sandboxd (Sandbox Daemon) is a safe macOS security process. sandboxd enforces the macOS App Sandbox — a security technology that restricts what applications can access. When an app is sandboxed, sandboxd controls its access to files, network, hardware devices, and inter-process communication based on the app's entitlements. All Mac App Store apps must be sandboxed. sandboxd running in the background with minimal resource usage is normal — it only activates when sandbox policy decisions are needed. Be concerned if you see a flood of sandbox denial messages for a specific app, which could indicate the app is trying to access resources beyond its declared capabilities, potentially signaling malicious behavior.
Sandbox Daemon
sandboxd enforces the macOS App Sandbox — a security technology that restricts what applications can access. When an app is sandboxed, sandboxd controls its access to files, network, hardware devices, and inter-process communication based on the app's entitlements. All Mac App Store apps must be sandboxed.
Apps failing to access files or folders they need due to sandbox restrictions
Sandbox violation errors in Console when apps attempt unauthorized operations
Performance overhead from sandbox policy evaluation on file-heavy operations
Apps crashing when denied access to a required resource
If an app can't access files or resources, go to System Settings > Privacy & Security and check the relevant categories (Files & Folders, Full Disk Access, etc.). Grant the app the permissions it needs to function.
Open Console.app and filter for 'sandbox' or 'deny.' These messages show exactly what operation was blocked and which app triggered it, helping you understand what permission the app needs.
Each sandboxed app has a container at ~/Library/Containers/[bundle-id]/. Deleting this folder resets the app's sandboxed data and permissions. The app will recreate it on next launch with fresh defaults. Back up any data in the container first.
If a sandboxed app consistently can't access something it needs, the developer may need to add the correct entitlements to their app. Report the specific sandbox violation message from Console to help them fix the issue.
sandboxd running in the background with minimal resource usage is normal — it only activates when sandbox policy decisions are needed. Be concerned if you see a flood of sandbox denial messages for a specific app, which could indicate the app is trying to access resources beyond its declared capabilities, potentially signaling malicious behavior.
CoreLock audits the sandbox entitlements of all installed applications, identifies apps that request unusually broad permissions, and monitors for sandbox escape attempts — a technique malware uses to break out of the sandbox and gain unrestricted system access.
Download CoreLock Freesyspolicyd implements macOS Gatekeeper — the security feature that verifies applications are from identified developers ...
tccd manages the macOS TCC (Transparency, Consent, and Control) framework — the privacy permission system that controls ...
trustd is the macOS daemon responsible for evaluating certificate trust chains. Whenever your Mac needs to verify an SSL...
sandboxd is the daemon that enforces the macOS App Sandbox security model. The App Sandbox restricts what each application can access — files, network, hardware, and other processes. sandboxd evaluates each access request against the app's declared entitlements and either allows or denies it, protecting your data from compromised applications.
Apps are blocked when they try to access resources not included in their sandbox entitlements. This is usually by design — the app only needs access to specific resources. If an app legitimately needs access, grant it through System Settings > Privacy & Security. If you see unexpected denials, it may indicate the app is trying to do something it shouldn't.
sandboxd is an important security component but is primarily relevant for sandboxed apps (all Mac App Store apps and many others). It significantly limits the damage a compromised app can do by restricting its access to only what it explicitly needs. Disabling it would weaken macOS's security posture.
Download CoreLock to identify suspicious processes, detect threats, and keep your Mac running smoothly.
Download CoreLock FreeAvailable for macOS and Windows