Hi, First of all I want to state that I've read and re-read these 3 links and I think they don't explain or solve my question below: Transferring your apps and users to another team Bringing new apps and users into your team TN3159 So I have to transfer one of my apps that uses "Sign in with " from one AppStore account to another one. I also want to migrate any user with an open session so that no sessions are lost. I also have a clear idea on how to generate transfer ids and also how to retrieve new credentials (sub and email) for the migrated users. So what's my question then? Well let's imagine I have a transfer id for each and every user, and also want to initiate the app transfer process: What happens with a user who was authenticated using Sign in with Apple, during that period of time in which the app has finished transferring but the users haven't been migrated yet? Are the old account credentials still valid? (Maybe during that 60-day period time?) Once I have migrated the app but haven't yet migrated users, can I safely migrate one user to test and validate the process; or is there any way to test it in a sandbox-like environment? Now I execute a script that generates new credentials (sub and email) for every user with a transfer id; and update these values in my backend database: Do I have to do anything else? Do I need to perform this request from the app client even when I have updated my servers information already? Is there any other remaining detail or tip to perform a smooth user migration? Thanks,

Hi, I am able to fetch the challenge form server and then successfully generate the AttestationObject. When I am sending the AttestationObject to AttestationResult API along with ClientJsonData and CredentialsID as well as few more params. The server side implementation is somehow unable to proceed for registration (Server side unable to validate the AttestationObject). We are getting response from server side "errorMessage":"FID024E The system couldn't find the attestation request." Can you please help us to proceed AttestationObject and how we can successfully register a user?

My device has open passkeys , in setting app. when I performAutoFillAssistedRequests,callback performRequests ASAuthorizationError(rawValue: 1001)".at same time,authController.performRequests could request successfully

My device has open passkeys , in setting app. when I performAutoFillAssistedRequests,callback performRequests ASAuthorizationError(rawValue: 1001)".at same time,authController.performRequests could request successfully

After upgrade mac os , then authorizationdb will be reset. I attempt to execute the following command was unsuccessful % security authorizationdb write com.apple.trust-settings.admin allow NO (-60005)

Hello everyone, We have a SDK in which we use keychain to store some data. The customers who integrate our SDK in their app are able to delete our data by using SecItemDelete on kSecClass. Is their any way we can protect the SDK's data from getting delete by the host app or use something only accessible to SDK only ? Thanks

Hi Team, In previous macOS version, We were using this link to open system extension permission page programmatically for our swift app. x-apple.systempreferences:com.apple.preference.security?General In macos 15 (Sequoia), this pane is moved to system settings-> general->login Items and extensions->end point security extensions which is a modal/popup. Can you please share what should be link to open exact this popup for asking permissions.It appears when you click on i button against end point security extensions Based on apple script I could find following link but it opens login item & extensions pane, I want the next popup as above screenshot. "x-apple.systempreferences:com.apple.LoginItems-Settings.extension?extensionItems™

NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “domain” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, Xcode: 15.4 simulator iOS version: 17.5 in Info.plist I have this NSAppTransportSecurity NSAllowsArbitraryLoads Note: The server certificate valid.

NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFNetworkCFStreamSSLErrorOriginalValue=-9807, kCFStreamPropertySSLPeerCertificates=(     "<cert(0x10b811400) s: api.gevernova.com i: GE External Issuing CA 202409200901>",     "<cert(0x10b811c00) s: GE External Issuing CA 202409200901 i: GE External Intermediate CA 2.1>",     "<cert(0x10b832e00) s: GE External Intermediate CA 2.1 i: GE External Root CA 2.1>" ), _kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x600003308d20>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “domain” which could put your confidential information at risk., _kCFStreamErrorDomainKey=3, Xcode: 15.4 simulator iOS version: 17.5 in Info.plist I have this NSAppTransportSecurity NSAllowsArbitraryLoads Note: The server certificate valid.

I'm encountering an issue after upgrading to macOS Sequoia when trying to import a PKCS12 certificate. The following code, which worked fine on previous macOS versions, now returns an error code -25293 (errSecAuthFailed): NSDictionary *options = @{(__bridge id)kSecImportExportPassphrase: @""}; CFArrayRef items = NULL; OSStatus status = SecPKCS12Import((__bridge CFDataRef)pkcs12Data, (__bridge CFDictionaryRef)options, &amp;items); The same build, using the same certificate and import process, works perfectly on earlier versions of macOS. Has anyone else experienced this issue or found a workaround for certificate imports on macOS Sequoia?

I have been facing an issue with my face ID and i am not able to change anything because i have turned on the Stolen Device Protection. What is reason behind not working Face ID? and How can i resolve it?

Hi everyone, I am trying to implement 'Sign-in with Apple' to my website using nextauth verion 4.24.5 on next.js version 14.2.7. I set up the Apple ID and generated the Apple secret. The Apple ID is set to the service ID. Whenever I try and sign in on the site using Apple, (after submitting my username and password on the redirected appleid.com page), nextauth returns this error: [next-auth][error][OAUTH_CALLBACK_ERROR] https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet { error: TypeError: id_token not present in TokenSet { name: 'OAuthCallbackError', code: undefined }, providerId: 'apple', message: 'id_token not present in TokenSet' } This occurs even after specifying openid in the scope, setting the checks to pkce, setting the checks to state, setting idToken to true, and other changes to the config. I have used the AppleProvider from nextauth and my own custom provider and got the same result. The nextauth GoogleProvider works just fine so I know nextauth is set up properly. Do you know how I can fix this? my apple nextauth apple provider config: const customAppleProvider = { id: "apple", name: "Apple", type: "oauth", wellKnown: "https://appleid.apple.com/.well-known/openid-configuration", authorization: { params: { scope: "name email openid", response_mode: "form_post" }, }, state: true, checks: ["pkce"], idToken: true, clientId: process.env.APPLE_ID, clientSecret: process.env.APPLE_SECRET, profile(profile) { return { id: profile.sub, name: profile.name, email: profile.email, image: null, } }, };

I exported the pkcs12 file which contains the Apple Distribution Certificate with the Private Key on macOS 14 Sonoma with no password. I was able to import the same on different macOS 14 Sonoma machines as follows: security import \ apple-distribution-hrk.p12 \ -k /Users/hrk/Library/Keychains/non-default.keychain-db \ -f pkcs12 \ -P "" \ -A But when upgraded to macOS 15 Sequoia, running the above command gives me the following error: security: SecKeychainItemImport: The user name or passphrase you entered is not correct. Workaround: I didn't have the Private Key of the original macOS 14 Sonoma from which the pkcs12 file was exported. So, I had to create the new Certificate by uploading the Certificate Signing Request, download the .cer file, import it, and then export the pkcs12 file with some password. Then I was able to import the pkcs12 file with the password. Question Can somebody point to the official documentation that refers to this Breaking Change? Or is this the bug in macOS 15 Sequoia?

We have a developer-id application which includes a LaunchAgent, couple of LaunchDaemon and a system extension. We want to store our secure data in keychain that can read by any of our processes or at least by LaunchDaemons. We would also prefer for our data to not be visible to users, not be accessible to other processes and we did not want to use system keychain because of our prior experience where one of our app data on update corrupted the system keychain for one customer. Therefore, we have decided to create our own keychain file and store our data there. However, we noticed that SecKeychainCreate and related file based keychain APIs are deprecated. This led me to below threads: https://developer.apple.com/forums/thread/685546 https://developer.apple.com/forums/thread/712875 https://developer.apple.com/forums/thread/696431 And now I am confused. It is suggested that we should use data protection based keychain because file based keychains are on path to deprecation. However, it is also noted that data protection keychains do not work with LaunchDaemons. So which keychain is the right choice for our requirements? Also, One tricky aspect of this is that the SecItem API supports both keychain implementations I do not see any option to use file based keychain using SecItem API. How can I create a new keychain file at a given path and add data in it using SecItem APIs? Can someone please elaborate on this with example?

I have implemented basic Sign in with Apple functionality to my app. When the app is launched, the user will be presented with a Continue with Apple view, where they can authenticate. Once signed in, they will return to a view that reads "Hello, [User's Name]". However, I cannot seem to figure out why the email and name return nil after authentication. For example, when authentication is successful, the HelloView simply reads "Hello, " with no name. I have it setup so that the users name and email are saved to AppStorage variables, and then inserted into a Profile class with SwiftData. import AuthenticationServices import SwiftData import SwiftUI struct ContentView: View { @Environment(\.colorScheme) var colorScheme @Environment(\.modelContext) var modelContext @AppStorage("email") var email: String = "" @AppStorage("firstName") var firstName: String = "" @AppStorage("lastName") var lastName: String = "" @AppStorage("userID") var userID: String = "" @Query var userProfile: [Profile] private var isSignedIn: Bool { !userID.isEmpty } var body: some View { VStack { if !isSignedIn { SignInView() } else { HomeView() } } } } struct SignInView: View { @Environment(\.colorScheme) var colorScheme @Environment(\.modelContext) var modelContext @AppStorage("email") var email: String = "" @AppStorage("firstName") var firstName: String = "" @AppStorage("lastName") var lastName: String = "" @AppStorage("userID") var userID: String = "" @Query var userProfile: [Profile] var body: some View { NavigationStack { Spacer() SignInWithAppleButton(.continue) { request in request.requestedScopes = [.email, .fullName] } onCompletion: { result in switch result { case .success(let auth): switch auth.credential { case let credential as ASAuthorizationAppleIDCredential: // User ID let userID = credential.user // User Info let email = credential.email print(email!) let firstName = credential.fullName?.givenName print(firstName!) let lastName = credential.fullName?.familyName print(lastName!) self.email = email ?? "" self.userID = userID self.firstName = firstName ?? "" self.lastName = lastName ?? "" createProfile() default: break } case .failure(let error): print("Error signing in with Apple: \(error.localizedDescription)") } } .signInWithAppleButtonStyle(colorScheme == .dark ? .white : .black) .frame(height: 50) .padding() .cornerRadius(12) .navigationTitle("[App Name]") } } func createProfile() { let newProfile = Profile(firstName: firstName, lastName: lastName, email: email, userID: userID) modelContext.insert(newProfile) } } This is how I have my HomeView setup: import SwiftData import SwiftUI struct HomeView: View { @Environment(\.modelContext) var modelContext @Query var user: [Profile] var body: some View { ForEach(user) { user in Text("Hello, \(user.firstName)") } } } #Preview { HomeView() } And here's the Profile class: import Foundation import SwiftData @Model class Profile { var firstName: String var lastName: String var email: String var userID: String init(firstName: String, lastName: String, email: String, userID: String) { self.firstName = firstName self.lastName = lastName self.email = email self.userID = userID } }

Hi everyone, I’m developing an game with in-app purchases, designed for a a mixed audience(could be used by kids under 13). I understand that Apple’s Family Sharing has built-in consent mechanisms, like “Ask to Buy,” which helps manage purchases for kids. However, I’m unsure how to handle cases where Family Sharing is not set up or is disabled. Key Concerns: Kids Without Family Sharing: It’s possible for kids to have Apple IDs that are not part of Family Sharing, either because the feature is disabled, set up incorrectly, or the child is using an independent account due to an incorrect birthdate. This raises questions about whether relying solely on Apple’s built-in protections is sufficient. Is It Enough to Rely on Apple’s Systems?: Apple’s systems do a great job of managing consent when Family Sharing is in place, but I’m concerned about compliance in cases where kids are not covered by these protections. I want to ensure that my app remains compliant with COPPA and other relevant regulations, especially for users not covered by Family Sharing, without adding unnecessary layers for those who are correctly set up. Looking forward to your insights and recommendations! Thanks in advance!

I am successfully generating apple_sso_session_url by using apple clientId, which is opening apple login window and asking for email and password and after that it is calling my redirectSuccessUrl and passing code to redirectSuccessUrl. I am successfully using that code and other params of apple like keyId, key(p8 file path) and team id by using those params I am able to successfully generate apple client secret export const generateClientSecret = (): string => { const privateKey = fs.readFileSync(process.env.APPLE_PRIVATE_KEY_PATH as string, 'utf8'); const claims = { iss: process.env.APPLE_TEAM_ID, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + 15777000, // 6 months aud: 'appstoreconnect-v1', sub: process.env.APPLE_CLIENT_ID, }; return jwt.sign(claims, privateKey, { algorithm: 'ES256', keyid: process.env.APPLE_KEY_ID, }); }; after that using same clientId, redirectUrl and apple_client_secret when i am calling apple api for getting token we are getting error invalid_client. const clientSecret = generateClientSecret(); const response = await axios.post('https://appleid.apple.com/auth/token', null, { params: { client_id: process.env.APPLE_CLIENT_ID, client_secret: clientSecret, code: body.code, grant_type: 'authorization_code', redirect_uri: process.env.APPLE_SSO_REDIRECT_URL, }, headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, });

I'm using the SwiftUI .fileImporter() modifier to present a file open panel to the user, and then I access the returned file URL using String(contentsOf:encoding:). Then I get an error, "The file “order_history.csv” couldn’t be opened because you don’t have permission to view it." The thing is, my app (recently created in Xcode 16.1 beta from macOS template) has the User Selected File entitlement set to "Read Only." It should allow reading such a file, should it not?

Hi Team, I am trying to explore ESF events specifically generated by cloudsync extensions built on File Provider framework. Brief: I have high-level understanding of how various cloud vendors have provided their extensions to sync data from cloud/remote storage to local filesystem (and vice-versa). e.g.iCloudDriveFileProvider (icloud), DFSFileProviderExtension (google drive). There are 2 ESF AUTH events for file provider I can see namely: ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE , ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE. and respectively their NOTIFY events. Observation: Observed that these events are generally triggered by fileproviderd process during download scenario i.e. syncing files from cloud/remote storage to local file system. i.e. 'materialize' for new file creation and 'update' for updating existing file. Question/Problem: Is there a correct way to find which cloud provider has triggered this download event? i.e. weather it is iCloudDriveFileProvider or DFSFileProviderExtension (there is this instigator field in Materialize event struct, but could not find similar for Update event. Are there similar ESF events for upload scenario? (I have fair understanding of how file-to-upload is copied to temp location and then uploaded by respective extensions to remote storage, but then they work with original files clone created in their temp location, so the AUTH events generated by this extension will wont reveal the original file name even if I am able to get the Fileprovider name) To Summarize: Basically I am looking for ESF event that will be triggered during upload scenario that can also let me know original file name as well the cloudprovider extension process name. As of now 'fileproviderd' process name is obtained from filesystem ESF events like AUTH_OPEN etc.

Hello Apple We have been facing lot of SSL issues when we are connecting to iOS devices with OS 17.5.1, 7.6.1 and 18. Need more clarification on the latest parameters to be used on the server side like -&gt; TLS Version and Cipher Suites Please do update us on the above. Error message-&gt; "An SSL error has occurred and a secure connection to the server cannot be made."