DCAppAttestService.isSupported always returns false on macOS 27

Privacy & Security App Attest & DeviceCheck
mmosbah OP
Created 12h
Replies 1
Boosts 0
Views 40
Participants 2

I've been implementing App Attest on macOS 27 following the WWDC 2026 Session 201 announcement. DCAppAttestService.shared.isSupported always returns false on my M4 Mac running macOS 27.0 (26A5368g), even with the correct entitlement and a valid provisioning profile.

What I have set up (correctly, as far as I can tell)

  • com.apple.developer.devicecheck.app-attest-opt-in capability enabled in the Developer Portal (value CDhash)
  • Entitlement present in both the binary and the embedded provisioning profile
  • Developer ID signed, ProvisionsAllDevices: true

The problem

DCAppAttestService.shared.isSupported returns false from every process type I tested:

  • An EndpointSecurity system extension
  • A launchd daemon
  • A sandboxed app running in user session

generateKey() fails with com.apple.devicecheck.error code 1 (featureUnsupported).

Root cause? (from devicecheckd logs)

I see these logs devicecheckd: [com.apple.devicecheck:aai] FeatureFlagsManager.m:35 Mac feature flag enabled { enabled=1 }.

devicecheckd: (AppAttestInternal) [com.apple.appattest:secl] SecurityController.swift:44 Failed to fetch value for entitlement. { entitlement=com.apple.devicecheck.daemon-client }

devicecheckd: (AppAttestInternal) [com.apple.appattest:aahl] AppAttestHandler.swift:48 Client connection is ineligible. { clientUUID=nil }

So the feature IS active in macOS 27 (Mac feature flag enabled=1), but devicecheckd immediately rejects any connecting process that doesn't hold the private entitlement com.apple.devicecheck.daemon-client.

What is com.apple.devicecheck.daemon-client?

Searching public entitlement databases shows this entitlement exists on iOSbut no macOS binary appears to hold it in any public database. It's not available to third-party developers via the Developer Portal. This check in SecurityController.swift:44 appears to be new in this beta.

Questions

Is com.apple.devicecheck.daemon-client the correct mechanism for third-party developers to use App Attest on macOS 27, or is this an internal gating mechanism that will be replaced/removed before GM?

Is App Attest on macOS 27 fully available to third-party developers in this seed, or is it still restricted to Apple-internal testing?

Is there a different entitlement or provisioning capability that third-party developers should request to allow DCAppAttestService.isSupported to return true?

Replies  1
Boosts  0
Views  40
Participants  2
Engineer OP
Apple
2h

At this point, on macOS 27, AppAttest is only supported for full Mac apps running in a user context, and not available in daemons, system extensions, and other non-app processes.

Items you may have seen in system logs would be for internal diagnostic logging, and does not mean they are available resources to be used.

If using AppAttest in non-app contexts is something you would like, filing a feature request explaining your use case would be the nest way to communicate to the team that this is something to be considered in the future.

DCAppAttestService.isSupported always returns false on macOS 27
First post date Last post date
 
 
Q