Entitlements for VMWare et al access to access USB devices

The way to capture USB devices is on macOS is with IOUSBHostDevice passing the IOUSBHostObjectInitOptionsDeviceCapture option. Note that this requires the "com.apple.vm.device-access" restricted entitlement.

My colleague wrote:

Note that this requires the "com.apple.vm.device-access" restricted entitlement.

There are a few things to note about this. First, this is a managed capability; you have to apply to Apple for authority to use it.

Second, this entitlement is only relevant to hypervisor apps that ship in the Mac App Store. Apps that are distributed directly (using Developer ID signing) don’t need this entitlement because they can achieve the same goal by escalating privileges.

Finally, while I can’t comment on other developer’s apps, it’s easy to see which entitlements a macOS app has:

% codesign -d --entitlements - /Applications/Pages.app 
…
[Dict]
	…
    [Key] com.apple.application-identifier
    [Value]
        [String] 74J34U3R6X.com.apple.iWork.Pages
	…

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo , thanks for your help!

Do any of the approaches to escalating privileges work on iPadOS? It struck me that it might be possible to run a virtual machine on an M1 iPad with more USB access than a normal app.

Hypervisor, Virtualization, and IOUSBHost frameworks are macOS only.

Do any of the approaches to escalating privileges work on iPadOS?

No.

It struck me that it might be possible to run a virtual machine on an M1 iPad with more USB access than a normal app.

I can’t imagine how that might work. In general, a guest can’t have more privileges than a host.

Also, as my colleague pointed out, neither of our VM frameworks (Hypervisor and Virtualization) are available on iPadOS.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@BenjaminApple and @eskimo , IOUSBHost seems to be a part of Driver kit (i.e. also exists in iPadOS on an M processor). Is there something I can read that will explain how USB access should work on iPadOS ? I think I also read that the driver kit includes portions of IOKit and this has me further confused as to what should work and what should not work. Thanks for helping me steer through this

DriverKit on iPadOS has significant restrictions. As an app developer you cannot use it to access arbitrary USB devices. A DEXT developer can create a DEXT for their USB device and then access it via the DEXT’s user client from their app. They can also make that user client available to other apps.

The entitlements required to do this are available to all developers for development. To distribute your DEXT you have to request access to the distribution managed capabilities. See Developer > System Extensions and DriverKit for more background on this. Also, Finding a Capability’s Distribution Restrictions.

In short, if you’re hoping to use DriverKit as part of some sort of VM app, that’s unlikely to work for both technical and business reasons.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo , you said above that "The entitlements required to do this are available to all developers for development". I have not been able to figure out how to do that on iPadOS. (I believe that) iPadOS apps need to be signed and provisions provided and entitlements granted. It is possible to develop software for iPadOS that does not require Apple to grant entitlement for a specific USB device (to associate with a DEXT)? Or is there another approach? Or am I not understanding correctly?

Thanks!!!

Gene

Just to clarify, by “all developers” I mean “developers who are members of an Individual or Organization team”. This stuff won’t work for a Personal Team. I’m not sure what the story is for an Enterprise team, or other cases, like Managed Apple IDs.

With that proviso, DriverKit entitlements are managed by the Capabilities tab in Certificates, Identifies & Profiles > Identifiers. There are a lot of DriverKit capabilities there. If you apply the technique from Finding a Capability’s Distribution Restrictions you’ll see that they’re all assigned:

• A Platform Support value of iOS and macOS [1]

• A Distribution Support value of Development

If you are granted authorisation to use these in production, you’ll see similar DriverKit entries show up in the Additional Capabilities tab. These have additional Distribution Support values, most notably App Store and Developer ID.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] iOS is standing in for iPadOS here. DriverKit is not available on iOS proper.

Thank you again!

Is it possible with the new macOS Sequoia Beta 2 Host to have a macOS VM (Sonoma or Sequoia) guest VM getting USB passthrough from the host? I am looking for very basic USB2 device passthrough, thanks

I’ll respond on the other thread where you asked this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The way to capture USB devices is on macOS is with IOUSBHostDevice passing the IOUSBHostObjectInitOptionsDeviceCapture option. Note that this requires the "com.apple.vm.device-access" restricted entitlement.

How can we use this with macOS Virutlaization framework to get usb passtrhough done in macOS.

Note that this requires the com.apple.vm.device-access managed capability.

Yes. Or that you escalate privileges to root.

How can we use this with macOS Virutlaization framework to get usb passtrhough done in macOS.

Not really.

The issue here isn’t on the USB side, it’s on the Virtualization framework side. There’s no way to present an arbitrary USB device attachment to the VM.

You can do this with Hypervisor framework, but that’s operating at a much lower level.

Normally I’d recommend that you file an enhancement request for this feature, but in this case that’s not necessary. It’s a much request feature for Virtualization framework |-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"