I'm scanning for peripherals, and keep references to multiple CBUUIDs - one for each peripheral. I then start a connection to the peripheral. I never get a callback to say the connection succeeded, failed, or disconnected. I have a Mini-Moreph Bluetooth sniffer. The sniffer shows that the iPhone never tried to connect to any of the peripherals. The iPhone HCI logs show that a create connection request was sent, but a cancel connection request was sent 0.018 seconds later. No feedback was given to my application through CoreBluetooth. I've filed this through Feedback Assistant, but expect nothing will come of the report.

Hi! I was able to successfully persist my debug log entires using the OSLogPreferences key in my Info.plist and retrieve the logs from my iPhone using log collect. This worked to get log messages created when my app executed a background task tonight (2026-01-20 00:20). But log Debug and Default log messages from a normal run yesterday (2026-01-19 15:34) disappeared. I can query for the missing messages in the log archive I created yesterday but they are missing in the log archive I created today covering also yesterday. I had invoked: % sudo log collect --device-name "<my device name>" --last 25h --output /tmp/system_logs.logarchive ... %sudo log show /tmp/system_logs.logarchive --debug --info --predicate 'subsystem=="com.example.MyApp"' Is this expected and/or is there anything I could do to persist the logs for a longer period? For reference, that's what I have added to my Info.plist for the debug build configuration so far: <key>OSLogPreferences</key> <dict> <key>com.example.MyApp</key> <dict> <key>DEFAULT-OPTIONS</key> <dict> <key>Level</key> <dict> <key>Enable</key> <string>Debug</string> <key>Persist</key> <string>Debug</string> </dict> <key>Enable-Private-Data</key> <true/> </dict> </dict> </dict>

We are using a java program as an installer for a software suite. This program is bundled inside a signed and notarized Mac app, but it uses the system installed Java (from env). For installing software, it requires the App Management permission (currently under System Settings › Privacy & Security › App Management). Since the program runs via the system provided Java executable, that one is the executable, that needs said permission. In the past, it was possible to add java to said permissions list. With macOS 26.2 it is no longer possible. I think, this change happened with 26.2. It was definitely still working with macOS 15 (I can reproduce it there), and I am confident, that it also still worked under 26.1. In Console.app I can see errors like this one /AppleInternal/Library/BuildRoots/4~CCKzugBjdyGA3WHu9ip90KmiFMk4I5oJfOTbSBk/Library/Caches/com.apple.xbs/Sources/SecurityPref/Extension/Privacy/TCC+PrivacyServicesProvider.swift:227 add(record:to:) No bundle or no bundle ID found for record TCCRecord(identifier: "/opt/homebrew/Cellar/sdkman-cli/5.19.0/libexec/candidates/java/11.0.29-tem/bin/rmic", identifierType: SecurityPrivacyExtension.TCCIdentifierType.path, access: SecurityPrivacyExtension.TCCAccess.full, managed: false, allowStandardUserToSetSystemService: false, subjectIdentityBundleIdentifier: nil, indirectObjectIdentityBundleIdentifier: nil, indirectObjectIdentityFileProviderIdentifier: nil, tccAuthorization: <OS_tcc_authorization_record: 0xa97d0ba80>) This is reproducible for various different Java installations. I can also not add Java to the other permissions that I tried. Since Java is not installed in a bundled app but instead as a UNIX executable in a bin-folder, the error No bundle or no bundle ID found for record makes sense. I expect this to also affect other use cases where programs are provided as UNIX executables such as Python or C-Compilers like g++. While it is possible to bundle an entire JRE inside each app, we intentionally chose not to as this massively increases app size. If this issue is not resolved or a workaround can be found, this is the only option that remains for us. I am however worried that there are other use cases where this is not an option.

When I have to pull in hundreds of commits from upstream, I like to try to make sure things still compile - frequently, to try to limit how far I need to go to back fix things. One issue is missing symbols in the kext, since you won't know until you try to load the kext. And loading the kext each commit is not realistic. So I went and made up a call to something that does not exist, in my case, strqcmp(). I could not get the various tools like kmutil libraries --all-symbols to print out that this function was going to fail, so I wrote a little script (thanks ChatGPT); ./scripts/kpi_check.py --arch arm64e -k module/os/macos/zfs.kext/ First missing symbols: _crfree _crhold _strqcmp Hurrah. But sadly, my brain was then curious as to why crhold() and crfree() work. Worked for years. Only dtrace calls them in XNU sources but otherwise not mentioned there, not listed in my frameworks, nm is not seeing it. Somewhat of a rabbit hole. I don't even need to know, it does work after all. I should just let it go right? and yet... how does it work? My best guess is a symbols.alias pointing it to kauth_cred_ref() somewhere? Maybe? Anyway, pretty low priority but it's an itch...

Our app attempts to install a PDF workflow in ~/Library/PDF Services but on a clean install of newer macOS versions, that directory no longer exists. Attempting to create the folder requires prompting for user permission to access the ~/Library directory and then prompting the user to access the newly created ~/Library/PDF Services directory. This is annoying and awkward. Creating the PDF Service in the sandbox Library directory does nothing useful since the PDF workflow does not show up in the PDF workflow list in the print dialog. We would like to create both directories in one step, or have the OS create the folder like it used to. Is there an entitlement that will allow our app access to the ~/Library directory without requiring Full Disk Access? Is there a way to have the OS create a symlink in ~/Library for the PDF Services directory that works with macOS 14 and later?

As the title states, I’ve been trying to emulate some older Direct9 games, and rosetta can’t handle it because of that https://github.com/WineAndAqua/rosettax87 I’ve had to use this, but it really seems like something that I shouldn’t have to do I’ve tried Wineskin, wine, D9VK, MoltenVK, GPTk, and the only thing that’s close to working is using devel wine + d9vk with the xrosetta87 running like its a VPN, and then you play Without xrosetta87 it’s 0-0.5 FPS? with it, it’s like a buttery smooth 60+

Is it possible to use the Matter.xcframework without the MatterSupport extension for onboarding a Matter device to our own ecosystem(own OTBR and matter controller) for an official App Store release? Currently, we can achieve this in developer mode by adding the Bluetooth Central Matter Client Developer mode profile (as outlined here https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/darwin.md). For an official release, what entitlements or capabilities do we need to request approval from Apple to replace the Bluetooth Central Matter Client Developer mode profile? Thank you for your assistance.

My team has developed an app with a Matter commissioner feature (for own ecosystem) using the Matter framework on the MatterSupport extension. Recently, we've noticed that commissioning Matter devices with the MatterSupport extension has become very unstable. Occasionally, the HomeUIService stops the flow after commissioning to the first fabric successfully, displaying the error: "Failed to perform Matter device setup: Error Domain=HMErrorDomain Code=2." (normally, it should send open commissioning window to the device and then add the device to the 2nd fabric). The issue is never seen before until recently few weeks and there is no code changes in the app. We are suspected that there is some data that fail to download from the icloud or apple account that cause this problem. For evaluation, we tried removing the HomeSupport extension and run the Matter framework directly in developer mode, this issue disappears, and commissioning works without any problems.

I'm pleased to share some significant updates that have recently been released for our Hypervisor and Virtualization frameworks. We've focused on enhancing efficiency, expanding capabilities, and addressing common developer needs. I believe these will be valuable for many of you. Here’s a look at what’s new: Hypervisor Updates We've introduced support for configuring the intermediate physical address (IPA) memory granularity of a VM. This allows for more granular memory mappings, enabling granularity sizes down to 4KB. This is particularly useful for certain specialized device drivers requiring finer memory control. Virtualization Framework Updates More Efficient VM Image Storage with ASIF: We've integrated support for the Apple Sparse Image Format (ASIF). This results in a smaller disk footprint and optimized transfer for VM disk images when using VZDiskImageStorageDeviceAttachment, improving storage efficiency. Custom Network Topologies with vmnet: We've added support for vmnet custom network topologies. This enables more flexible VM-to-VM communication based on logical networks with customized configurations, useful for complex testing or development environments. See VZVmnetNetworkDeviceAttachment to get started. Simplified VM Queue Discovery: It's now easier to discover a VM’s on-process thanks to a new property on VZVirtualMachine. This should aid in development and debugging when interacting directly with the VM's queue. These are some of the key highlights of the first beta, and I'm looking forward to seeing how these improvements will be utilized. I encourage you to explore the documentation for full details on these features.

Platforms: macOS 15.x (Sequoia), Intel-Based App type: Endpoint Security (ES) client, notarized Developer ID app + LaunchDaemon Goal: Boot-time ES client that runs on any Mac (managed or unmanaged) Summary Our ES client launches and functions when started manually (terminal), but when loaded as a LaunchDaemon it fails to initialize the ES connection with: (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8: Caller lacks TCC authorization for Full Disk Access We can’t find a supported way to grant Full Disk Access (SystemPolicyAllFiles) to a system daemon on unmanaged Macs (no MDM). Local installation of a PPPC (TCC) profile is rejected as “must originate from a user-approved MDM server.” We’re seeking confirmation: Is MDM now the only supported path for a boot-time ES daemon that requires FDA? If so, what’s Apple’s recommended approach for unmanaged Macs? Environment & Artifacts Binary (path placeholder): /Library/Application Support///App/.app/Contents/MacOS/ Universal (x86_64 + arm64) Notarized, hardened runtime; Developer ID Team <TEAM_ID> Entitlements include: com.apple.developer.endpoint-security.client (present) Daemon plist (simplified; placeholders used): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"><dict> <key>Label</key> <string>com.example.esd</string> <key>Program</key> <string>/Library/Application Support/<VENDOR>/<PRODUCT>/Platform/<daemon-exec></string> <key>WorkingDirectory</key> <string>/Library/Application Support/<VENDOR>/<PRODUCT>/Platform</string> <key>RunAtLoad</key><true/> <key>KeepAlive</key><true/> </dict></plist> Designated requirement (abridged & masked): identifier "<BUNDLE_ID>" and anchor apple generic and certificate 1[...] and certificate leaf[...] and certificate leaf[subject.OU] = "<TEAM_ID>" What works Launching the ES client manually (interactive shell) succeeds; ES events flow. Signature, notarization, entitlements, Gatekeeper: all OK. What fails (daemon) launchctl print system/ shows it starts, but Console logs: (libEndpointSecurity.dylib) Failed to open service: 0xe00002d8:Caller lacks TCC authorization for Full Disk Access System TCC DB shows ES consent rows but no allow for TCCServiceSystemPolicyAllFiles for the daemon binary. Installing a PPPC mobileconfig locally (system scope) is blocked as “must originate from a user-approved MDM server.” Repro (minimal) Install app bundle + LaunchDaemon plist above (placeholders). Verify entitlements & notarization: codesign -dvvv --entitlements :- "" spctl --assess --type execute -vv "" Start daemon & watch logs: sudo launchctl bootstrap system "/Library/LaunchDaemons/.plist" log stream --style compact --predicate 'process == "" OR subsystem == "com.apple.TCC"' --info Observe FDA denial message only in daemon context. Attempt to add FDA via PPPC profile (system scope) → rejected unless installed by user-approved MDM. Questions for Apple On macOS 14/15, is Full Disk Access for system daemons strictly MDM-only via PPPC (i.e., not installable locally)? Under what conditions would libEndpointSecurity report a Full Disk Access denial at client initialization, given ES consent is distinct from FDA? For unmanaged Macs needing boot-time ES processing, does Apple recommend a split: root LaunchDaemon (ES subscription; no protected file I/O) + per-user LaunchAgent (user-granted FDA) via XPC for on-demand disk access? Would moving ES connection code into a System Extension change FDA requirements for unmanaged devices, or is FDA still governed by PPPC/MDM? If behavior changed across releases, can Apple confirm the intended policy so vendors can document MDM requirements vs. unmanaged install paths? What we’ve tried Verified signature, notarization, hardened runtime, ES entitlement present. Confirmed context difference: manual run OK; daemon fails. Inspected system TCC: ES consent rows present; no FDA allow for daemon. Tried installing system-scoped PPPC locally → blocked as “must originate from a user-approved MDM server.” Considered LaunchAgent-only, but ES needs root; evaluating daemon+agent split to keep ES in root and put FDA-gated work in user space. What we need A definitive statement on the supported way to grant FDA to a system daemon on macOS 14/15. If MDM PPPC is required, we’ll ship “daemon mode requires MDM” and provide a daemon+agent fallback for unmanaged devices. If a compliant non-MDM path exists for daemon FDA on unmanaged Macs, please share exact steps. Thanks! Happy to provide additional logs privately if helpful.

I'm trying to embed a self-built copy of the WebKit frameworks to a macOS app. Most importantly I hope to get some features to work which Safari offers, but WKWebView in macOS doesn't (getDisplayMedia, Service Workers, WebInspector). Many years ago I was successful in using a self-built WebKit copy in this Mac app, but it seems the WebKit framework got more complex since them, I guess because of WKWebView's architecture. That time I had to open the projects for the main frameworks in Xcode, select the framework bundle in the target and change the "Installation Directory" setting to the path @executable_path/../Frameworks. After building WebKit using the build script, I could use otool -L to confirm the changed installation path, which then was displayed for example as @executable_path/../Frameworks/WebCore.framework/Versions/A/WebCore I tried the same with a current WebKit build: I copied the products for WebKit.framework, WebCore.framework, JavaScriptCore.framework, WebKitLegacy.framework, WebGPU.framework and WebInspectorUI.framework to my app and added it to the "Frameworks, Libraries and Embedded Content" section in the Project's Target/General tab and selected "Embed & Sign" for each framework. In "Build Phases" I made sure that WebCore.framework and WebGPU.framework are only in the "Copy Files" phase (Destination Frameworks) and not in "Link Binary with Libraries", as WebCore is linked through the WebKit umbrella framework and WebGPU gave another error (not sure about how to deal with that framework, as in the system it's in a PrivateFrameworks subfolder). In "Build Settings" I made sure that @executable_path/../Frameworks is entered for "Runpath Search Paths" (it was already probably because of Cocoapods, together with @loader_path/../Frameworks. When I build my app, the system's WebKit version is used. Only when I add the environment variable DYLD_FRAMEWORK_PATH with value @executable_path/../Frameworks in the run scheme, the embedded self-build WebKit frameworks are used. Because of currently necessary backward compatibility my app can use the legacy WebView or WKWebView. The legacy WebView works perfectly with the embedded WebKitLegacy.framework. But if I try to open any URL in WKWebView, no content is rendered and in the console output I can see: Safe Exam Browser[21391:145678] [Process] 0x10c67d760 - [PID=0] WebProcessProxy::didFinishLaunching: Invalid connection identifier (web process failed to launch) Safe Exam Browser[21391:145678] [Process] 0x10c67d760 - [PID=0] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=4 Safe Exam Browser[21391:145678] [ProcessSuspension] 0x10c005040 - [PID=0, throttler=0x10c67d8d8] ProcessThrottler::Activity::invalidate: Ending background activity / 'WebProcess initialization' Safe Exam Browser[21391:145678] [Process] 0x10c67d760 - [PID=0] WebProcessProxy::shutDown: Safe Exam Browser[21391:145678] [Process] 0x7fbe89064020 - [pageProxyID=40, webPageID=41, PID=0] WebPageProxy::processDidTerminate: (pid 0), reason 4 2022-02-14 12:53:01.764074+0100 Safe Exam Browser[21391:145678] [Process] 0x10c67d760 - [PID=0] WebProcessProxy::processTerminated: Safe Exam Browser[21391:145678] [Loading] 0x7fbe89064020 - [pageProxyID=40, webPageID=41, PID=0] WebPageProxy::dispatchProcessDidTerminate: reason=Crash Safe Exam Browser[21391:146842] [SEBOSXWKWebViewController webViewWebContentProcessDidTerminate:<Safe_Exam_Browser.SEBOSXWKWebView: 0x7fbe88f8b1c0>] I have the impression that the web process might fail to launch because I didn't embed all necessary parts of the self-built WebKit (the product folder contains a large number of XPC, dylib and .a files). Or some additional paths have to be adjusted before building WebKit, so that the embedded frameworks/libraries are used and not the system provided ones. I also looked at the bundle of the Safari Technology Preview and can see some similarities but also differences. I would be grateful if anybody could provide me with information how to embed a self-built copy of WebKit into a macOS app. Unfortunately I didn't find any Mac open source browser using an embedded copy of WebKit to get some inspiration from.

I’d like to propose that Apple consider introducing a controlled entitlement for the SIM Application Toolkit (STK) on iOS, allowing limited developer access through a secure, user-consented API layer. While I understand the historical restrictions around SIM access for privacy and carrier security, there are legitimate, high-impact use-cases in emerging markets where STK remains a critical part of everyday digital transactions. Currently, developers have no sanctioned way to trigger or interact with STK flows — which leaves millions of iPhone users unable to complete basic offline payment or authentication actions that their Android counterparts can. The Problem In regions such as Sub-Saharan Africa, South Asia, and Southeast Asia, entire financial ecosystems still depend on SIM-based STK interactions (commonly through USSD or encrypted STK sessions). On iOS: The “SIM Applications” menu is buried under Settings → Cellular → SIM Applications, often missing depending on carrier provisioning. Third-party developers cannot programmatically open or trigger STK actions. This results in incomplete or inconsistent payment experiences for iOS users — even when the same SIM card supports rich offline capabilities on Android devices. Proposed Solution Introduce a “SIMToolkitAccess” entitlement, gated behind the following controls: User Consent Prompt When first triggered, the system displays a native dialog: “App ‘X’ would like to initiate a SIM Toolkit action (e.g., payment or balance check). Do you allow this?” The user can approve once, always, or deny. Scoped Access Model Allow only STK command initiation (e.g., “Launch STK Menu,” “Send STK Request”) Prohibit background execution or passive SIM data reading. Require entitlement approval from Apple Developer Relations, similar to CarPlay, CallKit, or HealthKit. Secure Sandbox STK sessions run in a system-managed sandbox with zero data exposure to the calling app. The app simply receives a completion callback with a generic status code (e.g., .completed, .cancelled, .timeout). Key Use-Cases That Would Benefit Offline Mobile Payments (M-PESA, Airtel Money, T-Kash) Many users rely on STK-based menus for sending or receiving money, paying bills, and topping up accounts. → Enabling secure triggers from native apps would unify the payment UX between Android and iOS, increasing inclusivity. SIM-based Authentication / OTP Requests Telecoms and banks in these regions use STK channels for encrypted session-level identity verification. → Allowing STK initiation would enable secure, offline identity confirmation flows. Carrier Value-Added Services (Data Bundles, Utility Payments) Network operators still deliver bundles, electricity token purchases, and airtime loans via STK sessions. → Secure developer access would allow modern iOS apps to wrap these flows in more intuitive interfaces while maintaining carrier security. Offline Resilience / Disaster-Recovery Flows During power or data outages, STK is often the only operational payment method, as it runs directly on the GSM layer. → Allowing iOS apps to gracefully degrade to STK ensures users can still transact safely without internet access. Why It Matters This is not about exposing low-level carrier interfaces — it’s about giving developers the ability to deliver consistent, accessible, and inclusive financial experiences to iPhone users in markets where connectivity cannot be assumed. Apple’s leadership in privacy and safety would make it the perfect platform to define the secure standard for modernized STK integration — something Android’s open access model lacks. A gated entitlement model would preserve integrity while unlocking transformative use-cases for millions.

Background: We are developing a cross-platform mobile application that communicates with a custom NFC-enabled hardware device. The hardware expects ISO7816-style APDU commands for data exchange and functions correctly with Android using the IsoDep protocol. Observed Issue on iOS: On iOS, the tag is only detectable via NFCNdefReaderSession, which provides access to INFCNdefTag. Attempting to use NFCTagReaderSession with NFCPollingOption.Iso14443 (which is required for APDU communication) results in no tag detection. As a result, the tag is inaccessible for APDU-based communication on iOS. Since NFCNdefReaderSession does not support APDU, we are unable to establish the required command channel. Constraints: The hardware firmware cannot be changed to support NDEF-based command interpretation. The device expects raw ISO-DEP APDU commands (i.e., Class-Instruction-Param1-Param2-Data-Le). Impact: The lack of ISO7816 tag detection on iOS prevents the app from sending APDU commands, resulting in a platform-specific feature limitation. Functionality that relies on secure, structured APDU communication is unavailable to iOS users, even though it works seamlessly on Android.

Environment macOS Tahoe 26.2 (Build 25C56) Also tested with macOS 26.3 Developer Beta - same issue Windows Server 2022 DFS namespace Connection via Tailscale VPN (but also tested with direct network connection) Problem Description When connecting to a Windows Server 2022 DFS namespace from macOS Tahoe, the root namespace connects successfully, but all subfolders appear empty and return either: "No route to host" "Authentication error" (alternates inconsistently) Steps to Reproduce Set up a Windows Server 2022 DFS namespace (e.g., \\domain.com\fs) Add DFS folder targets pointing to file servers (e.g., \\fs02\share, \\fs03\share) From macOS Tahoe, connect via Finder: smb://domain.com/fs Root namespace mounts successfully Issue: Subfolders show as empty or return "No route to host" when accessed What Works Direct SMB connections to individual file servers work perfectly: smb://10.118.0.26/sharename ✓ smb://fs02.domain.com/sharename ✓ Same DFS namespace works from Windows clients Same DFS namespace worked from macOS Sonoma 14.4+ What Doesn't Work DFS referrals from macOS Tahoe 26.x to any DFS folder target The issue persists regardless of: Kerberos vs NTLM authentication SMB signing enabled/disabled on servers Various /etc/nsmb.conf configurations DNS resolution (tested with IPs and FQDNs) Historical Context A similar DFS referral bug existed in macOS Sonoma 14.0 and was fixed in 14.1. This appears to be a regression in macOS Tahoe 26. Request Please investigate the DFS referral handling in macOS Tahoe. The fact that direct SMB connections work while DFS referrals fail suggests an issue specifically in the DFS referral processing code. Feedback Assistant report will be filed separately.

Hi all, I'm building an iOS app extension using ExtensionKit that works exclusively with its containing host app, presenting UI via EXHostViewController. I'd like the extension to have read-only access to the host's task for process introspection purposes. I'm aware this would almost certainly require a special entitlement. I know get-task-allow and the debugger entitlement exist, but those aren't shippable to the App Store. I'm looking for something that could realistically be distributed to end users. My questions: Does an entitlement exist (or is one planned) that would grant an extension limited, read-only access to its host's task—given the extension is already tightly coupled to the host? If not, is this something Apple would consider adding? The use case is an extension that needs to inspect host process state without the ability to modify it. Is there a path to request such an entitlement through the provisioning profile process, or is this fundamentally off the table for App Store distribution? It seems like a reasonable trust boundary given the extension already lives inside the host's app bundle, but I understand the security implications. Any insight appreciated. Thanks!

I got this error despite documentation saying it exits: https://developer.apple.com/documentation/foundation/urlresourcevalues/tagnames I'm building for iPadOS 26.2

I am looking to extend the range for a device and the only option from a Bluetooth perspective is Coded PHY but I have not heard of any intent to support it from Apple. Does Apple intend to support Coded PHY and if so what is the roadmap?

There will be a cloud download icon on the folder, and when I click download, I will go to download the file below. Then this icon will disappear, but when I move a dataless file into the folder, the cloud download icon will appear again. I understand if there is any way to determine whether the folder has downloaded properties

our app has a helper to perform privileged operations which communicates with the main app via xpc_connection* previously that helper was installed via SMJobBless() into the /Library/LaunchDaemons/ and /Library/PrivilegedHelperTools/ due to various issues with the old SMJobBless() as well as it being deprecated we have ported the helper to the new SMAppService API where the helpers do not need to be installed but remain within the app bundle ( [[SMAppService daemonServiceWithPlistName:HELPER_PLIST_NAME] registerAndReturnError:&err] ) the new approach has been used in production for a year now and works fine in most cases and seems to be more reliable than the old SMJobBless(). however, we've observed two problems with the new helper architecture. • sometimes when users update the app (with the built-in Sparkle framework), the app does not seem to have FullDiskAccess, although the checkbox in the system settings remains toggled on. only once the Mac has been restarted, things work fine again. since this is cured by a reboot, lets ignore this issue • on some Macs, it just seems impossible to use the helper, while "installation" via SMAppService runs fine without error, using the helper always just fails with Connection invalid. This issue seems to affect ~0.2% of our users Macs, and we have found no cure yet how to get things into a working state on those Macs. luckily the issue also occurs 100% reproducible on one of the Macs in our office now. the problem seems to be a regression in macOS 26, as things worked absolutely fine on all previous macOS versions. we'd like to investigate why the helper just won't work on some Macs. unfortunately even enabling Console logging for just a few seconds yields thousands of messages nowadays, but this may be insightful: we found that on the "bad Mac", the "FATAL ERROR - fullPath is nil" always appears and subsequently no working XPC connection to the helper is ever established. on the "good Macs", this "fullPath is nil" error never appears, and the XPC connection works fine after all the required permissions (helper permission, FDA permission) are granted. so, my questons: • has anyone else seen a problem where a SMAppService / XPC based priviledged helper just won't work on a handful of Macs? • what about the "FATAL ERROR - fullPath is nil", is this the real root cause of the issue or should we look somewhere else? how can we prevent the issue on the affected Macs? the only thing that seems to be clear here is that this is a macOS 26 Tahoe bug.

I'm working on a command line tool, and trying to make it as fast as possible. I ran it under instruments' processor trace (really cool tool by the way, thanks for that) and found that the majority of the time it is taking to run, is actually spent in dyld, specifically dyld4::prepare(dyld4::APIs&, mach_o::Header const*). Out of a total run time of 1.27ms my code only takes 34.17μs or about 2.7%, that's a LOT of overhead! I re-ran my binary with the dyld activity instrument added to the mix, and it showed that the biggest known chunk of time that dyld spends during process startup is in "Run static initializer" from libSystem, though the majority of the time spent by dyld is unaccounted for and left labelled generically as "Launch Executable". Obviously I can't modify libSystem on my users' systems so is there anything I can do to reduce this overhead? Maybe some way to promise that I won't use the Obj-C runtime so that doesn't need setting-up or something?