Multicast Entitlements

Hi,

I am having a ton of issues with the new multicast/network entitlements requirements on MacOS.

Basically, since my app didn't request these new entitlements until recently, if the app had been installed without these permissions enabled, it will not pick up the new permissions once they are enabled. The only options I had were to create a new user, and install the app under the new user, which works, but is not a real solution for users.

This is really problematic, as there is no way currently to remove or change these network permissions once they are established. Is there a way to fix this? Or some other workarounds I am missing?

Thanks

Also via the documentation: TN3179: Understanding local network privacy | Apple Developer Documentation

"There's no guarantee that it'll actually trigger the alert"

And

"On macOS there's no way to reset your program's Local Network privilege to the undetermined state (FB14944392). One alternative is to run your program in a virtual machine (VM). To retest, restore the VM from a snapshot taken before you installed your program."

Answered by DTS Engineer in 856268022

Thanks for confirming that.

I re-read your earlier posts and my understanding is that things are working now but you're concerned about this:

I … used the second user for the app, which [would be] horrid if I ever had to ask a user to do it.

Is that right?

Lemme explain why that matters. If your app works properly on a fresh Mac [1] then you know that it’s built correctly. If it encounters problems like this out in the wild, then there are limits as to what you can do about that. It would be nice, for example, if you could publish your own support article explaining how a user hitting weird problems with your app can reset local network privacy. However, I don’t have any advice to offer on that front because there’s no supported way to do that )-:

Having said that, my experience is that problems like this are much more common on development machines than user machines, because:

  • A development machine is likely to see builds of your app that aren’t correctly set up.
  • Even if that never happens, development machines see build upon build of your app, and that exposes all sorts of weird bugs.

So, I’d caution you not to extrapolate your experience to that seen by your app’s users.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, for a fresh user on a Mac that’s never seen your app before.

TN3179 is pretty clear that this is not related to the com.apple.developer.networking.multicast entitlement, because that entitlement is neither required nor supported on macOS. Whatever issue you’re hitting, it’s not that.

Basically, since my app didn't request these new entitlements until recently

Given the above, this is a red herring. Indeed, this isn’t an issue even on platforms, like iOS, where the multicast entitlement is supported. The multicast entitlement and local network privacy are different things. They can both block your ability to use multicasts, but other than that they don’t interact. Most notably, the multicast entitlement has no persistence. The system checks the entitlement each time your process tries to work with multicasts. It doesn’t interact with the persistent mechanism used by local network privacy.


Anyway, there are two common causes of multicast problems:

  • Folks using the multicast APIs incorrectly — This is surprisingly easy to do because… well… BSD Sockets.
  • Local network privacy

With regards the first, I recommend that you read through my Broadcasts and Multicasts, Hints and Tips post.

With regards the second, you wrote:

as there is no way currently to remove or change these network permissions once they are established. Is there a way to fix this?

The user should be able to change the setting in System Settings > Privacy & Security > Local Network. Is the issue that your app isn’t showing up there?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for responding, and so quickly.

You are correct on the first point, I don't have multicast entitlements in my app (got a nasty crash when I tried), but I am mostly attempting to send multicast udp packets, and kept hitting a roadblock with these permissions.

The issue is with the Local Network Privacy permissions. The reason I think it is this, and not incorrect API usage, is I had the app installed on a brand new Mac Mini, and could not send UDP multicast packets from the app. I then ran the app from the Terminal, and it worked just fine. I realized I was missing these network permissions, and re-built and reinstalled it with these permissions enabled. The app worked temporarily after re-installing, but after restarting the machine, the app would again stop working and still not allow me to send these packets. It would work from the terminal (which says that the APIs are used correctly, BSD sockets being what they are...).

I then created a new user on that machine, and had no issues with these permissions or the network, even after restarting the machine. So I deleted the original user, and used the second user for the app, which was fine in this case, but horrid if I ever had to ask a user to do it.

In the System Settings > Privacy & Security > Local Network the app in all cases had this enabled. There is no way to remove and re-force the request from this settings menu, and on my development machines, I see hundreds of these permissions for my app in this menu, with no way to remove them. This is on OSX 15.6.

Please check that your app:

  • Has the NSLocalNetworkUsageDescription property set.
  • Is signed with a stable code-signing identity.
  • Has a build UUID for the main executable.

TN3179 has links to more info about each of these.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
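One way to script the three checks in the reply above, as an added example (not Quinn's code and not part of TN3179). It assumes the standard bundle layout (Contents/Info.plist and Contents/MacOS/<CFBundleExecutable>) and that codesign and dwarfdump are on PATH, which is only the case on macOS; elsewhere those two checks are reported as skipped.

```python
import plistlib
import shutil
import subprocess
import sys
from pathlib import Path

# Info.plist key named in TN3179 and in the checklist above.
USAGE_KEY = "NSLocalNetworkUsageDescription"

def check_usage_description(info: dict) -> list[str]:
    """Check a parsed Info.plist for the usage-description key; an empty list means OK."""
    value = info.get(USAGE_KEY)
    if value is None:
        return [f"{USAGE_KEY} is missing from Info.plist"]
    if not isinstance(value, str) or not value.strip():
        return [f"{USAGE_KEY} is present but not a non-empty string"]
    return []

def check_signing_and_uuid(executable: Path) -> list[str]:
    """Run codesign and dwarfdump on the main executable when available (macOS only).
    Returns problems found; on a host without those tools it returns 'skipped' notes."""
    problems = []
    if shutil.which("codesign"):
        # codesign -dvv writes its report to stderr. An ad-hoc signature has no Authority=
        # lines, so their absence is used here as an approximation of "no stable identity".
        r = subprocess.run(["codesign", "-dvv", str(executable)], capture_output=True, text=True)
        if r.returncode != 0 or "Authority=" not in r.stderr:
            problems.append("main executable is unsigned or ad-hoc signed (no Authority= line)")
    else:
        problems.append("skipped: codesign not available on this host")
    if shutil.which("dwarfdump"):
        r = subprocess.run(["dwarfdump", "--uuid", str(executable)], capture_output=True, text=True)
        if "UUID:" not in r.stdout:
            problems.append("main executable has no build UUID (LC_UUID load command)")
    else:
        problems.append("skipped: dwarfdump not available on this host")
    return problems

def check_app_bundle(app: Path) -> list[str]:
    """Apply the checklist to an .app bundle; an empty list means everything looked fine."""
    with open(app / "Contents" / "Info.plist", "rb") as f:
        info = plistlib.load(f)  # handles both XML and binary plists
    exe = app / "Contents" / "MacOS" / info.get("CFBundleExecutable", app.stem)
    return check_usage_description(info) + check_signing_and_uuid(exe)

if __name__ == "__main__":
    for line in check_app_bundle(Path(sys.argv[1])) or ["all checks passed"]:
        print(line)
```

Run it as `python3 check_bundle.py /Applications/YourApp.app`; a clean bundle prints "all checks passed", otherwise one line per finding.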

  • Yes, it is in the distributed plist.
  • Yes, signed, notarized and stapled.
  • Yes, running dwarfdump shows UUIDs for x86 and arm.

Thanks, Chris
