Hello, I am browsing with Safari. A website asks me to access my microphone (it is a Safari prompt dialog, not a system dialog). I am answering "yes, you can access to my microphone". Everything works fine, my microphone is allowed. Now, i am going to macOS system settings, in "Privacy & Security" section. I open "Microphone" sub section: And i don't see any entry for Safari. My question is ... Why ? Safari is accessing to my microphone at this moment and i don't see any grant information about this in system settings... Maybe apple allows his own softwares but this is not good for security... I hope it is not the same behaviour for full disk access grant... Thanks

We provide software that our customers deploy on their employee work computers to secure sensitive data. We have a daemon which could connect to an on-premise web-server for certain functionality. In Mac OS 15 beta we see that there is a local network access permission dialog that comes up sometimes, and it requires a permission to be provided under the Privacy & Security section of the system preferences. We have seen the local network access permission would pop up only when both Server and Client are residing in the same private network range (eg 172.16.x.x. in our case.) When the same server is accessed from a Sequoia machine over a VPN from external network, the local network access permission does NOT pop up. But note in this case, the Sequoia machine has an IP in the 10.x.y.z range, whereas the server is at 172.16.x.y. We have the following questions: In our setup with Macs connecting to a web-server, what conditions can trigger the local network prompt? In particular, do both the client and server need to be in the same private subnet range for the prompt to be shown? Is it possible that a user at home, working on a Sequoia machine, connecting over VPN to an on-prem server, would trigger this prompt? If so, we would submit this is not expected, as a VPN is not really a local network. Is there an MDM way of automatically providing the permission, so that the prompt is suppressed? In general, is there a programmatic way of providing this permission during installation ? if yes how can we do it. How do we stop users from disabling the permission incase the user has admin rights?

I'm having trouble opening files residing on a custom filesystem implemented as a kext via sandboxed apps. Preview.app is one such example. The app launches, but it won't display file contents. In system log files I'm seeing entries related to com.apple.foundation.filecoordination:claims with no error messages to indicate a possible reason why file contents aren't being displayed. Non-sandboxed apps, such as GoogleChrome.app do not exhibit such behaviour. The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive. What is required for a 3rd party filesystem kext to integrate with sandboxed apps? Any pointers and/or assistance would be greatly appreciated.

Hi, my app ScreenFloat can capture screenshots and record the screen (along with system- and microphone audio). It does this in an XPC service. On macOS Sequoia b1-3, recording does not work anymore (although permissions are granted to the app in System Preferences > Privacy & Security). Instead, I keep getting an error that my XPC service can access this computer's screen and audio. (of course, that's the point!) First of all, the screen is locked when the warning appears, clicks anywhere on the screen are not recognized. I have to hit Escape (or wait about a minute, at which point it resolves itself), to be able to click anywhere. Clicking on Continue To Allow doesn't do anything, either. The warning just re-appears every time. Do I need to add a new entitlement to my main app or the XPC service, or any new NSUsage strings to the InfoPlist.strings? How can I resolve this? Thank you, Matthias

We are not seeing any traffic from iOS to App-Proxy extension. We have a Safari domains specified in the per App App Proxy VPN configuration which is pushed to our device. When we tap on the safari and start loading one of these domains, safari will not load any websites with these domains. But if we load any other websites with any other domain, the websites are loaded properly. But the same behavior works fine and app receives traffic on iOS 17.5.1 and older iOS versions. The issue is observed only on iOS 18 Beta versions.

On Xcode 15.4, LAContext.biometryType had an @available attribute of visionOS 1.0. However, in Xcode 16, the @available attribute for biometryType was changed to a visionOS 2.0 minimum requirement, preventing the app from building if the minimum deployment target is earlier than visionOS 2.0. This was the attribute on Xcode 15.4: This is the attribute on Xcode 16: Feedback ID: FB13824190

Hi, I am currently trying to develop an authorization plugin using SFAuthorizationPluginView. My objective is to display a webView to the user for authentication purposes. I have based my work on the updated NameandPassword example : https://github.com/antoinebell/NameAndPassword. I have seen that the header for the SFAuthorizationPluginView class exists in Swift. However, I have not found any implementation examples of an authorization plugin in Swift. I have attempted to implement this on my own but am encountering difficulties displaying my embedded view within a ViewController. Is it possible to create an authorization plug-in in Swift ?

I've been trying to use Keychain from a Daemon for some time now. In the end, I managed to have the System Keychain work for my application and I moved to work on other parts. I finally went back to dealing with Keychain, but the code I wrote before stopped working. Even the application I wrote to test things out stopped working for me, and now it gives the The authorization was denied. error. To give more perspective into what I am doing, I am running a Sandboxed Launch Daemon wrapped in an App-like structure. I register it from my main app via SMAppService API. I also have a System Extension. My test app was structured in the same way and I used the following code to put a new key into the System Keychain and get its reference: var err: Unmanaged<CFError>? let access = SecAccessCreateWithOwnerAndACL(getuid(), getgid(), UInt32(kSecUseOnlyUID | kSecHonorRoot), nil, &err) if let err = err { log.error("Failed to create SecAccess: \(err.takeUnretainedValue().localizedDescription)") } let request = [ kSecClass: kSecClassGenericPassword, kSecAttrService: service, kSecAttrAccount: account, kSecValueData: passwordData, kSecAttrAccess: access as Any, kSecAttrSynchronizable: false, kSecUseDataProtectionKeychain: false, kSecReturnPersistentRef: true, ] as [String: Any] var result: CFTypeRef? let status = SecItemAdd(request as CFDictionary, &result) The goal of this was to share some secrets with a System Extension. The code above worked for me some time ago and I was able to use the System Keychain from my sandboxed daemon. Am I missing something again? Did something change in the meantime? Or did I do something last time that I haven't noticed? Should I cut my losses and avoid Keychain since Apple will not support it anyway?

We are having a daemon which could connect to a on premise server for certain functionality. In Mac OS 15 beta we see that there is a local network access permission dialog when coming up and it requires a permission to be provided under privacy&security section of the system preferences. Now we have also observed following behaviour also in local network access. The local network access permission would pop up only when both Server and Client are residing in the same network say (172.16.x.x.) in our case. The same server when accessed using a machine which is connected to the server using a VPN from external network "local network access permission does not pop up". We have following queries for the above observations. Is there an MDM way of providing the permission ? How do we stop users from disabling the permission incase the user has admin rights? Is there a programatic way of providing this permission during installation ? if yes how can we do it. Another general question would be like does it really need a local network access permission this case ? how to navigate this as all most every other enterprise app might be facing this issue.

The pidversion of a process with the same pid can increase during its lifetime. Which events, other than exec calls, can cause this increase in the pidversion? In other words, to what Endpoint Security events, other than fork, exec and exit, do I have to subscribe to get a process's complete and traceable pidversion history?

Hey guys, first time posting here. I've been working on a common library that is shared across multiple apps. The purpose of it is to store data in the keychain (with the kSecAttrAccessibleAfterFirstUnlock flag) and that data should be available to be read by any app in the group. Everything works in normal use cases, like, user switches from an app to another, the data is there and read. But there are some edge cases reported by some devices that the data is not there when being read (via push notification) when the device is locked. Note that this not something that happens 100% of the time. Here's my write/read/delete code (it's quite objective-c code) : // // Internal methods // - (NSDictionary *)read:(NSString *)key forGroup:(NSString *)groupId { NSMutableDictionary *query = [self queryData:groupId]; query[(__bridge id)kSecAttrAccount] = key; query[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue; CFDataRef resultData = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef*)&resultData); NSDictionary *value; if (status == noErr) { value = [NSKeyedUnarchiver unarchiveObjectWithData:(__bridge NSData*)resultData]; } return value; } - (BOOL)write:(NSDictionary *)value forKey:(NSString *)key forGroup:(NSString *)groupId { NSMutableDictionary *query = [self queryData:groupId]; query[(__bridge id)kSecAttrAccount] = key; query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne; NSData *data = [NSKeyedArchiver archivedDataWithRootObject: value]; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL); if (status == noErr){ query[(__bridge id)kSecMatchLimit] = nil; NSDictionary *update = @{ (__bridge id)kSecValueData: data, (__bridge id)kSecAttrAccessible:(__bridge id) kSecAttrAccessibleAfterFirstUnlock }; status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update); if (status != noErr){ return false; } } else { query[(__bridge id)kSecValueData] = data; query[(__bridge id)kSecMatchLimit] = nil; query[(__bridge id)kSecAttrAccessible] = (__bridge id) kSecAttrAccessibleAfterFirstUnlock; status = SecItemAdd((__bridge CFDictionaryRef)query, NULL); if (status != noErr){ return false; } } return true; } - (BOOL)delete:(NSString *)key forGroup:(NSString *)groupId { NSMutableDictionary *query = [self queryData:groupId]; query[(__bridge id)kSecAttrAccount] = key; query[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue; OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query); return (status == noErr); } - (BOOL)deleteAll:(NSString *)groupId { NSMutableDictionary *query = [self queryData:groupId]; OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query); return (status == noErr); } - (NSArray *)readAll:(NSString *)groupId { NSMutableDictionary *query = [self queryData:groupId]; query[(__bridge id)kSecReturnData] = (__bridge id)kCFBooleanTrue; query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitAll; query[(__bridge id)kSecReturnAttributes] = (__bridge id)kCFBooleanTrue; CFArrayRef resultData = NULL; OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, (CFTypeRef*)&resultData); if (status == noErr) { NSArray *keychainItems = (__bridge NSArray*)resultData; NSMutableArray *items = [NSMutableArray new]; for (NSDictionary *item in keychainItems){ // NSString *key = item[(__bridge NSString *)kSecAttrAccount]; NSDictionary *value = [NSKeyedUnarchiver unarchiveObjectWithData: item[(__bridge NSString *) kSecValueData]]; [items addObject: value]; } return [items copy]; } return @[]; } - (NSMutableDictionary *)queryData:(NSString *)groupId { NSMutableDictionary *query = [NSMutableDictionary new]; query[(__bridge id)kSecClass] = (__bridge id)kSecClassGenericPassword; query[(__bridge id)kSecAttrService] = KEYCHAIN_SERVICE; #if !TARGET_OS_SIMULATOR if (groupId) { query[(__bridge id)kSecAttrAccessGroup] = groupId; // Check if data exists for 'app groups' // - no data found -> we go for 'keychain groups' // - data found -> continue using 'app groups' OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL); if (status != errSecSuccess) { query[(__bridge id)kSecAttrAccessGroup] = [NSString stringWithFormat:@"XXXXXXXX.%@", groupId]; } } #endif return query; } code-block Is there something I'm doing wrong?

1 ??? (libsystem_kernel.dylib + 5744) [0x1e1b30670] 1 <on behalf of UNKNOWN [6698] (originated by UNKNOWN [6698]), Kernel mode> Binary Images: 0x1049e0000 - 0x1049fbfff com.apple.intelligenceplatform.IntelligencePlatformComputeService 1.0 (123.9.0.1) /System/Library/PrivateFrameworks/IntelligencePlatformCompute.framework/XPCServices/Intelli

I'm having several issues with managing certificates in the default keychain using swift on macOS. I have a self containd command line test program with hardcoded pem format cert and private key. I can convert both pem formats to der via openssl. Issue 1, For Certificate: I can create a certificate and add it to the keychain. I am not able to find or delete the certificate after I add it. Issue 2, For the key: I can create the key but when I try to add it to the keychain I get "A required entitlement isn't present." In our actual app, I can add certs but can't find them (success but cert returned does not match). I can add keys and find them. All using similar code to my test app, so I decided to write the test and got stuck. I don't see any special entitlements for keychain access in our app. Looking for answers on issue 1 and issue 2. I have a self contained public github project here as it won't let me attach a zip: https://github.com/alfieeisenberg/cgcertmgr It won't let me attach a zip of the project or my source. In both cases below I tried with just labels, just tags, and both with same results. Here is how I'm trying to add keys: func addPrivateKeyToKeychain(privateKey: SecKey, label: String) -&gt; Bool { let addQuery: [NSString: Any] = [ kSecClass: kSecClassKey, kSecAttrKeyClass: kSecAttrKeyClassPrivate, kSecAttrLabel: label, kSecAttrApplicationTag: label, kSecValueRef: privateKey ] let status = SecItemAdd(addQuery as CFDictionary, nil) if status != errSecSuccess { if status == errSecDuplicateItem { print("\(#function): \(#line), Key already exists: errSecDuplicateItem") } print("\(#function): \(#line), status: \(status) \(SecCopyErrorMessageString(status, nil) as String? ?? "Unknown error")") } return status == errSecSuccess } Here is adding certs: func addCertificateToKeychain(certificate: SecCertificate, label: String) -&gt; Bool { let addQuery: [NSString: Any] = [ kSecClass: kSecClassCertificate, kSecAttrLabel: label, kSecAttrApplicationTag: label, kSecValueRef: certificate ] let status = SecItemAdd(addQuery as CFDictionary, nil) if status != errSecSuccess { print("\(#function): \(#line), status: \(status) \(SecCopyErrorMessageString(status, nil) as String? ?? "Unknown error")") } return status == errSecSuccess } And finding a cert: func findCertificateInKeychain(label: String) -&gt; SecCertificate? { let query: [NSString: Any] = [ kSecClass: kSecClassCertificate, kSecAttrLabel: label, kSecAttrApplicationTag: label, kSecReturnRef: kCFBooleanTrue!, kSecMatchLimit: kSecMatchLimitOne ] var item: CFTypeRef? let status = SecItemCopyMatching(query as CFDictionary, &amp;item) print("\(#function): \(#line), status: \(status)") if status != errSecSuccess { print("\(#function): \(#line), status: \(status) \(SecCopyErrorMessageString(status, nil) as String? ?? "Unknown error")") } guard status == errSecSuccess, let certificate = item else { print("\(#function): \(#line), Certificate not found") return nil } return (certificate as! SecCertificate) } Output: ===Trying Certs=== tryCerts(pemCertificate:): 338, Certificate added: true findCertificateInKeychain(label:): 272, status: -25300 findCertificateInKeychain(label:): 274, status: -25300 The specified item could not be found in the keychain. findCertificateInKeychain(label:): 277, Certificate not found tryCerts(pemCertificate:): 340, Certificate found: nil deleteCertificateFromKeychain(label:): 314, status: -25300 The specified item could not be found in the keychain. tryCerts(pemCertificate:): 342, Certificate deleted: false ===Trying Keys=== addPrivateKeyToKeychain(privateKey:label:): 256, status: -34018 A required entitlement isn't present. Program ended with exit code: 0

The list of common 3rd party SDKs that require a privacy list here: https://developer.apple.com/support/third-party-SDK-requirements/ References a "hermes" SDK. There is some ambiguity about whether this references Facebook/meta's hermes JS engine: https://github.com/facebook/hermes Or Imgur's Hermes notification system: https://github.com/Imgur/Hermes A representative from Meta claims that Apple is referring to Imgur's library, despite the branding using a capital H and Apple's list using a lowercase h (see here: https://github.com/react-native-community/discussions-and-proposals/discussions/776). Can someone from Apple please confirm which SDK is concerned ? We wish to avoid app rejections. Thank you

When users hide their email via Apple's private relay email server, our emails are sent to spam on GMail. When I look at these emails on GMail, I see the following message: "Why is this message in spam? Lots of messages from privaterelay.appleid.com were identified as spam in the past." Our emails do not go to spam when sent without Apple Private Relay. It sounds like we're being lumped together with bad actors. Is there a way to avoid this?

I have an app at work that supports Sign In With Apple so that users can create accounts and have their data synced to servers. A couple of years ago one of the users created an account using Sign In With Apple, choosing to use Hide My Email as well (so that their email that the app received looks like *****@privaterelay.appleid.com). The legacy in-house backend of the app unfortunately uses email addresses as user identifiers with the unlucky assumption that emails remain the same. The app doesn't offer users the ability to change email addresses. The user in question recently reported that since very recently they are no longer able to use the app. It turns out that their Sign In With Apple email address for my app had changed at some point. They shared an iPhone screenshot of their Sign In With Apple settings for the app. The screenshot says that they created an account for this app two years ago, but the email address in the "This app received" field is different to one that they initially signed up with, and it's also a Hide My Email address. It's important to note that this app was also transferred between developer accounts about a year ago, and since then this user, including thousands of other users didn't have issues using Sign In With Apple. So my main question is: in what scenario it's possible for the email associated with a Sign In With Apple account for an app to change without creating a new account?

Hi, We are getting error while fetching data from the keychain. Error code : "-25308" Error message : "User interaction is not allowed." This is happening in our Production app and many users are facing this issue. This issue is coming randomly for random users. Its working fine but suddenly we are getting this error randomly. We have tried to add delay when keychain is giving error randomly to minimise the issue but it is not fixing our issue and What could be the reason of this issue Can we have dedicated support for this? Thank You.

Hello Quinn “The Eskimo!”, I am trying to customize the mac os login screen. The initial thing I want to do is to add a link or a button on login screen, tapping which should open a web page. As suggested by you on different forums, I opened a DTS ticket and received the starter project for the same. Now the problem is, the starter project is crashing with following log, arguments: mechanism -1 will get arguments mechanism 2 will get arguments mechanism -1 did get arguments none mechanism -1 will get LAContext mechanism 2 will get LA context QAuthHostSimulator/QAuthHostEngineCallbackHelper.swift:144: Fatal error Could you please help me resolve this issue. Thanks.

When the user opens the "Save As" dialog, the Open and Save Panel Service will be launched by the system. Now I want to monitor the "Save As" operation in a user program, so is there an Endpoint Security event that I can use to monitor when the Open and Save Panel Service is launched? I've tested the ES_EVENT_TYPE_AUTH_EXEC event, but it did not work.

One of our apps contains an agent that is launched at login using a plist in /Library/LaunchAgents. Now the question came up if I can make sure this agent is only launched by the system and cannot be launched by a user or another application. I wonder if this can be done using launch constraints. I played a bit with responsible application constraints but I couldn't make it work. Either the agent didn't launch at all or it could also be launched by just double-clicking on it in Finder. I wonder whether this is even possible. Thanks.