Before updating to macOS 15 Sequoia, I used to be able to create file bookmarks with this code: let openPanel = NSOpenPanel() openPanel.runModal() let url = openPanel.urls[0] do { let _ = try url.bookmarkData(options: [.withSecurityScope]) } catch { print(error) } Now I get an error Error Domain=NSCocoaErrorDomain Code=256 "Failed to retrieve app-scope key" These are the entitlements: com.apple.security.app-sandbox com.apple.security.files.user-selected.read-write com.apple.security.files.bookmarks.app-scope Strangely, my own apps continued working, after updating to macOS 15 some days ago, until a few moments ago. Then it seems that all of a sudden my existing bookmarks couldn't be resolved anymore, and no new bookmarks could be created. What could be the problem?

I'm using the SwiftUI .fileImporter() modifier to present a file open panel to the user, and then I access the returned file URL using String(contentsOf:encoding:). Then I get an error, "The file “order_history.csv” couldn’t be opened because you don’t have permission to view it." The thing is, my app (recently created in Xcode 16.1 beta from macOS template) has the User Selected File entitlement set to "Read Only." It should allow reading such a file, should it not?

I am trying to open external/mounted storage in Finder. I simply just want to show the root directory. I have tried multiple things, none worked. NSWorkspace.shared.open() Does work when opening the user's disk (e.g. Macintosh HD), but when comes to any of the external storages a warning appears: "The application "ABC" does not have permission to open "Folder Name". Now, the app ha been granted all permissions in the preferences (Full Disk Access + Files and Folders). Furthermore, I don't even need or care of accessing this directory from within my app. I want the Finder to open it. I am using com.apple.security.files.user-selected.read-only and testing on MacOS: 14.6.1

Hi, I developed a utility app that allows monitoring system activity and usage. It is a sandboxed app distributed via the Mac App Store. Because in the sandbox I cannot fetch enough data about system activity (like processor temperature, fans, etc.), I developed a little Helper app (non-sandboxed), which currently is distributed via my website, and to enable extra features it provides, the user is asked to download and install it manually (it installs itself as a daemon). I'm looking for ways to improve the user experience. Ideally, it would be a button inside the main app, which would download and install the helper app, without asking the user to do more than pressing a button. As far as I understand, in the previous versions of macOS, it would be possible with privileged helpers and SMJobBless, but those are deprecated APIs now. Another way I tried, is simply downloading the installer app from the website, but opening it programmatically from the main app is tricky since it cannot remove it from the quarantine, in other words, it fails with "operation not permitted". Any advice is appreciated!

My app, which has been on the Mac App Store for many years, has an update being blocked by App review. The only change made is a bug fix (documented in the release notes). First rejection: Said I was using an entitlement I didn't need. My response: I explained the feature that required the entitlement. App goes back in review and gets rejected again for completely different reasons. They don't want me to write files in my App Sandbox container and instead write them in a more traditional user facing location (like in the Documents folder). They keep sending me a link to the "App Sandbox Design Guide" in the Documentation Archive (which appears to redirect to a different page?) and are quoting a section that is nowhere to be found in the link they send me (on the page I'm redirected to). I keep explaining to them that I cannot write outside my sandbox container and that this isn't my choice. And they keep rejecting my app and sending me a broken link to the "App Sandbox design guide." It isn't my fault that I have to write to my sandboxed container by default or have a non-functioning app. In any case, I don't understand why a bug fix update is being held up and I'm getting some vague instructions about possibly having to design some long winded explanation to the user in some ridiculously complicated onboarding process about choosing a folder in a save panel, why you have to choose the folder in the save panel (because I need your permission), OR just quit the app you just bought because it'll otherwise do nothing if you don't choose a folder in the save panel. Users got enough panels to deal with. At the very least App review shouldn't send me broken links from the Documentation Archive. So I'm using my sandbox container by default (because by default I cannot do anything else). I've been doing this for a long time and I don't understand why it is suddenly a problem. What is my sandboxed container for if I can't write to it? If documentation such as the "App Sandbox Design Guide" is still relevant and important why is it being archived anyway ? The link redirects I cannot find the section the reviewer is citing in the provided link. I don't mind being asked to do something to improve the app but I've wasted a lot of time trying to satisfy app review in the past only to misinterpret what they actually are asking me to do causing more wasted time and energy and not getting a whole lot in return. And I don't think it's fair to block a bug fix update.

This post is in response to the information on app groups posted here: https://developer.apple.com/forums/thread/721701 I have a multi-platform (macOS and iOS) app that uses an app group to store the Core Data database, so that extensions and widgets can also access the database. It seems to be impossible to add an app group in Xcode that doesn't start with group.. When I use the team identifier as detailed here , Xcode prepends group. to the app group identifier. So far, I've simply been using an app group identifier that looks like this: group.com.example.MyAppName. This has worked on macOS and iOS. However, I noticed that when the app launches on macOS 15, the user is shown a dialog that says " would like to access data from other apps." If the user selects "Don't Allow", the app will crash, since it can't access the Core Data database located in the app group directory. How can I work around this, considering that this is a multi-platform app, and both the iOS and macOS versions need to store the Core Data database in the app group directory? What is the proper way to configure app groups for multi-platform apps?

Apple provides a way for the app developer to migrate app data from previous locations to the Mac App Store app container folder, see Migrating your app’s files to its App Sandbox container. My question is, it seems this feature only allows us to migrate or move the existing app files into the sandbox folder, however, I'd like to "copy" these files instead of "move" them. Instead of using the "Move" key in the plist file, I have already tried "Copy" key and it didn't work.

Hello everyone, I need help with an issue that is unclear to me. I developed an application with Unity and now I'm using xCode to distribute it both outside the App Store and on the App Store. As for the first option, no problem, I was able to build the app and upload it for validation. However, regarding the App Store, I have a problem with "App Sandbox," which seems to be mandatory in this case. My application is essentially a party game where one part functions as a desktop application and another part as a mobile application. The desktop application launches a parallel process (which I included in a group within xcode and signed with my developer ID) that makes the two parts communicate through a socket on the local network. When I enable App Sandbox, it seems that the process is not launched by the main application. I have also enabled the two options, Incoming Connection (server/client), under App Sandbox, but it still did not work. I thank you in advance for the support.Sandbox app + parallel process + LAN Socket

Is it possible to run multiple instance of an app at the same time such that each instance is running in its own sandbox environment? For eg- Each app should have it's own ~/Library and other shared directories. Maybe something like chroot, but I am not sure it would be possible. And by sandbox I really mean isolation, not necessarily macOS App Sandbox.

I am trying to understand the mechanics of how iOS/iPadOS apps work on macs with Apple Silicon. In particular, I'd like to understand the runtime environment of these apps. I installed one to test it on a mac. I ran codesign --entitlements on a mac, on an iOS app downloaded form the mac app store. I was very surprised to see the sandbox entitement was NOT present. On iOS all apps are sandboxed, so I was very surprised to see that the macOS translation was not sandbox. This seems like a significant weakening of the security. Can anyone shed some light on that?

I am trying to get the list of printers using NSPrinter.printerNames, but it doesn't return any items. static func getPrinterList() -> [(name: String, isAvailable: Bool)] { let printerNames = NSPrinter.printerNames return printerNames.map { name in let isAvailable = NSPrinter(name: name) != nil return (name: name, isAvailable: isAvailable) } } The printerNames is a empty string array. I checked the settings for printers and screens, and there is a printer device listed. I need to set something else?

I have an Electron app built for macOS, and it was distributed via 'Developer ID' for years, it worked well and I was able to access the photos in the system Photos library. Surely I already have the 'NSPhotoLibraryUsageDescription' key in Info.plist. Recently we are trying to publish this app to Mac App Store, so I have to turn on the sandbox, after that the app starts giving XPC errors while accessing the Photos library. The errors look like: PHAuthorizationStatus: Authorized CoreData: XPC: sendMessage: failed #0 CoreData: XPC: Unable to sendMessage: to server ... CoreData: XPC: sendMessage: failed #7 CoreData: XPC: Unable to connect to server with options { NSPersistentHistoryTrackingKey = 1; NSXPCStoreServerEndpointFactory = "<PLXPCPhotoLibraryStoreEndpointFactory: 0x7fc67e8af370>"; skipModelCheck = 1; } CoreData: XPC: Unable to load metadata: Error Domain=NSCocoaErrorDomain Code=134060 "A Core Data error occurred." UserInfo={Problem=Unable to send to server; failed after 8 attempts.} CoreData: fault: Unable to create token NSXPCConnection. NSXPCStoreServerEndpointFactory 0x7fc67e8af370 -newEndpoint returned nil CoreData: error: Failed to create NSXPCConnection It seems the app could detect the current PHAuthorizationStatus which is Authorized, but it can't fetch the photos from the Photos library (using PhotoKit). I learned from here that I could look for errors from the sandboxd daemon, so I did that, here is what I saw: Sandbox: Picture Keeper(32625) deny(1) mach-lookup com.apple.photos.service Violation: deny(1) mach-lookup com.apple.photos.service Process: Picture Keeper [32625] Path: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper Load Address: 0x103bd3000 Identifier: com.simplifieditproducts.picturekeepermas Version: 4575 (4.5.75) Code Type: x86_64 (Native) Parent Process: Picture Keeper [1] Responsible: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper User ID: 501 Date/Time: 2024-08-26 16:16:14.645 EDT OS Version: macOS 14.5 (23F79) Release Type: User Report Version: 8 MetaData: {"process_path":["Users","Kevin","Projects","Electron","picturekeeper-electron","dist","picturekeeper","mas-dev","Picture Keeper.app","Contents","MacOS","Picture Keeper"],"apple-internal":false,"primary-filter":"global-name","policy-description":"Sandbox","flags":5,"platform-policy":false,"build":"macOS 14.5 (23F79)","process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","responsible-process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","primary-filter-value":"com.apple.photos.service","platform_binary":"no","responsible-process-signing-id":"com.simplifieditproducts.picturekeepermas","hardware":"Mac","target":"com.apple.photos.service","action":"deny","mach_namespace":1,"checker-pid":1,"container":"\/Users\/Kevin\/Library\/Containers\/com.simplifieditproducts.picturekeepermas\/Data","binary-in-trust-cache":false,"team-id":"LU744924UY","process":"Picture Keeper","global-name":"com.apple.photos.service","platform-binary":false,"pid":32625,"summary":"deny(1) mach-lookup com.apple.photos.service","checker":"launchd","responsible-process-team-id":"xxxxx","operation":"mach-lookup","normalized_target":["com.apple.photos.service"],"errno":1,"uid":501,"profile-flags":0,"profile-in-collection":false,"sandbox_checker":"launchd","signing-id":"com.simplifieditproducts.picturekeepermas","release-type":"User"} I believe I already have the necessary entitlements for the Photos library, see: codesign -d --entitlements - /Applications/Picture\ Keeper.app/Contents/MacOS/Picture\ Keeper [Dict] [Key] com.apple.application-identifier [Value] [String] xxxx.com.simplifieditproducts.picturekeepermas [Key] com.apple.developer.team-identifier [Value] [String] xxxx [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] xxxx.com.simplifieditproducts.picturekeepermas [Key] com.apple.security.assets.movies.read-only [Value] [Bool] true [Key] com.apple.security.assets.music.read-only [Value] [Bool] true [Key] com.apple.security.assets.pictures.read-write [Value] [Bool] true [Key] com.apple.security.cs.allow-dyld-environment-variables [Value] [Bool] true [Key] com.apple.security.cs.allow-jit [Value] [Bool] true [Key] com.apple.security.cs.allow-unsigned-executable-memory [Value] [Bool] true [Key] com.apple.security.cs.disable-executable-page-protection [Value] [Bool] true [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true [Key] com.apple.security.device.usb [Value] [Bool] true [Key] com.apple.security.files.bookmarks.app-scope [Value] [Bool] true [Key] com.apple.security.files.bookmarks.document-scope [Value] [Bool] true [Key] com.apple.security.files.downloads.read-only [Value] [Bool] true [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true [Key] com.apple.security.network.client [Value] [Bool] true [Key] com.apple.security.network.server [Value] [Bool] true [Key] com.apple.security.personal-information.location [Value] [Bool] true [Key] com.apple.security.personal-information.photos-library [Value] [Bool] true By the way, the Photos library related code was built into a .node file (which is a dylib), and it will be loaded by the main executable during runtime. Anything I missed? Thank you!

We have a cross platform App available on Mac, iOS & soon tvOS. We are adding a new App Group to be used by this app. We also have a as yet unpublished future Mac Catalyst app that will need access to the App Group. The Apple docs suggest prefixing app groups on Mac with the team ID but not on other platforms. We would like to avoid prefixing with the team ID because: my understanding is that Mac Catalyst apps don't use the team ID and we would like to support that use case to communicate between our current cross platform app and the future catalyst app. Having a single code base but different group container IDs per platform means a bunch of extra conditional logic in the project we would rather avoid. So with that context our aim is to have an app group that is named consistently across platforms and meets sandboxing requirements for App Store distribution. However when developing using the non-team prefixed app group name on macOS Sequioa I see the following alert every time I launch the app. I have the App Group listed correctly in the entitlements file and if I change the app group name on macOS from group.com.example to (TEAMID).com.example then it works as expected so I think the rest of the setup is correct. Looking at the Sequoia Beta release notes it states: Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app. I am using Xcode managed signing and looking at the provisioning profiles I can see that the iOS one includes the app group but the macOS one does not. I assume that if I could somehow get the app group correctly add to the macOS provisioning profile then all would be good. But I am now stuck on how to get the app group added to the macOS provisioning profile. It seems whatever I try Xcode does not want to add it. Presumably this is because it expects you to instead use a team ID prefixed app group which would not need to be added. Is there any magic I can do to make this work with automatic signing? If not then how would I go about setting it up manually and is that the best solution?

We have an app that is published both on iOS and macOS (Catalyst). Now, the iOS app is sharing group containers between app extension and main app target, but it's not sandboxed. The macOS Catalyst app is sandboxed but the group containers were removed a week ago with the latest AppStore submission. We are facing the same issue and still seeing the error message saying "You can only transfer sandboxed apps that are not sharing a group container." when transferring the app. It's not clear why we are having that message as the group containers were removed from the macOS app. Can anyone from Apple give a bit more details what can we do to fix that?

Hi, I'm writing a sandboxed Daemon that I register from my sandboxed application via SMAppService. The registration is successful, and the daemon is called based on logs. However when I'm trying to save a keychain item into the keychain, I see entries like this in the logs: (Security) SecItemAdd [com.apple.securityd:atomicfile] create /Library/Keychains/System.keychain.sb-1c133873-RPL9wo: Operation not permitted [com.apple.securityd:security_exception] UNIX error exception: 1 [com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted] [com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted] I'm attempting to create the item with the regular SecItemAdd function call: var query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrLabel as String: "[redacted string]", kSecAttrAccount as String: "[redacted string]", kSecAttrService as String: "[redacted string]", kSecValueData as String: secretData ] SecItemAdd(query as CFDictionary, nil) I'm guessing this is because the System keychain is outside of the sandbox for the daemon. Is there a way to create items for the System Keychain from a sandboxed daemon?

multiprocessing.Queue() method of python getting "PermissionError: [Errno 1] Operation not permitted" error if it is sandboxed: CODE: import multiprocessing tensorflow_coordinates_queue = multiprocessing.Queue() ERROR: ./test_temp9 Traceback (most recent call last): File "/Applications/test_temp9.app/Contents/MacOS/test_temp9.py", line 4, in <module> File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/context.py", line 103, in Queue File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/queues.py", line 43, in __init__ File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/context.py", line 68, in Lock File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/synchronize.py", line 162, in __init__ File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/synchronize.py", line 57, in __init__ PermissionError: [Errno 1] Operation not permitted BUNDELED WITH NUITKA: echo *** | sudo -S python3.9 -m nuitka --run --standalone --macos-disable-console --macos-create-app-bundle --macos-app-mode=ui-element --enable-plugin=pyside6 --macos-app-icon=icons/app_icon.png --include-data-dir=icons=icons test_temp9.py SIGNED WITH FOLLOWING SH: sign.txt sign2.txt ENTITLEMENTS: app.entitlements.txt

When using the following API, is it expected that the app would require both incoming and outgoing permissions with App Sandbox? public func sendto(_: Int32, _: UnsafeRawPointer!, _: Int, _: Int32, _: UnsafePointer<sockaddr>!, _: socklen_t) -> Int Since I'm only sending UDP broadcasts, I would have expected outgoing to be sufficient. Thanks!

When making a custom System Settings panel, I want the project to automatically move the prefpane file to /Library/PreferencePanes/. With Run Script, the build fails because of denial to perform the operation. Sudo doesn't help, too. PREFPANE_SRC="${BUILT_PRODUCTS_DIR}/App.prefPane" PREFPANE_DST="$HOME/Library/PreferencePanes/" echo "PrefPane source path: $PREFPANE_SRC" echo "PrefPane destination path: $PREFPANE_DST" if [ -d "$PREFPANE_SRC" ]; then echo "Installing preference pane to ${PREFPANE_DST}" cp -R "${PREFPANE_SRC}" "${PREFPANE_DST}" else echo "Preference pane not found: ${PREFPANE_SRC}" exit 1 fi

I'm attempting to create an application that uses a System Extension / Network Extension to implement a PacketTunnelProvider. After creating and configuring the packet device, I want to spawn a child process to do the actual reading and writing of network packets. I want to do this because the child is written in Go (it uses wireguard-go and my company's Go-SDK). When I call posix_spawn from within the System Extension, I get "Operation not permitted" as the error, and sandboxd drops a log with Violation: deny(1) process-exec* /private/var/root/Library/Containers/<my system extension>/Data/Documents/<my-child-binary> Is it possible to execute other processes from within the System Extension sandbox? Do the binaries have to be stored in a particular place, and if so, where? I attempted to build with the App Sandbox removed from the System Extension capabilities, and this seemed to fail before even executing my Network Extension code, so I'm guessing System Extensions are required to be sandboxed, but it would be nice to have that confirmed.

Hi everyone, I'm currently testing my app's subscription feature in the sandbox environment, but I'm encountering an issue where my subscriptions are not appearing in the StoreView. I've implemented the StoreKit configurations and ensured that the product IDs are correctly set up. However, when I try to display the subscriptions in the StoreView, nothing appears. Here are a few details about my setup: I’m using StoreKit to manage auto-renewable subscriptions. The product IDs are correctly registered and match those in App Store Connect. Testing in the sandbox environment. I’ve confirmed that my internet connection is stable, and there are no apparent issues with the request. Despite this, the StoreView remains empty, and I'm unable to see any subscription options. Has anyone else encountered this problem? If so, how did you resolve it? Any help or suggestions would be greatly appreciated! Thanks in advance!