{"id":23428,"date":"2018-11-19T16:16:51","date_gmt":"2018-11-19T21:16:51","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=23428"},"modified":"2019-07-23T16:56:16","modified_gmt":"2019-07-23T20:56:16","slug":"hardened-runtime-and-sandboxing","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/11\/19\/hardened-runtime-and-sandboxing\/","title":{"rendered":"Hardened Runtime and Sandboxing"},"content":{"rendered":"<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/hardened-runtime-sandboxing.html\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/hardened-runtime-sandboxing.html\">\n<p>The relationship between the hardened runtime and sandboxing can be confusing to Mac developers, both because the hardened runtime is new and because it&rsquo;s not well documented by Apple. I&rsquo;ll attempt to explain the relationship here. App sandboxing was introduced in Mac OS X 10.7 Lion and eventually became a requirement for all Mac App Store apps, though developers can also choose to sandbox apps distributed outside the Mac App Store. The hardened runtime was introduced in macOS 10.14 Mojave and is currently optional for all apps, though it is required in order to notarize your app. Apple has announced that at some point in the future, all apps distributed outside the Mac App Store will need to be notarized, which means they will need to be \"hardened\" too. I suspect that Apple will eventually require Mac App Store apps to be hardened as well. This may be surprising to developers, who associate sandboxing with the App Store and the hardened runtime with Developer ID, but the two technologies are independent of the distribution method and independent of each other, which means that a single app can be sandboxed and hardened.<\/p>\n<p>[&#8230;]<\/p>\n<p>Some protections of the hardened runtime such as debugging and Address Book are indeed enforced by SIP. 
However, it turns out that the Apple Events protection is not enforced by SIP but rather applies to hardened apps regardless of whether SIP is enabled.<\/p>\n<\/blockquote>\n\n<p>Previously: <a href=\"https:\/\/mjtsai.com\/blog\/2018\/08\/31\/aedeterminepermissiontoautomatetarget-added-but-aepocalyse-still-looms\/\">AEDeterminePermissionToAutomateTarget Added, But AEpocalyse Still Looms<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Jeff Johnson: The relationship between the hardened runtime and sandboxing can be confusing to Mac developers, both because the hardened runtime is new and because it&rsquo;s not well documented by Apple. I&rsquo;ll attempt to explain the relationship here. App sandboxing was introduced in Mac OS X 10.7 Lion and eventually became a requirement for all [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-11-19T21:16:54Z","apple_news_api_id":"ed9f3e47-5ae4-4a17-875b-2a262361b2c4","apple_news_api_modified_at":"2019-07-23T20:56:19Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/A7Z8-R1rkSheHWyomI2GyxA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[159,466,465,30,1609,1842,71,53,1235],"class_list":["post-23428","post","type-post","status-publish","format-standard","hentry","tag-applescript","tag-codesigning","tag-gatekeeper","tag-mac","tag-macos-10-14","tag-notarization","tag-programming","tag-sandboxing","tag-syst
em-integrity-protection"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/23428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=23428"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/23428\/revisions"}],"predecessor-version":[{"id":23429,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/23428\/revisions\/23429"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=23428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=23428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=23428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}