Hi.
We are writing to report a critical issue we've encountered following the recent release of iOS 26 beta 6.
After updating our test devices, we discovered that our application is no longer able to establish HTTPS connections to several of our managed FQDNs. This issue was not present in beta 5 and appears to be a direct result of changes introduced in beta 6.
The specific FQDNs that are currently unreachable are:
d.socdm.com
i.socdm.com
tg.scodm.com
We have reviewed the official iOS & iPadOS 26 Beta 6 Release Notes, particularly the updates related to TLS. While the notes mention changes, we have confirmed that our servers for all affected FQDNs support TLS 1.2, so we believe they should still be compliant.
We have also investigated several of Apple's support documents regarding TLS connection requirements (e.g., HT214774, HT214041), but the information does not seem to apply to our situation, and we are currently unable to identify the root cause of this connection failure.
https://support.apple.com/en-us/102028
https://support.apple.com/en-us/103214
Although we hope this issue might be resolved in beta 7 or later, the official release is fast approaching, and this has become a critical concern for us.
Could you please provide any advice or insight into what might be causing this issue? Any guidance on potential changes in the networking or security frameworks in beta 6 that could affect TLS connections would be greatly appreciated.
We have attached the relevant code snippet that triggers the error, along with the corresponding Xcode logs, for your review.
Thank you for your time and assistance.
#import "ViewController.h"
@interface ViewController ()
@end
@implementation ViewController
- (void)viewDidLoad {
[super viewDidLoad];
NSURL *url = [NSURL URLWithString:@"https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js"];
NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:url
cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
timeoutInterval:30.0];
[self sendWithRequest:req completionHandler:^(NSData *_Nullable data,
NSHTTPURLResponse *_Nonnull response,
NSError *_Nullable error) {
if (error){
NSLog(@"Error occurred: %@", error.localizedDescription);
return;
}else{
NSLog(@"Success! Status Code: %ld", (long)response.statusCode);
}
}];
}
- (void) sendWithRequest:(NSMutableURLRequest *)request
completionHandler:(void (^ _Nullable)(NSData *_Nullable data,
NSHTTPURLResponse *response,
NSError *_Nullable error))completionHandler {
NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration defaultSessionConfiguration];
NSURLSession *session = nil;
session = [NSURLSession sessionWithConfiguration:configuration
delegate:self
delegateQueue:nil];
NSURLSessionTask *task = [session dataTaskWithRequest:request
completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
[session finishTasksAndInvalidate];
NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
if (error) {
if (completionHandler) {
completionHandler(nil, httpResponse, error);
}
}
else {
if (completionHandler) {
completionHandler(data, httpResponse, nil);
}
}
}];
[task resume];
}
@end
error
Connection 1: default TLS Trust evaluation failed(-9807)
Connection 1: TLS Trust encountered error 3:-9807
Connection 1: encountered error(3:-9807)
Task <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1> HTTP load failed, 0/0 bytes (error code: -1202 [3:-9807])
Task <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1> finished with error [-1202] Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “i.socdm.com” which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
"<cert(0x10621ca00) s: *.socdm.com i: GlobalSign RSA OV SSL CA 2018>",
"<cert(0x106324e00) s: GlobalSign RSA OV SSL CA 2018 i: GlobalSign>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js, NSErrorFailingURLStringKey=https://i.socdm.com/sdk/js/adg-script-loader-b-stg.js, NSUnderlyingError=0x1062bf960 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x10609d140>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9807, kCFStreamPropertySSLPeerCertificates=(
"<cert(0x10621ca00) s: *.socdm.com i: GlobalSign RSA OV SSL CA 2018>",
"<cert(0x106324e00) s: GlobalSign RSA OV SSL CA 2018 i: GlobalSign>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
"LocalDataTask <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1>"
), _kCFStreamErrorCodeKey=-9807, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <C50BB081-E1DA-40FF-A1E5-A03A2C4CB733>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x10609d140>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “i.socdm.com” which could put your confidential information at risk.}
Error occurred: The certificate for this server is invalid. You might be connecting to a server that is pretending to be “i.socdm.com” which could put your confidential information at risk.
折りたたむ
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Selecting any option will automatically load the page
Post
Replies
Boosts
Views
Activity
Hi,
A user logs in to the file vault, and DisableFDEAutoLogin is false. The file vault login succeeds, but the login to the selected user fails. The user gets the login screen again. If the user puts an invalid password to try and login again, the loginwindow:FDESupport plugin will change the user's password to the invalid one.
Hello,
We’ve resumed the migration process after a break. Since my colleague is no longer with us, I had to go through the steps again myself.
As before, we’re trying to migrate "Sign In with Apple" users from tenant TENANT_A with client_id=CLIENT_ID_A to tenant TENANT_B with client_id=CLIENT_ID_B
I followed the procedure described here: [Apple Developer Documentation](https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer – Migrating Sign In with Apple Users, essentially repeating what my coworker previously attempted in coordination with your employee Stephanie.
Here’s a summary of the steps and the issue we’re facing:
STEP 1 - get authcode for TEAM A
curl --location 'https://appleid.apple.com/auth/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=client_credentials'
--data-urlencode 'scope=user.migration'
--data-urlencode 'client_id=pl.CLIEND_ID_A'
--data-urlencode 'client_secret=<TEAM_A_SECRET>'
I receive response:
{
"access_token": "<ACCESS_TOKEN_TEAM_A>",
"token_type": "Bearer",
"expires_in": 3600
}
STEP 2 - get authcode for TEAB B
curl --location 'https://appleid.apple.com/auth/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=client_credentials'
--data-urlencode 'scope=user.migration'
--data-urlencode 'client_id=CLIENT_ID_B'
--data-urlencode 'client_secret=<TEAB_B_SECRET>'
I receive response:
{
"access_token":"<ACCESS_TOKEN_TEAB_B>",
"token_type": "Bearer",
"expires_in": 3600
}
STEP 3 - get transfer_sub from TEAM A
curl --location 'https://appleid.apple.com/auth/usermigrationinfo'
--header 'Authorization: Bearer <ACCESS_TOKEN_TEAM_A>'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'client_id=CLIENT_ID_A'
--data-urlencode 'client_secret=<TEAM_A_SECRET>'
--data-urlencode 'sub=USER_SUB_FROM_TEAM_A'
--data-urlencode 'target=TENANT_B'
I receive response:
{
"transfer_sub": "USER_SUB_FROM_TEAM_B"
}
STEP 4 - Team B exchanges transfer identifers
curl --location 'https://appleid.apple.com/auth/usermigrationinfo'
--header 'Authorization: Bearer <ACCESS_TOKEN_TEAM_B'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'client_id=CLIENT_ID_B'
--data-urlencode 'client_secret=<TEAM_B_SECRET>'
I receive response:
{
"error": "invalid_request"
}
We’ve created a new client_id under tenant B and want to migrate users there. However, we skipped the step described in Step 3 of the documentation(https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer#3-Team-A-initiates-app-transfer-to-Team-B), which involves initiating an app transfer. The reason is that this client_id is used solely for web authentication, not for a mobile app, so we don’t have an app to transfer.
Based on our analysis and your documentation, it seems this flow only works if the client_id matches across both tenants, which can only be achieved through an app transfer, something we cannot proceed with.
Apple previously insisted that we migrate these users, but as shown above, we’re stuck. Is there any alternative flow available, or can you assist us in completing this migration?
Topic:
Privacy & Security
SubTopic:
Sign in with Apple
My application is supporting hybrid transport on FIDO2 webAuthn specs to create credential and assertion. And it support legacy passkeys which only mean to save to 1 device and not eligible to backup.
However In my case, if i set the Backup Eligibility and Backup State flag to false, it fails on the completion of the registrationRequest to save the passkey credential within credential extension, the status is false instead of true.
self.extension.completeRegistrationRequest(using: passkeyRegistrationCredential)
The attestation and assertion flow only works when both flags set to true.
Can advice why its must have to set both to true in this case?
Hi,
Before I begin my investigation, I want to explain our code-level support process for issues related to Sign in with Apple—as the issue you’re reporting may be the result of any of the following:
An error in your app or web service request.
A configuration issue in your Developer Account.
An internal issue in the operation system or Apple ID servers.
To ensure the issue is not caused by an error within your app or web service request, please review TN3107: Resolving Sign in with Apple response errors to learn more about common error causes and potential solutions when performing requests.
If the technote does not help identify the cause of the error, I need more information about your app or web services to get started. To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback.
Gathering required information for troubleshooting Sign in with Apple authorization and token requests
For issues occurring with your native app, perform the following steps:
Install the Accounts/AuthKit profile on your iOS, macOS, tvOS, watchOS, or visionOS device.
Reproduce the issue and make a note of the timestamp when the issue occurred, while optionally capturing screenshots or video.
Gather a sysdiagnose on the same iOS, macOS, tvOS, watchOS, or visionOS device.
Create a report in Feedback Assistant, and ensure your feedback contains the following information:
the primary App ID or Bundle ID
the user’s Apple ID, email address, and/or identity token
the sysdiagnose gathered after reproducing the issue
the timestamp of when the issue was reproduced
screenshots or videos of errors and unexpected behaviors (optional)
For issues occurring with your web service, ensure your feedback contains the following information:
the primary App ID and Services ID
the user’s Apple ID, email address, and/or identity token
the failing request, including all parameter values, and error responses (if applicable)
the timestamp of when the issue was reproduced (optional)
screenshots or videos of errors and unexpected behaviors (optional)
Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue.
Submitting your feedback
Before you submit to Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client.
After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug.
Cheers,
Paris X Pinkney | WWDR | DTS Engineer
Topic:
Privacy & Security
SubTopic:
Sign in with Apple
Tags:
Sign in with Apple REST API
Sign in with Apple
Sign in with Apple JS
Would really appreciate support with this invalid_client issue:
I have a web app and have aligned the JWT Header and Payload
JWT Header
{
"alg": "ES256",
"kid": "ABC123DEFG"
}
JWT Payload
{
"iss": "DEF123GHIJ",
"iat": 1234567890,
"exp": 1234567890,
"aud": "https://appleid.apple.com",
"sub": "com.yourapp.service"
The domains and callback are aligned and correct
I've even created a new p8 and updated the Key_ID
Sending Credentials to Apple (Token Request) Content-Type: application/x-www-form-urlencoded
However, still no luck. Can anyone assist with identifying the possible error?
Many thanks
Topic:
Privacy & Security
SubTopic:
Sign in with Apple
Tags:
Sign in with Apple REST API
Sign in with Apple
Sign in with Apple JS
Hi ,
I have a requirement like,
Develop an app for iPad and app uses .net core apis.
App will be in kiosk mode, and app doesn't have any type of authentication even OTP also.
As the apis will be publishing to all over internet, how can we achieve security to apis?
Kindly provide suggestions for this implementation
With Let's Encrypt having completely dropped support for OCSP recently [1], I wanted to ask if macOS has a means of keeping up to date with their CRLs and if so, roughly how often this occurs?
I first observed an issue where a revoked-certificate test site, "revoked.badssl.com" (cert signed by Let's Encrypt), was not getting blocked on any browser, when a revocation policy was set up using the SecPolicyCreateRevocation API, in tandem with the kSecRevocationUseAnyAvailableMethod and kSecRevocationPreferCRL flags.
After further investigation, I noticed that even on a fresh install of macOS, Safari does not block this test website, while Chrome and Firefox (usually) do, due to its revoked certificate. Chrome and Firefox both have their own means of dealing with CRLs, while I assume Safari uses the system Keychain and APIs.
I checked cert info for the site here [2]. It was issued on 2025-07-01 20:00 and revoked an hour later.
[1] https://letsencrypt.org/2024/12/05/ending-ocsp/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=revoked.badssl.com
Hi,
We are using the MSAL library to authenticate users, with SSO authentication implemented through the Microsoft Authenticator app.
The problem is that once or twice a day, a prompt for forced authentication appears, indicating that silent token acquisition is failing and resulting in a requirement for forced authentication. Below are some of the logs:
=================================================
2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] Silent flow finished. Result (null), error: -51115 error domain: MSIDErrorDomain
2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] acquireTokenSilent returning with error: (MSALErrorDomain, -50002) Masked(not-null)
====================================================
We initially raised this issue with Microsoft, but according to them:
In the app's logs, the single one failure it contains, was when the SSO extension returned the error com.apple.AuthenticationServices.AuthorizationError, -6000 during a silent call. This error code is generated by the system framework (Apple), not by our code. It indicates that the framework encountered an unexpected internal issue before or after calling the SSO extension.
MSAL returning interaction_required to the client app is the most effective way to recover from this error (as you mention, after the user selects the account the app continues working as expected).
Additionally, as you also mention, the interactive call is made by switching to Authenticator (not displaying a "window" without leaving Eva Lite app), which means MSAL is not able to use the SSO extension and is using the fallback to legacy authentication.
The recommended next step is for the customer to request support directly from Apple as this is an issue on their side. Additionally, the customer can also try to update to the latest iOS, in case Apple has already fixed this issue.
=============================================
STEPS TO REPRODUCE
There is no such steps its just that this is an enterprise application which is getting used on managed devices[iPhone 14]. The device are managed using some intune policy.
Platform and Version:
iOS
Development Environment: Xcode 15, macOS 13.6.1
Run-time Configuration: iOS 18
Please let me know if there are any solutions to resolve this problem. Thank you.
I keep getting the following error when trying to run Passkey sign in on macOS.
Told not to present authorization sheet: Error Domain=com.apple.AuthenticationServicesCore.AuthorizationError Code=1 "(null)"
ASAuthorizationController credential request failed with error: Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1004 "(null)"
This is the specific error.
Application with identifier a is not associated with domain b
I have config the apple-app-site-association link and use ?mode=developer
Could there be any reason for this?
Topic:
Privacy & Security
SubTopic:
General
Tags:
macOS
Objective-C
Authentication Services
Passkeys in iCloud Keychain
Hello everyone.
Hope this one finds you well)
I have an issue with integrating a FIDO2 server with ASAuthorizationController.
I have managed to register a user with passkey successfully, however when authenticating, the request for authentication response fails. The server can't validate signature field.
I can see 2 possible causes for the issue: ASAuthorizationPlatformPublicKeyCredentialAssertion.rawAuthenticatorData contains invalid algorithm information (the server tries ES256, which ultimately fails with false response), or I have messed up Base64URL encoding for the signature property (which is unlikely, since all other fields also require Base64URL, and the server consumes them with no issues).
So the question is, what encryption algorithm does ASAuthorizationController use? Maybe someone has other ideas regarding where to look into?
Please help. Thanks)
I am working on implementing mTLS authentication in my iOS app (Apple Inhouse & intune MAM managed app). The SCEP client certificate is deployed on the device via Intune MDM. When I try accessing the protected endpoint via SFSafariViewController/ASWebAuthenticationSession, the certificate picker appears and the request succeeds. However, from within my app (using URLSessionDelegate), the certificate is not found (errSecItemNotFound).
The didReceive challenge method is called, but my SCEP certificate is not found in the app. The certificate is visible under Settings > Device Management > SCEP Certificate.
How can I make my iOS app access and use the SCEP certificate (installed via Intune MDM) for mTLS requests?
Do I need a special entitlement, keychain access group, or configuration in Intune or Developer account to allow my app to use the certificate?
Here is the sample code I am using:
final class KeychainCertificateDelegate: NSObject, URLSessionDelegate {
func urlSession(_ session: URLSession,
didReceive challenge: URLAuthenticationChallenge,
completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
completionHandler(.performDefaultHandling, nil)
return
}
// Get the DNs the server will accept
guard let expectedDNs = challenge.protectionSpace.distinguishedNames else {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
var identityRefs: CFTypeRef? = nil
let err = SecItemCopyMatching([
kSecClass: kSecClassIdentity,
kSecMatchLimit: kSecMatchLimitAll,
kSecMatchIssuers: expectedDNs,
kSecReturnRef: true,
] as NSDictionary, &identityRefs)
if err != errSecSuccess {
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
guard let identities = identityRefs as? [SecIdentity],
let identity = identities.first
else {
print("Identity list is empty")
completionHandler(.cancelAuthenticationChallenge, nil)
return
}
let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
completionHandler(.useCredential, credential)
}
}
func perform_mTLSRequest() {
guard let url = URL(string: "https://sample.com/api/endpoint") else {
return
}
var request = URLRequest(url: url)
request.httpMethod = "POST"
request.setValue("application/json", forHTTPHeaderField: "Accept")
request.setValue("Bearer \(bearerToken)", forHTTPHeaderField: "Authorization")
let delegate = KeychainCertificateDelegate()
let session = URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
let task = session.dataTask(with: request) { data, response, error in
guard let httpResponse = response as? HTTPURLResponse, (200...299).contains(httpResponse.statusCode) else {
print("Bad response")
return
}
if let data = data {
print(String(data: data, encoding: .utf8)!)
}
}
task.resume()
}
Hello Apple Team
We are integrating App Attest with our backend and seeing a 400 Bad Request response when calling the attestation endpoint. The issue is that the response does not include an X-Request-ID or JSON error payload with id and code, which makes it hard to diagnose. Instead, it only returns a receipt blob.
Request Details
URL:
https://data-development.appattest.apple.com/v1/attestationData
Request Headers:
Authorization: eyJraWQiOiI0RjVLSzRGV1JaIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJOOVNVR1pNNjdRIiwiZXhwIjoxNzU3MDUxNTYwLCJpYXQiOjE3NTcwNDc5NjB9.MEQCIF236MqPCl6Vexg7RcPUMK8XQeACXogldnpuiNnGQnzgAiBQqASdbJ64g58xfWGpbzY3iohvxBSO5U5ZE3l87JjfmQ
Content-Type: application/octet-stream
Request Body:
(Binary data, logged as [B@59fd7d35)
Response
Status:
400 Bad Request
Response Headers:
Date: Fri, 05 Sep 2025 04:52:40 GMT
x-b3-traceid: 4c42e18094022424
x-b3-spanid: 4c42e18094022424
Response Body (truncated):
"receipt": h'308006092A864886F70D01070...
Problem
The response does not include X-Request-ID.
The response does not include JSON with id or code.
Only a receipt blob is returned.
Questions
Can the x-b3-traceid be used by Apple to trace this failed request internally?
Is it expected for some failures to return only a receipt blob without X-Request-ID?
How should we interpret this error so we can handle it properly in production?
Thanks in advance for your guidance.
We are interested in using a hardware-bound key in a launch daemon. In a previous post, Quinn explicitly told me this is not possible to use an SE keypair outside of the system context and my reading of the Apple documentation also supports that.
That said, we have gotten the following key-creation and persistence flow to work, so we have some questions as to how this fits in with the above.
(1) In a launch daemon (running thus as root), we do:
let key = SecureEnclave.P256.Signing.PrivateKey()
(2) We then use
key.dataRepresentation
to store a reference to the key in the system keychain as a kSecClassGenericPassword.
(3) When we want to use the key, we fetch the data representation from system keychain and we "rehydrate" the key using:
SecureEnclave.P256.Signing.PrivateKey(dataRepresentation: data)
(4) We then use the output of the above to sign whatever we want.
My questions:
in the above flow, are we actually getting a hardware-bound key from the Secure Enclave or is this working because it's actually defaulting to a non-hardware-backed key?
if it is an SE key, is it that the Apple documentation stating that you can only use the SE with the Data Protection Keychain in the user context is outdated (or wrong)?
does the above work, but is not an approach sanctioned by Apple?
Any feedback on this would be greatly appreciated.
Hello
I'm using Auth0 for handling auth in my app
When the user wants to sign in, it will show the auth system pop-up
And when the user wants to log out it shows the same pop-up
My issue is how to replace the Sign In text in this pop-up to show Sign Out instead of Sign In when the user wants to sign out?
Hello everyone,
I'm developing a FIDO2 service using the AuthenticationServices framework. I've run into an issue when a user manually deletes a passkey from their password manager.
When this happens, the ASAuthorizationError I get doesn't clearly indicate that the passkey is missing. The error code is 1001, and the localizedDescription is "The operation couldn't be completed. No credentials available for login." The userInfo also contains "NSLocalizedFailureReason": "No credentials available for login."
My concern is that these localized strings will change depending on the user's device language, making it unreliable for me to programmatically check for a "no credentials" scenario.
Is there a more precise way to determine that the user has no passkey, without relying on localized string values?
Thank you for your help.
Topic:
Privacy & Security
SubTopic:
General
Tags:
Authentication Services
Passkeys in iCloud Keychain
Hello Developers,
I have ran into a problem while sending mail to apple private relay email. We have built a mobile application where user can sign up through apple and they can sign up using hide-my-email feature. Which provides private relay address for us. Now we want to communicate with them using private relay mail address. The technology we are using to send emails are amazon SES, have done SPF, DMIK, DMARC and added domains in apple identity services for mail communication, passed an SPF check as well. But still mail is not getting delivered
what am i doing wrong or apple doesn't support third party apps for sending emails to private relay? Is there any other way to achieve this please let me know
Using the same body as attached in image is working fine for rest emails.
Topic:
Privacy & Security
SubTopic:
Sign in with Apple
Tags:
Sign in with Apple REST API
Privacy
Sign in with Apple
Testing my security agent plugin on Tahoe and find that when unlocking the screen, I now get an extra window that pops up over the SFAuthorizationPluginView that says "macOS You must enter a password to unlock the screen" with a Cancel (enabled) and OK button (disabled). See the attached photo. This is new with Tahoe.
When unlocking the screen, I see the standard username and password entry view and I enter my password and click OK. That is when this new view appears. I can only click cancel so there is no way to complete authenticating.
We are using SecPKCS12Import C API in our application to import a self seigned public key certificate. We tried to run the application for the first time on Tahoe and it failed with OSStatus -26275 error.
The release notes didn't mention any deprecation or change in the API as per https://developer.apple.com/documentation/macos-release-notes/macos-26-release-notes.
Are we missing anything? There are no other changes done to our application.
We are facing an issue with Keychain sharing across our apps after our Team ID was updated. Below are the steps we have already tried and the current observations:
Steps we have performed so far:
After our Team ID changed, we opened and re-saved all the provisioning profiles.
We created a Keychain Access Group: xxxx.net.soti.mobicontrol (net.soti.mobicontrol is one bundle id of one of the app) and added it to the entitlements of all related apps.
We are saving and reading certificates using this access group only. Below is a sample code snippet we are using for the query:
[genericPasswordQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
[genericPasswordQuery setObject:identifier forKey:(id)kSecAttrGeneric];
[genericPasswordQuery setObject:accessGroup forKey:(id)kSecAttrAccessGroup];
[genericPasswordQuery setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
[genericPasswordQuery setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnAttributes];
Issues we are facing:
Keychain items are not being shared consistently across apps.
We receive different errors at different times:
Sometimes errSecDuplicateItem (-25299), even when there is no item in the Keychain.
Sometimes it works in a debug build but fails in Ad Hoc / TestFlight builds.
The behavior is inconsistent and unpredictable.
Expectation / Clarification Needed from Apple:
Are we missing any additional configuration steps after the Team ID update?
Is there a known issue with Keychain Access Groups not working correctly in certain build types (Debug vs AdHoc/TestFlight)?
Guidance on why we are intermittently getting -25299 and how to properly reset/re-add items in the Keychain.
Any additional entitlement / provisioning profile configuration that we should double-check.
Request you to please raise a support ticket with Apple Developer Technical Support including the above details, so that we can get guidance on the correct setup and resolve this issue.