evaluatedPolicyDomainState

Hi Apple Developers, I'm having a problem with evaluatedPolicyDomainState: on the same device, its value keeps changing and then switching back to the original. My current iOS version is 26.1. I upgraded my iOS from version 18.6.2 to 26.1. What could be the potential reasons for this issue?

#import <LocalAuthentication/LocalAuthentication.h>
#import <CommonCrypto/CommonDigest.h>
#import <Foundation/Foundation.h>
#import <string.h>

// Assumed wrapper: the original post shows only the function body. uviOut must point at a
// buffer of at least CC_SHA256_DIGEST_LENGTH bytes; *poutlen receives the number of bytes written.
static void computeDomainStateHash(unsigned char *uviOut, size_t *poutlen)
{
    NSError *error = nil;
    BOOL success = YES;
    const void *eds = NULL;
    CC_LONG edslen = 0;

    LAContext *context = [[LAContext alloc] init];

    // Test if we can evaluate the policy; this tells us whether Touch ID / Face ID (or the
    // passcode) is available and enrolled. The original compared an undefined SystemVersion
    // against 9.3; NSProcessInfo performs the same check.
    if ([[NSProcessInfo processInfo] isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){9, 3, 0}]) {
        success = [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:&error];
    } else {
        success = [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error];
    }

    if (success) {
        // The domain state is only meaningful after canEvaluatePolicy:/evaluatePolicy: succeeded.
        NSData *stateHash = nil;

        if (@available(iOS 18.0, *)) {
            // iOS 18 replaces evaluatedPolicyDomainState with domainState.stateHash. The
            // performSelector: calls let the code build against SDKs that predate LADomainState;
            // the respondsToSelector: check is redundant inside @available(iOS 18.0) but harmless.
            if ([context respondsToSelector:@selector(domainState)]) {
                stateHash = [[context performSelector:@selector(domainState)] performSelector:@selector(stateHash)];
            } else {
                stateHash = [context evaluatedPolicyDomainState];
            }
        } else {
            stateHash = [context evaluatedPolicyDomainState];
        }

        // Keep stateHash alive while its bytes are hashed (the original grabbed .bytes from a
        // temporary). Note that a nil state yields eds == NULL, edslen == 0, and the stored value
        // silently becomes SHA-256("") rather than a real domain state.
        eds = stateHash.bytes;
        edslen = (CC_LONG)stateHash.length;

        CC_SHA256(eds, edslen, uviOut);
        *poutlen = CC_SHA256_DIGEST_LENGTH;
    } else {
        // Biometrics/passcode not available: emit a fixed sentinel so the caller can tell this
        // case apart from a real hash (gm_memset in the original is a plain memset).
        *poutlen = 32;
        memset(uviOut, 0x01, 32);
    }
}
Answered by DTS Engineer in 873220022

its value keeps changing and then switching back to the original

Can you expand on this? When does it change? Between different runs of your app? Or across OS upgrades? Or something else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The user previously upgraded to version 26.1, then downgraded to 18.6.2 for certain reasons, and has now upgraded back to 26.1. Currently, an issue has occurred once on version 26.1 where two values keep switching back and forth. Since we record this value on the server during user registration, we noticed that the user’s value has changed. Moreover, this value will not change randomly, and the user stated that they have not modified the facial recognition data of the device.

Could there be a caching situation for this value in the system? And what is the basis for generating this value?

The user previously …

Well, that’s quite an edge case.

Having said that, just because it’s an edge case doesn’t mean it shouldn’t work |-:

And what is the basis for generating this value?

I can’t go into those details. I don’t know off the top of my head but, even if I did, I’m reluctant to discuss implementation details like this unless there’s some specific benefit to it. And I’m not seeing that here.

Rather, this is clearly something that you should report as a bug.

IMPORTANT For this bug to get any sort of traction, you’ll need a sysdiagnose log. I’m presuming you can’t reproduce that yourself, so you’ll need to ask your user to either send you the sysdiagnose log or file their own bug, attach the log there, and send you the bug number.

Ideally they’d trigger this sysdiagnose log immediately after the value changes unexpectedly.

If you do manage to get a bug on file about this, please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The user is not able to upload the diagnostic report for some reasons. Is there any way for me to work around this problem? How can I fix this value to one instead of having two values switching randomly? This situation is seriously affecting the user experience. At present, this client has reported this issue to us many times, but I still cannot get access to the user's mobile phone to troubleshoot it. I upload this value to the server as part of the registration data, and verify this value locally during authentication. From the user's registration database records, it can be seen that there are only two values for this user, and they keep switching constantly. Sometimes the switch happens once a month, and sometimes once a week. Could this possibly be caused by an API bug?

I’m not sure what sort of help you’re expecting me to provide here. As I mentioned above, this looks like a bug to me. If I had a bug report with a sysdiagnose log, I might — and I want to stress the might here — be able to offer more insight. But without that, I’m flying completely blind.

In terms of a workaround, I see two potential options:

  • You could explore user-level workarounds with your user. For example:
    • You might have them reset Face ID (Settings > Face ID & Passcode > Reset Face ID) and re-enroll.
    • Or have them disable the device passcode and then re-enable it.
    • Or have them back up their device and restore from that backup.
    All of these things are common patterns for clearing out mysterious problems.
  • You could explore code-level workarounds. For example:
    • You might change your system to record multiple biometric domain states.
    • Or have an option to disable biometric domain state checking for specific users.

It’s hard to offer specific advice on either of these fronts because I don’t have a relationship with your user and I’m not aware of the constraints imposed on you by your product’s overall security architecture. These are things that you’ll need to explore on your own.

IMPORTANT Regarding those user-level workaround options, if you advise your user to apply them then I encourage you to ask them to save a sysdiagnose log even if they’re not prepared to share that log with anyone. At some point they might change their mind, and you want to get the log saved before they start resetting stuff.

As I said in this thread “grab sysdiagnose logs early and often” (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
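The "record multiple biometric domain states" workaround suggested above, as an added example that is not part of this thread or of any Apple sample: a server-side registry that keeps a bounded set of domain-state hashes per user, tells a known state apart from a never-seen one (which should trigger step-up authentication before it is accepted), and refuses to match the all-0x01 fallback value that the posted client code emits when canEvaluatePolicy fails. DomainStateRegistry, MAX_KNOWN_STATES and the user names are assumptions.

```python
import hashlib
import hmac
from collections import OrderedDict

# Assumption: how many distinct domain states to tolerate per user. Two covers the
# "value flips between A and B" situation described in the thread.
MAX_KNOWN_STATES = 2
# The client's fallback when biometrics are unavailable (memset 0x01 over 32 bytes).
SENTINEL_NO_BIOMETRY = b"\x01" * 32


def client_hash(raw_domain_state: bytes) -> bytes:
    """What the iOS client sends: SHA-256 over the raw LAContext domain-state bytes."""
    return hashlib.sha256(raw_domain_state).digest()


class DomainStateRegistry:
    """Per-user record of domain-state hashes, least recently seen first."""

    def __init__(self):
        self._states = {}  # user -> OrderedDict[hash bytes -> times seen]

    def register(self, user: str, state_hash: bytes) -> None:
        """Called at registration: the user's known-state set starts with one entry."""
        self._states[user] = OrderedDict([(bytes(state_hash), 1)])

    def verify(self, user: str, state_hash: bytes) -> str:
        """Returns 'match', 'new-state', 'no-biometry' or 'unknown-user'."""
        known = self._states.get(user)
        if known is None:
            return "unknown-user"
        # The sentinel means the client could not read a domain state; never treat it as a match.
        if hmac.compare_digest(state_hash, SENTINEL_NO_BIOMETRY):
            return "no-biometry"
        for h in list(known):  # constant-time compare against every stored state
            if hmac.compare_digest(h, state_hash):
                known[h] += 1
                known.move_to_end(h)  # most recently seen goes last
                return "match"
        return "new-state"  # unseen state: require step-up auth before accept_new_state()

    def accept_new_state(self, user: str, state_hash: bytes) -> int:
        """After step-up auth succeeded: add the state, evicting the least recently seen past the cap."""
        known = self._states[user]
        known[bytes(state_hash)] = 1
        while len(known) > MAX_KNOWN_STATES:
            known.popitem(last=False)
        return len(known)
```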
