Protect your Mac app with environment constraints

Protect your Mac app with environment constraints

Learn how to improve the security of your Mac app by adopting environment constraints. We'll show you how to set limits on how processes are launched, make sure your Launch Agents and Launch Daemons aren't tampered with, and prevent unwanted code from running in your address space.

Chapitres
- 0:00 - Introduction
- 2:47 - Environment constraints
- 7:48 - Defining constraints
- 10:16 - Adopting constraints
- 16:22 - Wrap-up
Ressources
Vidéos connexes

WWDC22
- What’s new in notarization for Mac apps
WWDC20
- Explore the new system architecture of Apple silicon Macs

// Example constraint

<dict>
    <key>$or-array</key>
    <array>
        <array>
            <string>$and</string>
            <dict>
                <key>team-identifier</key>
                <string>M2657GZ2M9</string>
            </dict>
        </array>
        <array>
            <string>$and</string>
            <dict>
                <key>signing-identifier</key>
                <string>com.smith.libraryB</string>
                <key>team-identifier</key>
                <string>P9Z4AN7VHQ</string>
            </dict>
        </array>
        <array>
            <string>$and</string>
            <dict>
                <key>signing-identifier</key>
                <string>com.friday.libraryC</string>
                <key>team-identifier</key>
                <string>TA1570ZFMZ</string>
            </dict>
        </array>
    </array>
</dict>

11:02 - Example parent launch constraint

<dict>
    <key>team-identifier</key>
    <string>M2657GZ2M9</string>
    <key>signing-identifier</key>
    <string>com.demo.MyDemo</string>
</dict>

14:06 - Example process launch constraint

<dict>
    <key>team-identifier</key>
    <string>M2657GZ2M9</string>
    <key>signing-identifier</key>
    <dict>
        <key>$in</key>
        <array>
            <string>com.demo.MyDemo</string>
            <string>com.demo.DemoMenuBar</string>
            <string>demohelper</string>
        </array>
    </dict>
</dict>

14:52 - Example launchd plist constraint

// Example launchd plist constraint

<dict>
    <key>Label</key>
    <string>com.demo.DemoMenuBar.agent</string>
    <key>BundleProgram</key>
    <string>Contents/Library/LaunchAgents/DemoMenuBar.app/Contents/MacOS/DemoMenuBar</string>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        <true/>
    </dict>
    <key>RunAtLoad</key>
    <true/>
    <key>SpawnConstraint</key>
    <dict>
        <key>team-identifier</key>
        <string>M2657GZ2M9</string>
        <key>signing-identifier</key>
        <string>com.demo.DemoMenuBar</string>
    </dict>
</dict>

15:29 - Example library load constraint

// Example library load constraint

<dict>
    <key>team-identifier</key>
    <dict>
        <key>$in</key>
        <array>
            <string>M2657GZ2M9</string>
            <string>P9Z4AN7VHQ</string>
        </array>
    </dict>
</dict>

Explore Get Started

Stay Updated

Explore Platforms

Featured

Explore Technologies

Featured

Explore Community

Featured

Explore Documentation

Release Notes

Explore Downloads

Featured

Explore Support

Featured

Quick Links

Chapitres

Ressources

Vidéos connexes

WWDC22

WWDC20