I have a question regarding /etc/pf.conf. If I use this rule, rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 all other traffic on bridge100 will not function properly, even the traffic that is not destined for 192.168.2.104. Additionally, the hotspot generated through bridge100 will also become unavailable. Even if I comment out this rule and run sudo pfctl -e -f /etc/pf.conf, the problem still persists. The situation will only return to normal when I restart my Mac. my macos:15.3.2 my /etc/pf.conf # scrub-anchor "com.apple/*" nat-anchor "com.apple/*" rdr-anchor "com.apple/*" rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Hi there, I'm trying to build a MacOS VPN application from scratch. My VPN application is slightly from normal ones, It will include an authentication token and underlying process information (pid, application path etc.) in each connection made to the VPN gateway. Consider it a poor man's zerotrust implementation. NetworkExtension and PacketTunnel is a must, thus to retrieve process information via audit tokens. However, I'm unable to find any working examples that can be built on MacOS 15.X. I tried to open an TSI case but didn't receive anything useful. Anyone?

I am working on a macos application that uses NetworkExtension and works fine in the debug environment. However, when I use the Release package, I am always prompted that my description file does not contain NetworkExtension. I am sure that my description file does contain NetworkExtension. How to solve this problem

I have an option in my app to set the URL Handler for smb or switch it back to Finder. But using my code below it always give me a -10819 error. Which is a generic kLSNotRegisteredErr, even those the documentation shows "Not currently used." func setDefaultHandler(bundleID: String) { DebugLogger.shared.log("Attempting to set \(bundleID) as default handler for SMB URLs") // Post Sonoma macOS requires user interaction to change default handlers // We'll register our app and then guide the user to System Settings // For our app, register it with Launch Services if bundleID != "com.apple.finder" { if let appBundleURL = Bundle.main.bundleURL as CFURL? { let registerResult = LSRegisterURL(appBundleURL, true) DebugLogger.shared.log("LSRegisterURL result: [\(appBundleURL)]\(registerResult)") } } // Check current handler using modern API let testSMBURL = URL(string: "smb://example.com")! if let handlerURL = NSWorkspace.shared.urlForApplication(toOpen: testSMBURL) { DebugLogger.shared.log("Current default handler is: \(handlerURL)") // Try to get the bundle ID from the URL var currentHandlerBundleID = "" if let bundle = Bundle(url: handlerURL) { if let handlerBundleID = bundle.bundleIdentifier { currentHandlerBundleID = handlerBundleID DebugLogger.shared.log("Current default handler bundle ID: \(handlerBundleID)") } } // Check if the current handler is already what we want let alreadySet = currentHandlerBundleID == bundleID DebugLogger.shared.log("Handler is already set correctly: \(alreadySet)") if alreadySet { let alert = NSAlert() alert.messageText = "Default Handler Status" alert.informativeText = "\(bundleID == "com.apple.finder" ? "Finder" : "LGN") is already set as the default handler for SMB URLs." alert.addButton(withTitle: "OK") alert.runModal() } else { // Guide the user to System Settings to change the handler promptToSetDefaultHandler(bundleID == "com.apple.finder" ? "Finder" : "LGN") } } else { DebugLogger.shared.log("Could not determine current handler") promptToSetDefaultHandler(bundleID == "com.apple.finder" ? "Finder" : "LGN") } }

Hi. I'm trying to learn macOS app development. i'm trying to run unix commands: func execute(_ command: String) throws -> String { let process = Process() let pipe = Pipe() process.executableURL = URL(fileURLWithPath: "/bin/bash") process.arguments = ["-c", command] process.standardOutput = pipe // process.standardError try process.run() process.waitUntilExit() guard let data = try pipe.fileHandleForReading.readToEnd() else { throw CommandError.readError } guard let output = String(data: data, encoding: .utf8) else { throw CommandError.invalidData } process.waitUntilExit() guard process.terminationStatus == 0 else { throw CommandError.commandFailed(output) } return output } when try to run "pgrep" in sandbox mode ON, i get: sysmon request failed with error: sysmond service not found error. if i turn it off it works. i don't know what to do. anyone can help me out?

Can be reproduced with a shared iPad setup (https://support.apple.com/de-de/guide/deployment/dep9a34c2ba2/web) and the example app provided by Apple (https://developer.apple.com/documentation/fileprovider/synchronizing-files-using-file-provider-extensions). The issue is that when using the File Provider extension implemented with 'NSFileProviderReplicatedExtension', the content of the share does not display in the iPadOS Files app. The 'NSFileProviderEnumerating.enumerator' function is invoked, but none of the functions of the returned 'NSFileProviderEnumerator' are executed: neither 'currentSyncAnchor', 'enumerateChanges', nor 'enumerateItems'. Instead, the 'NSFileProviderEnumerator' is immediately invalidated. This issue can be reproduced with iPadOS 18.3 and a shared iPad setup. Maybe i missing some additional steps/ settings in my extension to work properly on Shared iPads. Created also a post on the feedbackassistent: FB16587660 (NSFileProviderReplicatedExtension does not work in Shared iPad setup) Steps to reproduce: iPad with a Shared iPad profile Enroll the iPad and log in as a Guest user Turn on developer mode Install the example app from Apple (as mentioned above) Add some test files to the FruitBasket storage Add this FruitBasket domain to the FruitBasket-iOS app You may need to provide "Privacy - Local Network Usage Description" in the Info.plist of the FruitBasket-iOS example app to be able to find local FruitBasket storage. Check in the Files app to see that the FruitBasket share is empty -> The expected behavior is that the FruitBasket share should contain the test files added previously. (This works fine without a shared iPad setup).

What is the version policy for the Apple Pay SDK Javascript ? The documentation refers to this link : https://applepay.cdn-apple.com/jsapi/1.latest/apple-pay-sdk.js The future updates will overrride the file on that link ? Is there a way to be notified of any changes ? We are using a previous version named v1 : https://applepay.cdn-apple.com/jsapi/v1/apple-pay-sdk.js What are the risks not using changing to the lastesdt link ? Thank you for your help.

In my case, when two functions that start each Live Activity(not connected each other) are performed in LiveActivityIntent's perform(), it seems that only one will start. (It's the same to start independently with two Task{}) And, set one to 'opensIntent' and separate it by opening another LiveActivityIntent, the result is same. Also, every time I tap the Intent directly in the shortcut app, one activity will end within a matter of seconds, even if there are two for a while. But, If openAppWhenRun to true, it seem to works without any problems. I would appreciate it if you could give me a tip to fix this problem.

In the main app, is there a way to distinguish whether the application:didFinishLaunchingWithOptions: method is triggered by the user manually clicking the app icon, or whether it is automatically triggered by the system after Live Activities receives a remote message notification?

In context of entitlements that are applicable on macos platform, I was discussing in another thread about the com.apple.security.cs.allow-unsigned-executable-memory and the com.apple.security.cs.allow-jit entitlements in a hardened runtime https://developer.apple.com/forums/thread/775520?answerId=827440022#827440022 In that thread it was noted that: The hardened runtime enables a bunch of additional security checks. None of them are related to networking. Some of them are very important to a Java VM author, most notably the com.apple.security.cs.allow-jit -> com.apple.security.cs.allow-unsigned-executable-memory -> com.apple.security.cs.disable-executable-page-protection cascade. My advice on that front: This sequence is a trade off between increasing programmer convenience and decreasing security. com.apple.security.cs.allow-jit is the most secure, but requires extra work in your code. Only set one of these entitlements, because each is a superset of its predecessor. com.apple.security.cs.disable-executable-page-protection is rarely useful. Indeed, on Apple silicon [1] it’s the same as com.apple.security.cs.allow-unsigned-executable-memory. If you want to investigate moving from com.apple.security.cs.allow-unsigned-executable-memory to com.apple.security.cs.allow-jit, lemme know because there are a bunch of additional resources on that topic. What that tells me is that com.apple.security.cs.allow-jit is the recommended entitlement that retains enough security and yet provides the necessary programmer convenience for applications. In the OpenJDK project we use both com.apple.security.cs.allow-unsigned-executable-memory and com.apple.security.cs.allow-jit entitlements for the executables shipped in the JDK (for example java). I was told in that other thread that it might be possible to just use the com.apple.security.cs.allow-unsigned-executable-memory, but there are some additional details to consider. I'm starting this thread to understand what those details are.

I am using cloudkit to save users high scores in a public database. The preference over using Game Center is because of simplicity and works really well for what I want to achieve. I simply want to let users know their global position. Because of data privacy laws the app asks the user for their permission to submit their score each time they get a new high score. However, I have noticed that CKRecords under 'created' and 'modified' in addition to UTC time and date also contain creatorUserRecordID. Could this be a privacy issue? Can you extract any personal information from this? Can this be used to track back to the user? Is it linked to CKUserIdentity which I understand does contain personal information, although as I understand you need users consent to get this information. Under creatorUserRecordID it says... "Every user of the app has a unique user record that is empty by default. Apps can add data to the user record on behalf of the user, but don’t store sensitive data in it" Currently I simply ask the user if they are happy to submit their score. But do I need to point out that it also stores a creatorUserRecordID? Obviously I don't want to do this if it is not needed as the user will 1) Probably not understand what a creatorUserRecordID is and 2) It makes the question complicated and will likely make most people refuse to submit their score. If it is a privacy issue, is there anyway to stop a CKRecord creating this ID and simply save a score? All I need is a list of scores so the app can determine their current position. If creatorUserRecordID does not contain any personal details and cannot be tracked back to the user please let me know, so I can be reassured that my current set up is fine and I am not causing any privacy issues! This post did seem to indicate you may possibly be able to fetch personal details?? https://stackoverflow.com/questions/55782166/how-do-i-fetch-any-info-about-user-that-modified-ckrecord

I am working on a software where we want to add the feature to share the whole database with the other user. Database is iCloud combined with coredata. The other user(s) should be able to edit /delete and even create new objects in the share. I did this with this code witch directly from sample code let participants = try await ckConainer.fetchParticipants(matching: [lookupInfo], into: selectedStore) for participant in participants { participant.permission = .readWrite participant.role = .privateUser share.addParticipant(participant) } try await ckConainer.persistUpdatedShare(share, in: selectedStore) the other user gets invited and I can see this in iCloud database that the other user is invited with status invited. but the other user never gets a mail or something to accept and join the share. How does the other needs to accept the invitation ?

We use Boost ***** (1.86.0) for WebSockets in an iOS application using a self-signed certificate. The ***** WebSocket client works fine on iOS 18.1 and every other OS (Windows, Android, Linux, etc...) but not iOS 18.3.1 and possibly versions before 18.3.1 but later than iOS 18.1. Has anyone else ran into this issue and how did you resolve? What could have changed after iOS 18.1 that would prevent a WSS Websocket from connecting that works fine on iOS 18.1?

This is an ongoing issue that I haven't been able to solve: I am querying different types of HealthKit data over the past year. While this works fine for HRV, it hangs for some users when I'm trying to get heart rate data. Here's the relevant query func initialRead(from startDate: Date) async throws -> [HKSample] { let endDate = anchorStart let interval: TimeInterval = .days(7) var currentStartDate = startDate var currentEndDate = Date(timeInterval: interval, since: currentStartDate) var samples: [HKSample] = [] while currentStartDate <= endDate { let datePredicate = SampleType.datePredicate(start: currentStartDate, end: currentEndDate) let predicate = NSCompoundPredicate(andPredicateWithSubpredicates: [datePredicate,HKQuery.predicateForObjects(withMetadataKey: HKMetadataKeyHeartRateMotionContext, allowedValues: [HKHeartRateMotionContext.sedentary])]) do { let result = try await withCheckedThrowingContinuation { continuation in let completionQuery = HKSampleQuery(sampleType: HKQuantityType.heartRate, predicate: predicate, limit: HKObjectQueryNoLimit, sortDescriptors: [.init(key: HKSampleSortIdentifierStartDate, ascending: true)]) { query, samples, error in if let samples { continuation.resume(returning: samples) } else { if let error { continuation.resume(throwing: error) } else { continuation.resume(returning: []) } } } healthStore.execute(completionQuery) } samples = samples.merge(from: result) } catch { Logger.general.error("Reading failed for dates \(currentStartDate) to \(currentEndDate): \(error)") } currentStartDate = currentEndDate currentEndDate = Date(timeInterval: interval, since: currentStartDate) } return samples } extension HKSampleType { static func datePredicate( start:Date?, end:Date?) -> NSPredicate { HKQuery.predicateForSamples(withStart: start, end:end, options: .strictStartDate) } } For reference, I expect about 1000 sedentary samples per week. Basically what happens for these users is when they start reading the HR data, the app hangs. They start each read manually via a special TestFlight build with buttons for starting the different data type readings. Any advice on how to proceed with this bug would be great since it only affects some users. I am able to create test builds for this audience to test different options. One theory is the motion context predicate is screwing something up. If any apple dev can enlighten me how to narrow down the issue, that would be great.

Is there a way using Swift, to detect if iMessage is turned on, on the user's device? We have a need to warn a user if they have iMessage on (to boring to explain why) and would like to pop up a notice, if it's detected to be on.

I have a question regarding /etc/pf.conf. If I use this rule, rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 all other traffic on bridge100 will not function properly, even the traffic that is not destined for 192.168.2.104. Additionally, the hotspot generated through bridge100 will also become unavailable. Even if I comment out this rule and run sudo pfctl -e -f /etc/pf.conf, the problem still persists. The situation will only return to normal when I restart my Mac. my macos:15.3.2 my /etc/pf.conf # scrub-anchor "com.apple/*" nat-anchor "com.apple/*" rdr-anchor "com.apple/*" rdr pass on bridge100 inet proto tcp from 192.168.2.104 to any port {80, 443, 8883} -> 127.0.0.1 port 8080 dummynet-anchor "com.apple/*" anchor "com.apple/*" load anchor "com.apple" from "/etc/pf.anchors/com.apple"

Hi Here is my problem. I have a large number of portrait pictures in my adobe lightroom catalogue which I need to email to the subjects of the portraits. These peoples names and email addresses are stored in my pictures metadata and I am able to export the pictures with accompanying text or CSV files containing the names &amp; addresses. What I want to do is export the pictures in bulk and automagically create and send individual emails for each picture, preferably with the persons name in the salutation at the start of the email. I have done some googling trying to find a solution to this. I think that I need to use automator. (The lightroom option of mailing directly from within the programme isn't going to do the job, each mail would need to be addressed and written by hand each time). I have been playing around with it, but can see no way to populate the email address field or add the attachment. Can anyone help me out, with even just the basic outline, of how this would be achieved please?

It seems like find my mac is able to fetch the device location even if the device is in locked state. Why can’t other apps do the same.

We are developing an iPad app which also needs to control apple TV. is there any lead for it, any sdk/library available for quick and easy integration.

LSSetDefaultHandlerForURLScheme is flagged as deprecated, but it isn't clear to me (very much not a frequent macOS developer) what the alternative is. Can anyone point me in the right direction? Thanks.