{"id":45202,"date":"2024-10-02T14:59:37","date_gmt":"2024-10-02T18:59:37","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=45202"},"modified":"2025-10-21T15:23:50","modified_gmt":"2025-10-21T19:23:50","slug":"local-network-privacy-on-sequoia","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/10\/02\/local-network-privacy-on-sequoia\/","title":{"rendered":"Local Network Privacy on Sequoia"},"content":{"rendered":"<p><a href=\"https:\/\/hachyderm.io\/@command_tab\/113228686173654191\">Collin Allen<\/a>:<\/p>\n<blockquote cite=\"https:\/\/hachyderm.io\/@command_tab\/113228686173654191\"><p>Running into a Sequoia bug where third party binaries running under a launchd agent are denied local network access despite approving the privacy prompt. This has the effect of making my iOS app&rsquo;s CI unable to deploy successful builds, as my deployment tool is not one that ships with macOS.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/developer.apple.com\/forums\/thread\/760964\">Quinn<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/forums\/thread\/760964\"><ul><li><p>If you run a tool from Terminal, then Terminal is considered the responsible code and, as a system app, it&rsquo;s not subject to local network privacy.<\/p><\/li><li><p>If you run an executable as a <code>launchd<\/code> daemon, it runs as <code>root<\/code> and local network privacy does not apply to code running as root.<\/p><\/li><\/ul><p>However, if you configure the executable to run as a <code>launchd<\/code> agent, you will see local network privacy prompts.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/developer.apple.com\/forums\/thread\/760964\">dverevkin<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/forums\/thread\/760964\"><p>Here my experiments also show different results - if the bundled application is launched as a launchd daemon, the prompt will appear, even though the app runs with root privileges[&#8230;]<\/p><\/blockquote>\n\n<p>And, 
apparently, even approving the prompt doesn&rsquo;t work.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/09\/18\/macos-firewall-regressions-in-sequoia\/\">macOS Firewall Regressions in Sequoia<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/09\/16\/macos-15-sequoia\/\">macOS 15 Sequoia<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/10\/16\/local-network-privacy-faq\/\">Local Network Privacy FAQ<\/a><\/li>\n<\/ul>\n\n<p id=\"local-network-privacy-on-sequoia-update-2024-10-31\">Update (2024-10-31): <a href=\"https:\/\/support.apple.com\/en-us\/121011\">Apple<\/a>:<\/p>\n<blockquote cite=\"https:\/\/support.apple.com\/en-us\/121011\">\n<p>A third-party app or launch agent that wants to interact with devices on a user&rsquo;s local network must ask for permission the first time that it tries to browse the local network. This does not apply to launch daemons running as root. Similar to iOS and iPadOS, the user can go to System Settings &gt; Privacy &gt; Local Network to allow or deny this access giving users control over their privacy.<\/p>\n<\/blockquote>\n<p>This has been confusing for me because some users have been reporting that macOS is prompting for access:<\/p>\n<blockquote>Allow &lt;App&gt; to find devices on local networks?<\/blockquote>\n<p>even though my apps are not intentionally trying to find other devices. I don&rsquo;t want to scare potential customers away, especially for access that the app doesn&rsquo;t actually need!<\/p>\n<p>I don&rsquo;t know whether the prompt is incorrect or there&rsquo;s some API they&rsquo;re using that&rsquo;s doing something I didn&rsquo;t realize. All I can think of is that SpamSieve opens a port for communication with Apple Mail&mdash;but this uses loopback so it doesn&rsquo;t pertain to other devices. 
And EagleFiler supports Growl, which I think does something similar.<\/p>\n<p>It&rsquo;s hard to investigate this because I don&rsquo;t see a way to detect what&rsquo;s triggering the alert. Nothing of interest seems to be logged, and sampling the app while the alert is up doesn&rsquo;t show it blocked on any calls.<\/p>\n<p><a href=\"https:\/\/forums.developer.apple.com\/forums\/thread\/762917\">benson3816<\/a>:<\/p>\n<blockquote cite=\"https:\/\/forums.developer.apple.com\/forums\/thread\/762917\"><p>I would like to analyze when it pops up and how it impacts my app user scenario. But this dialog only pops up when the Local Network privacy list does not contain this app; once the user has pressed allow \/ don&rsquo;t allow, it won&rsquo;t pop up again.<\/p><\/blockquote>\n<p>Local Network Privacy <a href=\"https:\/\/forums.developer.apple.com\/forums\/thread\/757949\">does not use TCC<\/a>, so you cannot use <code>tccutil<\/code> to reset it for testing.<\/p>\n<p><a href=\"https:\/\/forums.developer.apple.com\/forums\/thread\/757949\">Quinn<\/a>:<\/p>\n<blockquote cite=\"https:\/\/forums.developer.apple.com\/forums\/thread\/757949\"><p>I generally do this sort of testing in a VM, restoring the VM to a &lsquo;clean&rsquo; snapshot between each test.<\/p><\/blockquote>\n\n<p id=\"local-network-privacy-on-sequoia-update-2024-11-01\">Update (2024-11-01): Just after I wrote this post, Apple updated <a href=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3179-understanding-local-network-privacy\">TN3179: Understanding local network privacy<\/a>, but it doesn&rsquo;t seem to offer satisfying answers.<\/p>\n\n<p id=\"local-network-privacy-on-sequoia-update-2025-01-22\">Update (2025-01-22): Since I updated to <a href=\"https:\/\/mjtsai.com\/blog\/2024\/12\/12\/macos-15-2\/\">macOS 15.2<\/a>, many apps have been re-prompting me for local network access even though I had previously approved them. 
Also, <em>every<\/em> app now prompts me as soon as I open the <strong>Print<\/strong> panel. Maybe it&rsquo;s looking for printers on the local network, but I don&rsquo;t think it makes sense to present this as <em>the app<\/em> trying to access network devices.<\/p>\n\n<p id=\"local-network-privacy-on-sequoia-update-2025-04-29\">Update (<a href=\"#local-network-privacy-on-sequoia-update-2025-04-29\">2025-04-29<\/a>): <a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/114347747166123343\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/114347747166123343\">\n<p>I got a bunch of new Local Network permission prompts after installing 15.4, as if my previously granted permissions were reset.<\/p>\n<\/blockquote>\n\n<p>I got a bunch of these, too, and on a fresh macOS 15.4 installation I even got a prompt for my own app, which I don&rsquo;t think tries to use the local network at all.<\/p>\n\n<p><a href=\"https:\/\/toot.community\/@betalogue\/114337759557048163\">Pierre Igot<\/a>:<\/p>\n<blockquote cite=\"https:\/\/toot.community\/@betalogue\/114337759557048163\"><p>This is the grief I got from macOS after my SECOND reboot following the 15.4 update. (I &ldquo;only&rdquo; got two of those after the first reboot, for different apps.)<\/p><p>Just how many times am I going to have to go through this, Apple? 
And exactly how is it making things more secure for me?<\/p><p>Why can&rsquo;t I just say once and for all that I fully trust my local network and that any app can &ldquo;discover, connect to, and collect data from&rdquo; it?<\/p><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/03\/31\/macos-15-4\/\">macOS 15.4<\/a><\/li>\n<\/ul>\n\n<p id=\"local-network-privacy-on-sequoia-update-2025-05-15\">Update (<a href=\"#local-network-privacy-on-sequoia-update-2025-05-15\">2025-05-15<\/a>): I was finally able to get a useful Activity Monitor sample of my app when it was showing the local network privacy alert. The triggering API seems to be <code>-[NSProcessInfo hostName]<\/code>. This is surprising because the <a href=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3179-understanding-local-network-privacy\">tech note<\/a> mentions &ldquo;Resolving a local DNS name,&rdquo; but this API is just returning the name the user has set; it&rsquo;s not resolving it to an IP address. But others are seeing the <a href=\"https:\/\/stackoverflow.com\/a\/64242102\/6311\">same thing<\/a>, and removing the call seems to fix the problem. 
Since <code>tccutil<\/code> can&rsquo;t reset this permission, I&rsquo;ve been testing by creating temporary macOS user accounts.<\/p>\n\n<p id=\"local-network-privacy-on-sequoia-update-2025-07-21\">Update (<a href=\"#local-network-privacy-on-sequoia-update-2025-07-21\">2025-07-21<\/a>): <a href=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3179-understanding-local-network-privacy\">TN3179<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3179-understanding-local-network-privacy\"><p>iOS 18 has a bug (FB14321888) that can cause the in-memory and persistent state of local network privacy to get out of sync after changing the user preference multiple times.<\/p><p>macOS fails to display the local network alert when a process with a very short lifespan performs a local network operation (FB16131937). For example, if you create a <code>launchd<\/code> agent that performs a local network operation and immediately exits when that fails, macOS won&rsquo;t display the local network alert. To work around this, update your code to not exit immediately after a local network operation fails.<\/p>\n<\/blockquote>\n\n<p id=\"local-network-privacy-on-sequoia-update-2025-08-12\">Update (<a href=\"#local-network-privacy-on-sequoia-update-2025-08-12\">2025-08-12<\/a>): <a href=\"https:\/\/mastodon.online\/@mwichary\/114993592709220888\">Marcin Wichary<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.online\/@mwichary\/114993592709220888\"><p>It&rsquo;s been over a year with these macOS pop-ups and I still have no idea why an app is asking, what should I say, what is the penalty for choosing Don&rsquo;t Allow, etc. 
What a frustrating experience.<\/p><p>(I&rsquo;m showing Chrome here but I am getting them for so many other apps without seemingly any rhyme or reason.)<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.online\/@mwichary\/115004020235949455\">Marcin Wichary<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.online\/@mwichary\/115004020235949455\">\n<p>Well, this explains&#8230; some things.<\/p>\n<\/blockquote>\n\n<p id=\"local-network-privacy-on-sequoia-update-2025-10-21\">Update (<a href=\"#local-network-privacy-on-sequoia-update-2025-10-21\">2025-10-21<\/a>): <a href=\"https:\/\/mastodon.cloud\/@danwood\/115407591632228869\">Dan Wood<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.cloud\/@danwood\/115407591632228869\"><p>The utility app I&rsquo;m writing prompted me with a dialog asking to allow to find devices on local networks. I&rsquo;m not using any networking APIs at all, so WTF. I found this documentation page but it just obfuscates the issue. Any ideas of why this might be happening, and what build setting I can put into my apps that don&rsquo;t need to access local networks to prevent this idiotic prompt?<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/toot.community\/@justkwin\/115408277733526816\">Quinn<\/a>:<\/p>\n<blockquote cite=\"https:\/\/toot.community\/@justkwin\/115408277733526816\">\n<p>On macOS I most commonly see this when folks use <code>NSHost<\/code>. If that&rsquo;s the case here, there are <a href=\"https:\/\/developer.apple.com\/forums\/thread\/778533\">better options<\/a>, but the best one depends on what you&rsquo;re actually doing with it.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Collin Allen: Running into a Sequoia bug where third party binaries running under a launchd agent are denied local network access despite approving the privacy prompt. This has the effect of making my iOS app&rsquo;s CI unable to deploy successful builds, as my deployment tool is not one that ships with macOS. 
Quinn: If you [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-10-02T18:59:40Z","apple_news_api_id":"df7dd17c-f3da-4954-87e3-938325f70d84","apple_news_api_modified_at":"2025-10-21T19:23:53Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABw==","apple_news_api_share_url":"https:\/\/apple.news\/A333RfPPaSVSH45ODJfcNhA","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,595,456,110,500,30,2598,476,695,355,372,268],"class_list":["post-45202","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-eaglefiler","tag-googlechrome","tag-growl","tag-launchd","tag-mac","tag-macos-15-sequoia","tag-networking","tag-printing","tag-privacy","tag-spamsieve","tag-testing"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/45202","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=45202"}],"version-history":[{"count":9,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/45202\/revisions"}],"predecessor-version":[{"id":49707,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/45202\/r
evisions\/49707"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=45202"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=45202"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=45202"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}