App Sandbox Temporary Exception Entitlements
A temporary exception entitlement permits your OS X app to perform certain operations otherwise disallowed by App Sandbox.
If you need to request a temporary exception entitlement, use Apple’s bug reporting system to let Apple know what’s not working for you. Apple considers feature requests as it develops the OS X platform.
To request a temporary exception entitlement for a target in an OS X Xcode project, add it to the target’s .entitlements property list file using the Xcode property list editor.
The value to provide for any temporary exception entitlement is a string or an array of one or more strings. For more information on using temporary exceptions in OS X, refer to “Designing for App Sandbox” in App Sandbox Design Guide.
Apple Event Temporary Exception
When you adopt App Sandbox, your app retains the ability to:
Receive Apple events
Send Apple events to itself
Respond to Apple events it receives
However, with App Sandbox you cannot send Apple events to other apps unless you configure a scripting-targets entitlement or an apple-events temporary exception entitlement.
The scripting-targets entitlement is the preferred way to request the ability to send Apple events to apps that provide scripting access groups. This entitlement is described in “App Sandbox Entitlement Keys.”
The apple-events temporary exception entitlement contains an array of strings, each of which should contain the bundle identifier of an app you want to send Apple events to, with all characters in the bundle identifier converted to lowercase. For example, to enable sending Apple events to iPhoto from your app, you would pass an array containing a single string whose value is
Audio Unit Hosting Temporary Exception
By default, sandboxed apps load only audio unit plugins that declare themselves to be safe for use in a sandbox. With this temporary exception, the user is instead asked for permission when the app attempts to load an unsafe (or undeclared) plugin.
Global Mach Service Temporary Exception
With App Sandbox, lookup of global Mach services fails unless you configure the mach-lookup.global.name temporary exception entitlement. For each service that you want to enable, add the service as a string value for this entitlement key’s value array.
File Access Temporary Exceptions
With App Sandbox, your app has access only to its container, to its application group containers, to locations that are POSIX world-readable, and to locations in the file system that the user indicates direct intent to use, such as by interacting with an Open or Save dialog. If your app needs permanent access to other locations, you can bring additional locations into your sandbox by enabling the temporary exception entitlement keys described here.
For each path that you want to enable access to, specify the path as a string value for the appropriate entitlement key’s value array. Each string must start with a slash (/) character, whether it represents an absolute path or a path relative to the user’s home directory. If a path you provide specifies a directory rather than a file, you must end the path with a slash character.
For a home-relative-path temporary exception, provide a path relative to the user’s home directory; that is, relative to
For an absolute-path temporary exception, provide an absolute path; that is, relative to
Do not use a read/write entitlement when a read-only entitlement will do.
Shared Preference Domain Temporary Exceptions
If your app needs read-only or read/write access to a shared preference domain, use the following entitlements. Do not use a read/write entitlement when a read-only entitlement will do.
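A review check for the value rules above, as an added example that is not part of Apple's documentation: it inventories every temporary exception in an .entitlements property list and reports values that break the stated rules (paths must start with a slash, Apple event targets must be lowercase bundle identifiers, read/write needs justification). The audit function and the sample plist are constructed for illustration; the full key names carry the com.apple.security.temporary-exception. prefix, which this page does not spell out.

```python
import plistlib

PREFIX = "com.apple.security.temporary-exception."

# Constructed sample entitlements file (not taken from any real app).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.temporary-exception.apple-events</key>
  <array><string>com.Example.Editor</string></array>
  <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
  <array><string>Library/Logs/</string><string>/Documents/Reports/</string></array>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <string>/usr/local/share/example/</string>
</dict></plist>"""


def audit(plist_bytes):
    """Return (inventory, problems) for the temporary exceptions in a plist."""
    inventory, problems = {}, []
    for key, value in plistlib.loads(plist_bytes).items():
        if not key.startswith(PREFIX):
            continue  # ordinary sandbox entitlement, out of scope here
        name = key[len(PREFIX):]
        # A value is a single string or an array of strings; normalise to a list.
        values = [value] if isinstance(value, str) else value
        # Non-string values are inventoried by key only; nothing to check.
        values = [v for v in values if isinstance(v, str)] if isinstance(values, list) else []
        inventory[name] = values
        if name.endswith(".read-write"):
            problems.append((name, None, "read/write requested; confirm read-only will not do"))
        for v in values:
            # Whether a path names a directory (and so needs a trailing
            # slash) cannot be decided from the string alone; not checked.
            if name.startswith("files.") and not v.startswith("/"):
                problems.append((name, v, "path must start with a slash"))
            if name == "apple-events" and v != v.lower():
                problems.append((name, v, "bundle identifier must be lowercase"))
    return inventory, problems


if __name__ == "__main__":
    inventory, problems = audit(SAMPLE)
    for name, values in inventory.items():
        print("exception:", name, values)
    for name, value, message in problems:
        print("review:", name, value, message)
```

Run against a build's .entitlements file in code review or CI, the inventory gives reviewers the full list of sandbox exceptions an app requests, so a new or widened exception is visible before release.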