Post

Replies

Boosts

Views

Activity

Reply to MacOS 14.4 ServiceManagement, cannot install sandboxed daemon from sandboxed main application anymore
Thank you for the reply! Great to hear indeed that the SMAppService returns an error now when the daemon isn't sandboxed, which wasn't the case on 14.2 indeed. In my case I had already sandboxed the daemon since 14.2 so that wasn't the issue I encountered. I have been able to identify and solve the issue. The 14.4 update imposed new restrictions where sandboxed daemons are not allowed to set StandardInputPath, StandardOutputPath and StandardErrorPath's anymore. Removing these from the daemon plist file solved the issue for me. -- Is your app targeting the Mac App Store? I hope at some point in the future the answer will be yes. At this moment in time, the app requires privilege escalation to change the energy mode. Which can only be done via the pmset command, if I am correct. This unfortunately requires root privileges. I have tried NSAppleScript (by trying the order of privilege escalation mentioned here https://forums.developer.apple.com/forums/thread/708765) but have been unable to find a way to store such some sort of authorization for it, requiring either the user to enter their password every time or storing their password (which is something I definitely don't want to do). -- To be clear, that entitlement is not documented for third-party use. Yes I was somewhat aware of this as there was no documentation of it online. The functionality was only mentioned rarely on some forums online. I checked how it was used by other apps and by finding examples of the syntax online. I used this entitlement as using the pmset command to change the energy mode from a sandboxed daemon isn't possible (it will write to a preference file which violates normal sandboxing restrictions). This left me with the option to either 1) remove the sandbox from the daemon, which after macOS 14.2 would require the removal of the sandbox from the main application, or 2) I could include this, undocumented, entitlement. I opted for the last as it allowed me to keep the sandboxing in both the daemon and main application. I included a file-write to only allow writing to the specific preference file pmset uses. I personally prefer this over removing the sandbox from both the daemon and main application (especially since the app only needs to be able to change the energy mode)
Mar ’24