Thanks for your reply.
Well, it seems that I have found a workaround for this problem.
Using a Daemon running with sandbox capability.
This way I am able to add BLE entitlement to the Daemon, and the user can grant a Bluetooth privilege.
Now the authorization plug-in is sending requests by XPC to the Daemon, and the Daemon is doing the BLE stuff.
cheers
sivan
Many enterprises are forcing FileVault on their computers.
Why wouldn't Apple enable the authorization plugins to run also under the vault login process?
This also prevents the integration of passwordless login solutions for macOS.
A reasonable workaround to this problem may be using a virtual smart card.
But a virtual smart card is not working on macOS, but it can be hacked.
So why wouldn't Apple make it easy to go forward with passwordless login solutions?
cheers,
sivan
Thanks for your reply!
So what is Apple's path for providing endpoint security by third-party companies?
What is the path to increase security and participate in the login, unlock and sudo operations?
cheers
Thanks for your answer.
I have posted a question regarding setCodeSigningRequirement, in the post that you have mentioned above.
Hi, I am using NSXPCConnection with setCodeSigningRequirement.
I tried different requirements.
Simplest = "anchor apple generic". This one works.
Requirement1 = "anchor apple generic and IssuerIsDeveloperID and LeafIsDeveloperIDApp". In this case my app cannot connect with my daemon.
Requirement2 = "anchor apple generic and certificate leaf[subject.OU] = ". In this case too, my app cannot connect with my daemon.
My app and daemon are signed with the same Developer ID cert and same Team ID.
What am I missing here?
Thanks,
Sivan
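An added example, not part of the original posts: one way to test a requirement string before passing it to `setCodeSigningRequirement`, by compiling it with `SecRequirementCreateWithString` and checking the current process's own signature against it. The Team ID, Mach service name and requirement text are assumptions for illustration.

```swift
import Foundation
import Security

// Constructed placeholders: substitute your own Team ID and Mach service name.
let teamID = "ABCDE12345"
let machServiceName = "com.example.bledaemon"

// Requirement-language text for "Developer ID issuer, Developer ID Application
// leaf, this team". The OIDs are Apple's marker extensions in those certificates.
let requirementText = """
    anchor apple generic \
    and certificate 1[field.1.2.840.113635.100.6.2.6] exists \
    and certificate leaf[field.1.2.840.113635.100.6.1.13] exists \
    and certificate leaf[subject.OU] = "\(teamID)"
    """

/// Compiles the text; nil means the requirement-language parser rejected it.
func compileRequirement(_ text: String) -> SecRequirement? {
    var requirement: SecRequirement?
    let status = SecRequirementCreateWithString(text as CFString, [], &requirement)
    if status != errSecSuccess {
        let reason = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
        print("requirement does not compile (\(status)): \(reason)")
    }
    return status == errSecSuccess ? requirement : nil
}

/// Checks the running process's own signature against the requirement, a quick
/// local sanity check when both sides are signed with the same certificate.
func selfSatisfies(_ requirement: SecRequirement) -> Bool {
    var me: SecCode?
    guard SecCodeCopySelf([], &me) == errSecSuccess, let code = me else { return false }
    let status = SecCodeCheckValidity(code, [], requirement)
    if status != errSecSuccess { print("self check failed: \(status)") }
    return status == errSecSuccess
}

/// Returns a connection that only talks to a peer meeting the requirement.
@available(macOS 13.0, *)
func makeDaemonConnection() -> NSXPCConnection? {
    guard let requirement = compileRequirement(requirementText),
          selfSatisfies(requirement) else { return nil }
    let connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
    connection.setCodeSigningRequirement(requirementText)
    return connection
}
```

A build signed with a development certificate rather than Developer ID will fail the self check, which is expected with this requirement text.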
thanks!