We have a daemon process that handles requests made from apps running in user sessions. These requests are submitted via Mach ports. The "client" app is third-party, so it has a different signing cert, etc. Currently, the app can be sandboxed and just needs to include a particular application group entitlement, and Mach port IPC works fine. However, if the app is also hardened, the IPC no longer works.
Is there some new entitlement that can be added to allow such IPC to work? We would prefer not to add the complexity of a user agent that brokers requests between the client app and our system process, although I think that is one approach (with Apple Events or XPC). But still, it would mean the user agent could not be hardened.
We can jump through security hoops as needed, as long as the capability is available.