I'm working on a Passkey Provider and I'm trying to limit my extension to already existing credentials added via ASCredentialIdentityStore. So if a browser calls navigator.credentials.get without any allowedCredentials, I want to reject that request and if navigator.credentails.get contain an allowedCredentials list, and the allowedCredentials are in my internal store, then I process the challenge. The problem I'm seeing is that allowedCredentials is empty whether I pass allowedCredentials to navigator.credentials.get or not. Is there any way to troubleshoot this?

I'm working on an app that uses NSURLSession to perform a network call from inside a Notification Content Extension, and we're seeing some inconsistent behavior. When the user selects one of the actions offered in the notification, a network request is triggered to finalize the action selection. But we're seeing in some cases that the network request fails. Sometimes it will error out with "The network connection was lost" and sometimes "The request timed out" but there are no network issues so it seems like the failure isn't quite accurate. I'm wondering if there are known issues with using NSURLSession from inside a Notification Content Extension that could cause intermittent problems.

I've created two simple mac apps that both are configured with the same keychain access group. I tried inserting a keychain record from App A and then reading it from App B. When App B requests the keychain entry, I get a system prompt saying "App B wants to use your confidential information stored in <redacted> in your keychain." and I have to enter my password to approve the request. My understanding was that setting keychain access groups would obviate the need for a system prompt. Is that an incorrect assumption? Or is there something mis-configured here? Any pointers or advice would be appreciated. Thanks.

I'm trying to write a two process system (client and daemon) and I would like both to be able to access NEVPNManager's shared manager and get access to the same VPN configuration. Is that possible with NEVPNManager? Will using app groups or some other entitlement allow this sharing of profiles and vpn state information?

I'm working on building a custom Packet Tunnel Provider and I'm running into a group of related problems surrounding how DNS appears to be handled. If I don't specify dnsSettings in my NEPacketTunnelNetworkSettings then nothing resolves and the tunnel is useless. So I tried setting a specific DNS resolver; that solves the problem of DNS resolution and the tunnel works, but those DNS requests are sent outside the tunnel and I don't see a way to enforce them going through the tunnel. This is a problem as plain text DNS requests are a big information leak. I next tried to set the dnsSettings to an NEDNSOverHTTPSSettings object pointing to cloudflare's public DoH server. That doesn't appear to work. No DNS requests are seen over the wire, but nothing resolves so it's just as useless as the original state. Is there something I'm missing here w/r/t DNS setting on packet tunnel providers?

Apple has announced a change to TLS certificate trust rules: https://support.apple.com/en-us/HT211025Will these rules affect the certificates used for authenticating IPSec certificates when connecting to a server using NEVPNManager as well? Will connections to those servers fail as well?