I’m currently working on a consulting job for a Mac OS X app. Since this app is distributed on the Mac App Store, it needs to adhere to the App Sandboxing requirement.
One of the enhancements on the to-do list is a feature where system administrators can lock down the editing portions of the app, leaving normal users with only the ability to execute existing presets. OS X provides a long-established way to do this in
SFAuthorizationView, an interface component that has existed since OS X 10.3, and which you can see used in many system preference panes. Unfortunately, the limited coverage of App Sandboxing entitlements gets in the way of using it in this app:
It’s at least somewhat understandable based on Apple’s policies to prevent obtaining a system-level authorization with this API, but it’s ridiculous that it’s also preventing using an app-level authorization. It prevents an entire usage pattern for no apparent gain.