Any way to bypass Apple Events sandboxing during development in Xcode?

zevrix · May 3, 2020, 12:53am

I suspect that it’s impossible - but maybe I’m missing something…

I wonder if it’s possible to bypass Apple Events sandboxing authorization dialogs during the development stage in Xcode?

Right now, every time I build and run my apps in Xcode, I have to approve two (sometimes three) AE authorization dialogs on the app’s launch.

It happens countless times a day - as every new build triggers those dreaded dialogs again.

I can’t be the only one who deals with it, right?

So I wonder if there’s a hack or trick or whatever to bypass those dialogs during development.

Thanks,
Leo

Shane_Stanley · May 3, 2020, 1:40am

If there is a way around it, I’d love to know what it is.

Shane_Stanley · May 3, 2020, 12:14pm

I may be wrong, but I think tha’s useful only when using a device management system.

zevrix · May 3, 2020, 7:17pm

Fredrik, thanks for interesting info.

I think Shane is right though - as the GitHub info starts with the following:

Privacy Preferences Policy Control Payload profiles can only be installed on a device that is either:

Enrolled in an MDM using DEP
Enrolled in an MDM using User Approved MDM enrolment

zevrix · May 4, 2020, 7:09am

Thanks Fredrik, more interesting info to go through (including your initial post with the TCC.framework details).

Admittedly, I’m not sure yet how to apply this to my apps - if possible at all. Maybe I’ll take another look at Adam Chester’s PlugIns folder solution later again to understand better how it works.

If not this, then hopefully some other hack or loophole can be found eventually.

I believe that the situation with Apple Events sandboxing is totally unacceptable. There should be a simple option in Xcode to bypass the dialogs with automatic approval during the development cycle. I did submit a request via Apple’s Feedback Assistant - but am sure not holding my breath that it ever happens.

zevrix · May 5, 2020, 2:59am

Yeah I sure believe that Python is quite powerful. I don’t have any experience with it though. So I wouldn’t even know where to start - let alone if it can be done at all.

Thanks for your efforts though! I’ll try digging around and post updates if I find anything.

Best,
Leo

Shane_Stanley · May 5, 2020, 4:20am

No doubt. But what is being asked for here is, essentially, a way to bypass Apple’s security. If that can be done, whatever the language used, chances are the exploit will be quickly blocked.

zevrix · May 5, 2020, 11:50pm

Ok looks like I did it! Ha.

In a fully legitimate way.

I went back to Fredrik’s first suggestion which Shane correctly attributed to device management systems only.

I never knew what MDM is. I first thought it must be some kind of enterprise-grade systems that cost thousands of dollars.

But after looking it up I found that you can get basic plans for free (or as low as $2/month).

So in short: I signed up for a free trial with ManageEngine (whose plan is also free for up to 25 devices):

https://www.manageengine.com/mobile-device-management/

All I know is that after setting everything up - it does what I need. There are no Apple Events sandboxing dialogs anymore after “build and run” Xcode cycles - every new build launches uninterrupted like in good old times!

Well, it took much longer than writing this - namely, several hours. Plus I thought my brain will melt before I could piece everything together.

But what the hell - it seems to work now.

Thanks Fredrik’s! In the end your advice was extremely useful - as well as Shane’s contribution.

If anyone is interested in details and has any questions - just let me know.

Cheers,
Leo

technomorph · May 10, 2020, 4:48am

Can you not just disable sandboxing?

Or just disable SIP .

https://www.macworld.co.uk/how-to/mac/how-turn-off-mac-os-x-system-integrity-protection-rootless-3638975/

zevrix · May 10, 2020, 4:55am

Apple Events sandboxing cannot be disabled - and SIP is not related to this particular issue.

But regardless - I received a reply from Apple yesterday and it turns out there’s an easier way to deal with it.

I’ll post an update shortly.

zevrix · May 10, 2020, 6:36am

Here’s an update with much easier solution.

Maybe Shane will find this info useful too…

I received a reply to my feedback from Apple (shockingly fast - after a few days).

Their point was that I just need to sign my apps in Xcode (and specifically not with adhoc signing, whatever it is).

I indeed don’t sign my apps in Xcode at all. I sign them with a custom script once an update is ready for release.

So I activated “Automatically manage signing” in Xcode - and lo and behold the Apple Event dialogs on new build launches went away.

Now, the signature produced by Xcode most likely doesn’t satisfy the notarization and other distribution needs (which is why I didn’t use it in the first place). The Xcode signing will really only be used to get rid of the aforementioned authorization dialogs.

For the notarization I’ll keep using my custom scripts before the release.

Thanks again to everyone who chimed in.

Best,
Leo

Shane_Stanley · May 10, 2020, 8:06am

Thanks, Leo. Unfortunately that doesn’t always work for me because I’m working on apps that get released with another team’s identity.