`.entitlements` property list file. The values are then incorporated into the target's code signature when you build the project.

`sandboxd`) logs a violation message to the console.

`YES` or `NO`, with the default value in each case being `NO`. If you are editing the `.entitlements` file directly in a text editor, the corresponding Boolean values to use are `<true/>` and `<false/>`. The default value for each key is false, so you can (and generally should) leave out the entitlement entirely rather than specifying a false value.

`.entitlements` file with the Xcode property list editor.

`YES` enables the corresponding capability (unless otherwise noted).

| Setting | Entitlement key |
|---|---|
| Enable App Sandboxing | com.apple.security.app-sandbox |
`NSOpenPanel` object, and files the user saves using an `NSSavePanel` object.

`com.apple.security.files.user-selected.executable` entitlement.

| Setting | Entitlement keys |
|---|---|
| User Selected File | com.apple.security.files.user-selected.read-only, com.apple.security.files.user-selected.read-write |

| Setting | Entitlement keys |
|---|---|
| Downloads Folder | com.apple.security.files.downloads.read-write |
| Music Folder | com.apple.security.assets.music.read-only, com.apple.security.assets.music.read-write |
| Movies Folder | com.apple.security.assets.movies.read-only, com.apple.security.assets.movies.read-write |
| Pictures Folder | com.apple.security.assets.pictures.read-only, com.apple.security.assets.pictures.read-write |
`bookmarks.app-scope` or `bookmarks.document-scope` entitlement, edit the target's `.entitlements` property list file using the Xcode property list editor. Use the entitlement keys shown in Table 4-4, depending on which type of access you want. Use a value of `<true/>` for each entitlement you want to enable. You can enable either or both entitlements.

| Entitlement key | Description |
|---|---|
| com.apple.security.files.bookmarks.app-scope | Enables use of app-scoped bookmarks and URLs |
| com.apple.security.files.bookmarks.document-scope | Enables use of document-scoped bookmarks and URLs. Version note: in macOS v10.7.3, this entitlement key was named com.apple.security.files.bookmarks.collection-scope |

| Setting | Entitlement key |
|---|---|
| Allow Incoming Connections | com.apple.security.network.server |
| Allow Outgoing Connections | com.apple.security.network.client |
`sandboxd` names the I/O Kit class your code tried to access.

| Setting | Entitlement key |
|---|---|
| Allow Camera Access | com.apple.security.device.camera |
| Allow Microphone Access | com.apple.security.device.audio-input |
| Allow USB Access | com.apple.security.device.usb |
| Allow Printing | com.apple.security.print |

| Entitlement key | Description |
|---|---|
| com.apple.security.device.audio-video-bridging | Interaction with AVB devices by using the Audio Video Bridging framework |
| com.apple.security.device.bluetooth | Interaction with Bluetooth devices |
| com.apple.security.device.firewire | Interaction with FireWire devices (currently, does not support interaction with audio/video devices such as DV cameras) |
| com.apple.security.device.serial | Interaction with serial devices |

| Setting | Entitlement key |
|---|---|
| Allow Address Book Data Access | com.apple.security.personal-information.addressbook |
| Allow Location Services Access | com.apple.security.personal-information.location |
| Allow Calendar Data Access | com.apple.security.personal-information.calendars |
`com.apple.security.application-groups` (available in macOS v10.7.5 and v10.8.3 and later) allows multiple apps produced by a single development team to share access to a special group container. This container is intended for content that is not user-facing, such as shared caches or databases.

`array`, and must contain one or more `string` values, each of which must consist of your development team ID, followed by a period, followed by an arbitrary name chosen by your development team. For example:

`~/Library/Group Containers/<application-group-id>`, where `<application-group-id>` is one of the strings from the array. Your app can obtain the path to the group containers by calling the `containerURLForSecurityApplicationGroupIdentifier:` method of `NSFileManager`.

`posix_spawn` function or the `NSTask` class, you can configure the child process to inherit the sandbox of its parent. However, using a child process does not provide the security afforded by using an XPC service.

`com.apple.security.app-sandbox` and `com.apple.security.inherit`. If you specify any other App Sandbox entitlement, the system aborts the child process. You can, however, confer other capabilities to a child process by way of iCloud and notification entitlements.

`YES` value for the `inherit` entitlement.

`inherit` entitlement, edit the target's `.entitlements` property list file using the Xcode property list editor. Use the entitlement key shown in Table 4-9 with a value of `<true/>`.

`NSWorkspace`) and wish to have a shared container directory, you must use an app group.

| Entitlement key | Description |
|---|---|
| com.apple.security.inherit | Enables App Sandbox inheritance |
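An added lint (not from this page or from Apple's tooling) that applies the rules stated above, for the Boolean values, the application-groups array format and the child-process inherit restriction, to two constructed `.entitlements` plists; the team ID prefix and every key value in the samples are placeholders chosen for illustration.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
INHERIT_KEY = "com.apple.security.inherit"
GROUPS_KEY = "com.apple.security.application-groups"
# Constructed sample .entitlements file for a helper (child) process.
CHILD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.device.camera</key><false/>
</dict></plist>"""
# Constructed sample for the main app; the team ID prefix is a placeholder.
APP_ENTITLEMENTS = plistlib.dumps({
    SANDBOX_KEY: True,
    "com.apple.security.files.user-selected.read-write": True,
    GROUPS_KEY: ["TEAMID0000.com.example.shared", "no-team-id-prefix"],
})

def check_entitlements(data):
    """Return a list of findings for one .entitlements plist (bytes)."""
    ent = plistlib.loads(data)
    findings = []
    # Only App Sandbox keys are checked; iCloud and notification keys use
    # a different prefix and are permitted alongside inherit.
    sandbox_keys = {k for k in ent if k.startswith("com.apple.security.")}
    if ent.get(SANDBOX_KEY) is not True:
        findings.append(f"{SANDBOX_KEY} is not enabled")
    for k in sorted(sandbox_keys):
        if ent[k] is False:  # the default is already false: drop the key
            findings.append(f"{k} is false; omit it instead")
    if ent.get(INHERIT_KEY) is True:
        # A child that inherits its parent's sandbox may carry only
        # app-sandbox and inherit; any other sandbox key aborts it.
        for k in sorted(sandbox_keys - {SANDBOX_KEY, INHERIT_KEY}):
            findings.append(f"{k} is not allowed together with {INHERIT_KEY}")
    groups = ent.get(GROUPS_KEY)
    if groups is not None and (not isinstance(groups, list) or not groups):
        findings.append(f"{GROUPS_KEY} must be a non-empty array of strings")
    for g in (groups if isinstance(groups, list) else []):
        team, _, name = g.partition(".") if isinstance(g, str) else ("", "", "")
        if not team or not name:  # must be <team-id>.<name>
            findings.append(f"bad group id {g!r}: expected <team-id>.<name>")
    return findings

if __name__ == "__main__":
    for label, data in (("child", CHILD_ENTITLEMENTS), ("app", APP_ENTITLEMENTS)):
        print(label, check_entitlements(data))
```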
`scripting-targets` entitlement and a temporary entitlement together, to provide support across different versions of the OS. For more information, see Apple Event Temporary Exception.

| Entitlement key | Description |
|---|---|
| com.apple.security.scripting-targets | Ability to use specific AppleScript scripting access groups within a specific scriptable app |

`sdef`.