Handling Mojave permissions (camera, mic & accessibility) for two instances of an app on the same machine - macos-mojave

My use case:
I have an automation framework for Mac that launches 2 instances of the same app (same bundle ID) available at different locations to simulate two endpoints for media calls. With the introduction of Mojave permissions, when I grant permission (camera, mic & accessibility) for one instance of the app, the other instance doesn't have the same permissions.
Since the bundle ID is the same, shouldn't granting permission for the app carry over to both instances?
I tried pushing a system profile to provide permissions, but that doesn't seem to work.
I also added an AppleScript to continuously check for the permission pop-up and click OK on it. This works for mic and camera but not for accessibility. Also, when each instance is launched, the permission is asked for again.
Is there a way to provide all access to the application by default without asking for any permission pop-ups?
Or is there any way to tweak something at the OS level to not ask for permissions at all (behave the same as <10.14)? I tried disabling System Integrity Protection, but that doesn't seem to solve this issue.

You need to code-sign all versions/copies of the app using the same identity.
When an app is not code-signed and the system needs to record its identity (as for permissions), it generates an ad hoc code signature. That signature, though, only matches that exact build of the app. Another copy of the app that is different in any code-signature-relevant way is not considered to have the same identity. In fact, it's likely to be considered "malicious" as it appears to have been tampered with.
If you code-sign your app with appropriate designated requirements, that enables the system to understand that two different versions of an app have the same identity and should share permissions. This is key to an app maintaining permissions through an upgrade to a new version, for example.
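As an added illustration of the identity check described in the answer above (example code written for this page, not from the original answer or from Apple): after both copies are signed with the same identity, for instance with `codesign --force --sign "Developer ID Application: Example (TEAMID)" /path/to/App.app` where the identity name is a placeholder, this small command-line tool reads the designated requirement of one copy through the Security framework and checks whether the other copy satisfies it. That is the same question the system asks when it decides whether two copies are "the same" app. The app paths, the tool name and the build command are assumptions.

```objective-c
// Added example, not code from the original thread.
// Build: clang -fobjc-arc -framework Foundation -framework Security same-identity.m -o same-identity
// Run:   ./same-identity /path/A.app /path/B.app
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns the designated requirement of the code at `path`, or NULL if the
// bundle has no usable signature. An ad hoc signature yields a requirement
// bound to that build's cdhash, so a different build will never satisfy it.
static SecRequirementRef CopyDesignatedRequirement(NSString *path) {
    SecStaticCodeRef code = NULL;
    CFURLRef url = (__bridge CFURLRef)[NSURL fileURLWithPath:path];
    if (SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NULL;
    }
    SecRequirementRef req = NULL;
    OSStatus st = SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, &req);
    CFRelease(code);
    return st == errSecSuccess ? req : NULL;
}

// Does the code at `path` carry a valid signature that satisfies `req`?
static BOOL CodeSatisfies(NSString *path, SecRequirementRef req) {
    SecStaticCodeRef code = NULL;
    CFURLRef url = (__bridge CFURLRef)[NSURL fileURLWithPath:path];
    if (SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) != errSecSuccess) {
        return NO;
    }
    OSStatus st = SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, req);
    CFRelease(code);
    return st == errSecSuccess;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 3) {
            fprintf(stderr, "usage: %s /path/A.app /path/B.app\n", argv[0]);
            return 2;
        }
        NSString *a = @(argv[1]);
        NSString *b = @(argv[2]);

        SecRequirementRef req = CopyDesignatedRequirement(a);
        if (req == NULL) {
            fprintf(stderr, "%s: no valid designated requirement (unsigned or broken signature)\n", argv[1]);
            return 1;
        }
        // Print the requirement in the same text form `codesign -d -r -` shows.
        CFStringRef text = NULL;
        if (SecRequirementCopyString(req, kSecCSDefaultFlags, &text) == errSecSuccess) {
            NSLog(@"designated requirement of A: %@", (__bridge NSString *)text);
            CFRelease(text);
        }

        BOOL same = CodeSatisfies(b, req);
        CFRelease(req);
        NSLog(@"%@", same
              ? @"B satisfies A's designated requirement: same identity, permissions are shared"
              : @"B does NOT satisfy A's designated requirement: treated as a different app");
        return same ? 0 : 1;
    }
}
```

Run it against the two copies before and after signing: two unsigned (ad hoc signed) builds report different identities, while two copies signed with the same Developer ID certificate satisfy each other's requirement, which is the condition the TCC permission database keys on.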

Related

How to Handle iOS Settings if App Uses the Network?

I have an app in which the user can initiate a short, asynchronous download to access data on the internet, and then the app displays that data. The app is not yet released, but I have tested it on both the simulator and several physical devices. On none of them, however, can I locate the app inside the Settings menu where I could, for instance, restrict its network access to WiFi only, etc.
I assumed that if my app accesses the internet, it would automatically appear in the Settings menu, but apparently it is not so. Am I doing something wrong? What is the process to allow the user to access such basic settings?
I use Xcode 10.3 and program in Objective-C.
If the problem is that there's no Settings entry for your app, please keep in mind that sometimes, in order for an app to be registered, you may need to close your app and the Settings app and try opening it again.
If the problem is that you don't see the standard settings for location services, cellular data etc., then you may find maddy's answer to "Why is my iOS app forcing a Settings Bundle" helpful.
Copying the relevant part from that answer:
The iOS 8+ settings page appears […] if the app does any of the following:
Attempts to access data via a cellular network
Various privacy data
  Camera
  Microphone
  Photo library
  Contacts
  Location
Notifications
Background data fetch
A settings page may not appear for an app if none of these conditions have yet been met.

PubNub keychain on osx in objective-c

How do I set up the PubNub Cocoa Objective-C client API to NOT store anything in the Keychain? Is it possible to store the keys in the Application Support folder instead? When I am using Xcode, the Keychain message box appears three times even when I press the 'Always Allow' button. It stops for a while, but then after a few minutes it asks me again in the same way.
I've checked on my side and it really requested the password for each read from the Keychain. I tried to find a solution, and after a system reboot tried again: it requested the password one or three times and then just kept working. As of now, there is no option to configure the client without Keychain usage.
Earlier, the Keychain worked well after a single password input. It looks like one of the system updates broke how the system interacts with developed applications.
Maybe it is somehow related to security, and checking "Automatically manage signing" and specifying proper profiles will help you (I'm unable to check this, since the Keychain gives me access without asking for a password now that I marked "Always").
The Keychain is used to store a few fields: publish sequence number, UUID, and push token. They were added to the Keychain to survive application re-install.
We will review macOS Keychain usage and, if it is allowed, we will add the ability to use file-based data storage (maybe by default for macOS).

How to program a sandboxed application in Yosemite

I was trying to program a simple TODO app for Yosemite with sandboxing. Apple has its tutorials for this, but they are not very elaborate. I wanted to know sandbox APIs like sandbox_init() and APIs for console logs (I heard sandboxed apps use some special APIs). Could someone please point me to some open source app with sandboxing on Yosemite, so that I could see the APIs that it is using?
You don't need to use sandbox_init() etc. in order to create a sandboxed app.
Roughly, you need to understand:
Use the APIs to find well-known directories and don't assume that /Users/username/Documents is the Documents folder, for example.
The app has no access to user files and must gain access via NSOpenPanel.
If the app wants to retain access it has already gained, then it needs to create and store bookmark URLs, which can be reloaded during a later invocation.
If the sandboxed app spawns a child process, then that child process needs its own set of entitlements.
Once you understand that, it's normally just a case of setting Use Sandbox in the app capabilities and you're off.
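The three points above (well-known directories through the API, access via NSOpenPanel, and persisted bookmark URLs) as one worked example, added here and not taken from the answer or from any Apple sample. It assumes the target has the com.apple.security.app-sandbox, com.apple.security.files.user-selected.read-write and com.apple.security.files.bookmarks.app-scope entitlements, and the NSUserDefaults key name is a placeholder.

```objective-c
// Added example, not code from the original thread.
#import <Cocoa/Cocoa.h>

static NSString * const kBookmarkKey = @"com.example.todo.bookmark"; // placeholder key name

// Locate the user's Documents folder through the API rather than a literal path.
// In a sandboxed app this resolves inside the app's container, not ~/Documents.
static NSURL *DocumentsDirectory(void) {
    NSError *err = nil;
    NSURL *url = [[NSFileManager defaultManager] URLForDirectory:NSDocumentDirectory
                                                        inDomain:NSUserDomainMask
                                               appropriateForURL:nil
                                                          create:YES
                                                           error:&err];
    if (!url) NSLog(@"no Documents directory: %@", err);
    return url;
}

// Ask the user for a file (the only way a sandboxed app gains access to it) and
// persist a security-scoped bookmark so the access survives relaunch.
static NSURL *ChooseAndRememberFile(void) {
    NSOpenPanel *panel = [NSOpenPanel openPanel];
    panel.canChooseFiles = YES;
    panel.canChooseDirectories = NO;
    panel.allowsMultipleSelection = NO;
    if ([panel runModal] != NSModalResponseOK) return nil;

    NSURL *url = panel.URL;
    NSError *err = nil;
    NSData *bookmark = [url bookmarkDataWithOptions:NSURLBookmarkCreationWithSecurityScope
                     includingResourceValuesForKeys:nil
                                      relativeToURL:nil     // nil = app-scoped bookmark
                                              error:&err];
    if (!bookmark) { NSLog(@"bookmark creation failed: %@", err); return nil; }
    [[NSUserDefaults standardUserDefaults] setObject:bookmark forKey:kBookmarkKey];
    return url;
}

// Later invocation: resolve the stored bookmark, refresh it if stale, and read
// the file inside a start/stop access pair.
static NSData *ReadRememberedFile(void) {
    NSData *bookmark = [[NSUserDefaults standardUserDefaults] dataForKey:kBookmarkKey];
    if (!bookmark) return nil;

    BOOL stale = NO;
    NSError *err = nil;
    NSURL *url = [NSURL URLByResolvingBookmarkData:bookmark
                                           options:NSURLBookmarkResolutionWithSecurityScope
                                     relativeToURL:nil
                               bookmarkDataIsStale:&stale
                                             error:&err];
    if (!url) { NSLog(@"bookmark resolution failed: %@", err); return nil; }

    if (stale) {
        // The file moved or the bookmark aged out: rebuild it from the resolved URL.
        NSData *fresh = [url bookmarkDataWithOptions:NSURLBookmarkCreationWithSecurityScope
                      includingResourceValuesForKeys:nil
                                       relativeToURL:nil
                                               error:NULL];
        if (fresh) [[NSUserDefaults standardUserDefaults] setObject:fresh forKey:kBookmarkKey];
    }

    if (![url startAccessingSecurityScopedResource]) {
        NSLog(@"sandbox refused access to %@", url);
        return nil;
    }
    NSData *contents = [NSData dataWithContentsOfURL:url options:0 error:&err];
    [url stopAccessingSecurityScopedResource];   // always balance the start call
    if (!contents) NSLog(@"read failed: %@", err);
    return contents;
}
```

Nothing here touches sandbox_init(): the sandbox is applied by the entitlements at launch, and NSLog works unchanged inside it. The only sandbox-specific calls are the bookmark option flags and the start/stop access pair, and a bookmark that fails to resolve means the app must go back through NSOpenPanel.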

autonomousSingleAppModePermittedAppIDs Key in Restrictions payload - iOS 7 MDM

I have recently started working with Apple Configurator to use features meant for Supervised devices.
In the Restrictions payload there's a key called autonomousSingleAppModePermittedAppIDs with the description below
Optional. Supervised only. If present, allows apps identified by the bundle IDs listed in the array to autonomously enter Single App Mode.
Availability: Available only in iOS 7.0 and later.
I tried sending this key in the Restrictions payload with a couple of app identifiers, but could not find any change in the behaviour of the OS. Guided Access allowed all apps to enter Single App mode.
What I understand (and expect) from this is that we can allow a list of apps to enter Guided Access (Single App) mode, and no other app except the allowed ones will be visible on the device. Can you help me understand the things I'm missing or misunderstanding?
I believe the idea of this key is that the application itself can request Guided Access mode (vs. Guided Access mode triggered by a user or an App Lock profile).
I believe the application should use the following API to request Guided Access mode:
void UIAccessibilityRequestGuidedAccessSession(BOOL enable, void(^completionHandler)(BOOL didSucceed));
If it's not on this list, the request will be rejected.
P.S. The device needs to be supervised.
Apple Configurator doesn't have the settings to manage "autonomousSingleAppModePermittedAppIDs".
Instead, I decided to manually edit a profile and include the appropriate XML with the above key (referenced from here).
Upon trying to install the modified profile, Configurator explicitly says "The profile must be installed by a Mobile Device Management server."
The profile installs fine if this key/value pair is removed.
It looks like you MUST use an MDM to install a profile for use with Autonomous Single App Mode.
I was not able to find autonomousSingleAppModePermittedAppIDs in Apple Configurator. It looks like you need to buy Apple Profile Manager (OS X Server in the App Store) for this, which costs about $20.
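The app side of what the answers above describe, as an added example that is not part of the original thread: a small controller that asks the system to enter or leave Single App Mode with UIAccessibilityRequestGuidedAccessSession and reports a rejected request. The request only succeeds on a supervised device whose MDM-installed Restrictions payload lists the app's bundle ID under autonomousSingleAppModePermittedAppIDs; the class name KioskController is a placeholder.

```objective-c
// Added example, not code from the original thread.
#import <UIKit/UIKit.h>

@interface KioskController : NSObject
- (void)enterSingleAppMode;
- (void)leaveSingleAppMode;
@end

@implementation KioskController

- (instancetype)init {
    if ((self = [super init])) {
        // Fires whenever Guided Access starts or stops, including when an
        // administrator ends the session on the device rather than the app.
        [[NSNotificationCenter defaultCenter] addObserver:self
                                                 selector:@selector(guidedAccessChanged:)
                                                     name:UIAccessibilityGuidedAccessStatusDidChangeNotification
                                                   object:nil];
    }
    return self;
}

- (void)dealloc {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

// Common path for both directions. didSucceed is NO when the device is not
// supervised, the profile was not installed by an MDM server, or this bundle
// ID is not in autonomousSingleAppModePermittedAppIDs.
- (void)requestSession:(BOOL)enable {
    UIAccessibilityRequestGuidedAccessSession(enable, ^(BOOL didSucceed) {
        // The completion handler is not documented to run on the main thread,
        // so hop back before touching UI or app state.
        dispatch_async(dispatch_get_main_queue(), ^{
            if (!didSucceed) {
                NSLog(@"Single App Mode request to %@ was rejected: check supervision, "
                      @"MDM-installed Restrictions payload and permitted bundle IDs",
                      enable ? @"enter" : @"leave");
            }
        });
    });
}

- (void)enterSingleAppMode {
    if (UIAccessibilityIsGuidedAccessEnabled()) return;   // already locked in
    [self requestSession:YES];
}

- (void)leaveSingleAppMode {
    if (!UIAccessibilityIsGuidedAccessEnabled()) return;  // nothing to leave
    [self requestSession:NO];
}

- (void)guidedAccessChanged:(NSNotification *)note {
    // The notification, not the completion handler, is the reliable signal that
    // the device is actually in or out of Single App Mode.
    NSLog(@"Guided Access is now %@", UIAccessibilityIsGuidedAccessEnabled() ? @"on" : @"off");
}

@end
```

Unlike user-started Guided Access, a session entered this way can also be ended by the app itself with the same call and enable set to NO, which is why the profile key is a whitelist: any app on the list can lock and unlock the device without the passcode.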

Where to store Mac OS application-specific data (accessible only by the application and not the user)?

I am working on a Mac application. Is there a provision to store data generated by the app (be it an image or any other document) at a location accessible only by the application? I read through the sandbox feature, but the container created is still accessible by the user directly. Since I am from an iOS background, I am wondering if the feature to store application data on iOS devices, not accessible by the user directly, is available in Mac applications too. Please advise.
Is there a provision to store data generated by the app (be it an image or any other document) at a location accessible only by the application?
No. An administrative user can access any file on the machine. I can think of three options:
Rethink the requirement. The user should be in charge of the application, not the other way around. An application that needs to hide user data from the user sounds suspicious.
Store the data on a server that the user can only access through your application.
Encrypt the data so that the user will have a hard time using it.
By the way, data is only hidden from the user on iOS because the entire file system is hidden. The permission system is about the same as on OS X.