How does TCC rely on the bundle ID esp. with multiple targets?

We distribute an macOS app bundle with a main executable, a helper executable, a nested app bundle and an XPCService.

myApp.app
└── Contents
   ├── _CodeSignature
   │  └── CodeResources
   ├── embedded.provisionprofile
   ├── Info.plist
   ├── MacOS
   │  ├── myHelperApp.app
   │  │  └── Contents...

   │  ├── mainExecutable
   │  └── helperExecutable
   ├── PkgInfo
   └── XPCServices
      └── myXPCService.xpc
         └── Contents...

Our mainExecutable requires FullDiskAccess and the helperExecutable requires Accessibility Access. Since this a product for enterprise customers, the TCC permissions usually get granted via a PPPC profile.

  1. What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets?
  2. When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle com.example.myApp? If so, does that mean that every executable in that bundle has these privileges? At least this is what the manual approach would suggest, where the user can drag an entire app bundle to the privacy settings.
  3. The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be extra granted Accessibility permissions, at least during development. Is there a better way?

Thanks (Quinn)!

Answered by DTS Engineer in 701288022

1. What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets?

Yes. It’s also best practice to have your code signing identifiers aligned with your bundle identifiers (although I don’t think that TCC strictly requires that). I touch on that last topic in Signing a Mac Product For Distribution (search the page for pig-jato :-).

You can give your tool a bundle ID bya creating an Info.plist for it and then embedding that in the tool’s executable with the Create Info.plist Section in Binary build setting (CREATE_INFOPLIST_SECTION_IN_BINARY).

2. When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle com.example.myApp?

That’s my expectation, although I must admit that I haven’t tested. This makes sense when you think of TCC’s big picture architecture, which has the concept of responsible code. This is something I touch on in On File System Permissions.

3. The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be extra granted Accessibility permissions, at least during development. Is there a better way?

Not that I’m aware of.

Thanks (Quinn)!

Dude, you must be psychic!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

1. What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets?

Yes. It’s also best practice to have your code signing identifiers aligned with your bundle identifiers (although I don’t think that TCC strictly requires that). I touch on that last topic in Signing a Mac Product For Distribution (search the page for pig-jato :-).

You can give your tool a bundle ID bya creating an Info.plist for it and then embedding that in the tool’s executable with the Create Info.plist Section in Binary build setting (CREATE_INFOPLIST_SECTION_IN_BINARY).

2. When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle com.example.myApp?

That’s my expectation, although I must admit that I haven’t tested. This makes sense when you think of TCC’s big picture architecture, which has the concept of responsible code. This is something I touch on in On File System Permissions.

3. The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be extra granted Accessibility permissions, at least during development. Is there a better way?

Not that I’m aware of.

Thanks (Quinn)!

Dude, you must be psychic!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

How does TCC rely on the bundle ID esp. with multiple targets?
 
 
Q