MCP on macOS

Desktop AI tools with real boundaries

Use macOS-native sandboxing to constrain MCP servers on managed machines. Explicit file, process, and network limits — not broad default trust.

Sandbox launch config

```json
{
  "mcpServers": {
    "native-container": {
      "command": "/usr/bin/sandbox-exec",
      "args": [
        "-f", "/Users/yourname/.mcp/config/mcp.sb",
        "/usr/local/bin/node", "/Users/yourname/.mcp/server/server.js"
      ]
    }
  }
}
```

The MCP client spawns the command directly, without a shell, so `~` is not expanded in `args`; use absolute paths. The interpreter path must also be the same literal the profile grants `process-exec` for, otherwise the launch fails under deny-by-default.
Why it matters

Local agents need boundaries too

Real sandbox, no Docker

macOS sandbox-exec constrains file, network, and process access.

Explicit permissions

Declare paths and endpoints the MCP server can reach. Everything else is denied.

Pairs with the control plane

Local tool isolation plus cloud-side policy enforcement.

Architecture

How the sandbox wraps MCP execution

Execution flow

Security posture

Deny by default

The sandbox profile starts from deny-all and adds explicit grants. Cloud execution needs IAM and VPC controls. Desktop execution needs filesystem and process controls. Same discipline.

Filesystem

Scoped to declared project paths.

Network

Outbound constrained or blocked for local tools.

Lifecycle

Supervisor-managed launch and logging.

```scheme
; Minimal profile: deny everything, then grant only what is declared.
; sandbox-exec is marked deprecated in Apple's man page but still ships;
; re-test the profile on each macOS release.
(version 1)
(deny default)
(allow file-read* (subpath "/Users/yourname/projects"))
; The interpreter must be readable and executable; the path must match
; the absolute path used in the launch config.
(allow file-read* (literal "/usr/local/bin/node"))
(allow process-exec (literal "/usr/local/bin/node"))
; A working Node launch also needs read access to the runtime's system
; libraries and a few mach services; that list is omitted here.
```
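The two fragments above only work together if the paths in the launch config agree with the grants in the profile. The following added example (not code from the page or from the product it describes) renders a deny-by-default profile from a list of declared project paths and an interpreter path, then lints an MCP launch config against that profile: it flags tilde-relative arguments, a command that is not `sandbox-exec`, an interpreter resolved via `PATH`, an interpreter the profile does not allow to exec, and script arguments that fall outside the readable paths. The user name, project directory and server location are constructed placeholders; the `-f`, `-n`, `-p` and `-D` options are the value-taking options of `sandbox-exec`.

```python
"""Render a sandbox-exec profile and lint an MCP launch config against it.

Added example; the paths below are constructed placeholders.
"""
import json
import re

SANDBOX_EXEC = "/usr/bin/sandbox-exec"
# sandbox-exec options that consume the following argument.
_OPTS_WITH_VALUE = {"-f", "-n", "-p", "-D"}


def render_profile(project_paths, node_bin, allow_network=False):
    """Build a deny-by-default profile that grants only the declared paths."""
    lines = ["(version 1)", "(deny default)"]
    for p in project_paths:
        if not p.startswith("/"):
            raise ValueError(f"project path must be absolute: {p}")
        lines.append(f'(allow file-read* (subpath "{p}"))')
    # The interpreter must be readable and executable inside the sandbox.
    lines.append(f'(allow file-read* (literal "{node_bin}"))')
    lines.append(f'(allow process-exec (literal "{node_bin}"))')
    if not allow_network:
        # Redundant under (deny default), but explicit so that a later
        # broad network grant stands out in review.
        lines.append("(deny network*)")
    return "\n".join(lines) + "\n"


def _split_args(args):
    """Return (profile_path, argv) from sandbox-exec's argument list."""
    profile = None
    i = 0
    while i < len(args) and args[i] in _OPTS_WITH_VALUE:
        if args[i] == "-f" and i + 1 < len(args):
            profile = args[i + 1]
        i += 2
    return profile, args[i:]


def _readable(path, profile_text):
    """True if the profile grants file-read* on this absolute path."""
    subpaths = re.findall(r'\(allow file-read\* \(subpath "([^"]+)"\)\)', profile_text)
    literals = re.findall(r'\(allow file-read\* \(literal "([^"]+)"\)\)', profile_text)
    return path in literals or any(
        path == s or path.startswith(s.rstrip("/") + "/") for s in subpaths
    )


def lint_launch_config(config, profile_text):
    """Return a list of findings; an empty list means config and profile agree."""
    allowed_exec = set(
        re.findall(r'\(allow process-exec \(literal "([^"]+)"\)\)', profile_text)
    )
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        args = server.get("args", [])
        if server.get("command") != SANDBOX_EXEC:
            findings.append(f"{name}: command is not {SANDBOX_EXEC}; runs unsandboxed")
            continue
        for a in args:
            if a.startswith("~"):
                findings.append(f"{name}: '{a}' uses ~, not expanded (no shell)")
        profile, argv = _split_args(args)
        if profile is None:
            findings.append(f"{name}: no -f profile given")
        if not argv:
            findings.append(f"{name}: nothing to run under the sandbox")
            continue
        binary = argv[0]
        if not binary.startswith("/"):
            findings.append(f"{name}: '{binary}' resolved via PATH; use absolute path")
        elif binary not in allowed_exec:
            findings.append(f"{name}: profile does not allow process-exec of '{binary}'")
        for extra in argv[1:]:
            if extra.startswith("/") and not _readable(extra, profile_text):
                findings.append(f"{name}: '{extra}' is outside the readable paths")
    return findings


# Constructed sample data.
PROFILE = render_profile(["/Users/yourname/projects"], "/usr/local/bin/node")

PAGE_STYLE_CONFIG = {"mcpServers": {"native-container": {
    "command": SANDBOX_EXEC,
    "args": ["-f", "~/.mcp/config/mcp.sb", "node", "~/.mcp/server/server.js"],
}}}

FIXED_CONFIG = {"mcpServers": {"native-container": {
    "command": SANDBOX_EXEC,
    "args": ["-f", "/Users/yourname/.mcp/config/mcp.sb",
             "/usr/local/bin/node",
             "/Users/yourname/projects/mcp-server/server.js"],
}}}

if __name__ == "__main__":
    print(PROFILE)
    for label, cfg in (("page-style", PAGE_STYLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, json.dumps(lint_launch_config(cfg, PROFILE), indent=2))
```

The tilde-based config produces three findings (two unexpanded `~` paths and an interpreter resolved via `PATH`); the corrected config produces none because its interpreter matches the profile's `process-exec` literal and its script lives under the declared project path.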

Same discipline as cloud. Applied locally.

Clear permissions, predictable lifecycle, observable execution — for the AI tools that run on your developers' machines.