How to find WHY my app triggers LNP popoup on MacOS 15

Question

Created Sep ’24

Replies 4

Boosts 1

Participants 2

My App is a rather small menu-bar status-item app with 2 informational windows. It does NOT make use of ANY of the APIs mentioned here: https://developer.apple.com/forums/thread/663874 that are bound to need "Local Network" hence trigger TCC dialog.

Yet - on first run of the app, the dialog pops.

App is Obj-C, and the only APIs used are Notification-Center (for scheduling local notifications to the user), XPC connections and calls to other (our) apps for gathering that information, plus normal AppKit windowing (Controls, Text-fields, etc.) nothing else.

Obviously SOMETHING I do causes the thing - and I know for sure this app DOES NOT NEED access to the local network - only I do not know how to identify the specific API I need to avoid using (or change the way I'm using)

Are there any specific system logs to watch for?
Is there any official set of APIs that will trigger the dialog?
Provided that I cannot avoid this - could this permission be granted via MDM profile payload? Our product comes with

Answered by DTS Engineer in 804585022

Are there any specific system logs to watch for?

I’ve yet to come up with such a list. My experience from iOS is that not all LNP triggers will actually result in system log entries. However, some do, and so it is useful in to look in the system log to see what you can see. Search for both Local Network and LocalNetwork, case insensitively.

One approach that you can use is to add your own log points to your app’s startup sequence. If you then see an LNP log event, you can compare its timing with the timing of your log points.

The other approach is just to temporarily rip stuff out of your app until it stops generating the alert, and then more slowly add stuff back in to try to isolate the cause.

Is there any official set of APIs that will trigger the dialog?

No. It’s actually quite hard to do that because a) there are a lot of networking APIs, and b) they only trigger LNP when you talk to the local network. So, for example, the BSD Sockets connect call might trigger LNP, or you might only be using it for remote networking, or you might just be using it for IPC via a Unix domain socket.

Provided that I cannot avoid this - could this permission be granted via MDM profile payload?

Last I checked there’s no configuration profile payload to suppress LNP. I’m pretty sure I’ve sent others folks off to file an enhancement request for that. I don’t recall whether anyone did that, so I recommend that you file your own.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Sep ’24

Recommended

Are there any specific system logs to watch for?

I’ve yet to come up with such a list. My experience from iOS is that not all LNP triggers will actually result in system log entries. However, some do, and so it is useful in to look in the system log to see what you can see. Search for both Local Network and LocalNetwork, case insensitively.

One approach that you can use is to add your own log points to your app’s startup sequence. If you then see an LNP log event, you can compare its timing with the timing of your log points.

The other approach is just to temporarily rip stuff out of your app until it stops generating the alert, and then more slowly add stuff back in to try to isolate the cause.

Is there any official set of APIs that will trigger the dialog?

No. It’s actually quite hard to do that because a) there are a lot of networking APIs, and b) they only trigger LNP when you talk to the local network. So, for example, the BSD Sockets connect call might trigger LNP, or you might only be using it for remote networking, or you might just be using it for IPC via a Unix domain socket.

Provided that I cannot avoid this - could this permission be granted via MDM profile payload?

Last I checked there’s no configuration profile payload to suppress LNP. I’m pretty sure I’ve sent others folks off to file an enhancement request for that. I don’t recall whether anyone did that, so I recommend that you file your own.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

suMac OP

Sep ’24

Playing hide and seek with my code to catch the API that indirectly needs "Local Network" permission is not only tedious - it's almost impossible

Once the Dialog is up - a TCC entry is created in the TCC database records - no matter if the user answers yes or no, or doesn't even answer at all. It is created even if you cut the electricity to the Mac. From then on, no dialog will ever pop. The app gets a "NO" for Local network access, and works with that.

I have NOT found a reasonable way to reset this TCC entry, and as far as I understand - there isn't any. The best I could till now - is to erase the user account and recreate it.

But then --- reinstalling all the stuff there, and debugging with another subset of the code - this becomes insanely cumbersome.

This is really annoying!!! how can any API require permission, without having at least a name, or some footprint in the OS logs? This is Mac and not IOS, and the available APIs are quite extensive.

I'd like to know at least WHY my app wants this? I can't think of anything "network" in my app to start with! isn't this something that should be mentioned in the documentation somewhere?

0

Answer 3

suMac OP

Sep ’24

Once I remember there was some tool that you would run your binary through, and it would tell you which MacOS APIs you have used...

This was decades ago, maybe on the move from Carbon to Cocoa, or from 32 to 64 bit, or maybe even from MacOS to iOS... can't recall now. Does such tool exist ?

In my case, anything beyond very basic "Foundation" should be really minimal - so just looking at the list may be useful,

This app does almost nothing when launched (merely makes XPC connections to other components of the product, and receives some "configuration" data via these connections. Then - when required by other components, it emits Notifications (via Notification Center) and updates a small popover window "data model". That's all.

What could be this thing?

0

Answer 4

DTS Engineer OP

Apple

Sep ’24

I have NOT found a reasonable way to reset this TCC entry

I agree that there should be an easy way to reset this, and I encourage you to file an enhancement request for that.

I also think it’d be reasonable to file another ER for better logging in this space. It’d be nice if the system logged the backtrace of the call that triggered the prompt.

If you do file any bugs, please post their bug number, just for the record.

In the meantime, I use a VM to solve problems this like. That allows me to restore to a snapshot after each test.

Once I remember there was some tool that you would run your binary through, and it would tell you which [macOS] APIs you have used

There are various tools for this. The ‘ur’ tool is nm, but these days I tend to favour dyld_info.

I have a bunch of info about linking topic, include info on how to find documentation for these tools, in An Apple Library Primer.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0