Monday, April 27, 2020

BlockBlock 1.0

BlockBlock 1.0 is a complete rewrite that uses the Endpoint Security framework (tweet).


So even when you use EndPoint Security, you still have to go through Apple's Full Disk Access unfriendly UX…

Considering there've been "workarounds" in the past for Gatekeeper and FDA, I'm wondering if, at some point, installing and running malware might not become more user friendly than installing and running an honest application (such as BlockBlock) on macOS.

10.14 is the end of the road for me and everyone I know (not exaggerating). Hopefully developers don't fall for Apple's typical pressure to adopt all the new APIs for a while longer. There's nowhere else to go once they abandon users who have gotten off the downgrade carousel.

Sören Nils Kuklau

> So even when you use EndPoint Security, you still have to go through Apple’s Full Disk Access unfriendly UX…

Well, UX is hard.

Would it really have been better if Endpoint Security is exempt from it? How do you model that, UX-wise? Does an app with Endpoint Security silently appear with the checkbox ticked in Full Disk Access? That wouldn’t be great. Does it not appear at all in that list? That would be worse. Does it appear, with the checkbox ticked, and an “Endpoint Security apps always have Full Disk Access” description underneath? That’s better, I guess.

But… do all Endpoint Security apps even need Full Disk Access? And if not, isn’t it actually good that exactly such a far-reaching app is heavily sandboxed? The OS providing various warnings before an app can implant itself deeply into the system? Hell yes.

I do wish Apple provided a more unified UI for this, though. Not three “this app wants” dialogs, but one combined “this is the three things the app wants” dialog. I’m not sure if they copped out of that because the API is harder (can’t really show those dialogs on-demand any more in such a scenario), or in the name of simplicity™ which backfired.

> But… do all Endpoint Security apps even need Full Disk Access?

If you have in mind a type of an app using Endpoint Security that would not require it, I'm curious to know which one as I can't think of one right now myself.

If you need to report to the user that a file cannot be accessed or an application cannot be launched, you need to be able to read the file or application metadata at least. AFAIK, you cannot do that correctly for files/apps located in folders "protected" by FDA.

> I do wish Apple provided a more unified UI for this, though…

If it was possible to grant access to the applications during the installation process, this would simplify the life of everyone:
- the developers' as they could list all the components that need FDA and provide the reason why. This could be displayed in Installer.app.
- the users' as they could know before installing the software that and why some components require FDA. If they are not happy with that, then they can just not install the software.

Of course, this would require using an installer/installation package. But today's solution is worse.

@someone Today’s solution doesn't even have an API to ask for permission or check whether it’s been granted!

Sören Nils Kuklau

> If you have in mind a type of an app using Endpoint Security that would not require it, I’m curious to know which one as I can’t think of one right now myself.

My understanding is Endpoint Security isn’t just about files, but processes, network access, etc.

> If it was possible to grant access to the applications during the installation process, this would simplify the life of everyone:

But I don’t think this would require an installer. Just extend Info.plist such that an application can request permissions immediately on launch, rather than on-demand when it needs them. Then, macOS can show that in a combined dialog.

> - the developers’ as they could list all the components that need FDA and provide the reason why. This could be displayed in Installer.app.
> - the users’ as they could know before installing the software that and why some components require FDA. If they are not happy with that, then they can just not install the software.

Exactly. It could be more transparent and less obnoxious.

Especially on iOS, though, I think they want to avoid having huge, complicated dialog boxes.
