Hello everyone,
We develop an app called Unite (bundle ID: com.BZG.Unite),
which allows users to create standalone macOS applications from websites. These user-generated apps are based on a backend browser template called DefaultApp (bundle ID: com.bzg.default.app).
Here's how our setup works:
- Unite and DefaultApp: Both are signed with our Developer ID and include necessary provisioning profiles and entitlements.
- User-Created Apps: When a user creates an app with Unite, it generates a customized version of DefaultApp with the user's chosen name and settings. These apps are ad-hoc signed upon creation to reflect their unique identity.
Issue
Since updating to macOS 15, every time a user launches a created app, they encounter a persistent prompt asking for permission to access files outside the app's container. Granting full disk access in System Preferences suppresses the prompt, but this is not a practical solution for end-users.
Upon launching a user-created app (e.g., "ExampleTest"), the following prompt appears:
This prompt appears on every launch of the app.
Steps to Reproduce
- On a Mac running macOS 15, create a new app using Unite (e.g., "ExampleTest").
- Launch the newly created app.
- Observe the prompt requesting access to files outside the app's container.
- Close and relaunch the app; the prompt appears again.
What We Have Tried
Given that our apps use an app group (group.BZG.unite.sharedData)
to share data between Unite, DefaultApp, and user-created apps, we believe this is triggering the prompt due to changes in System Integrity Protection (SIP) in macOS 15. We are further confident given that if the user does not allow access, the app does launch, but shows an error indicating that the created app was unable to access the data that is typically in the shared group.
Here’s a summary of our troubleshooting efforts:
1. Adjusting App Group Configuration
- Ensured the app group name aligns with Apple's guidelines, including prefixing with the Team ID
(teamid.group.BZG.unite.sharedData).
- Verified that the app group is correctly declared in the
com.apple.security.application-groups
entitlement.
2. Provisioning Profile Creation
- Generated provisioning profiles via Xcode and the Developer Console, ensuring the app group entitlement is included.
- Applied the provisioning profile to the user-created app during code signing.
- Despite these efforts, the issue continues.
3. Entitlements and Code Signing
- Created an entitlements file for the user-created app, mirroring the entitlements from DefaultApp, including:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>id.com.BZG.ExampleTest</string>
<key>com.apple.developer.team-identifier</key>
<string>id</string>
<key>com.apple.security.application-groups</key>
<array>
<string>id.group.BZG.unite.sharedData</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
- Signed the user-created app with our Developer ID and the provisioning profile
- Verified the entitlements
4. Reviewing System Logs
- Observed error messages indicating unsatisfied entitlements:
message: com.BZG.ExampleTest: Unsatisfied entitlements: com.apple.security.application-groups
**5. Consulting Documentation and WWDC Sessions **
- Referenced post on App Groups in macOS vs iOS.
- Reviewed the macOS 15 Release Notes regarding SIP and app group container protection.
- Watched WWDC 2024 Session 10123: What's new in privacy, starting at 12:23.
Questions
- Is there a way to authorize the com.apple.security.application-groups entitlement in the provisioning profile for ad-hoc signed apps?
- Given the SIP changes in macOS 15, how can we enable our ad-hoc signed, user-generated apps to access the app group container without triggering the persistent prompt?
- Are there alternative approaches to sharing data between the main app and user-generated apps that comply with macOS 15's SIP requirements?
- Is there anything to try that we're missing here to solve this?
Any guidance on how to resolve this issue or workarounds to allow app group access without triggering the prompt would be greatly appreciated.
Thank you for your assistance!