I'm trying to create an "Extensible Enterprise SSO" extension as described in the Introducing Extensible Enterprise SSO tech talk.
My SSO extension works fine, but I want to be able to access the camera (via AVFoundation) from within the SSO extension.
According to this thread (which I can't seem to be able to reply to) - it should be possible to access the camera from within an SSO extension, however this doesn't work for me.
When I try to access the camera, I get the permission dialog, but after accepting, the camera preview is empty and no camera frames are produced.
I don't get any errors/warnings in the logs, but it immediately fires AVCaptureSession.wasInterruptedNotification notification with AVCaptureSessionInterruptionReasonKey = 1 which corresponds to videoDeviceNotAvailableInBackground.
However, the SSO extension view controller is clearly not in the background, so is this a bug - or are there special rules for requesting camera permission in an SSO extension? The same camera access works fine in the host app, just not inside the extension.
Interestingly, accessing the camera in a WKWebView using various webcam test pages, doesn't work either.
All of these tests have been on iPadOS 18.
Prioritize user privacy and data security in your app. Discuss best practices for data handling, user consent, and security measures to protect user information.
Post
Replies
Boosts
Views
Activity
When I tried to launch my application from non-gui process (from launch daemon) NSworkspace openApplicationAtURL failed if I tried to run it when my device on the login screen.
Everything is working if someone logged in, but on the login screen I have the error
The application “TestApp” could not be launched because a miscellaneous error occurred. with code 256
NSWorkspace* workspace = [NSWorkspace sharedWorkspace];
NSWorkspaceOpenConfiguration* config = [NSWorkspaceOpenConfiguration configuration];
config.createsNewApplicationInstance = YES;
config.activates = NO;
config.promptsUserIfNeeded = NO;
config.addsToRecentItems = NO;
[workspace openApplicationAtURL: appURL
configuration: config
completionHandler:^(NSRunningApplication *app, NSError *error)
{
}];
Sometimes after the third try it works, sometimes not at all.
I try to use "open" command, it works on MacOS Sequoia, but not working for operating systems below, I see this error
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600002998120 {Error Domain=OSLaunchdErrorDomain Code=125 "Domain does not support specified action" UserInfo={NSLocalizedFailureReason=Domain does not support specified action}}}
All these problems occur only on the login screen. I'm developing screen share utility, so I need somehow to launch my application on the login screen.
Could someone please help me understand what is recommended way to launch application on the login screen?
I would like to be able to reset an user password through some automated scripts, would need help regarding that.
Hi all,
I found an issue by chance where, when we copy an .app bundle (a large one), Gatekeeper can choose to try to scan the app before the file copying finishes (without the app having been launched). This of course fails, and then the app can't open because "it's damaged", even though spctl and codesign checks of the completed copied app come out fine. Then Gatekeeper remembers this setting forever, not rescanning the app.
I'm wondering if anyone else has seen this happen and if so, if there's a best practice for keeping Gatekeeper's hands off until the copy is done?
I imagine copying into a folder not named .app, then renaming it might work, or maybe saving the plist or main binary copy until last, although both require a more complex copy operation.
Maybe there's a more elegant way?
Thanks!
Hi,
I have a certificate, how can I display the certificate content in my Mac app just like Keychain Access app does. Can I popup the certificate content dialog just like Keychain Access app?
I try to send apdu command via smartcard with Cryptotokenkit on IOS application but got some error
in debug log
[smartcard] slot refused to allocate exclusive session for the card
"error domain=cryptotokenkit code=-2 "(null)""
for my code please see below code
// connect to the card
mngr?.getSlot(withName: slotName, reply: {
(slot:TKSmartCardSlot?) in
let card = slot?.makeSmartCard()
if card != nil {
// begin session
card?.beginSession{
( success:Bool,error:Error?) in
if success {
// Send 1st APDU
card?.send(ins: 0x84, p1: 0x00, p2: 0x00,le:8){
(data:Data?,sw:UInt16,error:Error?) in
if error != nil {
print("sendIns error:",error!)
}else{
print("Response:",data!,String(sw,radix: 16))
//String(format: "%02X", data! as CVarArg)
}
}
}else{
print("Session error:",error!)
}
}
}else{
print("No card found")
}
})
So i'm not sure what i do wrong on this
Hi Guys I try to use smart card reader with my ipad project and after trying to make init session with the card got error from cryptotokenkit
Message from debug log :
[smartcard] slot refused to allocate exclusive session for the card
"Session error: Error Domain=CryptoTokenKit Code=-2 "(null)""
// connect to the card
mngr?.getSlot(withName: slotName, reply: {
(slot:TKSmartCardSlot?) in
let card = slot?.makeSmartCard()
if card != nil {
// begin session
card?.beginSession{
( success:Bool,error:Error?) in
if success {
// Send 1st APDU
card?.send(ins: 0x84, p1: 0x00, p2: 0x00,le:8){
(data:Data?,sw:UInt16,error:Error?) in
if error != nil {
print("sendIns error:",error!)
}else{
print("Response:",data!,String(sw,radix: 16))
//String(format: "%02X", data! as CVarArg)
}
}
}else{
print("Session error:",error!)
}
}
}else{
print("No card found")
}
})
In the YouTube video
WWDC24: Meet AccessorySetupKit | Apple
two apps are demonstrated to showcase the functionality of AccessorySetupKit. Does anyone know where I can find the source code for these demo apps?
Firstly, I want to keep my GUI app available for download on the Mac App Store, which means I need to provide the Endpoint Security functionality in some other executable, such as a daemon.
I'm going to use a User Agent for user-aware background processing.
Instead of the typical use of adding an Endpoint Security system extension to a macOS app, could I instead add the sysex to my User Agent bundle?
I like the benefits of coupling the sysex to the client that will interact with it, and this would also allow me to not have to worry about managing a daemon. I could simply provide the User Agent in a downloadable installer signed with my Developer ID certificate.
Hi,
I’m currently working on an app that uses a third-party SDK to perform smart card authentication via PKCS#11 APIs. Specifically, the app interacts with the smart card to retrieve certificates, detect the card reader, and perform encryption and decryption operations on provided data.
I’m wondering if it's possible to replace the PKCS#11 APIs and the third-party SDK with Apple's CryptoTokenKit framework. Does CryptoTokenKit provide equivalent functionality for smart card authentication, certificate management, and encryption/decryption operations?
Additionally, I’ve come across the following CryptoTokenKit documentation:
CryptoTokenKit API - TKSmartCardSlotManager Could you provide an example code or any guidance on how to implement this functionality using CryptoTokenKit, particularly for interacting with smart cards, managing certificates, and performing cryptographic operations?
Thank you for your assistance.
I am working on a personal use app, to transcribe audio files. I have over 1000 Voice Memos of ideas for a dog training app and book, recorded while... walking dogs, of course.
I seem to not have the built in transcription option, either because Sonoma doesn't support it or my region doesn't, but I have learned a lot of Swift building an app that works great fort files in a folder in Documents.
I have also found the path to to all the Voice Memo recordings. But when I try to read the contents of the folder to build the queue for transcription I get The file “Recordings” couldn’t be opened because you don’t have permission to view it.
I expected this to be locked down, and some searching brought me to this and I have added Access User Selected Files (Read Only) = YES to the entitlements file, but I am not seeing where in the TARGETS editor I would assign com.apple.security.files.user-selected.read-only. If I add it as a key under info I don't get a popup to select, either in Xcode or when running the app. If I try to add that key to the entitlements file it doesn't allow for selection either.
I am sure I am just missing something in the documentation, likely as a result of being an Xcode & Swift noob. So, if I CAN do this and I am just missing something, can someone point the way? And if a folder inside another app is just verboten, manually copying those files to a documents folder for processing won't be the end of the world.
I am getting issue on my application that my device is jailbroken security message I updated my device 18.2 what the solution
Our product uses the “Sign in with Apple” feature, and now we need to transfer it to Apple. After reading the documentation, I still have questions and would like to get answers.
Q1:Transfer App: After the receiving team receives the App, is the unique identifier obtained by the client App program login the original one? Or is it newly generated? If it is newly generated, from what point in time will it be newly generated?
Q2:Transfer App: Is there any validity period for the transfer identifier? About how long? What will happen after the transfer identifier is expired?
Q3:When does the transfer identifier (transfer identifier) start to be generated, when the transfer request is initiated or when the transfer is completed, and when I get the transfer identifier, can I directly exchange it for the receiving team's unique identifier?
Looking forward to a reply, thanks!
Hello,
It seems that an App Store version App uses a default sandbox configuration. However, my app contains multiple binaries, and I would like to apply additional sandbox restrictions to a specific binary.
Is it possible to set different sandbox rules for different binaries within the same app?
Thank you for your help!
I have a sdk which reads and writes data to keychain everything works fine on local machine. But on testflight it can not read the data it previously wrote. every time app starts it tries to read but fails.
I have other apps they works fine with the same sdk and same code on testflight and local. There is keychain access groups in entitlement file. the reason is not entitlement file. Any ideas?
We get a "The application "Finder" does not have permission to open "(null)“" error message in macOS 15.1 when trying to open unsigned applications.
Is this a known bug in macOS 15.1 ? If so any indications of whether it will be fixed in the future.
In macOS 15.0.1 the workaround for launching unsigned applications still worked.
Hey,
There are two apps, App A and App B.
Both apps do not have Sign in with Apple configured currently, so there are no Sign in with Apple users to transfer. I want to configure this for both apps.
App A is on developer team A.
App B is on developer team B.
They are not on the same developer accounts.
It is my understanding that both accounts need to be on the same developer team/account to get the same unique identifiers (e.g. sub id and private relay email address) for privacy reasons.
Desired Behavior:
When a single user logs into either app A or app B with the newly exposed Sign in with Apple functionality, I need apple to return me the same unique identifiers (e.g. sub and email), so that I can uniquely identify the same user across app A and app B.
How can I do this without ANY customer impact.
I've encountered an issue with the keychain on macOS 15.0.1.
When an admin account changes the password for a non-admin local account, the system should prompt to unlock the login keychain at the next login, giving the user an opportunity to update the keychain password. However, when I attempted to change a local account password using an admin account through system configuration on macOS 15.0.1, the system did not show such a prompt. Instead, it directly created a new login keychain. In the keychain directory, I could see that the old keychain had been renamed to login_rename_X.keychain-db. Additionally, this operation caused the Touch ID and passwords saved in the keychain to be cleared.
Does anyone know how to handle this issue so that the local account is prompted to update the keychain password during login?
We recently transferred our app from one developer account to a new one, internally. We're trying to transfer our sign in with apple users, but have hit a snag on the first step.
I'm following the instructions here to "Obtain the user access token": https://developer.apple.com/documentation/sign_in_with_apple/transferring_your_apps_and_users_to_another_team
This is my request as created in postman:
curl --location 'https://appleid.apple.com/auth/token/'
--form 'grant_type="client_credentials"'
--form 'scope="user.migration"'
--form 'client_id="com.XXXXX"'
--form 'client_secret="XXXXX"'
No matter what I try, I always receive invalid_client.
I've uploaded example JWTs in FB15648650.
We noticed a change in the page Adding a privacy manifest to your app or third-party SDK that adds a deadline of November 12 past which invalid manifests will not be allowed in store submissions.
Does this mean we can no longer use old versions of third-party SDKs which lack a manifest? (The ones that were allowed because we had already shipped with them.)