboxed version of MDH actually works flawlessly. I am using the following entitlements: com.apple.security.app-sandbox com.apple.security.network.client So connecting to the service should work, because "com.apple.security.network.client" is enabled. At Roland, they say: "Cloud Manager isn't supported in a sandboxed environment." But as far as I can see, MainStage and other sandboxed apps works fine... So what is the right answer? Is there someone out there with the same issue? Thanks for helping :)

Hello, I have an app in the App Store that is your typical cleaner app. The app searches for files from deleted apps and can remove them. Under macOS Sonoma the app does no longer work. When deleting files, the following message appears in the Console: System Policy: App(1636) deny(1) file-write-unlink The app has scoped bookmarks for the folder and additionally I added Full Disk Access for my app - it still does not work? Is there another layer on top of that? The app works perfectly fine on Big Sur, Monterey and Ventura. Regards, Sascha

An iOS app running in simulator has complete access to the Mac's file system: // Files in protected directory like Desktop, Documents, Calendar, etc will need additional permissions. let filesInSystem = FileManager.default.enumerator(at: .currentDirectory(), includingPropertiesForKeys: nil)?.allObjects This isn't the case when running in device as the app is sandboxed. Is the same possible when running in simulator? More specifically, is there a way to restrict access to the Mac's file system when running an app in the Simulator? This is particularly useful when trying out binaries/frameworks that are not open sourced.

Hello, I have sandboxed mac app which is launching a helper app. The main app has sandbox enabled and has get-task-allow entitlement. From main app I launch[1] a helper which is an application bundle located in Contents/Helpers of the main bundle. The helper has sandbox enabled and com.apple.security.inherit entitlement. Currently I have a problem attaching debugger to helper process or getting access to location services from it (but that's probably different issue). I checked the responsible process and it seems to set up to correct PID of the main application. The Xcode is reporting "Not allowed to attach to process" error and I see the same in the log: macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger To add a more of the context what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart then if anything goes wrong [2]. So I have few questions: Do I need to launch the helper (child) process a particular way to be able to attach debugger to it? Is there a tool to inspect sandboxes (rules applied and the inheritance)? Do I really need to explicitly enable sandboxing and inheritance on the helper app, doesn't it run in the parent' s sandbox anyway? Thank you. [1] We use boost::child_process for launching the helper, which is using popen behind the scene, but I have the same experience with NSTask. [2] I know that's what XPCServices are for but don't ask :-)

Hello! I'm curious about how com.apple.developer.hid.virtual.device entitlement works with apps. So the documentation hints that it should only be used within a driver. However, on macOS 13 I can successfully compile an app and create a virtual HID device. On earlier versions, such as macOS 12, the app crashes on launch and there's a message in the console: ASI found [libsystem_secinit.dylib] (sensitive) 'failed to compile sandbox profile /System/Library/Sandbox/Profiles/application.sb:1010:15: unbound variable: iokit-user-client-class-name ' Everything seems to be working with the sandbox turned off. Is there a way to use the aforementioned entitlement in a sandboxed app or should I fall back to DriverKit?

I have a sandboxed/hardened app that is distributed outside of the MacAppStore. I want to allow the app to auto-update itself. I currently have the ability in the app to figure out if there is a newer version which then informs the user and gives them an option to download the app (currently it downloads to ~/Downloads in the app container). The app comes as a simple zip file that only includes the app itself. Once downloaded, then NSWorkspace.shared.open(URLtoDownloadedUpdate) will expand the zip and place the app in ~/Downloads. What I want is it to replace the current version of the app w/ this newly downloaded version. Is this possible? First, how do I find out where the old app is stored? And then how do I replace it with the new version when the old app is still running? I realize many people use Sparkle to do this instead of rolling their own. I simply do not want to depend on a third party.

Hello, I’m trying to allow my MacOS app written in swift to run a kill command. it works when I test it manually in my terminal but when I run it in the app I get an not permitted error. j was reading about work space authorization and put in a request but i got a response saying I didn’t need that type of authorization for what I’m doing. Any help pointing me in the right direction? https://developer.apple.com/documentation/appkit/nsworkspaceauthorizationtype Thanks!

Hi, I'm working on an Xcode Source Editor Extension. Currently, I have App Sandbox enabled and everything works as expected. I have some features I'd like to add that would require me to disable the App Sandbox and release the extension and containing app outside of the App Store. However, whenever I remove the App Sandbox capability from my project and re-run the extension, I can no longer see my extension appear in the Editor menu - it's just gone. My question is - are Xcode Source Editor Extensions only limited to sandboxed environments or can they operate out of the sandbox? If so, how come I don't see it in Xcode 15?

Hi I'm using library in my project which create, modify and read file in iConf. How to get access for the app to read from that file. Tnx, Filip

I am developing a tool for myself using Swift and SwiftUI where I can retrieve student projects using git and then running Maven tests for the projects. The app is not sandboxed, since it is just for my personal use. I use Process to launch git clone or git pull, and then get the commit log and parse the commit data to the app database. All this works just fine, I can see the app database table populated with repository commit data. But when I do the same to execute Maven tests, and call try process.run() process.waitUntilExit() The process never returns, unlike running git the same way. The only difference is the command executed and the arguments given to Process. In the process view, I can see that there is a java child process running in my app, but it never (like in tens of minutes I have waited) completes. Running the same mvn test command...: /opt/apache-maven-3.6.3/bin/mvn -Dstyle.color=never -Dtest=ReverseArrayRangeTests test ...from command line finishes in a couple of seconds. While running the Maven command below executes just fine from Process: /opt/apache-maven-3.6.3/bin/mvn -DskipTests -Dstyle.color=never package In this case, I can see the output from the process while it builds the .jar package from the project. Is there something special in running mvn test command, running Java in the child process, that it just does not work? Takes too much resources or something? macOS limiting what the child process can do, even though the app is not sandboxed? I have also tried to Archive the app and run it outside of Xcode debugging, but that doesn't change anything. My previous solution was to run the tests separately in Terminal using a shell script, saving the test results to a log file the app then read and parsed. But I'd like to do everything within the same GUI app, if possible. Any ideas?