“A Summary of the WWDC25 Group Lab”

vasultm, It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits. As to the main issue, I haven’t yet driven it to a conclusion but, for the moment, my historical advice stands: There’s no supported way to transfer app group IDs between teams. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com

Update (MDM‑managed macOS 14.4 device): After some additional testing with our third‑party MDM, the Custom macOS app now does get installed via MDM (the notarized Developer ID PKG is assigned to a group with Install Method = MDM and Auto Deploy, and /Applications/MyProxy.app appears on the target Mac with the expected bundle id and version). However, on that MDM‑managed macOS 14.4 (Apple Silicon) device the app still cannot be launched. Finder shows a generic “MyProxy can’t be opened” error, and the process is killed immediately on launch. The key detail from the system log is that the decision is coming from the ConfigurationProfiles / MDM side rather than from Gatekeeper: taskgated-helper[…]: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing com.myapp.agent.MyProxy because no eligible provisioning profiles found At the same time: spctl --assess -vvv -t exec /Applications/MyProxy.app reports source=Notarized Developer ID. codesign -dvv confirms the app is signed with

Thanks for your post. This is very interesting but I also think we have released many news about why Xcode does not say universal on the template even though they are all universal depending on your target. This thread should be utilized by other developers to provide links to Apple News and videos that explain the path forward. I extend an invitation to anyone who possesses resources and links. I know is confusing if the Xcode template does not say universal, but is all about the target and I would prefer you think about the target after you create the app, so this is still relevant: https://developer.apple.com/documentation/apple-silicon/building-a-universal-macos-binary There is an announcement in this WWDC video about the platforms we are supporting I would recommend you to watch as will answer many questions. Platforms State of the Union - WWDC25 - VideosApple Developerhttps://developer.apple.com · Jun 9, 2025 https://developer.apple.com/videos/play/wwdc2025/102/ The steps outlined below are sta

As a follow‑up for anyone hitting the same issue: Per Quinn’s advice, I switched to manual signing outside Xcode and followed the “Exporting a Developer ID Network Extension” guidance. The code signing / notarization side now looks correct and works locally: Host app and DNS Proxy system extension are both signed with Developer ID Application for our team (for example, TEAMID1234). com.apple.developer.networking.networkextension in both host and system extension entitlements uses `dns-proxy-systemextension. The app bundle identifier is com.myapp.agent.MyProxy. The installer pkg is signed with Developer ID Installer: MyApp Inc (TEAMID1234), notarized with notarytool (status: Accepted), stapled, and passes `pkgutil --check-signature. On the test Mac (macOS 14.4, Apple Silicon), sudo installer -pkg MyProxy_…pkg -target / succeeds, the app appears in/Applications, and spctl --assess -vvv -t exec reportssource=Notarized Developer ID`. The app launches and the DNS Proxy system extension runs (any remaining issues a

[quote='816702021, Pavel, /thread/816702, /profile/Pavel'] I need to develop a … Transparent Proxy … that sends data to the host application for analysis. [/quote] You mean the container app, right? [1] If so, this architecture is a concern. A transparent proxy operates system wide, so: There may be 0, 1, or more active GUI login sessions. Each active GUI login session can be running an instance of your container app. So if multiple users are logged in and they each run a copy of your container app, what are you expecting to happen? This architecture also informs your XPC architecture. A NE sysex, which operates much like a launchd daemon, can’t connect to a named XPC endpoint advertised by an app because the system wouldn’t know which app to connect to [2]. Given the above, the only architecture that works is for your sysex to advertise the named XPC endpoint and for your apps to connect to it. And that’s exactly what’s demonstrated by the Filtering Network Traffic sample code. There are a couple of things t

[quote='816782021, alexfromapex, /thread/816782, /profile/alexfromapex'] Has anyone gotten Postgres to run in a sandboxed app? [/quote] Not personally, but I can shed some light on the App Sandbox side of this. System V IPC is a compatibility API an macOS. We recommend against using it in new code. Given that, it shouldn’t come as a big surprise that it doesn’t have a good story regarding the App Sandbox. The alternative, Posix IPC, works in the App Sandbox as long as you conform to the naming guidelines described in App Groups Entitlement [1]. So, to make this work you’ll need to: Sign your executables to claim access to an app group. Configure the library to use Posix IPC. With a name that’s authorised by that app group. I don’t have any expertise with this specific third-party library, so I’ve no insight into the last two. I’m happy to help with the first. I have lots of background on that in App Groups: macOS vs iOS: Working Towards Harmony. Share and Enjoy — Quinn “The