I have a macOS app in production, supporting all macOS versions from 10.15 (Catalina) through Sequoia. One aspect of the app's functionality is to screen capture the entire screen, including all windows.
Starting with Sequoia, my users are receiving a scary system alert saying:
"SomeApp" is requesting to bypass the system private window picker and directly access your screen and audio. This will allow SomeApp to record your screen and system audio, including personal or sensitive information that may be visible or audible.
I have several questions and concerns about this alert. First of all, as a developer, this is frustrating, as I am using documented, long-standing system APIs, and made no change to my code to cause this warning. Second, nothing in my app records audio in any fashion, and yet the user is made to think I am trying to furtively bypass security controls to record audio, which is absolutely false. The alert seems to be due to the screen capture feature, which is one of the main features of the app, which the user explicitly requests and grants permission for.
But to get to the point of the question: is there any definitive documentation anywhere describing exactly which APIs trigger this alert? I can't find first-party information from Apple, so I'm kind of guessing in the dark.
Searching the internet for all the info I can find (mostly from blog posts of developers and beta-testers), it seemed like the culprit in my code was probably a call to CGWindowListCreateImage, so I spent some time forking the code paths in my app (since I still support back to 10.15) to use the more modern ScreenCaptureKit APIs on systems that support it. But the alert is still appearing, despite not calling into that API at all.
Is there a way of calling the modern ScreenCaptureKit APIs that also triggers this alert? As an example, I'm using a snippet like this to get the shareable displays I need:

import ScreenCaptureKit

do {
    // Enumerate all shareable content, including desktop and off-screen windows
    try await SCShareableContent.excludingDesktopWindows(
        false,
        onScreenWindowsOnly: false
    )
    return true
} catch {
    return false
}

Is it possible that this code is triggering the alert because I'm not excluding desktop windows and am asking for all windows?
To sum up, I (and I'm guessing others) could really use some definitive guidelines on exactly which APIs trigger this alert, so that we can migrate and avoid them if possible. Can anyone provide any guidance on this? Thanks in advance!
We have been using the LAContext's evaluation policy for the past couple of years without any major issues. However, since last week (September 26), we have seen a spike in error events, indicating:
{
    "NSDebugDescription": "Caller is not running foreground.",
    "NSLocalizedDescription": "User interaction required."
}
We haven't made any code changes in the last couple of months. Is there any update regarding local authentication from Apple's side?
I have developed an Endpoint Security system extension that will be installed in a container app.
I utilize XPC to send messages from the container app to the ES client, and it functions properly. However, when I attempt to send messages from the ES client to the container app, it always displays an error: "Couldn't communicate with a helper application."
I have removed the sandbox capability of the container app and also employed the same app group for both the ES client and the container app. When an XPC client is connected, I use the following code in the ES client to establish two-way communication.
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    // Interface and object this ES client exposes to the container app
    newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCProtocol)];
    NXFileGuardXPCService *xpcService = [NXFileGuardXPCService sharedInstance];
    newConnection.exportedObject = xpcService;

    // Interface implemented by the container app client (used as the remote interface)
    newConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(NXFileGuardXPCClientProtocol)];
    [newConnection activate];

    // Keep the connection so the ES client can call back into the container app later
    self.containerAPPConnection = newConnection;
    return YES;
}
But it always fails. How can I deal with this error?
Is it possible for two Apple devices to have serial numbers that are consecutive or differ by only one character?
I see that all of my passwords have moved from both the login and iCloud keychains to the Passwords app.
The API that worked, SecItemCopyMatching, now returns -25300, i.e. not found.
What's the API to access passwords in Sequoia?
Hi all, I am in the process of preparing for an app transfer, and have Sign in with Apple enabled. I have read the documentation thoroughly and multiple times, yet there are a few things I'd like to have confirmation about before taking the leap and risking that some users might experience issues.
If I understand correctly, after the migration if a user performs a sign-in with Apple, they will send an access_token that differs from the one they were sending when the app was assigned to the old team. In case I didn't take any action that means that my system would think this was a new user given the access_token has never been seen before, and therefore it will create a new user. Is that correct?
Ok, so if that assumption is correct, I'd like to have a confirmation also of the way I intend to fix this, since we're doing an internal transfer and the database is going to be the same.
I would get a TransferID for all users in my database that have used Sign in with Apple (I have already done that for one of my test users, successfully).
After that, I will start the transfer, and accept it from the other team.
Once that is done, I will call the migrationinfo endpoint from the other team, getting all the new access_tokens related to the transfer ids.
With that information, I will update my database, adding a relation from the new access token from team B that points to the same user as the access token that was given by team A, and I know which one it is because of the TransferID.
Does that make sense? Would it work? I'm not a fan of messing with the login logic (having a look at transfer_ids, looking for matches, and so on), especially because there doesn't seem to be a way to test this.
I believe the only risk is that a user might log in after the app has been transferred but before I can upload the new access token to the database, but we can handle these (few, hopefully even zero) cases via ticketing.
These are the resources I have read so far:
https://developer.apple.com/documentation/technotes/tn3159-migrating-sign-in-with-apple-users-for-an-app-transfer#Preparing-to-migrate-users-for-an-app-transfer
https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team#3546291
https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team
My last question is: how can I test this before going live? Do I really have to just implement changes/update the DB and then go live, hoping that it will all work? Can't I do some sandbox transfer or anything like that? Even just creating like a "clone" of my app and transferring this one would be a huge boost for the confidence of this big leap. Thanks in advance.
When tapping on "password" in the accessory view above the keyboard, no password manager is opened. The keyboard just closes and re-opens.
I have made sure a password exists and is available to be used.
I have replicated this within my own app, but also from within the Settings app on the simulator (see attached gif) so I am confident it is not a coding issue on my side.
I have replicated it on both iOS 17 and iOS 18.
I am using Xcode Version 16.0 (16A242d).
I am running macOS Sonoma Version 14.7 (23H124).
I am fairly confident I have not experienced this when working on another client's app. I was using Xcode 15 for that, so I'm not sure if this is something introduced with Xcode 16.
When I call performAutoFillAssistedRequests, my keyboard cannot show passkeys to choose from, and there is no callback. I don't know the reason for the error, but I can request successfully with authController.performRequests.
Hi,
I did MFA (2FA) with email OTP for the macOS login screen using an Authorization Plugin, based on a GitHub project. It is working for the login screen. I'm trying to add the same plugin for the lock screen, but it is not working there. Below is the reference thread for the issue:
https://developer.apple.com/forums/thread/127614
Please share the code that should present the NSWindow at the screen saver (lock screen) on macOS.
Hello,
I'll describe an issue I just reported as FB15286954, hoping to see your thoughts on it / what might've gone wrong.
Earlier today, I created an account for a website on my iPhone running the release version of iOS 18.0 using Safari, then added 2FA via the Passwords app. I logged in, checked that it works, then closed Safari and did something else (not much on my phone). In the meantime the phone shut down due to low battery.
When I charged it again and opened the Passwords app, I came to find that the verification codes for this website were gone…
What could've gone wrong? I was prompted by the website to save a code to check that 2FA was properly configured, so I think I saved it properly in the app (by the way, the password was still there, properly saved). I assume there was a syncing error between iCloud and my iPhone due to low battery?
Is there any way to recover the verification codes? I'll try to reclaim the account through the website's support channels, but I'm wondering if I could still retrieve it somehow.
I installed the Charles certificate on my iPad running iOS 18.
Previously, after installing a certificate on an older iOS version, the user automatically got a trust option in Certificate Trust Settings.
Now there is no option to trust any certificate.
I'm currently exploring Apple's Auth-Plugin extension and have modified the authdb to log in to a Mac device without using the default login password.
Specifically, I am replacing builtin:authenticate,privileged with a custom privileged mechanism that authenticates the user and grants desktop access based on our custom logic.
However, this approach does not unlock the user's Keychain. Since I'm bypassing the login password, the Keychain remains locked. I'm considering whether a certificate-based persistent token could be used to unlock the Keychain.
Is this approach recommended, or is there a more suitable solution, such as using CryptoTokenKit or another available API?
I would like to ask how to resolve the issue in iOS 18 where installed root certificates or self-created certificates do not appear in the Certificate Trust Settings (Enable Full Trust for Root Certificates) list. I tried downloading a certificate from Apple’s official site (https://www.apple.com/certificateauthority/), but it also did not show up in the list for me to enable. Has anyone else encountered a similar problem? Thank you!
Hello,
I am using the prf extension for passkeys that is available since iOS 18 and macOS 15.
I am using a fixed, hardcoded prf input when creating or getting the credentials.
After creating a passkey, I try to get the credentials and retrieve the prf output, which works great, but I am getting different prf outputs for the same credential and same prf input in the following scenarios:
Logging in directly (platform authenticator) on my MacBook/iPhone/iPad, I get "prf output X" consistently across the 3 devices.
When I use my iPhone/iPad to scan the QR code on my MacBook (cross-platform authenticator), I get "prf output Y" consistently with both my iPad and iPhone.
Is this intended? Is there a way to get deterministic prf output for both platform and cross-platform authenticator attachments while using the same credential and prf input?
We are using performRequestsWithOptions to enable passkeys in our iOS app.
[authController performRequestsWithOptions:ASAuthorizationControllerRequestOptionPreferImmediatelyAvailableCredentials];
Based on the Apple doc, this "Tells the authorization controller to prefer credentials that are immediately available on the local device.", and fails silently if there are no credentials available.
However, in recent testing, we identified that on one device we are seeing a QR code popping up even though there's no credential on the device. Questions:
Is this a bug in the OS?
If this is a bug, what are the causes that will trigger this condition?
Is there a recommendation to mitigate the issue? Should we move to the new API?
Thank you.
Hi team,
I'm trying to test Face ID enrollment via the simulator. I have injected the command in the driver.executeScript option, and I have noticed in the logs that the enrollment has changed:
coreauthd: (DaemonUtils) [com.apple.LocalAuthentication:Server,Biometry] BK notification received: com.apple.BiometricKit.enrollmentChanged
In further logs I noticed that BiometricSupport.framework is missing from the Xcode file locations. Log for your reference:
"lstat of /Library/Developer/CoreSimulator/Volumes/iOS_21F79/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS 17.5.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/BiometricSupport.framework/Info.plist failed: No such file or directory"
Any thoughts on the missing library?
I have tried Face ID and "Authorize Apple Pay" in the UI as well, and I don't see any action triggered. I later identified this, but I'm not sure whether it is because of the biometric framework missing from the Xcode folder.
Hi,
First of all I want to state that I've read and re-read these 3 links and I think they don't explain or solve my question below:
Transferring your apps and users to another team
Bringing new apps and users into your team
TN3159
So I have to transfer one of my apps that uses "Sign in with Apple" from one App Store account to another one. I also want to migrate any user with an open session so that no sessions are lost.
I also have a clear idea on how to generate transfer ids and also how to retrieve new credentials (sub and email) for the migrated users.
So what's my question then? Well let's imagine I have a transfer id for each and every user, and also want to initiate the app transfer process:
What happens with a user who was authenticated using Sign in with Apple, during that period of time in which the app has finished transferring but the users haven't been migrated yet? Are the old account credentials still valid? (Maybe during that 60-day period time?)
Once I have migrated the app but haven't yet migrated users, can I safely migrate one user to test and validate the process; or is there any way to test it in a sandbox-like environment?
Now I execute a script that generates new credentials (sub and email) for every user with a transfer id; and update these values in my backend database: Do I have to do anything else? Do I need to perform this request from the app client even when I have updated my servers information already?
Is there any other remaining detail or tip to perform a smooth user migration?
Thanks,
Hi, I am able to fetch the challenge from the server and then successfully generate the AttestationObject. When I send the AttestationObject to the AttestationResult API along with ClientJsonData and CredentialsID, as well as a few more params, the server-side implementation is somehow unable to proceed with registration (the server side is unable to validate the AttestationObject). We are getting this response from the server side: "errorMessage":"FID024E The system couldn't find the attestation request."
Can you please help us process the AttestationObject and successfully register a user?
My device has passkeys enabled in the Settings app. When I call performAutoFillAssistedRequests, the callback reports ASAuthorizationError(rawValue: 1001). At the same time, authController.performRequests can request successfully.