Elevator Pitch

  • sandbox-exec is a built-in macOS CLI tool that runs apps in a customizable sandbox by explicitly allowing or denying access to files, network, and other resources.

Key Takeaways

  • You run commands with sandbox-exec -f profile.sb command_to_run, where the profile defines permissions using a Scheme-like rule syntax.
  • Profiles generally follow either “deny by default” (most secure) or “allow by default” (easier but less secure) approaches.
  • Debugging is largely log-driven (Console.app or log stream), and the tool has practical limits (deprecation, complex apps, trial-and-error, no GUI, OS update changes).
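The "allow by default" approach from the takeaways above, as an added example that is not taken from the summarized article: a generated profile that denies network access and reads under chosen directories. The function names, file paths and the log filter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): "allow by default" profile that denies all
# network access and all reads under the directories you name.

# write_profile OUT_FILE DIR... : write the profile; fail on unusable paths.
write_profile() {
    out=$1; shift
    printf '%s\n' '(version 1)' '(allow default)' '(deny network*)' > "$out"
    for dir in "$@"; do
        # The sandbox matches resolved paths, so expand symlinks first
        # (for example /tmp is really /private/tmp on macOS).
        real=$(cd "$dir" 2>/dev/null && pwd -P) || {
            echo "no such directory: $dir" >&2; return 1; }
        # A quote or backslash would break out of the profile's string literal.
        case $real in
            *\"*|*\\*) echo "unsafe path: $real" >&2; return 1 ;;
        esac
        printf '(deny file-read* (subpath "%s"))\n' "$real" >> "$out"
    done
}

# run_sandboxed PROFILE COMMAND [ARGS...] : run under sandbox-exec (macOS only).
run_sandboxed() {
    profile=$1; shift
    command -v sandbox-exec >/dev/null 2>&1 || {
        echo "sandbox-exec not found" >&2; return 127; }
    sandbox-exec -f "$profile" "$@"
}

# Typical use on macOS (hypothetical paths, not executed here):
#   write_profile /tmp/untrusted.sb "$HOME/.ssh" "$HOME/.aws"
#   run_sandboxed /tmp/untrusted.sb ./untrusted_script.sh
# Watch denials in another terminal while debugging (one commonly used filter):
#   log stream --style compact --predicate 'sender=="Sandbox"'
```

A "deny by default" profile would start from (deny default) instead and needs each required operation allowed explicitly, which is where the log-driven debugging comes in.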

Most Memorable Quotes

  • "sandbox-exec is a built-in macOS command-line utility that enables users to execute applications within a sandboxed environment."
  • "This approach is the most secure approach, ideal for running untrusted code, but requires careful configuration to make applications functional."
  • "Major macOS updates might change how sandbox-exec works or what rules are effective."
