macos-entitlements-generator
Generate entitlements.plist with appropriate sandbox capabilities for macOS applications. This skill configures the App Sandbox, hardened runtime, and specific entitlements required for app functionality.
Capabilities
- Generate entitlements.plist configuration
- Configure App Sandbox entitlements
- Set up hardened runtime entitlements
- Configure file access permissions
- Enable network access
- Configure hardware access (camera, microphone)
- Set up inter-app communication
- Generate both development and distribution entitlements
Input Schema
{
"type": "object",
"properties": {
"projectPath": {
"type": "string",
"description": "Path to the Xcode project"
},
"appFeatures": {
"type": "array",
"items": {
"enum": [
"network-client", "network-server",
"file-read", "file-write",
"downloads-read", "downloads-write",
"pictures-read", "pictures-write",
"music-read", "music-write",
"movies-read", "movies-write",
"user-selected-files",
"camera", "microphone",
"usb", "bluetooth",
"print", "calendar", "contacts",
"location", "apple-events",
"jit", "unsigned-memory"
]
}
},
"appGroups": {
"type": "array",
"items": { "type": "string" },
"description": "App group identifiers"
},
"keychainGroups": {
"type": "array",
"items": { "type": "string" },
"description": "Keychain access groups"
},
"disableSandbox": {
"type": "boolean",
"default": false,
"description": "Disable sandbox (not recommended)"
},
"isMASApp": {
"type": "boolean",
"default": false,
"description": "Target Mac App Store"
}
},
"required": ["projectPath", "appFeatures"]
}
Output Schema
{
"type": "object",
"properties": {
"success": { "type": "boolean" },
"files": {
"type": "array",
"items": {
"type": "object",
"properties": {
"path": { "type": "string" },
"type": { "enum": ["entitlements", "info-plist-additions"] }
}
}
},
"warnings": {
"type": "array",
"items": { "type": "string" }
}
},
"required": ["success"]
}
Entitlements.plist Examples
Basic App with Network Access
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- App Sandbox -->
<key>com.apple.security.app-sandbox</key>
<true/>
<!-- Network access -->
<key>com.apple.security.network.client</key>
<true/>
<!-- User-selected files (via Open/Save panels) -->
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
</dict>
</plist>
Media App with Camera/Microphone
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<!-- Camera access -->
<key>com.apple.security.device.camera</key>
<true/>
<!-- Microphone access -->
<key>com.apple.security.device.microphone</key>
<true/>
<!-- Network for streaming -->
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<!-- Save recordings -->
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.files.movies.read-write</key>
<true/>
</dict>
</plist>
Developer Tool with JIT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<!-- JIT compilation (NOT allowed in Mac App Store) -->
<key>com.apple.security.cs.allow-jit</key>
<true/>
<!-- Disable library validation for plugins -->
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<!-- File access -->
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
</dict>
</plist>
App with Hardened Runtime (Direct Distribution)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- Hardened runtime (required for notarization) -->
<key>com.apple.security.cs.allow-jit</key>
<false/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<false/>
<key>com.apple.security.cs.disable-library-validation</key>
<false/>
<!-- App-specific needs -->
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>
App Groups and Keychain
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<!-- App Groups for sharing data with extensions -->
<key>com.apple.security.application-groups</key>
<array>
<string>$(TeamIdentifierPrefix)com.mycompany.myapp</string>
</array>
<!-- Keychain access groups -->
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.mycompany.myapp</string>
</array>
<key>com.apple.security.network.client</key>
<true/>
</dict>
</plist>
Common Entitlement Keys
File System
| Key | Description |
|-----|-------------|
| files.user-selected.read-only | Read user-selected files |
| files.user-selected.read-write | Read/write user-selected files |
| files.downloads.read-only | Read Downloads folder |
| files.downloads.read-write | Read/write Downloads folder |
| files.pictures.read-only | Read Pictures folder |
| files.music.read-only | Read Music folder |
| files.movies.read-only | Read Movies folder |
Network
| Key | Description |
|-----|-------------|
| network.client | Outgoing connections |
| network.server | Incoming connections |
Hardware
| Key | Description |
|-----|-------------|
| device.camera | Camera access |
| device.microphone | Microphone access |
| device.usb | USB device access |
| device.bluetooth | Bluetooth access |
| print | Printing |
Hardened Runtime
| Key | Description |
|-----|-------------|
| cs.allow-jit | Allow JIT compilation |
| cs.allow-unsigned-executable-memory | Allow unsigned executable memory |
| cs.disable-library-validation | Load arbitrary plugins |
| cs.disable-executable-page-protection | Disable W^X |
Privacy Keys (Info.plist)
When using certain entitlements, add corresponding privacy descriptions:
<!-- Info.plist additions -->
<key>NSCameraUsageDescription</key>
<string>This app needs camera access for video calls.</string>
<key>NSMicrophoneUsageDescription</key>
<string>This app needs microphone access for audio recording.</string>
<key>NSAppleEventsUsageDescription</key>
<string>This app needs to control other applications for automation.</string>
<key>NSLocationUsageDescription</key>
<string>This app needs your location for local weather.</string>
Best Practices
- Request minimum permissions: Only what the app needs
- Use user-selected files: Prefer over broad folder access
- Document entitlement usage: Explain to Apple reviewers
- Test in sandbox: Always test sandboxed behavior
- Separate dev/prod entitlements: Different needs for each
- Check MAS restrictions: Some entitlements are prohibited
Related Skills
macos-notarization-workflow- Code signing and notarizationmacos-codesign-workflow- Code signingsecurity-hardeningprocess - Security audit
Related Agents
swiftui-macos-expert- macOS developmentdesktop-security-auditor- Security review