Hi all,
Question: Can Apple confirm that, on macOS 15 without MDM/supervision, there is no supported API, entitlement, auth right, or config file that can enable a Safari App Extension without some form of user interaction?
Environment
• OS / Safari: macOS 15.0.1 (Sequoia), Safari 18.x
• Distribution: Signed, notarized, stapled PKG installs a host app that contains a Safari App Extension
• Management: No MDM allowed (and thus no supervision)
• Goal: Have the extension come up enabled immediately after install, without requiring the user to click the checkbox in Safari Settings ▸ Extensions
What we already know / tried
-
Normal install flow – After PKG install, the extension shows up disabled. User must check the box to enable.
-
SFSafariApplication.showPreferencesForExtension(...) – We can deep‑link the user to our row, but they still need to click “Enable.”
-
Accessibility/UI scripting – We can script the click if the user grants our helper Accessibility permission. That still involves user interaction.
-
.mobileconfig with Safari Extensions Management (AlwaysOn) – From what I can tell, this requires a supervised device enrolled in MDM. Installing that profile manually on an unsupervised Mac does not enforce the “AlwaysOn” state.
-
Auth rights / Developer mode – Looked at auth.db rights like com.apple.Safari.allow-unsigned-app-extensions, and the Develop menu “Allow Unsigned Extensions.” Neither appears to auto‑enable a signed extension, and we don’t want to use private/unsupported APIs anyway.
Thanks in advance for any clarification.