How can I achieve a safe space on the same computer,Realize a multi-purpose machine.
In the safe space, I can use the A application, but not the B application. I can use the C network, but not the D network. I can read and write files inside the safe space.
Outside the safe space, I can use all applications, all networks I can use , but I can't read and write files in secure space
ps:Content FIlter and endpoint control the entire computer. Can't achieve dual use in one machine
You're seemingly headed for what is known as mandatory access controls with compartmentation; a trusted execution environment. Mandatory controls do get expensive to build and operate, and mandatory controls are gnarly to manage, too. And macOS doesn't particularly support mandatory controls for user apps, and particularly not after Xcode 9 and macOS High Sierra and TrustedBSD.
The usual response to these requirements is multiple "system high" Macs, or maybe multiple guests in a VM if your local security policy allows that. Which also gets expensive, but less so. All as you seem to be aware.
If you really need this isolation for your apps, then SELinux might interest.
Intel tried providing something similar to your requirements with SGX, but has seemingly largely given up on this outside of servers. Apple doesn't offer anything similar to third-party developers.
PS: For low-level information on macOS, the set of books comprising the New OSX Book might interest.
PPS: You'll likely need to discuss these requirements with the folks managing the content filter and endpoint security on this Mac.
Thx @Hoffman
your are Apple R & D personnel?
Yes,I need Mandatory controls。Safe space also be called a sandbox
In sandbox,I can access some special networks(Such as the company intranet),deny some network(Such as Youtube).and I can only read and write in a safe space,OutSide safe space without permission
Now I can control whether to access network XXXX through content filter I can also control the permissions of file YYYY through endpoint security,or whether to Open Application ZZZZ a through endpoint security
But I can't Outside the sandbox, it is allowed to access network XXXX、 read and write files YYYY 、Can open Application ZZZZ In the sandbox, it is not allowed to access network XXXX、can not read or write file YYYY、Can not open Application ZZZZ
Unable to judge Inside or outside the sandbox Use network XXXX、files YYYY、Application ZZZZ. This is the problem I'm facing now