9 Replies
      Latest reply on Nov 13, 2019 12:48 AM by eskimo
      rmpangahds Level 1 Level 1 (0 points)

        Hi all,

         

        We have a Google Drive like application that reads the user's documents folders. In Catalina, Documents are protected and require user consent.  I understand that when apps attempt to access these locations a User Consent pop up should be presented to the user by the OS.

         

        I have observed in Catalina 10.15 (19A602) that no user prompt appears when we try to access a file in Documents. The app is attempting to read these files without a user initiating the request thus we do not have "implicit" permissions.  In our app logs I can clearly see that we try to access  `~/Documents/someFile.txt`. This fails and the the error message I see  is  `Operation not permitted.`  This brings up a question, why didn't the user get a pop up to allow access to the Documents folder?

         

        To workaround this I directed users to the `Security & Privacy` pane  to give the app  File and Folder permissions. This would get around the problem however our app does not appear in the File and Folder permission section. Users also can not add apps using the plus icon since it is greyed out. I read that only apps that attempt to access the resource will appear in the File and Folder permissions. Requesting for Full Disk Access fixes these issues however it is a no go. We attempted to read a file from Documents, why isn't our app appearing in File and Folder permissions? I feel like I am at a dead end. Is there another workaround?

         

        Thanks in advance!

        • Re: App does not appear in File and Folder permissions
          eskimo Apple Staff Apple Staff (12,335 points)

          macOS has a concept of responsibility, which tracks which user-visible entity is responsible for the current process.  This is important because a macOS app can be fragmented into multiple processes, for example, an app and a helper tool, or an app and an XPC Service.  Tracking responsibility is way harder than you might think, and it sometimes breaks down.

          In your case it seems that something has failed in this responsibility tracking, so the system doesn’t know that the code doing the open is working on behalf of your app.  Hence no user approval dialog and no entry in Security & Privacy.

          Is the code doing the open running in your app’s process?  Or in some other process?  And if it’s some other process, how is that process related to your app?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: App does not appear in File and Folder permissions
              rmpangahds Level 1 Level 1 (0 points)

              Hi Eskimo,

               

              Yes, tracking responsiblity seems extermly challenging. I can confirm that our app is a single process and this process attempts to open the file. We do not create any helper processes.

               

              Summary:

               

              Is the code doing the open running in your app’s process?  Yes

              Or in some other process? No

              And if it’s some other process, how is that process related to your app? No other process

               

              Thanks for your help Eskimo!

                • Re: App does not appear in File and Folder permissions
                  eskimo Apple Staff Apple Staff (12,335 points)

                  I can confirm that our app is a single process and this process attempts to open the file.

                  Interesting.  Thanks for confirming that.

                  Does your app do anything interesting at startup?  I’ve heard unconfirmed reports of issues similar to this caused by the app calling exec during the startup sequence.  For example, the app’s CFBundleExecutable property points to a shell script and the shell script sets up some stuff and then ends with an exec of the actual app.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: App does not appear in File and Folder permissions
                      rmpangahds Level 1 Level 1 (0 points)

                      Hi Eskimo,

                       

                      We do not have  CFBundleExecutable property pointing to a shell script. We are a QT based application and during the in the main method we create the QT Client and call we call QTApplications's exec() method.  Below is how  main method looks like.

                       

                       

                      int main(int argc, char *argv[]) 
                      {
                      //Some setup
                      QApplication app(argc, argv);
                      //Other setup commands
                      int result = app.exec();
                      return result;
                      }

                      Here is some documenation on the QApplication exec() method:

                       

                      "Enters the main event loop and waits until exit() is called, then returns the value that was set to exit() (which is 0 if exit() is called via quit()).

                      It is necessary to call this function to start event handling. The main event loop receives events from the window system and dispatches these to the application widgets. Generally, no user interaction can take place before calling exec()"

                       

                      Could this be the culprit?

                       

                      Thanks again Eskimo!

                       

                       

                       



                        • Re: App does not appear in File and Folder permissions
                          eskimo Apple Staff Apple Staff (12,335 points)

                          Could this be the culprit?

                          It’s possible, but I’ve not seen reports like this from other Qt developers.

                          I’m not a Qt developer myself, but I do have a suggestion here: Create a vanilla Qt app from one of their standard templates and then modify it to access a file no the desktop.  If that doesn’t trigger the user approval alert, you know there’s something in play here that affects all Qt apps, and it’s probably time to escalate this to the Qt support channel.  If, OTOH, this vanilla app behaves as expected, you know that Qt isn’t the culprit, or not the sole culprit, and you’ll need to dig deeper into your own app.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                            • Re: App does not appear in File and Folder permissions
                              rmpangahds Level 1 Level 1 (0 points)

                              Thanks Eskimo !  I have some additional information and two more questions.

                               

                              I have recently noticed that this issue only exists on corp images of Catalina 10.15.0 (19A602). When I tested on native Catalina, I always see the user consent prompt and the the application is listed in File and Folder permissions. Not sure exactly why this is the case since corp images shouldn't make changes to this area of the OS (At least that what i am assuming).  My first question is, do you suspect that corp images could affect OS's abilitity to detect an app accessing to the protected folders?

                               

                              My last question is, were there any significant changes in 10.15 (19A603) compared to 10.15 (19A602)? Users that are seeing this issue are running 19A602. I noticed that the release notes did not change.

                               

                              Thanks again!!!

                                • Re: App does not appear in File and Folder permissions
                                  eskimo Apple Staff Apple Staff (12,335 points)

                                  My first question is, do you suspect that corp images could affect OS's abilitity to detect an app accessing to the protected folders?

                                  I’m not sure what a “corp image” is.

                                  were there any significant changes in 10.15 (19A603) compared to 10.15 (19A602)?

                                  I doubt it but, alas, I’m not in a position to check for sure.

                                  Share and Enjoy

                                  Quinn “The Eskimo!”
                                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                  let myEmail = "eskimo" + "1" + "@apple.com"

                                    • Re: App does not appear in File and Folder permissions
                                      rmpangahds Level 1 Level 1 (0 points)

                                      What I meant by "Corp image" is an enterprise version of  OS X. This version is managed by a Mobile Device Management (MDM) solution.

                                        • Re: App does not appear in File and Folder permissions
                                          eskimo Apple Staff Apple Staff (12,335 points)

                                          Ah, then I’ve no idea.  It very much depends on what your IT folks have done as part of your enterprise setup.  There’s so much scope for customisation, it’s hard to even hazard a guess.

                                          My recommendation is that you work with your IT folks to work through the changes they apply to determine which one is triggering this problem.  Once you know that, it may be clear as to whether this problem is a problem with the OS or with your setup.  And if it’s not clear, please reply back here with the info and we can take things from there.

                                          Share and Enjoy

                                          Quinn “The Eskimo!”
                                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                          let myEmail = "eskimo" + "1" + "@apple.com"