We create custom VPN tunnel by overriding PacketTunnelProvider on MacOS. Normal VPN connection works seamlessly. But if we enable onDemand rules on VPN manager, intemittently during tunnel creation via OnDemand, internet goes away on machine leading to a connection stuck state. Why does internet goes away during tunnel creation?

My application installs a system extension. When I try to remove the app from the Applications folder (cmd + backspace) I get an error message: "The operation can’t be completed right now because another operation is in progress, such as moving or copying an item or emptying the Bin." According to systemextensionsctl the extension state is "terminating for uninstall but still running". I can see an error in the console logs: kernelmanagerd Failed to terminate dext com.my.driver-dk, error: Kernel request failed: (os/kern) invalid address (1) sysextd a category delegate declined to terminate extension with identifier: com.my.driver-dk sysextd failed to terminate extension with identifier: com.my.driver-dk: Optional(Error Domain=kernelmanagerd.KMError Code=38 "(null)") Issue occurs with macOS 13 - works fine with macOS 12 and macOS 11 What is the problem here? Have there been any changes in macOS in that regard?

I am trying to sign my Mac app to use Network Extensions capability. But every time I create a profile it displays that to me: on the other hand on the website it displays this to me:

Hello, After upgrading to macOS 26.2, I’ve noticed a significant performance regression when calling evaluateJavaScript in an iOS App running on Mac (WKWebView, Swift project). Observed behavior On macOS 26.2, the callback of evaluateJavaScript takes around 3 seconds to return. This happens not only for: evaluateJavaScript("navigator.userAgent") but also for simple or even empty scripts, for example: evaluateJavaScript("") On previous macOS versions, the same calls typically returned in ~200 ms. Additional testing I created a new, empty Objective-C project with a WKWebView and tested the same evaluateJavaScript calls. In the Objective-C project, the callback still returns in ~200 ms, even on macOS 26.2. Question Is this a known issue or regression related to: iOS Apps on Mac, Swift + WKWebView, or behavioral changes in evaluateJavaScript on macOS 26.2? Any information about known issues, internal changes, or recommended workarounds would be greatly appreciated. Thank you. Test Code Swift class ViewController: UIViewController { private var tmpWebView: WKWebView? override func viewDidLoad() { super.viewDidLoad() // Do any additional setup after loading the view. setupUserAgent() } func setupUserAgent() { let t1 = CACurrentMediaTime() tmpWebView = WKWebView(frame: .zero) tmpWebView?.isInspectable = true tmpWebView?.evaluateJavaScript("navigator.userAgent") { [weak self] result, error in let t2 = CACurrentMediaTime() print("[getUserAgent] \(t2 - t1)s") self?.tmpWebView = nil } } } Test Code Objective-C - (void)scene:(UIScene *)scene willConnectToSession:(UISceneSession *)session options:(UISceneConnectionOptions *)connectionOptions { NSTimeInterval startTime = [[NSDate date] timeIntervalSince1970]; WKWebView *webView = [[WKWebView alloc] init]; dispatch_async(dispatch_get_main_queue(), ^{ [webView evaluateJavaScript:@"navigator.userAgent" completionHandler:^(id result, NSError *error) { NSTimeInterval endTime = [[NSDate date] timeIntervalSince1970]; NSLog(@"[getUserAgent]: %.2f s", (endTime - startTime)); }]; }); }

[Q] When is the kTCCServiceEndpointSecurityClient set by macOS and in which conditions? From what I'm gathering, the kTCCServiceEndpointSecurityClient can not be set by a configuration profile and the end user can only grant full disk access. I searched for documentation on Apple's develop website (with the "kTCCServiceEndpointSecurityClient" search) and did not get any useful result. Using a more complete search engine, or the forum search engine, only points to the old annoying big bug in macOS Ventura. The problem I'm investigating is showing a process being listed as getting granted kTCCServiceEndpointSecurityClient permissions in the TCC database when: it's not an Endpoint Security client. it does not have the ES Client entitlement. the bundle of the process includes another process that is an ES Client and is spawn-ed by this process but I don't see why this should have an impact. This process is supposed to have been granted kTCCServiceSystemPolicyAllFiles via end user interaction or configuration profile. AFAIK, the kTCCServiceEndpointSecurityClient permission can only be set by macOS itself. So this looks like to be either a bug in macOS, an undocumented behavior or I'm missing something. Hence the initial question. macOS 15.7.3 / Apple Silicon

I noticing that Monterey defaults to the NSWindowToolbarStyleAutomatic / NSWindowToolbarStyleUnified toolbar style, which suppresses the "use Small Size" menu item and customization checkbox. So I've set the window to use NSWindowToolbarStyleExpanded. However, the toolbar will no longer change to a smaller icon size, as it did in MacOS 10.14, 10.15, and 11.0. I've tried to set the toolbar item sizing to "Automatic" for all of our toolbar icons, but that results in bad positioning in both Regular and Small Size mode -- the height is way too big. The native size of the icon .png files are 128 x 128. What's odd is that if I resize the window with the toolbar to be wider, the NSToolbarItems in the overflow area will be displayed in the toolbar are 128 x 128, where the rest of the toolbar icons get displayed as a 32 x 32 icon. The only way to get it to layout remotely correct is to make the NSToolbarItem to have an explicit minimum size of 24 x 24 and maximum size of 32 x 32. And that USED to allow "small size", but on Monterey, it no longer does. Anyone had any success with small size icons on Monterey?

In this app I use tooltips extensively. They work perfectly well, except in a popover where they may appear or not (just some flash and immediately disappear). In the popover there are 12 colour buttons, each with its own tracking area and 3 control buttons, with their tracking areas. Here when it works, hovering over "C" button or "Annuler" button: But then, when I move to another colour button, a few 2 or 3 may work, but most don't display their tooltip at all. I know that the tooltip is set because I replicate the message in a help line at the bottom of the screen and this line always update: Let messageForColor = "Choisir la couleur…" if button.isEnabled { // show tooltip button.toolTip = messageForColor } else { button.toolTip = nil } if button.isEnabled { // Shows helpline at the bottom of screen button.helpMessage = messageForColor } Maybe it comes from some useDefault (I modified NSInitialTool TipDelay and I'm not sure I have reset to the default value) I noted that if I wait for 10 seconds or so (keeping the popover opened), everything seems to work properly again. Just as if there was some lengthy initialisation going on. So questions: Is there a known issue of Tooltips in a popover ? Are there other parameters to set in userDefaults to avoid immediate disparition of the tooltip in popover ? How to reset the factory setting for the UserDefaults in the app ?

I have been updating some NSXPCConnection code in my macOS 26 app (not sandboxed) to use XPCSession and friends instead. And it is working well and the experience has been generally good. But I have run into a problem when using XPCSession.setPeerRequirement() which I really want to use. It works well when I use something simple like XPCPeerRequirement.isFromSameTeam() but I want to check some more requirements and also use the code from multiple apps (but same team). That is, I want to check for multiple identifiers and team ID and version (and perhaps also in the future that the certificate is a Developer ID). And previously I would use SecRequirementCreateWithString with an entitlement string conceptually like this: var entitlement = "anchor apple generic and (" entitlement += "identifier idA" entitlement += " or identifier idB" entitlement += ")" entitlement += " and certificate leaf[subject.OU] = TeamID" entitlement += #" and info [CFBundleShortVersionString] >= "1.0""# and it works just as it should when creating and using that SecRequirement so I don't think that there is anything particularly wrong with the entitlement. And I had hoped that I could use the same string with XPCPeerRequirement.hasEntitlement(entitlement) but it doesn't work (I get a general "Peer forbidden" error). So I think that I don't really understand what sort of entitlement that hasEntitlement() wants. And also I don't really understand the other ways available to create a XPCPeerRequirement. I have also tried to use a XPCDictionary with XPCPeerRequirement(lightweightCodeRequirements:) but I can't get that to work either (and it seems a bit wrong to have to drop down to use e.g. xpc_object_t with new modern API:s). So my question is: is it possible to create a XPCPeerRequirement with an entitlement like above and, in that case, how? Or is there some other work-around to use XPCSession.setPeerRequirement() with a more complex requirement, e.g. is there a way to combine multiple XPCPeerRequirements into one? Thank you for reading this. /Peter

This is a very basic macOS Finder-style test app using AppKit. I am experiencing a "jump" in the vertical scroll position of my NSTableView (inside an NSScrollView) specifically when the window is resized horizontally. This happens when columns are visually added or removed. Framework: AppKit (Cocoa) Xcode/macOS: 26.2 Code: https://github.com/MorusPatre/Binder/blob/main/ContentView%20-%20Scroll%20Jump%20during%20Resize.swift

I'm currently observing a problem similar to this thread https://developer.apple.com/forums/thread/737334 The difference is that this is happening after updating a system extension. Basically same error, sysextd complains it can not check that the system extension is notarized: macOS Error 3 + Error code=-67050. I think macOS (Sequoia 15.3.2 or 15.7.2 if it matters) is wrong in this case for the following reasons: when using spctl assess -t install, the system extension is reported to be correctly notarized. when restarting the Mac, the updated system extension is correctly checked and staged. if I run spctl assess before sysextd tries to check the system extension, it works. I'm currently thinking of 2 reasons why the check does not work: sysextd is somehow trying to work with a cached assessment that has become invalid after the system extension was updated. macOS needs way more time between the update of the files and the request to update the staged extension. I tried adding a 5-second delay. This does not seem to work or at least reliably. I tried just touching the system extension, no positive result. Unfortunately, in macOS Sequoia, it is not possible anymore to reset-default using spctl and see if it solves the issue, at least the next time the update is performed. [Q] Is there some magic operation that would help macOS correctly check the notarization of an updated system extension?

Context: I am building a macOS file (currently image only) browser using SwiftUI. The core view is a ScrollView containing a LazyVGrid. The layout is dynamic: as the window resizes, I calculate the optimal number of columns and spacing using a GeometryReader. The Issue: While scrolling is pretty smooth (thanks to custom image caching and prefetching), window resizing is significantly laggy. After having scrolled the UI stutters and drops frames heavily while dragging the window edge. The Code: https://github.com/MorusPatre/Binder

I'd like to create a Quick Look extension for a file type for which a location or region on a Map should be shown as preview. However the MapView would only show a grid without any map. From within the MapKit delegate I can see from the "Error" parameter (a server with this domain can not be found) that this seems to be a network issue. The Quick Look extension seems to have no access to the internet and therefore the MapView can not load any map data. I've then also done some other tests via URLSession, which also only fails with connection errors. I haven't seen any limitations or restrictions mentioned in the API documentation. Is this the expected behavior? Is this a bug? Or am I missing something?

I have Mac apps that embed “Helper Apps” inside their main bundle. The helper apps do work on behalf of the main application. The helper app doesn’t show a dock icon, it does show minimal UI like an open panel in certain situations (part of NSService implementation). And it does make use of the NSApplication lifecycle and auto quits after it completes all work. Currently the helper app is inside the main app bundle at: /Contents/Applications/HelperApp.app Prior to Tahoe these were never displayed to user in LaunchPad but now the Spotlight based AppLauncher displays them. What’s the recommended way to get these out of the Spotlight App list on macOS Tahoe? Thanks in advance.

I'm building an automated wallpaper updater that fetches images from an API and sets them as desktop wallpaper on macOS Tahoe. The automation uses AppleScript combined with database manipulation to ensure wallpaper applies to all spaces. Current implementation (via Apple Shortcuts): wallpaper_path="$1" osascript -e "tell application \"System Events\" to tell every desktop to set picture to POSIX file \"$wallpaper_path\"" sqlite3 ~/Library/Application\ Support/Dock/desktoppicture.db "UPDATE data SET space=NULL WHERE space IS NOT NULL;" 2>/dev/null killall -HUP Dock Issue First run: Works perfectly - sets wallpaper on all spaces/desktops, "Show on all spaces" is ON After first run: "Show on all spaces" automatically toggles OFF in System Settings Second run onwards: New wallpaper only updates on the active space, inactive spaces show old wallpaper Expected: "Show on all spaces" should remain ON after programmatic wallpaper changes Actual: System Settings automatically disables it, breaking subsequent updates Tested workarounds (all failed): UPDATE data SET space=NULL to clear per-space entries Using every desktop instead of current desktop in AppleScript killall Dock vs killall -HUP Dock vs killall -USR1 Dock Clearing space_id entries from pictures table Running DELETE FROM pictures WHERE space_id IS NOT NULL before setting The database manipulation doesn't prevent macOS from automatically creating per-space entries and disabling the "Show on all spaces" toggle. Question: Is there a way to programmatically set wallpaper while preserving the "Show on all spaces" setting on macOS Tahoe? Environment: macOS: Tahoe (latest) Architecture: Apple Silicon Use case: Daily automated wallpaper updates via Shortcuts

I need to use Xcode version 16 for a college project. However, I cannot install it on my mac. M2Pro - ios Tahoe 26.2. Is there any workaround for this? Is my best option to downgrade to Sequoia? I'm a little apprehensive about this but willing to give it a try. Can anyone recommend a good, reliable video for this?

Hello, We're developing endpoint security software using the Endpoint Security framework, and we've encountered challenges with the behavior change in macOS 15 regarding provisioning UDIDs in cloned VMs. The Change Prior to macOS 15, cloning a VM preserved its UDID (format: 0000FE00-9C4ED9F68BBDC72D). Starting with macOS 15, cloned VMs receive a new UDID generated from the host's Secure Enclave (format: b043d27202c7ac37ca3c6b82673302225485cae9), making each clone effectively a new device. Our Workflow We maintain a clean base VM image and clone it for each test run. We add the base VM's UDID to our provisioning profile once, then create clones which (previously) retained that same UDID, allowing us to start new testing cycles without re-registering devices. This is essential because our product involves low-level system integration through the Endpoint Security framework, and if something goes wrong during development, it has the potential to affect system stability. To prevent any cascading issues between test runs or different product versions, we need each test to start from a known clean state rather than reusing the same VM. The Challenge With each VM clone generating a new UDID, we're hitting Apple's device registration limits quickly. This particularly impacts: New team members who spin up VMs for the first time and can't run signed builds Our CI/CD pipeline where multiple test environments need provisioning profiles Developers testing different branches who need separate clean environments Current Workaround We've found that VMs created on macOS 14 and upgraded to macOS 15+ retain their original UDID format. However, we're concerned this workaround may stop working in future macOS versions, which would leave us without a viable path forward. If the workaround stops working, our fallback would be signing each CI build with a Developer ID signature to allow running on any device. However, we'd prefer to avoid this as it would significantly increase load on Apple's signing infrastructure for what are essentially internal test builds. We completely understand the security reasoning behind tying UDIDs to the host's Secure Enclave for Apple Account support. However, for development workflows that don't require Apple Account features in VMs but do require clean, isolated test environments, the previous behavior was quite valuable. Question Is there a recommended approach for teams in our situation? We're happy to explore alternative workflows if there's a pattern we're missing, or we'd be glad to provide more context if this is a use case Apple is considering for future updates. Thanks for any guidance you can provide! Feedback case: FB21389730

I'm developing a passkey manager using ASCredentialProviderViewController. I've set a custom AAGUID in the attestation object during registration: let aaguid = Data([ 0xec, 0x78, 0xfa, 0xe8, 0xb2, 0xe0, 0x56, 0x97, 0x8e, 0x94, 0x7c, 0x77, 0x28, 0xc3, 0x95, 0x00 ]) However, when I test on webauthn.io, the relying party receives: AAGUID: 00000000-0000-0000-0000-000000000000 Provider Name: "iCloud Keychain" It appears that macOS overwrites the AAGUID to all zeros for third-party Credential Provider Extensions. This makes it impossible for relying parties to distinguish between different passkey providers, which is one of the key purposes of AAGUID in the WebAuthn specification. Is this expected behavior? Is there a way for third-party Credential Provider Extensions to use their own registered AAGUID? Environment: macOS 26.2 Xcode 26.2

I have written this function: @available(macOS 26.0, *) func instancing() async -> Entity { let entity = Entity() do { // 1. Create a CustomMaterial let library = offscreenRenderer.pointRenderer!.device.makeDefaultLibrary()! let surfaceShader = CustomMaterial.SurfaceShader( named: "surfaceShaderWithCustomUniforms", // This must match the function name in Metal in: library ) let instanceCount = 10 // No idea how to actually use this... // let bufferSize = instanceCount * MemoryLayout<UInt32>.stride // // // Create the descriptor // var descriptor = LowLevelBuffer.Descriptor(capacity: bufferSize, sizeMultiple: MemoryLayout<UInt32>.stride) // // // Initialize the buffer // let lowLevelBuffer = try LowLevelBuffer(descriptor: descriptor) // lowLevelBuffer.withUnsafeMutableBytes { rawBytes in // // Bind the raw memory to the UInt32 type // let pointer = rawBytes.bindMemory(to: UInt32.self) // pointer[1] = 0xff_0000 // pointer[0] = 0x00_ff00 // pointer[2] = 0x00_00ff // pointer[3] = 0xff_ff00 // pointer[4] = 0xff_00ff // pointer[5] = 0x00_ffff // pointer[6] = 0xff_ffff // pointer[7] = 0x7f_0000 // pointer[8] = 0x00_7f00 // pointer[9] = 0x00_007f // } var material = try CustomMaterial(surfaceShader: surfaceShader, lightingModel: .lit) material.withMutableUniforms(ofType: SurfaceCustomUniforms.self, stage: .surfaceShader) { params, resources in params.argb = 0xff_0000 } // 2. Create the ModelComponent (provides the MESH and MATERIAL) let mesh = MeshResource.generateSphere(radius: 0.5) let modelComponent = ModelComponent(mesh: mesh, materials: [material]) // 3. Create the MeshInstancesComponent (provides the INSTANCE TRANSFORMS) let instanceData = try LowLevelInstanceData(instanceCount: instanceCount) instanceData.withMutableTransforms { transforms in for i in 0..<instanceCount { let instanceAngle = 2 * .pi * Float(i) / Float(instanceCount) let radialTranslation: SIMD3<Float> = [-sin(instanceAngle), cos(instanceAngle), 0] * 4 // Position each sphere around a circle. let transform = Transform( scale: .one, rotation: simd_quatf(angle: instanceAngle, axis: [0, 0, 1]), translation: radialTranslation ) transforms[i] = transform.matrix } } let instancesComponent = try MeshInstancesComponent(mesh: mesh, instances: instanceData) // 4. Attach BOTH to the same entity entity.components.set(modelComponent) entity.components.set(instancesComponent) } catch { print("Failed to create mesh instances: \(error)") } return entity } and this is the corresponding Metal shader typedef struct { uint32_t argb; } SurfaceCustomUniforms; [[stitchable]] void surfaceShaderWithCustomUniforms(realitykit::surface_parameters params, constant SurfaceCustomUniforms &customParams) { half3 color = { static_cast<half>((customParams.argb >> 16) & 0xff), static_cast<half>((customParams.argb >> 8) & 0xff), static_cast<half>(customParams.argb & 0xff) }; params.surface().set_base_color(color); } which works well and generates 10 red spheres. While listening to the WWDC25 presentation on what's new in RealityKit I am positive to hear the presenter saying that it is possible to customise each instance using a LowLevelBuffer, but so far all my attempts have failed. Is it possible, and if so how ? Thanks for reading and for your help. Kind regards, Christian

It's quite common for app bundles to be distributed in .zip files, and to be stored on-disk as filesystem-compressed files. However, having them both appears to be an edge case that's broken for at least two major releases! (FB19048357, FB19329524) I'd expect a simple ditto -x -k appbundle.zip ~/Applications (-x: extract, -k: work on a zip file) to work. Instead it spits out countless errors and leaves 0 Byte files in the aftermath 😭 Please fix.

Hi,Does anyone else encountered a delayed or unresponsive change when trying to change input languageon macos Sierra?Beta1 and 2 same problem.Working great on El Capitan.Thanks in advanced