--- title: Configuring the hardened runtime framework: xcode role: article role_heading: Article path: xcode/configuring-the-hardened-runtime --- # Configuring the hardened runtime Protect the runtime integrity of your macOS app by restricting access to sensitive resources and preventing common exploits. ## Overview Overview The Hardened Runtime is a collection of system-enforced restrictions that disable a set of functional capabilities, such as loading third-party frameworks, and prohibit access to restricted resources, such as the device’s built-in camera, to prevent certain classes of exploits from compromising the runtime integrity of your macOS app. If your app relies on something the Hardened Runtime restricts, you remove that specific protection by adding an entitlement to your app’s entitlements file. Xcode’s Hardened Runtime capability provides an easy way to manage those entitlements. Before you select the required runtime exceptions and access to restricted resources that your app requires, follow the steps in the Add a capability section of Adding capabilities to your app to add the Hardened Runtime capability to the target of your macOS app. If you create a new macOS app using a template, Xcode automatically adds the Hardened Runtime capability to your app. important: Apple only notarizes macOS apps that enable the Hardened Runtime capability. For more information, see Notarizing macOS software before distribution. Specify your app’s runtime exceptions Before your app can perform functionality that depends upon one or more runtime exceptions, you must add the entitlements for those exceptions by performing the following: Select your project in Xcode’s Project navigator. Select the app’s target in the Targets list. Click the Signing & Capabilities tab in the project editor. Locate the Runtime Exceptions section of the Hardened Runtime capability. Select one or more runtime exceptions by checking the corresponding checkboxes. Xcode automatically updates your app’s entitlements file to include the entitlements that correspond to the selected runtime exceptions, and sets the value of those entitlements to true. The following table describes the runtime exceptions the Hardened Runtime supports: | | | | | | | warning: Specific runtime exceptions, such as Disable Executable Memory Protection, remove core security barriers from your app. Always apply caution when using runtime exceptions and opt for the narrowest set of entitlements that enable the required functionality. Specify the resource access your app requires If your app accesses restricted or sensitive resources, such as the user’s photo library or address book, you must include the entitlements that provide access to those resources by following these steps: Select your project in Xcode’s Project navigator. Select the app’s target in the Targets list. Click the Signing & Capabilities tab in the project editor. Locate the Resource Access section of the Hardened Runtime capability. Select access to one or more resources by checking the corresponding checkboxes. After you select the required resource access, Xcode updates the entitlements file of your app to include the corresponding entitlements and sets the value of those entitlements to true. important: Apps that contain the necessary entitlements must still seek the user’s explicit permission before they can access restricted resources such as the camera. See each resource’s corresponding framework documentation for specific requirements. The following table describes the resource access entitlements the Hardened Runtime supports: | | | | | | | | ## See Also ### Security - [Configuring Family Controls](xcode/configuring-family-controls.md) - [Configuring the macOS App Sandbox](xcode/configuring-the-macos-app-sandbox.md) - [Configuring keychain sharing](xcode/configuring-keychain-sharing.md) - [Protecting local app data using containers on macOS](xcode/protecting-local-app-data-using-containers.md) - [Accessing app group containers in your existing macOS app](xcode/accessing-app-group-containers.md)