DriverKit has different access control mechanisms on macOS and iOS [1]. You can see a list of relevant entitlements in the Entitlements section of the main DriverKit page.
These are all restricted entitlements, which means that their use must be authorised by a provisioning profile [2]. For the iOS entitlements, any developer can gain this authorisation for development only by using Xcode or the Developer website to set capabilities on their App ID. That’s not the case for the macOS ones. On macOS, some entitlements work like they do on iOS but some entitlements must be authorised by Apple even for development work.
This can be very confusing, so let me walk you through an example. Let’s say you’re creating a DriverKit driver that publishes a user client and you want any program to be able to access that user client. On iOS you need the com.apple.developer.driverkit.allow-third-party-userclients entitlement. If you go to the Developer website and edit your App ID, you’ll see the following under the Capabilities tab:
I’ve clicked on the info button next to the capability to show its scope. Note that:
That last point seems to contradict my earlier statement, that this stuff is for development only, but that’s only true at this micro level. All DriverKit development requires another entitlement, the main com.apple.developer.driverkit one, and if you click on the info button next to that one you’ll see that it’s only available for development:
The upshot is this: on iOS you can develop a DriverKit driver with a ‘universal’ user client without applying for any additional capabilities.
And that brings us to macOS. You’ll note from the above that com.apple.developer.driverkit is available for development on macOS. However, macOS uses a different entitlement for user client access, namely the com.apple.developer.driverkit.allow-any-userclient-access entitlement. If you work through the list under the Capabilities tab, you’ll see that none of them enable this entitlement. To authorise a claim to that entitlement, you need to apply for and be granted an additional capability:
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Well, iPadOS, I guess.
[2] For more background on that, see TN3125 Inside Code Signing: Provisioning Profiles.
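The macOS case described in the post above can be checked offline by comparing the entitlements a driver claims against the allowlist in its provisioning profile. This is an added example, not part of the original post or Apple's tooling: it assumes the profile payload has already been decoded to a plist, that the allowlist sits under the profile's `Entitlements` key, and that the DriverKit entitlements are booleans; the matching rules are a simplified model and both plists are constructed samples.

```python
import plistlib

# Entitlement keys named in the post above.
DRIVERKIT_KEYS = (
    "com.apple.developer.driverkit",
    "com.apple.developer.driverkit.allow-third-party-userclients",
    "com.apple.developer.driverkit.allow-any-userclient-access",
)

def value_allowed(allowed, claimed):
    """Simplified model: does the profile's allowlisted value cover the claim?"""
    if isinstance(claimed, list):
        # Every claimed item must be covered by some allowlisted item.
        allowed_items = allowed if isinstance(allowed, list) else [allowed]
        return all(any(value_allowed(a, c) for a in allowed_items) for c in claimed)
    if isinstance(allowed, list):
        return any(value_allowed(a, claimed) for a in allowed)
    if isinstance(allowed, str) and isinstance(claimed, str):
        # A trailing "*" in the allowlist acts as a prefix wildcard.
        return claimed == allowed or (
            allowed.endswith("*") and claimed.startswith(allowed[:-1]))
    return type(allowed) is type(claimed) and allowed == claimed

def unauthorised_claims(profile_plist, claimed_plist, keys=DRIVERKIT_KEYS):
    """Return the claimed keys that the profile does not authorise."""
    allowlist = plistlib.loads(profile_plist).get("Entitlements", {})
    claimed = plistlib.loads(claimed_plist)
    return sorted(
        k for k in keys
        if k in claimed
        and (k not in allowlist or not value_allowed(allowlist[k], claimed[k]))
    )

# Constructed sample: a macOS development profile that authorises the main
# DriverKit entitlement but not the "any user client" one.
PROFILE = plistlib.dumps({
    "Name": "Constructed macOS Dev Profile",
    "Entitlements": {"com.apple.developer.driverkit": True},
})
# Constructed sample: what the driver's entitlements file claims.
CLAIMED = plistlib.dumps({
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.allow-any-userclient-access": True,
})

if __name__ == "__main__":
    for key in unauthorised_claims(PROFILE, CLAIMED):
        print("claimed but not authorised by profile:", key)
```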