Microsoft Office on Mojave unusable due to sandbox errors

We have 2 Macs running Mojave and on both of them working with MS Office is quite a pain. Seemingly randomly the macOS sandbox decides we cannot access Excel/Word/PowerPoint files. The error shown to end-users is "You do not have permission to save files to this location" and the error as listed in the Console is:

Sandbox: Microsoft PowerP(601) deny(1) file-read-xattr /Volumes/myshare/foo.pptx


In some cases it temporarily works to enable Full Disk Access for the problematic Office application, but in the end the issue will always come back; after a while a completely different file will be uneditable. After a full system reboot it's also possible to edit the exact same file, but again only temporarily.


This occurs for files stored locally as well as those on a network share (AFP). I tried clearing the com.apple.quarantine attributes but that doesn't seem to work reliably either.


I've read a ton of other forums and they mentioned some possible fixes, such as rebuilding font databases and whatnot. None of this works either. The Office applications are fully updated and both Macs are running 10.14.5. I know 10.14.6 is out but the release notes don't indicate anything remotely related to this issue, so I very much doubt it was fixed in that.

Posted on Sep 6, 2019 12:22 AM

4 replies

Sep 9, 2019 3:53 AM in response to John Lockwood

Thanks for the helpful reply, unfortunately most of it doesn't seem to apply.


  1. I never knew this directory was used by Office, I always thought it was something Apple/OS X used itself. The dir does exist though, and has permissions of 777.
  2. The share is actually hosted on a Synology NAS, with its own set of user accounts. Both Mac users log in to the share using the same NAS account. Oddly enough, there are 2 folders.xxx directories under .TemporaryItems but neither matches the UIDs of the local users. There's folders.501 and .504 but one of the local Mac users has UID 503 according to dscl . -list /Users UniqueID. The other Mac's local account has UID 502, which is also missing from .TemporaryItems. At least these 2 don't overlap so that shouldn't be the issue. Perhaps I could/should create the folders.502/503 folders manually using the respective user accounts? Or does Office clean them up when the last file is removed from under it regardless (which I doubt because the 501 and 504 dirs are completely empty themselves)?
  3. I'm painfully aware of Office's major lack of supporting collaboration with the desktop applications, but both users work in very different directories on this network share. There's an almost-nonexistent possibility that they'd edit the same file simultaneously. Other than that, it's quite a hassle to (have to) open files from a NAS in the web-based Office editors. We're using a NAS so all the files are at least centrally available, and not so much because of collaboration.
  4. Won't using SMB cause other problems though? Here's one example, but I don't know if it was fixed in the end: MACOS Mojave-SMB issues - Apple Community


The thing that sticks out the most (to me) is that Office works fine for a little bit when granted Full Disk Access. As far as I know this shouldn't even apply to network shares, only local volumes.

Sep 6, 2019 7:19 AM in response to ICTR

Microsoft Office for years and years has had issues with network shares and Mac clients. There are/have been multiple overlapping issues. The type of problem you are describing is more consistent with using a network share and not local files; your example file path is also consistent with a network share.


  1. Office stores temporary files on the same network share in an invisible folder. Permissions on the network share might prevent the creation of this invisible folder and this will then of course cause problems. This folder is called .TemporaryItems and will be at the root/top of the network share; based on your example it would therefore be at /Volumes/myshare/.TemporaryItems. On the file server you should check this invisible folder exists and has the right permissions of rwxrwxrwx.
  2. Even if the folder exists it will then contain sub-folders, one for each user; these sub-folders will be named with the uidNumber of the respective user. The problem here is that if you are using purely local user accounts on the client Mac these will not match the uidNumber of the file server or directory server. It is even possible if not likely that multiple Mac clients each with different local account names might all have the same uidNumber, as the Mac operating system starts on a single Mac creating them at 501 and increments from there. Therefore two Macs each with one account might end up using the same 501 number. This can result in two users trying to use the same temporary sub-folder. The way to avoid this is to have a directory server, to have each Mac 'bound' to that directory server, and to configure it so that it automatically creates Mobile Accounts on the client Macs. The Mobile Accounts on the client Macs work just like a local account but synchronise their credentials to the directory server and this also ensures each user has a matching uidNumber on the client Mac to what their directory server account is and hence completely solves this particular problem.
  3. When accessing files on a file server programs are supposed to use routines to properly read and write and more importantly to detect and manage the possibility of two or more users/programs accessing the same file at the same time. Microsoft have a very poor reputation over this. This in particular means the Office feature allowing multiple users to work at the same time on the same document - especially Excel causes problems.
  4. It may be that using SMB rather than AFP might be better. Apple have (almost) discontinued support for AFP and for several years have been encouraging people to switch to using SMB instead.


Especially if you want multiple users to work on the same document at the same time then a web-browser based approach is far more reliable. This could be Google Docs with Google Drive, or it could be Office via a web-browser using Office365. See - https://support.office.com/en-us/article/quick-access-to-your-office-files-in-the-browser-dc1024b4-92be-46eb-81a7-aea85368baa0
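
The checks from items 1 and 2 above can be scripted from a Mac with the share mounted. This is an added example, not part of the original reply; the function names are hypothetical, and the folders.<uid> naming and the /Volumes/myshare path are taken from the posts in this thread.

```shell
#!/bin/sh
# Added example: audit <share>/.TemporaryItems as seen from the client.

# Permission string of a path, e.g. drwxrwxrwx. ls is used because stat
# flags differ between macOS and Linux; substr drops a trailing @ or +
# that macOS ls appends for extended attributes or ACLs.
perm_string() {
    ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'
}

# check_temp_items SHARE_ROOT [UID]
# Prints one finding per line. Returns 0 only when the folder exists, is
# rwxrwxrwx and already holds a folders.<UID> sub-folder for that user.
check_temp_items() {
    share=$1
    uid=${2:-$(id -u)}          # default: the user running the script
    tmp="$share/.TemporaryItems"
    rc=0

    if [ ! -d "$tmp" ]; then
        echo "MISSING $tmp"
        return 1
    fi

    perms=$(perm_string "$tmp")
    case $perms in
        drwxrwxrw[xt]) echo "OK perms $perms $tmp" ;;
        *) echo "BAD perms $perms $tmp (expected rwxrwxrwx)"; rc=1 ;;
    esac

    # A missing per-user folder is flagged for follow-up; the thread does
    # not establish that it is the cause of the sandbox denials.
    if [ -d "$tmp/folders.$uid" ]; then
        echo "OK folders.$uid present"
    else
        echo "ABSENT folders.$uid"; rc=1
    fi

    # List every per-uid folder so the same number used from two Macs
    # (both starting at 501) shows up when outputs are compared.
    for d in "$tmp"/folders.*; do
        [ -d "$d" ] && echo "FOUND ${d##*/}"
    done
    return $rc
}

# Usage: sh check.sh /Volumes/myshare 503
if [ $# -gt 0 ]; then check_temp_items "$@"; fi
```

Running it on each Mac with that Mac's local UID, then comparing the FOUND lines, shows whether two machines share one numbered folder or whether a user has none.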
