Persistent File Access Prompt in macOS 15 for Ad-Hoc Signed Apps Using App Groups

Question

BZG OP

Created 3w

Replies 1

Boosts 0

Participants 2

Hello everyone,

We develop an app called Unite (bundle ID: com.BZG.Unite), which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app). Here's how our setup works:

Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements.
User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity.

Issue

Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users.

Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears:

CleanShot 2024-10-31 at 13.16.16@2x.png

This prompt appears on every launch of the app.

Steps to Reproduce

On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest").
Launch the newly created app.
Observe the prompt requesting access to files outside the app's container.
Close and relaunch the app; the prompt appears again.

What We Have Tried

Given that our apps use an app group (group.BZG.unite.sharedData) to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group.

Here’s a summary of our troubleshooting efforts:

1. Adjusting App Group Configuration

Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID (teamid.group.BZG.unite.sharedData).
Verified that the app group is correctly declared in the com.apple.security.application-groups entitlement.

2. Provisioning Profile Creation

Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included.
Applied the provisioning profile to the user-created app during code signing.
Despite these efforts, the issue continues.

3. Entitlements and Code Signing

Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>id.com.BZG.ExampleTest</string>
    <key>com.apple.developer.team-identifier</key>
    <string>id</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>id.group.BZG.unite.sharedData</string>
    </array>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

Signed the user-created app with our Developer ID and the provisioning profile
Verified the entitlements

4. Reviewing System Logs

Observed error messages indicating unsatisfied entitlements:

message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups

**5. Consulting Documentation and WWDC Sessions **

Referenced post on App Groups in macOS vs iOS.
Reviewed the macOS 15 Release Notes regarding SIP and app group container protection.
Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23.

Questions

Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?
Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt?
Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?
Is there anything to try that we're missing here to solve this?

Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated.

Thank you for your assistance!

Boost

Answer 1

DTS Engineer OP

Apple

2w

First up, terminology. I’m going to use site-specific browser, or SSB, to denote the standalone apps that your main app saves.

I don’t see an easy path forward here )-: Let’s start with this:

Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?

No. The whole point of app group container protection is to prevent ‘random’ apps from reading stuff from your app group containers. There’s not much point having the feature if there’s a way to bypass it.

Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?

Possibly. I noticed that your app is sandboxed, but you’re also using Developer ID signing so it doesn’t have to be sandboxed. So I presume you’re sandboxing because it’s the right thing to do?

If so, that opens up more options, specifically, those around IPC. I’ll come back to that below.

Is there anything to try that we're missing here to solve this?

The one thing that you might not have come across is the com.apple.application-instance extended attribute discussed in Technote 2206 macOS Code Signing In Depth. It allows you to avoid re-signing your SSBs, and instead customise them using this extended attribute. That would avoid this problem entirely. Something to think about.

Coming back to the IPC thing, what sort of state do you need to share between your app and the SSBs? Normally you’d try to have each SSB isolated from the parent app, so I’m curious how much state we’re looking at.

If you only need to share small amounts of state then IPC might be an option. OTOH, if there’s a boatload of stuff that’s very file-system specific then IPC is going to be less fun.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0