Entitlements for VMWare et al to access USB devices

How does VMWare access USB devices without having any specifics of the USB device? Does it use the same profile/entitlement process or does it take a different approach?

Replies

The way to capture USB devices on macOS is with IOUSBHostDevice passing the IOUSBHostObjectInitOptionsDeviceCapture option. Note that this requires the "com.apple.vm.device-access" restricted entitlement.

My colleague wrote:

Note that this requires the "com.apple.vm.device-access" restricted entitlement.

There are a few things to note about this. First, this is a managed capability; you have to apply to Apple for authority to use it.

Second, this entitlement is only relevant to hypervisor apps that ship in the Mac App Store. Apps that are distributed directly (using Developer ID signing) don’t need this entitlement because they can achieve the same goal by escalating privileges.

Finally, while I can’t comment on other developers’ apps, it’s easy to see which entitlements a macOS app has:

% codesign -d --entitlements - /Applications/Pages.app
…
[Dict]
    …
    [Key] com.apple.application-identifier
    [Value]
        [String] 74J34U3R6X.com.apple.iWork.Pages
    …
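As an added example (not code from the thread or from Apple), the same check can be automated for an audit: export an app’s entitlements as an XML plist with `codesign -d --entitlements :- /path/to/Some.app > ents.plist` and feed the bytes to the script below, which reports which of a watch list of restricted entitlements (such as the "com.apple.vm.device-access" one mentioned above) the signature actually grants. The embedded plist, its team ID and its bundle identifier are constructed placeholders, not real values; the script also handles the 8‑byte blob header that older `codesign` versions prepend when the colon prefix is omitted.

```python
"""Report which restricted entitlements an app's code signature grants.

Added example, not from the forum thread. Input is the XML plist that
`codesign -d --entitlements :- App.app` writes; SAMPLE_PLIST below is a
constructed stand-in with placeholder identifiers.
"""
import plistlib
from typing import Any, Dict, Iterable, List

# Magic number of an embedded-entitlements blob (CSMAGIC_EMBEDDED_ENTITLEMENTS).
# Without the ':' prefix, older codesign output starts with this 4-byte magic
# followed by a 4-byte big-endian length, then the plist itself.
ENTITLEMENT_BLOB_MAGIC = b"\xfa\xde\x71\x71"

# Constructed sample: a sandboxed app whose signature carries the VM
# device-access entitlement. TEAMID0000 / com.example.hypervisor are placeholders.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID0000.com.example.hypervisor</string>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID0000</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.vm.networking</key>
    <false/>
    <key>com.apple.vm.device-access</key>
    <true/>
</dict>
</plist>
"""


def strip_blob_header(data: bytes) -> bytes:
    """Remove the 8-byte entitlements blob header if one is present."""
    if data.startswith(ENTITLEMENT_BLOB_MAGIC) and len(data) >= 8:
        declared_len = int.from_bytes(data[4:8], "big")
        # The declared length covers the header; ignore it if inconsistent.
        body = data[8:]
        if declared_len == len(data):
            return body
        return body
    return data


def load_entitlements(data: bytes) -> Dict[str, Any]:
    """Parse the entitlements plist into a dict, rejecting non-dict roots."""
    ents = plistlib.loads(strip_blob_header(data))
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist root is not a dict")
    return ents


def granted(ents: Dict[str, Any], key: str) -> bool:
    """True only if the entitlement is present *and* effectively enabled.

    A key set to <false/>, an empty array or an empty string is present in
    the plist but grants nothing, so it is reported as not granted.
    """
    value = ents.get(key)
    if value is True:
        return True
    if isinstance(value, (list, str)):
        return len(value) > 0
    return False


def report(ents: Dict[str, Any], watch: Iterable[str]) -> List[str]:
    """Return the sorted subset of `watch` that the signature grants."""
    return sorted(k for k in watch if granted(ents, k))


if __name__ == "__main__":
    # Restricted entitlements worth flagging in a review; the first is the one
    # named in the thread, the second is another Virtualization-related one.
    WATCH = ["com.apple.vm.device-access", "com.apple.vm.networking"]
    ents = load_entitlements(SAMPLE_PLIST)
    for key in report(ents, WATCH):
        print(f"granted restricted entitlement: {key}")
```

To run it against a real app, replace SAMPLE_PLIST with the bytes read from the exported plist file; entitlements set to `<false/>` (like the networking one in the sample) are deliberately not reported, since their presence alone grants nothing.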

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo , thanks for your help!

Do any of the approaches to escalating privileges work on iPadOS? It struck me that it might be possible to run a virtual machine on an M1 iPad with more USB access than a normal app.

Hypervisor, Virtualization, and IOUSBHost frameworks are macOS only.

  • @BenjaminApple , IOUSBHost seems to be a part of DriverKit (i.e. also exists in iPadOS on an M processor). Is there something I can read that will explain how USB access should work on iPadOS? I think I also read that DriverKit includes portions of IOKit and this has me further confused as to what should work and what should not work.

    Thanks for helping me steer through this!


Do any of the approaches to escalating privileges work on iPadOS?

No.

It struck me that it might be possible to run a virtual machine on an M1 iPad with more USB access than a normal app.

I can’t imagine how that might work. In general, a guest can’t have more privileges than a host.

Also, as my colleague pointed out, neither of our VM frameworks (Hypervisor and Virtualization) are available on iPadOS.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@BenjaminApple and @eskimo , IOUSBHost seems to be a part of DriverKit (i.e. also exists in iPadOS on an M processor). Is there something I can read that will explain how USB access should work on iPadOS? I think I also read that DriverKit includes portions of IOKit and this has me further confused as to what should work and what should not work. Thanks for helping me steer through this.

DriverKit on iPadOS has significant restrictions. As an app developer you cannot use it to access arbitrary USB devices. A DEXT developer can create a DEXT for their USB device and then access it via the DEXT’s user client from their app. They can also make that user client available to other apps.

The entitlements required to do this are available to all developers for development. To distribute your DEXT you have to request access to the distribution managed capabilities. See Developer > System Extensions and DriverKit for more background on this. Also, Finding a Capability’s Distribution Restrictions.

In short, if you’re hoping to use DriverKit as part of some sort of VM app, that’s unlikely to work for both technical and business reasons.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo , you said above that "The entitlements required to do this are available to all developers for development". I have not been able to figure out how to do that on iPadOS. (I believe that) iPadOS apps need to be signed and provisions provided and entitlements granted. Is it possible to develop software for iPadOS that does not require Apple to grant entitlement for a specific USB device (to associate with a DEXT)? Or is there another approach? Or am I not understanding correctly?

Thanks!!!

Gene

Just to clarify, by “all developers” I mean “developers who are members of an Individual or Organization team”. This stuff won’t work for a Personal Team. I’m not sure what the story is for an Enterprise team, or other cases, like Managed Apple IDs.

With that proviso, DriverKit entitlements are managed by the Capabilities tab in Certificates, Identifiers & Profiles > Identifiers. There are a lot of DriverKit capabilities there. If you apply the technique from Finding a Capability’s Distribution Restrictions you’ll see that they’re all assigned:

  • A Platform Support value of iOS and macOS [1]

  • A Distribution Support value of Development

If you are granted authorisation to use these in production, you’ll see similar DriverKit entries show up in the Additional Capabilities tab. These have additional Distribution Support values, most notably App Store and Developer ID.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] iOS is standing in for iPadOS here. DriverKit is not available on iOS proper.

Thank you again!