Hello community we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events. Upon inspection of the log files, we found the following (but not on all machines): [com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)' and [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension for almost each event delivered. We are using XPC from the system extension to a non-priviliged daemon process to process file content. A feedback has already been filed: FB13174804 An additional code-level support was returnd woithout any explanation. Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errros. Any idea, whats going on here? Frank Fenn Sophos Inc.

We noticed that your app collects information about the user’s friends, contacts, or other third-party persons without the knowledge or consent of those parties. Specifically, the app allows users to enter an IMEI from an iOS device and obtain information. The App Store is designed to be a safe and trusted place for users to discover apps and apps on the App Store are held to a high standard for privacy, security, and content. Next Steps To resolve this issue, please remove any features that collect personal third-party user data from your app. i have a problem with that , but in my app I asked user accpect with Terms of Use & Privacy Policy for use onwer Serial or IMEI for main content ! but app review always Reject my project pls help me , tks a lot for erevyone have a nice day !

Hi there, I'm trying to do a raw signature but the SecKeyRawSign is deprecated, so I am wondering if there is any way to do it using SecKeyCreateSignature, and EC key and the kSecKeyAlgorithmECDSASignatureMessageX962SHA256 algo. I've noticed that this method applies a hash before signing the data, and I want to avoid that. Is that possible? If not, what other options do i have? Thanks in advance.

Hi, I have a query regarding the inclusion of the privacy manifest. Particularly, these SDKs are not maintained by their respective vendors or the community. Do we have any existing procedures or guidelines in place to tackle such scenarios? or is it possible to represent these SDKs from the app privacy manifest? Thanks.

Hello We have a react native iOS app and we are having issues with password autofill. We have read some documentation on "associated domains" but cant find anything specific to our issue. We don't currently have a website with login. Is that necessary to utilize password auto fill? Thanks for any help

Hello, is it possible to interact with a nearby device through Bluetooth LE, from the authorization plugin? Currently, I have: a plugin bundle, registered with the authorization mechanisms; a daemon that I have set up to contain all the business logic added the com.apple.security.device.bluetooth entitlement to the daemon package, to allow Bluetooth communication; registered the daemon through LaunchDaemons so that it is managed by launchd And I'm using XPC to communicate between the plugin and the daemon. When I send the request to the daemon to scan for peripherals, I get a TCC error: 0xd5a Error 0x23e5 161 0 tccd: [com.apple.TCC:access] Refusing TCCAccessRequest for service kTCCServiceBluetoothAlways from client Sub:{...} in background session The above error seems to suggest that I can't grant the bluetooth permission from the daemon itself, is there a recommended way to grant permissions before running it? And if granted, would I be able to utilize the framework successfully from the logon screen? Other options I have tried: Invoking the framework directly from the plugin, which failed. Probably because the Security agent process isn't entitled to communicate via Bluetooth and that it would require changing the host process entitlements plist, which I don't have access to? 🤔 Attempting to use a launch agent in lieu of a daemon, with proper entitlement, but that didn't work either. Probably because launch agents are loaded after the user has successfully logged in and I was invoking it before? 🤔 And lastly, I looked into the possibility of utilizing Privacy Preference MDM payload to grant access, but it seems like the MDM options do not include Bluetooth support. Is there any other way to accomplish this? Thank you!

Hello everybody. I have a pack of UI tests for the Biometrics authentication. And in the beginning of each test I need there to be no permissions for Biometrics (granted or denied). I found the resetAuthorizationStatus(for:) method that allows resetting everything except Biometrics :( Is there any way I can reset this permission without deleting the whole app in tearDown()?

hello, I want to use the latest addition in security i.e., passkeys across apple ecosystem. I have 2 iPhones (D1 and D2) I have created passkey from D1 for some RP (eg. walmart.com) D1 has a screen-lock using index-finger. The passkey is successfully stored in my iCloudKeyChain Now I go to D2 The screen-lock in D2 is made up of middle-finger. I configure my iCloudKeyChain on D2 using same apple-id If I want to bring the same passkey on D2 that I stored from D1 in iCloudKeyChain , am I required to provide screen unlock finger-print of D1 i.e., index-finger ?? Thanks.

I need to control and shield apps with a set period. For example, I need to set 20 minutes limit. And when I use the device more than 20 minutes in a row, than block all apps for some period (to have a rest for the eyes)

**We noticed that your app collects information from various public sources to build individual profiles, which is not appropriate for the App Store. Next Steps To resolve this issue, please remove any feature that attempts to build individual profiles based on collected public data. ** I do not understand what information that I collect from various public sources to build individual profiles My app takes the image from user and process it to extract facial features and compare other faces in the app database also the user can create an account if he wants to post a missing report and I ask to input the name and gender and date of birth and other information of missing person and all of this I explain in app review But I still face this replay what to do ?

A website visitor used iCloud Private Relay to send a hate crime email through our web form. What options do we have to prevent this from happening and/or to find out who this person is?

Hello, Let's imagine an application (Application A) which launch another application (Application B). These applications are bundle apps. What happens if Application B tries to read a file in current user's Documents folder ? TCC will check if the application is allowed to access to Documents folder. But will it check this right for application A or application B (or both ?) I have tried to run an application from Terminal. My terminal is authorized to access to Documents folder. And i am surprised because TCC did not asked me to allow the application itself. It seems TCC is looking for parent process rights. Can you confirm ? Thanks

Here's the scenario： I have two processes on my computer, named A and B. Both processes are monitored by the ESF, and both processes monitor the same ESF events, such as ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN. If processes A and B run at the same time, will event conflict occur? In ESF event processing, is there any way to achieve full event listening and keep cpu usage low

I have an iPhone with iOS 16.7.2, Microsoft Windows 11 23H2 and iCloud app for windows 14.2 and when I select option to turn on Advance Data Protection, it requested me to download iCloud for Windows latest version but there's not higher version that 14.2. I needed to delete profiles from my iPhone and then, I could activate data protection on but now, I can't access to iCloud app from Windows PC. Is there another way?

I have a question about the privacy manifest file (PrivacyInfo.xcprivacy). If the third party SDK used in our app is not updated (or the repository is read-only and not permanently updated), can we include the description for the third party SDK in the privacy manifest file of our app?

Hello, I have integrated Sign In with Apple into my Swift App. Now I'd like to add Sign In with Apple into my website. I followed the instructions at https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/configuring_your_webpage_for_sign_in_with_apple and resulted in an html page: <html> <head> <meta name="appleid-signin-client-id" content="colourworker.SPAD"> <meta name="appleid-signin-scope" content="name email"> <meta name="appleid-signin-redirect-uri" content="https://colourworker.com/apps/photofolia/applesignedin.html"> <meta name="appleid-signin-state" content="init"> <meta name="appleid-signin-nonce" content="NONCE"> <meta name="appleid-signin-use-popup" content="true"> </head> <body> <h1>Sign in with Apple</h1> <div id="appleid-signin" data-color="black" data-border="true" data-type="sign in"></div> <script type="text/javascript" src="https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js"></script> </head> </html> I have added https://colourworker.com/apps/photofolia/applesignedin.html to the list of Return URLs at https://developer.apple.com/account/resources/identifiers/serviceId/edit/ZSM7Q3SMVH. But when clicking on the Sign In With Apple button I get the following error: "invalid_request Invalid client id or web redirect url." Any ideas of what I'm doing wrong?

Hey, I am experiencing this bug where I ask the device activity report for data within a date range, in daily segments. the device report receives the truncated date range: some date 23:00 -> some other date 23:00. however the async data list returns date ranges of the sort: 22:00 -> 22:00 (of the next day). and sometimes it returns 22:00 -> 23:00 (of the same day), but then the data contained in that range is still relative to tne entire day since the total screen time is greater than an hour. I think that the way date intervals are treated by the device activity report extension contains bugs and is not consistent. Is anyone experiencing similar bugs?

The Endpoint Security provides the ES_EVENT_TYPE_AUTH_OPEN event, I can specify that the process intercepts the open specified file es_respond_flags_result(client, msg, 0x0, true);. However, WeChat (the chat app) intercepts the specified file the first time it is sent, and the second time it can be sent successfully, and the peer end can receive the file. I can confirm that es_respond_flags_result(client, msg, 0x0, true); is called. So, which auth event should I use? Thx!

We recently shipped option to sign up/in using passkeys. Everything was working as expected and we didn't have any issues with passing app store review process. Recently, when submitting new build with not passkey related updates, we got rejected due to the error, which apple reviewer faced during passkey creation. From our logs we can see that issue is about Associated Domains and webcredentials configuration: The operation couldn’t be completed. Application with identifier X is not associated with domain Y. The thing is that it is configured properly. AASA file is returned properly both from our server and from apple's CDN. Feature is 100% working on all our testing devices and we never got this error reported from any user. The only issue about that is received from reviewer device, which is iPad Air 5th generation on iOS 17.1.1 I was trying to reproduce the error in many ways, but I wasn't able to. Is it possible that the error is faced only by apple reviewers due to some specific environment setup they use? Or maybe TestFlight installs manage AASA files checking in some different way? I found something about that in one thread on apple developer forum: https://developer.apple.com/forums/thread/108339 but not sure if it can be related. Any help/guidance will be very appreciated, thanks!

It appears that for a successful registration of a passkey to a relying party using passkey autofill provider, the BE BS bits/flags in the attestation response need to be set to true. Please refer FLAGS byte of authData field part of attestationObject mentioned here - https://www.w3.org/TR/webauthn-2/#sctn-attestation. If those flags are set to false, the RP rejects saying - "The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-considerations-client." What are the implications of having those flags set to true? Does it make the generated passkey syncable across devices using same apple id? If yes, is there at all anyway possible by which a generated passkey can be made device bound, basically can be generated and used only on a single iPhone/iOS device? Also, is there a plan to ever make those flags to be set to false in a future iOS release? Also, what does it mean in the credential provider popup where it says - "Available where is installed." in the below screenshot?