One of the requirements of App Store apps is that they run in a sandbox. What does mean, and how does it affect the app? And why does privacy protection also use a sandbox?
entitlement
Whether they enable an App Store app to go beyond its sandbox, provide access to features that are privacy-protected, or give access to macOS features only permitted for approved apps, entitlements are important.
Although macOS won’t tell, Apparency will, even down to launch constraints. Other alternatives, and how to check in the command line.
Everything you need to know about Containers, Group Containers and Daemon Containers, providing a sandboxed Home folder for apps.
Why is it, what is it, and how can you tell whether an app runs in it? What can you do to remove an app’s entitlements?
There’s a lot standing between your app and what it can edit and save: POSIX permissions, ACLs, SIP, TCC, and maybe the sandbox too.
App signatures are about more than just the certificate. That provides a chain of trust going back to Apple, and supports integrity checks and entitlements.
Final in series. Examines how the hardened runtime controls access to protected private data and services, and how some use private entitlements.
Second in the series. Considers in detail what the hardened environment offers the user, and how notarized apps can opt out of its protection.
First of three articles looking in detail at what notarization involves, and the benefits it might have to users. Considers the question of legacy apps.
The Eclectic Light Company 