Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.

Post

Replies

Boosts

Views

Activity

[Device Check]Get SSL connection timeout when connect https://api.devicecheck.apple.com
Our service is using the Apple Device Check API to prevent fraud from happening. https://developer.apple.com/documentation/devicecheck/accessing-and-modifying-per-device-data But an SSL connection timeout has been happening since June 1st.

    /app $ curl --connect-timeout 5 -v https://api.devicecheck.apple.com
    Trying 17.33.193.105:443...
    Connected to api.devicecheck.apple.com (17.33.193.105) port 443 (#0)
    ALPN, offering h2
    ALPN, offering http/1.1
    successfully set certificate verify locations:
    CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    TLSv1.3 (OUT), TLS handshake, Client hello (1):
    SSL connection timeout
    Closing connection 0
    curl: (28) SSL connection timeout

Does Apple add access limitations for specific IPs?
1
0
158
4w
How to grant command line tools full disk access
Hello all, I'm looking for clarification on the functionality of Full Disk Access (FDA) in macOS. To illustrate my case, consider the following simple example program:

    #include <stdio.h>
    #include <string.h>
    #include <errno.h>

    int main(void) {
        const char *filePath = "/Library/Preferences/com.apple.TimeMachine.plist";

        // Try to open the file
        FILE *file = fopen(filePath, "r");
        if (file == NULL) {
            // If there is an error opening the file, print the error and exit
            printf("Error opening file %s: %s\n", filePath, strerror(errno));
            return 1;
        }
        fclose(file);

        // If we reached here, the file was successfully opened
        printf("File %s opened successfully\n", filePath);
        return 0;
    }

When this program is built and executed in Terminal.app with Terminal having FDA, the file opens successfully. Conversely, when FDA is revoked from Terminal and granted to the program, an error occurs due to insufficient privileges.

Interestingly, building and executing the program within Xcode, without Xcode having FDA, but granting FDA to the resulting binary (either debug or release), allows the file to open successfully. Which is what I would expect for the above case as well. Running the same binary (with FDA enabled), which runs successfully within Xcode, in Terminal yields an error message.

So, I have the following questions based on these observations:

- Why does the program access the file successfully when run from within Xcode, despite Xcode lacking FDA?
- Why does the program fail to access the file when run from Terminal without FDA, even though the program itself has FDA?
- What is the precise relationship between a parent process and its child process concerning FDA?

These tests were conducted on macOS 14.5 with Xcode 15.4. Thanks in advance!
6
0
366
3w
Some questions of custom domain and email verification
Hello, I have some questions. I need to use Sign in with Apple with the private email relay service. Last week, Apple Login suddenly didn't work on the web, and when I checked my Service IDs on the Apple developer page, I got this message:

Depending on your product, you may need to configure multiple components for Sign in with Apple – From registering domains for Web Authentication to providing email sources to communicate with your users through the Private Email Relay service.

I registered my domain and email on Configure Sign in with Apple for Email Communication. I use AWS Route53 and AWS SES (Simple Email Service). This is my DNS record of DKIM, SPF, MX:

● DKIM record : sig1._domainkey.metapocket.io value : sig1.dkim.example.com.at.icloudmailadmin.com.
● SPF value : "v=spf1 include:icloud.com ~all"
● MX value > 10 mx02.mail.icloud.com 10 mx01.mail.icloud.com

Is something wrong with my DNS configuration? I registered 5 days ago, but the status is failed now. And how long does verification take? My web service is in error now.
0
0
144
3w
DANGEROUS BUG User Data is getting randomly deleted
Quote from Vlobe42 (/thread/751689):

This is an email I have sent to Apple with no luck:

Dear Apple Developer Support Team,

I am writing to seek urgent assistance with a persistent issue I have been encountering with Xcode. For several months now, every time I connect my iPhone to Xcode for development purposes, it automatically overwrites the user data of my apps with an old, seemingly random container. This issue is severely impacting my ability to continue development, as I cannot test new changes effectively.

This has been occurring for a few months in every iOS and Xcode/macOS version. I tried it with different apps and devices. Sometimes the entire container (Documents) gets read-only access so no new data can be created or changed by the user. I frequently used the replace container feature in Xcode, so maybe this has something to do with it.

This problem persists despite numerous attempts to resolve it on my end. I am at a critical point in my development timeline, and it is crucial for me to resolve this as soon as possible. Could you please advise on the next steps I should take to address this issue? If there are any logs or further information you require, I am more than willing to provide them.

Thank you for your attention to this matter. I look forward to your prompt response and hope for a resolution soon.

Best regards, Victor Lobe
1
0
275
Jun ’24
How to get permissions to Motion & Fitness
I am trying to access the CMAltimeter class, and I keep getting the error Domain=CMErrorDomain Code=105. I know that indicates my app does not have permissions for motion and fitness. All the documentation I can find mentions the need to add NSMotionUsageDescription to Info.plist. However, I have done that, and it does not help. I am using Xcode 15.

It seems that whenever I go to look up how to get permissions to something, the information on the web seems to be outdated, and Apple seems to move stuff around. I have found I can add the entry to Info.plist by using the Info.plist editor and selecting "Privacy - Motion Usage Description", but that does not help. I also notice that when I go to the Info tab on my build target, there is a "Privacy - Motion Usage Description" there also. If I add the entry there, it takes it out of my Info.plist, and makes an entry in the project's project.pbxproj file named INFOPLIST_KEY_NSMotionUsageDescription. Regardless of which of those I use, I still get the 105 error.

I'm sure I'm missing something more, but I can't find it anywhere. There was mention of a "Health and Fitness" in the signing capabilities, but I could not find anything listed there in Xcode 15.
3
0
247
4w
iOS VPN Issue -Disconnecting VPN from Packet Tunnel Network Extension Causes Loss of Internet Connectivity
Feedback Ticket: FB13812251

Problem Statement: We are currently facing internet connectivity issue with our VPN application where we try to disconnect the VPN from the Packet Tunnel Network Extension using - (void)cancelTunnelWithError:(nullable NSError *)error. Which API to use to disconnect the VPN from Packet Tunnel as VPN app is not running such that device retains its internet connectivity as soon as VPN disconnects.

Configuration: We have configured PacketTunnelProvider with the following settings:

    (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.includeAllNetworks = YES;
    (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.excludeLocalNetworks = NO;
    (NETunnelProviderManager *)tunnelProvider.protocolConfiguration.enforceRoutes = NO;

These settings are applied from the VPN app and allow us to successfully establish a VPN connection, with all traffic being routed through the tunnel as expected. We are setting above properties to address local net attack.

Issue we are facing: However, we encounter a problem when we attempt to disconnect the VPN from. When we call the following method from PacketTunnel network extension:

    - (void)cancelTunnelWithError:(nullable NSError *)error

Upon calling this method, the VPN disconnects as expected, but the device loses all internet connectivity and is unable to access any resources. This is not the desired behavior.

Observation : Interestingly, when we call the following method from the app side. The VPN disconnects and the device retains its internet connectivity.

    [enabledConfig.connection stopVPNTunnel];

We would like to achieve the same behavior when disconnecting the VPN from the Network Extension. So we are looking for an API that could be called from NE without causing any internet connectivity issue. Any guidance on how to resolve this issue would be greatly appreciated.
2
0
220
Jun ’24
Invalid binary when submitting a build to appstore connect
When I send a build in Xcode the process occurs normally, but a few minutes later I receive an e-mail saying: "ITMS-90683: Missing purpose string in Info.plist - Your app’s code references one or more APIs that access sensitive user data, or the app has one or more entitlements that permit such access. The Info.plist file for the “***.app” bundle should contain a NSMicrophoneUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you’re using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required." So the problem is the description of the use of the microphone, right? As the attached image shows that I have already done this process, and I continue to receive this error. Even when I remove the part of the avfoundation code that uses the microphone to try to submit the build, the error continues to be returned to me
1
0
237
Jun ’24
Library Validation failing intermittently for sudo plugin
Our product includes a sudo plugin so we can apply user-defined policies to manage privileged access to command line programs. We’ve been getting reports where the plugin sometimes doesn't get invoked and the sudo command falls back to its default behavior. This seems to only be happening intermittently, but when the issue does occur, this message appears in the Console:

    Library Validation failed: Rejecting '/usr/local/libexec/sudo/<our_plugin>.so' (Team ID: <OURTEAMID>, platform: no) for process 'sudo(<pid>)' (Team ID: N/A, platform: yes), reason: mapping process is a platform binary, but mapped file is not

I recall a previous discussion of this message (that I can’t locate now), which explained that although the host process has library validation disabled, the code flow raises an error anyway, so that the host process can detect it and bypass the validation to load the plugin. It looks like that's what sudo is doing: it has the private entitlement com.apple.private.security.clear-library-validation and makes the appropriate system call when the plugin initially fails to load [1] — but apparently this isn't working reliably for our sudo plugin.

We’ve observed that restarting the Mac generally resolves the issue, at least for a while. This resembles the “classic symptom of a code signing oddity” where the signature is cached and the Mach-O image is rewritten rather than replaced (as documented in Updating Mac Software). But our software uses an Installer package for updates as well as initial installation, and the Installer is documented as not having this issue, so I believe the problem lies somewhere else.

I’m running out of ideas; are there any other avenues I should investigate? Thanks for any help.

[1] This is described in an article called "About com.apple.private.security.clear-library-validation"; I can't link to it directly from the developer forums, but it can easily be found by searching for the title.
4
0
325
May ’24
MacOS sandbox file permissions
I am creating a new macOS application that requires access to files outside of the sandbox. It needs to be docked in a silent state and packaged using the Electron Builder application. I have configured the relevant permissions as com.apple.security.memory-exception.files.absolute path.read-only, It can be accessed normally in the local version of mas dev. The configuration parameters are as follows:

    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/Volumes/NO NAME/</string>
        <string>/Volumes/NO NAME 1/</string>
        <string>/Volumes/NO NAME 2/</string>
    </array>

But during the review period of the app store, some people said it was not of legal value. The following is the original statement:

Your application is not properly sandboxed, or it contains one or more rights with invalid values. Before resubmitting the new binary file, please review the included rights and sandbox documentation and resolve this issue. com.apple.security.temporary-exception.files.absolute-path.read-only True

If there is a com.apple.security.memory-exception.files.absolute path.read-only authorization, will the app store accept it? What do I need to do to access it?
3
0
432
May ’24
Using Passkeys on Apple sites
I have two AppleID's. I use one with my Apple Developer account and the other is my primary AppleID that I mainly use for everything else. In the past, I have used them on separate MacBooks, but I am now trying to consolidate everything onto one MacBook. I have created a Passkey for my Apple.com store account and that works well. However, when I try to log into an Apple developer related site (e.g. developer.apple.com), it initially offers to use my personal Passkey with an option to use a different AppleID. When I select "use a different AppleID" and select my developer AppleID, it only allows me to log in with a password or with a QR code using a Passkey on a different device. Is it possible to set up a Passkey for my Apple developer account on the same MacBook that already has a passkey set up for my Apple store account? If so, what is the process to create it? If it helps, both of my AppleID's are members of the same Family. Thanks.
2
0
325
Jun ’24
Using Passkeys on Apple.com
I have two AppleID's. I use one with my Apple developer account and the other is my primary AppleID that I mainly use for everything else. In the past, I have used them on separate MacBooks, but I am now trying to consolidate everything onto one MacBook. I have created a Passkey for my Apple.com store account and that works well. However, when I try to log into an Apple developer related site (e.g. developer.apple.com), it initially offers to use my personal Passkey with an option to use a different AppleID. When I select "use a different AppleID" and select my developer AppleID, it only offers to allow me to log in with a password or with a QR code using a Passkey on a different device. Is it possible to set up a Passkey for my Apple developer account on the same MacBook that already has a Passkey set up for my Apple Store account? If so, what is the process to create it? If it helps, both of my AppleID's are members of the same Family. Thanks.
0
0
247
Jun ’24
Clarification on Passkeys Display in iOS 16
Hello, I run a website that's using FIDO for user logins. A lot of our users set up their device-bound passkeys back when they were on iOS 15. Now that they're moving to iOS 16, I'm trying to figure out what happens with those passkeys. Here's my question: When these users upgrade to iOS 16 and start using other devices, how does iOS handle their existing passkeys? Do they see both the old device-bound and the new synced passkeys in the UI, or does it somehow merge them? This might not be an issue in the latest iOS 17, but I'm interested in knowing if it could occur in earlier versions like iOS 16. I'm aiming to make this transition to synced passkeys as smooth as possible for my users and just want to make sure I understand the UX changes that come with iOS 16. Thanks!
2
0
279
May ’24
iOS 17.5.1 Update NSMotionUsageDescription issue
When the user updates the system to 17.5.1, our application crashes, and when debugging with Xcode, it is found that NSMotionUsageDescription permission is required. This confuses us because we do not have access to this API.

Searching for APIs: executing grep -r CMMotionActivityManager under the application folder returns no records.

Non-iOS 17.5.1: no relevant reports available.

How can we delve deeper into which API is causing it?
1
0
436
May ’24
MacOS sandbox file permissions
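We are creating a new macOS application that needs to access files outside of the sandbox. It needs to be docked in a silent state and packaged using the Electron Builder application. I have configured the relevant permission as com.apple.security.memory-exception.files.absolute path.read-only, and it can be accessed normally in the local mas dev version. The configuration parameters are as follows: com.apple.security.temporary-exception.files.absolute-path.read-only /Volumes/NO NAME/ /Volumes/NO NAME 1/ <string>/Volumes/NO NAME 2/</string> </array> But during App Store review, someone said it was not a legal value. The original statement is as follows: Your app is not properly sandboxed, or it contains one or more entitlements with invalid values. Before resubmitting a new binary, please review the included entitlements and sandbox documentation and resolve this issue. com.apple.security.temporary-exception.files.absolute-path.read-only True If a com.apple.security.memory-exception.files.absolute path.read-only entitlement is present, will the App Store accept it? What do I need to do to get access?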
1
0
310
May ’24
AppAuth: can I force my client to use client_secret_jwt?
Hi, Any AppAuth users here? I have implemented generic support for OpenID Connect using the AppAuth framework for my apps. I have used the easy way of fetching the configuration document from the IDP and letting that control the connection. Now I have an IDP that says that we must use client_secret_jwt, and they will not allow anything else. But in the config document they list all available auth methods like this: "token_endpoint_auth_methods_supported" = ( "client_secret_basic", "client_secret_jwt", "client_secret_post", "private_key_jwt") So my client uses client_secret_basic and later gets rejected, since I've not used the req auth method. The reason is that they want to phase out the use of _basic and _post, but they have some legacy system they must support. I haven't found anything documented about the logic behind what auth method AppAuth uses, but my guess is it starts at the top of the list and uses the first one suggested? Is there a way for me to force AppAuth to only use client_secret_jwt regardless of what the config document says? If anyone knows a better forum to ask this, please let me know!
0
0
190
May ’24
Best container for automated download & running of installer .pkg
(Skippable) Backstory: I have an app that customers initially install by: Going to our website in a browser, downloading a (notarized) disk image, mounting it, opening the (Developer ID-signed) installer package therein, and following the prompts to completion.

Once installed, this app has a button you can click that will check for updates and possibly install them. When you click this button:

1. Our app contacts an HTTPS API on our servers to see if there is an update
2. If there is an update, the API responds with a download URL to the aforementioned notarized disk image, and the SHA-512 hash of the disk image
3. Our app downloads the disk image, and verifies the SHA-512 hash of the download
4. Our app mounts the DMG
5. Our app uses /usr/sbin/pkgutil --check-signature (although I do hope to switch to SecStaticCodeCheckValidity() in the future) to verify that the OS thinks that the installer package is properly signed, and also that the organization unit on the leaf certificate for the code signing key used to sign the installer is exactly equal to our Apple Team ID
6. Our app uses /usr/sbin/installer -package ... -volinfo to verify that the installer package thinks it can install onto the host
7. Our app uses /usr/sbin/installer -package ... -target / to install the software update

For 98%+ of our users, this update process works great. For a tiny portion of users, we're seeing that hdiutil reports that it failed to attach the disk image. For the even tinier portion of users from whom we have obtained debug logs, one of the errors we've seen is "not recognized"; however, I don't know if that's the most common error, due to the small sample size.

Before I get much further, I think it's prudent to acknowledge that the above system we're using today is pushing a decade old now, and it's probably wise to verify the foundations. So...

For a Developer-ID-signed macOS app that is distributed outside the Mac App Store using an installer package, what is the "best" container/packaging system for an automated system to obtain and consume the installer package with the goal of a user-initiated self-update? For example:

- Notarized disk image (and failures to attach the image need to be bug reports to Apple)
- Just the installer package (If I understand correctly, this is bad because it bypasses the automatic propagation (normally performed by macOS) of the DMG's notary ticket to the pkg, right?)
- Something else?

Secondly, what are some common developer mistakes to avoid? For example, these come to mind:

- When saving the DMG to disk, explicitly enable quarantine on the DMG, so that macOS runs appropriate security checks as intended (is this correct?)
- When running the installer package, do not use low-level tools (like cp) to copy the pkg out of the DMG, because macOS won't be able to automatically find the notary ticket when the pkg is installed (is this correct?)
- Anything else?

Additional context: We currently support macOS 10.13+, but we will soon support only macOS 10.15+. Thank you!
7
0
481
May ’24
Trigger permission dialog for file access from kind of user supplied path.
I have the following situation:

- My SwiftUI App for macOS is using App Sandbox and is currently configured for read/write access for all the locations selectable in Xcode
- I have added a file selector using a button and NSOpenPanel() to let the user select a folder containing a database file, to which I successfully get permissions using URL.bookmarkData() and URL.startAccessingSecurityScopedResource()
- I then try to read file paths from the database file and open those but I instantly get a permission error without a permission dialog/prompt appearing
- In my test I am using paths to files in my iCloud Drive folder
- I added all file/folder related usage string entries to the Info.plist for testing

I think this is weird, since I can paste one of those file:// URLs from the database into a (non-Safari) browser and it shows the native permission dialog/prompt before downloading the file as expected. Is there any usage string that's not shown in the Info.plist dropdown in Xcode that I need to add to my app in order for this to work?
3
0
388
May ’24
what is 'The verified email domains associated with your Apple Developer Program account must match domains for the submitting company or partnered financial institution'
We got this very confusing reply from Apple review:

Hello, Thank you for additional information. Regarding Guideline 3.2.1(viii) - Business - Other Business Model Issues - Acceptable Your app provides loan services but does not meet all the requirements for apps providing these services. See below for additional information. These requirements give App Store users confidence that apps offering financial services are qualified to provide these services and will responsibly manage their data. Next Steps It would be appropriate to make the following changes to comply with the App Store requirements: The verified email domains associated with your Apple Developer Program account must match domains for the submitting company or partnered financial institution. We look forward to reviewing your resubmitted app. Best regards, App Review

But our company name is Worldmox Business, S.A.P.I. de C.V., SOFOM, E.N.R. Our official website is https://www.worldmoxbusiness.tech and the domain we are using is worldmoxbusiness.tech. Under "user and access" we only have one user, whose domain is also worldmoxbusiness.tech. In our app description, all the mail addresses we used are under the domain name worldmoxbusiness.tech.

So I'm very confused about what "verified email domains" is and what "match" is. The Apple Review Team wouldn't answer any of my questions; what they did is give me lots of policy URLs in which it is impossible to locate useful information. Why is submitting an app on App Store Connect so hard?
2
0
296
May ’24