Thank you for your response.
I tried using a temporary exception as you suggested, but it didn't work. Below, I've included the code (Objective-C) and the entitlements used. I'm relatively new to macOS programming, so the issue could be with my implementation.
Entitlements in the token project/extension:
Executed code:
Result:
So with the above implementation, I couldn't connect with the CLI/script.
My two main questions are:
Is it not possible to remove the app sandbox from the token extension? This application will not be in the Mac App Store, so it's not a requirement to have the sandbox enabled.
Is there any other possible way to allow communication? For instance, having the CLI in another file/location that is copied to the container and is visually good for the user.
The issue with embedding the CLI inside the project is that the CLI has a self-update mechanism, which downloads zips and changes a few files. So if I put it inside the app, the signature of the application will not be valid anymore, right?
Thank you!