Jul 10, 2017

Normally, a router allows any device to connect — as long as it knows the appropriate passphrase. With MAC address filtering a router will first compare a device’s MAC address against an approved list of MAC addresses and only allow a device onto the Wi-Fi network if its MAC address has been specifically approved.

Medicare Administrative Contractor (MAC) COVID-19 Test Pricing May 19, 2020. On March 5 and February 13, CMS announced new Healthcare Common Procedure Coding System (HCPCS) codes for healthcare providers and laboratories to test patients for SARS-CoV-2. Starting in April, laboratories performing the test can bill Medicare and other health.

To send the message, it also requires Computer 2's MAC address. First, Computer 1 uses a cached ARP table to look up 192.168.0.55 for any existing records of Computer 2's MAC address (00:eb:24:b2:05:ac). If the MAC address is found, it sends an Ethernet frame with destination address 00:eb:24:b2:05:ac, containing the IP packet onto the link.

Jun 10, 2020

TCP/IP networks based on IPv6 also implement a different approach to communicating MAC addresses compared to mainstream IPv4. Instead of 64-bit hardware addresses, IPv6 automatically translates a 48-bit MAC address to a 64-bit address by inserting a fixed (hardcoded) 16-bit value FFFE between the vendor prefix and the device identifier.
DATE
Combines separate values for year, month, and day and returns a date/time value.
DATEDIF
Returns the number of days, months, or years between two dates.
DATEVALUE
Converts a date text string and returns a date/time value. This function is provided for compatibility with other spreadsheet programs.
DAY
Returns the day of the month for a given date/time value.
DAYNAME
Returns the name of the day of the week from a date/time value or a number. Day 1 is Sunday.
DAYS360
Returns the number of days between two dates based on twelve 30‑day months and a 360‑day year.
EDATE
Returns a date that is some number of months before or after a given date.
EOMONTH
Returns a date that is the last day of the month some number of months before or after a given date.
HOUR
Returns the hour for a given date/time value.
MINUTE
Returns the minutes for a given date/time value.
MONTH
Returns the month for a given date/time value.
MONTHNAME
Returns the name of the month from a number. Month 1 is January.
NETWORKDAYS
Returns the number of working days between two dates. Working days exclude weekends and any other specified dates.
NOW
Returns the current date/time value from the system clock.
SECOND
Returns the seconds for a given date/time value.
TIME
Converts separate values for hours, minutes, and seconds into a date/time value.
TIMEVALUE
Returns the time as a decimal fraction of a 24‑hour day from a given date/time value or from a text string.
TODAY
Returns the current system date. The time is set to 12:00 a.m.
WEEKDAY
Returns a number that is the day of the week for a given date.
WEEKNUM
Returns the number of the week within the year for a given date.
WORKDAY
Returns the date that is the given number of working days before or after a given date. Working days exclude weekends and any other dates specifically excluded.
YEAR
Returns the year for a given date/time value.
YEARFRAC
Finds the fraction of a year represented by the number of whole days between two dates.
DUR2DAYS
Converts a duration value to a number of days.
DUR2HOURS
Converts a duration value to a number of hours.
DUR2MILLISECONDS
Converts a duration value to a number of milliseconds.
DUR2MINUTES
Converts a duration value to a number of minutes.
DUR2SECONDS
Converts a duration value to a number of seconds.
DUR2WEEKS
Converts a duration value to a number of weeks.
DURATION
Combines separate values for weeks, days, hours, minutes, seconds, and milliseconds and returns a duration value.
STRIPDURATION
Evaluates a given value and returns either the number of days represented, if a duration value; or the given value. This function is included for compatibility with other spreadsheet applications.
BASETONUM
Converts a number of the specified base into a number in base 10.
BESSELJ
Returns the integer Bessel function Jn(x).
BESSELY
Returns the integer Bessel function Yn(x).
BIN2DEC
Converts a binary number to the corresponding decimal number.
BIN2HEX
Converts a binary number to the corresponding hexadecimal number.
BIN2OCT
Converts a binary number to the corresponding octal number.
CONVERT
Converts a number from one measurement system to its corresponding value in another measurement system.
DEC2BIN
Converts a decimal number to the corresponding binary number.
DEC2HEX
Converts a decimal number to the corresponding hexadecimal number.
DEC2OCT
Converts a decimal number to the corresponding octal number.
DELTA
Determines whether two values are exactly equal.
ERF
Returns the error function integrated between two values.
ERFC
Returns the complementary ERF function integrated between a given lower bound and infinity.
GESTEP
Determines if one value is greater than or exactly equal to another value.
HEX2BIN
Converts a hexadecimal number to the corresponding binary number.
HEX2DEC
Converts a hexadecimal number to the corresponding decimal number.
HEX2OCT
Converts a hexadecimal number to the corresponding octal number.
NUMTOBASE
Converts a number from base 10 into a number in the specified base.
OCT2BIN
Converts an octal number to the corresponding binary number.
OCT2DEC
Converts an octal number to the corresponding decimal number.
OCT2HEX
Converts an octal number to the corresponding hexadecimal number.
ACCRINT
Calculates the accrued interest added to the purchase price of a security and paid to the seller when the security pays periodic interest.
ACCRINTM
Calculates the total accrued interest added to the purchase price of a security and paid to the seller when the security pays interest only at maturity.
BONDDURATION
Calculates the weighted average of the present value of the cash flows for an assumed par value of $100.
BONDMDURATION
Calculates the modified weighted average of the present value of the cash flows for an assumed par value of $100.
COUPDAYBS
Returns the number of days between the beginning of the coupon period in which settlement occurs and the settlement date.
COUPDAYS
Returns the number of days in the coupon period in which settlement occurs.
COUPDAYSNC
Returns the number of days between the settlement date and the end of the coupon period in which settlement occurs.
COUPNUM
Returns the number of coupons remaining to be paid between the settlement date and the maturity date.
CUMIPMT
Returns the total interest included in loan or annuity payments over a chosen time interval based on fixed periodic payments and a fixed interest rate.
CUMPRINC
Returns the total principal included in loan or annuity payments over a chosen time interval based on fixed periodic payments and a fixed interest rate.
DB
Returns the amount of depreciation of an asset for a specified period using the fixed‑declining balance method.
DDB
Returns the amount of depreciation of an asset based on a specified depreciation rate.
DISC
Returns the annual discount rate of a security that pays no interest and is sold at a discount to its redemption value.
EFFECT
Returns the effective annual interest rate from the nominal annual interest rate based on the number of compounding periods per year.
FV
Returns the future value of an investment based on a series of regular periodic cash flows (payments of a constant amount and all cash flows at constant intervals) and a fixed interest rate.
INTRATE
Returns the effective annual interest rate for a security that pays interest only at maturity.
IPMT
Returns the interest portion of a specified loan or annuity payment based on fixed, periodic payments and a fixed interest rate.
IRR
Returns the internal rate of return for an investment that is based on a series of potentially irregular cash flows that occur at regular time intervals.
ISPMT
Returns the interest portion of a specified loan or annuity payment based on fixed, periodic payments and a fixed interest rate. This function is provided for compatibility with tables imported from other spreadsheet applications.
MIRR
Returns the modified internal rate of return for an investment that is based on a series of potentially irregular cash flows that occur at regular time intervals. The rate earned on positive cash flows and the rate paid to finance negative cash flows can differ.
NOMINAL
Returns the nominal annual interest rate from the effective annual interest rate based on the number of compounding periods per year.
NPER
Returns the number of payment periods for a loan or annuity based on a series of regular periodic cash flows (payments of a constant amount and all cash flows at constant intervals) and a fixed interest rate.
NPV
Returns the net present value of an investment based on a series of potentially irregular cash flows that occur at regular time intervals.
PMT
Returns the fixed periodic payment for a loan or annuity based on a series of regular periodic cash flows (payments of a constant amount and all cash flows at constant intervals) and a fixed interest rate.
PPMT
Returns the principal portion of a specified loan or annuity payment based on fixed periodic payments and a fixed interest rate.
PRICE
Returns the price of a security that pays periodic interest per $100 of redemption (par) value.
PRICEDISC
Returns the price of a security that is sold at a discount to redemption value and does not pay interest per $100 of redemption (par) value.
PRICEMAT
Returns the price of a security that pays interest only at maturity per $100 of redemption (par) value.
PV
Returns the present value of an investment or annuity based on a series of regular periodic cash flows (payments of a constant amount and all cash flows at constant intervals) and a fixed interest rate.
RATE
Returns the interest rate of an investment, loan, or annuity based on a series of regular periodic cash flows (payments of a constant amount and all cash flows at constant intervals) and a fixed interest rate.
RECEIVED
Returns the maturity value for a security that pays interest only at maturity.
SLN
Returns the amount of depreciation of an asset for a single period using the straight‑line method.
SYD
Returns the amount of depreciation of an asset for a specified period using the sum‑of‑the‑years‑digits method.
VDB
Returns the amount of depreciation of an asset over a chosen time interval, based on a specified depreciation rate.
YIELD
Returns the effective annual interest rate for a security that pays regular periodic interest.
YIELDDISC
Returns the effective annual interest rate for a security that is sold at a discount to redemption value and pays no interest.
YIELDMAT
Returns the effective annual interest rate for a security that pays interest only at maturity.
AND
Returns TRUE if all arguments are true; otherwise it returns FALSE.
FALSE
Returns the Boolean value FALSE. This function is included for compatibility with tables imported from other spreadsheet applications.
IF
Returns one of two values depending on whether a specified expression evaluates to a Boolean value of TRUE or FALSE.
IFERROR
Returns a value that you specify if a given value evaluates to an error; otherwise it returns the given value.
ISBLANK
Returns TRUE if the specified cell is empty; otherwise it returns FALSE.
ISERROR
Returns TRUE if a given expression evaluates to an error; otherwise it returns FALSE.
ISEVEN
Returns TRUE if the value is even (leaves no remainder when divided by 2); otherwise it returns FALSE.
ISODD
Returns TRUE if the value is odd (leaves a remainder when divided by 2); otherwise it returns FALSE.
NOT
Returns the opposite of the Boolean value of a specified expression.
OR
Returns TRUE if any argument is true; otherwise it returns FALSE.
TRUE
Returns the Boolean value TRUE. This function is included for compatibility with tables imported from other spreadsheet applications.
ABS
Returns the absolute value of a number or duration.
CEILING
Rounds a number away from zero to the nearest multiple of the specified factor.
COMBIN
Returns the number of different ways you can combine a number of items into groups of a specific size, ignoring the order within the groups.
EVEN
Rounds a number away from zero to the next even number.
EXP
Returns e (the base of natural logarithms) raised to the specified power.
FACT
Returns the factorial of a number.
FACTDOUBLE
Returns the double factorial of a number.
FLOOR
Rounds a number toward zero to the nearest multiple of the specified factor.
GCD
Returns the greatest common divisor of the specified numbers.
INT
Returns the nearest integer that is less than or equal to the number.
LCM
Returns the least common multiple of the specified numbers.
LN
Returns the natural logarithm of a number, the power to which e must be raised to result in the number.
LOG
Returns the logarithm of a number using a specified base.
LOG10
Returns the base‑10 logarithm of a number.
MOD
Returns the remainder from a division.
MROUND
Rounds a number to the nearest multiple of a specified factor.
MULTINOMIAL
Returns the closed form of the multinomial coefficient of the given numbers.
ODD
Rounds a number away from zero to the next odd number.
PI
Returns the approximate value of π (pi), the ratio of a circle’s circumference to its diameter.
POLYNOMIAL
Evaluates a polynomial at a given point.
POWER
Returns a number raised to a power.
PRODUCT
Returns the product of one or more numbers.
QUOTIENT
Returns the integer quotient of two numbers.
RAND
Returns a random number that is greater than or equal to 0 and less than 1.
RANDBETWEEN
Returns a random integer within the specified range.
ROMAN
Converts a number to Roman numerals.
ROUND
Returns a number rounded to the specified number of places.
ROUNDDOWN
Returns a number rounded toward zero (rounded down) to the specified number of places.
ROUNDUP
Returns a number rounded away from zero (rounded up) to the specified number of places.
SERIESSUM
Computes and returns the sum of a power series.
SIGN
Returns 1 when a given number is positive, –1 when it is negative, and 0 when it is zero.
SQRT
Returns the square root of a number.
SQRTPI
Returns the square root of a number multiplied by π (pi).
SUM
Returns the sum of a collection of numbers.
SUMIF
Returns the sum of a collection of numbers, including only numbers that satisfy a specified condition.
SUMIFS
Returns the sum of the cells in a collection where the test values meet the given conditions.
SUMPRODUCT
Returns the sum of the products of corresponding numbers in one or more ranges.
SUMSQ
Returns the sum of the squares of a collection of numbers.
SUMX2MY2
Returns the sum of the difference of the squares of corresponding values in two collections.
SUMX2PY2
Returns the sum of the squares of corresponding values in two collections.
SUMXMY2
Returns the sum of the squares of the differences between corresponding values in two collections.
TRUNC
Truncates a number to the specified number of digits.
ADDRESS
Constructs a cell address string from separate row, column, and table identifiers.
AREAS
Returns the number of ranges the function references.
CHOOSE
Returns a value from a collection of values based on a specified index value.
COLUMN
Returns the column number of the column containing a specified cell.
COLUMNS
Returns the number of columns included in a specified range of cells.
HLOOKUP
Returns a value from a range of rows by using the top row of values to pick a column and a row number to pick a row within that column.
INDEX
Returns the value in the cell located at the intersection of the specified row and column within a range of cells.
INDIRECT
Returns the contents of a cell or range referenced by an address specified as a string.
INTERSECT.RANGES
Returns a range that is the intersection of the specified ranges.
LOOKUP
Finds a match for a given search value in one range, then returns the value in the cell with the same relative position in a second range.
MATCH
Returns the position of a value within a range.
OFFSET
Returns a range of cells that is the specified number of rows and columns away from the specified base cell.
ROW
Returns the row number of the row containing a specified cell.
ROWS
Returns the number of rows included in a specified range of cells.
TRANSPOSE
Returns a vertical range of cells as a horizontal range of cells, or vice versa.
UNION.RANGES
Returns a range that represents the union of the specified ranges.
VLOOKUP
Returns a value from a range of columns by using the left column of values to pick a row and a column number to pick a column in that row.
AVEDEV
Returns the average of the difference of a collection of numbers from their average (arithmetic mean).
AVERAGE
Returns the average (arithmetic mean) of a collection of numbers.
AVERAGEA
Returns the average (arithmetic mean) of a collection of values, including text and Boolean values.
AVERAGEIF
Returns the average (arithmetic mean) of the cells in a range that meet a given condition.
AVERAGEIFS
Returns the average (arithmetic mean) of the cells in a collection that meet all the given conditions.
BETADIST
Returns the cumulative beta distribution probability value.
BETAINV
Returns the inverse of the given cumulative beta distribution probability value.
BINOMDIST
Returns the individual term binomial distribution probability of the specified form.
CHIDIST
Returns the one‑tailed probability of the chi‑square distribution.
CHIINV
Returns the inverse of the one‑tailed probability of the chi‑square distribution.
CHITEST
Returns the value from the chi‑square distribution for the given data.
CONFIDENCE
Returns a value for creating a statistical confidence interval for a sample from a population with a known standard deviation.
CORREL
Returns the correlation between two collections using linear regression analysis.
COUNT
Returns the number of its arguments that contain numbers, numeric expressions, or dates.
COUNTA
Returns the number of its arguments that are not empty.
COUNTBLANK
Returns the number of cells in a range that are empty.
COUNTIF
Returns the number of cells in a range that satisfy a given condition.
COUNTIFS
Returns the number of cells in one or more ranges that satisfy given conditions (one condition per range).
COVAR
Returns the covariance of two collections.
CRITBINOM
Returns the smallest value for which the cumulative binomial distribution is greater than or equal to a given value.
DEVSQ
Returns the sum of the squares of deviations of a collection of numbers from their average (arithmetic mean).
EXPONDIST
Returns the exponential distribution of the specified form.
FDIST
Returns the F probability distribution.
FINV
Returns the inverse of the F probability distribution.
FORECAST
Returns the forecasted y value for a given x value based on sample values using linear regression analysis.
FREQUENCY
Returns an array of how often data values occur within a range of interval values.
GAMMADIST
Returns the gamma distribution in the specified form.
GAMMAINV
Returns the inverse gamma cumulative distribution.
GAMMALN
Returns the natural logarithm of the gamma function, G(x).
GEOMEAN
Returns the geometric mean.
HARMEAN
Returns the harmonic mean.
INTERCEPT
Returns the y‑intercept of the best‑fit line for the collection using linear regression analysis.
LARGE
Returns the nth‑largest value within a collection. The largest value is ranked number 1.
LINEST
Returns an array of the statistics for a straight line that best fits the given data using the least squares method.
LOGINV
Returns the inverse of the log‑normal cumulative distribution function of x.
LOGNORMDIST
Returns the log‑normal distribution.
MAX
Returns the largest number in a collection.
MAXA
Returns the largest number in a collection of values that may include text and Boolean values.
MEDIAN
Returns the median value in a collection of numbers. The median is the value where half the numbers in the collection are less than the median and half are greater.
MIN
Returns the smallest number in a collection.
MINA
Returns the smallest number in a collection of values that may include text and Boolean values.
MODE
Returns the most frequently occurring value in a collection of numbers.
NEGBINOMDIST
Returns the negative binomial distribution.
NORMDIST
Returns the normal distribution of the specified function form.
NORMINV
Returns the inverse of the cumulative normal distribution.
NORMSDIST
Returns the standard normal distribution.
NORMSINV
Returns the inverse of the cumulative standard normal distribution.
PERCENTILE
Returns the value within a collection that corresponds to a particular percentile.
PERCENTRANK
Returns the rank of a value in a collection as a percentage of the collection.
PERMUT
Returns the number of permutations for a given number of objects that can be selected from a total number of objects.
POISSON
Returns the probability that a specific number of events will occur using the Poisson distribution.
PROB
Returns the probability of a range of values if you know the probabilities of the individual values.
QUARTILE
Returns the value for the specified quartile of a given collection.
RANK
Returns the rank of a number within a range of numbers.
SLOPE
Returns the slope of the best‑fit line for the collection using linear regression analysis.
SMALL
Returns the nth‑smallest value within a range. The smallest value is ranked number 1.
STANDARDIZE
Returns a normalized value from a distribution characterized by a given mean and standard deviation.
STDEV
Returns the standard deviation, a measure of dispersion, of a collection of values based on their sample (unbiased) variance.
STDEVA
Returns the standard deviation, a measure of dispersion, of a collection of values that may include text and Boolean values, based on the sample (unbiased) variance.
STDEVP
Returns the standard deviation, a measure of dispersion, of a collection of values based on their population (true) variance.
STDEVPA
Returns the standard deviation, a measure of dispersion, of a collection of values that may include text and Boolean values, based on the population (true) variance.
TDIST
Returns the probability from the Student’s t‑distribution.
TINV
Returns the t value (a function of the probability and degrees of freedom) from the Student’s t‑distribution.
TTEST
Returns the probability associated with a Student’s t‑test, based on the t‑distribution function.
VAR
Returns the sample (unbiased) variance, a measure of dispersion, of a collection of values.
VARA
Returns the sample (unbiased) variance, a measure of dispersion, of a collection of values, including text and Boolean values.
VARP
Returns the population (true) variance, a measure of dispersion, of a collection of values.
VARPA
Returns the sample (unbiased) variance, a measure of dispersion, of a collection of values, including text and Boolean values.
WEIBULL
Returns the values of the Weibull distribution.
ZTEST
Returns the one‑tailed probability value of the Z‑test.
CHAR
Returns the character that corresponds to a decimal Unicode character code.
CLEAN
Removes most common nonprinting characters (Unicode character codes 0–31) from text.
CODE
Returns the decimal Unicode number of the first character in a specified string.
CONCATENATE
Joins (concatenates) strings.
DOLLAR
Returns a string formatted as a dollar amount from a given number.
EXACT
Returns TRUE if the argument strings are identical in case and content.
FIND
Returns the starting position of one string within another.
FIXED
Rounds a number to the specified number of decimal places and then returns the result as a string value.
LEFT
Returns a string consisting of the specified number of characters from the left end of a given string.
LEN
Returns the number of characters in a string.
LOWER
Returns a string that is entirely lowercase, regardless of the case of the characters in the specified string.
MID
Returns a string consisting of the given number of characters from a string starting at the specified position.
PROPER
Returns a string where the first letter of each word is uppercase and all remaining characters are lowercase, regardless of the case of the characters in the specified string.
REPLACE
Returns a string where a specified number of characters of a given string have been replaced with a new string.
REPT
Returns a string that contains a given string repeated a specified number of times.
RIGHT
Returns a string consisting of the given number of characters from the right end of a specified string.
SEARCH
Returns the starting position of one string within another, ignoring case and allowing wildcards.
SUBSTITUTE
Returns a string where the specified characters of a given string have been replaced with a new string.
T
Returns the text contained in a cell. This function is included for compatibility with tables imported from other spreadsheet applications.
TRIM
Returns a string based on a given string, after removing extra spaces.
UPPER
Returns a string that is entirely uppercase, regardless of the case of the characters in the specified string.
VALUE
Returns a number value even if the argument is formatted as text.
ACOS
Returns the inverse cosine (arccosine) of a number.
ACOSH
Returns the inverse hyperbolic cosine (hyperbolic arccosine) of a number.
ASIN
Returns the arcsine (the inverse sine) of a number.
ASINH
Returns the inverse hyperbolic sine of a number.
ATAN
Returns the inverse tangent (arctangent) of a number.
ATAN2
Returns the angle, relative to the positive x‑axis, of the line passing through the origin and the specified point.
ATANH
Returns the inverse hyperbolic tangent of a number.
COS
Returns the cosine of an angle that is expressed in radians.
COSH
Returns the hyperbolic cosine of a number.
DEGREES
Returns the number of degrees in an angle expressed in radians.
RADIANS
Returns the number of radians in an angle expressed in degrees.
SIN
Returns the sine of an angle that is expressed in radians.
SINH
Returns the hyperbolic sine of the specified number.
TAN
Returns the tangent of an angle that is expressed in radians.
TANH
Returns the hyperbolic tangent of the specified number.
Note: This chapter describes property list keys specific to the macOS implementation of App Sandbox. They are not available in iOS.
In your macOS Xcode project, configure fine-grained security permissions by enabling settings in the Summary tab of the target editor. These settings, in turn, add Boolean values to entitlement keys in the target’s .entitlements property list file. The values are then incorporated into the target’s code signature when you build the project.
You can think of using App Sandbox entitlements as a two-step process:
Sandbox a target, which removes most capabilities for interacting with the system
Restore capabilities to the sandboxed target, as needed, by configuring App Sandbox entitlements
At runtime, if a target requires a capability or a system resource for which the target isn’t entitled, the sandbox daemon (sandboxd) logs a violation message to the console.
For more information about App Sandbox, read App Sandbox Design Guide.
App Sandbox Entitlement Keys
This section describes the keys you can use to confer capabilities to a sandboxed app in macOS. The first key enables App Sandbox; the others configure the sandbox. If App Sandbox is not enabled, the other keys in this section are meaningless.
The value to use for any of these keys is a Boolean YES or NO, with the default value in each case being NO. If you are editing the .entitlements file directly in a text editor, the corresponding Boolean values to use are <true/> and <false/>. The default value for each key is false, so you can (and generally should) leave out the entitlement entirely rather than specifying a false value.
In cases where there are read-only and read/write entitlement key pairs, use of either key in the pair is mutually exclusive with the other.
Add these keys by using the Summary tab of the Xcode target editor. You can also add them directly to a target’s .entitlements file with the Xcode property list editor.
For information on additional entitlements for handling special circumstances, see App Sandbox Temporary Exception Entitlements.
For each key in this table, providing a Boolean value of YES enables the corresponding capability (unless otherwise noted).
Enables App Sandbox for a target in an Xcode project
Allows access to group containers that are shared among multiple apps produced by a single development team, and allows certain additional interprocess communication between the apps
Supported in macOS v10.7.5 and in v10.8.3 and later. The format for this attribute is described in Adding an App to an App Group.
Read-only access to the user’s Movies folder and iTunes movies
For details, see Enabling Access to Files in Standard Locations.
Read/write access to the user’s Movies folder and iTunes movies
For details, see Enabling Access to Files in Standard Locations.
Read-only access to the user’s Music folder
For details, see Enabling Access to Files in Standard Locations.
Read/write access to the user’s Music folder
For details, see Enabling Access to Files in Standard Locations.
Read-only access to the user’s Pictures folder
For details, see Enabling Access to Files in Standard Locations.
Read/write access to the user’s Pictures folder
For details, see Enabling Access to Files in Standard Locations.
Communication with AVB devices
For details, see Enabling Hardware Access.
Interaction with Bluetooth devices
For details, see Enabling Hardware Access.
Capture of movies and still images using the built-in camera, if available
For details, see Enabling Hardware Access.
Interaction with FireWire devices (currently, does not support interaction with audio/video devices such as DV cameras)
For details, see Enabling Hardware Access.
Recording of audio using the built-in microphone, if available, along with access to audio input using any Core Audio API that supports audio input
For details, see Enabling Hardware Access.
Interaction with serial devices
For details, see Enabling Hardware Access.
Interaction with USB devices, including HID devices such as joysticks
For details, see Enabling Hardware Access.
Read/write access to the user’s Downloads folder
For details, see Enabling Access to Files in Standard Locations.
Use of app-scoped bookmarks and URLs
For details, see Enabling Security-Scoped Bookmark and URL Access.
Use of document-scoped bookmarks and URLs
For details, see Enabling Security-Scoped Bookmark and URL Access.
Read-only access to files the user has selected using an Open or Save dialog
For details, see Enabling User-Selected File Access.
Read/write access to files the user has selected using an Open or Save dialog
For details, see Enabling User-Selected File Access.
Allows apps to write executable files.
For details, see Enabling User-Selected File Access.
Child process inheritance of the parent’s sandbox
For details, see Enabling App Sandbox Inheritance.
Network socket for connecting to other machines
For details, see Enabling Network Access.
Network socket for listening for incoming connections initiated by other machines
For details, see Enabling Network Access.
com.apple.security.personal-information.addressbook
Read/write access to contacts in the user’s address book; allows apps to infer the default address book if more than one is present on a system
For details, see Enabling Personal Information Access.
Read/write access to the user’s calendars
For details, see Enabling Personal Information Access.
Use of the Core Location framework for determining the computer’s geographical location
For details, see Enabling Personal Information Access.
Printing
For details, see Enabling Hardware Access.
Ability to use specific AppleScript scripting access groups within a specific scriptable app
For details, see Enabling Scripting of Other Apps.
Enabling App Sandbox
You enable App Sandbox individually for each target in a macOS Xcode project. For example, you may design a project as a main app, and some helpers in the form of XPC services. You then enable and configure the sandbox for each target individually.
To learn how to enable App Sandbox for your macOS app, which includes performing code signing, see App Sandbox Quick Start in App Sandbox Design Guide. The essential step is to ensure that the target editor checkbox named in Table 4-1 is selected.
Setting | Entitlement key |
---|---|
Enable App Sandboxing |
|
Enabling User-Selected File Access
Xcode provides a pop-up menu, in the Summary tab of the target editor, with choices to enable read-only or read/write access to files and folders that the user explicitly selects. When you enable user-selected file access, you gain programmatic access to files and folders that the user opens using an NSOpenPanel object, and files the user saves using an NSSavePanel object.
Certain other user interactions, such as dragging items to your app or choosing items from the Open Recent menu, automatically expand your sandbox to include those items. Similarly, when macOS resumes an app after a reboot, the sandbox is automatically expanded to include any items that are automatically opened.
To enable user-selected file access in your app, use the Xcode target editor setting shown in Table 4-2.
Note: If your app needs to create executable files that are typically executed in some way other than through Launch Services (shell scripts, for example), you should also specify the com.apple.security.files.user-selected.executable entitlement.
By default, when writing executable files in sandboxed apps, the files are quarantined. Gatekeeper prevents quarantined executable files and other similar files (shell scripts, web archives, and so on) from opening or executing unless the user explicitly launches them from Finder.
If those executables are tools that are intended to run from the command line, such as shell scripts, this presents a problem. With this flag, the file quarantine system allows the app to write non-quarantined executables so that Gatekeeper does not prevent them from executing.
This entitlement does not have an Xcode checkbox, and thus must be added to your app’s entitlement property list manually. For details, see App Sandbox Entitlement Keys.
Setting | Entitlement keys |
---|---|
User Selected File |
|
Enabling Access to Files in Standard Locations
In addition to granting user-selected file access, you can employ entitlements to grant programmatic file access to the following user folders:
Downloads
Music
Movies
Pictures
The Xcode control for enabling Downloads folder access is a checkbox; the controls for enabling access to these other folders are pop-up menus.
When you enable programmatic access to the user’s Movies folder, you also gain access to their iTunes movies.
Reopening of files by macOS using Resume does not require the presence of any entitlement key.
To enable programmatic access to specific folders, use the Xcode target editor settings shown in Table 4-3.
Setting | Entitlement keys |
---|---|
Downloads Folder |
|
Music Folder |
|
Movies Folder |
|
Pictures Folder |
|
Enabling Security-Scoped Bookmark and URL Access
If you want to provide your sandboxed app with persistent access to file system resources, you must enable security-scoped bookmark and URL access. Security-scoped bookmarks are available starting in macOS v10.7.3.
To add the bookmarks.app-scope or bookmarks.document-scope entitlement, edit the target’s .entitlements property list file using the Xcode property list editor. Use the entitlement keys shown in Table 4-4, depending on which type of access you want. Use a value of <true/> for each entitlement you want to enable. You can enable either or both entitlements.
For more information on security-scoped bookmarks, read Security-Scoped Bookmarks and Persistent Resource Access in App Sandbox Design Guide.
Entitlement key | Description |
---|---|
| Enables use of app-scoped bookmarks and URLs |
| Enables use of document-scoped bookmarks and URLs. Version note: in macOS v10.7.3, this entitlement key was named |
Enabling Network Access
Xcode’s Network checkboxes in the Summary tab of the target editor let you enable network access for your app.
To enable your app to connect to a server process running on another machine (or on the same machine), enable outgoing network connections.
To enable opening a network listening socket so that other computers can connect to your app, allow incoming network connections.
Note: Both outgoing and incoming connections can send and receive data. The sole difference is in whether your app is initiating the connection or is receiving connections initiated by other apps or other hosts.
To enable network access, use the Xcode target editor settings shown in Table 4-5.
Setting | Entitlement key |
---|---|
Allow Incoming Connections |
|
Allow Outgoing Connections |
|
Enabling Hardware Access
To allow a sandboxed target to access hardware services on a system—USB, printing, or the built-in camera and microphone—enable the corresponding setting in the Summary tab of the Xcode target editor.
Camera access enables access to video and still image capture using the built-in camera, if available.
Microphone access enables access to audio recording using the built-in microphone, if available.
USB access enables the ability to interact with USB devices using USB device access APIs. On violation, sandboxd names the I/O Kit class your code tried to access.
Printing access is required if you want to provide a target with the ability to print.
To enable access to hardware, use the Xcode target editor settings shown in Table 4-6.
Setting | Entitlement key |
---|---|
Allow Camera Access |
|
Allow Microphone Access |
|
Allow USB Access |
|
Allow Printing |
|
To allow access to hardware devices for which no checkbox exists in Xcode’s user interface, you must manually add the appropriate entitlement to your app’s entitlements property list. These additional entitlements are listed in Table 4-7. All of these keys take a Boolean value.
Entitlement key | Description |
---|---|
| Interaction with AVB devices by using the Audio Video Bridging framework |
| Interaction with Bluetooth devices |
| Interaction with FireWire devices (currently, does not support interaction with audio/video devices such as DV cameras) |
| Interaction with serial devices |
Enabling Personal Information Access
A user’s personal information is inaccessible to your sandboxed app unless you grant access using the appropriate settings.
Address Book access enables read/write access to contacts in the user’s address book.
Location Services access enables use of the Core Location framework to determine the computer’s geographic position.
Calendar access enables read/write access to the user’s calendars.
To enable access to personal information, use the Xcode target editor settings shown in Table 4-8.
Setting | Entitlement key |
---|---|
Allow Address Book Data Access |
|
Allow Location Services Access |
|
Allow Calendar Data Access |
|
Adding an App to an App Group
The com.apple.security.application-groups entitlement (available in macOS v10.7.5 and v10.8.3 and later) allows multiple apps produced by a single development team to share access to a special group container. This container is intended for content that is not user-facing, such as shared caches or databases.
In addition, this attribute allows the apps within the group to share Mach and POSIX semaphores and to use certain other IPC mechanisms among the group’s members. For additional details and naming conventions, read “Mach IPC and POSIX Semaphores and Shared Memory” in App Sandbox Design Guide.
The value for this key must be of type array, and must contain one or more string values, each of which must consist of your development team ID, followed by a period, followed by an arbitrary name chosen by your development team. For example:
The group containers are automatically created or added into each app’s sandbox container as determined by the existence of these keys. The group containers are stored in ~/Library/Group Containers/<application-group-id>, where <application-group-id> is one of the strings from the array. Your app can obtain the path to the group containers by calling the containerURLForSecurityApplicationGroupIdentifier: method of NSFileManager.
Enabling App Sandbox Inheritance
If your app employs a child process created with either the posix_spawn function or the NSTask class, you can configure the child process to inherit the sandbox of its parent. However, using a child process does not provide the security afforded by using an XPC service.
Important: XPC (as described in External Tools, XPC Services, and Privilege Separation) complements App Sandbox and is the preferred technology for implementing privilege separation in a macOS app. Before using a child process, consider using an XPC service instead.
To enable sandbox inheritance, a child target must use exactly two App Sandbox entitlement keys: com.apple.security.app-sandbox and com.apple.security.inherit. If you specify any other App Sandbox entitlement, the system aborts the child process. You can, however, confer other capabilities to a child process by way of iCloud and notification entitlements.
The main app in an Xcode project must never have a YES value for the inherit entitlement.
To add the inherit entitlement, edit the target’s .entitlements property list file using the Xcode property list editor. Use the entitlement key shown in Table 4-9 with a value of <true/>.
Note: This property causes the child process to inherit only the static rights defined in the main app’s entitlements file, not any rights added to your sandbox after launch (such as PowerBox access to files).
If you need to provide access to files opened after launch, you must either pass the data to the helper or pass a bookmark to the child process. The bookmark need not be a security-scoped bookmark, but it can be, if desired.
If you are using other APIs to create child processes (such as NSWorkspace) and wish to have a shared container directory, you must use an app group.
Entitlement key | Description |
---|---|
| Enables App Sandbox inheritance |
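The inheritance rule above and the identifier format from Adding an App to an App Group can both be checked mechanically before a target is signed. The following Python linter is an added example, not Apple's code; it assumes every App Sandbox key starts with com.apple.security., and the team ID TEAMID1234 and the sample property lists are constructed placeholders.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
GROUPS = "com.apple.security.application-groups"
# Assumption: every App Sandbox entitlement key carries this prefix.
PREFIX = "com.apple.security."


def lint_entitlements(plist_bytes, is_main_app, team_id):
    """Return findings for one target's .entitlements property list."""
    ent = plistlib.loads(plist_bytes)
    findings = []
    inherits = ent.get(INHERIT) is True

    if is_main_app and inherits:
        findings.append("main app must never set " + INHERIT)
    if inherits and not is_main_app:
        if ent.get(SANDBOX) is not True:
            findings.append("inheriting child lacks " + SANDBOX)
        # Any App Sandbox key beyond the two makes the system abort the child.
        for key in sorted(ent):
            if key.startswith(PREFIX) and key not in (SANDBOX, INHERIT):
                findings.append("inheriting child also declares " + key)

    if GROUPS in ent:
        groups = ent[GROUPS]
        if not isinstance(groups, list) or not groups:
            findings.append(GROUPS + " must be a non-empty array")
        else:
            for g in groups:
                # Required shape: <team ID> "." <non-empty name>
                ok = isinstance(g, str) and g.startswith(team_id + ".")
                if not ok or len(g) == len(team_id) + 1:
                    findings.append("bad app group id: %r" % (g,))
    return findings


# Constructed sample inputs; network.client is the outgoing-connections key.
HELPER_OK = plistlib.dumps({SANDBOX: True, INHERIT: True})
HELPER_BAD = plistlib.dumps({SANDBOX: True, INHERIT: True,
                             "com.apple.security.network.client": True})
MAIN_BAD = plistlib.dumps({SANDBOX: True, INHERIT: True,
                           GROUPS: ["TEAMID1234.shared", "shared-cache"]})

if __name__ == "__main__":
    for label, blob, main in [("helper ok", HELPER_OK, False),
                              ("helper bad", HELPER_BAD, False),
                              ("main bad", MAIN_BAD, True)]:
        print(label, lint_entitlements(blob, main, "TEAMID1234"))
```

Run it over each target's .entitlements file in a build step; an empty list means the target passes these two checks only, not that its sandbox is minimal.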
Enabling Scripting of Other Apps
If your app needs to control another scriptable app, your app can use the scripting targets entitlement to request access to one or more of the scriptable app’s scripting access groups.
Note: Before you can use this entitlement, the scriptable app must provide scripting access groups. If it does not, you can still control the app, but you use a temporary exception entitlement instead. In some cases, you may use both the scripting-targets entitlement and a temporary entitlement together, to provide support across different versions of the OS. For more information, see Apple Event Temporary Exception.
Entitlement key | Description |
---|---|
| Ability to use specific AppleScript scripting access groups within a specific scriptable app |
The scripting target entitlement contains a dictionary where each entry has the target app’s code signing identifier as the key, and an array of scripting access groups as the value. Scripting access groups are identified by strings and are specific to an app. For example, the following entry would grant access to composing mail messages with Apple’s Mail app:
For more information about how to add scripting access groups to an app, watch WWDC 2012: Secure Automation Techniques in OS X and read the manual page for sdef.
Copyright © 2017 Apple Inc. All Rights Reserved. Updated: 2017-03-27