InternetAccessPolicy.plist), but also in JSON format (InternetAccessPolicy.json). They both have the same logical structure and you can use whichever one you prefer. All information on this page is valid for both formats, even if they only mention one.

socket up to high-level APIs like NSURLSession. These kinds of connections can be documented in the Internet Access Policy using an entry in the Connections array, as shown above.

Services array that documents the fact that your app uses MapKit and Little Snitch can show this fact to the user.

NSURLSession.

ApplicationDescription, Purpose and DenyConsequences, enter unique keys. Translate these keys to human readable text in localized InternetAccessPolicy.strings files:

.app/Contents/Resources/InternetAccessPolicy.plist
.app/Contents/Resources/language.lproj/InternetAccessPolicy.strings

Key | Type | Description
---|---|---
DeveloperName | String, optional | The human readable name of your company. Presented to the user as the source of the information.
ApplicationDescription | String, required | A general description of the app.
Website | String, optional | A URL pointing to the website of the app, including the URL scheme, e.g. “https://obdev.at/littlesnitch”.
Connections | Array, optional | An array of connection description dictionaries with the keys defined below.
IsIncoming | Boolean, optional | Whether incoming (YES) or outgoing (NO) connections are matched. If omitted, matches outgoing connections.
Host | String, required | A comma-separated list of host or domain names, IP address ranges or a placeholder like local-net. See Which connection descriptions are shown for details.
NetworkProtocol | String, optional | Can be one of TCP, UDP or ICMP. If omitted, matches any protocol.
Port | String, optional | A comma-separated list of port ranges, e.g. 20-30, 80, 443. Defaults to 0-65535.
Relevance | String, optional | Indicates how important the connection is for the proper functioning of the application. Values can be Essential or Default. Defaults to Default. Use Essential only if your app is useless without this connection. You can still describe DenyConsequences if you choose default relevance.
Purpose | String, required | Describes the purpose of the connection. This text is shown to the user as-is, so use easy to understand sentences. Markdown-style links are supported.
DenyConsequences | String, optional | Describes the consequences of denying the connection. Markdown-style links are supported.
Services | Array, optional | An array of service description dictionaries with the keys defined below.
Identifier | String, optional | A unique identifier for the service. See Service identifiers below.
Name | String, required | A short, human-readable name for the service, e.g. “MapKit”.
Purpose | String, required | Describes the purpose of the service in context of the application. This text is shown to the user as-is, so use easy to understand sentences. Markdown-style links are supported.
Localizations | Dictionary, optional | For apps with embedded Info.plist, localization strings are placed here. See section Single executable applications above.
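
A lint pass over the keys in the table above, as an added example (not Objective Development's code, and not how Little Snitch itself parses the file). The required/optional flags, types and allowed values are taken from the table; the function names, error strings and the sample policy are constructed for illustration.

```python
import plistlib

# key -> (type, required), taken from the key table above
TOP = {"DeveloperName": (str, False), "ApplicationDescription": (str, True),
       "Website": (str, False), "Connections": (list, False),
       "Services": (list, False), "Localizations": (dict, False)}
CONNECTION = {"IsIncoming": (bool, False), "Host": (str, True), "Port": (str, False),
              "NetworkProtocol": (str, False), "Relevance": (str, False),
              "Purpose": (str, True), "DenyConsequences": (str, False)}
SERVICE = {"Identifier": (str, False), "Name": (str, True), "Purpose": (str, True)}
ALLOWED = {"NetworkProtocol": {"TCP", "UDP", "ICMP"}, "Relevance": {"Essential", "Default"}}

def port_ok(spec):
    """Accept a comma-separated list of ports or ranges within 0-65535."""
    ranges = [[b.strip() for b in part.split("-")] for part in spec.split(",")]
    return all(len(r) <= 2 and all(b.isdecimal() for b in r)
               and int(r[0]) <= int(r[-1]) <= 65535 for r in ranges)

def check(entry, schema, where):
    """Return the problems found in one dictionary of the policy."""
    if not isinstance(entry, dict):
        return [f"{where}: not a dictionary"]
    errs = []
    for key, (typ, required) in schema.items():
        if key not in entry:
            if required:
                errs.append(f"{where}: missing required key {key}")
        elif not isinstance(entry[key], typ):
            errs.append(f"{where}.{key}: expected {typ.__name__}")
        elif key in ALLOWED and entry[key] not in ALLOWED[key]:
            errs.append(f"{where}.{key}: invalid value {entry[key]!r}")
        elif key == "Port" and not port_ok(entry[key]):
            errs.append(f"{where}.{key}: invalid port list {entry[key]!r}")
    return errs

def validate_iap(data):
    """Parse InternetAccessPolicy.plist bytes and return a list of problems."""
    policy = plistlib.loads(data)
    errs = check(policy, TOP, "policy")
    for name, schema in (("Connections", CONNECTION), ("Services", SERVICE)):
        items = policy.get(name) if isinstance(policy, dict) else None
        for i, item in enumerate(items if isinstance(items, list) else []):
            errs += check(item, schema, f"{name}[{i}]")
    return errs

# Constructed sample: a required key is missing and two values are out of range.
SAMPLE = plistlib.dumps({"Connections": [
    {"Host": "sw-update.example.com", "NetworkProtocol": "HTTPS",
     "Port": "443, 70000", "Purpose": "The app checks for software updates."}]})
```

Calling validate_iap(SAMPLE) reports the missing ApplicationDescription, the unsupported NetworkProtocol value and the out-of-range port.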

Identifier for a service as opposed to only the Name and Purpose, Little Snitch can understand what service you mean and give that entry special treatment. This is not implemented as of Little Snitch 4.4, but it is recommended that you add identifiers wherever possible so future versions of Little Snitch can – for example – add an appropriate icon for the service in the user interface when showing your app’s IAP.

/System/Library/Frameworks/MapKit.framework. The bundle identifier in this framework’s Info.plist is com.apple.MapKit.

com.apple.CoreLocation (/System/Library/Frameworks/CoreLocation.framework)
com.apple.GameKit (/System/Library/Frameworks/GameKit.framework)
com.apple.aps (/System/Library/PrivateFrameworks/ApplePushService.framework)
com.apple.StoreKit (/System/Library/Frameworks/StoreKit.framework)

com.getdropbox.dropbox.

ApplicationDescription followed by the Purpose and DenyConsequences for all relevant connection descriptions (see below for an explanation of Which connection descriptions are shown).

DenyConsequences are shown. This provides a means of last resort to inform your users that they are about to adversely affect your app’s functionality.

DenyConsequences. Note that what is shown here depends on the options the user has selected in the connection alert. For example, if they are about to deny “Any Connection”, more DenyConsequences may be shown than if they only deny connections to the specific domain.

DenyConsequences. Note that what is shown here depends on what line the user clicked on. For example, if they clicked on the line next to an app’s name to deny any connection, more DenyConsequences may be shown than if they only deny connections of that app to a specific domain.

DenyConsequences in various places when the user is about to create a rule that denies connections, e.g. using the rule editor or when creating rules from suggestions.

Host field of a connection description is a comma-separated list of host names, domain names, or other values as described below. The basic format and meaning is as follows:

Host: sw-update.example.com

Host: *.example.com

10.0.0.1), a comma-separated list of addresses, a range of addresses (e.g. 10.0.0.1-10.0.0.255), or CIDR notation (10.0.0.1/24).

local-net to match any IPv4 or IPv6 address that is considered to be in the local network (like 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or fd00::/8).

bpf to match any access to Berkeley Packet Filter devices (/dev/bpf*).

Host values. For example, you could have a description for Host: sw-update.example.com (one specific host) and another, more general one for Host: *.example.com (the whole domain). Because the specific host is in the domain, both descriptions match when looking up information for sw-update.obdev.at.

Host: www.example.com and Host: sw-update.example.com that do not overlap, but when the user creates a rule for the domain example.com, both descriptions are relevant.

Purpose fields are overly terse for illustration purposes):

Host: sw-update.example.com
Purpose: The app checks for software updates.

Host: *.example.com
Purpose: The app checks for software updates and loads the latest news.

sw-update.example.com, only Connection Description 1 will be shown (because it’s an exact match).

example.com, both Connection Description 1 and Connection Description 2 will be shown (because sw-update.example.com is in that domain).

Purpose texts overlap in what they say. There’s no value in telling the user twice that the app checks for software updates.

Host description that is an exact match for domains and “any connection”:

Host: =*.example.com

Host: =*

Host: sw-update.example.com
Purpose: The app checks for software updates.

Host: =*.example.com
Purpose: The app checks for software updates and loads the latest news.

Host: =*
Purpose: The app checks for software updates and loads the latest news. Also, it connects to the third-party servers you enter.

sw-update.example.com only Connection Description 1 will be shown (because it’s an exact match).

example.com only Connection Description 2 will be shown (because it’s an exact match).

Host is an exact match, only that single connection description’s Purpose and DenyConsequences will be shown. Otherwise, multiple matching descriptions may be shown.

Host: *

Host: *
Purpose: The app connects to the third-party servers you enter.

www.apple.com. Without this description, no information from your app’s IAP would be shown for that connection.

Host: sw-update.example.com
Host: =*.example.com
Host: =*
Host: *.example.com
Host: *

.app/Contents/Resources/InternetAccessPolicy.plist
.app/Contents/XPCServices/Contents/Resources/InternetAccessPolicy.plist

%APPNAME% in localized strings of a nested IAP to refer to the enclosing app’s name. It will be substituted with the app name before being shown to the user.

ApplicationDescription is required for nested IAPs, too, but Little Snitch currently does not show it to the user.

Info.plist file embedded in the executable file. Since the Internet Access Policy is basically a property list, it can be added to the embedded Info.plist. Just create an Internet Access Policy as described above, but instead of storing it in a separate file, add it to Info.plist under the top level key InternetAccessPolicy.

Info.plist files, and that is analogous to the strings-file method explained above. Localizations are added at the key path InternetAccessPolicy.Localizations.<language> where <language> is the language name used for .lproj directories (e.g. en for English).

Key | Type | Value
---|---|---
▾ Root | Dictionary | (14 items)
▾ InternetAccessPolicy | Dictionary | (3 items)
ApplicationDescription | String | StringsKey1
▸ Connections | Array | (2 items)
▸ Services | Array | (2 items)
▾ Localizations | Dictionary | (2 items)
▾ en | Dictionary | (2 items)
StringsKey1 | String | EditHelper is part of myCompany’s text editing suite. It provides dictionary and spell checking services to other components.
StringsKey2 | String | EditHelper updates its dictionary from this server.
… | |

Info.plist file is included in a mach object section in the __TEXT segment named __info_plist. It can be added using the -sectcreate __TEXT __info_plist linker option. Fortunately, you don’t need to do this manually. Xcode can do it for you.

Info.plist. There are two settings which are relevant for us:

Info.plist file here.

Yes.

DenyConsequences should always begin with “If you deny these connections” (or the respective phrase in another language). Note: Earlier versions of this document recommended the use of singular wording (“this connection”), but it turned out that it works better in user interfaces in plural wording.

InternetAccessPolicy.plist file and instead logs a message to the system log (see Console.app and filter for Little Snitch). While you are writing and testing the Internet Access Policy for your app, it is easiest to run it from Xcode using a scheme that has proper code signing set up.

InternetAccessPolicy.plist file used.

InternetAccessPolicy.strings localization file, if used.

DeveloperName key at the top level of the InternetAccessPolicy.plist. This is the preferred way to specify the source for the IAP. If you do not specify this value, Little Snitch reads your company’s name from the certificate that was used to sign the app. This works only for Developer ID and Development certificates, though. If your app is downloaded from the Mac App Store, you must specify the DeveloperName.