Search results for

“eskimo”

36,610 results found


Reply to OnDemand VPN connection stuck in NO INTERNET
OK. In that case I don’t see any way to make this work )-: When you set an on-demand rule, connections that match that rule are held until the demand is satisfied. This makes sense when you think about the intended use case for on-demand rules, namely, a split VPN. Typically this pans out as follows: There’s a site that’s only available on the organisation’s intranet. The device manager deploys an on-demand VPN configuration to access that intranet. The user runs an app that connects to that site. The system treats that as demand and starts the VPN connection. And holds the app’s connection until the VPN connection is established. Once that’s done, it releases the app’s connection, which then connects to the site over the VPN. This yields an obvious chicken’n’problem when the VPN provider relies on a connection that also matches the on-demand rule. The system can avoid this problem if the provider does it directly, from within its own process. This is the same sort of logic that NECP uses to avoid VPN loops.
Feb ’26
Reply to URL Filter Network Extension
[quote='876592022, Pushpak-Ambadkar123, /thread/815498?answerId=876592022#876592022, /profile/Pushpak-Ambadkar123'] how we can achieve same in case of NEURLFilterManager [/quote] This is just a special case of my previous answer: There are no configuration options like this with URL filter. If you’d like to see us add something for this, you should file an enhancement request explaining your requirements. Oh, one further point here. With URL filter it’s possible for third-party apps to opt in to filtering via the NEURLFilter type. What they do in the .deny case is up to them. You could imagine an extension to that API that returns the reason for the denial — so they could add that to their own custom UI — but that does present some privacy concerns. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to Possible 26.2 memory leak regression in Network, when multiple NEXT active
[quote='876583022, TChrist, /thread/813973?answerId=876583022#876583022, /profile/TChrist'] the Memory utilization increased again. [/quote] Bummer. But my previous advice still holds: If you continue to have problems with this on 26.4b1, it’s best to file a new bug with the details. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to process.waitUntilExit never exits in tahoe 26.3
[quote='876587022, rbmanian75, /thread/815676?answerId=876587022#876587022, /profile/rbmanian75'] I tried this and it works. [/quote] Yay! [quote='876587022, rbmanian75, /thread/815676?answerId=876587022#876587022, /profile/rbmanian75'] If I make these changes whether the app will pass the app review? [/quote] I don’t work for App Review and thus can’t make definitive statements about their policy. However, my experience is that App Review is very skeptical about any use of temporary exception entitlements. However, one valid use case is working around bugs, and so I think it’s worthwhile you attempting this here. You can improve your chances by limiting this entitlement claim to specific OS versions. You do that with the :before:MAJOR.MINOR clause, as illustrated by this page. Now, the question is, what to use for MAJOR.MINOR? The obvious choice here is 26.4, on the assumption that the bug in question will be fixed in some later seed of macOS 26.4 beta. However, I can’t guarantee that that will happen. And, i
Topic: App & System Services SubTopic: Core OS Tags:
Feb ’26
Reply to What should be enabled for Enhanced Security?
[quote='876600022, anosidium, /thread/815819?answerId=876600022#876600022, /profile/anosidium'] You advised that I should enable all the settings. [/quote] Well, yes, if you read that one sentence in isolation. However, I made it clear that one specific setting, Enable Soft Mode for Memory Tagging, reduces security, so if your goal is security then enabling that is probably not a good choice (-: [quote='876600022, anosidium, /thread/815819?answerId=876600022#876600022, /profile/anosidium'] I am therefore inclined not to enable it. [/quote] Or you could profile your app and see if it makes a difference in practice. That’s generally the best way to approach performance trade-offs. [quote='876600022, anosidium, /thread/815819?answerId=876600022#876600022, /profile/anosidium'] I am not entirely sure what is meant by logging in [Soft Mode] [/quote] Quoting Enabling enhanced security for your app: This entitlement makes hardware memory tagging operate in soft mode, where the system produces a simulated crash instead
Topic: Privacy & Security SubTopic: General Tags:
Feb ’26
Reply to Checksum of an ipa file
[quote='816041021, LCTech, /thread/816041, /profile/LCTech'] if i extract the ipa file and compare the checksum will it match? [/quote] This question doesn’t make sense because a .ipa is only used to upload your app to the App Store. It has no presence on the device itself. But regarding the big picture question about checking app integrity, see my reply here. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to Do I need to request Packet Tunnel Provider entitlement from Apple to get my app working?
See my reply here. [quote='816045021, crewshin, /thread/816045, /profile/crewshin'] everything I'm seeing suggests I need to put in a request to Apple to turn on NetworkExtension [/quote] Does “everything I’m seeing” refer to stuff from Apple? Or stuff on the ’net? Because if it’s advice from Apple then I’d appreciate you replying here with info on where you saw Apple give you that advice, because I’d like to correct it. Sadly, I can’t fix the Internet (-: Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to How to renew "Developer ID Application" certificate?
There isn’t a specific affordance for renewing certificates. Rather, you simply create a new one. That’s the same for all our code-signing certificate types. For Developer ID I generally do this using the Developer website rather than Xcode. That’s because Developer ID certificates are precious, as I explain in The Care and Feeding of Developer ID. When you create a certificate using the website, you supply a certificate signing request (CSR). This includes the public key that’ll be embedded in the certificate, the one that matches your private key so that, when the website issues your certificate, the certificate and the private key form a code-signing identity. That gives you two choices: You can create a new CSR, containing the public key from a newly generated key pair. You can reuse the CSR you used previously. Note From a certain perspective, you could interpret the first option as ‘creating a new certificate’ and the second option as ‘renewing a certificate’, but that’s a bit of a stretch. I prefer the
Feb ’26
Reply to Unable to generate "All" platform Enterprise distribution certificate
The Developer website is misleading here, at least AFAICT. When you go to create a certificate, the In-House and Ad Hoc option says: Sign your iOS app for In-House or for Ad Hoc distribution. [All emphasis in these quotes is mine.] However, that certificate isn’t limited to iOS. For example: If you create a tvOS In House provisioning profile, it will let you select the iOS Distribution certificate. I believe [1] that other platforms, like visionOS, are covered by the In House provisioning profile, despite the fact that the website says: To sign iOS apps for In House Distribution, you need a Certificate. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com [1] It’s actually hard for me to test this right now, so my conclusion is based on an analogy. If I created an Ad Hoc profile, it lets me select the iOS Distribution certificate but it also then lets me select non-iOS devices, like an Apple Vision Pro. So if things work this way
Feb ’26
Reply to iOS mTLS Client Certificate Authentication Fails in TestFlight with Error -25303
[quote='876494022, ellinj, /thread/815390?answerId=876494022#876494022, /profile/ellinj'] Is there any Keychain support for non-X.509 certificate formats? [/quote] No. Or, more specifically, the keychain only supports X.509 for kSecClassCertificate items. That doesn’t stop you storing the raw data as kSecClassGenericPassword. As to what you should do, that depends on how you’re using the word “certificate”: Apple uses [1] certificate to refer to the signed wrapper around the public key. We then use digital identity to refer to the combination of a certificate and the private key that matches the public key in that certificate. See TN3161 Inside Code Signing: Certificates for more on this. However, it’s common for folks to use a single term, certificate, to refer to both the certificate and digital identity, with ‘hilarious’ confusion being the result. So, if you’re using certificate ‘correctly’ then the certificate contains just the public key and you can store it wherever you want [2]. OTOH, if your certific
Feb ’26
Reply to Linker nondeterminism (ld_new) involving branch islands
[quote='876460022, jamie_sq, /thread/805609?answerId=876460022#876460022, /profile/jamie_sq'] If it's possible to provide positive confirmation [/quote] Yep. My reading of FB20884404 is that we identified the underlying issue and rolled that fix into Xcode 26.4b1. You should’ve also been notified of the fix in Feedback Assistant. [quote='876460022, jamie_sq, /thread/805609?answerId=876460022#876460022, /profile/jamie_sq'] thanks to whoever worked on this! [/quote] I’ll pass that along. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to Persistent Tokens for Keychain Unlock in Platform SSO
I can’t see how you’d make that work given that no third-party code can run at the FileVault unlock screen. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Topic: Privacy & Security SubTopic: General Tags:
Feb ’26
Reply to Developer iOS 26.3
I read through your posts a couple of times and I’m not sure what you’re asking about here. Please elaborate. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to Error code 500 when requesting a System Extension or DriverKit Entitlement
I recommend that you seek help via Apple > Developer > Contact Us > Development and Technical > Entitlements, which is the standard escalation path for entitlement issues. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26
Reply to App Rejected (Guideline 5.0 – Sanctions) Due to Domain Found in Binary, Not Used by App
Let’s focus this discussion in your other thread. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = eskimo + 1 + @ + apple.com
Feb ’26