Is there a way for my macOS app to run NSRunningApplication.terminate()?

When my macOS app (currently in TestFlight and set for Mac App Store distribution) tries to terminate another app, both terminate() and forceTerminate() consistently return false. However, I can retrieve a list of all running applications so some related APIs do work.

I suspect this limitation is due to sandboxing. I have three questions:

  1. Is there any permission or entitlement I can add in Xcode to allow my app to terminate other applications?
  2. If no such permission exists, is there a way to guide users on how to launch my app (distributed through the Mac App Store) without sandboxing? For example, could they set it up to launch as a daemon or agent?
  3. If unsandboxing is impossible, would I need to create a separate target specifically without sandboxing? In other words, my macOS app would communicate with my unsandboxed daemon that would do all the terminate()-ing?
Answered by DTS Engineer in 813143022

Is there any permission or entitlement I can add in Xcode to allow my app to terminate other applications?

This depends on exactly what you're trying to quit. This thread covers it in more detail, but you basically need "com.apple.security.temporary-exception.apple-events", where its value is an array of the app bundle IDs you need to target.

However, there are two issues you'll have with that:

  1. You need to list every target, so you can't quit "any" app.

  2. Whether or not you'll be granted the entitlement depends ENTIRELY on what you're actually targeting. I suspect there wouldn't be any issue with targeting "your apps" and significant issues with targeting other apps.

If no such permission exists, is there a way to guide users on how to launch my app (distributed through the Mac App Store) without sandboxing? For example, could they set it up to launch as a daemon or agent?

No. Your app's sandbox configuration is "part" of your app code signature and, by design, the system won't allow that to be bypassed.

If unsandboxing is impossible, would I need to create a separate target specifically without sandboxing?

If your goal is to quit "any" app then, yes, I think that's what you'd need to do. I'm still looking in case I've missed something, but I'm not aware of any entitlement that would allow you to send AppleEvents to "anyone".

In other words, my MacOS app would communicate with my unsandboxed daemon that would do all the terminate()-ing?

Basically, though there's a huge variety of ways you can make something like this. Also, strictly speaking, what you're describing would use an "agent", not a "daemon". You need to be running in the user context to send AppleEvents. Finally, this would definitely not be allowed on the App Store.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
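
An added example, not code from the thread or from Apple: a sandboxed app that limits quit requests to the bundle IDs listed in the entitlement the answer names and checks the Bool that terminate() returns. The bundle ID com.example.HelperApp, the allowedTargets set and the requestQuit helper are hypothetical, and the entitlement layout in the comment is an assumption based on the answer.

```swift
import AppKit

// Assumed entitlements for the sandboxed app, per the answer above
// (the bundle ID is a constructed placeholder, not from the thread):
//
//   <key>com.apple.security.app-sandbox</key>
//   <true/>
//   <key>com.apple.security.temporary-exception.apple-events</key>
//   <array>
//       <string>com.example.HelperApp</string>
//   </array>

/// Hypothetical allowlist; keep it identical to the entitlement array,
/// because targets outside that array are expected to be refused.
let allowedTargets: Set<String> = ["com.example.HelperApp"]

enum QuitResult { case notAllowed, notRunning, requested, refused }

/// Ask every running instance of `bundleID` to quit and report the outcome.
func requestQuit(bundleID: String) -> QuitResult {
    guard allowedTargets.contains(bundleID) else { return .notAllowed }

    let instances = NSRunningApplication
        .runningApplications(withBundleIdentifier: bundleID)
        .filter { !$0.isTerminated }
    guard !instances.isEmpty else { return .notRunning }

    // terminate() returns false when the quit request could not be sent,
    // which is the symptom the question reports from inside the sandbox.
    let sent = instances.map { $0.terminate() }
    return sent.allSatisfy { $0 } ? .requested : .refused
}

switch requestQuit(bundleID: "com.example.HelperApp") {
case .notAllowed: print("Target is not listed in the entitlement array")
case .notRunning: print("Target is not running")
case .requested:  print("Quit request sent; the target may still decline or prompt")
case .refused:    print("terminate() returned false; check the sandbox entitlements")
}
```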
