On MacOSX 10.14 (Mojave) the behavior changed, the following code runs on 10.13 but fail on 10.14.The creation of "CGEventTapCreate" is failing (returning null) on Mojave but works before.Any thoughts? Thanks in advance!// alterkeys.c // http://osxbook.com // // Complile using the following command line: // clang -Wall -o alterkeys alterkeys.c -framework ApplicationServices // #include <ApplicationServices/ApplicationServices.h> // This callback will be invoked every time there is a keystroke. // CGEventRef myCGEventCallback(CGEventTapProxy proxy, CGEventType type, CGEventRef event, void *refcon) { // Paranoid sanity check. if ((type != kCGEventKeyDown) && (type != kCGEventKeyUp)) return event; // The incoming keycode. CGKeyCode keycode = (CGKeyCode)CGEventGetIntegerValueField( event, kCGKeyboardEventKeycode); // Swap 'a' (keycode=0) and 'z' (keycode=6). if (keycode == (CGKeyCode)0) keycode = (CGKeyCode)6; else if (keycode == (CGKeyCode)6) keycode = (CGKeyCode)0; // Set the modified keycode field in the event. CGEventSetIntegerValueField( event, kCGKeyboardEventKeycode, (int64_t)keycode); // We must return the event for it to be useful. return event; } int main(void) { CGEventMask eventMask = CGEventMaskBit(kCGEventLeftMouseDown) | CGEventMaskBit(kCGEventLeftMouseUp); CFMachPortRef eventTap = CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap, 0, eventMask, myCGEventCallback, NULL); if (!eventTap) { fprintf(stderr, "failed to create event tap\n"); exit(1); } // Create a run loop source. CFRunLoopSourceRef runLoopSource = CFMachPortCreateRunLoopSource( kCFAllocatorDefault, eventTap, 0); // Add to the current run loop. CFRunLoopAddSource(CFRunLoopGetCurrent(), runLoopSource, kCFRunLoopCommonModes); // Enable the event tap. CGEventTapEnable(eventTap, true); // Set it all running. CFRunLoopRun(); // In a real program, one would have arranged for cleaning up. exit(0); }

Modern versions of macOS use a file system permission model that’s far more complex than the traditional BSD rwx model, and this post is my attempt at explaining that model. If you have a question about this, post it here on DevForums, tagging your thread with Files and Storage so that I see it. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" On File System Permissions Modern versions of macOS have four different file system permission mechanisms: Traditional BSD permissions Access control lists (ACLs) App Sandbox Mandatory access control (MAC) The first two were introduced a long time ago and rarely trip folks up. The second two are newer, more complex, and specific to macOS, and thus are the source of some confusion. This post is my attempt to clear that up. Error Codes App Sandbox and the mandatory access control system are both implemented using macOS’s sandboxing infrastructure. When a file system operation fails, check the error to see whether it was blocked by this sandboxing infrastructure. If an operation was blocked by BSD permissions or ACLs, it fails with EACCES (Permission denied, 13). If it was blocked by something else, it’ll fail with EPERM (Operation not permitted, 1). If you’re using Foundation’s FileManager, these error are both reported as Foundation errors, for example, the NSFileReadNoPermissionError error. To recover the underlying error, get the NSUnderlyingErrorKey property from the info dictionary. App Sandbox File system access within the App Sandbox is controlled by two factors. The first is the entitlements on the main executable. There are three relevant groups of entitlements: The com.apple.security.app-sandbox entitlement enables the App Sandbox. This denies access to all file system locations except those on a built-in allowlist (things like /System) or within the app’s containers. The various “standard location” entitlements extend the sandbox to include their corresponding locations. The various “file access temporary exceptions” entitlements extend the sandbox to include the items listed in the entitlement. Collectively this is known as your static sandbox. The second factor is dynamic sandbox extensions. The system issues these extensions to your sandbox based on user behaviour. For example, if the user selects a file in the open panel, the system issues a sandbox extension to your process so that it can access that file. The type of extension is determined by the main executable’s entitlements: com.apple.security.files.user-selected.read-only results in an extension that grants read-only access. com.apple.security.files.user-selected.read-write results in an extension that grants read/write access. Note There’s currently no way to get a dynamic sandbox extension that grants executable access. For all the gory details, see this post. These dynamic sandbox extensions are tied to your process; they go away when your process terminates. To maintain persistent access to an item, use a security-scoped bookmark. See Accessing files from the macOS App Sandbox. To pass access between processes, use an implicit security scoped bookmark, that is, a bookmark that was created without an explicit security scope (no .withSecurityScope flag) and without disabling the implicit security scope (no .withoutImplicitSecurityScope flag)). If you have access to a directory — regardless of whether that’s via an entitlement or a dynamic sandbox extension — then, in general, you have access to all items in the hierarchy rooted at that directory. This does not overrule the MAC protection discussed below. For example, if the user grants you access to ~/Library, that does not give you access to ~/Library/Mail because the latter is protected by MAC. Finally, the discussion above is focused on a new sandbox, the thing you get when you launch a sandboxed app from the Finder. If a sandboxed process starts a child process, that child process inherits its sandbox from its parent. For information on what happens in that case, see the Note box in Enabling App Sandbox Inheritance. IMPORTANT The child process inherits its parent process’s sandbox regardless of whether it has the com.apple.security.inherit entitlement. That entitlement exists primarily to act as a marker for App Review. App Review requires that all main executables have the com.apple.security.app-sandbox entitlement, and that entitlements starts a new sandbox by default. Thus, any helper tool inside your app needs the com.apple.security.inherit entitlement to trigger inheritance. However, if you’re not shipping on the Mac App Store you can leave off both of these entitlement and the helper process will inherit its parent’s sandbox just fine. The same applies if you run a built-in executable, like /bin/sh, as a child process. When the App Sandbox blocks something, it typically generates a sandbox violation report. For information on how to view these reports, see Discovering and diagnosing App Sandbox violations. To learn more about the App Sandbox, see the various links in App Sandbox Resources. For information about how to embed a helper tool in a sandboxed app, see Embedding a Command-Line Tool in a Sandboxed App. Mandatory Access Control Mandatory access control (MAC) has been a feature of macOS for many releases, but it’s become a lot more prominent since macOS 10.14. There are many flavours of MAC but the ones you’re most likely to encounter are: Full Disk Access (macOS 10.14 and later) Files and Folders (macOS 10.15 and later) Data container protection (macOS 14 beta and later) Data Vaults (see below) Mandatory access control, as the name suggests, is mandatory; it’s not an opt-in like the App Sandbox. Rather, all processes on the system, including those running as root, as subject to MAC. Data Vaults are not a third-party developer opportunity. See this post if you’re curious. In the Full Disk Access and Files and Folders cases, users grant a program a MAC privilege using System Settings > Privacy & Security. Some MAC privileges are per user (Files and Folders) and some are system wide (Full Disk Access). If you’re not sure, run this simple test: On a Mac with two users, log in as user A and enable the MAC privilege for a program. Now log in as user B. Does the program have the privilege? If a process tries to access an item restricted by MAC, the system may prompt the user to grant it access there and then. For example, if an app tries to access the desktop, you’ll see an alert like this: “AAA” would like to access files in your Desktop folder. [Don’t Allow] [OK] To customise this message, set Files and Folders properties in your Info.plist. This system only displays this alert once. It remembers the user’s initial choice and returns the same result thereafter. This relies on your code having a stable code signing identity. If your code is unsigned, or signed ad hoc (“Signed to run locally” in Xcode parlance), the system can’t tell that version N+1 of your code is the same as version N, and thus you’ll encounter excessive prompts. Note For information about how that works, see TN3127 Inside Code Signing: Requirements. The Files and Folders prompts only show up if the process is running in a GUI login session. If not, the operation is allowed or denied based on existing information. If there’s no existing information, the operation is denied by default. For all the details about data container protection, see WWDC 2023 Session 10053 What’s new in privacy. On managed systems the site admin can use the com.apple.TCC.configuration-profile-policy payload to assign MAC privileges. For testing purposes you can reset parts of TCC using the tccutil command-line tool. For general information about that tool, see its man page. For a list of TCC service names, see the posts on this thread. Note TCC stands for transparency, consent, and control. It’s the subsystem within macOS that manages most of the privileges visible in System Settings > Privacy & Security. TCC has no API surface, but you see its name in various places, including the above-mentioned configuration profile payload and command-line tool, and the name of its accompanying daemon, tccd. While tccutil is an easy way to do basic TCC testing, the most reliable way to test TCC is in a VM, restoring to a fresh snapshot between each test. If you want to try this out, crib ideas from Testing a Notarised Product. The MAC privilege mechanism is heavily dependent on the concept of responsible code. For example, if an app contains a helper tool and the helper tool triggers a MAC prompt, we want: The app’s name and usage description to appear in the alert. The user’s decision to be recorded for the whole app, not that specific helper tool. That decision to show up in System Preferences under the app’s name. For this to work the system must be able to tell that the app is the responsible code for the helper tool. The system has various heuristics to determine this and it works reasonably well in most cases. However, it’s possible to break this link. I haven’t fully research this but my experience is that this most often breaks when the child process does something ‘odd’ to break the link, such as trying to daemonise itself. If you’re building a launchd daemon or agent and you find that it’s not correctly attributed to your app, add the AssociatedBundleIdentifiers property to your launchd property list. See the launchd.plist man page for the details. Scripting MAC presents some serious challenges for scripting because scripts are run by interpreters and the system can’t distinguish file system operations done by the interpreter from those done by the script. For example, if you have a script that needs to manipulate files on your desktop, you wouldn’t want to give the interpreter that privilege because then any script could do that. The easiest solution to this problem is to package your script as a standalone program that MAC can use for its tracking. This may be easy or hard depending on the specific scripting environment. For example, AppleScript makes it easy to export a script as a signed app, but that’s not true for shell scripts. TCC and Main Executables TCC expects its bundled clients — apps, app extensions, and so on — to use a native main executable. That is, it expects the CFBundleExecutable property to be the name of a Mach-O executable. If your product uses a script as its main executable, you’re likely to encounter TCC problems. To resolve these, switch to using a Mach-O executable. For an example of how you might do that, see this post. Revision History 2023-06-13 Replaced two obsolete links with links to shiny new official documentation: Accessing files from the macOS App Sandbox and Discovering and diagnosing App Sandbox violations. Added a short discussion of data container protection and a link to WWDC 2023 Session 10053 What’s new in privacy. 2023-04-07 Added a link to my post about executable permissions. Fixed a broken link. 2023-02-10 In TCC and Main Executables, added a link to my native trampoline code. Introduced the concept of an implicit security scoped bookmark. Introduced AssociatedBundleIdentifiers. Made other minor editorial changes. 2022-04-26 Added an explanation of the TCC initialism. Added a link to Viewing Sandbox Violation Reports.  Added the TCC and Main Executables section. Made significant editorial changes. 2022-01-10 Added a discussion of the file system hierarchy. 2021-04-26 First posted.

I have created a command line application with Xcode, the application acquires permissions to capture screen (for example) however then I would like to remove only it with the command tccutil reset All [bundler id] the problem is that my executable seems to have no bundler id and I don't know how to remove it. I have also modified the Product Bundle Identifier option in the Build Settings tab but this didn't work either.

I have given location permission for the app i'm developing. Now i need to reset location permission and want to see the permission pop-up. I have tried tccutil reset and /var/db/locationd/clients.plist is not accessible. Both are failing even with sudo. Please suggest any methods.

In iOS 16, UIDevice.name has changed to only return the model of the device, not the user specified name. There is an entitlement, com.apple.developer.device-information.user-assigned-device-name that can be requested to keep the old behaviour, but I can't find any info on how to request that entitlement. Anyone able to help?

Hi, in the video wwdc2022-10096 at about 05:45 it is explained how to allow other software to update your software by adding team-idetifiers an signing-identifiers to an Info.plist. I would need a few more details. Which Info.plist file do I have to change? I use pkgbuild to build the packages and productbuild to combine them. pkgbuild --analyse --root generates an .plist-file for every single package. Do I have to add the Information there? productbuild --sythesize generates an xml-file discribing the whole thing. This would refer better to the installer as a whole, but it is not an info.plist. How and where exactly to add the information? I tried to use plutil, but it doesn't like array-names to start with numbers as team-identifiers often do. Also it crashes quite often. The .plist-files generated by pkgbuild either contain an empty array or several unnamed items. [ ] Do I even need to add something threre? The other one contains several Items: [   0 => {     "BundleIsRelocatable" => 0     "BundleIsVersionChecked" => 1     "BundleOverwriteAction" => "upgrade"     "NSUpdateSecurityPolicy" => {       "AllowProcesses" => {         "123ABC" => [           0 => "com.example.pal.about"         ]       }     }     "RootRelativeBundlePath" => "Library/PreferencePanes/***.prefPane"   }   1 => {     "BundleIsRelocatable" => 0     "BundleIsVersionChecked" => 1     "BundleOverwriteAction" => "upgrade"     "NSUpdateSecurityPolicy" => {       "AllowProcesses" => {         "123ABC" => [           0 => "com.example.pal.about"         ]       }     }     "RootRelativeBundlePath" => "Library/Frameworks/***.framework"   }   2 => {     "BundleHasStrictIdentifier" => 1     "BundleIsRelocatable" => 0     "BundleIsVersionChecked" => 1     "BundleOverwriteAction" => "upgrade"     "NSUpdateSecurityPolicy" => {       "AllowProcesses" => {         "123ABC" => [           0 => "com.example.pal.about"         ]       }     }     "RootRelativeBundlePath" => "Applications/***.app"   } ] Should it look like this? A more detailed example would be great. Thanks!

I've searched and tried many ways to enable "Developer Mode" on my iPhone 11 (iOS 15.5). I've tried to find it in my settings, but my iPhone doesn't have the "Privacy & Security" option in my settings. What could be the reason and the possible solution for it?

Hello 👋🏽 I am a new iOS developer and I am having a hard time understanding the behavior of the new UIPasteControl to avoid showing the system prompt. Does anyone has any example code I could look at to understand the behavior. Idk how to set the target of the button to the general pasteboard. also I am using objective-c . thanks cristian

Hi, I have an extensive macOS test suite that accesses a lot of files located on an external volume (several Tbytes of databases, images,...). After moving to Ventura this test suite is broken. More specifically, when trying to access .sqlite databases I receive a SQL error 23: unauthorised access. This is just the symptom of the fact that I do not seem to have the access rights on those files from the test suite. I verified that by moving such a .sqlite file to /tmp, it opens fine and the corresponding test succeeds. I tried fixing those rights by giving Full Disk Access (FDA) to Xcode, to xctest...but the problem persists. Anyone out there having the same issue that found a fix ? I should add that this test suite is associated with a framework (Swift package) and I have no Xcode project associated with it...just a plain Package.swift file. So I can't really fiddle with project level settings. They surely must exist a way to access any file from a test suite even if it is located on an external disk, etc... Thanks Matthieu

Hello everyone, We noticed that iOS 16 devices no longer have access to user-assigned device name and, after digging in the forums, found out the information to request the entitlement. https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_device-information_user-assigned-device-name We've submitted the request back in Oct, received a Case-ID number, but nothing after that... Tried emailing them back in Nov (privacy-entitlement at apple dot com), but never heard back... Has anyone successfully requested and received the entitlement? Any hints/tips on how to get it? Appreciate your help

We have used Forticlient AV/VPN clients in our environment and I find that after using their client uninstaller there are items still listed in the privacy settings for Full Disk Access. The files they reference have been removed but the TCC.db still contains the "Allowed" setting. I have run into this issue in Big Sur, Monterey and Ventura. Using the tccutil reset SystemPolicyAllFiles removes them from the GUI (and everything else unfortunately from Full Disk Access) but I find that when querying the TCC.db they still exist with Full Disk Access. Trying to target by bundleID just generates an error. (i.e. tccutil reset SystemPolicyAllFiles com.forticlient.FortiClient returns tccutil: No such bundle identifier "com.fortinet.FortiClientAgent": The operation couldn’t be completed. (OSStatus error -10814.) With the handy script from Mac-Nerd I can see that there are still entries. Mac-TCC-DB-Translator.sh output (excerpted) How can I clear these entries from the TCC.db other than deleting the file? That would be excessively destructive in our environment and troublesome for users.

I'm not sure what is special about Gmail of if this is an issue on other sites as well, but my declarativeNetRequest rules are totally ignored in a Safari Extension that runs on Gmail. I make an web extension that blocks email trackers (1x1 pixel images embedded in emails to track if and when you open email sent to you). All images in Gmail are loaded through Google's proxy: googleusercontent.com/proxy/#originalURL But no matter what I do, I can't block a single image that is loaded in an email. To try and prove it is a bug in Safari, I created a new template web extension in Xcode. I block all resourceTypes (images and other should be all that is needed) and added two rules: Block all images loaded through Google's proxy server (this should block all embedded images in all emails) Block any image with copper in the URL (just in case the blocking doesn't apply to the proxy root url for some reason). {   "id": 1,   "priority": 1,   "action": { "type": "block" },   "isUrlFilterCaseSensitive": false,   "condition": {    "regexFilter": "googleusercontent.com/proxy",    "resourceTypes": [     "image",     "media",     "main_frame",     "sub_frame",     "stylesheet",     "script",     "font",     "xmlhttprequest",     "ping",     "websocket",     "other"    ]   }  },  {   "id": 2,   "priority": 1,   "action": { "type": "block" },   "isUrlFilterCaseSensitive": false,   "condition": {    "regexFilter": "copper",    "resourceTypes": [     "image",     "media",     "main_frame",     "sub_frame",     "stylesheet",     "script",     "font",     "xmlhttprequest",     "ping",     "websocket",     "other"    ]   }  } ] = = = = = = Even though I know this isn't needed, I also added the requester domain (mail.google.com) and the proxy domain (googleusercontent.com) to the permissions list in the manifest file: ... "declarative_net_request": {    "rule_resources": [{      "id": "ruleset_1",      "enabled": true,      "path": "rules.json"     }]   },  "permissions": [    "declarativeNetRequest",    "*://mail.google.com/*",   "*://*.googleusercontent.com/proxy/*" ] = = = = = = If I open an email from copper, the image still loads in Gmail: = = = = = = If I right click and select "Open Image in New Tab", the image will not load and I am told it was blocked = = = = = = If I open a test page that has two images in it, one the image from the email, the image is blocked and the other image is not (as expected, the second image is from wikipedia and should not be blocked) = = = = = = Running the same extension in Chrome DOES block the image in Gmail (and in all the other cases too) = = = = = = Sidenotes: This is a reposting of this post which was locked when the wwdc21-10131 tag was applied to the post which disabled my ability to reply, comment, or update the post. Please do NOT apply tags that lock the post. As requested on the original post by @bweinstein, I filed a bug report on Feedback assistant under FB 10544296 last year and haven't gotten any replies on it. I verified before reposting this (on Mar 1, 2023) that the bug still exists.

Hi, The "Siri & Search" option is listed in my app's settings and I'd like to know how to remove it. I'm pretty sure it wasn't listed when I first started developing my app over a year ago and I never added any Siri related entitlements to my app, not sure when it started being there. It seems half of the apps on my device (from other developers) have this listed, other half do not, so it's not there by default. I've checked my entitlements file, nothing related to Siri. Checked capabilities, nothing there either related to Siri. I know my users could go and manually block the app's data from being accessible but I'd rather remove the option entirely and definitely don't want it on by default. Shows up on at least iOS 15 and iOS 16. Thanks! Colin

Hello, I'm responsible for several apps within my company. We tried to apply for the user-assigned device name entitlement, but again we didn't get the approval: "Thank you for your interest in the user-assigned device name entitlement. We are unable to approve your request at this time." We use in our app the bluetooth connect and want to show the user in the vehicles the device name. Currently it's just "iPhone". Does somebody know how I can contact Apple to fix this? I chose this answers: Will your app display the user assigned device name to the user? No Will your app use the device name solely for functionality in a way that the user can easily see and understand? Yes Will your app functionality support interaction between multiple devices operated by the same user? Yes Will your app share the device name with any service providers or third parties other than a cloud hosting service provider? No Would be great to get any feedback with this. Thanks a lot.