How to Request com.apple.vm.* Entitlements?

Some APIs seem to require entitlements for any use (sandboxed or not) but don't have any indication where we might sign up. The particular usage here is com.apple.vm.networking for vmnet, as it looks like we can't even get started in development without it.
Answered by DTS Engineer in 625198022

A small correction if others read this later, the entitlement is to run without root, not in every case.

Accepted Answer

A small correction

Indeed. I encourage you to prototype your product using that feature.

As far as getting the VM entitlements is concerned, there have been very few requests for them so we haven’t set up a formal process. Rather, just open a DTS tech support incident and we’ll take things from there.

Note This isn’t an actual tech support incident. Opening a TSI requires a TSI asset but we’ll credit it back to you once we route your request.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Is the process to gain the com.apple.vm.networking entitlement outlined above still the process … ?

Yes.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Indeed. I encourage you to prototype your product using that feature.

VZVirtualMachineConfiguration.validate will fail without the com.apple.vm.networking entitlement when attempting to set up a VZBridgedNetworkDeviceAttachment for a guest OS, even when running as root. It does not seem possible to prototype without the entitlement.

It does not seem possible to prototype without the entitlement.

Yes and no.

This breaks down by entitlement. Let’s start with com.apple.vm.networking. It applies in two cases:

  • vmnet framework

  • Virtualization framework’s bridged networking support

The former is amenable to the prototype-as-root approach. The latter is not. I strongly recommend against trying to use Virtualization framework from a root context, and your experience suggests it doesn’t help anyway.

Note The original post on this thread specifically mentioned vmnet, and hence my comment.

With regard to com.apple.vm.hypervisor, that’s largely irrelevant these days.

For com.apple.vm.device-access, it doesn’t apply to Virtualization framework and thus the prototype-as-root approach works there too.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

So is it possible to prototype with bridged networking with the Virtualization framework at all? Or is the entitlement required? Even code signing with the entitlement locally just immediately results in a killed process, root or otherwise.

It doesn't seem possible to even request the entitlement without paying to enroll in the developer program, sometimes you just want to test if something is possible locally....

So is it possible to prototype with bridged networking with the Virtualization framework at all?

No [1].

Even code signing with the entitlement locally just immediately results in a killed process, root or otherwise.

Correct. This is a restricted entitlement, which means it must be authorised by a provisioning profile. See TN3125 Inside Code Signing: Provisioning Profiles.

It doesn't seem possible to even request the entitlement without paying to enroll in the developer program

Correct.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, if you disable SIP you can then disable all entitlement checking on your Mac. See here.

There are three significant problems with that approach:

  • Disabling SIP is dangerous. See the IMPORTANT callout in the above-mentioned post.

  • Disabling SIP significantly changes the behaviour of your Mac. If you get something working with SIP disabled, you can’t be guaranteed it’ll work with SIP enabled.

  • This, but even more so, once you start messing with boot arguments.

Honestly, if you want to use bridged networking in the context of Virtualization framework, you might as well just apply for the entitlement.
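The answer above says a restricted entitlement such as com.apple.vm.networking is only honoured when a provisioning profile authorises it, and that a locally signed binary claiming it is killed at launch. The following script is an added example, not code from this thread or from Apple: it compares the entitlements a binary claims against the Entitlements dictionary of its (decoded) provisioning profile and reports any restricted com.apple.vm.* key that no profile authorises, which is the check to run before blaming the Virtualization framework for a dead process. The sample entitlements and profile plists are constructed for the example; that the three com.apple.vm.* keys named in this thread are the complete set of restricted keys to check is an assumption, as is the treatment of an expired profile as authorising nothing. On a Mac the real inputs come from `codesign -d --entitlements :- /path/to/App.app` and `security cms -D -i /path/to/App.app/Contents/embedded.provisionprofile`.

```python
"""Check restricted com.apple.vm.* entitlements against a provisioning profile.

Added example (not from the thread or from Apple). Sample plists are constructed
inline so the script runs offline. On a Mac, obtain the real inputs with:
    codesign -d --entitlements :- /path/to/App.app                          # entitlements
    security cms -D -i /path/to/App.app/Contents/embedded.provisionprofile  # profile
"""
import datetime
import plistlib
from typing import Dict, List, Optional

# Keys treated as restricted here. The thread names these three com.apple.vm.*
# keys; that they are the complete set is an assumption of this example.
RESTRICTED_VM_ENTITLEMENTS = frozenset({
    "com.apple.vm.networking",
    "com.apple.vm.device-access",
    "com.apple.vm.hypervisor",
})

# Constructed sample: entitlements of an app signed locally with the
# bridged-networking entitlement, the situation described in the thread.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.virtualization</key>
    <true/>
    <key>com.apple.vm.networking</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: a decoded provisioning profile whose Entitlements dict
# does NOT grant com.apple.vm.networking (Apple never authorised it).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Example VM App (constructed)</string>
    <key>ExpirationDate</key>
    <date>2099-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.security.virtualization</key>
        <true/>
    </dict>
</dict>
</plist>
"""


def _profile_with_grant(profile_bytes: bytes, key: str) -> bytes:
    """Derive a variant of a profile that additionally grants `key` (for the demo)."""
    prof = plistlib.loads(profile_bytes)
    prof.setdefault("Entitlements", {})[key] = True
    return plistlib.dumps(prof)


# Constructed sample: the same profile after the entitlement has been authorised.
SAMPLE_PROFILE_AUTHORISED = _profile_with_grant(SAMPLE_PROFILE, "com.apple.vm.networking")


def claimed_restricted(entitlements: Dict, restricted=RESTRICTED_VM_ENTITLEMENTS) -> List[str]:
    """Restricted keys the binary asserts. A key present but set to <false/> is not a claim."""
    return sorted(k for k in restricted if entitlements.get(k) is True)


def profile_expired(profile: Dict, now: Optional[datetime.datetime] = None) -> bool:
    """plistlib returns naive UTC datetimes for <date>, so compare in naive UTC."""
    exp = profile.get("ExpirationDate")
    if exp is None:
        return False
    now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return exp <= now


def unauthorised(entitlements: Dict, profile: Optional[Dict],
                 restricted=RESTRICTED_VM_ENTITLEMENTS) -> List[str]:
    """Claimed restricted keys that no valid profile grants (assumed: expired profile grants nothing)."""
    claimed = claimed_restricted(entitlements, restricted)
    if profile is None or profile_expired(profile):
        return claimed
    granted = profile.get("Entitlements", {})
    return [k for k in claimed if granted.get(k) is not True]


def check(entitlements_plist: bytes, profile_plist: Optional[bytes]) -> Dict:
    """Parse both plists and summarise what would block the binary from launching."""
    ents = plistlib.loads(entitlements_plist)
    prof = plistlib.loads(profile_plist) if profile_plist is not None else None
    return {
        "claimed": claimed_restricted(ents),
        "unauthorised": unauthorised(ents, prof),
        "profile_present": prof is not None,
        "profile_expired": bool(prof) and profile_expired(prof),
    }


if __name__ == "__main__":
    cases = (("no profile", None),
             ("profile without grant", SAMPLE_PROFILE),
             ("profile with grant", SAMPLE_PROFILE_AUTHORISED))
    for label, prof in cases:
        r = check(SAMPLE_ENTITLEMENTS, prof)
        verdict = "killed at launch" if r["unauthorised"] else "restricted entitlements authorised"
        print(f"{label:22s}: claimed={r['claimed']} unauthorised={r['unauthorised']} -> {verdict}")
```

The first two cases (no embedded profile, or a profile that lacks the key) both flag com.apple.vm.networking, matching the "killed process, root or otherwise" outcome described above; only the profile that actually grants the key clears it. The check is deliberately strict about `<true/>`: a profile that lists the key with any other value is not treated as a grant.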

Just an update, the accepted answer is no longer the process. I just logged a DTS TSI and got back this "To request this entitlement, contact your Apple representative. For more information please review the following resource: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_vm_networking".
