What is rapportd and why does it want incoming network connections?
I've just updated to the latest MacOS 10.13.2 and after restarting, my machine asked me to allow incoming network connections for "rapportd".
After blocking it and checking in the firewall config, I can see that this is an executable in /usr/libexec/rapportd which was created on my machine on the 1st of December.
That's a day after I installed the security update 2017-001 (for the second time; autoupdate didn't seem to notice that I'd manually updated it), and I haven't installed or updated any other software recently / around that time. Google Chrome updates whenever it feels like it, so this could be related to a Chrome update (no idea when it last updated).
The internet suggests this is related to some banking protection program but that doesn't seem to fit here, and from a vague text-edit inspection of the binary I can see that it references /System/Library/PrivateFrameworks/Rapport.framework/Versions/A/Rapport (a framework created on my machine back in July and updated in October) which makes me think this is likely to be a new 1st-party OS daemon.
What does rapportd do?
Solution 1:
EDIT: It looks like the man page has been updated and now reads:
Daemon that enables Phone Call Handoff and other communication features between Apple devices.
I just had the same experience. The man page states that it is a:
Daemon providing support for the Rapport connectivity framework.
Checking the code signature with codesign -dv --verbose=4 /usr/libexec/rapportd shows it is signed by Apple and in a SIP-protected location (unless you turned off SIP), this appears to be legitimate Apple software. The man page implies it's related to communication, though I've yet to find any real documentation on it.
(Thanks to John Keates for the code-signature tip.)
Solution 2:
In addition to what already has been posted, /usr/libexec/rapportd is code signed by Apple and linked against a PrivateFramework (which Apple doesn't allow for others and therefore doesn't sign for others), and in a SIP-protected location. Unless you turn off SIP, this is simply part of the OS, put there by Apple.
You can check this on the commandline:
codesign -vvvv -R="anchor apple" /usr/libexec/rapportd
This should report something like:
/usr/libexec/rapportd: valid on disk
/usr/libexec/rapportd: satisfies its Designated Requirement
/usr/libexec/rapportd: explicit requirement satisfied
To show what libraries are linked to:
otool -L /usr/libexec/rapportd
Which will show something like:
/usr/libexec/rapportd:
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1450.14.0)
/System/Library/PrivateFrameworks/CoreUtils.framework/Versions/A/CoreUtils (compatibility version 1.0.0, current version 1.0.0)
/System/Library/PrivateFrameworks/Rapport.framework/Versions/A/Rapport (compatibility version 0.0.0, current version 0.0.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1450.14.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)
Solution 3:
I believe it is used for iTunes Home Sharing and the Remote app to control iTunes.
I found this out because Little Snitch was blocking it and I couldn't work out why the iTunes remote stuff wasn't working because I accidentally closed the dialog :)
Once I allowed it my phone could then see iTunes on my laptop as well as discover the iTunes Home Sharing.