Sandkorn

See what your apps can do

See which apps are sandboxed and their entitlements

Sandkorn is a new and easy to use utility that shows you which of your macOS apps that are sandboxed. It also shows you what entitlements those apps have.

A sandbox is an access control technology for macOS, see here for more info.

Many apps are restricted in a sandbox - all new Mac App Store apps are - but it is hard to know what those restrictions are for each app. And it is even harder to get an overview of all your apps. But Sandkorn helps you with that.

By using Sandkorn you can now in a simple way see what apps have no restrictions at all or, for instance, are limited to accessing your contacts or some particular folder.

Download

Download from Mac App Store →

Screenshots

Sandkorn screenshot 1 Sandkorn screenshot 2 Sandkorn screenshot 3 Sandkorn screenshot 4

Some features

How it works

Sandkorn checks for apps and executables within each folder in the Folders sidebar, by default it includes the Applications and Utilities folders. It doesn’t check subfolders, so you have to add each subfolder that you want to be included by using the plus sign at the bottom or Add Folder in the File menu.

For each app that it finds, Sandkorn tries to find any other executables within that app bundle, for instance plugins and XPC services. And then it looks for all entitlements that those use.

View modes
In Sandkorn you can see the information either by listing the apps or by a list of each entitlement used by your apps. In that way you can both check a specific app if you are curious about that and also check a specific entitlement if, for instance, you want to see what apps can use the camera.
Overview of usage

You get an easy overview of the usage with the help of checkboxes and the color of the name.

Each app in the list has a checkbox next to it. In Application mode the checkbox shows if an app is sandboxed or not and in Entitlement mode it shows if the app has the entitlement or not. Gray text means that it is not sandboxed or does not have the entitlement.

Please note that an app can be shown in the sandboxed list and under an entitlement but have the checkbox turned off and have gray name. That happens when the app has an executable within it that is sandboxed or has that entitlement.

Show
You can use the Show menu above the list to only see apps that are sandboxed or not and also only those within one folder. In the Entitlement mode you can choose to see only one group of entitlements.
Filter
Above the list you can use the Filter feature to only show the app or an entitlement with a particular. Please note that it can show apps that does not have a name included in the filter string if an executable within that app has a name that matches the filter.
Entitlement names
Sandkorn tries to display more helpful and shorter names for some of the entitlements, for instance “Network - Incoming” rather than “com.apple.security.network.server”. If you want to see the actual key name you can use the tooltip for each entitlement or change to show raw keys in the View menu.
Entitlement groups
Sandkorn groups the entitlements in different groups as best as it can according to the documentation and from its keys.
Selecting an app

When you select an app in the list Sandkorn shows the entitlement details on right hand side. And at the bottom you can select an entitlement group and look at all the values (if the text value is large you can use the “Complete Text” button to see the whole value).

If you are in Entitlement mode it tries to select the corresponding value of the entitlement at the bottom if the entitlement is not in the General group.

Reveal in Finder
If you want to see the app in Finder you can use Reveal in Finder in the File menu or the follow link button at the top right corner.
Raw
If you want to you can look at the raw values of the entitlement plist by using the Raw button at the top right corner.

FAQ
The name?
“Sandkorn” means grains of sand in Swedish.
Can I change the entitlements?
Unfortunately no. It is not technically possible to correctly change the entitlements without the original certificate from the developer, so only the app’s developer can change the entitlements.
Does it notice changes that occurs on my disk?
Sandkorn should notice any changes within the folders specified that it should check. But if you want to manually refresh it you can use Refresh in the File menu and Sandkorn then also clears the cache to make sure that all values are updated.
What does it see within an app bundle?
A normal app consists of many files and folders and Sandkorn checks it to see if it can find any more executables that have entitlements. For performance reasons it only checks a limited amount of subfolders and these are at the moment:
  • Contents/Helpers
  • Contents/PlugIns
  • Contents/XPCServices
  • Contents/Library/Automator
  • Contents/Library/LaunchServices
  • Contents/Library/LoginItems
  • Contents/Library/QuickLook
  • Contents/Library/Spotlight
Why does it take so long to load the first time?

Unfortunately it can take quite amount of time to extract the entitlements from each app. And this needs to be done hundreds of time for normal macOS installation. So it can take some seconds the first time the app launches.

But it should be much faster for subsequent launches as Sandkorn caches the information and only checks for changed data. If you want to remove that cache you can do it from the File menu.

What are the Other and Apple Private entitlements groups?
If an entitlement key starts with “com.apple.private” it is grouped in Apple Private. All other keys that are not documented or can in any other way be grouped, are in the Other group.
Where can I find more information about the entitlements?
You can find some information about the entitlements that are documented here.