Explore the core architecture of the operating system, including the kernel, memory management, and process scheduling.

Posts under Core OS subtopic

Post

Replies

Boosts

Views

Activity

Monitoring Network Traffic and Socket Events: Coordinating Network and Endpoint Security Extensions
We have a Network Extension system extension implementing NEFilterPacketProvider to inspect all incoming and outgoing network traffic. We also want to monitor socket-level events such as connect(), bind(), and similar, by leveraging the Endpoint Security framework. Does this require developing a separate system extension for Endpoint Security? Additionally, what is the recommended approach for sharing context and data between the Network Extension and the Endpoint Security extensions?
1
0
56
Jun ’25
Kernel panic using Vagrant synced folders via NFS beginning with macOS 15.4
We are seeing a kernel panic in nfsd when using vagrant synced folders. The issue started with macOS 15.4 and still occurs with macOS 15.5. It’s 100% reproducible when bringing up a new vagrant environment. The kernel panic does not occur when using smb instead of nfs. https://developer.hashicorp.com/vagrant/docs/synced-folders/nfs Other people have reported a similar issue when using nfs with Docker. https://github.com/docker/for-mac/issues/7664 I filed this under FB17853906. I spoke with an engineer at the Apps & Services WWDC lab and they recommended I post here to make sure the bug gets looked at and routed to the correct team.
1
2
187
Jun ’25
Unable to check for update on iOS 26
Hi and help needed! I updated my iPhone 16 Pro Max to iOS 26. When I go to the software update section, the beta developer tab is gone, and it says "Unable to check for update". I reset my network settings and restarted the device. No change. Any help would be appreciated.
11
6
419
Jun ’25
Files Provider Extension Domain:Process mapping
Hi, we have a non-replicated Files Provider extension on iOS that creates multiple domains. I've noticed that iOS typically creates one process per domain, so I would assume that each process is meant to handle one domain. However, in practice, it seems that calls for any domain can occur in any process. I'm wondering whether there is supposed to be a mapping, implying there might be something wrong with the code, or whether we shouldn't make assumptions about domain:process mapping. Thanks for any info you can provide.
2
0
76
Jun ’25
com.apple.vm.device-access
I have an app that needs to seize USB devices, in particular it needs the USBInterfaceOpenSeize call to succeed. I've got a provisioning profile with this entitlement, I've added this plus this entitlement to my app but the USBInterfaceOpenSeize still fails. Am I correct in thinking this is the correct/only entitlement I need for this? If so how do I check if I'm using the profile/entitlements correctly? The call succeeds if I run the application as root which makes me think it's a permissions issue. Thanks.
4
0
98
Jun ’25
isBridged & uniqueIdentifiersForBridgedAccessories not set for bridged matter accessories and the respective bridge device
Since macOS 15.5 and iOS 18.5, bridged Matter devices have isBridged set to false and the respective bridge device has an empty uniqueIdentifiersForBridgedAccessories list. Before these updates both were set as expected. I also noticed that the bridged Matter devices include all endpoints for all bridged devices, not only the ones for themselves.
3
0
90
Jun ’25
Crash observed on brought app to foreground with exit reason (namespace: 3 code: 0x2) - OS_REASON_CODESIGNING
Crash observed on brought app to foreground with exit reason (namespace: 3 code: 0x2) - OS_REASON_CODESIGNING

The app was idle and then the user brought an application to the foreground; the crash was observed during the app transition.

    2025-04-23 19:16:26.795985 +0530 launchd exited with exit reason (namespace: 3 code: 0x2) - OS_REASON_CODESIGNING, ran for 1801880ms default

    Exception Type: EXC_BAD_ACCESS (SIGKILL)
    Exception Subtype: KERN_PROTECTION_FAILURE at 0x0000006d6f632e74
    Exception Codes: 0x0000000000000002, 0x0000006d6f632e74
    VM Region Info: 0x6d6f632e74 is in 0x1000000000-0x7000000000; bytes after start: 401300729460 bytes before end: 11016130955
          REGION TYPE                  START - END             [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
          commpage (reserved)          fc0000000-1000000000    [  1.0G] ---/--- SM=NUL  reserved VM address space (unallocated)
    --->  GPU Carveout (reserved)      1000000000-7000000000   [384.0G] ---/--- SM=NUL  reserved VM address space (unallocated)
          UNUSED SPACE AT END
    Termination Reason: CODESIGNING 2 Invalid Page

Attached the crash stack file and sysdiagnose file here: https://feedbackassistant.apple.com/feedback/17723296
1
0
80
Jun ’25
Cocoa error on M4 Sequoia in x64 AVX code
One of our x64 AVX code tests fails when run on ARM. The test results say:

    -------------------------------------------------------------------------------
    AVX Stacking, Entropy
      One image
    -------------------------------------------------------------------------------
    /Users/amonra/.vs/DSS/DeepSkyStackerTest/AvxStackingTest.cpp:381
    ...............................................................................

    /Users/amonra/.vs/DSS/DeepSkyStackerTest/AvxStackingTest.cpp:416: FAILED:
      REQUIRE( avxEntropy.getRedEntropyLayer()[10] == 1.0f )
    with expansion:
      0.99993f == 1.0f

The test code:

    TEST_CASE("AVX Stacking, Entropy", "[AVX][Stacking][Entropy]")
    {
        SECTION("One image")
        {
            constexpr int W = 61;
            constexpr int H = 37;
            typedef float T;

            DSSRect rect(0, 0, W, H); // left, top, right, bottom

            std::shared_ptr<CMemoryBitmap> pTempBitmap = std::make_shared<CGrayBitmapT<T>>();
            REQUIRE(pTempBitmap->Init(W, H) == true);
            std::shared_ptr<CMemoryBitmap> pBitmap = std::make_shared<CGrayBitmapT<T>>();
            REQUIRE(pBitmap->Init(W, H) == true);

            // Fill the input bitmap with a constant value.
            auto* pGray = dynamic_cast<CGrayBitmapT<T>*>(pBitmap.get());
            for (int i = 0; i < W * H; ++i)
                pGray->m_vPixels[i] = 100.0f;

            std::shared_ptr<CMemoryBitmap> pEntropyCoverage = std::make_shared<CGrayBitmapT<float>>();
            REQUIRE(pEntropyCoverage->Init(W, H) == true);

            TestEntropyInfo entropyInfo;
            entropyInfo.Init(pTempBitmap, 10, nullptr);
            AvxEntropy avxEntropy(*pTempBitmap, entropyInfo, pEntropyCoverage.get());

            CPixelTransform pixTransform;
            CTaskInfo taskInfo; // Determines if method is ENTROPY or not.
            taskInfo.SetMethod(MBP_ENTROPYAVERAGE, 2, 5);
            CBackgroundCalibration backgroundCalib;
            backgroundCalib.SetMode(BCM_NONE, BCI_LINEAR, RBCM_MAXIMUM);

            AvxStacking avxStacking(0, H, *pBitmap, *pTempBitmap, rect, avxEntropy);
            REQUIRE(avxStacking.stack(pixTransform, taskInfo, backgroundCalib, std::shared_ptr<CMemoryBitmap>{}, 1) == 0);

            for (int i = 0; i < 10; ++i)
                REQUIRE(avxEntropy.getRedEntropyLayer()[i] == Approx(1.0f).epsilon(1e-4f));
            REQUIRE(avxEntropy.getRedEntropyLayer()[10] == 1.0f);
        }
    }

The test passes when run on x64 hardware. The full code for the AvxStacking class is a bit large to post inline. Sadly the attach file option won't let me attach cpp files.

D.
3
0
58
Jun ’25
Get iOS app memory and CPU usage in TestFlight
I want to get iOS app memory and CPU usage in TestFlight by some APIs, but I'm not sure if these APIs are available on TestFlight. Can someone help me? Methods:

    // Memory: returns the physical footprint of the current task in bytes.
    static func currentUsage() -> UInt64? {
        let availableMemory = os_proc_available_memory()
        print("Available memory: \(availableMemory / 1024 / 1024) MB")
        let physicalMemory = ProcessInfo.processInfo.physicalMemory
        print("Physical memory: \(physicalMemory / 1024 / 1024) MB")
        var info = task_vm_info_data_t()
        var count = mach_msg_type_number_t(MemoryLayout<task_vm_info>.size / MemoryLayout<integer_t>.size)
        let result = withUnsafeMutablePointer(to: &info) {
            $0.withMemoryRebound(to: integer_t.self, capacity: Int(count)) {
                task_info(mach_task_self_, task_flavor_t(TASK_VM_INFO), $0, &count)
            }
        }
        guard result == KERN_SUCCESS else { return nil }
        return info.phys_footprint
    }

    // CPU: sums user and system time over all non-idle threads of the current task.
    static func currentUsage(since lastSampleTime: CFAbsoluteTime) -> Double? {
        var threadList: thread_act_array_t?
        var threadCount = mach_msg_type_number_t(0)
        guard task_threads(mach_task_self_, &threadList, &threadCount) == KERN_SUCCESS,
              let threadList = threadList else {
            return nil
        }
        // Release the thread list returned by task_threads.
        defer {
            vm_deallocate(mach_task_self_, vm_address_t(bitPattern: threadList), vm_size_t(threadCount * UInt32(MemoryLayout<thread_act_t>.size)))
        }
        var totalUserTime: Double = 0
        var totalSystemTime: Double = 0
        for i in 0..<Int(threadCount) {
            var threadInfo = thread_basic_info()
            var count = mach_msg_type_number_t(THREAD_INFO_MAX)
            let result = withUnsafeMutablePointer(to: &threadInfo) {
                $0.withMemoryRebound(to: integer_t.self, capacity: Int(count)) {
                    thread_info(threadList[i], thread_flavor_t(THREAD_BASIC_INFO), $0, &count)
                }
            }
            guard result == KERN_SUCCESS else { continue }
            if threadInfo.flags & TH_FLAGS_IDLE == 0 {
                totalUserTime += Double(threadInfo.user_time.seconds) + Double(threadInfo.user_time.microseconds) / 1_000_000.0
                totalSystemTime += Double(threadInfo.system_time.seconds) + Double(threadInfo.system_time.microseconds) / 1_000_000.0
            }
        }
        let totalCPUTime = totalUserTime + totalSystemTime
        let timeInterval = CFAbsoluteTimeGetCurrent() - lastSampleTime
        let cpuCount = Double(ProcessInfo.processInfo.activeProcessorCount)
        return totalCPUTime / timeInterval * 100.0 / cpuCount
    }
1
0
41
Jun ’25
How to create file system snapshots with fs_snapshot_create?
The online documentation for fs_snapshot_create, which is on a website which apparently I'm not allowed to link to on this forum, mentions that some entitlement is necessary, but doesn't specify which one. Searching online I found someone mentioning com.apple.developer.vfs.snapshot, but when adding this to my entitlement file and building my Xcode project, I get the error Provisioning profile "Mac Team Provisioning Profile: com.example.myApp" doesn't include the com.apple.developer.vfs.snapshot entitlement. Searching some more online, I found someone mentioning that one has to request this entitlement from DTS. Is this true? I couldn't find any official documentation. I actually want to make a snapshot of a user-selected directory so that my app can sync it to another volume while avoiding that the user makes changes during the sync process that would make the copy inconsistent. Would fs_snapshot_create be faster than traversing the chosen directory and creating clones of each nested file with filecopy and the flag COPYFILE_CLONE? Although I have the impression that only fs_snapshot_create could make a truly consistent snapshot.
13
0
132
Jun ’25
IOBluetoothHandsFreeDevice API confusion
I wonder how one would use IOBluetoothHandsFree APIs to interact from macOS app with a bluetooth device that implements bluetooth hands free profile. My current observation is as follows:

IOBluetoothDevice object representing the device correctly identifies it as a hands free device, i.e.: there is a proper record in services array, that matches the kBluetoothSDPUUID16ServiceClassHandsFree uuid, the IOBluetoothDevice handsFreeDevice property returns 1

Attempt to create IOBluetoothHandsFreeDevice using IOBluetoothDevice as described above (i.e. [[IOBluetoothHandsFreeDevice alloc] initWithDevice: myIOBluetoothDeviceThatHasHandsFreeDevicePropertySetTo1 delegate: self]) results in the following output in debugger console:

    SRS-XB20 is not a hands free device but trying anyways.

Subsequent call to connect on an object constructed as above results in the following stream of messages:

    API MISUSE: <CBClassicPeer: 0x1442447b0 6D801974-5457-9ECE-0A9B-8343EC4F60AA, SRS-XB20, connected, Paired, b8:d5:0b:03:62:70, devType: 19, PID: 0x1582, VID: 0x0039> Invalid RFCOMM CID
    -[IOBluetoothRFCOMMChannel setupRFCOMMChannelForDevice] No channel <IOBluetoothRFCOMMChannel: 0x600003e5de00 SRS-XB20, b8-d5-0b-03-62-70, CID: 0, UUID: 110F >
    AddInstanceForFactory: No factory registered for id <CFUUID 0x600000b5e3e0> F8BB1C28-BAE8-11D6-9C31-00039315CD46
    -[IOBluetoothRFCOMMChannel setupRFCOMMChannelForDevice] No channel <IOBluetoothRFCOMMChannel: 0x600003e5de00 SRS-XB20, b8-d5-0b-03-62-70, CID: 0, UUID: 110F >
    API MISUSE: <CBClassicPeer: 0x1442447b0 6D801974-5457-9ECE-0A9B-8343EC4F60AA, SRS-XB20, connected, Paired, b8:d5:0b:03:62:70, devType: 19, PID: 0x1582, VID: 0x0039> Invalid RFCOMM CID

Note that this device's handsFreeServiceRecord looks as follows:

    ServiceName: Hands-free unit
    RFCOMM ChannelID: 1
    Attributes: {
        0 = "uint32(65539)";
        256 = "string(Hands-free unit)";
        9 = "{ { uuid32(00 00 11 1e), uint32(262) } }";
        785 = "uint32(63)";
        1 = "uuid32(00 00 11 1e)";
        6 = "{ uint32(25966), uint32(106), uint32(256) }";
        4 = "{ { uuid32(00 00 01 00) }, { uuid32(00 00 00 03), uint32(1) } }";
    }

and explicit attempt to open RFCOMM channel no 1 ends like this:

    WARNING: Unknown error: 911 Failed to open RFCOMM channel
    -[IOBluetoothRFCOMMChannel setupRFCOMMChannelForDevice] No channel <IOBluetoothRFCOMMChannel: 0x6000002036c0 SRS-XB20, b8-d5-0b-03-62-70, CID: 1, UUID: 111E >
    AddInstanceForFactory: No factory registered for id <CFUUID 0x600003719260> F8BB1C28-BAE8-11D6-9C31-00039315CD46
    -[IOBluetoothRFCOMMChannel waitforChanneOpen] CID:1 - timed out waiting to open
    -[IOBluetoothDevice openRFCOMMChannelSync:withChannelID:delegate:] CID:1 error -536870212
    call returned: -536870212
0
0
71
Jun ’25
Is it mandatory to return NSProgress before calling completionHandler in fetchPartialContentsForItemWithIdentifier
In the FileProvider framework, most of the functions (such as fetchPartialContentsForItemWithIdentifier, fetchContentsForItemWithIdentifier etc.) are expected to return an NSProgress object. In a case where an error is encountered before the function returns the NSProgress object, is it allowed to invoke the completionHandler with an error prior to returning the NSProgress object to the File Provider framework?
1
0
38
Jun ’25
File Provider Extension Sandbox Prevents Shared Library from having write access to temporary storage or App Group.
I'm not sure if I have found a bug with iOS or if it's just unexpected behavior with my implementation. I have a gomobile library that sets up a local HTTP server. It needs to be able to write to temporary storage. If I use the shared library from my main app's process it can write to the FileManager.default temporary storage. While Xcode is running a debug session I can use that same process from my file provider replicated extension and it works fine. However, I realized that when running my file provider extension where it starts the gomobile shared library directly instead of first from my app, the library fails to write anything to the file provider manager default temporary storage or the file provider manager for my file provider domain temporary storage or even the app group library. It is odd, because I have a Swift URL extension that confirms the temporary storage can be written to from Swift. I have monitored console logs for fileproviderd and my file extension, and have tried writing data to a log file. Nothing seems to catch exactly what causes the file provider extension to crash and restart. I also cannot keep the shared gomobile server running in the background on iOS even if I were to force the user to "authenticate" with the main app first. I'm pretty sure the file provider extension needs to run the gomobile library for it to work right. I'm wondering if something may be wrong with the iOS sandbox that could be preventing the file provider extension from letting a C-based gomobile shared library access the temporary storage. Any guidance for further things to try would be greatly appreciated. I have tried every avenue I can think of. I cannot run just the appex itself on either my M4 Pro MacBook or my iPhone, so attaching the debugger has been tricky and I don't see much in the way of useful logs in the Console app either, just a swarm of noise. I'm fairly confident it's an issue with writing to temporary storage from the gomobile C library and not much else.
App was working great on macOS designed for iPad, which just seemed rather ironic that an iOS code base runs better on macOS than it was able to on my iPhone 16 Pro Max. Like, I'm all for the sandbox; I just wish it didn't treat C-level gomobile libraries differently than it treats the Swift code itself.
1
0
129
Jun ’25
Launch Daemon wait for external disk to mount
I've searched around the internet and could not find a clear answer. I have a Swift command line tool that needs to run automatically when the Mac mini M4 is started up without a user login and continue running forever. However, the command line tool and the data it uses are located on an external disk due to the size of the data. The service specified by a launchd plist located in /Library/LaunchDaemons tries to start up but fails because it cannot immediately find the command line tool. Which is because the external disk is not mounted when launchd tries to start the service when the Mac is booting. The service runs fine when bootstrapped after the disk is mounted. The first error is "No such file or directory, error 0x6f - Invalid or missing Program/ProgramArguments" and the service is put in the "penalty box". Is there any way for the service to get out of the "penalty box"? What is the best approach to make the launchd service wait for a specific external disk to mount? Some options for waiting seem to be: Use "WatchPaths" in the launchd plist, but the man page says this is unreliable. This makes one wonder what is the purpose of this option? Use "StartOnMount" in the launchd plist, but this will run the command line tool every time any disk is mounted. This is not desired. Of course, I could move the command line tool to the startup disk, but then the tool would fail because the data is not available. This could be remedied by modifying the command line tool to wait for the external disk, but it would be polling, which seems inefficient. I could also add a delay, but that seems error prone because there is no assurance that the delay is long enough. When looking at the system plists, there seem to be a lot of options that are not directly mentioned in the man page for launchd.plist and have little to no documentation that I could find. Maybe there is something I am missing here?
In the end, I would just like to make sure the launchd service waits for the specific disk to be available before starting the service. Any ideas how best to do that?
2
0
91
May ’25
How can I get the system to use my FSModule for probing?
I've gotten to the point where I can use the mount(8) command line tool and the -t option to mount a file system using my FSKit file system extension, in which case I can see a process for my extension launch, probe, and perform the other necessary actions. However, when plugging in my USB flash drive or trying to mount with diskutil mount, the file system does not mount:

    $ diskutil mount disk20s3
    Volume on disk20s3 failed to mount
    If you think the volume is supported but damaged, try the "readOnly" option
    $ diskutil mount readOnly disk20s3
    Volume on disk20s3 failed to mount
    If you think the volume is supported but damaged, try the "readOnly" option

Initially I thought it would be enough to just implement probeExtension(resource:replyHandler:) and the system would handle the rest, but this doesn't seem to be the case. Even a trivial implementation that always returns .usable doesn't cause the system to use my FSModule, even though I've enabled my extension in System Settings > General > Login Items & Extensions > File System Extensions. From looking at some of the open source msdos and Disk Arb code, it seems like my app extension needs to list FSMediaTypes to probe.
I eventually tried putting this in my Info.plist of the app extension:

        <key>FSMediaTypes</key>
        <dict>
            <key>EBD0A0A2-B9E5-4433-87C0-68B6B72699C7</key>
            <dict>
                <key>FSMediaProperties</key>
                <dict>
                    <key>Content Hint</key>
                    <string>EBD0A0A2-B9E5-4433-87C0-68B6B72699C7</string>
                    <key>Leaf</key>
                    <true/>
                </dict>
            </dict>
            <key>0FC63DAF-8483-4772-8E79-3D69D8477DE4</key>
            <dict>
                <key>FSMediaProperties</key>
                <dict>
                    <key>Content Hint</key>
                    <string>0FC63DAF-8483-4772-8E79-3D69D8477DE4</string>
                    <key>Leaf</key>
                    <true/>
                </dict>
            </dict>
            <key>Whole</key>
            <dict>
                <key>FSMediaProperties</key>
                <dict>
                    <key>Leaf</key>
                    <true/>
                    <key>Whole</key>
                    <true/>
                </dict>
            </dict>
            <key>ext4</key>
            <dict>
                <key>FSMediaProperties</key>
                <dict>
                    <key>Content Hint</key>
                    <string>ext4</string>
                    <key>Leaf</key>
                    <true/>
                </dict>
            </dict>
        </dict>
    </plist>

(For reference, the partition represented by disk20s3 has a Content Hint of 0FC63DAF-8483-4772-8E79-3D69D8477DE4 and Leaf is True which I verified using IORegistryExplorer.app from the Xcode additional tools.) Looking in Console it does appear now that the system is trying to use my module (ExtendFS_fskit) to probe when I plug in my USB drive, but I never see a process for my extension actually launch when trying to attach to it from Xcode by name (unlike when I use mount(8), where I can do this). However I do see a Can't find the extension for <private> error which I'm not sure is related but does sound like the system can't find the extension for some reason. The below messages are when filtering for "FSKit":

    default 19:14:53.455826-0400 diskarbitrationd probed disk, id = /dev/disk20s3, with ExtendFS_fskit, ongoing.
    default 19:14:53.456038-0400 fskitd Incomming connection, entitled 1
    default 19:14:53.456064-0400 fskitd [0x7d4172e40] activating connection: mach=false listener=false peer=true name=com.apple.filesystems.fskitd.peer[350].0x7d4172e40
    default 19:14:53.456123-0400 fskitd Hello FSClient! entitlement yes
    default 19:14:53.455902-0400 diskarbitrationd [0x7461d8dc0] activating connection: mach=true listener=false peer=false name=com.apple.filesystems.fskitd
    default 19:14:53.456151-0400 diskarbitrationd Setting remote protocol to all XPC
    default 19:14:53.456398-0400 fskitd About to get current agent for 501
    default 19:14:53.457185-0400 diskarbitrationd probed disk, id = /dev/disk20s3, with ExtendFS_fskit, failure.
    error 19:14:53.456963-0400 fskitd -[fskitdXPCServer applyResource:targetBundle:instanceID:initiatorAuditToken:authorizingAuditToken:isProbe:usingBlock:]: Can't find the extension for <private>

(I only see these messages after plugging my USB drive in. When running diskutil mount, I see no messages in the console when filtering by FSKit, diskarbitrationd, or ExtendFS afterward. It just fails.) Is there a step I'm missing to get this to work, or would this be an FSKit bug/current limitation?
11
0
361
May ’25
Detect and wait until a file has been unzipped to avoid permission errors
In my app the user can select a source folder to be synced with a destination folder. The sync can also happen in response to a change in the source folder detected with FSEventStreamCreate. If the user unzips an archive in the source folder and the sync process begins before the unzip operation has completed, the sync can fail because of a "Permission denied" error. I assume this is related to the POSIX permissions of the extracted folder being 420 during the unzip operation and (in my case) 511 afterwards. Is there a way to detect that an unzip operation is in progress and wait until it has completed? I thought that using NSFileCoordinator would solve this issue, but unfortunately it's not the case. Since an unzip operation can last any amount of time, it's not ideal to just delay a sync by a fixed number of seconds and let the user deal with any error if the unzip operation takes longer.

    let openPanel = NSOpenPanel()
    openPanel.canChooseDirectories = true
    if openPanel.runModal() == .cancel {
        return
    }
    let url = openPanel.urls[0].appendingPathComponent("extracted", isDirectory: false)
    var error: NSError?
    NSFileCoordinator(filePresenter: nil).coordinate(readingItemAt: url, error: &error) { url in
        do {
            print(try FileManager.default.attributesOfItem(atPath: url.path).sorted(by: { $0.key.rawValue < $1.key.rawValue }).map({ ($0.key.rawValue, $0.value) }))
            try FileManager.default.contentsOfDirectory(at: url, includingPropertiesForKeys: nil)
        } catch {
            print(error)
        }
    }
    if let error = error {
        print("file coordinator error:", error)
    }
13
0
131
May ’25
iOS 18 + MDM + DSCP 46 getting failed
We have an iOS VoIP application which is deployed via MDM solution. Until iOS 17.7.1 everything is working fine. The calls stopped working from iOS 18 onwards. When we investigated the issue, the API setsockopt is returning (54) Connection reset by peer. We believe there might be some issue in iOS 18 because there is a test done with same MDM solution + same server + same iOS VoIP application where this issue is not seen. Kindly help and let us know if any more details are required from us.
3
1
122
May ’25
dlopen and dlsym loadable modules located in app directory
Hi, I encounter problems after updating macOS to Sequoia 15.5 with plugins loaded with dlopen and dlsym.

    $ file /Applications/com.gsequencer.GSequencer.app/Contents/Plugins/ladspa/cmt.dylib
    /Applications/com.gsequencer.GSequencer.app/Contents/Plugins/ladspa/cmt.dylib: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit bundle x86_64] [arm64:Mach-O 64-bit bundle arm64]
    /Applications/com.gsequencer.GSequencer.app/Contents/Plugins/ladspa/cmt.dylib (for architecture x86_64): Mach-O 64-bit bundle x86_64
    /Applications/com.gsequencer.GSequencer.app/Contents/Plugins/ladspa/cmt.dylib (for architecture arm64): Mach-O 64-bit bundle arm64

I am currently investigating what goes wrong. My application runs in a sandboxed environment.
2
0
56
May ’25