I want to install a driver package without internet access and the installation fail. This I think it is due to it need internet to check for signature with Apple Server. The workaround is to disable System Integrity Protection, but I do not have the administrator password to disable it. How to install a driver and allow a driver to run without internet access and administrator account? This driver is develop by ourself but how to by pass the code signing and security check for others to use this driver on their Mac PC? Currently I am following https://developer.apple.com/documentation/systemextensions/ossystemextensionrequest/activationrequest(forextensionwithidentifier:queue:) to activate the system extension If the extension is inactive, the system may need to prompt the user for approval. Which others API can I use which do not need prompt user for approval? Beside in order to validate the code signing, it need to communicate with Apple server which required internet access. Any method to by pass this validation?

We have a Web server for Apple Pass and we received a complaint from a user because the Pass is being deleted every few days from the Apple Wallet App and the user had to reinstall the pass every time. Upon checking our server logs we found DELETE (unregister) requests that were not initiated by the user. Here are some (there are more) of those logs (I replaced some details with * for privacy): From July [29/Jul/2024:23:06:30 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1496.0.7 Darwin/23.5.0" From August [17/Aug/2024:22:51:33 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com..*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0" From September [08/Sep/2024:23:32:11 +0000] "DELETE /apple_wallet/v1/devices/****/registrations/pass.com...*/** HTTP/1.1" 200 31 "-" "passd/1.0 CFNetwork/1498.700.2 Darwin/23.6.0" Other information for this specific user/device: Phone 14 Pro Max - iOS 17.6 User has few other passes installed but none has disappeared only our issued pass. We are hoping to get some help from Apple to figure out why the DELETE request is being sent out to our server without being initiated by the user. I have already filed a ticket to Apple with Case-ID: 9315232 But I haven't gotten any feedback after a few weeks and some follow ups.

We’re trying to get Passkeys to work with iOS and macOS Catalyst. Apple fails to accept the associated domain, without giving a reason why. The JSON is correct and shows up on Apple’s CDN. We are stuck.

I am currently implementing an authentication function using ASWebAuthenticationSession to log in with my Instagram account. I set a custom scheme for the callbackURLScheme, but In the Instagram redirect URL I was told I can't use a custom scheme. What should I do with the callbackURLScheme of the ASWebAuthenticationSession in this case?

In the FAQ about Local Network, a lot of topics are covered but, unless I missed something, I didn't see the topic of MDMs being covered. [Q] Could the FAQ be updated to cover whether it is possible to grant this Local Network permission through a configuration profile? The answer, based on google searches and different forums, seems to be a negative. It seems a bit strange considering that this feature has been available on iOS for at least 3 years. Anyway, even if it is not possible, it would be useful to add in the FAQ that this is not possible.

Hi I am currently developping the "Sign in with apple" feature. We set up everything according to the documentation : https://developer.apple.com/help/account/configure-app-capabilities/configure-private-email-relay-service When trying to send an email from one of the registered communication emails (that is SPF and DKIM Authentication compliant) the emails are still ending up in the spam box. If it can help the received email address (that is hidden) is a gmail. I can not catch what is missing/wrong on our side.

I have read that iOS data protection ensures most of the files to be stored encrypted. However, I saw someone insisting (elcomsoft blog) very few files are not encrypted. Are app’s cache files or tmp files not stored encrypted? For example, are safari history.db file and cache files stored in the flash encrypted?

In our App, we store identity in keychain in a specific path var keychain: SecKeychain? let status = SecKeychainCreate(path, UInt32(password.count), password, false, nil, &keychain) guard status == errSecSuccess else { logger.error("Error in creating keychain: \(String(describing: SecCopyErrorMessageString(status, nil)))") throw KeychainError.keychainCreationError } Then later whenever process needs it. it open keychain, import it and uses it. status = SecPKCS12Import(identityData as CFData, [kSecImportExportPassphrase : password, kSecImportExportKeychain: keychain] as CFDictionary, &identityItems) authlog.info("Import status: \(status)") guard status == errSecSuccess else { authlog.error("Error in exporting identity : \(status) \(String(describing:SecCopyErrorMessageString(status, nil)))") throw ClientAuthError.identityFormationError } This worked well till sequoia beta 2. In Sequoia beta 3 and 4, this fails to import with error -25300 : The specified item could not be found in the keychain. one thing I noticed is import succeeds if the keychain is freshly created. when tried to reuse existing keychain it fails in import error. Is this a bug in beta or it any changes made in keychain level by Apple itself. Please help with the solution Log trace: [ 24-07-2024 12:39:15:192 ] [INFO] Challenge delegate received [ 24-07-2024 12:39:15:192 ] [INFO] Client authentication challenge [ 2024-07-24 12:39:15 ] [INFO] retcode of "/bin/chmod -R 777 "/Library/<path>/data/agent-resource"" ::: 0 [ 24-07-2024 12:39:15:237 ] [INFO] Opening keychain... [ 24-07-2024 12:39:15:240 ] [NOTICE] Keychain open status: -25294 [ 24-07-2024 12:39:15:241 ] [ERROR] Keychain error: Optional(The specified keychain could not be found.) [ 24-07-2024 12:39:15:241 ] [INFO] Creating keychain.. [ 24-07-2024 12:39:15:448 ] [INFO] Import status: 0 [ 24-07-2024 12:39:15:448 ] [INFO] Identity: <SecIdentity 0x7ff3ec1f7df0 [0x7ff85540e9a0]> [ 24-07-2024 12:39:15:448 ] [INFO] Credential sent [ 24-07-2024 12:39:15:581 ] [INFO] Upload request completed.. [ 24-07-2024 12:39:15:583 ] [INFO] Status code: 200 [ 25-07-2024 12:24:55:300 ] [INFO] Client authentication challenge [ 25-07-2024 12:24:55:300 ] [INFO] Opening keychain... [ 25-07-2024 12:24:55:305 ] [NOTICE] Keychain open status: 0 [ 25-07-2024 12:24:55:439 ] [INFO] Import status: -25300 [ 25-07-2024 12:24:55:440 ] [ERROR] Error in exporting identity : -25300 Optional(The specified item could not be found in the keychain.) [ 25-07-2024 12:24:55:440 ] [CRITICAL] Error in getting identity: identityFormationError [ 25-07-2024 12:24:55:441 ] [ERROR] Error in obtaining identity [ 25-07-2024 12:24:55:513 ] [INFO] Download request complete... [ 25-07-2024 12:24:55:515 ] [INFO] Status code: 200

Hello Apple ID support, When a user successfully login with Apple, the apple OAuth will produce a appleIdToken. From my understanding this token is best to not leave the user device. I have two sub-system that can take a appleIdToken and manages the token-refresh separately. In short: Apple -> appleIdToken sub-SystemA(appleIdToken) and sub-systemB(appleIdToken) sub-SystemA and sub-systemB has two separate token management/refresh The question: Is this allowed by the Apple identify server? Is the usecase of supplying appleIdToken to sub-SystemA and sub-systemB valid?

In the case of YellowFlow with In-App verification, I understand we have to configure the Launch URL (deep linking) in the PNO portal to open the app from Wallet and proceed with In-App Verification. How do we identify or retrieve information about the card the user tries to verify from the wallet when the app is opened through deep linking? I understand we can query for all secure passes and get the pass activation state to see if any of the passes require activation, How can I verify this is the card the user is trying to activate from the wallet app? What information can I receive from the PassKit SDK that I can send to the backend to identify, resolve, and activate the card?

I heard and read in reddit and GitHub about that UIDevice.current.identifierForVendor.uuidString is restricted according to privacy. Its better use DeviceCheck API or create my own UUID. So is it correct? If its so please can you share apple privacy update about this?

I'm currently implementing a function in SwiftUI to log in with my Instagram account. It's not working, I'm creating a Firebase Auth function and it comes back to the redirect URL. This may happen if browser sessionStorage is inaccessible or accidentally cleared. This may happen if browser sessionStorage is inaccessible or accidentally cleared. I get this error. I can't implement it. I have tried various methods, but all have failed. If anyone knows how to do this, please help. import SwiftUI import AuthenticationServices import FirebaseAuth struct InstagramLoginView: View { var body: some View { VStack { Text("Login with Instagram") // タイトル Button(action: { // ボタンが押された時にInstagramのログイン処理を開始 InstagramLoginHelper().startInstagramLogin() }) { Text("Login with Instagram") .padding() .background(Color.blue) .foregroundColor(.white) .cornerRadius(8) } } } } class InstagramLoginHelper: NSObject, ASWebAuthenticationPresentationContextProviding { func startInstagramLogin() { let clientID = "XXXXXXXXXXXX" let redirectURI = "https://XXXXXXXXXXX.firebaseapp.com/__/auth/handler" let authURL = "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&amp;amp;redirect_uri=\(redirectURI)&amp;amp;scope=user_profile,user_media&amp;amp;response_type=code" let schem = "XXXXXXXXXXXX" if let url = URL(string: authURL) { let session = ASWebAuthenticationSession(url: url, callbackURLScheme: schem) { callbackURL, error in if let error = error { print("Error during authentication: \(error.localizedDescription)") return } if let callbackURL = callbackURL, let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value { // 認証コードを使ってFirebaseでログインする self.loginWithInstagram(authCode: code) } } session.presentationContextProvider = self session.start() } } func loginWithInstagram(authCode: String) { // Firebaseのauthインスタンスを取得 let auth = Auth.auth() // InstagramのOAuthプロバイダを使用する let provider = OAuthProvider(providerID: "instagram.com") // Instagramの認証コードを使って、プロバイダの認証資格情報を生成 provider.getCredentialWith(nil) { credential, error in if let error = error { print("Error during authentication: \(error.localizedDescription)") return } if let credential = credential { // Firebaseにログイン auth.signIn(with: credential) { authResult, error in if let error = error { print("Error during Firebase authentication: \(error.localizedDescription)") } else { print("Successfully authenticated with Firebase.") } } } } } // ASWebAuthenticationPresentationContextProvidingの実装 func presentationAnchor(for session: ASWebAuthenticationSession) -&amp;gt; ASPresentationAnchor { return UIApplication.shared.windows.first { $0.isKeyWindow } ?? ASPresentationAnchor() } } #Preview { InstagramLoginView() }

Hello, I would like to secure the exchanges between my application and my webservices to make sure requests are only made by an authentic application. By searching the internet I discovered that App Attest from Device Check framework exists but it looks like there are some limitation about it : App Attest doesn't work on most App Extensions (like Share extension) We are limited by the requests count made to the App Attest webservice (only when generating the Apple certificate, one time by device / application). The problem is I need this security on my app extension because I have a Share extension sending e-mails. Do you have advice to secure the exchanges between my app and my webservices ?

Hello I have an app that uses the user's Device ID for tracking purposes. I have since removed all ads and tracking. I am now in a difficult position because I cannot turn off Device ID Tracking from App Privacy. The current app version has this on and contains the framework for turning it on. If I try to submit an app without Tracking, it gets rejected with the message "The app uses the AppTrackingTransparency framework, but we are unable to locate the App Tracking Transparency permission request when reviewed on iOS 18.0." So, I am now stuck. I cannot turn off Device Tracking in App Privacy because my app previously had tracking. I cannot remove the framework for Tracking because App Privacy has tracking on. How can I proceed to remove all tracking traces from my app? Jake

I am currently using the ability to log in with my Instagram account using ASWebAuthenticationSession and it is not working! I filled in the URL directly and there was no problem on the web, but when I run it in SwiftUI in Xcode, it doesn't work and Error: The operation couldn’t be completed. (com.apple.AuthenticationServices.WebAuthenticationSession error 2.) I get this error. I was told that I need a custom scheme to return to mobile, but the Instagram redirect URL says no custom scheme. What should I do? IDs and URLs are placed under assumption. I have no idea since this is my first implementation. Should I send the scheme URL from the website to mobile once using Django or something else? import SwiftUI import AuthenticationServices struct InstagramLoginView: View { @State private var authSession: ASWebAuthenticationSession? @State private var token: String = "" @State private var showAlert: Bool = false @State private var alertMessage: String = "" var body: some View { VStack { Text("Instagram Login") .font(.largeTitle) .padding() Button(action: { startInstagramLogin() }) { Text("Login with Instagram") .padding() .background(Color.blue) .foregroundColor(.white) .cornerRadius(10) } if !token.isEmpty { Text("Token: \(token)") .padding() } } .alert(isPresented: $showAlert) { Alert(title: Text("Error"), message: Text(alertMessage), dismissButton: .default(Text("OK"))) } } func startInstagramLogin() { let clientID = "XXXXXXXXXX" // Instagram client ID let redirectURI = "https://example.com" // Instagram Redirect URI guard let authURL = URL(string: "https://api.instagram.com/oauth/authorize?client_id=\(clientID)&amp;redirect_uri=\(redirectURI)&amp;scope=user_profile,user_media&amp;response_type=code") else { print("Invalid URL") return } authSession = ASWebAuthenticationSession(url: authURL, callbackURLScheme: "customscheme") { callbackURL, error in if let error = error { print("Error: \(error.localizedDescription)") return } guard let callbackURL = callbackURL else { print("Invalid callback URL") return } if let code = URLComponents(string: callbackURL.absoluteString)?.queryItems?.first(where: { $0.name == "code" })?.value { print("Authorization code: \(code)") getInstagramAccessToken(authCode: code) } } authSession?.start() } func getInstagramAccessToken(authCode: String) { let tokenURL = "https://api.instagram.com/oauth/access_token" var request = URLRequest(url: URL(string: tokenURL)!) request.httpMethod = "POST" let clientID = "XXXXXXXXXXXX" let clientSecret = "XXXXXXXXXXXXXX" // Instagram clientSecret let redirectURI = "https://example.com/" let params = "client_id=\(clientID)&amp;client_secret=\(clientSecret)&amp;grant_type=authorization_code&amp;redirect_uri=\(redirectURI)&amp;code=\(authCode)" request.httpBody = params.data(using: .utf8) request.setValue("application/x-www-form-urlencoded", forHTTPHeaderField: "Content-Type") URLSession.shared.dataTask(with: request) { data, response, error in if let error = error { print("Error: \(error.localizedDescription)") return } guard let data = data else { print("No data") return } if let jsonResponse = try? JSONSerialization.jsonObject(with: data, options: []) as? [String: Any], let accessToken = jsonResponse["access_token"] as? String { print("Access Token: \(accessToken)") // ここでアクセストークンを使用してInstagram APIにアクセスする } else { print("Failed to get access token") } }.resume() } } #Preview { InstagramLoginView() }

I've developed a Endpoint Security system extension, which will be installed in a container APP. I use XPC to send message from container APP to the ES client, it works fine. I have developed an Endpoint Security system extension that will be installed in a container app. I utilize XPC to send messages from the container app to the ES client, and it functions properly. However, when I attempt to send messages from the ES client to the container app, it always displays an error: 'Couldn’t communicate with a helper application.'. I have removed the sandbox capability of the container app and also employed the same app group for both the ES client and the container app. When an XPC client is connected, I use the following code in the ES client to establish two-way communication. - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCProtocol)]; NXFileGuardXPCService *xpcService = [NXFileGuardXPCService sharedInstance]; newConnection.exportedObject = xpcService; // To APP container client (As remote interface) newConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCClientProtocol)]; [newConnection activate]; self.containerAPPConnection = newConnection; return YES; } But it always fails. How can I deal with this error?

Hey guys, I have recently started with developing an extension to support PSSO, I am at a very initial stage and trying out device registration. I am trying to fetch the registration token in my MDM profile but when running in debug mode I don't see the token , and also when I see the console log I see errors like error 14:44:00.465847+0530 AppSSODaemon Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration data to load" UserInfo={NSLocalizedDescription=no device configuration data to load} error 14:44:00.466434+0530 AppSSOAgent Error Domain=com.apple.PlatformSSO Code=-1004 "no device configuration" UserInfo={NSLocalizedDescription=no device configuration}, user default 14:44:00.466145+0530 AppSSODaemon -[PODaemonProcess deviceConfigurationForIdentifer:completion:] identifer = 96DBA2E4-6DB8-4937-85A8-69F7632B8717 on <private> error 14:44:00.466773+0530 SSO extension Error Domain=com.apple.PlatformSSO Code=-1001 "failed to retrieve SecKeyProxyEndpoint for key" UserInfo={NSLocalizedDescription=failed to retrieve SecKeyProxyEndpoint for key, NSUnderlyingError=0x14b608820 {Error Domain=com.apple.PlatformSSO Code=-1001 "Failed to receive key proxy endpoint." UserInfo={NSLocalizedDescription=Failed to receive key proxy endpoint.}}} I think due to some reason the PSSO process is not able to get the token from my configuration. And this is how my configuration profile looks like <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>ExtensionIdentifier</key> <string>com.test.PSSO.SSO-extension</string> <key>PayloadDisplayName</key> <string>ingle Sign-On Extensions</string> <key>PayloadIdentifier</key> <string>com.apple.extensiblesso.96DBA2E4-6DB8-4937-85A8-69F7632B8717</string> <key>PayloadType</key> <string>com.apple.extensiblesso</string> <key>PayloadUUID</key> <string>CDC67F3E-0687-4796-95B0-A61EF6F3F9A7</string> <key>PayloadVersion</key> <integer>1</integer> <key>TeamIdentifier</key> <string>my_team_identifier</string> <key>Type</key> <string>Redirect</string> <key>RegistrationToken</key> <string>dummy_token_123</string> <key>PlatformSSO</key> <dict> <key>AuthenticationMethod</key> <string>Password</string> <key>EnableAuthorization</key> <true/> <key>EnableCreateUserAtLogin</key> <true/> <key>NewUserAuthorizationMode</key> <string>Standard</string> <key>UseSharedDeviceKeys</key> <true/> <key>UserAuthorizationMode</key> <string>Standard</string> </dict> <key>URLs</key> <array> <string>my_url</string> </array> </dict> </array> <key>PayloadDisplayName</key> <string>SSOE</string> <key>PayloadIdentifier</key> <string>com.test.psso.configuration</string> <key>PayloadScope</key> <string>System</string> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>0DC6670F-F853-49CB-91B3-1C5ECB5D3F46</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

Hello. I’m running the 18.3 beta on an 15 pro and have noticed the green camera indicator light turns on when I switch apps. I also am unable to use my flashlight until it turns off (usually a second or two). I’ve checked my privacy and access settings and nothing looks out of the norm. I’ve also closed all rubbing apps, but the issue continues.

Hi, I'm leveraging ASAuthorizationSecurityKeyPublicKeyCredentialProvider to authenticate users to an internal service using security keys or passkeys. I'm not using Sign in with Apple - registration is done in another internal service. We're using associated domains. This is on MacOS only. I'm wondering whether I can programatically determine whether the user has a passkey enrolled with our super-secret-internal-service.com domain already? The reason I'm asking is simply better UX - if the user doesn't have a passkey enrolled, I'd like to avoid offering them an option to use a platform authenticator and only offer them to tap their security key. We can assume that all users already have their security keys enrolled already. So something like the following: let securityKeyProvider = ASAuthorizationSecurityKeyPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId) let securityKeyRequest = securityKeyProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data()) let platformProvider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: options.rpId) let platformKeyRequest = platformProvider.createCredentialAssertionRequest(challenge: options.challenge.data(using: .utf8) ?? Data()) var authRequests: [ASAuthorizationRequest] = [securityKeyRequest] if (userHasPasskeyForDomain("super-secret-internal-service.com")) { // TODO how do I check this?? authRequests.append(platformKeyRequest) } let authController = ASAuthorizationController(authorizationRequests: [platformKeyRequest, securityKeyRequest]) Many thanks!

I have code where we're evaluating SSL certificates in sec_protocol_options_set_verify_block. We have the following code: let secTrust = sec_trust_copy_ref(trust).takeRetainedValue() isValidCertificate = SecTrustEvaluateWithError(secTrust, &amp;error) I'm getting the error that the maximum temporal validity period has been exceeded: Error Domain=NSOSStatusErrorDomain Code=-67901 "“server.com” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“server.com” certificate is not standards compliant, NSUnderlyingError=0x300ddd350 {Error Domain=NSOSStatusErrorDomain Code=-67901 "Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;" UserInfo={NSLocalizedDescription=Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;}}} When I inspect the certificate, it's valid for 394 days (4/16/2024 through 5/15/2025) and other than being a wildcard certificate, should be fully trusted. I can't find any information about this specific error. Is Apple requiring SSL certs to be less than 398 days now? Which brings me to the second part - we're OK using this to workaround it var trustFailureExceptions: CFData? = SecTrustCopyExceptions(secTrust) SecTrustSetExceptions(secTrust, trustFailureExceptions) But I haven't found anyway to be able to inspect trustFailureExceptions to ensure it only is this specific error. I'm concerned that otherwise this is going to open up validity exceptions for any certificate problem, which is definitely not what I want to do.