3 Replies
      Latest reply on Jan 16, 2020 1:10 AM by eskimo
      hagen Level 1 (0 points)

        Hi,

        our audio plugins communicate with a controlling hardware device via Apple's IOHIDDevice API, which according to
        https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
        should be sandbox excepted by the com.apple.security.device.usb key, which I have test-wise placed and enabled, but communication can’t be established from inside a sandboxed DAW (checked with Ableton Live).
        Any expertise on this?

        Thanks & cheers,

        Hagen.

        • Re: IOHIDDevice entitlements
          eskimo Apple Staff (12,705 points)

          Entitlements are only effective if applied to the main executable of a process.  I’m not an expert on audio plug-ins, but my general understanding is that these plug-ins are not main executables but rather libraries (MH_BUNDLE or MH_DYLIB) that are loaded within a host app.  If that’s the case here then it’s the host app’s entitlements that apply; the plug-in’s entitlements are simply ignored.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: IOHIDDevice entitlements
              hagen Level 1 (0 points)

              Thanks Quinn, but I think you are wrong here:

              https://developer.apple.com/library/archive/technotes/tn2247

              is indicating the possibility to control sandbox exceptions.

              Thanks & cheers,

              Hagen.

                • Re: IOHIDDevice entitlements
                  eskimo Apple Staff (12,705 points)

                  [TN2247] is indicating the possibility to control sandbox exceptions.

                  Right.  But all of its discussion around entitlements is focused on the application that’s hosting the plug-ins.  I searched the technote for entitlement and here’s all the relevant quotes:

                  • The application indicates what services it requires access to via entitlements that are attached to the application through its code signature.

                  • If an application wishes to open Audio Components that are not Sandbox Safe, the application must be signed with the entitlement com.apple.security.temporary-exception.audio-unit-host.

                  • When an application with the com.apple.security.temporary-exception.audio-unit-host entitlement

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
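
The distinction drawn in the replies (entitlements count only on a main executable, not on an MH_BUNDLE or MH_DYLIB loaded into a host) can be checked by reading the Mach-O header's filetype field. The following is an added example, not code from any participant in this thread; the function names are hypothetical and the sample headers are constructed stand-ins for a host binary and a plug-in binary.

```python
import struct

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE            # universal binary, header is big-endian
FILETYPES = {0x2: "MH_EXECUTE", 0x6: "MH_DYLIB", 0x8: "MH_BUNDLE"}


def thin_filetype(data, offset=0):
    """Return the filetype name of the thin Mach-O image at `offset`."""
    if len(data) < offset + 16:
        raise ValueError("truncated Mach-O header")
    for endian in ("<", ">"):     # try little-endian first, then byte-swapped
        magic, _cpu, _sub, filetype = struct.unpack_from(endian + "4I", data, offset)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            return FILETYPES.get(filetype, "other(0x%x)" % filetype)
    raise ValueError("not a Mach-O image")


def macho_filetypes(data):
    """Return one filetype name per architecture slice."""
    if len(data) >= 8 and struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", data, 4)
        if nfat > 32 or len(data) < 8 + 20 * nfat:
            raise ValueError("implausible fat header")
        # fat_arch = cputype, cpusubtype, offset, size, align (big-endian)
        offsets = [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat)]
        return [thin_filetype(data, off) for off in offsets]
    return [thin_filetype(data)]


def entitlements_apply(data):
    """Rule as stated in the thread: only a main executable's entitlements count."""
    return all(t == "MH_EXECUTE" for t in macho_filetypes(data))


def sample_header(filetype, fmt="<"):
    # Constructed sample: minimal 64-bit mach_header_64 with no load commands.
    return struct.pack(fmt + "8I", MH_MAGIC_64, 0x01000007, 3, filetype, 0, 0, 0, 0)


SAMPLE_HOST = sample_header(0x2)      # constructed: stands in for a DAW executable
SAMPLE_PLUGIN = sample_header(0x8)    # constructed: stands in for a plug-in binary

if __name__ == "__main__":
    for name, blob in (("host", SAMPLE_HOST), ("plug-in", SAMPLE_PLUGIN)):
        print(name, macho_filetypes(blob), "entitlements apply:", entitlements_apply(blob))
```

To inspect a real binary, pass the bytes of the executable inside the bundle's `Contents/MacOS` directory to `macho_filetypes`.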