Posts under App & System Services topic

Post

Replies

Boosts

Views

Created

Failed on creating static code object with API SecStaticCodeCreateWithPath(_:_:_:)
My process is running with root privilege, but I got the error below from the API SecStaticCodeCreateWithPath(_:_:_:) when creating a static code object for the Cortex XDR Agent app. It works fine for other apps like Safari on the same device.

    2025-07-22 02:02:05.857719(-0600)[23221:520725] DBG Found /Library/Application Support/PaloAltoNetworks/Traps/bin/Cortex XDR Agent.app,/Library/Application Support/PaloAltoNetworks/Traps/bin/Cortex XDR Agent.app running. Will verify the process now
    2025-07-22 02:02:05.859209(-0600)[23221:520725] ERR Failed to create static code for path /Library/Application Support/PaloAltoNetworks/Traps/bin/Cortex XDR Agent.app/Contents/MacOS/Cortex XDR Agent. Error: Optional(UNIX[Operation not permitted])

Code Snippet

    let fileURL = URL(fileURLWithPath: processPath)
    var code: SecStaticCode?
    let rc = SecStaticCodeCreateWithPath(fileURL as CFURL, [], &code)
    if rc == errSecSuccess, let code = code {
        staticCode = code
    } else {
        ZSLoggerError("Failed to create static code for path \(processPath). Error: \(String(describing: SecCopyErrorMessageString(rc, nil)))")
        return nil
    }

Replies: 1 | Boosts: 0 | Views: 23 | Created: 1d
Happy Eyeballs cancels also-ran only after WebSocket handshake (duplicate WS sessions)
Network.framework: Happy Eyeballs cancels also-ran only after WebSocket handshake (duplicate WS sessions)

Hi everyone 👋

When using NWConnection with NWProtocolWebSocket, I’ve noticed that Happy Eyeballs cancels the losing connection only after the WebSocket handshake completes on the winning path. As a result, both IPv4 and IPv6 attempts can send the GET / Upgrade request in parallel, which may cause duplicate WebSocket sessions on the server.

Standards context

RFC 8305 §6 (Happy Eyeballs v2) states:

> Once one of the connection attempts succeeds (generally when the TCP handshake completes), all other connections attempts that have not yet succeeded SHOULD be canceled.

This “SHOULD” is intentionally non-mandatory — implementations may reasonably delay cancellation to account for additional factors (e.g. TLS success or ALPN negotiation). So Network.framework’s current behavior — canceling after the WebSocket handshake — is technically valid, but it can have practical side effects at the application layer.

Why this matters

WebSocket upgrades are semantically HTTP GET requests (RFC 6455 §4.1). Per RFC 9110 §9.2, GET requests are expected to be safe and idempotent — they should not have side effects on the server. In practice, though, WebSocket upgrades often:

- include Authorization headers or cookies
- create authenticated or persistent sessions

So if both IPv4 and IPv6 paths reach the upgrade stage, the server may create duplicate sessions before one connection is canceled.

Questions / Request

Is there a way to make Happy Eyeballs cancel the losing path earlier — for example, right after TCP or TLS handshake — when using NWProtocolWebSocket?

If not, could Apple consider adding an option (e.g. in NWProtocolWebSocket.Options) to control the cancellation threshold, such as:

- after TCP handshake
- after TLS handshake
- after protocol handshake (current behavior)

That would align the implementation more closely with RFC 8305 and help prevent duplicate, non-idempotent upgrade requests.

Context

I’m aware of Quinn’s post Understanding Also-Ran Connections. This report focuses specifically on the cancellation timing for NWProtocolWebSocket and the impact of duplicate upgrade requests.

Although RFC 6455 and RFC 9110 define WebSocket upgrades as safe and idempotent HTTP GETs, in practice they often establish authenticated or stateful sessions. Thus, delaying cancellation until after the upgrade can create duplicate sessions — even though the behavior is technically RFC-compliant.

Happy to share a sysdiagnose and sample project via Feedback if helpful.

Thanks! 🙏

Example log output

With Network Link Conditioner (Edge):

    log stream --info --predicate 'subsystem == "com.apple.network" && process == "WS happy eyeballs"'
    2025-11-03 17:02:48.875258 [C3] create connection to wss://echo.websocket.org:443
    2025-11-03 17:02:48.878949 [C3.1] starting child endpoint 2a09:8280:1::37:b5c3:443 # IPv6
    2025-11-03 17:02:48.990206 [C3.1] starting child endpoint 66.241.124.119:443 # IPv4
    2025-11-03 17:03:00.251928 [C3.1.1] Socket received CONNECTED event # IPv6 TCP up
    2025-11-03 17:03:00.515837 [C3.1.2] Socket received CONNECTED event # IPv4 TCP up
    2025-11-03 17:03:04.543651 [C3.1.1] Output protocol connected (WebSocket) # WS ready on IPv6
    2025-11-03 17:03:04.544390 [C3.1.2] nw_endpoint_handler_cancel # cancel IPv4 path
    2025-11-03 17:03:04.544913 [C3.1.2] TLS warning: close_notify # graceful close IPv4

Replies: 1 | Boosts: 0 | Views: 29 | Created: 1d
Crash when removing network extension
Our application uses NEFilterPacketProvider to filter network traffic and we sometimes get a weird crash when removing/updating the network extension. It only happens on MacOS 11-12. The crashing thread is always this one and it shows up after I call the completionHandler from the stopFilter func:

    Application Specific Information:
    BUG IN CLIENT OF LIBDISPATCH: Release of a suspended object

    Thread 6 Crashed:: Dispatch queue: com.apple.network.connections
    0   libdispatch.dylib        0x00007fff2039cc35 _dispatch_queue_xref_dispose.cold.1 + 24
    1   libdispatch.dylib        0x00007fff20373808 _dispatch_queue_xref_dispose + 50
    2   libdispatch.dylib        0x00007fff2036e2eb -[OS_dispatch_source _xref_dispose] + 17
    3   libnetwork.dylib         0x00007fff242b5999 __nw_queue_context_create_source_block_invoke + 41
    4   libdispatch.dylib        0x00007fff2036d623 _dispatch_call_block_and_release + 12
    5   libdispatch.dylib        0x00007fff2036e806 _dispatch_client_callout + 8
    6   libdispatch.dylib        0x00007fff203711b0 _dispatch_continuation_pop + 423
    7   libdispatch.dylib        0x00007fff203811f4 _dispatch_source_invoke + 1181
    8   libdispatch.dylib        0x00007fff20376318 _dispatch_workloop_invoke + 1784
    9   libdispatch.dylib        0x00007fff2037ec0d _dispatch_workloop_worker_thread + 811
    10  libsystem_pthread.dylib  0x00007fff2051545d _pthread_wqthread + 314
    11  libsystem_pthread.dylib  0x00007fff2051442f start_wqthread + 15

I do have a DispatchSourceTimer but I cancel it in the stop func. Any ideas on how to tackle this?

Replies: 2 | Boosts: 0 | Views: 46 | Created: 1d
Core Bluetooth and app background launch
TN 3115 states that apps that do not use AccessorySetupKit will lose the ability to launch into the background to service Bluetooth in iOS 26.

> Starting in iOS 26 and iPadOS 26, only apps that use AccessorySetupKit to setup Bluetooth accessories will be relaunched.

Is there any more information regarding this? Will it affect any app under iOS 26 or only those built against the iOS 26 SDK? My app (dev build) is still relaunched, even though I'm running iOS 26, so I wonder if there are any more conditions checked.

Replies: 1 | Boosts: 0 | Views: 35 | Created: 2d
How to Handle Asynchronous Operations in BGContinuedProcessingTask
I would like to know whether BGContinuedProcessingTaskRequest supports executing asynchronous tasks internally, or if it can only execute synchronous tasks within BGContinuedProcessingTaskRequest?

Our project is very complex, and we now need to use BGContinuedProcessingTaskRequest to perform some long-running operations when the app enters the background (such as video encoding/decoding & export). However, our export interface is an asynchronous function, for example video.export(callback: FinishCallback). This export call returns immediately, and when the export completes internally, it calls back through the passed-in callback.

So when I call BGTaskScheduler.shared.register to register a BGContinuedProcessingTask, what should be the correct approach? Should I directly call video.export(nil) without any waiting, or should I wait for the export function to complete in the callback? For example:

    BGTaskScheduler.shared.register(forTaskWithIdentifier: "com.xxx.xxx.xxx.xxx", using: nil) { task in
        guard let continuedTask = task as? BGContinuedProcessingTask else {
            task.setTaskCompleted(success: false)
            return
        }
        let scanner = SmartAssetsManager.shared
        let semaphore = DispatchSemaphore(value: 0)
        continuedTask.expirationHandler = {
            logError(items: "xwxdebug finished.")
            semaphore.signal()
        }
        logInfo(items: "xwxdebug start!")
        video.export { _ in
            semaphore.signal()
        }
        semaphore.wait()
        logError(items: "xwxdebug finished!")
    }

Replies: 2 | Boosts: 0 | Views: 39 | Created: 2d
Commands for MacOS which gives similar information as "lsappinfo" and "system_profiler SPApplicationsDataType" for other Mach-O binaries
Hello, I am currently researching ways to get the versions of all of the Mach-O executables and dylibs installed on my MacOS machine. Based on my initial research, I am able to get the information of installed applications from commands like "lsappinfo" and "system_profiler SPApplicationsDataType". However, the above commands only give me information about applications installed on my machine, not all the Mach-O binaries and dylibs. I also saw that otool -L output is not very reliable, as some dylibs don't show the current version. Are there any alternate commands I can try to get this information? Can this be achieved through any frameworks on MacOS? Any pointers will help me a lot.

Replies: 3 | Boosts: 0 | Views: 53 | Created: 2d
App Extension Network Extension - failed to start, signature check failed
Howdy, I've been developing a packet tunnel extension meant to run on iOS and MacOS. For development I'm using xcodegen + xcodebuild to assemble a bunch of Swift and Rust code together. I'm moving from direct TUN device management on Mac to shipping a Network Extension (appex). With that move I noticed that on some Mac laptops the NE fails to start completely, whilst on others everything works fine.

I'm using CODE_SIGN_STYLE: Automatic, Apple IDs are within the same team, all devices are registered as dev devices. Signing dev certificates, managed by Xcode.

Some suspicious logs:

    (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)
    ...
    (NetworkExtension) [com.apple.networkextension:] Provider is not signed with a Developer ID certificate

What could be the issue? Where might those inconsistencies across devices come from?

Replies: 4 | Boosts: 0 | Views: 58 | Created: 2d
SIM ToolKit API
I’d like to propose that Apple consider introducing a controlled entitlement for the SIM Application Toolkit (STK) on iOS, allowing limited developer access through a secure, user-consented API layer.

While I understand the historical restrictions around SIM access for privacy and carrier security, there are legitimate, high-impact use-cases in emerging markets where STK remains a critical part of everyday digital transactions. Currently, developers have no sanctioned way to trigger or interact with STK flows — which leaves millions of iPhone users unable to complete basic offline payment or authentication actions that their Android counterparts can.

The Problem

In regions such as Sub-Saharan Africa, South Asia, and Southeast Asia, entire financial ecosystems still depend on SIM-based STK interactions (commonly through USSD or encrypted STK sessions). On iOS:

- The “SIM Applications” menu is buried under Settings → Cellular → SIM Applications, often missing depending on carrier provisioning.
- Third-party developers cannot programmatically open or trigger STK actions.

This results in incomplete or inconsistent payment experiences for iOS users — even when the same SIM card supports rich offline capabilities on Android devices.

Proposed Solution

Introduce a “SIMToolkitAccess” entitlement, gated behind the following controls:

1. User Consent Prompt
   When first triggered, the system displays a native dialog: “App ‘X’ would like to initiate a SIM Toolkit action (e.g., payment or balance check). Do you allow this?” The user can approve once, always, or deny.
2. Scoped Access Model
   Allow only STK command initiation (e.g., “Launch STK Menu,” “Send STK Request”). Prohibit background execution or passive SIM data reading. Require entitlement approval from Apple Developer Relations, similar to CarPlay, CallKit, or HealthKit.
3. Secure Sandbox
   STK sessions run in a system-managed sandbox with zero data exposure to the calling app. The app simply receives a completion callback with a generic status code (e.g., .completed, .cancelled, .timeout).

Key Use-Cases That Would Benefit

1. Offline Mobile Payments (M-PESA, Airtel Money, T-Kash)
   Many users rely on STK-based menus for sending or receiving money, paying bills, and topping up accounts.
   → Enabling secure triggers from native apps would unify the payment UX between Android and iOS, increasing inclusivity.
2. SIM-based Authentication / OTP Requests
   Telecoms and banks in these regions use STK channels for encrypted session-level identity verification.
   → Allowing STK initiation would enable secure, offline identity confirmation flows.
3. Carrier Value-Added Services (Data Bundles, Utility Payments)
   Network operators still deliver bundles, electricity token purchases, and airtime loans via STK sessions.
   → Secure developer access would allow modern iOS apps to wrap these flows in more intuitive interfaces while maintaining carrier security.
4. Offline Resilience / Disaster-Recovery Flows
   During power or data outages, STK is often the only operational payment method, as it runs directly on the GSM layer.
   → Allowing iOS apps to gracefully degrade to STK ensures users can still transact safely without internet access.

Why It Matters

This is not about exposing low-level carrier interfaces — it’s about giving developers the ability to deliver consistent, accessible, and inclusive financial experiences to iPhone users in markets where connectivity cannot be assumed.

Apple’s leadership in privacy and safety would make it the perfect platform to define the secure standard for modernized STK integration — something Android’s open access model lacks. A gated entitlement model would preserve integrity while unlocking transformative use-cases for millions.

Replies: 1 | Boosts: 0 | Views: 26 | Created: 2d
Does AlarmKit Live Activity not trigger .widgetURL?
Hello, I would like to inquire about a specific behavior I've observed with Live Activities to determine if it is a bug. When our application is closed but the device is in use, an alarm triggers a Live Activity to appear at the top of the screen. However, it seems that tapping the background area of this Live Activity does not trigger the .widgetURL and .onOpenURL. Could you please confirm if this is the intended behavior? Or should I configure another setting for the desired action, like triggering .onOpenURL? Thank you for your time and assistance. Best regards,

Replies: 0 | Boosts: 0 | Views: 10 | Created: 2d
SwiftData and CloudKit Issues
Hi, I'm using SwiftData in my app, and I want to send data to iCloud with CloudKit, but I found that if the user turns off my app's iCloud sync function in the Settings app, the local data will also be deleted. A better way is maintaining the local data and just not connecting to iCloud. How should I do that? I need guidance!!! I'm just getting started with CloudKit and I would appreciate it!

Replies: 1 | Boosts: 0 | Views: 118 | Created: 2d
False delete alarm when renaming a file
I use the code below to rename a file, it works ok, but then the system calls accommodatePresentedItemDeletion(completionHandler:) on a NSFilePresenter that presents the file, immediately after the call to presentedItemDidMove(to:). What am I doing wrong?

    NSFileCoordinator().coordinate(writingItemAt: oldURL, options: .forMoving, writingItemAt: newURL, options: [], error: &error) { (actualURL1, actualURL2) in
        do {
            coordinator.item(at: actualURL1, willMoveTo: actualURL2)
            try FileManager().moveItem(at: actualURL1, to: actualURL2)
            coordinator.item(at: actualURL1, didMoveTo: actualURL2)
        } catch {...}
    }

Replies: 0 | Boosts: 0 | Views: 77 | Created: 2d
How to index file based documents in Core Spotlight
I read this thread https://developer.apple.com/forums/thread/788979 thoroughly, but I’m still confused regarding indexing files content.

I'm building a notes app where the notes are stored in files. A file can contain several notes (think paragraphs). Each note and the file document itself have a unique ID, all embedded in the file.

So far so good, when the user opens a file in the app, I index all the notes in it using several CSSearchableItem, one for each note. Each CSSearchableItem gets a unique ID based on the note and file IDs. The notes are then visible in Spotlight search and when the user taps one of them, the app is called with a Spotlight activity and I present the note.

I learned that I should create a CSImportExtension to allow the system to index files when app is not running. But the only method is update(_:forFileAt:), which allows to provide back to the system a single attributes set.

- How can I index the notes in a file as separate items?
- What happens if an iCloud document file is edited remotely and the app is not running, or is editing another file? Does the system detect it and run CSImportExtension on the file?
- All the notes and documents IDs are unique, and when the user duplicates the document file from within the app, new unique IDs are set in the duplicate file. But the user can also duplicate files outside the app, in which case the IDs remain the same in the duplicate file. How does Spotlight react to indexing two distinct items, with the same ID, but different 'contentURL'?
- What if I index a note from a file, and set the current contentURL of the file, and then the user moves the file. Next time when I index a note from this file, Spotlight will get an item with the same uniqueIdentifier but with a different contentURL. Won't this confuse the system?
- How to handle the case of deleted files: Unless a file is pending editing, the app doesn’t know it has been deleted, so it won’t remove the corresponding items from Spotlight.

I should mention that I use a Core Data database, which stores the mapping from file document IDs to file URLs, actually to bookmarks, so I can track the files even if the user renames or moves them.

Replies: 4 | Boosts: 0 | Views: 129 | Created: 2d
Can't download files from file provider's folder if they are read-only
I face this issue only on macOS 26 and only on the Intel architecture. I'm unable to download files from a file provider's folder when I make them read-only.

STEPS TO REPRODUCE

1. Download the sample from https://developer.apple.com/documentation/fileprovider/synchronizing-files-using-file-provider-extensions?language=objc
2. Follow the steps on the page to configure the project.
3. Build the project.
4. Run it.
5. Add a domain.
6. Open the domain's folder in the Finder.
7. Move a file to the domain's folder.
8. Right-click on the file in the domain's folder and select "Remove Download".
9. Close the Finder's window with the domain's folder and kill all the "Provider" processes to get rid of running instances of the extension.
10. Change Item's capabilities in Item.swift to make the items read-only:

        var result: NSFileProviderItemCapabilities = [ .allowsContentEnumerating, .allowsReading ]

11. Rebuild the project and run it.
12. Open the domain's folder and try to drag and drop the file from the extension's folder to, let's say, the Desktop folder.

EXPECTED RESULT

The file is copied

ACTUAL RESULT

A dialog pops up with text "The file “filename” cannot be downloaded. Do you want to skip it?" Stop/Skip

Replies: 1 | Boosts: 0 | Views: 63 | Created: 3d
Missing com.apple.developer.adservices entitlements
I am trying to build my app and want to be able to integrate with Apple Ads services so I can get my users' attribution token. I tried and added the "com.apple.developer.adservices" entitlement, but now when I build my app it fails with the following error:

    include the com.apple.developer.adservices entitlement. Profile qualification is using entitlement definitions that may be out of date. Connect to network to update.

What do I need to do to make this work? I tried and can't find any docs online.

Replies: 1 | Boosts: 0 | Views: 58 | Created: 3d
SwiftData Migration: Objects Created in Custom Migration Aren't Persisted or Queryable (Repost)
I'm experiencing a critical issue with SwiftData custom migrations where objects created during migration appear to be inserted successfully but aren't persisted or found by queries after migration completes. The migration logs show objects being created, but subsequent queries return zero results.

I'm migrating from schema version V2 to V2_5, which involves:

- Renaming Person class to GroupData
- Keeping the same data structure but changing the class name while keeping the old class.
- Using a custom migration stage to copy data from old to new schema

Below is an extract of my two schema and migration plan:

Environment: Xcode 16.0, iOS 18.0, Swift 6.0

SchemaV2

    enum LinkMapV2: VersionedSchema {
        static let versionIdentifier: Schema.Version = .init(2, 0, 0)
        static var models: [any PersistentModel.Type] {
            [AnnotationData.self, Person.self, History.self]
        }

        @Model
        final class Person {
            @Attribute(.unique) var id: UUID
            var name: String
            var photo: String
            var requirement: String
            var statue: Bool
            var annotationId: UUID?
            var number: Int = 0

            init(id: UUID = UUID(), name: String = "", photo: String = "", requirement: String = "", status: Bool = false, annotationId: UUID? = nil, number: Int = 0) {
                self.id = id
                self.name = name
                self.photo = photo
                self.requirement = requirement
                self.statue = status
                self.annotationId = annotationId
                self.number = number
            }
        }
    }

Schema V2_5

    enum LinkMapV2_5: VersionedSchema {
        static let versionIdentifier: Schema.Version = .init(2, 5, 0)
        static var models: [any PersistentModel.Type] {
            [AnnotationData.self, Person.self, GroupData.self, History.self]
        }

        // Keep the old Person model for migration
        @Model
        final class Person {
            @Attribute(.unique) var id: UUID
            var name: String
            var photo: String
            var requirement: String
            var statue: Bool
            var annotationId: UUID?
            var number: Int = 0

            init(id: UUID = UUID(), name: String = "", photo: String = "", requirement: String = "", status: Bool = false, annotationId: UUID? = nil, number: Int = 0) {
                self.id = id
                self.name = name
                self.photo = photo
                self.requirement = requirement
                self.statue = status
                self.annotationId = annotationId
                self.number = number
            }
        }

        // Add the new GroupData model that mirrors Person
        @Model
        final class GroupData {
            @Attribute(.unique) var id: UUID
            var name: String
            var photo: String
            var requirement: String
            var status: Bool
            var annotationId: UUID?
            var number: Int = 0

            init(id: UUID = UUID(), name: String = "", photo: String = "", requirement: String = "", status: Bool = false, annotationId: UUID? = nil, number: Int = 0) {
                self.id = id
                self.name = name
                self.photo = photo
                self.requirement = requirement
                self.status = status
                self.annotationId = annotationId
                self.number = number
            }
        }
    }

Migration Plan

    static let migrationV2toV2_5 = MigrationStage.custom(
        fromVersion: LinkMapV2.self,
        toVersion: LinkMapV2_5.self,
        willMigrate: { context in
            do {
                let persons = try context.fetch(FetchDescriptor<LinkMapV2.Person>())
                print("=== MIGRATION STARTED ===")
                print("Found \(persons.count) Person objects to migrate")
                guard !persons.isEmpty else {
                    print("No Person data requires migration")
                    return
                }
                for person in persons {
                    print("Migrating Person: '\(person.name)' with ID: \(person.id)")
                    let newGroup = LinkMapV2_5.GroupData(
                        id: person.id, // Keep the same ID
                        name: person.name,
                        photo: person.photo,
                        requirement: person.requirement,
                        status: person.statue,
                        annotationId: person.annotationId,
                        number: person.number
                    )
                    context.insert(newGroup)
                    print("Inserted new GroupData: '\(newGroup.name)'")
                    // Don't delete the old Person yet to avoid issues
                    // context.delete(person)
                }
                try context.save()
                print("=== MIGRATION COMPLETED ===")
                print("Successfully migrated \(persons.count) Person objects to GroupData")
            } catch {
                print("=== MIGRATION ERROR ===")
                print("Migration failed with error: \(error)")
            }
        },
        didMigrate: { context in
            do {
                // Verify migration in didMigrate phase
                let groups = try context.fetch(FetchDescriptor<LinkMapV2_5.GroupData>())
                let oldPersons = try context.fetch(FetchDescriptor<LinkMapV2_5.Person>())
                print("=== MIGRATION VERIFICATION ===")
                print("New GroupData count: \(groups.count)")
                print("Remaining Person count: \(oldPersons.count)")
                // Now delete the old Person objects
                for person in oldPersons {
                    context.delete(person)
                }
                if !oldPersons.isEmpty {
                    try context.save()
                    print("Cleaned up \(oldPersons.count) old Person objects")
                }
                // Print all migrated groups for debugging
                for group in groups {
                    print("Migrated Group: '\(group.name)', Status: \(group.status), Number: \(group.number)")
                }
            } catch {
                print("Migration verification error: \(error)")
            }
        }
    )

And I've attached console output below:

Console Output

Replies: 1 | Boosts: 0 | Views: 57 | Created: 3d
Device Activity monitor extension Not working
Anyone has the same problem, which is that your Device Activity extension ain't working even though all the code works perfectly in the console? I set it up the right way, tried to make a schedule, and it did the same exact thing when I tried to create a usage threshold. Anyone know the reason for this bug? Here is my extension code:

    import DeviceActivity
    import ManagedSettings
    import FamilyControls
    import Foundation
    import OSLog
    import UserNotifications

    class MonitoringExtension: DeviceActivityMonitor {
        private let defaults = UserDefaults(suiteName: "group.com.William.app")
        private let logger = Logger(subsystem: "com.William.app", category: "MonitoringExtension")

        override func eventDidReachThreshold(_ event: DeviceActivityEvent.Name, activity: DeviceActivityName) {
            let activityRaw = activity.rawValue
            logger.info("Limite atteinte: \(activityRaw)")
            scheduleNotification(title: "Limite dépassée", body: "Tu as utilisé trop de temps sur \(activityRaw).")

            guard let data = defaults?.data(forKey: "\(activityRaw)_selection"),
                  let selection = try? JSONDecoder().decode(FamilyActivitySelection.self, from: data) else {
                logger.warning("Pas de sélection pour \(activityRaw)")
                return
            }

            let store = ManagedSettingsStore() // ← THE ONLY ONE THAT WORKS
            store.shield.applications = selection.applicationTokens
            if !selection.categoryTokens.isEmpty {
                store.shield.applicationCategories = .specific(selection.categoryTokens)
            }
            logger.info("BLOCAGE ACTIF via ManagedSettingsStore.default")
        }

        override func intervalDidEnd(for activity: DeviceActivityName) {
            super.intervalDidEnd(for: activity)
            let store = ManagedSettingsStore()
            store.clearAllSettings() // ← Unblocks at midnight
            logger.info("Restrictions levées à la fin de l'intervalle")
        }

        private func scheduleNotification(title: String, body: String) {
            UNUserNotificationCenter.current().requestAuthorization(options: [.alert, .sound]) { granted, _ in
                guard granted else { return }
                let content = UNMutableNotificationContent()
                content.title = title
                content.body = body
                let request = UNNotificationRequest(identifier: UUID().uuidString, content: content, trigger: nil)
                UNUserNotificationCenter.current().add(request)
            }
        }
    }

Replies: 0 | Boosts: 0 | Views: 125 | Created: 3d
AppMigrationKit future plans
In the future, are there any plans to have AppMigrationKit for macOS-Windows cross transfers (or Linux, ChromeOS, HarmonyOS NEXT, etc.)? Additionally, will the migration framework remain just iOS <-> Android or will it extend to Windows tablets, ChromeOS tablets, HarmonyOS NEXT, KaiOS, Series 30+, Linux mobile, etc.?

Replies: 1 | Boosts: 0 | Views: 120 | Created: 3d