Hi, we are looking for a solution to install an extension to the Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content.
PowerPoint extensions
Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location:
~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/
The PPAM file must also be registered in the MicrosoftRegistrationDB.reg file, which is a SQLite database stored at this location:
~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg
These locations can be accessed by non-sandboxed apps on macOS 14 and earlier.
Slido integration
Our Slido app for macOS is distributed outside the Mac App Store; it is not sandboxed and it is signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database.
This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text:
"Slido" would like to access data from other apps.
This will allow Slido to integrate with Microsoft PowerPoint app.
[Don't Allow] [Allow]
We understand this is a security feature, yet we would like to make the experience for customers much better.
As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context.
Slido installs its files to this location:
~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/
- Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are different TeamID?
- Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts?
By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint.
We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting an exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on the Apple platform.
I am thankful for any guidance and constructive feedback.
Jozef, Tech Leader at Slido integrations team
Let’s start with your technical questions:
Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder?
No. That specific question doesn’t make sense, because temporary exception entitlements apply to the App Sandbox restrictions and you’re not sandboxed. You’re hitting a MAC restriction, per the terminology in On File System Permissions.
But, addressing the spirit of the question, there is no entitlement that allows third-party developers to bypass this check.
Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts?
No. As things are currently set up, this privilege is only granted to the calling process.
IMO the best path forward is to reach out to the app vendor for guidance. I see two possibilities here:
- Either they do want to support third-party extensions like this, in which case they should provide a supported way to install them. Or adopt ExtensionKit, which causes this whole problem to go away (-:
- Or they don’t, which is a bigger picture concern.
You are, of course, free to file a bug with Apple about this. However, based on your description of the issue, macOS 15 seems to be doing exactly what it should be doing.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"