DeviceActivityReportExtension sandbox blocks all output channels — how to export resolved Application.bundleIdentifier?
Application.bundleIdentifier only resolves to a non-nil value inside a DeviceActivityReportExtension (ExtensionKit/XPC). The main app and DeviceActivityMonitor extension always return nil.
However, the Report Extension's sandbox silently blocks every output channel I've tested:
- UserDefaults (App Group): Reads succeed, writes silently dropped
- File writes (App Group container): Fail silently or throw
- HTTP requests: Network blocked entirely
- Local Notifications: "Couldn't communicate with a helper application"
- UIPasteboard: Writes silently fail
- iCloud KVS: synchronize() returns false
Both targets share the same com.apple.security.application-groups entitlement and group identifier. The main app reads and writes to the shared container normally — only the extension's writes fail.
This means resolved bundle identifiers can only be rendered in the extension's own SwiftUI view and cannot be communicated anywhere else.
My question:
Is this sandbox restriction intentional? If so, what is the recommended mechanism for the host app (or a backend) to obtain the resolved bundle identifiers that only the Report Extension can access?
Environment: Xcode 16.3, iOS 18.3, physical device.
Sample project: https://drive.google.com/file/d/1DPyN2BCUt5p-RKEPA0zsDFFEvgZVHlS_/view?usp=sharing — a minimal two-target project that demonstrates every failing channel. Run on a physical device, grant Screen Time access, select apps, and observe that bundle ID resolution shows PASS but all write channels show FAIL.
