Hi,
we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content.
PowerPoint extensions
Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location:
~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/
The PPAM file must be also registered in the MicrosoftRegistrationDB.reg file which is a sqlite database stored at this location:
~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg
These locations can be access by non-sandboxed app on macOS 14 and earlier.
Slido integration
Our Slido app for macOS is distributed outside the Mac App Store, it is not sandboxed and it signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database.
This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text:
"Slido" would like to access data from other apps.
This will allow Slido to integrate with Microsoft PowerPoint app.
[Don't Allow] [Allow]
We understand this is a security feature, yet we would like to make the experience for customers much better.
As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context.
Slido installs its files to this location:
~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/
Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are different TeamID?
Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts?
By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint.
We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform.
I am thankfully for any guidance and constructive feedback.
Jozef, Tech Leader at Slido integrations team
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
Hi, I try to decrypt some string. Does this code looks good? I get error: CryptoKit.CryptoKitError error 3.
do {
guard let encryptedData = Data(base64Encoded: cardNumber),
let securityKeyData = Data(base64Encoded: securityKey),
let ivData = Data(base64Encoded: iv),
let privateKeyData = Data(base64Encoded: privateKey) else {
throw NSError(domain: "invalid_input", code: 1, userInfo: [NSLocalizedDescriptionKey: "Invalid Base64 input."])
}
let privateKey = try P256.KeyAgreement.PrivateKey(derRepresentation: privateKeyData)
let publicKey = try P256.KeyAgreement.PublicKey(derRepresentation: securityKeyData)
let sharedSecret = try privateKey.sharedSecretFromKeyAgreement(with: publicKey)
let symmetricKey = sharedSecret.hkdfDerivedSymmetricKey(
using: SHA256.self,
salt: Data(),
sharedInfo: Data(),
outputByteCount: 32
)
let encryptedDataWithoutTag = encryptedData.dropLast(16)
let tagData = encryptedData.suffix(16)
let nonce = try AES.GCM.Nonce(data: ivData)
let sealedBox = try AES.GCM.SealedBox(nonce: nonce, ciphertext: encryptedDataWithoutTag, tag: tagData)
let decryptedData = try AES.GCM.open(sealedBox, using: symmetricKey)
resolve(decryptedCardNumber)
} catch {
print("Decryption failed with error: \(error.localizedDescription)")
reject("decryption_error", "Decryption failed with error: \(error.localizedDescription)", nil)
}
I don't see any certificates or CAs in the Passwords application, so now what?
I'm seeing some odd behavior which may be a bug. I've broken it down to a least common denominator to reproduce it. But maybe I'm doing something wrong.
I am opening a file read-write. I'm then mapping the file read-only and private:
void* pointer = mmap(NULL, 17, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0);
I then unmap the memory and close the file. After the close, eslogger shows me this:
{"close":{"modified":false,[...],"was_mapped_writable":false}}
Which makes sense.
I then change the mmap statement to:
void* pointer = mmap(NULL, 17, PROT_READ, MAP_FILE | MAP_SHARED, fd, 0);
I run the new code and and the close looks like:
{"close":{"modified":false, [....], "was_mapped_writable":true}}
Which also makes sense.
I then run the original again (ie, with MAP_PRIVATE vs. MAP_SHARED) and the close looks like:
{"close":{"modified":false,"was_mapped_writable":true,[...]}
Which doesn't appear to be correct.
Now if I just open and close the file (again, read-write) and don't mmap anything the close still shows:
{"close":{ [...], "was_mapped_writable":true,"modified":false}}
And the same is true if I open the file read-only.
It will remain that way until I delete the file. If I recreate the file and try again, everything is good until I map it MAP_SHARED.
I tried this with macOS 13.6.7 and macOS 15.0.1.
Option 1: Kurz und prägnant
"Hilfe in jeder Situation! Unsere App alarmiert schnell und unkompliziert die Rettungskräfte. Egal wo du bist, wir helfen dir in Notfällen."
Option 2: Detaillierter
"Schnelle Hilfe für alle! Mit unserer App hast du rund um die Uhr einen zuverlässigen Helfer an deiner Seite. Ob du selbst in Not bist oder Zeugen eines Unfalls werden – mit nur einem Klick alarmierst du die Rettungskräfte und erhältst wichtige Informationen. Funktioniert für iOS und Android."
Option 3: Fokus auf die Zielgruppe "Alle"
"Für jeden ein Lebensretter! Egal, ob jung oder alt, sportlich oder weniger beweglich – unsere App ist für alle gedacht, die in einer Notlage schnell Hilfe benötigen. Einfach, intuitiv und immer für dich da."
Option 4: Betonung der Notfallfunktion
"Dein persönlicher Notfallhelfer! In kritischen Situationen zählt jede Sekunde. Unsere App sorgt dafür, dass die Rettungskräfte schnellstmöglich bei dir sind. Perfekt für unterwegs, zu Hause oder am Arbeitsplatz."
Option 5: Hervorhebung der Plattformunabhängigkeit
"Hilfe ohne Grenzen! Unsere App ist für iOS und Android Geräte verfügbar und sorgt dafür, dass du immer und überall Hilfe bekommst. Egal, welches Smartphone du hast, wir sind für dich da."
Möchtest du, dass ich einen Text entwerfe, der alle deine Punkte vereint? Oder hast du weitere Wünsche oder Vorstellungen?
Hi all.
So, I built the platform SSO extension on a demo server I created and everything ran smoothly. I get the tokens at the end of the process.
Now, I want to use the tokens when I trigger my SSO extension in my domain from Safari.
I trigger my domain, get into the beginAuthorization method, get the request.loginManager?.ssoTokens and then want to return them to Safari by calling the request.complete method.
But, no matter what complete method I call (complete(httpResponse: HTTPURLResponse, httpBody: Data?) or complete(httpAuthorizationHeaders: [String : String]) where I insert the Bearer token into the Authorization header, it will not drill down to Safari or my server. The headers I try to send back are not moving from the extension to Safari.
Some knows why its happening?
Thank you for any help or suggestion.
I currently do FaceID validation in my apps but it looks like Apple is offering FaceID ad the App level. Does this mean we still need to or can code for it in iOS 18 apps? Right now I've been working on migrating to iOS 18 using beta but my swift code just returns an "unknown error". From a developer perspective I can't find any examples or guidance on how handle FaceID currently in iOS 18 or going forward.
Anyone have any insights or resources.
This is the code that used to work but now under iOS 18 returns the error. Maybe the simulator and swift have not caught up but I don't think so given that it's been two beta release that I know of where this has not worked.
class biometric {
class func authenticateUser() async -> (Bool, Error?) {
let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
let biometryType = context.biometryType
var reason = "Authenticate with \(biometryType)"
if biometryType == .faceID {
reason = "Authenticate with Face ID"
} else if biometryType == .touchID {
reason = "Authenticate with Touch ID"
}
do {
let success = try await context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason)
LogEvent.print(module: "Authentication.biometric.authenticateUser", message: "Biometric authentication. success: \"\(success)\".")
return (success, nil)
} catch let evaluationError as LAError {
LogEvent.print(module: "Authentication.biometric.authenticateUser", message: "Biometric authentication failed. evaluationError: \"\(evaluationError.localizedDescription)\"")
handleEvaluationError(evaluationError)
I do get past the .canEvaluatePolicy but fail on the .evaluatePolicy
Hi,
I'm currently in the middle of debugging between my macOS and server for implementing Platform SSO.
As part of the debug process, I sometimes want to restart the whole process, which means to get into the beginDeviceRegisteration method again.
I noticed that even if I push the Repair button in the user (under settings) it will go again and again into the beginUserRegistration, but it will not go again to the device registration.
Is there an option to reset the Platform SSO device registration? (already tried Repair, remove MDM profile of the PSSO etc.)
I added a password to Keychain using Swift on macOS.
All works well, and I can see it
using Keychain Access, it is stored under iCloud -> Passwords.
How can I see this password on the Passwords App. Is there something I need to do, maybe in Swift, to have this password in the Passwords App, not just in Keychain Access
Note, I have turn on iCloud Keychain on my Mac: https://support.apple.com/en-us/109016
I've made a simple command line app that requires Screen recording permission.
When I ran it from Xcode, it prompts for a permission and once I allowed it from the settings, it runs well.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <CoreGraphics/CGDisplayStream.h>
int main() {
printf("# Start #\n");
if (CGPreflightScreenCaptureAccess()) {
printf("# Permitted.\n");
} else {
printf("# Not permitted.\n");
if (CGRequestScreenCaptureAccess() == false) {
printf("# CGRequestScreenCaptureAccess() returning false\n");
}
}
size_t output_width = 1280;
size_t output_height = 720;
dispatch_queue_t dq = dispatch_queue_create("com.domain.screengrabber", DISPATCH_QUEUE_SERIAL);
CGError err;
CGDisplayStreamRef sref = CGDisplayStreamCreateWithDispatchQueue(
1,
output_width,
output_height,
'BGRA',
NULL,
dq,
^(
CGDisplayStreamFrameStatus status,
uint64_t time,
IOSurfaceRef frame,
CGDisplayStreamUpdateRef ref
) {
printf("Got frame: %llu, FrameStatus:%d \n", time, status);
}
);
err = CGDisplayStreamStart(sref);
if (kCGErrorSuccess != err) {
printf("Error: failed to start streaming the display. %d\n", err);
exit(EXIT_FAILURE);
}
while (true) {
usleep(1e5);
}
CGDisplayStreamStop(sref);
printf("\n\n");
return 0;
}
Now I want to execute this from terminal, so I went to the build folder and
typed the app name.
cd /Users/klee/Library/Developer/Xcode/DerivedData/ScreenStreamTest-ezddqbkzhndhakadslymnvpowtig/Build/Products/Debug
./ScreenStreamTest
But I am getting following output without any prompt for permission.
# Start #
# Not permitted.
# CGRequestScreenCaptureAccess() returning false
Error: failed to start streaming the display. 1001
Is there a something I need to consider for this type of command line app?
I am trying to finish my very first app. I went to save the PN key file and my computer shut off. I went to Certificates, Identifiers, and profiles and it says that I have reached the maximum allowed. I dont know what to do. I cant do anything with my app this is so stupid how could they make it so something like this was even possible. I am totally screwed. Please help me!
When I reboot my iPhone 14 pro with Live Activity started, KeyChain information disappears.
So there is a problem that I have to sign-in again when I enter the app.
There is no problem rebooting the iPhone without Live Activity.
iOS17 didn't have this problem.
When I reboot my iPhone 14 pro with Live Activity started, Keychase information disappears.
So there is a problem that I have to sign-in again when I enter the app.
There is no problem rebooting the iPhone without Live Activity.
iOS17 didn't have this problem.
Hi, team.
So, I'm working on reading certificates from the keychain that have been stored or saved by other apps into it.
I understand that kSecAttrAccessGroupToken allows us to achieve that.
It is a requirement to use com.apple.token group in the entitlements file.
Having done that, I cannot store SecSertificates into the keychain, and into the security group. I can do it without the security group, but after adding in the dictionary the kSecAttrAccessGroup: kSecAttrAccessGroupToken, I can no longer add certificates.
I get the famous -34018. No entitlement found.
However, when I try to read certificates in the same access group, I do not get a -34018 error back. I instead get a -25300, which I understand means no keychain item was found in this access group.
How can this be happening?
Reading, the entitlement works, writing does not.
Here are my queries:
For adding:
let addQuery = [
kSecClass: kSecClassCertificate,
kSecValueRef: secCertificate as Any,
kSecAttrLabel: certificateName,
kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemAdd(addQuery as CFDictionary, nil)
For reading:
var item: CFTypeRef?
let query = [
kSecClass: kSecClassCertificate,
kSecMatchLimit: kSecMatchLimitAll,
kSecReturnRef: kCFBooleanTrue as Any,
kSecAttrAccessGroup: kSecAttrAccessGroupToken
] as [CFString: Any]
let status = SecItemCopyMatching(query as CFDictionary, &item)
Hi,
I am currently trying to develop an authorization plugin using SFAuthorizationPluginView. My objective is to display a webView to the user for authentication purposes. I have based my work on the updated NameandPassword example : https://github.com/antoinebell/NameAndPassword.
I have seen that the header for the SFAuthorizationPluginView class exists in Swift. However, I have not found any implementation examples of an authorization plugin in Swift. I have attempted to implement this on my own but am encountering difficulties displaying my embedded view within a ViewController.
Is it possible to create an authorization plug-in in Swift ?
Under iOS 18.0.1, I can't do any development that uses HTTPS, because I can't authorize my generated certificates on my phone. This was not a problem in the past.
Normally you AirDrop a root certificate authority to your phone, install the "profile" for it, and then trust it in Settings / General / About / Certificate Trust Authority. Then you can connect to another server on your network that's using the accompanying certificates.
But after sucessfully installing two profiles on my phone, neither shows up in Certificate Trust Authority. Anybody else seeing this?
This problem, in combo with this one (which prevents running on my Mac as an iPad app) has completely halted my project.
I've found reports of this problem that blamed an empty "common name" field in the certs, but that field is populated in both of these.
Trusted execution is a generic name for a Gatekeeper and other technologies that aim to protect users from malicious code.
General:
DevForums tag: Gatekeeper
Developer > Signing Mac Software with Developer ID
Apple Platform Security support document
Safely open apps on your Mac support article
Hardened Runtime document
WWDC 2022 Session 10096 What’s new in privacy covers some important Gatekeeper changes in macOS 13 (starting at 04: 32), most notably app bundle protection
WWDC 2023 Session 10053 What’s new in privacy covers an important change in macOS 14 (starting at 17:46), namely, app container protection
WWDC 2024 Session 10123 What’s new in privacy covers an important change in macOS 15 (starting at 12:23), namely, app group container protection
Updates to runtime protection in macOS Sequoia news post
Testing a Notarised Product DevForums post
Resolving Trusted Execution Problems DevForums post
App Translocation Notes DevForums post
Most trusted execution problems are caused by code signing or notarisation issues. See Code Signing Resources and Notarisation Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Dear Apple Team,
I hope this message finds you well.
Recently, while exploring Apple’s open-source resources, I came across some files that appear to contain sensitive information, including private keys. I wanted to reach out to clarify whether these files are intentionally made publicly available or if they might be exposed due to a potential misconfiguration.
Understanding the nature of these files is important, and I would appreciate any guidance you can provide regarding their accessibility and any necessary steps that should be taken to address this matter.
Thank you for your attention to this issue. I look forward to your response.
Good day. As part of a business unit separation, we are required to have our product with a different name, bundle IDs and certificates than our current configuration.
The product contains network extensions and requires Full Disk Access. We distribute this product to our customers who either support MDM or not.
I know from previous experience that a product can be transferred to a different account, which is something we could do only for some parts of our product (only a couple of Bundle IDs).
My question is what's the best way to do this. I can imagine that having a scripted scenario where the other business unit's product is removed from customers and ours is installed, in a different folder.
The main issue I can foresee is that because our architecture uses several network extensions that are installed as plugins (bad design I know), we would be asking the users for authorisation, again, to use those extensions, plus full disk access.
What options do I have?
I'm attempting to make an alternative to the MS Company Portal app.
We are looking to implement PSSO in our organization and are not satisfied with the features that Company Portal offers. One example of this is, we don't like what the password reset workflow looks like. We'd like to make it so the reset process is more fluid. Additionally, we want to report the status of the service more readily (not requiring clicking so far into System Settings to locate it). These are just a couple examples of what we're not thrilled with...
In light of this, my desire is to create another app, that includes a PSSO extension that is able to connect to Entra. I have scoured the internet, developer portal, and macadmin forum... and have failed to find a comprehensive guide for helping me through this.
Currently Using:
IDP: Entra
Language: SwiftUI
Frameworks: MSAL and KeychainAccess
Any help would be great... a comprehensive guide would be AMAZING!