Explore the core architecture of the operating system, including the kernel, memory management, and process scheduling.

Posts under Core OS subtopic

Post

Replies

Boosts

Views

Activity

Why are unsynchronised File Provider files not moved to Trash when deleting a domain
I’m trying to understand the intended macOS File Provider behavior when unsynchronised local files exist inside a provider volume that gets deleted. Scenario: A local file is moved (not copied) from a normal filesystem location into a File Provider-backed cloud volume. The provider is disabled/offline or upload is pending, so the file has not yet synchronised to the cloud. The File Provider volume/domain is then deleted from Finder and the deletion is confirmed. In this situation, the unsynchronised file appears to be lost entirely instead of being moved to ~/.Trash. My question is: Why doesn’t macOS preserve unsynchronised local content by automatically moving it to Trash before removing the File Provider domain? From a user perspective, Finder presents the provider volume as a normal filesystem hierarchy, so deleting the volume feels equivalent to deleting a local folder or mounted drive, where local-only files would normally be recoverable via Trash. Is the current behavior expected because: File Provider storage is treated as provider-managed cache rather than canonical filesystem data? Finder delegates deletion semantics entirely to the provider extension? The backing files may not exist as normal files at deletion time? Or are providers expected to implement their own recovery/trash logic? More generally: Is there an Apple-recommended pattern for preventing loss of unsynchronised files during domain removal? Are providers expected to retain pending uploads somewhere recoverable? Is there any supported API for preserving unsynced local items before deleting a domain? I’m asking because this behavior can easily lead to unexpected data loss when users assume Finder trash semantics apply to File Provider volumes.
2
0
237
2w
Why are unsynchronised File Provider files not moved to Trash when deleting a domain?
I’m trying to understand the intended macOS File Provider behavior when unsynchronised local files exist inside a provider volume that gets deleted. Scenario: A local file is moved (not copied) from a normal filesystem location into a File Provider-backed cloud volume. The provider is disabled/offline or upload is pending, so the file has not yet synchronised to the cloud. The File Provider volume/domain is then deleted from Finder and the deletion is confirmed. In this situation, the unsynchronised file appears to be lost entirely instead of being moved to ~/.Trash. My question is: Why doesn’t macOS preserve unsynchronised local content by automatically moving it to Trash before removing the File Provider domain? From a user perspective, Finder presents the provider volume as a normal filesystem hierarchy, so deleting the volume feels equivalent to deleting a local folder or mounted drive, where local-only files would normally be recoverable via Trash. Is the current behavior expected because: File Provider storage is treated as provider-managed cache rather than canonical filesystem data? Finder delegates deletion semantics entirely to the provider extension? The backing files may not exist as normal files at deletion time? Or are providers expected to implement their own recovery/trash logic? More generally: Is there an Apple-recommended pattern for preventing loss of unsynchronised files during domain removal? Are providers expected to retain pending uploads somewhere recoverable? Is there any supported API for preserving unsynced local items before deleting a domain? I’m asking because this behavior can easily lead to unexpected data loss when users assume Finder trash semantics apply to File Provider volumes.
1
0
154
2w
Which storage capacity key should be used for offline video downloads: volumeAvailableCapacityKey or volumeAvailableCapacityForImportantUsageKey?
I’m trying to understand which storage capacity key is the correct one to use when deciding whether my app can start downloading offline video content. I read the documentation here: https://developer.apple.com/documentation/foundation/checking-volume-storage-capacity but I still don’t fully understand the intended usage difference between:

- volumeAvailableCapacityKey
- volumeAvailableCapacityForImportantUsageKey

My app allows users to download videos for offline viewing. These downloads may remain on the device for a long time (days or even months), so they are not just temporary cache files. On one hand, this seems to match the description of “storing data based on a user request”, which suggests using volumeAvailableCapacityForImportantUsageKey. On the other hand, my understanding is that this value may assume the system is willing to aggressively purge caches and reclaim space for this “important usage”. I’m worried this could lead to unexpected or unpleasant side effects for the user if my app relies on that space.

What confuses me even more is that the values are significantly different on my device:

- iPhone Settings reports about 142 GB free
- volumeAvailableCapacityKey returns only ~56 GB
- volumeAvailableCapacityForImportantUsageKey returns ~132 GB

So my question is: For an app that downloads videos for offline playback — where the user explicitly requested the download, but the content may stay on device for a long time — which value is the recommended one to use when deciding whether there is enough free space to start the download? Should offline media downloads generally be treated as “important usage” in the sense intended by this API?
3
0
572
2w
VZVirtualMachineView and rightMouseDown
Hi, I am displaying the running Linux Ubuntu VM in VZVirtualMachineView. I would like to simulate right click by calling vZVirtualMachineView.rightMouseDown to trigger right click on the guest. I tried it and it does not work. For macOS guests it is working. For Linux guests it is not working. Any help would be appreciated to fix the issue.
5
0
270
2w
Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file
Hi guys, I am building a custom virtualization utility for macOS using the native Virtualization Framework. My goal is to allow local guest virtual machines to run in Bridged Mode (VZBridgedNetworkDeviceAttachment) so they can acquire their own distinct local IP address from my router and expose service ports directly to the local network. When attempting to compile and run my app with the com.apple.vm.networking entitlement, Xcode throws the following error: "Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file" I understand that this is a restricted capability that is hidden from the standard Apple Developer Portal by default. I have already reached out via email to Apple Developer Support to request it, but I have not received a definitive answer on the process or exact entitlement string name. For those who have successfully shipped or tested a virtualization app with bridged networking, is com.apple.vm.networking the correct string name for modern macOS versions, or is there a newer, specific identifier required? What is the actual entitlement that I should see in my developer account? I can't seem to find it in the docs as well. Would it be called "VM Networking"? Thanks,
1
0
184
2w
M5 Pro - macOS Tahoe 26.4.1 crashes almost immediately after connecting to a VPN
Hello Everyone, Like probably several other Enterprise customers and more, we have been bitten by a bug with regards to VPN and Endpoint Security and the new M5 / M5 Pro SoCs shipping in the latest MacBook devices. I have raised the following feedback ID FB22753954 (which itself references an internal issue I believe, if we need to mark it as a dupe: 172793638). The technical sequence leading to the crash is as follows I believe: The macOS system process neagent successfully initializes the GlobalProtect network extension. The GP Network extension transitions from an 'inactive' state to a 'running' state. As network traffic begins flowing through the extension, a critical flaw in the macOS kernel's memory allocation (specifically related to the Apple Network Extension framework) is triggered. This memory management failure at the kernel level results in a kernel panic at an unpredictable point during packet processing. Because this is a core operating system vulnerability, any third-party application or security solution that leverages Apple's Network Extension framework is susceptible to these crashes. This has been confirmed across multiple vendors within the cybersecurity industry from what I understand. Crashes_M5Pro_1.txt Thank you in advance for your help! Kind Regards, Goffredo
5
0
442
2w
EndpointSecurity AUTH_SIGNAL Handler Causes Dock UI Desync and Activity Monitor Force Quit Failure
ES_EVENT_TYPE_AUTH_SIGNAL DENY causes Dock icon to disappear and LaunchServices to lose track of the process

Platform: macOS 11.0 (Big Sur) – macOS 15 (Sequoia)
Xcode: 16.4 (16F6)
Language: Swift, EndpointSecurity framework
Testing OS: macOS 15.5 (primary), reproduced on macOS 11.0+

[1] Description

I'm developing a System Extension using the EndpointSecurity framework for a security product. My extension subscribes to ES_EVENT_TYPE_AUTH_SIGNAL to block unauthorized signals sent to protected GUI applications (self-protection feature).

When I respond with ES_AUTH_RESULT_DENY to an AUTH_SIGNAL event targeting a GUI application, the system enters an inconsistent state:

- The Dock icon disappears — loginwindow removes the app's UI via its applicationQuit event, even though the process is still running
- LaunchServices loses track of the application's PID — it can no longer determine the PID from the LSASN
- Activity Monitor's subsequent Force Quit attempts fail silently — no kill() syscall is issued because LaunchServices cannot resolve the PID

The issue only resolves after:

- Restarting Activity Monitor (clears its internal cache), or
- Relaunching the protected application (re-registers with LaunchServices)

Expected: Signal is denied, the process keeps running, Dock icon remains visible, and Activity Monitor can still force-quit the process normally.

Actual: Dock icon disappears after the first blocked signal. Subsequent Force Quit attempts do nothing — no kill() syscall is issued. The process remains alive but is invisible to the system.

[2] Minimal Reproducible Code

Requires System Extension entitlement: com.apple.developer.endpoint-security.client

entitlements.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
    </dict>
    </plist>

SignalBlockingDemo.swift

    import EndpointSecurity
    import Foundation

    var client: OpaquePointer?

    es_new_client(&client) { _, message in
        guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_SIGNAL else { return }

        let sig = message.pointee.event.signal.sig
        let target = message.pointee.event.signal.target.pointee
        let targetPid = audit_token_to_pid(target.audit_token)

        // es_string_token_t does not guarantee null-termination — read via buffer
        let esToken = target.executable.pointee.path
        let targetPath: String
        let count = Int(esToken.length)
        if count > 0, let rawPtr = esToken.data {
            let buf = UnsafeBufferPointer(
                start: UnsafeRawPointer(rawPtr).assumingMemoryBound(to: UInt8.self),
                count: count)
            targetPath = String(decoding: buf, as: UTF8.self)
        } else {
            targetPath = ""
        }

        // Protect a specific GUI app — replace with your target path
        let protectedPath = "/Applications/Numbers.app/Contents/MacOS/Numbers"
        guard targetPath == protectedPath else {
            es_respond_auth_result(client!, message, ES_AUTH_RESULT_ALLOW, false)
            return
        }

        print("[ES] Blocking signal \(sig) -> pid \(targetPid) (\(targetPath))")
        // After this DENY: Dock icon disappears, LaunchServices loses the PID
        es_respond_auth_result(client!, message, ES_AUTH_RESULT_DENY, false)
    }

    let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_SIGNAL]
    es_subscribe(client!, events, UInt32(events.count))

    print("Signal blocking active. Press Enter to stop.")
    _ = readLine()

    es_unsubscribe_all(client!)
    es_delete_client(client!)

Build & run:

    swiftc -o SignalBlockingDemo SignalBlockingDemo.swift
    codesign --force --sign - --entitlements entitlements.plist SignalBlockingDemo
    sudo ./SignalBlockingDemo

[3] Steps to Reproduce

1. Build and run SignalBlockingDemo as above (targets Numbers.app)
2. Launch Numbers.app — note its PID
3. Open Activity Monitor
4. In Activity Monitor, select Numbers → click Force Quit (⊗)
5. Observe: ES extension logs "Blocking signal 15" — signal is denied
6. Bug: Numbers.app Dock icon disappears, even though the process is alive
7. Press Enter in the demo terminal to stop signal blocking
8. In Activity Monitor, click Force Quit again on the Numbers process
9. Bug: No error shown in Activity Monitor UI, but the process is NOT terminated
10. In Console.app (filter: LaunchServices), observe: "Unable to determine pid of LSASN:{hi=0x1;lo=0x...}"
11. Confirm: No kill() syscall is issued — verify with DTrace script below

DTrace verification (trace_kill.d):

    syscall::kill:entry
    /execname == "Activity Monitor"/
    {
        printf("%Y: Activity Monitor calling kill(%d, %d)\n", walltimestamp, arg0, arg1);
    }

    sudo dtrace -s trace_kill.d

During the broken Force Quit: no output (no kill() issued). After restarting Activity Monitor and retrying: kill() appears and process terminates.

[4] What We've Tried

- Allowing ALL signals → Dock icon never disappears, behavior is normal
- Subscribing to AUTH_SIGNAL but always returning ALLOW → no issue
- Denying signals only on headless daemon processes → no issue observed
- Always allowing signals from launchd (PID 1) → does not prevent the Dock issue
- Always allowing SIGCHLD, SIGWINCH, SIGCONT → does not prevent the Dock issue

Hypothesis: loginwindow observes the AUTH_SIGNAL event (or a related notification) and proactively removes the Dock UI entry when a termination signal targets a GUI app — regardless of whether the signal was ultimately denied. This seems like a coordination gap between EndpointSecurity's signal interception and loginwindow/LaunchServices' app lifecycle management.

[5] Specific Questions

- Is it expected that loginwindow removes the Dock UI entry for a GUI app when AUTH_SIGNAL is received, even if the signal is ultimately denied (ES_AUTH_RESULT_DENY)?
- Is there a known coordination mechanism between EndpointSecurity's AUTH_SIGNAL and loginwindow / LaunchServices that we should be aware of when implementing self-protection for GUI apps?
- Is there a recommended pattern or API for protecting a GUI app from termination signals via AUTH_SIGNAL without disrupting its Dock presence and LaunchServices registration?
- Should we notify loginwindow or LaunchServices to re-register the application after denying a signal, and if so, how?

[6] Additional Context

- The issue reproduces on macOS 11.0 through macOS 15.5
- Tested with Numbers.app and other GUI applications — all reproduce the same behavior
- The issue is NOT reproducible when the protected process is a headless daemon (no Dock presence)
- launchd (PID 1) senders are always allowed in our policy
- SIGCHLD, SIGWINCH, SIGCONT are excluded from our deny list

DTS Case ID: 19226051
Feedback ID: FB22338746
3
0
159
2w
Explicit dynamic loading of a framework in macOS - recommended approach?
I am working on a cross-platform application where, on Android and Windows, I explicitly load dynamic libraries at runtime (e.g., LoadLibrary/GetProcAddress on Windows and equivalent mechanisms on Android). This allows me to control when and how modules are loaded, and to transfer execution flow from the main executable into the dynamically loaded library.

I want to follow a similar approach on macOS (and also iOS) and explicitly load a framework (instead of relying on implicit linking via import). From my exploration so far, I have come across the following options:

1. Using Bundle (NSBundle)
   - Load framework using:

         let bundle = Bundle(path: path)
         try bundle?.load()

   - Access functionality via NSPrincipalClass and @objc methods (class-based entry)
2. Using dlopen + dlsym
   - Load the framework binary and resolve symbols:

         let handle = dlopen(path, RTLD_NOW)
         let sym = dlsym(handle, "EntryPoint")

   - Expose Swift functions using @_cdecl
3. Using a hybrid approach (Bundle + dlsym)
   - Use Bundle for loading and dlsym for symbol access

From what I understand:

- Bundle works well for class-based/plugin-style designs using the Objective-C runtime
- while dlopen/dlsym works at the symbol level and is closer to what I am doing on other platforms

However, my requirement is specifically:

- Explicit runtime loading (not compile-time linking)
- Ability to transfer execution flow from the main executable into the dynamically loaded framework

What is the recommended approach on macOS for this kind of explicit dynamic loading, or is implicit loading the way to go? Also, would it differ for interactive and non-interactive apps?

In what scenarios would Apple recommend using Bundle instead of dlopen? Are there any other methods best for this explicit loading of frameworks on Apple?
5
1
471
2w
open / libsystem_kernel.dylib slow on first run for any .img
We see a major delay for the first open("disk.img", O_RDONLY); we perform. If it helps, we use clonefile() to copy a sparsed image.

    if (-1 == (fd = open(path, (mode & O_ACCMODE) | O_CLOEXEC)))
        return -1;

    1791 Thread_1071327 DispatchQueue_1: com.apple.main-thread (serial)
    1791 start (in dyld) + 6076 [0x189f72b98]
    1791 main (in anka_image) + 20 [0x102171bb8]
    1791 clp_main (in libpolicy.dylib) + 2120 [0x102a49eac]
    1790 process_info (in anka_image) + 68 [0x1021723f4]
    + 1790 vdsk_open (in libvdsk.dylib) + 92 [0x1021d90e8]
    + 1790 vdsk_open_native (in libvdsk.dylib) + 164 [0x1021d91c0]
    + 1790 open (in libsystem_kernel.dylib) + 64 [0x18a2dd6a4]
    + 1790 __open (in libsystem_kernel.dylib) + 8 [0x18a2d2678]

What advice do you have for diagnosing what is causing the first open to do this? Is this some sort of security scan happening? Indexing?
7
0
408
2w
Custom NCM device being disabled by macOS
I have a custom-developed USB NCM device for a networking use case. My device is successfully enumerated by macOS at the USB layer, and it issues a USB SET_INTERFACE(altsetting = 1) to enable the NCM layer, but sometimes (about 50% of the time), the Mac then issues a USB SET_INTERFACE(altsetting = 0), which disables the interface. It never issues a SET_INTERFACE(altsetting = 1) command to re-enable it. In Network settings, the device just stays in the "Disconnected" state forever. For context, the NCM specification says that all NCM devices must have two "alternate settings" at the USB interface level. Altsetting 0 is the default "disabled" startup state where no data endpoints are enabled, and altsetting 1 is the "enabled" state where data IN/OUT endpoints are enabled and packets can be transferred. The NCM spec also says that SET_INTERFACE(altsetting=0) can be used by the host to 'reset' the NCM layer of the device back to known settings. I suspect this is what the Mac is trying to do, though it only does it 50% of the time. The remainder of the time, the device stays in altsetting 1 and traffic works just fine. My question is, how can I get to the bottom of why the Mac is sometimes sending the SET_INTERFACE(altsetting=0) command or, if this behavior is usual, why is it not then re-enabling using SET_INTERFACE(altsetting=1) ? "log stream --info --debug" shows no information on this, and the NCM driver is a closed-source kernel extension so I have no visibility of what it's doing and why. I've sniffed the USB bus using a packet analyzer and can't see anything odd there (no timing issues or dropped packets etc). Any tips would be appreciated. I'm on Tahoe 26.4.1. I really don't want to develop a custom driver for this device and would prefer to operate with the native NCM driver.
9
0
462
3w
Bottom sheet does not adapt to screen rotation after presenting NFC Reader session
Hello, I am implementing an NFC Reader session in my app, and presenting the bottom sheet works completely fine. However, I am facing an issue with screen rotation. If I rotate the device while the NFC bottom sheet is active, the sheet does not adapt or resize according to the new screen orientation. Is there a way to force the NFC bottom sheet to update its layout or fix this rotation issue? Any help or workarounds would be greatly appreciated. Thanks!
1
0
253
3w
UI layout overlaps in bottom sheet upon screen rotation during NFC Reader session
Hello, I am experiencing a layout issue where UI components overlap in a bottom sheet during screen rotation while an NFC Reader session is active. The NFC Reader session initializes and displays the bottom sheet properly. However, if the device is rotated while this sheet is on screen, the layout breaks, and elements appear overlapped. I have attached a sample image demonstrating this rendering issue. Is there a known workaround to fix this layout distortion or force a proper layout update during an active NFC session? Any insights or suggestions would be greatly appreciated. Thanks!
1
0
251
3w
External Hardware Development for File Transfer System
Howdy! I'm in the R&D phase of this project and I need help. I can't find any sources that verify what I want to do is even possible. I need to connect an iPhone or iPad using a USB cord to an external device which will transfer files to the iPhone or iPad. I have an app already made which can organize the files and whatever else I need to do (app is from a similar project). I'll refer to this device as Alfred (for poops and giggles). The plan (if possible) is for Alfred to recognize my app and use its documents folder as the destination of the transfer. The iDevice doesn't have to communicate with Alfred, but that would be a bonus. I don't want Alfred to run on an SOC. My goal is to have it be as simple as possible. No OS, just firmware. If the only way to interact with Apple Devices is Bluetooth or Wifi then so be it. If Matter or Thread could be utilized I wouldn't be opposed. Any help with this project would be greatly appreciated. Thanks in advance.
1
0
497
3w
VMs for automated testing vs 2 macOS instance limit
Hello, I'm evaluating the possibility to use virtualization to set up an on-premise parallel testing system for a product I work on. My compatibility range is wide, i.e. it would cover macOS 12 - 26, so any testcase needs to be executed on at least 5 different OS versions (and introducing any parallelization to the test execution would mean I deal with a higher number of VMs). As far as I understand, there is a constraint in the Apple Software License that limits the number of OS VM installations per one physical system to 2 (section 2.B.(iii)) in case of an OS downloaded from the Internet or through the App Store. Clearly these days a single high-end Mac hardware could sustain more than 2 VMs running in parallel. The license also mentions it is also possible to be in a volume or maintenance license program and then the terms of this program apply instead. So I wonder how do people normally deal with the above limitation? What is the path I need to follow if I want to be able to run more than "2 additional copies or instances of" macOS on my VMs?
0
0
129
3w
Background Assets Mac (Designed for iPad)
Hello, I have followed the instructions in https://developer.apple.com/documentation/backgroundassets to set up background assets to work on the iPhone. I am able to successfully test the asset packs locally on the iPhone. However, when I try to run my test code on the Mac (Designed for iPad), I get this error: BackgroundAssets/AssetPackManager.swift:206: Fatal error: The app couldn’t be validated: The bundle’s info dictionary lacks a string value for the key “BAAppGroupID”. Is this feature not supported on the Mac?
6
0
330
3w
How to retrieve device model name via sysctl
Model Name: MacBook Air Model Identifier: Mac17,3 I know it's possible to retrieve the model identifier by running the command "sysctl hw.model", but is there another key to retrieve the model name? ("MacBook Air" instead of "Mac17,3")
Replies
2
Boosts
0
Views
202
Activity
2w
Jetsam events on spotlight searches
On macOS Tahoe 26.5, and happening since 26.0, each time I search for a document inside iCloud I get a jetsam event.
Replies
2
Boosts
0
Views
123
Activity
2w
M5 Pro - macOS Tahoe 26.4.1 crashes almost immediately after connecting to a VPN
Hello Everyone,

Like probably several other Enterprise customers and more, we have been bitten by a bug with regards to VPN and Endpoint Security and the new M5 / M5 Pro SoCs shipping in the latest MacBook devices. I have raised the following feedback ID FB22753954 (which itself references an internal issue I believe, if we need to mark it as a dupe: 172793638).

The technical sequence leading to the crash is as follows I believe:

1. The macOS system process neagent successfully initializes the GlobalProtect network extension.
2. The GP Network extension transitions from an 'inactive' state to a 'running' state.
3. As network traffic begins flowing through the extension, a critical flaw in the macOS kernel's memory allocation (specifically related to the Apple Network Extension framework) is triggered.
4. This memory management failure at the kernel level results in a kernel panic at an unpredictable point during packet processing.

Because this is a core operating system vulnerability, any third-party application or security solution that leverages Apple's Network Extension framework is susceptible to these crashes. This has been confirmed across multiple vendors within the cybersecurity industry from what I understand.

Crashes_M5Pro_1.txt

Thank you in advance for your help!

Kind Regards,
Goffredo
Replies
5
Boosts
0
Views
442
Activity
2w
Battery Service Peripheral - Not Allowed?
Hi! I'm trying to create an iOS peripheral service with UUID=180F which stands for standard GATT BAS. I'm getting the error: CBErrorDomain Code=8 "The specified UUID is not allowed for this operation." Is this prohibited by the system?
Replies
1
Boosts
0
Views
218
Activity
2w
EndpointSecurity AUTH_SIGNAL Handler Causes Dock UI Desync and Activity Monitor Force Quit Failure
ES_EVENT_TYPE_AUTH_SIGNAL DENY causes Dock icon to disappear and LaunchServices to lose track of the process

Platform: macOS 11.0 (Big Sur) – macOS 15 (Sequoia)
Xcode: 16.4 (16F6)
Language: Swift, EndpointSecurity framework
Testing OS: macOS 15.5 (primary), reproduced on macOS 11.0+

[1] Description

I'm developing a System Extension using the EndpointSecurity framework for a security product. My extension subscribes to ES_EVENT_TYPE_AUTH_SIGNAL to block unauthorized signals sent to protected GUI applications (self-protection feature).

When I respond with ES_AUTH_RESULT_DENY to an AUTH_SIGNAL event targeting a GUI application, the system enters an inconsistent state:

- The Dock icon disappears — loginwindow removes the app's UI via its applicationQuit event, even though the process is still running
- LaunchServices loses track of the application's PID — it can no longer determine the PID from the LSASN
- Activity Monitor's subsequent Force Quit attempts fail silently — no kill() syscall is issued because LaunchServices cannot resolve the PID

The issue only resolves after:

- Restarting Activity Monitor (clears its internal cache), or
- Relaunching the protected application (re-registers with LaunchServices)

Expected: Signal is denied, the process keeps running, Dock icon remains visible, and Activity Monitor can still force-quit the process normally.

Actual: Dock icon disappears after the first blocked signal. Subsequent Force Quit attempts do nothing — no kill() syscall is issued. The process remains alive but is invisible to the system.

[2] Minimal Reproducible Code

Requires System Extension entitlement: com.apple.developer.endpoint-security.client

entitlements.plist

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
```

SignalBlockingDemo.swift

```swift
import EndpointSecurity
import Foundation

var client: OpaquePointer?

es_new_client(&client) { _, message in
    guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_SIGNAL else { return }

    let sig = message.pointee.event.signal.sig
    let target = message.pointee.event.signal.target.pointee
    let targetPid = audit_token_to_pid(target.audit_token)

    // es_string_token_t does not guarantee null-termination — read via buffer
    let esToken = target.executable.pointee.path
    let targetPath: String
    let count = Int(esToken.length)
    if count > 0, let rawPtr = esToken.data {
        let buf = UnsafeBufferPointer(
            start: UnsafeRawPointer(rawPtr).assumingMemoryBound(to: UInt8.self),
            count: count)
        targetPath = String(decoding: buf, as: UTF8.self)
    } else {
        targetPath = ""
    }

    // Protect a specific GUI app — replace with your target path
    let protectedPath = "/Applications/Numbers.app/Contents/MacOS/Numbers"
    guard targetPath == protectedPath else {
        es_respond_auth_result(client!, message, ES_AUTH_RESULT_ALLOW, false)
        return
    }

    print("[ES] Blocking signal \(sig) -> pid \(targetPid) (\(targetPath))")
    // After this DENY: Dock icon disappears, LaunchServices loses the PID
    es_respond_auth_result(client!, message, ES_AUTH_RESULT_DENY, false)
}

let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_SIGNAL]
es_subscribe(client!, events, UInt32(events.count))

print("Signal blocking active. Press Enter to stop.")
_ = readLine()

es_unsubscribe_all(client!)
es_delete_client(client!)
```

Build & run:

```sh
swiftc -o SignalBlockingDemo SignalBlockingDemo.swift
codesign --force --sign - --entitlements entitlements.plist SignalBlockingDemo
sudo ./SignalBlockingDemo
```

[3] Steps to Reproduce

1. Build and run SignalBlockingDemo as above (targets Numbers.app)
2. Launch Numbers.app — note its PID
3. Open Activity Monitor
4. In Activity Monitor, select Numbers → click Force Quit (⊗)
5. Observe: ES extension logs "Blocking signal 15" — signal is denied
6. Bug: Numbers.app Dock icon disappears, even though the process is alive
7. Press Enter in the demo terminal to stop signal blocking
8. In Activity Monitor, click Force Quit again on the Numbers process
9. Bug: No error shown in Activity Monitor UI, but the process is NOT terminated
10. In Console.app (filter: LaunchServices), observe: "Unable to determine pid of LSASN:{hi=0x1;lo=0x...}"
11. Confirm: No kill() syscall is issued — verify with DTrace script below

DTrace verification (trace_kill.d):

```dtrace
syscall::kill:entry
/execname == "Activity Monitor"/
{
    printf("%Y: Activity Monitor calling kill(%d, %d)\n", walltimestamp, arg0, arg1);
}
```

```sh
sudo dtrace -s trace_kill.d
```

During the broken Force Quit: no output (no kill() issued).
After restarting Activity Monitor and retrying: kill() appears and process terminates.

[4] What We've Tried

- Allowing ALL signals → Dock icon never disappears, behavior is normal
- Subscribing to AUTH_SIGNAL but always returning ALLOW → no issue
- Denying signals only on headless daemon processes → no issue observed
- Always allowing signals from launchd (PID 1) → does not prevent the Dock issue
- Always allowing SIGCHLD, SIGWINCH, SIGCONT → does not prevent the Dock issue

Hypothesis: loginwindow observes the AUTH_SIGNAL event (or a related notification) and proactively removes the Dock UI entry when a termination signal targets a GUI app — regardless of whether the signal was ultimately denied. This seems like a coordination gap between EndpointSecurity's signal interception and loginwindow/LaunchServices' app lifecycle management.

[5] Specific Questions

1. Is it expected that loginwindow removes the Dock UI entry for a GUI app when AUTH_SIGNAL is received, even if the signal is ultimately denied (ES_AUTH_RESULT_DENY)?
2. Is there a known coordination mechanism between EndpointSecurity's AUTH_SIGNAL and loginwindow / LaunchServices that we should be aware of when implementing self-protection for GUI apps?
3. Is there a recommended pattern or API for protecting a GUI app from termination signals via AUTH_SIGNAL without disrupting its Dock presence and LaunchServices registration?
4. Should we notify loginwindow or LaunchServices to re-register the application after denying a signal, and if so, how?

[6] Additional Context

- The issue reproduces on macOS 11.0 through macOS 15.5
- Tested with Numbers.app and other GUI applications — all reproduce the same behavior
- The issue is NOT reproducible when the protected process is a headless daemon (no Dock presence)
- launchd (PID 1) senders are always allowed in our policy
- SIGCHLD, SIGWINCH, SIGCONT are excluded from our deny list

DTS Case ID: 19226051
Feedback ID: FB22338746
Replies
3
Boosts
0
Views
159
Activity
2w
Explicit dynamic loading of a framework in macOS - recommended approach?
I am working on a cross-platform application where, on Android and Windows, I explicitly load dynamic libraries at runtime (e.g., LoadLibrary/GetProcAddress on Windows and equivalent mechanisms on Android). This allows me to control when and how modules are loaded, and to transfer execution flow from the main executable into the dynamically loaded library.

I want to follow a similar approach on macOS (and also iOS) and explicitly load a framework (instead of relying on implicit linking via import).

From my exploration so far, I have come across the following options:

1. Using Bundle (NSBundle)
   - Load framework using:

     ```swift
     let bundle = Bundle(path: path)
     try bundle?.load()
     ```

   - Access functionality via NSPrincipalClass and @objc methods (class-based entry)
2. Using dlopen + dlsym
   - Load the framework binary and resolve symbols:

     ```swift
     let handle = dlopen(path, RTLD_NOW)
     let sym = dlsym(handle, "EntryPoint")
     ```

   - Expose Swift functions using @_cdecl
3. Using a hybrid approach (Bundle + dlsym)
   - Use Bundle for loading and dlsym for symbol access

From what I understand: Bundle works well for class-based/plugin-style designs using the Objective-C runtime, while dlopen/dlsym works at the symbol level and is closer to what I am doing on other platforms.

However, my requirement is specifically:

- Explicit runtime loading (not compile-time linking)
- Ability to transfer execution flow from the main executable into the dynamically loaded framework

**What is the recommended approach on macOS for this kind of explicit dynamic loading, or is implicit loading the way to go? Also, would it differ for interactive and non-interactive apps?**

In what scenarios would Apple recommend using Bundle instead of dlopen? Are there any other methods best for this explicit loading of frameworks on Apple?
Replies
5
Boosts
1
Views
471
Activity
2w
open / libsystem_kernel.dylib slow on first run for any .img
We see a major delay for the first open("disk.img", O_RDONLY); we perform. If it helps, we use clonefile() to copy a sparsed image.

```c
if (-1 == (fd = open(path, (mode & O_ACCMODE) | O_CLOEXEC)))
    return -1;
```

```
1791 Thread_1071327 DispatchQueue_1: com.apple.main-thread (serial)
1791 start (in dyld) + 6076 [0x189f72b98]
1791 main (in anka_image) + 20 [0x102171bb8]
1791 clp_main (in libpolicy.dylib) + 2120 [0x102a49eac]
1790 process_info (in anka_image) + 68 [0x1021723f4]
+ 1790 vdsk_open (in libvdsk.dylib) + 92 [0x1021d90e8]
+ 1790 vdsk_open_native (in libvdsk.dylib) + 164 [0x1021d91c0]
+ 1790 open (in libsystem_kernel.dylib) + 64 [0x18a2dd6a4]
+ 1790 __open (in libsystem_kernel.dylib) + 8 [0x18a2d2678]
```

What advice do you have for diagnosing what is causing the first open to do this? Is this some sort of security scan happening? Indexing?
Replies
7
Boosts
0
Views
408
Activity
2w
Custom NCM device being disabled by macOS
I have a custom-developed USB NCM device for a networking use case. My device is successfully enumerated by macOS at the USB layer, and it issues a USB SET_INTERFACE(altsetting = 1) to enable the NCM layer, but sometimes (about 50% of the time), the Mac then issues a USB SET_INTERFACE(altsetting = 0), which disables the interface. It never issues a SET_INTERFACE(altsetting = 1) command to re-enable it. In Network settings, the device just stays in the "Disconnected" state forever.

For context, the NCM specification says that all NCM devices must have two "alternate settings" at the USB interface level. Altsetting 0 is the default "disabled" startup state where no data endpoints are enabled, and altsetting 1 is the "enabled" state where data IN/OUT endpoints are enabled and packets can be transferred. The NCM spec also says that SET_INTERFACE(altsetting=0) can be used by the host to 'reset' the NCM layer of the device back to known settings. I suspect this is what the Mac is trying to do, though it only does it 50% of the time. The remainder of the time, the device stays in altsetting 1 and traffic works just fine.

My question is, how can I get to the bottom of why the Mac is sometimes sending the SET_INTERFACE(altsetting=0) command or, if this behavior is usual, why is it not then re-enabling using SET_INTERFACE(altsetting=1)? "log stream --info --debug" shows no information on this, and the NCM driver is a closed-source kernel extension so I have no visibility of what it's doing and why. I've sniffed the USB bus using a packet analyzer and can't see anything odd there (no timing issues or dropped packets etc).

Any tips would be appreciated. I'm on Tahoe 26.4.1. I really don't want to develop a custom driver for this device and would prefer to operate with the native NCM driver.
Replies
9
Boosts
0
Views
462
Activity
3w
tahoe 26.4.1 chdir(2) problem
As of this posting, chdir(2) is now following symbolic links. As per the man page, this IS NOT what it is supposed to do. This is a recent change as of 5/13/26.
Replies
2
Boosts
0
Views
205
Activity
3w
Bottom sheet does not adapt to screen rotation after presenting NFC Reader session
Hello, I am implementing an NFC Reader session in my app, and presenting the bottom sheet works completely fine. However, I am facing an issue with screen rotation. If I rotate the device while the NFC bottom sheet is active, the sheet does not adapt or resize according to the new screen orientation. Is there a way to force the NFC bottom sheet to update its layout or fix this rotation issue? Any help or workarounds would be greatly appreciated. Thanks!
Replies
1
Boosts
0
Views
253
Activity
3w
UI layout overlaps in bottom sheet upon screen rotation during NFC Reader session
Hello, I am experiencing a layout issue where UI components overlap in a bottom sheet during screen rotation while an NFC Reader session is active. The NFC Reader session initializes and displays the bottom sheet properly. However, if the device is rotated while this sheet is on screen, the layout breaks, and elements appear overlapped. I have attached a sample image demonstrating this rendering issue. Is there a known workaround to fix this layout distortion or force a proper layout update during an active NFC session? Any insights or suggestions would be greatly appreciated. Thanks!
Replies
1
Boosts
0
Views
251
Activity
3w
Environment Variables Blocked by OS Tahoe 26.4.1
I am coding in Perl and I want to create Environment Variables (External to the app) specifically for this app only, however my custom ENV variables are deliberately blocked by the OS for security purposes (as described in documentation).
Replies
2
Boosts
0
Views
354
Activity
3w
External Hardware Development for File Transfer System
Howdy! I'm in the R&D phase of this project and I need help. I can't find any sources that verify what I want to do is even possible. I need to connect an iPhone or iPad using a USB cord to an external device which will transfer files to the iPhone or iPad. I have an app already made which can organize the files and whatever else I need to do (app is from a similar project). I'll refer to this device as Alfred (for poops and giggles). The plan (if possible) is for Alfred to recognize my app and use its documents folder as the destination of the transfer. The iDevice doesn't have to communicate with Alfred, but that would be a bonus. I don't want Alfred to run on an SOC. My goal is to have it be as simple as possible. No OS, just firmware. If the only way to interact with Apple Devices is Bluetooth or Wifi then so be it. If Matter or Thread could be utilized I wouldn't be opposed. Any help with this project would be greatly appreciated. Thanks in advance.
Replies
1
Boosts
0
Views
497
Activity
3w
VMs for automated testing vs 2 macOS instance limit
Hello, I'm evaluating the possibility of using virtualization to set up an on-premise parallel testing system for a product I work on. My compatibility range is wide, i.e. it would cover macOS 12 - 26, so any testcase needs to be executed on at least 5 different OS versions (and introducing any parallelization to the test execution would mean I deal with a higher number of VMs). As far as I understand, there is a constraint in the Apple Software License that limits the number of OS VM installations per one physical system to 2 (section 2.B.(iii)) in case of OS downloaded from the Internet or through App Store. Clearly these days a single high-end Mac hardware could sustain more than 2 VMs running in parallel. The license also mentions it is also possible to be in a volume or maintenance license program and then the terms of this program apply instead. So I wonder how do people normally deal with the above limitation? What is the path I need to follow if I want to be able to run more than "2 additional copies or instances of" macOS on my VMs?
Replies
0
Boosts
0
Views
129
Activity
3w
Background Assets Mac (Designed for iPad)
Hello, I have followed the instructions in https://developer.apple.com/documentation/backgroundassets to set up background assets to work on the iPhone. I am able to successfully test the asset packs locally on the iPhone. However, when I try to run my test code on the Mac (Designed for iPad), I get this error:

BackgroundAssets/AssetPackManager.swift:206: Fatal error: The app couldn’t be validated: The bundle’s info dictionary lacks a string value for the key “BAAppGroupID”.

Is this feature not supported on the Mac?
Replies
6
Boosts
0
Views
330
Activity
3w