App Sandbox Temporary Exception Entitlements
A temporary exception entitlement permits your OS X app to perform certain operations otherwise disallowed by App Sandbox.
If you need to request a temporary exception entitlement, use Apple’s bug reporting system to let Apple know what’s not working for you. Apple considers feature requests as it develops the OS X platform.
To request a temporary exception entitlement for a target in an OS X Xcode project, add it to the target’s
.entitlements property list file using the Xcode property list editor.
The value to provide for any temporary exception entitlement is a string or an array of one or more strings. For more information on using temporary exceptions in OS X, refer to Designing for App Sandbox in App Sandbox Design Guide.
Apple Event Temporary Exception
When you adopt App Sandbox, your app retains the ability to:
Receive Apple events
Send Apple events to itself
Respond to Apple events it receives
However, with App Sandbox you cannot send Apple events to other apps unless you configure a
scripting-targets entitlement or an
apple-events temporary exception entitlement.
scripting-targets entitlement is the preferred way to request the ability to send Apple events to apps that provide scripting access groups, as described in App Sandbox Entitlement Keys.
When an app you are scripting does not provide scripting access groups, use the
apple-events temporary exception entitlement instead. This entitlement contains an array of strings, each of which should contain the bundle identifier of an app to which you want to send Apple events. For example, to enable sending Apple events to iPhoto from your app, you can pass an array containing a single string whose value is
apple-events entitlements are not mutually exclusive, even for a single target app. For example, if your app has a minimum OS version earlier than 10.8, when
scripting-targets was introduced, and your app scripts the Apple Mail app to compose messages, you continue using the temporary entitlement (modified to include the suffix
:before:10.8), while also including the
scripting-targets entitlement for 10.8 and later compatibility, as show below:
Audio Unit Hosting Temporary Exception
By default, sandboxed apps load only audio unit plugins that declare themselves to be safe for use in a sandbox. With this temporary exception, the user is instead asked for permission when the app attempts to load an unsafe (or undeclared) plugin.
Enables hosting of audio components that are not designated as sandbox-safe. See Audio Components and the Application Sandbox for details.
Global Mach Service Temporary Exception
With App Sandbox, lookup of global Mach services fails unless you configure the
mach-lookup.global.name temporary exception entitlement. For each service that you want to enable, add the service as a string value for this entitlement key’s value array.
File Access Temporary Exceptions
With App Sandbox, your app has access only to its container, to its application group containers, to locations that are POSIX world-readable, and to locations in the file system that the user indicates direct intent to use, such as by interacting with an Open or Save dialog. If your app needs permanent access to other locations, you can bring additional locations into your sandbox by enabling the temporary exception entitlement keys described here.
For each path that you want to enable access to, specify the path as a string value for the appropriate entitlement key’s value array. Each string must start with a slash (
/) character—whether it represents an absolute path or a path relative to the user’s home directory. If a path you provide specifies a directory rather a file, you must end the path with a slash character.
home-relative-pathtemporary exception, provide a path relative to the user’s home directory; that is, relative to
absolute-pathtemporary exception, provide an absolute path; that is, relative to
Do not use a read/write entitlement when a read-only entitlement will do.
Shared Preference Domain Temporary Exceptions
If your app needs read-only or read/write access to a shared preference domain, use the following entitlements. Do not use a read/write entitlement when a read-only entitlement will do.