1

Is there a way to programmatically determine whether an app is allowed to be launched in Security & Privacy settings in macOS?

I am trying to silently launch an .app that is downloaded from the web from within a Cocoa application, but if the user does not allow apps from outside the Mac App Store my app would simply fail to launch with a dialog recommending the user to change their settings. I would like to know whether the app will launch successfully, and if it won't, open the Security & Privacy settings myself so that the user alters them.

Basically, I am looking for the function AppIsAllowedToLaunch:

if (AppIsAllowedToLaunch(appURL)) {
  // open the app at appURL
} else {
  // open Security & Privacy settings, inform the user that they should change settings
}

What I tried:

  • open(2) always returns with a zero exit code, whether the app is launched successfully or not
  • [NSWorkspace.sharedWorkspace launchApplicationAtURL:options:configuration:error:] returns an instance of NSRunningApplication. Not only does this object not allow me to check whether the app has been launched successfully, but it also requires me to try to launch the app to see what happens, instead of performing the check beforehand, which is what I need
  • Open-source open(2) alternatives are mostly outdated and do not reflect the changes to Security & Settings that allow users to block non-Mac App Store apps from launching. The original open(2) is unfortunately not open-sourced.
  • spctl -a /path/to/app.app will correctly return 3 if the app is not allowed to launch as per Security & Privacy settings. But it also returns 3 if the app requires root privileges to run (and the app I'm launching does), so I cannot use this method.

There has to be some system framework (probably LaunchServices or Security) or a system database (akin to /var/db/SystemPolicyConfiguration/KextPolicy) that has to be queried in order to check if the app can be launched successfully.

My app is not sandboxed and is not distributed via Mac App Store. It is run with user privileges.

Dmitry Serov
  • "`spctl -a /path/to/app.app` will correctly return 3 if the app is not allowed to launch as per Security & Privacy settings. But it also returns 3 if the app requires root privileges to run (and the app I'm launching does), so I cannot use this method" - assuming this is correct and there is no other way why not first download a small app that doesn't require root privileges to run and use this method to determine if it can run and hence distinguish the two 3 cases? – CRD Dec 28 '18 at 21:36

1 Answer

0

Try using spctl --assess --raw app.app.

--raw provides an XML output in addition to an exit code. I could not find documentation for those values, but they might contain the info you need.

pointum
  • Unfortunately, the output I get from the command isn't rich enough for my goals. There is no difference in output, no matter if only Mac App Store apps are allowed or not. – Dmitry Serov Dec 25 '18 at 13:10
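An added example, not code from the question or the answer: one way to read the property list that `spctl --assess --raw` prints together with its exit code, so a caller can record the verdict and the authority source instead of only seeing exit code 3. The key names are assumptions taken from Apple's SecAssessment constants (the page does not document them), and the sample plist is constructed for illustration.

```python
import plistlib
import subprocess

# Assumed key names (SecAssessment constants); not documented on the page.
VERDICT = "assessment:verdict"
AUTHORITY = "assessment:authority"
SOURCE = "assessment:authority:source"

# Constructed sample of a rejected assessment, for offline use.
SAMPLE_REJECTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>assessment:authority</key>
  <dict><key>assessment:authority:source</key>
        <string>no usable signature</string></dict>
  <key>assessment:verdict</key><false/>
</dict></plist>"""


def parse_assessment(raw: bytes, exit_code: int) -> dict:
    """Combine the raw plist output and the exit code into one record."""
    result = {"exit_code": exit_code, "parsed": False,
              "verdict": None, "source": None}
    try:
        plist = plistlib.loads(raw.strip())
    except Exception:
        # Empty or non-plist output (e.g. an error message): keep exit code only.
        return result
    if not isinstance(plist, dict):
        return result
    authority = plist.get(AUTHORITY)
    result["parsed"] = True
    result["verdict"] = plist.get(VERDICT)
    if isinstance(authority, dict):
        result["source"] = authority.get(SOURCE)
    return result


def assess(app_path: str) -> dict:
    """Run spctl on macOS; accept the plist from stdout or stderr."""
    proc = subprocess.run(["spctl", "--assess", "--raw", app_path],
                          capture_output=True)
    raw = proc.stdout if proc.stdout.strip() else proc.stderr
    return parse_assessment(raw, proc.returncode)


if __name__ == "__main__":
    print(parse_assessment(SAMPLE_REJECTED, 3))
```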