I have a regular GUI-based app that communicates with an Endpoint System Extension installed by another app.
Both the GUI app and Endpoint System Extension have the same Team ID and are part of the same App Groups.
But I still need to do one of the following to the GUI-based app to allow it to communicate with the Endpoint System Extension over XPC:
- Disable the sandbox
- Add com.apple.security.temporary-exception.mach-lookup.global-name to entitlements
For some reason I thought there was another way to resolve this. Am I missing anything?
(My goal is to allow an app distributed through the Mac App Store to communicate with my Endpoint System Extension if it exists, and I am worried about the "temporary-exception" entitlement needed to support this.)
I believe that:
- Setting your NSEndpointSecurityMachServiceName service name to TTT.GGG.SSS, where TTT is your Team ID, GGG is a group name you choose, and SSS is the service name within that, and
- Signing your sandboxed app with the app group entitlement containing TTT.GGG
should allow your app to connect to TTT.GGG.SSS.
Note that your sysex and your app can’t share an app group container — because one is running as root and the other is running as the logged in user — but the app group entitlement isn’t just about containers. It has other side effects, and one of those is opening up a hole in your sandbox for Mach service name lookups.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
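The naming rule in the answer above (service name TTT.GGG.SSS, app group entitlement TTT.GGG) is easy to get subtly wrong, and a mismatch shows up only as a failed Mach lookup at runtime. The following is an added example, not code from the thread or from Apple: a small Python check that reads a system extension's Info.plist and a client app's entitlements plist (both constructed inline here with the placeholder IDs from the post) and reports which route, if any, lets the sandboxed client reach the service: app group, the temporary-exception entitlement, or no sandbox at all. The function names and the sample plists are assumptions for illustration.

```python
import plistlib
from typing import Optional

# Entitlement and Info.plist keys named in the thread.
APP_SANDBOX = "com.apple.security.app-sandbox"
APP_GROUPS = "com.apple.security.application-groups"
MACH_EXCEPTION = "com.apple.security.temporary-exception.mach-lookup.global-name"
ES_SERVICE_KEY = "NSEndpointSecurityMachServiceName"

# Constructed sample Info.plist for the sysex (placeholder IDs, not real ones).
SYSEX_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>NSEndpointSecurityMachServiceName</key>
    <string>TTT.GGG.SSS</string>
</dict>
</plist>
"""

# Constructed sample entitlements for three client-app configurations.
CLIENT_APP_GROUP = b"""<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.application-groups</key>
    <array><string>TTT.GGG</string></array>
</dict></plist>"""

CLIENT_TEMP_EXCEPTION = b"""<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
    <array><string>TTT.GGG.SSS</string></array>
</dict></plist>"""

CLIENT_WRONG_GROUP = b"""<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.application-groups</key>
    <array><string>TTT.OTHER</string></array>
</dict></plist>"""


def service_name_from_info_plist(data: bytes) -> str:
    """Pull NSEndpointSecurityMachServiceName out of a sysex Info.plist."""
    return plistlib.loads(data)[ES_SERVICE_KEY]


def matching_app_group(team_id: str, app_groups: list, service_name: str) -> Optional[str]:
    """Return the app group TTT.GGG that covers service name TTT.GGG.SSS, or None.

    Per the post: the group must begin with the Team ID, and the service name
    must be that group followed by a non-empty ".SSS" suffix.
    """
    for group in app_groups:
        if not group.startswith(team_id + "."):
            continue
        prefix = group + "."
        if service_name.startswith(prefix) and len(service_name) > len(prefix):
            return group
    return None


def assess_client(team_id: str, entitlements_plist: bytes, service_name: str) -> dict:
    """Classify how (or whether) a client app can look up the sysex Mach service."""
    ent = plistlib.loads(entitlements_plist)
    sandboxed = bool(ent.get(APP_SANDBOX, False))
    group = matching_app_group(team_id, ent.get(APP_GROUPS, []), service_name)
    if not sandboxed:
        route = "unsandboxed"          # lookup allowed, but no sandbox at all
    elif group is not None:
        route = "app-group"            # the route the answer recommends
    elif service_name in ent.get(MACH_EXCEPTION, []):
        route = "temporary-exception"  # works, but is the entitlement the asker worries about
    else:
        route = "blocked"              # sandbox will deny the Mach lookup
    return {"sandboxed": sandboxed, "route": route, "app_group": group}


def demo() -> dict:
    """Assess the three constructed client configurations against the sample sysex."""
    name = service_name_from_info_plist(SYSEX_INFO_PLIST)
    return {
        "app_group": assess_client("TTT", CLIENT_APP_GROUP, name),
        "temp_exception": assess_client("TTT", CLIENT_TEMP_EXCEPTION, name),
        "wrong_group": assess_client("TTT", CLIENT_WRONG_GROUP, name),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

On a real build you would feed `service_name_from_info_plist` the extension's Info.plist and `assess_client` the output of `codesign -d --entitlements :- <app>` (written to a file first); a result of "app-group" is the configuration the answer describes, while "temporary-exception" or "unsandboxed" are the two workarounds the question lists.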