In the WWDC 2021 session Mitigate fraud with App Attest and DeviceCheck it is said that:
App Attest is supported on devices that have a Secure Enclave, but there are cases, such as app extensions, where isSupported will still return false.
The documentation shows that the following Macs have a Secure Enclave:
- MacBook Pro computers with Touch Bar (2016 and 2017) that contain the Apple T1 Chip
- Intel-based Mac computers that contain the Apple T2 Security Chip
- Mac computers with Apple silicon
I'm using a 2018 15" MacBook Pro containing a T2 Security Chip for testing, however, DCAppAttestService.shared.isSupported always returns false in native macOS or Catalyst apps. DCDevice.current.isSupported also returns false.
The documentation for DCAppAttestService shows availability on "macOS 11.0+" and "Mac Catalyst 14.0+". It appears to have been added in the macOS 11.3 SDK included in Xcode 12.5. DCDevice shows availability on "macOS 10.15+" and "Mac Catalyst 13.0+". Although both APIs are available on the listed OSes, I only ever see isSupported == false.
Are App Attest or DeviceCheck functional on any Macs? If so:
- Are there more specific Macs that support the feature (e.g., Apple Silicon Macs only)?
- Are there any additional steps that need to be taken to use them (e.g., changes to entitlements, provisioning profiles or distribution through the Mac App Store)?
- In native macOS apps, it doesn't actually appear to be possible to add the App Attest capability in Xcode under "Signing & Capabilities".
If not, I think it would be good to update the documentation with this limitation since I'd expect them to work based on the availability being "macOS 10.15+" or "macOS 11.0+" for DeviceCheck and App Attest, respectively. I imagine most others would make the same assumptions.