Scripting

Scripting allows you to automate complex, repetitive, and time-consuming tasks by writing scripts that interact with apps, processes, and the operating system.

Posts under Scripting tag

9 Posts

Post | Replies | Boosts | Views | Activity

TCC Permission Inheritance Failure: Swift Parent -> Python Child
TCC Permission Inheritance for Python Process Launched by Swift App in Enterprise Deployment

We are developing an enterprise monitoring application that requires a hybrid Swift + Python architecture due to strict JAMF deployment restrictions. We must deploy a macOS application via ABM/App Store Connect, but our core monitoring logic is in a Python daemon. We need to understand the feasibility and best practices for TCC permission inheritance in this specific setup.

Architecture

| Component | Bundle ID | Role | Deployment |
|---|---|---|---|
| Swift Launcher | com.athena.AthenaSentry | Requests TCC permissions, launches Python child process. | Deployed via ABM/ASC. |
| Python Daemon | com.athena.AthenaSentry.Helper | Core monitoring logic using sensitive APIs. | Nested in Contents/Helpers/. |

Both bundles are signed with the same Developer ID and share the same Team ID.

Required Permissions

The Python daemon needs to access the following sensitive TCC-controlled services:

- Screen Recording (kTCCServiceScreenCapture) - for capturing screenshots.
- Input Monitoring (kTCCServiceListenEvent) - for keystroke/mouse monitoring.
- Accessibility (kTCCServiceAccessibility) - a prerequisite for Input Monitoring.

Attempts & Workarounds

We have attempted to resolve this using:

- Entitlement Inheritance: Added com.apple.security.inherit to the Helper's entitlements.
- Permission Proxy: Swift app maintains active event taps to try and "hold" the permissions for the child.
- Foreground Flow: Keeping the Swift app in the foreground during permission requests.

Questions

- Is this architecture supported? Can a Swift parent app successfully request TCC permissions that a child process can then use?
- TCC Inheritance: What are the specific rules for TCC permission inheritance between parent/child processes in an enterprise environment?
- What's the correct approach for this enterprise use case? Should we:
  - Switch to a Single Swift App? (i.e., abandon the Python daemon and rewrite the core logic natively in Swift).
  - Use XPC Services? (instead of launching the child process directly).
Replies: 3 | Boosts: 0 | Views: 106 | Activity: 1d
Lack of “Always Run” / Post-Failure Script Hook in Xcode Cloud Breaks CI/CD Integration
We are integrating Xcode Cloud into a larger CI/CD pipeline and ran into a serious limitation that makes proper build status reporting nearly impossible.

Currently, Xcode Cloud provides only the following custom script phases:

• ci_post_clone.sh
• ci_pre_xcodebuild.sh
• ci_post_xcodebuild.sh

However, if a build fails during the actual Xcode build phase (for example, due to a compilation error, unit test failure, or signing issue), the ci_post_xcodebuild.sh script does not run. This means there is no guaranteed way to execute cleanup steps or send external notifications (e.g., updating build status in Bitbucket, Slack, or any external CI system).

In any robust CI/CD setup, it’s critical to have a “finally” or “always run” hook that executes regardless of build success or failure — similar to post blocks in Jenkins, finally steps in GitHub Actions, or after_script in GitLab CI. Without such a mechanism, we cannot reliably integrate Xcode Cloud with the rest of our automation and monitoring ecosystem. This effectively breaks standard CI/CD practices, since external systems will never know if a build failed unless they constantly poll the Xcode Cloud API.

Feature request: Please add a new hook (e.g., ci_finally.sh or ci_post_build.sh) that always executes after the build, whether it succeeded, failed, or was canceled. This would make Xcode Cloud much more suitable for professional CI/CD environments and allow proper integration with third-party systems.
Replies: 1 | Boosts: 0 | Views: 91 | Activity: 4w
Execute Swift scripts dynamically in iOS
I have a transformation function that takes in data, executes some instructions, and returns an output. This function is dynamic and not shipped with the binary. Currently, I’m executing it using JavaScriptCore.JSContext, which works well, but the function itself is written in JavaScript. Is there a way to achieve something similar using Swift – such as executing a dynamic Swift script, either directly or through other means? I know this is possible on macOS, but I’m not sure about iOS. I’ve also heard that extensions might open up some possibilities here. Any insights or alternative approaches would be appreciated.
Replies: 4 | Boosts: 0 | Views: 330 | Activity: Jul ’25
Applications Scripts denied
Hi all,

I'm developing a sandboxed macOS app that generates and compiles AppleScript files to automate tasks in Pages (and other iWork apps). The app creates an AppleScript file and writes it to the NSApplicationScriptsDirectory (i.e., ~/Library/Application Scripts/com.example.app), then compiles and executes it via NSUserAppleScriptTask.

On macOS Ventura, however, I get the following error in the console when trying to write the file:

    [PagesModifier] Error creating or compiling the script: You are not allowed to save the file "PagesModifier_...applescript" in the folder "com.example.app"

Here are my current entitlements:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array/>
        <key>com.apple.security.automation.apple-events</key>
        <array>
            <string>com.apple.iWork.Pages</string>
            <string>com.apple.iWork.Numbers</string>
            <string>com.apple.iWork.Keynote</string>
        </array>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
        <key>com.apple.security.scripting-targets</key>
        <dict>
            <key>com.apple.iWork.Keynote</key>
            <array>
                <string>com.apple.iWork.Keynote</string>
            </array>
            <key>com.apple.iWork.Numbers</key>
            <array>
                <string>com.apple.iWork.Numbers</string>
            </array>
            <key>com.apple.iWork.Pages</key>
            <array>
                <string>com.apple.iWork.Pages</string>
            </array>
        </dict>
        <key>com.apple.security.temporary-exception.apple-events</key>
        <array>
            <string>com.apple.iWork.Pages</string>
            <string>com.apple.iWork.Numbers</string>
            <string>com.apple.iWork.Keynote</string>
        </array>
        <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
        <array>
            <string>Library/Application Scripts/com.example.app</string>
        </array>
    </dict>
    </plist>

I suspect the issue might be due to sandbox restrictions on dynamically creating or modifying the Application Scripts directory on Ventura. Has anyone experienced something similar or have any suggestions on how to work around this?

Thanks in advance for your help!
Replies: 6 | Boosts: 0 | Views: 152 | Activity: Mar ’25
Safari Application not listed in system_profiler command
Issue - Safari application not fetched from system_profiler command

Use case - We are trying to get the list of installed applications on the Mac. For this we use the system_profiler command to fetch the detailed list. It is working well, but the thing is, it doesn't fetch the Safari app as an installed application.

Command used - **/usr/sbin/system_profiler SPApplicationsDataType**

Can anyone suggest any other way to fetch the installed applications list from the Mac, which includes all the apps (including the Safari app) and remains effective?
Replies: 0 | Boosts: 0 | Views: 233 | Activity: Mar ’25
Can MailKit be used to manage existing messages?
I would like to create a MailKit extension that will allow me to manage my existing messages. I would like to move them around from folder to folder and read and update their headers to store some metadata that will be used by the extension. Looking at the documentation for MailKit suggests that I can only implement 4 types of handlers (content blocker, action handler, compose handler and security handler). I can’t see anything in the docs about being able to get a list of messages in the inbox and manipulate them. Am I missing something? I’d love to hear from someone who knows more about this topic before I get into a dead-end rabbit hole.

cheers,
-tomek
Replies: 1 | Boosts: 0 | Views: 599 | Activity: Jan ’25
LaunchDaemon not loading after Sonoma update
I updated my computer to Sonoma, and now my LaunchDaemon will not load. I have the following setup:

File in /Library/LaunchDaemons/com.startup.plist like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.startup</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/bash</string>
            <string>/Library/Scripts/Startup/startup.sh</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>StandardErrorPath</key>
        <string>/tmp/com.startup.stderr</string>
        <key>StandardOutPath</key>
        <string>/tmp/com.startup.stdout</string>
    </dict>
    </plist>

File in /Library/Scripts/Startup/startup.sh:

    #!/bin/zsh
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Users:/Users/root:/Users/root/Scripts:/Library/Scripts:/Library/Scripts/Startup

    #Load modules for Fuse
    /Library/Filesystems/macfuse.fs/Contents/Resources/load_macfuse
    /usr/sbin/sysctl -w vfs.generic.macfuse.tunables.allow_other=1

    #Connect to XXXXXX_net
    /bin/sleep 28
    myip=0
    while [ $myip = 0 ]
    do
        /bin/sleep 3
        myip=$(ifconfig -l | xargs -n1 ipconfig getifaddr)
    done
    /usr/local/bin/sshfs XXXX@XXXXXX.net: /Volumes/XXXXXX.net -o local,auto_cache,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,ConnectTimeout=5,daemon_timeout=60,iosize=2097152,volname=XXXXXX.net,allow_other,defer_permissions,async_read,Ciphers=aes128-gcm@openssh.com,Cipher=aes128-gcm@openssh.com,compression=no

And then we need some commands to be run as root user during boot:

/private/etc/sudoers.d/startup-script-nopasswd

    username ALL = (root) NOPASSWD: /usr/sbin/sysctl
    username ALL = (root) NOPASSWD: /usr/local/bin/sshfs

As of now, I can't even get the /Library/LaunchDaemons/com.startup.plist to run after I updated the macOS to Sonoma ….
Replies: 3 | Boosts: 0 | Views: 854 | Activity: Nov ’24