Protecting local app data using containers on macOS
Secure your app’s local storage data from unauthorized access and modification.
Overview
App Sandbox provides automatic protection for your app’s data. App data containers that the system creates for apps that have the App Sandbox capability offer System Integrity Protection, which helps prevent potentially malicious software from modifying protected files and folders.
In macOS 15 and later, app group containers also offer System Integrity Protection for local files for an app even if it doesn’t have the App Sandbox capability. These app group containers limit access by any app that doesn’t belong to the app group. When an app that isn’t in the app group attempts to access a location protected by an app group or app data container, the system prompts the user to authorize access. For more information, see the System Integrity Protection section of macOS Sequoia 15 Release Notes.
Add app group membership to your app
Follow the steps in Configuring app groups to add the App Groups Entitlement to your app’s target. Multiple apps and supporting processes signed by the same developer team may share the same app group.
See Diagnosing Issues with Entitlements for information on diagnosing any issues you encounter when you add the app groups entitlement.
Access an app group container
When your app becomes a member of an app group, there are a number of APIs you can use to read and write data to that group’s shared container. See Access an app group’s shared container for more details.
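The following sketch shows one way to read and write a file in the group's shared container with FileManager. It is an added example, not Apple's sample code: the group identifier is a placeholder for the one in your target's App Groups entitlement, and the helper names, directory name and file name are hypothetical.

```swift
import Foundation

// Placeholder: use the identifier listed in your target's App Groups entitlement.
let groupID = "TEAMID.com.example.shared"

enum GroupStoreError: Error {
    case containerUnavailable
}

/// Hypothetical helper: returns a writable directory inside the shared container.
func sharedStoreDirectory(group: String) throws -> URL {
    let fm = FileManager.default
    guard let root = fm.containerURL(forSecurityApplicationGroupIdentifier: group) else {
        throw GroupStoreError.containerUnavailable
    }
    // On macOS a URL can come back even when the process is not a valid member
    // of the group, so a non-nil result is not proof of access. Creating the
    // directory surfaces a permission failure here, before the first write.
    let dir = root.appendingPathComponent("Library/Application Support/ExampleStore",
                                          isDirectory: true)
    try fm.createDirectory(at: dir, withIntermediateDirectories: true)
    return dir
}

/// Writes the settings atomically so another group member never reads a partial file.
func saveSettings(_ settings: [String: String], group: String) throws -> URL {
    let file = try sharedStoreDirectory(group: group).appendingPathComponent("settings.json")
    let data = try JSONEncoder().encode(settings)
    try data.write(to: file, options: .atomic)
    return file
}

func loadSettings(group: String) throws -> [String: String] {
    let file = try sharedStoreDirectory(group: group).appendingPathComponent("settings.json")
    return try JSONDecoder().decode([String: String].self, from: Data(contentsOf: file))
}

do {
    let file = try saveSettings(["theme": "dark"], group: groupID)
    let loaded = try loadSettings(group: groupID)
    print("wrote \(file.path), read back \(loaded)")
} catch {
    // Reached when the entitlement is missing or the group identifier does not match.
    print("app group container not accessible: \(error)")
}
```

Every app and helper process in the group resolves the same directory from the same identifier, so a process that fails in the catch branch is the one whose entitlement needs checking.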