This framework is based on Apple's BetterAuthorizationSample and is very complicated, even with this code to guide you.  You don't want to do this unless it is absolutely necessary.  

Are you sandboxed?  In turn, BetterAuthorizationSample uses the Authorization Services framework, in whose documentation it is now stated that the authorization services API is not supported within an app sandbox because it allows privilege escalation.

Are you still supporting Mac OS X 10.5?   For applications requiring Mac OS X 10.6 or later, you should use the Services Management framework, function SMJobBless(), should be used instead of AuthorizedTasksInCocoa.

If your app requires 10.6+, read this overview which has a solution for Mac OS 10.7, using XPC., and then our updated implementation, CocoaPrivilegedTasks.

If you need to work in Mac OS 10.6, try this sample project.


If an application needs to perform an task for which its user does not have sufficient privileges and needs authorization, I call this task is called a "Authorized Task".  (BookMacster uses this code for one task, which is to allow non-admin users to write their License Information to the "anyUser" /System/Preferences.)  Apple's developer documentation has a lot to say about how applications should perform authorized tasks while maintaining system security.  Prior to late 2007, the recommended example of how to implement these recommendations was provided in Apple's MoreAuthSample sample code.  

MoreAuthSample was replaced by BetterAuthorizationSample [1] in late 2007.  I was hoping that it would be easier to incorporate into a project than MoreAuthSample.  But I still found a steep learning curve, partly due to the partitioning that must be done to maintain security up to Apple's high standards, but largely due to idioms in the top-layer demo app which are "un-Cocoa-like".  I started keeping a list of things I didn't like, but after a dozen items, with still alot to learn, I decided to improve upon it instead of publishing a rant.  This project is the result.

I only touched the Demo App and the Helper Tool, which you have touch anyhow.  This project uses the three "Reuseable Library" files from Apple's BetterAuthorizationSample without any modifications, so that if Apple updates these files you can just plug in the new versions.  There are a few things in the Reuseable Library that I'd like to change too, but so far I've resisted that temptation.  The Helper Tool has been partitioned into files systematically so that you can build your own Helper Tool Target to do just the tasks you need by including required files, instead of hacking the demo.  Also, the re-useable code in the demo app has been partitioned off into a framework that you simply add to your application.   (As usual, to add a framework, you add to linked files, add dependency, add to Copy Files.)

AuthorizedTasksInCocoa does all the same things as the demo app in BetterAuthorizationSample, with one exception.  It does not present an NSAlert panel before installing the "BAS" helper tool.  I don't think there is any need for that, because there is no reason why the user would not want it installed, other than the fact that they don't know what "BAS" means and get mad at your app for asking the question.  So I omitted this code from the framework.  The installer gets installed silently when needed.  Note also that MoreAuthSample installed its helper tool silently too.


Like BetterAuthorizationSample, projects incorporating AuthorizedTasksInCocoa must be run in Mac OS 10.4.6 or later.


Visit this project's GitHub Repository to download, fetch, or clone this code.


[1] Apple's BetterAuthorizationSample.  "The real source."

[2] Apple's QA1277, which explains some tricks you might see in dealing with security credentials.

[3] Apple's Authorization Services Programming Guide.