I want to modify my security policy from the Startup Security Utility. When I try to modify the options:
• Allow user management of kernel extensions from identified developers
or
• Allow remote management of kernel extensions and automatic software updates
I get: The operation couldn’t be completed. (SDErrorDomain error 104.)
Trying to install UAD Arrow and need to change the security policy.
Any help will be appreciated.
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
When we transfer app A to app B, if we transfer the app but don't migrate the users to app B, will the users' previous tokens from app A become invalid? Is this failure real-time, or will there be a buffer period to transfer users? If it is a live failure, we want to transfer some users during the transfer process to prevent accidents, and then test them. Is there a way to test it?
We have integrated the Sign in with Apple ID feature in our iOS app. Whenever a user tries to sign in with Apple ID from within our app, after authorizing the login process we get this error: "Something went wrong".
This happens with some iPhones, whereas other users work fine without such an issue. At the same time, the login with Apple ID in the same app works with some iPhone users without any issue.
This is quite a strange problem and we cannot trace the root cause. If anyone has faced the same issue, please let me know.
I need to integrate BLE (Bluetooth Low Energy) functionality into an authorization plugin. Specifically, I want to use a beacon to send a notification to the user if the app is not running or has been killed. However, I've encountered a significant limitation: Core Bluetooth is not permitted to be used within authorization plugins, whereas the Multipeer Connectivity framework, which uses Wi-Fi, operates without issue.
This has led me to a few questions:
What are the fundamental differences in entitlements or restrictions between Core Bluetooth and the Multipeer Connectivity (Wi-Fi) framework that could explain why Core Bluetooth is disallowed in authorization plugins?
Are there specific technical or security concerns associated with Core Bluetooth that prevent its use in these contexts, while the Multipeer Connectivity framework is allowed?
Given that Google’s Nearby Connections API can work within authorization plugins, could there be any similar approaches or best practices for implementing BLE functionality in scenarios involving authorization plugins? For reference, you can check Google’s Nearby Connections API here: Google Nearby Connections - https://developers.google.com/nearby/connections/swift/get-started
Any insights or suggestions on how to overcome this limitation or alternative approaches to achieve the desired functionality would be greatly appreciated.
Thank you in advance for your help!
Hi,
we are looking for a direct API to detect other apps that are sharing the screen, because for security reasons (banking app) our app does not want to be shared; some hackers use remote desktop solutions to steal money. We checked a few existing solutions, but there is no solution for checking (only) for apps that are sharing the screen. How do we resolve that issue?
PS:
a) isCaptured/sceneCaptureState is a more general API and has newer iOS version requirements.
b) Checking for open schemes used by other apps (LSApplicationQueriesSchemes) is intended for one's own apps, and requires knowing the names of all schemes used by sharing apps.
What is the direct solution to resolve that issue?
Topic: Privacy & Security. SubTopic: General.
Hello,
I developed a File Provider extension that can access files from multiple locations. With the new macOS Sequoia I cannot access files from volumes; here is the error from Console:
Refusing TCCAccessRequest for service kTCCServiceSystemPolicyRemovableVolumes from extension Sub:{com.app.ext}Resp:{TCCDProcess: identifier=com.app.ext-Driver, pid=26706, auid=501, euid=501, binary_path.... Driver}, extension point disallows prompting
I added "Privacy - Removable Volumes Usage Description" values for both the main app and extension Info.plist, I click Allow on the alert, but still I receive this error message.
Any solution?
Thank you.
Hi,
I'm trying to make a Platform Single Sign-on app for my IdP, and I have tried online to find some code or a demo app for this, but I cannot find anything for the macOS side. There is someone who has created the server, but there is no info on what the Mac extension should do.
I have tried implementing the 2 required functions, but with no luck. After reading what I think is all of the documentation, I'm still really confused as to how this is all supposed to work.
I have got to the stage where it creates the popup that says you need to authenticate with your IdP, but I cannot work out the bugs for the rest of it.
Mainly I'm getting an issue in the console that says "no login config for (username)" and I'm not sure what I'm doing wrong.
Hi,
we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content.
PowerPoint extensions
Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location:
~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/
The PPAM file must be also registered in the MicrosoftRegistrationDB.reg file which is a sqlite database stored at this location:
~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg
These locations can be accessed by a non-sandboxed app on macOS 14 and earlier.
Slido integration
Our Slido app for macOS is distributed outside the Mac App Store; it is not sandboxed, and it is signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database.
This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text:
"Slido" would like to access data from other apps.
This will allow Slido to integrate with Microsoft PowerPoint app.
[Don't Allow] [Allow]
We understand this is a security feature, yet we would like to make the experience for customers much better.
As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context.
Slido installs its files to this location:
~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/
Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write for the SlidoAddin.localized folder, even though we are a different Team ID?
Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts?
By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint.
We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform.
I am thankful for any guidance and constructive feedback.
Jozef, Tech Leader at Slido integrations team
The last 12 months or longer have been a hacked life nightmare. Today I discovered multiple blacklists inc a level 2 threat blacklist from Apple engineering.
I am a victim, not a hacker. I have found malware on my MacBook (spyware), refusal-of-service notifications from Google including the hacker's address, which I tracked to Amsterdam, blackmail threats, retaliation and death threats, but no help from anyone, including police and government, or Apple, and this potentially affects many Apple users.
Please Apple tell me why I was blacklisted and investigate the spyware incident so I can get my life back.
Any suggestions welcome.
Topic: Privacy & Security. SubTopic: General.
Hello,
If a user allows access to, for example, Removable Volumes (a TCC permission) for the main app, will these permissions be inherited by a Finder Extension bundled with the main app?
More specifically, I have an app that bundles a Finder Extension, and both the main app and the bundled extension need access to Removable Volumes. Only the main app can request it, since the main app is the only one that can prompt the user. If the user allows it, will the bundled extension also receive the permission?
If not, is there any workaround?
Regards.
Hi,
I have a question regarding data protection in iOS 7.
Question 1: If the passcode is turned off and data protection is disabled, will the files in NAND flash still be encrypted? Or will it just disable all hardware encryption, so that all the files in NAND flash are decrypted and stored in plain text? The security paper says even the NSFileProtectionNone class has some level of hardware encryption, but my question is: if someone disables the passcode and disables data protection, will newly created files still be encrypted using the UID key, so that chipping off the NAND flash and reading it directly does not work due to encryption, even though the passcode is disabled and data protection is not active?
Question 2: If they are still encrypted, do the files in storage have the NSFileProtectionNone data protection class if the passcode is disabled and data protection is inactive?
Hi Apple Developers,
I'm facing an issue where a call to https://appleid.apple.com/auth/token raises an error: invalid_client
Here is the URL from which I'm getting a code: "https://www.facebook.com/v20.0/dialog/oauth?client_id=526484129769843&redirect_uri=https://abc.example-api.ss-ss.com/api/v1/accounts/facebook/callback&response_type=code&scope=email
I'm using the Key ID and the private key in the file AuthKey_K5HK3H23KZ.p8 to generate a client secret; the client ID is abc.example-api.ss-ss.com (it is the Services ID), and the code is the one I get from the request above. When I call to exchange for an access token, the error is shown.
My project is written in .NET Core.
I don't know why the client should be invalid.
Can anyone help me please?
Hello Apple
We have been facing a lot of SSL issues when connecting to iOS devices with OS 17.5.1, 7.6.1 and 18. We need more clarification on the latest parameters to be used on the server side, such as TLS version and cipher suites. Please update us on the above.
Error message-> "An SSL error has occurred and a secure connection to the server cannot be made."
Hi Team,
I am trying to explore ESF events specifically generated by cloudsync extensions built on File Provider framework.
Brief:
I have a high-level understanding of how various cloud vendors provide their extensions to sync data from cloud/remote storage to the local filesystem (and vice versa), e.g. iCloudDriveFileProvider (iCloud), DFSFileProviderExtension (Google Drive).
There are 2 ESF AUTH events for file provider I can see namely: ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE ,
ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE.
and respectively their NOTIFY events.
Observation:
I observed that these events are generally triggered by the fileproviderd process during the download scenario, i.e. syncing files from cloud/remote storage to the local file system: 'materialize' for new file creation and 'update' for updating an existing file.
Question/Problem:
Is there a correct way to find which cloud provider has triggered this download event, i.e. whether it is iCloudDriveFileProvider or DFSFileProviderExtension? (There is an instigator field in the Materialize event struct, but I could not find a similar one for the Update event.)
Are there similar ESF events for the upload scenario? (I have a fair understanding of how a file to upload is copied to a temp location and then uploaded by the respective extension to remote storage, but since they then work with a clone of the original file created in their temp location, the AUTH events generated by this extension won't reveal the original file name even if I am able to get the File Provider name.)
To summarize: I am looking for an ESF event that will be triggered during the upload scenario and that can also tell me the original file name as well as the cloud provider extension's process name. As of now, the 'fileproviderd' process name is obtained from filesystem ESF events like AUTH_OPEN etc.
Topic: Privacy & Security. SubTopic: General. Tags: Endpoint Security, File Provider, Cloud and Local Storage.
I'm using the SwiftUI .fileImporter() modifier to present a file open panel to the user, and then I access the returned file URL using String(contentsOf:encoding:). Then I get an error, "The file “order_history.csv” couldn’t be opened because you don’t have permission to view it."
The thing is, my app (recently created in Xcode 16.1 beta from macOS template) has the User Selected File entitlement set to "Read Only." It should allow reading such a file, should it not?
I am successfully generating apple_sso_session_url using the Apple clientId, which opens the Apple login window asking for email and password, and after that it calls my redirectSuccessUrl and passes a code to it.
Using that code and the other Apple parameters (keyId, key (.p8 file path) and team ID), I am able to successfully generate an Apple client secret:
import fs from 'fs';
import jwt from 'jsonwebtoken';

export const generateClientSecret = (): string => {
  const privateKey = fs.readFileSync(process.env.APPLE_PRIVATE_KEY_PATH as string, 'utf8');
  const claims = {
    iss: process.env.APPLE_TEAM_ID,                 // 10-character Team ID
    iat: Math.floor(Date.now() / 1000),
    exp: Math.floor(Date.now() / 1000) + 15777000,  // 6 months, Apple's maximum lifetime
    // The audience for Sign in with Apple is Apple's ID server. 'appstoreconnect-v1'
    // is the App Store Connect API audience and makes /auth/token answer invalid_client.
    aud: 'https://appleid.apple.com',
    sub: process.env.APPLE_CLIENT_ID,               // the Services ID used as client_id
  };
  return jwt.sign(claims, privateKey, {
    algorithm: 'ES256',
    keyid: process.env.APPLE_KEY_ID,                // Key ID of the .p8 key
  });
};
After that, using the same clientId, redirectUrl and Apple client secret, when I call the Apple API to get a token we get the error invalid_client.
const clientSecret = generateClientSecret();
// Apple expects the parameters form-encoded in the request body, not as query-string params.
const form = new URLSearchParams({
  client_id: process.env.APPLE_CLIENT_ID as string,
  client_secret: clientSecret,
  code: body.code,
  grant_type: 'authorization_code',
  redirect_uri: process.env.APPLE_SSO_REDIRECT_URL as string,
});
const response = await axios.post('https://appleid.apple.com/auth/token', form.toString(), {
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
});
Hi everyone,
I'm developing a game with in-app purchases, designed for a mixed audience (it could be used by kids under 13). I understand that Apple's Family Sharing has built-in consent mechanisms, like "Ask to Buy," which help manage purchases for kids. However, I'm unsure how to handle cases where Family Sharing is not set up or is disabled.
Key Concerns:
Kids Without Family Sharing: It’s possible for kids to have Apple IDs that are not part of Family Sharing, either because the feature is disabled, set up incorrectly, or the child is using an independent account due to an incorrect birthdate. This raises questions about whether relying solely on Apple’s built-in protections is sufficient.
Is It Enough to Rely on Apple’s Systems?: Apple’s systems do a great job of managing consent when Family Sharing is in place, but I’m concerned about compliance in cases where kids are not covered by these protections.
I want to ensure that my app remains compliant with COPPA and other relevant regulations, especially for users not covered by Family Sharing, without adding unnecessary layers for those who are correctly set up.
Looking forward to your insights and recommendations!
Thanks in advance!
I have implemented basic Sign in with Apple functionality in my app. When the app is launched, the user is presented with a Continue with Apple view, where they can authenticate. Once signed in, they return to a view that reads "Hello, [User's Name]". However, I cannot seem to figure out why the email and name return nil after authentication. For example, when authentication is successful, the HelloView simply reads "Hello, " with no name. I have it set up so that the user's name and email are saved to AppStorage variables, and then inserted into a Profile class with SwiftData.
import AuthenticationServices
import SwiftData
import SwiftUI

struct ContentView: View {
    @Environment(\.colorScheme) var colorScheme
    @Environment(\.modelContext) var modelContext
    @AppStorage("email") var email: String = ""
    @AppStorage("firstName") var firstName: String = ""
    @AppStorage("lastName") var lastName: String = ""
    @AppStorage("userID") var userID: String = ""
    @Query var userProfile: [Profile]

    private var isSignedIn: Bool {
        !userID.isEmpty
    }

    var body: some View {
        VStack {
            if !isSignedIn {
                SignInView()
            } else {
                HomeView()
            }
        }
    }
}

struct SignInView: View {
    @Environment(\.colorScheme) var colorScheme
    @Environment(\.modelContext) var modelContext
    @AppStorage("email") var email: String = ""
    @AppStorage("firstName") var firstName: String = ""
    @AppStorage("lastName") var lastName: String = ""
    @AppStorage("userID") var userID: String = ""
    @Query var userProfile: [Profile]

    var body: some View {
        NavigationStack {
            Spacer()
            SignInWithAppleButton(.continue) { request in
                request.requestedScopes = [.email, .fullName]
            } onCompletion: { result in
                switch result {
                case .success(let auth):
                    switch auth.credential {
                    case let credential as ASAuthorizationAppleIDCredential:
                        // User ID: stable identifier, returned on every authorization
                        let userID = credential.user
                        // User info: email and fullName are optional; Apple only supplies
                        // them on the first authorization for this app, so they must not
                        // be force-unwrapped (that would crash on later sign-ins).
                        let email = credential.email
                        print(email ?? "email not provided")
                        let firstName = credential.fullName?.givenName
                        print(firstName ?? "given name not provided")
                        let lastName = credential.fullName?.familyName
                        print(lastName ?? "family name not provided")
                        self.email = email ?? ""
                        self.userID = userID
                        self.firstName = firstName ?? ""
                        self.lastName = lastName ?? ""
                        createProfile()
                    default:
                        break
                    }
                case .failure(let error):
                    print("Error signing in with Apple: \(error.localizedDescription)")
                }
            }
            .signInWithAppleButtonStyle(colorScheme == .dark ? .white : .black)
            .frame(height: 50)
            .padding()
            .cornerRadius(12)
            .navigationTitle("[App Name]")
        }
    }

    func createProfile() {
        let newProfile = Profile(firstName: firstName, lastName: lastName, email: email, userID: userID)
        modelContext.insert(newProfile)
    }
}
This is how I have my HomeView setup:
import SwiftData
import SwiftUI

struct HomeView: View {
    @Environment(\.modelContext) var modelContext
    @Query var user: [Profile]

    var body: some View {
        ForEach(user) { user in
            Text("Hello, \(user.firstName)")
        }
    }
}

#Preview {
    HomeView()
}
And here's the Profile class:
import Foundation
import SwiftData

@Model
class Profile {
    var firstName: String
    var lastName: String
    var email: String
    var userID: String

    init(firstName: String, lastName: String, email: String, userID: String) {
        self.firstName = firstName
        self.lastName = lastName
        self.email = email
        self.userID = userID
    }
}
We have a Developer ID application which includes a LaunchAgent, a couple of LaunchDaemons and a system extension. We want to store our secure data in a keychain that can be read by any of our processes, or at least by the LaunchDaemons. We would also prefer our data not to be visible to users and not to be accessible to other processes, and we did not want to use the system keychain because of our prior experience where one of our app's data, on update, corrupted the system keychain for one customer.
Therefore, we have decided to create our own keychain file and store our data there. However, we noticed that SecKeychainCreate and the related file-based keychain APIs are deprecated. This led me to the threads below:
https://developer.apple.com/forums/thread/685546
https://developer.apple.com/forums/thread/712875
https://developer.apple.com/forums/thread/696431
And now I am confused. It is suggested that we should use data protection based keychain because file based keychains are on path to deprecation. However, it is also noted that data protection keychains do not work with LaunchDaemons. So which keychain is the right choice for our requirements?
Also, regarding this statement:
"One tricky aspect of this is that the SecItem API supports both keychain implementations"
I do not see any option to use a file-based keychain with the SecItem API. How can I create a new keychain file at a given path and add data to it using the SecItem APIs? Can someone please elaborate on this with an example?
I exported the pkcs12 file which contains the Apple Distribution Certificate with the Private Key on macOS 14 Sonoma with no password.
I was able to import the same on different macOS 14 Sonoma machines as follows:
security import \
apple-distribution-hrk.p12 \
-k /Users/hrk/Library/Keychains/non-default.keychain-db \
-f pkcs12 \
-P "" \
-A
But after upgrading to macOS 15 Sequoia, running the above command gives me the following error:
security: SecKeychainItemImport: The user name or passphrase you entered is not correct.
Workaround:
I didn't have the Private Key of the original macOS 14 Sonoma from which the pkcs12 file was exported.
So, I had to create the new Certificate by uploading the Certificate Signing Request, download the .cer file, import it, and then export the pkcs12 file with some password.
Then I was able to import the pkcs12 file with the password.
Question
Can somebody point to the official documentation that refers to this Breaking Change?
Or is this the bug in macOS 15 Sequoia?