but it would be polling, which seems inefficient I think this is what Disk Arbitration is for (see the documentation’s recommendation to use it and you may also find the archived documentation on it useful as well). The service itself still needs to launch before the disk mounts so that it can listen for these events, though. I think you could just use #3 and use Disk Arbitration to respond when your disk appears (and disappears, if you need to handle that) in an efficient way.

Both of these are policy decisions App Review will need to make, however, I will say that it's possible that #1 might be allowed Marking this as solved because App Review approved my app that uses SMAppService.daemon to run a sandboxed launch daemon, so at least in this context, this was allowed. 🎉

Thanks for the insights! I'm surprised to see that the relevant code is open-source. I'm also surprised, but pleased, to hear that my first workaround isn't guaranteed to be hopeless; I'll give it a try and see what App Review thinks. the "diskutil" command line tool Unfortunately, this didn't seem to get around the issue. I tried let process = Process() process.executableURL = URL(filePath: "/usr/sbin/diskutil") process.arguments = ["mount", "readOnly", diskBSDName] try? process.run() which had the expected behavior when App Sandbox was disabled but did not work when App Sandbox was enabled. It's certainly worth filing an enhancement request asking for the sandbox to handle this better. I filed FB16728800 and attached a sample project to it.

It’s not a very elegant solution, but since VPN and NetworkExtension traffic is not routed through Private Relay, you could set up a VPN server on your local network (e.g. WireGuard), and use the associated iOS/macOS app to connect to the server. In your VPN configuration, only route traffic destined for the local network through the VPN (so that Internet traffic still goes through Private Relay as normal, not the VPN), and set the DNS server in your VPN to be your local DNS server. I am hoping a better solution exists/will exist at some point, though! I’ve made a suggestion to allow users to choose whether to route DNS queries through Private Relay (FB9184754), and I suggest you make similar feedback for your use case.