Parental Controls in OSX Mac Lab - macos

I administer a couple of Mac labs at our school. (OSX Yosemite)
The students use these computers by logging into a local shared account that is limited by Parental Controls.
For the most part this works fine, but our IST students are now creating new applications using things like Game Maker by Yoyo etc. When a student app is created, it cannot be run unless it is allowed via Parental Controls. Even if Allow Always is set on a debug version of the app, it will not run the second time as the signature of the file changes each time it is run.
Are there any workarounds that anybody has used to allow these sorts of app builders to run under Parental Controls?

Related

How can one run many copies of a MacOS App

I was thinking of this today and was wondering what it is in a MacOS app that prevents me from running, for example, 5 instances of a specific app?
I was thinking it could be the bundle_id (similar to iOS) but when I copied and renamed the app (to appname_2) and edited the bundle_id (to bundle_id_2) for that specific app, it didn't launch and instead just put that application in the foreground.
Maybe there's a method that checks the Mac address of the device and only allows one app to run per Mac address.
Due to it being hard to find any info on this online, I'm wondering if it's possible to run multiple versions of an app on my Mac.
I'm pretty sure a virtual machine would work, but if I wanted to run 100 instances of that specific app then I'd run all out of RAM and would render my Mac useless for actual work.
The LaunchServices (Finder, NSWorkspace APIs, etc.) on MacOS allow you to run one app per user session. Nothing prevents you from launching an app a second time when you don't use Launch Services. (And your assumption is correct that LaunchServices looks at the BundleID to see if the app is already running).
E.g., when you open two Terminal windows and start Mail via (/Applications/Mail.app/Contents/MacOS/Mail) in both, you have two Mail instances. open /Applications/Mail.app/ won't work two times because it'll use LaunchServices.

Bypassing Mac App Store restrictions on privilege escalation

According to the Mac App Store Review Guidelines:
2.4.5 Apps distributed via the Mac App Store have some additional requirements to keep in mind:
(i) They must be appropriately sandboxed, and follow macOS File System Documentation. They should also only use the appropriate macOS APIs for modifying user data stored by other Apps (e.g. bookmarks, Address Book, or Calendar entries).
...
(iv) They may not download or install standalone apps, kexts, additional code, or resources to add functionality or significantly change the app from what we see during the review process.
(v) They may not request escalation to root privileges or use setuid attributes.
Sandboxing already precludes the use of APIs such as AuthorizationCreate(), and anyway, item (v) is pretty clear.
Certainly an app like, say, Parallels (MAS link) can't be coded without ever resorting to privilege escalation. Indeed, the regular (non-MAS) Parallels app installs at least 3 kexts, one of them being the hypervisor, without which I believe Parallels would be absolutely useless. So they are clearly violating these rules.
If a developer wished to write an app that, like Parallels, needs privilege escalation and is completely useless without it, how would the developer go about bypassing these restrictions? Or is it just a question of being big enough that Apple will turn a blind eye to this during the review process? Can you request an exception to Apple?
No comment on the App Store policy issue (unfortunately), but I can answer your question about Parallels. The version of Parallels on the Mac App Store does not use a kext, nor does it need to. The Hypervisor framework makes it possible to write a Parallels-like application without needing root privileges, or writing and distributing a custom kext (which requires separate approval by Apple). The Hypervisor framework is also usable from sandboxed apps. I believe this framework was created specifically to work around this problem. Hope this helps!

Run .sh on mac remotely from server

Not sure how clear the title is, but basically I've created a program for Windows which my company can use to build games remotely from their desktops. Currently the Windows aspect works without a hitch, but I'm struggling to get our Mac to build.
We use psexec for the Windows side, and I tried to use it for Mac as well (just hoping), to be stuck with an Invalid Handle error.
The way the program works is the user selects from their system tray what they want to build. We have two options that require the Mac; both of those currently are the only ones that don't work.
We do have the ability to remotely access the Mac as well, but we're looking to mostly automate the process so that literally anyone (even the non-technically savvy) can click two buttons and create a build.

How to launch a Win32 application to run like a Windows 10 assigned access AppX (kiosk mode)

The requirement is to be able to run a kiosk application on Windows 10 which has unrestricted capability on the host computer to make arbitrary system calls and launch any kind of app including Appx and Win32. The kiosk app can be fully trusted - it may be thought of as a side-loaded in-house app for machines equipped with conventional keyboard and mouse to be used in a public setting. The user should not be able to circumvent or escape the kiosk app.
Assigned access fits the general idea, except that assigned access only works for Appx which are not full trust (no access to the needed APIs to launch Win32 apps, etc.). These restrictions appear to be by design, so it would be unlikely this approach could successfully meet the stated requirements. Although it is possible to author a WPF app as a "full trust" Appx, it won't work in kiosk mode.
Replacing the Windows shell with a custom one (the kiosk app) would work except that some of the tasks the kiosk app needs to be able to perform require the presence of the explorer shell (e.g. launch an Appx - requires services provided by the explorer shell).
Running a Win32 app above the lock screen might be a solution, if it were possible (I believe this is what assigned access does with its Appx).
Running an app in any normal fashion would require that many hotkey combinations are disabled or intercepted, including [CTRL][Alt][Del], which seems to be a major issue/challenge. It seems there is no way to prevent the user from invoking task manager or otherwise circumventing an app to gain unsecured/unmediated access to the system.
Is there any way to meet the requirement as I've outlined? If so, what is the technique and (if relevant), what APIs are central to the approach?
Update:
Although the full-trust converted WPF AppX could be installed and selected for assigned access, it "did not work" because of some issues found to have been recorded in the event log, specifically: Applications and Services Logs > Microsoft > Windows > Apps > Microsoft-Windows-TWinUI/Operational. Observed behavior was that upon user login, a blue screen would be displayed with the familiar Windows spinner, which would flicker every second or so as if something was being retried over and over. The associated event log messages (all source "Apps") are:
ActivateApplicationForContractByAppIdAsUserWithHost of the app LockDownSample_y1sem70fxfdf6!LockDownSample for the Windows.Launch contract failed with This app does not support the contract specified or is not installed.. (Event ID: 5985)
The app LockDownSample_y1sem70fxfdf6!LockDownSample is not registered for the Windows.Launch contract or is not installed. (Event ID: 5951)
The app Microsoft.WindowsMaps_8wekyb3d8bbwe!App is not registered for the Windows.PreInstalledConfigTask contract or is not installed. (also Event ID: 5951)
Activation via contract helper of the app Microsoft.WindowsMaps_8wekyb3d8bbwe!App for the Windows.PreInstalledConfigTask contract failed with Class not registered. (Event ID: 5990)
Is this due to an intentionally imposed limitation, or is this something which can be resolved?
Update 2:
Found this recent question:
Windows 10 assigned access app fails to start due to not registered for Windows.Launch contract
This fairly accurately describes my experience with Assigned Access for a full-trust kiosk app, concluding with the answer "not yet supported".

Applescript used in compiled app won't access ML Calendar

I write RealBasic apps for use on my own computer only. I have a few scripts that access Contacts and Calendar data. All of these scripts work great and Mountain Lion (ML) even automatically updated the application names for me.
The same scripts also run from within a compiled RealBasic app I wrote (a client booking system) that need to run from here as they have arguments passed to them. The ones that access Contacts caused ML to ask for permission the first time they ran, and then everything worked fine. But those that access Calendar never asked for permission and of course, don't run at all - so my main controlling app is broken.
I am aware of Apple's new AppleScript restrictions - but given the above Contacts behavior, clearly there is a way to allow programs to be controlled by AppleScripts.
Is there any way I can tell Calendar to allow the script to run? (Contacts has this in the Security settings in ML's settings app, but there is no entry for Calendar.)
(I am a private hobbyist not a developer so I am not verified, signed and sealed!)
