Communicating with Endpoint System Extensions

I have a regular GUI-based app that communicates with an Endpoint System Extension installed by another app.

Both the GUI app and Endpoint System Extension have the same Team ID and are part of the same App Groups.

But I still need to do one of the following to the GUI-based app to allow it to communicate with the Endpoint System Extension over XPC:

  • Disable the sandbox
  • Add com.apple.security.temporary-exception.mach-lookup.global-name to entitlements

For some reason I thought there was another way to resolve this. Am I missing anything?

(My goal is to allow an app distributed through the Mac App Store to communicate with my Endpoint System Extension if it exists, and I am worried about the "temporary-exception" entitlement needed to support this.)

Up vote post of Todd_at_Ennetix Down vote post of Todd_at_Ennetix
618 views
Posted by
Todd_at_Ennetix
Reply
Add a Comment

Accepted Reply

I believe that:

  • Setting your NSEndpointSecurityMachServiceName service name to TTT.GGG.SSS, where TTT is your Team ID, GGG is a group name you choose, and SSS is the service name within that, and

  • Signing your sandboxed app with the app group entitlement containing TTT.GGG

should allow your app to connect to TTT.GGG.SSS.

Note that your sysex and your app can’t share an app group container — because one is running as root and the other is running as the logged in user — but the app group entitlement isn’t just about containers. It has other side effects, and one of those is opening up a hole in your sandbox for Mach service name lookups.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

I believe that:

  • Setting your NSEndpointSecurityMachServiceName service name to TTT.GGG.SSS, where TTT is your Team ID, GGG is a group name you choose, and SSS is the service name within that, and

  • Signing your sandboxed app with the app group entitlement containing TTT.GGG

should allow your app to connect to TTT.GGG.SSS.

Note that your sysex and your app can’t share an app group container — because one is running as root and the other is running as the logged in user — but the app group entitlement isn’t just about containers. It has other side effects, and one of those is opening up a hole in your sandbox for Mach service name lookups.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment