In macOS 11 and before, a sandboxed application could launch an application outside the sandbox with [[NSWorkspace sharedWorkspace] openApplicationAtURL: [NSURL fileURLWithPath: @“…”] configuration:[NSWorkspaceOpenConfiguration configuration] completionHandler:^(NSRunningApplication* nsrunningapp, NSError* nserror) noexcept { }]; Or -[NSWorkspace launchApplicationAtURL:options:configuration:error:] In macOS 12, when I do the former to launch a helper application inside our own bundle the following is traced to the Console: error 16:22:56.542768+0200 CoreServicesUIAgent LAUNCH:Application launch of disabled, bundled executable is not permitted, so returning kLSNoLaunchPermissionError, <private>, status=-10826 error 16:22:56.542794+0200 CoreServicesUIAgent LAUNCH: Launch failure with -10826/kLSNoLaunchPermissionErr <private> error 16:22:56.543032+0200 CoreServicesUIAgent LAUNCH: Launch failed in CSUI with error Error Domain=NSOSStatusErrorDomain Code=-10826 "kLSNoLaunchPermissionErr: User doesn't have permission to launch the app (managed networks)" UserInfo={_LSLine=3787, _LSFunction=_LSOpenStuffCallLocal} error 16:22:56.543292+0200 CoreServicesUIAgent handle LS launch error: {\n AppPath = "...";\n ErrorCode = "-10826";\n} And an error message “User doesn't have permission to launch the app (managed networks)” is shown to the user. This seems to be a problem with our helper app, because I can launch e.g. Microsoft Visual Code that way. The problem occurs both in ad-hoc signed debug builds as well as properly signed and notarised release builds. Is there anything we have to do differently for macOS 12?