Device Management


Allow administrators to securely and remotely configure enrolled devices using Device Management.

Posts under Device Management tag

176 Posts
Columns per entry: Post / Replies / Boosts / Views / Activity

iOS 14: Several MDM commands fail with error "Couldn’t communicate with a helper application"
With iOS 14 devices we can see that many MDM commands fail with the error "Couldn’t communicate with a helper application." This error is most frequent in the InstallApplication and InstallProfile commands, but other MDM commands also face the same issue. I have attached sample responses from some devices. We have seen this error in previous versions of iOS, but with iOS 14 these are very frequent.

InstallApplication Errors

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>InstallApplication;Collection=51075000000853127</string>
        <key>ErrorChain</key>
        <array>
            <dict>
                <key>ErrorCode</key>
                <integer>1005</integer>
                <key>ErrorDomain</key>
                <string>DeviceManagement.error</string>
                <key>LocalizedDescription</key>
                <string>Could not install app.</string>
            </dict>
            <dict>
                <key>ErrorCode</key>
                <integer>4097</integer>
                <key>ErrorDomain</key>
                <string>NSCocoaErrorDomain</string>
                <key>LocalizedDescription</key>
                <string>Couldn’t communicate with a helper application.</string>
            </dict>
        </array>
        <key>Status</key>
        <string>Error</string>
        <key>UDID</key>
        <string>UDID-UDID</string>
    </dict>
    </plist>

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>InstallApplication;Collection=33783000002227119</string>
        <key>ErrorChain</key>
        <array>
            <dict>
                <key>ErrorCode</key>
                <integer>4099</integer>
                <key>ErrorDomain</key>
                <string>NSCocoaErrorDomain</string>
                <key>LocalizedDescription</key>
                <string>Couldn’t communicate with a helper application.</string>
            </dict>
        </array>
        <key>Status</key>
        <string>Error</string>
        <key>UDID</key>
        <string>UDIDUDIDUDID</string>
    </dict>
    </plist>

InstallProfile Errors

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>SingletonRestriction</string>
        <key>ErrorChain</key>
        <array>
            <dict>
                <key>ErrorCode</key>
                <integer>4099</integer>
                <key>ErrorDomain</key>
                <string>NSCocoaErrorDomain</string>
                <key>LocalizedDescription</key>
                <string>Couldn’t communicate with a helper application.</string>
            </dict>
        </array>
        <key>Status</key>
        <string>Error</string>
        <key>UDID</key>
        <string>UDIDUDID</string>
    </dict>
    </plist>

AvailableOSUpdate Error

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>AvailableOSUpdates</string>
        <key>ErrorChain</key>
        <array>
            <dict>
                <key>ErrorCode</key>
                <integer>12050</integer>
                <key>ErrorDomain</key>
                <string>MCMDMErrorDomain</string>
                <key>LocalizedDescription</key>
                <string>The attempt to check for an available update failed.</string>
                <key>USEnglishDescription</key>
                <string>The attempt to check for an available update failed.</string>
            </dict>
            <dict>
                <key>ErrorCode</key>
                <integer>2214</integer>
                <key>ErrorDomain</key>
                <string>DeviceManagement.error</string>
                <key>LocalizedDescription</key>
                <string>Scan failed.</string>
            </dict>
            <dict>
                <key>ErrorCode</key>
                <integer>4097</integer>
                <key>ErrorDomain</key>
                <string>NSCocoaErrorDomain</string>
                <key>LocalizedDescription</key>
                <string>Couldn’t communicate with a helper application.</string>
            </dict>
        </array>
        <key>Status</key>
        <string>Error</string>
        <key>UDID</key>
        <string>UDIDUDIDUDID</string>
    </dict>
    </plist>

ClearPasscode

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>CommandUUID</key>
        <string>ClearPasscode</string>
        <key>ErrorChain</key>
        <array>
            <dict>
                <key>ErrorCode</key>
                <integer>701</integer>
                <key>ErrorDomain</key>
                <string>DeviceManagement.error</string>
                <key>LocalizedDescription</key>
                <string>The device’s passcode cannot be cleared.</string>
            </dict>
            <dict>
                <key>ErrorCode</key>
                <integer>4097</integer>
                <key>ErrorDomain</key>
                <string>NSCocoaErrorDomain</string>
                <key>LocalizedDescription</key>
                <string>Couldn’t communicate with a helper application.</string>
            </dict>
        </array>
        <key>Status</key>
        <string>Error</string>
        <key>UDID</key>
        <string>UDIDUDIDUDID</string>
    </dict>
    </plist>
5
0
4.3k
Aug ’23
Can’t enforce Safari as default browser
I would like to know, on an MDM-managed supervised device, how to force the use of Safari if a user has a non-Safari browser set as default. Can enforcing Safari for a domain or web clip be done? Even Shortcuts now, when using Safari, opens whatever is set as the default browser. Ironically, if the same simple "open URL" shortcut is created with Chrome, it opens with Chrome regardless of whether the default browser is set to Firefox, for example. This default browser setting is great for personal use but now causes issues for corporate use for me. Anybody else figure this out? It also affects certificates for our managed devices.
2
0
2.1k
Aug ’23
Screen Time Guardian App Questions
WWDC21 session 10123 shows a screen that implies the guardian instance of your app is able to select apps on your child's device to encourage or to control. In my experience with the API so far I can't see a way to do this. The API only seems to work on the child's phone. Here are my questions: Is there a suggested way to determine whether the app is running on a guardian device? The only way I can see is to attempt AuthorizationCenter.shared.requestAuthorization and check for an error value of .invalidAccountType. But it seems you could get that error for other reasons too. Is there a way to present FamilyActivityPicker on the guardian device but have it show apps on the child's phone? I don't see anything in the API for selecting a child account to access with 'FamilyActivityPicker'; it seems to only show the phone's user's apps (or no apps if it's the guardian's phone). After retrieving app tokens from 'FamilyActivityPicker', is there a recommended way to present them to the user in the UI? The WWDC session shows an app icon and app name (i.e. "Books" and "Solar System"), but my understanding is that this info is hidden from the developer for privacy reasons. So I'm wondering if the example in the session is really feasible.
7
0
3.2k
Aug ’23
MobileIron CA management
Hello. After pushing all our CAs via MobileIron MDM to iPhones and iPads, we noticed that internal websites signed by our CA are not trusted. We followed your KB articles https://support.apple.com/en-in/HT210176 and https://support.apple.com/en-us/HT211025; however, whether installing the whole chain in one file or one certificate at a time, and pushing it as a certificates config via MDM to the devices concerned, the certificate alert still exists. Same issue when installing the internal root CA directly on Apple devices. Do you have any advice? Thanks.
4
0
1.4k
Aug ’23
The "unable to decrypt encrypted profile" error occurs only at the time of Mac DEP registration.
macOS version: Monterey 12.1. A device management profile is transmitted to the device with reference to https://developer.apple.com/documentation/devicemanagement/mdm. Both iOS and iPadOS devices operate normally in both general enrollment and DEP enrollment. In macOS, enrollment operates normally on user channels. This time, I purchased a Mac mini equipped with Apple silicon and tried to test DEP registration, but the following error occurs: "unable to decrypt encrypted profile". Should the Mac's DEP registration use a different payload profile method? Let me know if you know something to refer to. Thank you.
1
0
1.2k
Aug ’23
macOS bundled OpenSSH 8.6p1 seems not to support FIDO keys
Since 8.2p1, OpenSSH has supported FIDO/U2F hardware authenticators, adding the "ed25519-sk" and "ecdsa-sk" key types. The OpenSSH bundled with macOS Monterey 12.2 (version 8.6p1) doesn't include built-in security key support, but it seems that the user can specify a middleware library to use FIDO authenticator-hosted keys (see man ssh-add, man ssh_config and man ssh-agent). I tried to implement a FIDO security key provider library, but the bundled ssh-agent doesn't seem to try to load the implemented library and simply returns "unknown or unsupported key type":

    $ ssh-agent -d -P "/*"
    SSH_AUTH_SOCK=SOME_VALUE; export SSH_AUTH_SOCK;
    echo Agent pid SOME_VALUE;
    debug1: new_socket: type = SOCKET
    debug2: fd 3 setting O_NONBLOCK
    debug1: new_socket: type = CONNECTION
    debug3: fd 4 is O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 25
    debug2: process_add_identity: entering
    debug1: parse_key_constraint_extension: constraint ext sk-provider@openssh.com
    debug1: process_add_identity: add sk-ssh-ed25519@openssh.com SHA256:KEY_HASH "KEY_COMMENT" (life: 0) (confirm: 0) (provider: /path/to/libsk-libfido2.so)
    debug1: new_socket: type = CONNECTION
    debug3: fd 4 is O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 11
    debug2: process_request_identities: entering
    debug1: process_message: socket 1 (fd=4) type 13
    debug1: process_sign_request2: entering
    Confirm user presence for key ED25519-SK SHA256:KEY_HASH
    process_sign_request2: sshkey_sign: unknown or unsupported key type
    User presence confirmed

Manually installing OpenSSH from a third party (such as MacPorts/Homebrew, or simply building it from source) works, but third-party OpenSSH can't read passwords stored in Keychain. Does the bundled OpenSSH disable hardware key support at build time? Advice most appreciated. Thank you!
13
19
5.9k
Oct ’23
Inquiry about the failure to decrypt the profile when registering the DEP of macOS.
The Mac device has been manually added to Apple Business Manager. DEP profiles are installed normally on both iOS and iPadOS. The profile decryption error occurs only when attempting DEP on macOS. (If you look at the picture, a decryption error occurs in the remote device registration step.) I asked Apple's customer center about this problem, and it is said to be caused by the lack of a key called "automatic registration on the MDM server". The key cannot be found in the Apple official document related to the profile below: https://developer.apple.com/documentation/devicemanagement/mdm/

Information received during DEP enrollment of a Mac mini using Apple silicon:

    {
        'LANGUAGE': 'en_US',
        'PRODUCT': 'Macmini 9,1',
        'SERIAL': 'CXXXXXXXXXXV',
        'UDID': '0XXXXX27-XXXX-XXXX-XXXX-XZXXXXXXXXX',
        'VERSION': '21C52'
    }

Information received during DEP enrollment of an iPad:

    {
        'LANGUAGE': 'en_US',
        'PRODUCT': 'iPad5,4',
        'SERIAL': 'DXXXXXXXXXXQ',
        'UDID': '9aXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6d',
        'VERSION': '19C63'
    }

Profile to be transmitted to the device (the same for macOS, iOS and iPadOS):

    {
        'AccessRights': 8191,
        'CheckInURL': 'https://apm.xxxxx.com/checkin',
        'CheckOutWhenRemoved': True,
        'IdentityCertificateUUID': '00000000-0000-0000-0000-000000000000',
        'PayloadDescription': 'MDM Profile',
        'PayloadDisplayName': 'MDM',
        'PayloadIdentifier': 'com.xxxxx.xxxxxxx.mdm',
        'PayloadOrganization': 'MDM provider',
        'PayloadType': 'com.apple.mdm',
        'PayloadUUID': '00000000-0000-0000-0000-000000000000',
        'PayloadVersion': 1,
        'PromptUserToAllowBootstrapTokenForAuthentication': True,
        'ServerCapabilities': ['com.apple.mdm.per-user-connections', 'com.apple.mdm.bootstraptoken'],
        'ServerURL': 'https://apm.xxxxx.com/server',
        'SignMessage': False,
        'Topic': 'com.apple.mgmt.External.206bfa63-f76a-4381-9e50-6f74241d14d9'
    }

Because it uses the same profile structure, it is not understood why iOS/iPadOS operates normally and errors occur only in macOS. If there is anything that can help me, please let me know. Thank you.
3
0
1.7k
May ’24
Ventura & SCEP
Apple prompted users to explicitly test SCEP workflows after the Ventura upgrade. The Apple macOS 13 Beta 1 Release Notes should cover the changes, but we didn't find any more details. Did Apple release any more information on what was changed? We are currently unable to complete the SCEP workflow on Ventura 13.0 22A380. Up to macOS Monterey the workflow works without any problems. The workflow fails while parsing the PKCSReq response (Diagram #5) with the following error:

    CertificateService [502:Cert_PI:SCEP:<0xf94c>] Calling SecSCEPVerifyReply()...
    CertificateService SecCMSMessageSecurityShim is disabled (via feature flags)
    CertificateService [502:Cert_PI:SCEP:<0xf94c>] SecSCEPVerifyReply() returned 0 certs Error: (null)
    CertificateService [502:Cert_PI:SCEP:<0xf94c>] SCEP response verification failure details (PKCSReq):
    CertificateService [502:Cert_PI:SCEP:<0xf94c>] ParseErrorCode : -25293
    CertificateService [502:Cert_PI:SCEP:<0xf94c>] ResponseLength : 4961
    CertificateService [502:Cert_PI:SCEP:<0xf94c>] ParseErrorText : Failed to verify signed data
    CertificateService [502:Cert_PI:SCEP:<0xf94c>] Attrs attributes: (null)
    CertificateService [ERROR] [502:Cert_PI:SCEP:<0xf94c>] SCEP response failed to verify ==> (null)
    CertificateService [502:Cert_PI:<0xf94c>] <OUTERROR> Failed to verify get certificate response <MDM-SCEP:15002>
    CertificateService [ERROR] [502:Cert_PI:SCEP:<0xf94c>] [CE] Certificate request failed ==> Failed to verify get certificate response <MDM-SCEP:15002>
9
2
3.6k
Oct ’23
Webclip icon cannot be deleted
The iPhone info: OS version: iOS 15; device model: iPhone 12.

Steps:
1. Install the MDM profile on the iPhone.
2. The server pushes the command to install the web clip profile through MDM (the profile is set to not be manually removable).
3. After installing the web clip profile, the web clip icon appears on the Home Screen of the phone.
4. When the web clip is no longer used, remove the web clip profile through MDM.

The problem occurs in step 4: the web clip profile is deleted, but the web clip icon still exists on the home screen of the phone, and cannot be removed by tools such as Apple Configurator 2. So what causes this phenomenon, and how can it be fixed?
4
3
1.8k
Oct ’23
Implementing OAuth2 for User Enrollment
Hi Community,

We have been testing using OAuth2 for User Enrollment. As per the doc provided, we have supplied the method, authorization-url, token-url, redirect-url and client-id in the 401 response from the MDM server.

Authorization Request

As mentioned, the Apple client performed the authorization request by adding state and login_hint to the authorization-url along with the params mentioned above, and successfully received the authorization code after the user logs in with the IdP.

    <<<<< Request
    GET /oauth2/authorization?response_type=code
        &client_id=XXXXXXXXXX
        &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
        &state=XXXXXXXXXX
        &login_hint=useroa@example.com HTTP/1.1
    Host: mdmserver.example.com

    ------- MULTIPLE REQUESTS BETWEEN CLIENT AND SERVER ----------

    >>>>> Response
    HTTP/1.1 308 Permanent Redirect
    Content-Length: 0
    Location: apple-remotemanagement-user-login:/oauth2/redirection?code=XXXXXXXXXX&state=XXXXXXXXXX

Token Request

Using the code received from the authorization server, the Apple client performs this step to get the access_token and refresh_token. I am using an authorization server created by default in my Okta domain, and this step fails.

    <<<<< Request
    POST /oauth2/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 195

    grant_type=authorization_code
        &code=XXXXXXXXXXXX
        &redirect_uri=apple-remotemanagement-user-login:/oauth2/redirection
        &client_id=XXXXXXXXXX

    >>>>> Response
    HTTP/2 401 Unauthorized
    Content-Type: application/json

    {
      "error": "invalid_client",
      "error_description": "Client authentication failed. Either the client or the client credentials are invalid."
    }

When I debugged this issue: as per Okta's doc https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/#exchange-the-code-for-tokens, the client must specify its credentials in the Authorization header as Authorization: Basic <client_id>:<client_secret> in order to get the access_token. And also, as per RFC 6749 https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3, confidential clients must specify the client_id and client_secret provided by the authorization server to receive access tokens. May I know how to overcome this issue, or did I miss any steps that might include the Authorization header? Thanks in advance.
1
0
1.6k
Aug ’23
Rapid security iOS update in Apple API JSON changes reliability
We are reading from an Apple API, https://gdmf.apple.com/v2/pmv, that we got from https://developer.apple.com/business/documentation/MDM-Protocol-Reference.pdf. With Rapid Security Responses coming in, we can see the 16.4.1 (a) update out via Settings > Software Update. It appears that Apple's API response has recently been updated with an additional parameter called "ProductVersionExtra", as shown below. Can someone from Apple please validate that these changes are reliable so we can update the JSON parsing logic at our end?
1
1
863
Jul ’23
Cordova localhost Blocked by Content Filters
Our app uses Cordova with a Cordova Local Webserver plugin. This plugin uses the url http://localhost: with a randomly chosen port. Some of the devices that our app runs on are MDM configured and have Content Filters enabled which only allows a finite list of website URLs to be accessed. This configuration has always worked in the past. Starting with the release of iPadOS 16.5, our app now hangs because the content filters are now preventing access to http://localhost. We've tried adding http://localhost, plus any derivative of that URL (i.e. http://localhost:, http://localhost:*, etc.) to the Allowed Website list, but this does not help. Wondering if anyone else has encountered this issue.
6
2
1.3k
Aug ’23
TCC configuration (endpoint security extension) failing via MDM on Ventura
Hello there. We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under MacOS 12.x (Monterey) and earlier when provisioned via MDM. However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC. Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension. It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?
6
0
1.6k
Jul ’23
How to let Safari not show the per-site banner for app extensions on upgrade
Hi. From the video, Safari will pop up a banner for these enabled app extensions, which lets the user set per-site options, when upgrading to Safari 17 (macOS 14), such as the following: For enterprise, there are too many users installing app extensions. We want to set these via management tools. We have the following questions: For upgrading users, is there any way or tool to disable this banner or grant "ALLOW" for the user automatically, such as MDM tools? For fresh-install users, is there any way to grant per-site permission automatically via MDM tools or otherwise? Thanks. Best wishes, eric_wang_mac
0
0
633
Jul ’23
Sign In Policy For ManagedAppleID
Hi Apple Team, we are excited by the new updates introduced at WWDC23. In the session named "Do More With Managed Apple IDs", a sign-in policy is introduced for Managed Apple IDs with the options Any Device, Managed Devices Only and Supervised Devices Only. As an MDM vendor we need to support the GetToken CheckIn request in order to support the sign-in policies Managed Devices Only and Supervised Devices Only, and have some doubts regarding this. 1) When the policy is set to Managed Devices Only and we don't have DEP tokens registered with us by the customer, how could we generate the JWT signed token with the necessary serverUUID? 2) Even if I do have a DEP token, how could I choose the necessary serverUUID if the device has been managed by MDM through profile-based enrollment? Can you please provide an appropriate solution to overcome this?
0
0
585
Jul ’23
Federated authentication of Google Workspace with Apple Business Manager
Hi Team, I am testing federated authentication of Google Workspace with Apple Business Manager (ABM). After successfully configuring the Google Workspace domain in the ABM admin account and syncing it, we attempted to enroll a device using Automated Device Enrollment and log in with the Google Workspace account as the Managed Apple ID. However, during enrollment, the system asked to create a new user, even though the username was replicated from the Google account, and prompted to enter a new password. Could someone please explain why this is happening? We are aiming to enable a seamless login without user creation or password generation.
0
0
506
Jul ’23
How to make my bundle run when an agent system tries screen sharing or remote management, so that I can provide second step verification by using my custom bundle?
I'm a beginner in Swift. Ways I tried:

1. Tried adding a command-line tool DNC observer to call a function when any screen sharing notification triggers, but later came to know that screen sharing doesn’t give any notifications.

    import OSLog
    import Foundation

    os_log("TecMFA:: Starting screen sharing finder.")
    let dnc = DistributedNotificationCenter.default()
    dnc.addObserver(
        forName: .init("com.apple.screensharing.server"), // tried many notification names like com.apple.screensharing.curtain etc.
        object: nil,
        queue: .main
    ) { notification in
        os_log("TecMFA:: Started screen sharing daemon.")
    }
    dispatchMain()

2. Created a server using Vapor as follows:

    // routes.swift
    import Vapor

    func routes(_ app: Application) throws {
        // Define a route to handle POST requests to "/login"
        app.post("login") { req -> HTTPStatus in
            // Read the username and password from the request body
            guard let loginData = try? req.content.decode(LoginData.self) else {
                // Failed to parse request body or invalid data
                return .badRequest
            }
            let username = loginData.username
            let password = loginData.password
            print(username)
            print(password)
            // Do something with the username and password
            print("Received login request with username: \(username) and password: \(password)")
            // Return a success response
            return .ok
        }
    }

    // Define a struct to represent the request body data
    struct LoginData: Content {
        let username: String
        let password: String
    }

    // configure.swift
    import Vapor
    import Foundation

    func getLocalIPAddress() -> String? {
        let task = Process()
        task.launchPath = "/usr/sbin/ipconfig"
        task.arguments = ["getifaddr", "en0"] // Use "en0" for Wi-Fi, "en1" for Ethernet
        let pipe = Pipe()
        task.standardOutput = pipe
        task.launch()
        let data = pipe.fileHandleForReading.readDataToEndOfFile()
        let output = String(data: data, encoding: .utf8)?.trimmingCharacters(in: .whitespacesAndNewlines)
        return output
    }

    // Called before your application initializes.
    public func configure(_ app: Application) throws {
        // Register routes
        try routes(app)
        // Get the local IP address
        guard let localIPAddress = getLocalIPAddress() else {
            fatalError("Unable to get the local IP address.")
        }
        // Update the server configuration to bind to the local IP address and desired port
        app.http.server.configuration.hostname = localIPAddress
        app.http.server.configuration.port = 8080
    }

It didn't work with the same port numbers. I tried using different port numbers, but the request comes through port 5900, so 8080 cannot access it, so it didn't work either. Any corrections and suggestions are welcome.
3
1
440
Jul ’23
Clarification regarding Not Now Option in ABM enrollment using which user can skip ABM enrollment for 8 hours
During the "What’s new in managing Apple devices" session, you provided information about the "Not Now" option during Mac ABM Enrollment. We observed that this option was functional when enrolling a Mac through ABM using the "profiles renew -type enrollment" command. However, when attempting to enroll a Mac by erasing it through ABM, we couldn't find the "Not Now" option. Could you please confirm whether the "Not Now" option is intended to be available when enrolling a Mac by erasing it through ABM? Your clarification on this matter would be greatly appreciated.
0
0
571
Jul ’23
Unremovable MDM status question
I’m looking for a way to programmatically check whether the MDM profile installed on a managed Mac computer is removable or not. The PayloadRemovalDisallowed attribute, which can be verified via any of the following:

    system_profiler SPConfigurationProfileDataType
    sudo profiles show -type configuration
    sudo /usr/libexec/mdmclient QueryInstalledProfiles

to name a few, appears to be just as irrelevant for the MDM profile itself as it is for other payloads, since "as of macOS 10.15, users can never remove MDM profiles, not even the admin". The MDM profile very often has that attribute set to false (i.e. removal allowed) even if, thanks to ADE configuration, in practice the profile is not removable. The unremovable status is also nowhere to be found in either:

    sudo profiles status -t enrollment

or

    sudo /usr/libexec/mdmclient QuerySecurityInfo

A few migrations between MDMs ago, that my team has done for customers, I relied on the value of the key IsMDMUnremovable, which can be read from the /var/db/ConfigurationProfiles/Settings/.cloudConfigRecordFound file and also matches the output of sudo profiles show -t enrollment. Unfortunately, half-way through that one particular migration I learned the hard way that this record cannot be relied on, frankly, specifically in any migration scenario, as it does not represent the local profile attribute 🙄. There was a small percentage of devices that refreshed their enrollment record automatically prior to migration, but after reassignment, without anyone running profiles renew, and had an unremovable status reported even though the MDM profile installed at the time was actually still removable. As of now I haven’t yet found any other way to reliably verify that status for the currently installed MDM profile. The only definite solution that comes to my mind is looking for return code 101 when attempting to remove the MDM profile with profiles remove, but this is of no use for me in our migration solution. I need to verify that status long before attempting to remove the profile, while for computers with a removable profile such a method would wipe it immediately. With no other options left, I would very much appreciate help with identifying the proper method of verifying the unremovable status of the currently installed MDM profile via the command line. If not CLI, maybe it is possible using Swift? If so, maybe it would be possible via JXA then? If not, maybe Objective-C: a precompiled binary to do just this one check would still be better than no viable option at all 🤷‍♂️.
0
0
805
Jul ’23