App Sandbox Temporary Exception Entitlements

A temporary exception entitlement permits your OS X app to perform certain operations otherwise disallowed by App Sandbox.

If you need to request a temporary exception entitlement, use Apple’s bug reporting system to let Apple know what’s not working for you. Apple considers feature requests as it develops the OS X platform.

To request a temporary exception entitlement for a target in an OS X Xcode project, add it to the target’s .entitlements property list file using the Xcode property list editor.

The value to provide for any temporary exception entitlement is a string or an array of one or more strings. For more information on using temporary exceptions in OS X, refer to “Designing for App Sandbox” in App Sandbox Design Guide.

Apple Event Temporary Exception

When you adopt App Sandbox, your app retains the ability to:

However, with App Sandbox you cannot send Apple events to other apps unless you configure a scripting-targets entitlement or an apple-events temporary exception entitlement.

The scripting-targets entitlement is the preferred way to request the ability to send Apple events to apps that provide scripting access groups. This entitlement is described in “App Sandbox Entitlement Keys.”

This entitlement contains an array of strings, each of which should contain the bundle identifier of an app you want to send Apple events to, with all characters in the bundle identifier converted to lowercase. For example, to enable sending Apple events to iPhoto from your app, you would pass an array containing a single string whose value is com.apple.iphoto.

Entitlement key
Capability

com.apple.security.temporary-exception.apple-events

Enables sending of Apple events to one or more destination apps.

Audio Unit Hosting Temporary Exception

By default, sandboxed apps load only audio unit plugins that declare themselves to be safe for use in a sandbox. With this temporary exception, the user is instead asked for permission when the app attempts to load an unsafe (or undeclared) plugin.

Entitlement key
Capability

com.apple.security.temporary-exception.audio-unit-host

Enables hosting of audio components that are not designated as sandbox-safe. See Audio Components and the Application Sandbox for details.

Global Mach Service Temporary Exception

With App Sandbox, lookup of global Mach services fails unless you configure the mach-lookup.global-name temporary exception entitlement. For each service that you want to enable, add the service name as a string in this entitlement key’s value array.

Entitlement key
Capability

com.apple.security.temporary-exception.mach-lookup.global-name

Enables lookup of one or more global Mach services.

File Access Temporary Exceptions

With App Sandbox, your app has access only to its container, to its application group containers, to locations that are POSIX world-readable, and to locations in the file system that the user indicates direct intent to use, such as by interacting with an Open or Save dialog. If your app needs permanent access to other locations, you can bring additional locations into your sandbox by enabling the temporary exception entitlement keys described here.

For each path that you want to enable access to, specify the path as a string value for the appropriate entitlement key’s value array. Each string must start with a slash (/) character—whether it represents an absolute path or a path relative to the user’s home directory. If a path you provide specifies a directory rather than a file, you must end the path with a slash character.

Do not use a read/write entitlement when a read-only entitlement will do.

Entitlement key
Capability

com.apple.security.temporary-exception.files.home-relative-path.read-only

Enables read-only access to the specified files or subdirectories in the user’s home directory.

com.apple.security.temporary-exception.files.home-relative-path.read-write

Enables read/write access to the specified files or subdirectories in the user’s home directory.

com.apple.security.temporary-exception.files.absolute-path.read-only

Enables read-only access to the specified files or directories at specified absolute paths.

com.apple.security.temporary-exception.files.absolute-path.read-write

Enables read/write access to the specified files or directories at specified absolute paths.
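The value and path rules above (a string or an array of strings; lowercase bundle identifiers for apple-events; file paths that start with a slash and, for directories, end with one; read-only preferred over read/write) are easy to get wrong in a hand-edited .entitlements file, and a mistake only shows up as a sandbox denial at run time. The following script is an added example, not Apple code and not part of this document: it parses an entitlements property list with Python’s standard plistlib and reports violations of those rules. The embedded sample entitlements files are constructed for the example, and the “no extension and no trailing slash” check is a heuristic (the linter cannot know whether a path names a directory), so it is reported as a warning rather than an error.

```python
"""Lint App Sandbox temporary-exception entitlements against the rules in this page."""
import plistlib
from typing import List, Optional, Tuple

PREFIX = "com.apple.security.temporary-exception."

FILE_KEYS = {
    PREFIX + "files.home-relative-path.read-only",
    PREFIX + "files.home-relative-path.read-write",
    PREFIX + "files.absolute-path.read-only",
    PREFIX + "files.absolute-path.read-write",
}
APPLE_EVENTS_KEY = PREFIX + "apple-events"
KNOWN_KEYS = FILE_KEYS | {
    APPLE_EVENTS_KEY,
    PREFIX + "audio-unit-host",
    PREFIX + "mach-lookup.global-name",
    PREFIX + "shared-preference.read-only",
    PREFIX + "shared-preference.read-write",
}

# Constructed sample .entitlements file (not from a real project). It mixes
# correct entries with deliberate mistakes for the linter to catch.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.temporary-exception.apple-events</key>
    <array>
        <string>com.apple.iphoto</string>
        <string>com.Example.Helper</string>
    </array>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
    <array>
        <string>/Library/Application Support/Example/</string>
        <string>Documents/notes.txt</string>
    </array>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <string>/usr/local/share/example</string>
    <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
    <array>
        <string>com.example.agent</string>
    </array>
</dict>
</plist>
"""

# Constructed sample with every rule satisfied; the linter should report nothing.
CLEAN_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.temporary-exception.apple-events</key>
    <string>com.apple.iphoto</string>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
    <array>
        <string>/Library/Application Support/Example/</string>
        <string>/Documents/notes.txt</string>
    </array>
</dict>
</plist>
"""

Finding = Tuple[str, str, str]  # (severity, entitlement key, message)


def _as_string_list(value) -> Optional[List[str]]:
    """Accept a single string or an array of strings; anything else is invalid."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    return None


def lint_entitlements(plist_bytes: bytes) -> List[Finding]:
    """Return rule violations found in the temporary-exception keys of a plist."""
    entitlements = plistlib.loads(plist_bytes)
    findings: List[Finding] = []
    for key, value in entitlements.items():
        if not key.startswith(PREFIX):
            continue  # only temporary exceptions are linted here
        values = _as_string_list(value)
        if values is None:
            findings.append(("error", key, "value must be a string or an array of strings"))
            continue
        if key == APPLE_EVENTS_KEY:
            for bundle_id in values:
                if bundle_id != bundle_id.lower():
                    findings.append(("error", key, f"bundle identifier must be lowercase: {bundle_id!r}"))
        elif key in FILE_KEYS:
            for path in values:
                if not path.startswith("/"):
                    findings.append(("error", key, f"path must start with '/': {path!r}"))
                elif not path.endswith("/") and "." not in path.rsplit("/", 1)[-1]:
                    # Heuristic: a last component without an extension is often a directory.
                    findings.append(("warning", key, f"if {path!r} is a directory it must end with '/'"))
        elif key not in KNOWN_KEYS:
            findings.append(("warning", key, "not a temporary-exception key documented here"))
        if key.endswith(".read-write"):
            findings.append(("warning", key, "read/write requested; use the read-only key if it suffices"))
    return findings


if __name__ == "__main__":
    for severity, key, message in lint_entitlements(SAMPLE_ENTITLEMENTS):
        print(f"{severity}: {key}: {message}")
```

Run against the first sample, the script reports two errors (a mixed-case bundle identifier and a home-relative path without the leading slash) and two warnings (a possible directory without a trailing slash, and a read/write key). The same function can be pointed at the entitlements that codesign -d --entitlements prints for a built, signed app, which catches the case where the Xcode target and the shipped binary have drifted apart.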

Shared Preference Domain Temporary Exceptions

If your app needs read-only or read/write access to a shared preference domain, use the following entitlements. Do not use a read/write entitlement when a read-only entitlement will do.

Entitlement key
Capability

com.apple.security.temporary-exception.shared-preference.read-only

Enables read-only access to the contents of the specified preference domain or domains in the user’s home directory.

com.apple.security.temporary-exception.shared-preference.read-write

Enables read/write access to the contents of the specified preference domain or domains in the user’s home directory.