App Groups and macOS 15

Hi, I just updated my machine to macOS 15, and while developing and running my app (with Xcode), I keep getting messages about my app "would like to access data from other apps". This happens even from Xcode Previews, so it's pretty annoying. My production app doesn't seem to be affected by this problem; the system prompt just pops when running the debug version.

I came across something about App Groups in macOS and how something has changed in macOS 15 regarding system permissions. I use the "group.***" prefix in my macOS app, without the team prefix. Is that the problem here? But why is my production app working fine, but the development app is triggering the prompt repeatedly?

Would love any feedback or workarounds. Thanks.

Answered by DTS Engineer in 810451022

I have a bunch of info about this issue in my App Groups: macOS vs iOS: Fight! I recommend that you read that before committing to any solution for the production deployment of your app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@zulfishah Please keep me updated if you find a solution. The prompts are extremely annoying, and worst of all, it doesn’t respect the "Allow" setting.

Accepted Answer

I went to Settings -> Privacy & Security -> Full Disk Access, and enabled the setting there for my app. That stopped all the warnings coming up.

@DTS Engineer I haven’t been able to resolve the issue, and I’ve also decided to skip trying full access permissions.

The problem only occurs in the debug build. This setup involves a macCatalyst app that includes a secondary macCatalyst command-line app. Both apps share the same application group (com.apple.security.application-groups). The second app functions as a native messaging host for browsers like Chrome and Firefox, serving as the interface between the browser extension and the main app to facilitate data exchange.

This setup was working without issues on macOS 14, but since updating to macOS 15, I keep seeing the permissions dialog. However, even when selecting “Allow,” the action isn’t being accepted or processed. In the release build, everything functions as expected without triggering any permissions dialog.

Is there a way to debug or resolve this permissions issue effectively? Any insights would be much appreciated!

Thanks in advance!

This setup involves a macCatalyst app that includes a secondary macCatalyst command-line app.

Is the secondary “app” packaged in an app-like wrapper? Or is it just a standalone executable? That is, does your bundle look like this:

MyApp.app/
    Contents/
        MacOS/
            MyApp
            MySecondaryApp
        …

Or like this:

MyApp.app/
    Contents/
        MacOS/
            MyApp
            MySecondaryApp.app/
                Contents/
                    MacOS/
                        MySecondaryApp
                    …
        …

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The secondary app is packaged in an app-like wrapper and worked perfectly on macOS 14 without permission dialogs, and it works in release builds on macOS 15 without permission dialogs.

MyApp.app/
    Contents/
        MacOS/
            MyApp
            MySecondaryApp.app/
                Contents/
                    MacOS/
                        MySecondaryApp

Thanks for confirming that.

I would expect this to work. When you use an iOS-style app group ID in a Mac Catalyst app, Xcode generates a provisioning profile to authorise that use. So this use falls under case D in App Groups: macOS vs iOS: Fight!.

Consider this tiny test app I just created:

% codesign -d --entitlements - Debug-maccatalyst/Test766580.app
Executable=/Users/quinn/Library/Developer/Xcode/DerivedData/Test766580-beavevigoaauqrfhkfssttblupau/Build/Products/Debug-maccatalyst/Test766580.app/Contents/MacOS/Test766580
[Dict]
    …
    [Key] com.apple.security.application-groups
    [Value]
        [Array]
            [String] group.eskimo1.test
    [Key] com.apple.security.get-task-allow
    [Value]
        [Bool] true
    …
% security cms -D -i Debug-maccatalyst/Test766580.app/Contents/embedded.provisionprofile | plutil -p -
{
  …
  "Entitlements" => {
    …
    "com.apple.security.application-groups" => [
      0 => "group.eskimo1.test"
    ]
    …
  }
  …
}

Note the presence of com.apple.security.get-task-allow, showing that this is a development build. And that group.eskimo1.test is claimed by the entitlements and that claim is authorised by the profile.

Please run these commands over the development build of MyApp and confirm that the group entitlement and profile are as expected. Then do the same for the copy of MySecondaryApp embedded within MyApp.

IMPORTANT Make sure to look at the embedded app, because that’s the app that matters. There’ll likely be a copy of MySecondaryApp in Debug-maccatalyst, but that’s the app before it’s been embedded, and there’s a possibility that Xcode’s embedding is changing things.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
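
The check requested in the post above (groups claimed by the signature versus groups authorised by the embedded profile), as an added example that is not part of the original thread or of Apple's tooling. The function names and the awk parsing of the two commands' text output are assumptions of this example; on macOS, pass the outer bundle and the embedded MySecondaryApp.app as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): list app groups that a bundle's signature
# claims but its embedded provisioning profile does not authorise.
export LC_ALL=C

# Reads `codesign -d --entitlements -` text ([Key]/[String] form) on stdin.
claimed_groups() {
    awk '/\[Key\]/ { g = ($2 == "com.apple.security.application-groups"); next }
         g && /\[String\]/ { print $2 }' | sort -u
}

# Reads `plutil -p` text of the decoded provisioning profile on stdin.
authorised_groups() {
    awk '/"com\.apple\.security\.application-groups" => \[/ { g = 1; next }
         g && $1 ~ /^\]/ { g = 0 }
         g { gsub(/"/, "", $3); print $3 }' | sort -u
}

# Args: two files of sorted group IDs. Prints claimed IDs missing from the profile.
unauthorised_groups() {
    comm -23 "$1" "$2"
}

# macOS only: runs both commands from the thread against one bundle.
# Returns 0 when every claimed group is authorised, 1 otherwise.
check_bundle() {
    tmp=$(mktemp -d) || return 2
    codesign -d --entitlements - "$1" 2>/dev/null | claimed_groups > "$tmp/claimed"
    security cms -D -i "$1/Contents/embedded.provisionprofile" 2>/dev/null |
        plutil -p - | authorised_groups > "$tmp/authorised"
    missing=$(unauthorised_groups "$tmp/claimed" "$tmp/authorised")
    rm -rf "$tmp"
    [ -z "$missing" ] && return 0
    printf '%s: claimed but not authorised: %s\n' "$1" "$missing"
    return 1
}

# Check every bundle given on the command line, e.g. the outer app and the
# embedded copy of the helper inside it.
for bundle in "$@"; do
    check_bundle "$bundle" || status=1
done
```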
