I created two sample apps — one sandboxed and one non‑sandboxed. I tested reading Managed Preferences using bash commands, CFPreferencesCopyValue for a domain, and defaults read. Everything works correctly only when the sandbox is disabled in the entitlements.
When the sandbox is enabled, I’m unable to read values from /Library/Managed Preferences/.
Is there any supported way for a sandboxed macOS app to read an MDM-delivered preference plist under /Library/Managed Preferences/?
Any guidance on the correct and Apple‑supported method would be appreciated.
There are basically two ways to make this work:
- Have the user select the file or directory using an open panel (or drag and drop).
- Use an entitlement that gives you access to the target directory.
In this particular case, that means using one of the "File Access Temporary Exceptions" to hard-code access to "/Library/Managed Preferences/". A few notes on that:
- The documentation suggests using "Shared Preference Domain Temporary Exceptions". I would certainly try that; however, I suspect it won't work as "Managed Preferences" may not be part of the standard preference system.
- While there's always an inherent risk in using a "temporary" entitlement, I generally consider this particular entitlement set to be relatively safe. The entitlement’s role is clear and straightforward (it gives access to the target), and there's an obvious benefit for us having some kind of "escape hatch" to enable access, if only as a solution if/when bugs occur.
However, for maximum “safety” you can implement both approaches: include the entitlement and try to directly access the file, but if that fails, then fall back to an open panel.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
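A sketch of the combined strategy the answer ends with (entitlement first, open panel as fallback), written as an added example and not code from the thread or from Apple. It assumes the app's entitlements carry the `com.apple.security.temporary-exception.files.absolute-path.read-only` exception for `/Library/Managed Preferences/` and uses a hypothetical preference domain `com.example.demoapp`.

```swift
// Added example. Assumes the entitlements file contains
// com.apple.security.temporary-exception.files.absolute-path.read-only
// with the value "/Library/Managed Preferences/", and that the MDM profile
// writes a plist for the hypothetical domain "com.example.demoapp".
import AppKit
import UniformTypeIdentifiers

let managedPrefsDir = URL(fileURLWithPath: "/Library/Managed Preferences", isDirectory: true)
let preferenceDomain = "com.example.demoapp"   // placeholder, not a real domain

/// Parse an MDM-delivered preference plist into a dictionary.
func loadManagedPreferences(from url: URL) throws -> [String: Any] {
    let data = try Data(contentsOf: url)
    let object = try PropertyListSerialization.propertyList(from: data, options: [], format: nil)
    guard let dict = object as? [String: Any] else {
        throw CocoaError(.propertyListReadCorrupt)
    }
    return dict
}

/// Second approach from the answer: direct read relying on the temporary-exception entitlement.
func readViaEntitlement() -> [String: Any]? {
    let url = managedPrefsDir.appendingPathComponent("\(preferenceDomain).plist")
    do {
        return try loadManagedPreferences(from: url)
    } catch {
        // A sandbox denial typically surfaces here as "Operation not permitted";
        // a missing file (no profile installed) is a different, benign case.
        NSLog("Direct read of %@ failed: %@", url.path, error.localizedDescription)
        return nil
    }
}

/// First approach from the answer: the user's explicit selection in an open panel
/// is what grants the sandboxed app access to that one file.
func readViaOpenPanel() -> [String: Any]? {
    let panel = NSOpenPanel()
    panel.directoryURL = managedPrefsDir
    panel.allowedContentTypes = [.propertyList]
    panel.message = "Select the managed preference file for \(preferenceDomain)"
    guard panel.runModal() == .OK, let url = panel.url else { return nil }
    return try? loadManagedPreferences(from: url)
}

/// Combined strategy: try the entitlement path, fall back to asking the user.
func managedPreferences() -> [String: Any]? {
    return readViaEntitlement() ?? readViaOpenPanel()
}
```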