A Summary of the WWDC25 Group Lab

I am attempting to read and write data to an Office Group Container, and I am consistently prompted with the App would like to access data from other apps alert. How can I configure the application or environment to suppress this repeated permission prompt?

Hi everyone, I'm working on an app that stores multiple secrets in the Keychain, each protected with .userPresence. My goal is to authenticate the user once via FaceID/TouchID and then read multiple Keychain items without triggering subsequent prompts. I am reusing the same LAContext instance for these operations, and I have set: context.touchIDAuthenticationAllowableReuseDuration = LATouchIDAuthenticationMaximumAllowableReuseDuration However, I'm observing that every single SecItemCopyMatching call triggers a new FaceID/TouchID prompt, even if they happen within seconds of each other using the exact same context. Here is a simplified flow of what I'm doing: Create a LAContext. Set touchIDAuthenticationAllowableReuseDuration to max. Perform a query (SecItemCopyMatching) for Item A, passing [kSecUseAuthenticationContext: context]. Result: System prompts for FaceID. Success. Immediately perform a query (SecItemCopyMatching) for Item B, passing the same [kSecUseAuthenticationContext: context]. Result: System pro

I can't upload my macOS app to app store connect. Each time i try to upload, i see this message: Provisioning profile failed qualification Profile doesn't support App Groups. An empty app without an app group uploads fine, but if i add an app group to it, it does not upload.

Hi, I’m implementing a macOS DNS Proxy as a system extension and running into a persistent activation error: OSSystemExtensionErrorDomain error 9 (validationFailed) with the message: extension category returned error This happens both on an MDM‑managed Mac and on a completely clean Mac (no MDM, fresh install). Setup macOS: 15.x (clean machine, no MDM) Xcode: 16.x Team ID: AAAAAAA111 (test) Host app bundle ID: com.example.agent.NetShieldProxy DNS Proxy system extension bundle ID: com.example.agent.NetShieldProxy.dnsProxy The DNS Proxy is implemented as a NetworkExtension system extension, not an app extension. Host app entitlements From codesign -d --entitlements :- /Applications/NetShieldProxy.app: xml com.apple.application-identifier AAAAAAA111.com.example.agent.NetShieldProxy com.apple.developer.system-extension.install com.apple.developer.team-identifier AAAAAAA111 com.apple.security.app-sandbox com.apple.security.application-groups group.com.example.NetShieldmac com.apple.security.files.user-

I’m reaching out regarding an issue we’ve been experiencing with BGProcessingTask since upgrading to Xcode 26.1.1. Issue Summary Our daily background processing task—scheduled shortly after end‑of‑day—has stopped triggering reliably at night. This behavior started occurring only after updating to Xcode 26.1.1. Prior to this update, the task consistently ran around midnight, executed for ~10–15 seconds, and successfully rescheduled itself for the next day. Expected Behavior BGProcessingTask should run at/near the scheduled earliestBeginDate, which we set to roughly 2 hours after end-of-day. The task should execute, complete, and then reschedule itself. Actual Behavior On devices running builds compiled with Xcode 26.1.1, the task does not trigger at all during the night. The same code worked reliably before the Xcode update. No system logs indicate rejection, expiration, or background task denial. Technical Details This is the identifier we use: private enum DayEndProcessorConst { static let taskIdent

Summary I am seeking clarification regarding an App Store rejection under Guideline 4.2 – Design – Minimum Functionality, specifically around expectations for booking and payment flows in apps that rely on third-party, industry-standard reservation platforms. This app is a production application for a licensed transportation (black car / limo) service. It includes multiple native iOS features implemented via Capacitor and custom Swift plugins. However, the booking and payment flow depends on a third-party transportation platform (RideBits) that does not currently support deep linking with prefilled parameters or programmatic booking APIs. Before committing to a significant architectural change, I am hoping to understand whether Apple’s expectation under Guideline 4.2 is that all transactional booking and payment flows must be fully native and controlled by the app developer, even when third-party systems are operationally required. ⸻ App Context The app is designed for a real transportation business

[CRITICAL] Metal API Memory Leak - Heap Memory Never Released to OS (CWE-400) Security Classification This issue constitutes a resource exhaustion vulnerability (CWE-400): Aspect Details Type Uncontrolled Resource Consumption CWE CWE-400 Vector Local (any Metal application) Impact System instability, denial of service User Control None - no mitigation available Recovery Requires application restart Summary Metal heap allocations are never released back to macOS, even when the memory is entirely unused. This causes continuous, unbounded memory growth until system instability or crash. The issue affects any application using Metal API heap allocation. This was discovered in Unreal Engine 5, but reproduces in a completely blank UE5 project with zero application code - confirming this is Metal framework behavior, not application-level. Environment OS: macOS Tahoe 26.2 Hardware: Apple Silicon M4 Max (also reproduced on M1, M2, M3) API: Metal Reproduction Steps Run any Metal application that allocates and