Hi, Please see TN3159: Migrating Sign in with Apple users for an app transfer for more information on the expected end-to-end app transfer and user migration flow. Additionally, if you'd like for the iCloud and App Store engineering teams to confirm if the errors are related to a revoked authorization to previous users accounts, please submit a report via Feedback Assistant and include the following information: Gathering required information for troubleshooting Sign in with Apple user migration To prevent sending sensitive JSON Web Tokens (JWTs) in plain text, you should create a report in Feedback Assistant to share the details requested below. Additionally, if I determine the error is caused by an internal issue in the operating system or Apple ID servers, the appropriate engineering teams have access to the same information and can communicate with you directly for more information, if needed. Please follow the instructions below to submit your feedback. For issues occurring with your user migration, ensure your feedback contains the following information: the primary App ID and Services ID the client secret for the transferring team (Team A) and the recipient team (Team B) the failing request(s), including all parameter values, and error responses (if applicable) the timestamp of when the issue was reproduced (optional) screenshots or videos of errors and unexpected behaviors (optional) Important: If providing a web service request, please ensure the client secret (JWT) has an extended expiration time (exp) of at least ten (10) business days, so I have enough time to diagnose the issue. Additionally, if your request requires access token or refresh tokens, please provide refresh tokens as they do not have a time-based expiration time; most access tokens have a maximum lifetime of one (1) hour, and will expire before I have a chance to look at the issue. Submitting your feedback Before you submit via Feedback Assistant, please confirm the requested information above (for your native app or web service) is included in your feedback. Failure to provide the requested information will only delay my investigation into the reported issue within your Sign in with Apple client. After your submission to Feedback Assistant is complete, please respond in your existing Developer Forums post with the Feedback ID. Once received, I can begin my investigation and determine if this issue is caused by an error within your client, a configuration issue within your developer account, or an underlying system bug. Cheers, Paris X Pinkney |  WWDR | DTS Engineer

I'm working on a Passkey Provider and I'm trying to limit my extension to already existing credentials added via ASCredentialIdentityStore. So if a browser calls navigator.credentials.get without any allowedCredentials, I want to reject that request and if navigator.credentails.get contain an allowedCredentials list, and the allowedCredentials are in my internal store, then I process the challenge. The problem I'm seeing is that allowedCredentials is empty whether I pass allowedCredentials to navigator.credentials.get or not. Is there any way to troubleshoot this?

我们的app从1.0版本一直在正常上架与更新，2.12版本添加相应的内购项目，更新了app展示图，在审核的过程中出现这个问题，一直没有解决，发了好多个邮件也一直没有回应，首先我们app没有收集用户数据，不知道如何获取用户同意，也不知道该如何向用户明确如何使用这些信息，我们开启vpn通道，只是为了加速网络，不知道如何解决这个问题，apple审核方面也没用给出明确解决方法，Guideline 5.4 - Legal - VPN Apps We noticed that the app does not obtain the user's consent before collecting user data. We noticed that the app does not sufficiently explain how the app or VPN service is using data collected from users. Next Steps To view and store information about users and the data they consume, you must make it clear to the user what data is being collected and how it will be used. Additionally, you must obtain the user's consent before the data is uploaded to your server. Mentioning this information in the app's Terms of Service or Privacy Policy is not sufficient. Support Reply to this message in your preferred language if you need assistance. If you need additional support, use the Contact Us module. Consult with fellow developers and Apple engineers on the Apple Developer Forums. Help improve the review process or identify a need for clarity in our policies by suggesting guideline changes. Request a 30-minute online meeting with an App Review expert to discuss the guidelines and best practices for a smooth review process.

I'm writing an app that uses on-device voice to text for recognising scientific terms. It works fine on my phone but now in beta my first tester cannot make it work. All the permission requests are working: p&s Mic and Speech Recognition are both now enabled on the target device where the user granted the app permission. Is there something else I'm missing? Incidentally, both my phone, the target phone and my XCode are fully up to date. Thanks.

On macOS OS updates/reboot, CryptoTokenKit extension doesn't get loaded automatically when the system boots back. It needs another reboot to get the extension loaded and working. After update: % security list-smartcards <No smart cards> .. and there is a crash for authorizationhosthelper.arm64 in keychain layer Thread 2 Crashed:: Dispatch queue: com.apple.security.keychain-cache-queue 0 libdispatch.dylib 0x18e2e499c dispatch_channel_cancel + 12 1 Security 0x1914ccfd0 invocation function for block in Security::KeychainCore::StorageManager::tickleKeychain(Security::KeychainCore::KeychainImpl*) + 44 2 libdispatch.dylib 0x18e2ce3e8 _dispatch_client_callout + 20 3 libdispatch.dylib 0x18e2d18ec _dispatch_continuation_pop + 600 4 libdispatch.dylib 0x18e2e57f0 _dispatch_source_latch_and_call + 420 5 libdispatch.dylib 0x18e2e43b4 _dispatch_source_invoke + 832 6 libdispatch.dylib 0x18e2d5898 _dispatch_lane_serial_drain + 368 7 libdispatch.dylib 0x18e2d6544 _dispatch_lane_invoke + 380 8 libdispatch.dylib 0x18e2e12d0 _dispatch_root_queue_drain_deferred_wlh + 288 9 libdispatch.dylib 0x18e2e0b44 _dispatch_workloop_worker_thread + 404 10 libsystem_pthread.dylib 0x18e47b00c _pthread_wqthread + 288 11 libsystem_pthread.dylib 0x18e479d28 start_wqthread + 8 Opening the parent app bundle as a Login item does not help. A reboot sometimes fixes it but this happens frequently and causes lot of enterprise endpoints not able to authenticate. After reboot: % security list-smartcards com.foo.tech.mac-device-check.SecureEnclaveTokenExtension:700D6B7E8943B529569D9CC81AC6F930 Please provide and prioritize a permanent fix/workaround for this issue. We have already reported this issue with crash and sysdiagnose logs in FB13622281 earlier this year.

This is an addended post referring to me getting bounced from Bank of America and account shut down and forced to firmware wipe etc my devices due to ‘account takeover’ from ‘malware’ as their crowdstrike or whatever prob read api or ip irregularity? They wouldn’t say, bye this happened to 4 other similar accounts in 6 months. I don’t use proxy or remote etc but the log below apparently reveals some kind of strange activity- I’m not smart enough to put it all together, much appreciated folks!!! terminusd-471.140.5 pid 674 built on Jun 29 2024 06:58:06, iphoneOS 21G80 "iPhone", packet logging disabled Companion link is currently enabled on this device 23:35:36.2420 : time of this status dump --------- NRD Local Device Database Status (0 devices) --------- --------- Director status --------- Name: Link Director Enabled: YES Fixed Interface mode: NO Thermal watcher registered: NO Thermal Pressure: Nominal SOCKS port: 62742 SOCKS server: (null) FD Usage: { NETPOLICY = 2; Total = 6; VNODE = 4; } Unlocked data protection: ClassA --------- Manager status --------- Name: Policy Session Manager Policy Session: { priority = control1 policies = {} } Installed policies: { "NRLinkDirector-Drop" = ( 1 ); } Name: Link Manager - Bluetooth LinkManager type: Bluetooth State: Ready [] Links: {( )} Pipes: {( )} Peripherals: (null) connectPeripheral invoked: (null) CentralMgr: (null) PeripheralMgr: (null) currentAdvertisementState: Idle currentAdvertisementRate: Default BT connection state: (null) Name: Link Manager - WiFi LinkManager type: WiFi State: Ready Links: {( )} WiFi Interface: en0 (index 22) AWDL Interface: (null) (index 0) WiFi Available: NO WiFi WoW Enabled: NO WiFi Client Type: 0 Local WiFi Endpoint: (null) Local WiFi Signature: (null) Remote WiFi Endpoints: { } Remote WiFi Signature: (null) Remote AWDL EndpointDict: { } Available IPv4 addresses: ( ) Available IPv6 addresses: ( ) Available AWDL addresses: ( ) Prefer WiFi asserts: 0 Cleared Prefer WiFi asserts: 0 ---- NRIKEv2Listener ---- IKEv2 Listener: (null) Registered links: (null) Orphaned Device Monitor Connections: {( )} Orphaned Device Preferences Connections: {( )} Ephemeral Device Connections: {( Sent from my iPhone

I keep getting these CAPTCHA messages with an I IP address and a site link and there are many files on my phone which I don’t understand As I try to navigate sites, I get a CAPTCHA message of different types. With IP addresses and URLs. IP address: 2a04:4e41:62::9ce7:d3c7 Time: 2024-08-23T06:27:11Z URL: https://www.google.com/search?q=com.apple.os.update-E308CACB9FB73322E7681CC9DAFA19CF788DA2672BFBE91158D3C85061851851%40%2Fdev%2Fdisk1s1+on+%2F+(apfs%2C+sealed%2C+local%2C+nosuid%2C+read-only%2C+journaled%2C+noatime)+devfs+on+%2Fdev+(devfs%2C+local%2C+nosuid%2C+nobrowse)+%2Fdev%2Fdisk1s6+on+%2Fprivate%2Fpreboot+(apfs%2C+local%2C+nosuid%2C+journaled%2C+noatime)+%2Fdev%2Fdisk1s3+on+%2Fprivate%2Fxarts+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s2+on+%2Fprivate%2Fvar+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)+%2Fdev%2Fdisk1s4+on+%2Fprivate%2Fvar%2Fwireless%2Fbaseband_data+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s7+on+%2Fprivate%2Fvar%2FMobileSoftwareUpdate+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s5+on+%2Fprivate%2Fvar%2Fhardware+(apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s8+on+%2Fprivate%2Fvar%2Fmobile+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)&ie=UTF-8&oe=UTF-8&hl=en-us&client=safari q=com.apple.os.update-E308CACB9FB73322E7681CC9DAFA19CF788DA2672BFBE91158D3C85061851851%40%2Fdev%2Fdisk1s1+on+%2F+(apfs%2C+sealed%2C+local%2C+nosuid%2C+read-only%2C+journaled%2C+noatime)+devfs+on+%2Fdev+(devfs%2C+local%2C+nosuid%2C+nobrowse)+%2Fdev%2Fdisk1s 6+on+%2Fprivate%2Fpreboot+ (apfs%2C+local%2C+nosuid%2C+journaled%2C+noatime)+%2Fdev%2Fdisk1s3+on+%2Fprivate%2Fxarts+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s2+on+%2Fprivate%2Fvar+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)+%2Fdev%2Fdisk1s4+on+%2Fprivate%2Fvar%2Fwireless%2Fbaseband_data+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s7+on+%2Fprivate%2Fvar%2FMobileSoftwareUpdate+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s5+on+%2Fprivate%2Fvar%2Fhardware+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+nobrowse)+%2Fdev%2Fdisk1s8+on+%2Fprivate%2Fvar%2Fmobile+ (apfs%2C+local%2C+nodev%2C+nosuid%2C+journaled%2C+noatime%2C+protect)&ie=UTF-8&oe=UTF-8&hl=en-us&client=safari https://www.google.com/search?q=com.apple.os.update-E308CACB9FB73322E7681CC9DAFA19CF788DA2672BFBE91158D3C85061851851%40%2Fdev%2Fdisk1s1+on+%2F+ apfs%2C+sealed%2C+local%2C+nosuid%2C+read-only%2C+journaled%2C+noatime)+devfs+on+%2Fdev+(devfs%2C+local%2C+nosuid%2C+nobrowse)+%2Fdev%2Fdisk1s6+on+%2Fprivate%2Fpreboot

Similar to this thread. How do we go about testing or triggering the UI for this new iOS/macOS 18 API? https://developer.apple.com/documentation/authenticationservices/ascredentialproviderviewcontroller/prepareinterfaceforuserchoosingtexttoinsert() Thanks!

UITraitCollection.sceneCaptureState does not work when using iPhone mirroring on iOS 18 beta and MacOS sequoia beta. The path to reproducing this bug is as follows: Set the default language of macOS to Korean Change the default language setting in macOS to English Use the iPhone Mirroring app In situations like this, sceneCaptureState of UITraitCollection.current appears as inactive. This can lead to serious bugs and abuse in many applications listed on the App Store. UITraitCollection.current.sceneCaptureState

WireGuard Apple VPN Client App for macOS with System Extension to Distribute Outside App Store Checkout the source code of WireGuard Apple. https://github.com/WireGuard/wireguard-apple I have fixed several issues and now I can create and connect to the VPN. This source code uses the App Network Extension (appex) which can only be distributed on the App Store. But I don't want to distribute it via the App Store. I will distribute it outside the App Store. But for this, we need to sign the app with the Developer ID Application certificate and we also need to notarize it. So for this, the App Network Extension (appex) will not help. We need to use the System Extension Network Extension (sysex). So we need to make changes to the WireGuard Apple source code to be able to connect the VPN via the System Extension Network Extension (sysex), this means we need to migrate existing App Network Extension (appex) to System Extension Network Extension (sysex) in this source code. I am facing this challenge, that's why I am looking for a solution here. I have already done changes explained here https://forums.developer.apple.com/forums/thread/695550. Also done with changes for getting system extension permission and network extension permission. Real problem is, VPN client app is not getting connect to VPN and to fix this, we need to fix in WireGuard Apple Kit source code. Please help me to solve this problem.

Hi, I’ve had a a rough month with bank of america shuttering my online profile and account because of suspected Device Malware- account takeover it says, and I lost admin privileges to my primary email and Amazon account as well. Figured iOS was unbreachable. I’ve had some odd things happening- remotecloudiu or something caught and stopped in lockdown, and in MC meta showing mdm migration and hidden profiles. Device flickers and crash error 308 repeatedly shows. Avg 40 gb mobile data but last month showed 350 gb. Need some help with analytics or direction. Payload manifest: bplist00)_OrderedProfiles^HiddenProfiles i_8com.apple.ATT_NR_US.f7eb2f44-daOe-11eb-8349-f45c89abb0d9 mc meta: bplist00Ô_LastMDMMigratedBuild_LastMigratedBuild_&StopFilteringGrandfatheredRestrictions_ AllowedGrandfatheredRestrictionsU21G93Ñ possible unauth mdm? Sorry I’m clueless!!!

When using the Cape App, the Hidden Apps Folder Displaying In App Library. The folder should not be visited be when apps are hidden.

I'm running a launch agent in a CI node. The agent is responsible for launching CI build/test jobs. The agent, being the responsible process, has been granted kTCCServiceScreenCapture permission. With this in place I can run /usr/sbin/screencapture during CI test jobs, archiving the visual state of the CI machine if a test fails, which makes it easier to diagnose why the test failed. However with macOS 15 I get weekly/monthly notifications about the agent being able to record the screen. The general advice for this is that apps should migrate to ScreenCaptureKit, but I'm using a built in tool in macOS, /usr/sbin/screencapture, so how am I supposed to deal with that?

I would like to implement a feature in the prepareInterfaceForExtensionConfiguration function of the AutoFillCredentialProvider extension that returns to the main app. Since the extension prohibits the use of openURL from sharedApplication, can I use the openURL function of NSExtensionContext through UIResponder? Would this violate Apple’s regulations? private func openContainerApp() { let scheme = "momoshare://" let url: URL = URL(string: scheme)! let context = NSExtensionContext() context.open(url, completionHandler: nil) var responder = self as UIResponder? let selectorOpenURL = sel_registerName("openURL:") while (responder != nil) { if responder!.responds(to: selectorOpenURL) { responder!.perform(selectorOpenURL, with: url) break } responder = responder?.next } }

Hi, In our application, apple users have option to hide their email and continue with proxy email that apple provides to use our application feature. But we noticed that apple account created with gmail is having an issue where the email that we send from our apps is going to spam folder in gmail. All the other email domains used is working fine. Is anyone facing/faced this issue, please suggest a possible solution Thanks JM

Hello! I am storing an auth token and other details in the device keychain. I want to implement actionable push notifications that makes a network call using the stored auth token. The keychain settings I am using are a combination of: ksecattraccessiblewhenpasscodesetthisdeviceonly kSecAccessControlBiometryAny Whenever I try to access the auth token that is stored, it throws me an error saying "User Interaction required" Is there any way I can trigger a face-id check after clicking a push notification action so that I don't have to change the security settings? Or just use LAContext as soon as I receive a notification?

We are working on an application that allows to open and share encrypted containers. These containers can be protected by a variety of access types : most users choose to use password accesses, as those are easy to setup and don't require any supplementary enrollment done by the user. To enhance app functionnality, especially in managed environments, we would like to find a way to distribute more efficiently certificates that may be used to access the containers. Preliminary research led me to believe that something akin to what the Android Keystore does is not doable here : the general Keychain can't be accessed by applications, which can only access their own, specific "sub-keychain". https://developer.apple.com/library/archive/qa/qa1745/_index.html I was wondering if there were any plans to change that, especially in the case of managed environments managed by an MDM. If there is not, is there any way the identities supplied by an MDM can be supplied directly to a managed application's keychain ? Are there any recommended usages for this use case ?

Is it possible to fetch the user's latitude and longitude after the app has been manually terminated? If so, could you please provide a solution?

When a user swipes up to see the app switcher, I put a blocking view over my app so the data inside cannot be seen if you flick through the app switcher. I do this by checking if the scenePhase goes from .active to .inactive. If the app goes into the background, scenePhase == .background so I trigger something that would force the user to authenticate with Face ID/Touch ID when the app is next brought to the foreground or launched. However, this doesn't seem to work. The biometrics authentication is executed, but it just lets the user in without showing the Face ID animation. I put my finger over the sensors so it couldn't possibly be authenticating, but it just lets them in. Here's a quick set of logs: scenePhase == .inactive - User showed app switcher scenePhase == .background - User swiped up fully, went to Home Screen scenePhase == .inactive - User has tapped the app icon scenePhase == .active - App is now active authenticate() - Method called authenticate(), authenticateViaBiometrics() == true - User is going to be authenticated via Face ID // Face ID did not appear! success = true - Result of calling `context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics` means user was authenticated successfully error = nil - No error in the authentication policy authenticate(), success - Method finished, user was authenticated Here's the code: print("authenticate(), authenticateViaBiometrics() == true - User is going to be authenticated via Face ID") var error: NSError? guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else { // Handle permission denied or error print("authenticate(), no permission, or error") authenticated = false defaultsUpdateAuthenticated(false) defaultsUpdateAuthenticateViaBiometrics(false) return } context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Authenticate with biometrics") { (success, error) in DispatchQueue.main.async { print("success = \(success)") print("error = \(String(describing: error?.localizedDescription))") if(success) { print("authenticate(), success") authenticated = true } else { print("authenticate(), failure") authenticated = false } } } This happens with or without the DispatchQueue... call.

I downloaded the sample code given in: https://developer.apple.com/documentation/servicemanagement/updating-your-app-package-installer-to-use-the-new-service-management-api?language=objc Made necessary changes and I was able to install and test successfully. Next, I watched: https://developer.apple.com/videos/play/wwdc2023/10266/ I noted the example given at: 14:52 Example launchd plist constraint. Applied the KeepAlive, RunAtLoad and SpawnConstraints parameters to the sample code downloaded earlier. I got the log in the console and agent was not allowed: default 11:35:26.885483+0300 kernel AMFI: Launch Constraint Violation (enforcing), error info: c[5]p[1]m[1]e[0], (Constraint not matched) launching proc[vc: 10 pid: 19439]: /Library/Application Support/X/SMAppServiceSampleCode.app/Contents/Resources/SampleLaunchAgent, launch type 0, failure proc [vc: 10 pid: 19439]: /Library/Application Support/X/SMAppServiceSampleCode.app/Contents/Resources/SampleLaunchAgent Is SpawnConstraint not applicable for launch agents? Since launchd is the only parent process that can spawn the launch agent based on the plist, is the example given at 14:52 still valid?