Discuss how to secure user data, respect user data preferences, support iCloud Private Relay and Mail Privacy Protection, replace CAPTCHAs with Private Access Tokens, and more. Ask about Privacy nutrition labels, Privacy manifests, and more.

Posts under Privacy tag

200 Posts
Post

Replies

Boosts

Views

Activity

Local Network Access Permission
We provide software that our customers deploy on their employee work computers to secure sensitive data. We have a daemon which could connect to an on-premise web-server for certain functionality. In Mac OS 15 beta we see that there is a local network access permission dialog that comes up sometimes, and it requires a permission to be provided under the Privacy & Security section of the system preferences. We have seen the local network access permission would pop up only when both Server and Client are residing in the same private network range (e.g. 172.16.x.x in our case). When the same server is accessed from a Sequoia machine over a VPN from external network, the local network access permission does NOT pop up. But note in this case, the Sequoia machine has an IP in the 10.x.y.z range, whereas the server is at 172.16.x.y. We have the following questions:
1. In our setup with Macs connecting to a web-server, what conditions can trigger the local network prompt? In particular, do both the client and server need to be in the same private subnet range for the prompt to be shown?
2. Is it possible that a user at home, working on a Sequoia machine, connecting over VPN to an on-prem server, would trigger this prompt? If so, we would submit this is not expected, as a VPN is not really a local network.
3. Is there an MDM way of automatically providing the permission, so that the prompt is suppressed?
4. In general, is there a programmatic way of providing this permission during installation? If yes, how can we do it?
5. How do we stop users from disabling the permission in case the user has admin rights?
20
7
787
3d
Game Center leaderboard privacy
I have implemented a standard GKLeaderboard in my app. The leaderboard includes the player's avatar, display name, and the score. I only use functionality provided by GameKit without any custom server functionality. I don't even have my own server. Still, my app got rejected with the following notice: "We noticed that your app does not obtain the user's consent prior to uploading users' scores to a global leaderboard. To collect personal data with your app, you must make it clear to the user that their personal data will be uploaded to your server." What should I do here? Do I really have to obtain the user's consent before uploading his score to Game Center?
4
0
911
3d
How to silence weekly/monthly screen capture access notification?
I'm running a launch agent in a CI node. The agent is responsible for launching CI build/test jobs. The agent, being the responsible process, has been granted kTCCServiceScreenCapture permission. With this in place I can run /usr/sbin/screencapture during CI test jobs, archiving the visual state of the CI machine if a test fails, which makes it easier to diagnose why the test failed. However, with macOS 15 I get weekly/monthly notifications about the agent being able to record the screen. The general advice for this is that apps should migrate to ScreenCaptureKit, but I'm using a built-in tool in macOS, /usr/sbin/screencapture, so how am I supposed to deal with that?
1
0
94
4d
Creating ApplicationToken with Decoder from string
I've been working a lot with the FamilyControls API and App Shield recently but have encountered a problem with no documentation. I used the FamilyActivitySelection to select the app store to shield (this is just for testing), and then printed out the application token: 1wfY¸êB ò S« öi #×(É?âðw ù/jQ ¿ J ïE¢? ·¿ º<Òd?ý r7¥Ãn N átJ¹ÿ85B_{VAF fC8. ,,¸¯3 T7F ±õü; ¹?v@¯ô Ä \-õ# Ò
I know the application token is a Codable object, so I was wondering: how do I create an application token using the Token<Application> initializer init(from: any Decoder) throws ("Creates a new instance by decoding from the given decoder.") using the above data? Do I have to encode first in order to decode it? For reference, the code I tried to use is:
    newValue.applicationTokens.encode(to: JSONEncoder)
    if let encoded = try? JSONEncoder().encode(newValue.applicationTokens) {
        data = encoded
        print(String(data: data, encoding: .utf8)!)
    }
    if let app = try? JSONDecoder().decode(Token<Application>.self, from: data) {
        let token = Application(token: app)
        print(token)
    } else {
        print("didn't work")
    }
But it prints "didn't work" every time. What should I do differently?
0
0
81
5d
Complying with the EU's Digital Services Act: Trader status
According to this Apple page, if you make any money from your apps in the EU you have to provide your email address, phone number and address, and they will be displayed on your App Store page for all and sundry to see, use, and likely, abuse. I don't want anyone and everyone to know those details; they are private. I thought Apple was all about privacy? I understand they have to adhere to the DSA, but Apple hasn't raised a single objection to this. Apple has consistently said that not sharing a user's email address with a developer is a part of being in the App Store, i.e. Spotify can't contact someone who downloaded their app; but a user can now contact the developer? I barely make any money from my apps - not even enough to cover the annual developer program fee - but I keep developing to stay current. I cannot afford a PO Box or business address and phone number to shield me from this, so I'm likely to remove my apps from the EU market. You might think I'm being overly-cautious, or having a knee-jerk reaction, but these are my personal, private details, and they should not be available publicly just because I barely clear £1.50 a month from my apps.
0
0
142
1w
Can the camera and microphone permission pop-up windows of WKWebView only pop up once when using WKWebView in the app?
When using WKWebView to load a web page for audio and video calls in iPhone and Mac apps, the permission box pops up every time after reconstruction of the WKWebView, affecting the user's use. Is there any way to make the permission pop-up box only pop up the first time, like the app permission pop-up window, instead of popping up every time? If the permission was previously authorized, the permission prompt box should not pop up in the web view, even after the app is restarted.
0
0
178
1w
Local Network privacy alert not triggering with iOS 18 beta
Hello, I have been testing my app with iOS 18 beta and noticing an issue with the triggering of the Local Network privacy prompt. My app uses this permission to make a request to a local network address. Prior to the iOS upgrade to 18 beta, the privacy prompt used to get triggered upon making the request and only after tapping on 'Allow', the subsequent requests used to succeed. If the user turned off the toggle for 'Local Network' in the app settings, then this functionality used to break as expected. Issues observed with 18 beta:
1. The privacy prompt is not getting triggered upon making the request to local network and the request is succeeding. The app already seems to have this access granted but I do not see the permission toggle in the app settings.
2. Upon device restart, the prompt got triggered but even on disallowing the access (tapping Don't Allow), the app is able to make requests to the local network. The permission toggle appears in the app settings, but its state does not impact the app's functionality.
Has something changed in this flow? Can someone please help with what might be causing this behaviour?
0
2
163
1w
Clarity on iCloud Private Relay behaviour with HTTP traffic
While analyzing iCloud Private Relay traffic using my App's content filter (based on NEFilterDataProvider), I noticed a couple of items that piqued my curiosity and wanted to see if I could get more information here. Namely, when accessing an HTTP site via iCloud Private Relay, there is an initial flow established to UDP port 80 and an unspecified IPv6 address (i.e., '::'). This seemed odd for a few reasons:
- IPv6 is disabled on the system and the site I'm connecting with only has an IPv4 address. Also, the unspecified IPv6 address seems strange in general.
- In the documentation, iCloud Private Relay claims to only use UDP port 443 [1][2].
Could you provide more clarity on how this works in the background? Would it also be possible to confirm whether UDP port 80 should be included in any filtering logic concerning iCloud Private Relay? Note: in case this isn't the general behavior for iCloud Private Relay, I wanted to further clarify that this is the behavior I've seen in Safari 17 on Sonoma and Sequoia, when accessing websites via HTTP, with Safari's "Use advanced tracking and fingerprinting protection" enabled. Thanks!
[1] https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
[2] https://support.apple.com/en-ca/101555
0
0
137
1w
macOS Sequoia adds weekly permission prompt for screenshot and screen recording apps
On a personal level, I use 6 trusted apps that utilize screen and system audio recording and I expect that when I allow them to do so, that I am not prompted weekly or upon every startup. On a professional level, it's just bad for developers when there is simply no work around to this. Apple, please add an "always allow" option in the prompt. Thank you. https://9to5mac.com/2024/08/06/macos-sequoia-screen-recording-privacy-prompt/
1
1
167
2w
Start a self-signed certificate HTTPS server: will it be rejected by the App Store auditor?
In my application, I need to load the HTML5 code downloaded to the local computer through the HTTPS server embedded in the application. These local HTML5 codes are small programs developed by some front-end developers. My HTTPS server will only load these small programs locally, so I use a self-signed certificate. The code to access the small program is like this: "https://localhost:12345/MiniAppA", "https://localhost:12345/MiniAppB". My applet container will use different certificate verification rules based on the domain name. I want to know if this technical form will be rejected by App Store reviewers?
    - (void)webView:(WKWebView *)webView
        didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
        completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential * _Nullable credential))completionHandler {
        if ([challenge.protectionSpace.host isEqualToString:@"localhost"]) {
            NSURLCredential *credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust];
            completionHandler(NSURLSessionAuthChallengeUseCredential, credential);
        } else {
            completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        }
    }
1
0
159
2w
Does Requiring Users to Input Their Date of Birth Immediately After Login Violate Apple’s App Submission Policies?
Hello, I am developing a health tracking app that includes a feature to calculate heart rate zones. To accurately determine these zones, it is necessary for users to input their date of birth. As a result, after a successful login, the app prompts users to enter their birthday, and this step is mandatory as the information is crucial for calculating heart rate zones tailored to specific age groups. I would like to inquire if this requirement to input the birthday upon login complies with Apple's policies. Additionally, I seek advice on any potential solutions or best practices to address this requirement while adhering to Apple's guidelines. Thanks so much,
1
0
236
3w
Local Network Access Permission requires binary to have LC_UUID load command
As mentioned in https://developer.apple.com/forums//thread/759955 I was having trouble on macOS 15 with a launch agent accessing local network resources, even if the local network permission dialog pops up, and Settings app visually claims the app has permission granted. The following was logged:
    nehelper +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /Users/foo/my-binary
It turned out that the problem was caused by the default golang toolchain not producing a LC_UUID load command, which seems to be critical for the network privacy subsystem to determine whether the binary is allowed access or not. The issue has been reported upstream here: https://github.com/golang/go/issues/68678
To work around this I added -ldflags="-linkmode=external" when building the Go binary, so that the system linker (which does add LC_UUID) is invoked.
3
0
202
3w
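A check for the condition described in the post above, as an added example that is not part of the original post: it walks the load commands of a thin Mach-O image and reports whether LC_UUID is present. The function names, the sample UUID and the two sample images are constructed for illustration; the numeric constants are those in `<mach-o/loader.h>`.

```python
import struct
import sys
import uuid

# Constants from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_UUID, LC_SOURCE_VERSION = 0x1B, 0x2A
SAMPLE_UUID = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # constructed


def find_lc_uuid(data: bytes):
    """Return the LC_UUID value of a thin Mach-O image, or None if absent."""
    for endian in ("<", ">"):
        magic = struct.unpack_from(endian + "I", data, 0)[0] if len(data) >= 28 else 0
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O image (fat files need per-slice parsing)")
    offset = 32 if magic == MH_MAGIC_64 else 28  # mach_header_64 vs mach_header
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    end = min(offset + sizeofcmds, len(data))
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == LC_UUID and cmdsize >= 24:
            return uuid.UUID(bytes=data[offset + 8:offset + 24])
        offset += cmdsize
    return None


def sample_macho(with_uuid: bool) -> bytes:
    """Constructed arm64 header plus load commands only; not a real binary."""
    cmds = struct.pack("<IIQ", LC_SOURCE_VERSION, 16, 0)
    if with_uuid:
        cmds += struct.pack("<II", LC_UUID, 24) + SAMPLE_UUID.bytes
    ncmds = 2 if with_uuid else 1
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    images = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample-with-uuid": sample_macho(True),
        "sample-no-uuid": sample_macho(False),
    }
    for name, blob in images.items():
        print(f"{name}: LC_UUID = {find_lc_uuid(blob) or 'MISSING'}")
```

Run with one or more binary paths as arguments to check real build outputs; with no arguments it checks the two constructed samples.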
How does homomorphic encryption usage affect privacy labels?
If I encrypt user data with Apple's newly released homomorphic encryption package and send it to servers I control for analysis, how would that affect the privacy label for that app? E.g. If my app collected usage data plus identifiers, then sent it for collection and analysis, would I be allowed to say that we don't collect information linked to the user? Does it also automatically exclude the relevant fields from the "Data used to track you" section? Is it possible to make even things that were once considered inextricably tied to a user identity (e.g. purchases in an in-app marketplace) something not linked, according to Apple's rules? How would I prove to Apple that the relevant information is indeed homomorphically encrypted?
0
0
220
3w
TCC profile change for Local Network Access
Hello, is there any plan to add a new service type for the Privacy Preferences Policy Control profile to allow apps deployed via MDM on organization-owned devices to access the local network without prompting the end user on Sequoia? This would be very welcome, especially in the education world, where students are good at finding out how to block the tools they are supposed to use. I created FB14540495 for reference. Thanks!
1
0
306
3w