App Store Connect's privacy label system creates impossible review situations by checking live app versions instead of submitted builds. Problem: Developer has a live app with tracking on the App Store Developer create a new app version with all tracking removed Privacy labels from AppStore Connect cannot be updated because system references live version with tracking App gets rejected for privacy label mismatch with submitted build Cannot fix labels until approved, cannot get approved with wrong labels Expected behavior: Privacy label system should allow updates for pending app versions or check submitted build instead of live version. Steps to reproduce: Submit app update with tracking removed Try to update privacy labels to "no tracking" from AppStore Connect System shows error: "Your app contains NSUserTrackingUsageDescription, indicating that you will request permission to track users. You must indicate which data types are tracking users. If this is incorrect, update your app binary and upload a new build to App Store Connect." App gets rejected despite submitted build having no tracking This affects any developer trying to remove tracking functionality from AppStore Connect in such a scenario. I have opened a bug in Feedback Assistant: FB19459680

Hi everyone, I'm facing a frustrating App Store rejection that I can't seem to resolve. My app was rejected under Guideline 2.1 - Information Needed with the following message: "The app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request when reviewed on iPadOS 18.5." However, in my latest version (2.9 Build 18), I have: Removed all SDKs that collect IDFA or perform tracking. Removed the AppTrackingTransparency framework entirely. Removed the NSUserTrackingUsageDescription key from Info.plist. Confirmed that no third-party SDKs are accessing IDFA or similar. Not using the app_tracking_transparency package (I'm using Flutter). I included a detailed review note explaining all of this, yet the app still gets rejected for not showing the ATT prompt — even though ATT is not used at all. Also, I can't update the App Privacy section until this new version is approved, which still reflects tracking from a previous live version (2.3). Has anyone faced something similar? Questions: Is there a way to confirm what part of the build might still be triggering ATT detection on Apple's side? Could an unused pod or leftover reference be the issue? How do I fully verify that ATT is not linked anywhere in the final binary? Any guidance or tips from others who’ve resolved this would be hugely appreciated! Thanks

Hi everyone, I have a macOS application that uses Screen Recording permission. I build my app with an adhoc signature (not with a Developer ID certificate). For example, in version 1.0.0, I grant Screen Recording permission to the app. Later, I build a new version (1.1.0) and update by dragging the new app into the Applications folder to overwrite the previous one. However, when I launch the updated app, it asks for Screen Recording permission again, even though I have already granted it for the previous version. I don’t fully understand how TCC (Transparency, Consent, and Control) determines when permissions need to be re-granted. Can anyone explain how TCC manages permissions for updated builds, especially with adhoc signatures? Is there any way to retain permissions between updates, or any best practices to avoid having users re-authorize permissions after every update?

We have a Java application built for macOS. On the first launch, the application prompts the user to allow local network access. We've correctly added the NSLocalNetworkUsageDescription key to the Info.plist, and the provided description appears in the system prompt. After the user grants permission, the application can successfully connect to a local server using its hostname. However, the issue arises after the system is rebooted. When the application is launched again, macOS does not prompt for local network access a second time—which is expected, as the permission was already granted. Despite this, the application is unable to connect to the local server. It appears the previously granted permission is being ignored after a reboot. A temporary workaround is to manually toggle the Local Network permission off and back on via System Settings > Privacy & Security, which restores connectivity—until the next reboot. This behavior is highly disruptive, both for us and for a significant number of our users. We can reproduce this on multiple systems... The issues started from macOS Sequoia 15.0 By opening the application bundle using "Show Package Contents," we can launch the application via "JavaAppLauncher" without any issues. Once started, the application is able to connect to our server over the local network. This seems to bypass the granted permissions? "JavaAppLauncher" is also been used in our Info.plist file

Hey there! So, I'm trying to see what I'm able to do with the Device Activity Report Extension, and I have a few questions about the following quote: To protect the user’s privacy, your extension runs in a sandbox. This sandbox prevents your extension from making network requests or moving sensitive content outside the extension’s address space. In particular, what constitutes the address space for this extension? Can I save data to a UserDefaults object that only the extension can access? (Apps like Opal allow the user to label apps as "distracting" and "non-distracting", and I'm wondering how they do that!) From what I've read, I believe it cannot write to a shared app group or model (and I just want to confirm this) It also seems that there's nothing preventing it from reading data from the main app, so I'm just wondering if it's able to read data from an app group or model with no problem. Thanks in advance!

Hello everyone, Ujjwal here, founder and CEO of a new iOS app in the mental wellness space. Our mission is to provide accessible, AI-driven support for individuals dealing with anxiety, depression, and loneliness. From the very beginning, this has presented us with a unique and critical challenge: How do we effectively market an app to reach those who need it most, while upholding the absolute highest standards of user privacy? We've built our app, ThunDroid, with a "privacy-by-design" philosophy. We leverage on-device processing for our core AI features, utilize end-to-end encryption, and have proudly integrated 'Sign in with Apple' to maximize user anonymity. We believe these are not just features, but ethical obligations to our users, especially given the nature of the data they trust us with. The challenge, however, arises in marketing. This leads us to focus on mission-driven, organic marketing, but it's a slower path to reaching users who might be in immediate need of support. This brings me to my question for this knowledgeable community. What best practices or creative strategies have you found effective for marketing applications? I appreciate any insights or experiences you're willing to share as we continue to grow ThunDroid responsibly. Thank you for your time and consideration. App Store link: (would love to hear your reviews) [https://apps.apple.com/in/app/thundroid-ai-human-companion/id6746182736)

Hi everyone, I’m working on a concept for an iOS app that would allow a user to remotely control an Enterprise iOS device, similar to how AnyDesk or TeamViewer work on desktop. I understand that apps like TeamViewer for iOS offer screen sharing, and some level control but not a full level control. Before I invest further in development, I’d like to clarify a few points: Is there any official Apple-supported way (public or private API) to allow remote control of an iOS device? Has Apple ever approved apps that allow true remote control of iOS (not just screen sharing)? If full control is not allowed, what are the permitted alternatives (e.g. screen broadcast via ReplayKit, remote assistance mode, etc.)? Would such an app be considered for enterprise distribution only (via MDM), or is there a potential App Store path? Any insight or experience from developers who’ve tried this would be very appreciated. Thanks!

My application needs local network access. When it is started for the first time, the user gets a prompt to enable local network access (as expected). The application is then shown as enabled in Privacy & Security / Local Network and local network access is working. If macOS is then shutdown and restarted, local network access is blocked for the application even though it is still shown as enabled in Privacy & Security / Local Network. Local network access can be restored either by toggling permission off and on in Privacy & Security / Local Network or by disabling and enabling Wi-Fi. This behaviour is consistent on Sequoia 15.1. It happens sometimes on 15.0 and 15.0.1 but not every time. Is my application doing something wrong or is this a Sequoia issue? If it is a Sequoia issue, is there some change I can make to my application to work around it?

For context, my company develops a data loss prevention (DLP) product. Part of our functionality is the ability to detect sensitive data being pasted into a web browser or cloud-based app. The AppKit release notes for April 2025 document an upcoming “macOS pasteboard privacy” feature, which will presumably ship in macOS 26. Using the user default setting “EnablePasteboardPrivacyDeveloperPreview” documented in the release notes, I tested our agent under macOS 15.5, and encountered a modal alert reading " is trying to access the pasteboard" almost immediately, when the program reads the General pasteboard to scan its contents. Since our product is aimed at enterprise customers (and not individual Mac users), I believed Apple would implement a privacy control setting for this new feature. This would allow our customers to push a configuration profile via MDM, with the “Paste from Other Apps” setting for our application preset to “Allow”, so that they can install our product on their endpoints without manual intervention. Unfortunately, as of macOS 26 beta 4 (25A5316i), there does not seem to be any such setting documented under Device Management — for example in PrivacyPreferencesPolicyControl.Services, which lists a number of similar settings. Without such a setting available, a valuable function of our product will be effectively crippled when macOS 26 is released. Is there such a setting (that I've overlooked)? If not, allow me to urge Apple to find the resources to implement one, so that our customers can preset “Paste from Other Apps” to “Allow” for our application.

Our app is connected to a hardware wifi without network. Under normal circumstances, we can communicate with the device. At some point, the communication suddenly stops, and the ping prompts "No route to host". The only way to reconnect is to restart the device. It feels like the system has marked ARP. Is there any way to reconnect the device without restarting the device?

I am developing a macOS application (targeting macOS 13 and later) that is non-sandboxed and needs to install and trust a root certificate by adding it to the System keychain programmatically. I’m fine with prompting the user for admin privileges or password, if needed. So far, I have attempted to execute the following command programmatically from both: A user-level process A root-level process sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/cert.pem While the certificate does get installed, it does not appear as trusted in the Keychain Access app. One more point: The app is not distributed via MDM. App will be distributed out side the app store. Questions: What is the correct way to programmatically install and trust a root certificate in the System keychain? Does this require additional entitlements, signing, or profile configurations? Is it possible outside of MDM management? Any guidance or working samples would be greatly appreciated.

Hello Developer Forums Team, I’ve seen that some banking apps prevent screenshots on certain sensitive screens. I’m working on a similar feature in my SDK and want to confirm if my implementation complies with App Store guidelines. Since there’s no public API to block screenshots, I’m using a workaround based on the secure rendering behavior of UITextField (isSecureTextEntry = true). I embed my custom content (e.g., a UITableView) inside the internal secure container of a UITextField, which results in blank content being captured during screenshots—similar to what some banking apps do. Approach Summary I create a UITextField I detect its internal secure container by matching UIKit internal class names as strings I embed my real UI content into that container I do not use or call any private APIs, just match view class names via strings. ScreenshotPreventingView.swift final class ScreenshotPreventingView: UIView { private let textField = UITextField() private let recognizer = HiddenContainerRecognizer() private var contentView: UIView? public var preventScreenCapture = true { didSet { textField.isSecureTextEntry = preventScreenCapture } } public init(contentView: UIView? = nil) { super.init(frame: .zero) self.contentView = contentView setupUI() } private func setupUI() { guard let container = try? recognizer.getHiddenContainer(from: textField) else { return } addSubview(container) NSLayoutConstraint.activate([ container.topAnchor.constraint(equalTo: topAnchor), container.bottomAnchor.constraint(equalTo: bottomAnchor), container.leadingAnchor.constraint(equalTo: leadingAnchor), container.trailingAnchor.constraint(equalTo: trailingAnchor) ]) if let contentView = contentView { setup(contentView: contentView, in: container) } DispatchQueue.main.async { self.preventScreenCapture = true } } private func setup(contentView: UIView) { self.contentView?.removeFromSuperview() self.contentView = contentView guard let container = hiddenContentContainer else { return } container.addSubview(contentView) container.isUserInteractionEnabled = isUserInteractionEnabled contentView.translatesAutoresizingMaskIntoConstraints = false let bottomConstraint = contentView.bottomAnchor.constraint(equalTo: container.bottomAnchor) bottomConstraint.priority = .required - 1 NSLayoutConstraint.activate([ contentView.leadingAnchor.constraint(equalTo: container.leadingAnchor), contentView.trailingAnchor.constraint(equalTo: container.trailingAnchor), contentView.topAnchor.constraint(equalTo: container.topAnchor), bottomConstraint ]) } } HiddenContainerRecognizer.swift struct HiddenContainerRecognizer { private enum Error: Swift.Error { case unsupportedOSVersion(version: Float) case desiredContainerNotFound(_ containerName: String) } func getHiddenContainer(from view: UIView) throws -> UIView { let containerName = try getHiddenContainerTypeInStringRepresentation() let containers = view.subviews.filter { subview in type(of: subview).description() == containerName } guard let container = containers.first else { throw Error.desiredContainerNotFound(containerName) } return container } private func getHiddenContainerTypeInStringRepresentation() throws -> String { if #available(iOS 15, *) { return "_UITextLayoutCanvasView" } if #available(iOS 14, *) { return "_UITextFieldCanvasView" } if #available(iOS 13, *) { return "_UITextFieldCanvasView" } if #available(iOS 12, *) { return "_UITextFieldContentView" } let currentIOSVersion = (UIDevice.current.systemVersion as NSString).floatValue throw Error.unsupportedOSVersion(version: currentIOSVersion) } } How I use it in my Screen let container = ScreenshotPreventingView() override func viewDidLoad() { super.viewDidLoad() container.preventScreenCapture = true container.setup(contentView: viewContainer) //viewContainer is UIView in storyboard, in which all other UI elements are placed in e.g. UITableView self.view.addSubview(container) container.translatesAutoresizingMaskIntoConstraints = false NSLayoutConstraint.activate([ container.topAnchor.constraint(equalTo: self.view.topAnchor), container.bottomAnchor.constraint(equalTo: self.view.bottomAnchor), container.leadingAnchor.constraint(equalTo: self.view.leadingAnchor), container.trailingAnchor.constraint(equalTo: self.view.trailingAnchor) ]) } What I’d Like to Confirm Is this approach acceptable for App Store submission? Is there a more Apple-recommended approach to prevent screen capture of arbitrary UI? Thank you for your help in ensuring compliance.

General: Forums topic: Privacy & Security Forums tag: Privacy Developer > Security — This also covers privacy topics. App privacy details on the App Store UIKit > Protecting the User’s Privacy documentation Bundle Resources > Privacy manifest files documentation TN3181 Debugging an invalid privacy manifest technote TN3182 Adding privacy tracking keys to your privacy manifest technote TN3183 Adding required reason API entries to your privacy manifest technote TN3184 Adding data collection details to your privacy manifest technote TN3179 Understanding local network privacy technote Handling ITMS-91061: Missing privacy manifest forums post Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

While I was submitting a new feedback today for an iPhone/iPad storage issue, I saw a new log called “iOS storage log”. I could find no reference to this when I searched online. It made me wonder if it was new and if it contained personal data? Most of us only have one device, with all our personal data. Therefore, I’d appreciate any input on what personal data these logs contain.

Hi Apple Devs & WebKit Team, We operate https://excnum.com — a personal website currently under reconstruction. It's HTTPS-secure, hosted on a clean VPS, and now features a simple placeholder page with no active forms, scripts, or external redirects. However, Safari on both iOS and macOS is flagging it as a “deceptive website”, blocking all access. This warning appears even though: The site uses a valid SSL certificate via Cloudflare There are no redirects, tracking scripts, or dynamic code We serve a static landing page (“under maintenance”) with zero interaction No malware, phishing, or obfuscation exists — verified with multiple tools A review request has already been submitted at: https://websitereview.apple.com We believe the site may have been blacklisted previously under past ownership or prior configurations. It has since been completely restructured and cleared, but the Safari warning persists. This false flag is harming visibility and trust for an otherwise neutral website. Any advice on how to expedite re-evaluation or request a manual delisting from the deceptive site list would be much appreciated. Thank you! — Alex Admin, EXCNUM.COM

I've developed a Mac app distributed through the App Store that uses NSAppleScript to control Spotify and Apple Music. I'm experiencing inconsistent behavior with automation permission prompts that's affecting user experience. Expected Behavior: When my app first attempts to send Apple Events to Spotify or Apple Music, macOS should display the automation permission prompt, and upon user approval, the app should appear in System Preferences > Security & Privacy > Privacy > Automation. Actual Behavior: Initial permission prompts work correctly when both apps are actively used after my app download. If a user hasn't launched Spotify/Apple Music for an extended period, the permission prompt fails to appear when they later open the music app. The music app doesn't appear in the Automation privacy pane too. Once this happens, permission prompts never trigger again for that app Steps to Reproduce: Fresh install of my app Don't use Spotify for several days/weeks Launch Spotify Trigger Apple Events from my app to Spotify No permission prompt appears, app doesn't show in Automation settings If you're using Apple Music during this time it runs without any problems. Troubleshooting Attempted: Used tccutil reset AppleEvents [bundle-identifier] - no effect Verified target apps are fully launched before sending Apple Events Tried different AppleScript commands to trigger permissions Problem occurs inconsistently across different Macs Technical Details: macOS 13+ support Using standard NSAppleScript with simple commands like "tell application 'Spotify' to playpause" App Store distribution (no private APIs) Issue affects both Spotify and Apple Music but seems more prevalent with Apple Music Questions: Is there a reliable way to programmatically trigger the automation permission prompt? Are there timing dependencies for when macOS decides to show permission prompts? Could app priority/usage patterns affect permission prompt behavior? I use MediaManager to run the functions and initialize it on AppDidFinishLaunching method and start monitoring there. Any insights or workarounds would be greatly appreciated. This inconsistency is affecting user onboarding and app functionality.

I want iOS device identifier for a framework that is used in multiple vendor's apps. I'm developing a framework to control a peripheral. The framework has to send unique information to register the device with the peripheral. My naive idea was to use IdentifierForVendor. But this API provides the device identifier for the same vendor's apps, not the framework. (The framework will be used by multiple vendors.) Is there a usable device identifier for the framework, regardless of app vendor? Please tell me any solution.

Hello, I have a command line application that uses iTunesLibrary to "save" the state of what I have listened to. I have it run every night via a LaunchAgent. You can see the source here: https://github.com/bolsinga/itunes_json Prior to Sequoia it would run nightly. I'd just have to grant it access to the Music library once, and it would be fine thereafter. However with Sequoia it requires UI interaction to grant it access every time. This makes it no longer run unattended overnight, defeating its purpose. I have the console logs of when this happens. You can see it in my issue tracking it here: https://github.com/bolsinga/itunes_json/issues/410 One thing that makes me wonder is that it is a command line application, not a bundle. How do I make a command line application get access to MusicKit / iTunesLibrary, and keep it thereafter? I'd like to get my pre-Sequoia behavior back. I've filed FB15592660 too. I've granted it access to run in the background, as well as access to my Music library (please see attached screenshots). AMPLibraryAgent 10:48:29.489944-0700 xpc Connection from framework client invalidated pid:57606 clientname:iTunesLibrary(itunes_json) AMPLibraryAgent 10:48:29.492763-0700 service Unloading domains(14) for ClientID:iTunesLibrary(itunes_json)-1229 previous open:15 new open:1 itunes_json 10:48:59.980864-0700 connection [0x157f05800] activating connection: mach=true listener=false peer=false name=com.apple.amp.library.framework tccd 10:48:59.982568-0700 access AUTHREQ_ATTRIBUTION: msgID=1795.214, attribution={accessing={TCCDProcess: identifier=itunes_json, pid=57652, auid=501, euid=501, binary_path=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json}, requesting={TCCDProcess: identifier=com.apple.AMPLibraryAgent, pid=1795, auid=501, euid=501, binary_path=/System/Library/PrivateFrameworks/AMPLibrary.framework/Versions/A/Support/AMPLibraryAgent}, }, tccd 10:48:59.982651-0700 access requestor: TCCDProcess: identifier=com.apple.AMPLibraryAgent, pid=1795, auid=501, euid=501, binary_path=/System/Library/PrivateFrameworks/AMPLibrary.framework/Versions/A/Support/AMPLibraryAgent is checking access for accessor TCCDProcess: identifier=itunes_json, pid=57652, auid=501, euid=501, binary_path=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json tccd 10:48:59.995636-0700 access AUTHREQ_SUBJECT: msgID=1795.214, subject=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json, tccd 10:48:59.996283-0700 access -[TCCDAccessIdentity staticCode]: static code for: identifier /Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json, type: 1: 0xc00341b00 at /Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json tccd 10:49:00.018205-0700 access Failed to match existing code requirement for subject /Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json and service kTCCServiceMediaLibrary cdhash H"6bc380972f4df49b337a2a05308fb7b98fbe6473" or cdhash H"0708bcaabbfbab8770522050f7e2642d4d864f31" cdhash H"6bc380972f4df49b337a2a05308fb7b98fbe6473" or cdhash H"0708bcaabbfbab8770522050f7e2642d4d864f31" tccd 10:49:00.018997-0700 access AUTHREQ_PROMPTING: msgID=1795.214, service=kTCCServiceMediaLibrary, subject=Sub:{/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json}Resp:{TCCDProcess: identifier=itunes_json, pid=57652, auid=501, euid=501, binary_path=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json}, AMPLibraryAgent 10:49:02.489170-0700 xpc ampld> register framework ClientName:iTunesLibrary(itunes_json) tccd 10:49:02.488189-0700 events Publishing <TCCDEvent: type=Create, service=kTCCServiceMediaLibrary, identifier_type=Path, identifier=/Users/bolsinga/Applications/itunes_json/Products/usr/local/bin/itunes_json> to 4 subscribers: { 633 = "<TCCDEventSubscriber: token=633, state=Initial, csid=(null)>"; 628 = "<TCCDEventSubscriber: token=628, state=Passed, csid=com.apple.chronod>"; 464 = "<TCCDEventSubscriber: token=464, state=Passed, csid=com.apple.cloudd>"; 513 = "<TCCDEventSubscriber: token=513, state=Passed, csid=com.apple.photolibraryd>"; } AMPLibraryAgent 10:49:02.490391-0700 xpc ampld> registered framework ClientName:iTunesLibrary(itunes_json) with clientID:1230 itunes_json 10:49:02.792084-0700 connection [0x147e04340] activating connection: mach=true listener=false peer=false name=com.apple.amp.artworkd itunes_json 10:49:02.801482-0700 <Missing Description> openDatabase 0xe4af30f4493e5ef5 artwork folder Y '<private>' itunes_json 10:49:02.805087-0700 <Missing Description> openDatabase 0xf2db6e8d7672edc9 artwork folder Y '<private>' itunes_json 10:49:02.806736-0700 <Missing Description> openDatabase 0xfb2acd898c951851 artwork folder Y '<private>' itunes_json 10:49:02.813286-0700 <Missing Description> openDatabase 0xf0f4919c5ff0e88 artwork folder Y '<private>' itunes_json 10:49:09.634928-0700 connection [0x600002b6a0d0] activating connection: mach=true listener=false peer=false name=com.apple.cfprefsd.daemon itunes_json 10:49:09.635019-0700 connection [0x600002b78000] activating connection: mach=true listener=false peer=false name=com.apple.cfprefsd.agent AMPLibraryAgent 10:49:12.382878-0700 xpc Connection from framework client invalidated pid:57652 clientname:iTunesLibrary(itunes_json) AMPLibraryAgent 10:49:12.383474-0700 service Unloading domains(14) for ClientID:iTunesLibrary(itunes_json)-1230 previous open:15 new open:1 itunes_json.log

Hey, there are plans to design a government app. When a citizen will login they will see their passport, driving license etc... What is the solution of avoiding mandatory in-app user data deletion?

We were recently approved for the "User Assigned Device Name" for a specific app Identifier. The "Additional Capabilities" tab isn't present on that App ID. I am an admin in the developer portal, and this does not appear for the account holder as well. Any help would be appreciated.