We are using Apple's PSSO to federate device login to out own IdP. We have developed our own extension app and deployed it using MDM. Things works fine but there are 2 issues that we are trying to get to the root cause - On some devices after restarting we see an error message on the logic screen saying "The registration for this device is invalid and must be repaired" And other error message is "SmartCard configuration is invalid for this account" For the 1st we have figured out that this happens when the registration doesn't happen fully and the key is not tied to the user so when the disk needs to be decrypted at the FileVault screen the issue is raised. For the "SmartCard configuration is invalid for this account" issue also one aspect is invalid registration but there has been other instances as well where the devices were registered completely but then also the the above error was raised. We verified the registration being completed by checking if the SmartCard is visible in the System Report containing the key. Has anyone seen the above issues and any possible resolution around it?

The header documentation for the (deprecated) LAContext.evaluatedPolicyDomainState property contains the following: @warning Please note that the value returned by this property can change exceptionally between major OS versions even if the state of biometry has not changed. I noticed that the documentation for the new LAContext.domainState property does not contain a similar warning. I also found this related thread from 2016/17. Is the domainState property not susceptible to changes between major OS versions? Or is this generally not an issue anymore?

Hi Team, How can we fetch the macOS password requirement(for setting a new password) that are inforce during login for users? Is there a way to get this info in swift programming?

We are using SecPKCS12Import C API in our application to import a self seigned public key certificate. We tried to run the application for the first time on Tahoe and it failed with OSStatus -26275 error. The release notes didn't mention any deprecation or change in the API as per https://developer.apple.com/documentation/macos-release-notes/macos-26-release-notes. Are we missing anything? There are no other changes done to our application.

I have a custom NSWindow that I want to exclude from screen capture by setting its sharing state to kCGWindowSharingStateSharingNone. The goal is to prevent this window from appearing in the content captured by ScreenCaptureKit. [window setSharingType:NSWindowSharingType::NSWindowSharingNone]; However, on macOS 15.4+ (Sequoia), the window is still captured by ScreenCaptureKit and appears in the shared content. Does anyone know if kCGWindowSharingStateSharingNone is still effective with ScreenCaptureKit on macOS 15.4 and later?

Hi Forum, We’re building a security-focused SDK for iOS that includes SIM Binding and SIM Swap detection to help prevent fraud and unauthorised device access, particularly in the context of banking and fintech apps. We understand that iOS limits access to SIM-level data, and that previously available APIs (such as those in CoreTelephony, now deprecated from iOS 16 onwards) provide only limited support for these use cases. We have a few questions and would appreciate any guidance from the community or Apple engineers: Q1. Are there any best practices or Apple-recommended approaches for binding a SIM to a device or user account? Q2. Is there a reliable way to detect a SIM swap when the app is not running (e.g., via system callback, entitlement, or background mechanism)? Q3. Are fields like GID1, GID2, or ICCID accessible through any public APIs or entitlements (such as com.apple.coretelephony.IdentityAccess)? If so, what is the process to request access? Q4. For dual SIM and eSIM scenarios, is there a documented approach to identify which SIM is active or whether a SIM slot has changed? Q5. In a banking or regulated environment, is it possible for an app vendor (e.g., a bank) to acquire certain entitlements from Apple and securely expose that information to a security SDK like ours? What would be the compliant or recommended way to structure such a partnership? Thanks in advance for any insights!

Hi, We came accross with 2 devices, iPhone 12 and iphone16 pro. the both have same device code. Both the devices have same apple id and belongs to same user I had understanding that device codes are unique to device. How this can happen? Any remediation? Thanks, Veena

I'd like to implement unit tests that exercise keys made available via a persistent token interface. However, when attempting to list available tokens by passing kSecAttrAccessGroupToken as the kSecAttrAccessGroup to SecItemCopyMatching from a unit test, -34018 is returned. It succeeds without the kSecAttrAccessGroup, which makes sense given the unit test binary does not have com.apple.token Keychain Group. The Xcode UI indicates "Capabilities are not supported" for the unit test binary when attempting to add a Keychain Sharing capability to enable use of persistent tokens. This feels like a dead end but begs the question is there any way to implement unit tests to exercise a persistent token interface? It seems like the only path may be write unit tests that drive an independent app that handles the interactions with the persistent token.

Hello everyone, I've noticed some unusual behavior while debugging my application on the iOS 26 beta. My standard testing process relies on the App Tracking Transparency (ATT) authorization status being reset whenever I uninstall and reinstall my app. This is crucial for me to test the permission flow. However, on the current beta, I've observed the following: 1 I installed my app on a device running the iOS 26 beta for the first time. The ATTrackingManager.requestTrackingAuthorization dialog appeared as expected. 2 I completely uninstalled the application. 3 I then reinstalled the app. Unexpected Result: The tracking permission dialog did not appear. And more importantly, the device's advertisingIdentifier appears to have remained unchanged. This is highly unusual, as the IDFA is expected to be reset with a fresh app installation. My question: Is this an intentional change, and is there a fundamental shift in how the operating system handles the persistence of the IDFA or the authorization status? Or could this be a bug in the iOS 26 beta? Any information or confirmation on this behavior would be greatly appreciated.

Hello, We recently implemented SSL pinning in our iOS app (Objective-C) using the common approach of embedding the server certificate (.cer) in the app bundle and comparing it in URLSession:didReceiveChallenge:. This worked fine initially, but when our backend team updated the server certificate (same domain, new cert from CA), the app immediately started failing because the bundled certificate no longer matched. We’d like to avoid shipping and updating our app every time the server’s certificate changes. Instead, we are looking for the Apple-recommended / correct approach to implement SSL pinning without embedding the actual certificate file in the app bundle. Specifically: . Is there a supported way to implement pinning based on the public key hash or SPKI hash (like sha256/... pins) rather than the full certificate? . How can this be safely implemented using NSURLSession / SecTrustEvaluate (iOS 15+ APIs, considering that SecTrustGetCertificateAtIndex is deprecated)? . Are there Apple-endorsed best practices for handling certificate rotation while still maintaining strong pinning? Any guidance or code samples would be greatly appreciated. We want to make sure we are following best practices and not relying on brittle implementations. Thanks in advance!

Hi all, I’m building a password manager app for iOS. The app implements an ASCredentialProviderExtension and has the entitlement com.apple.developer.authentication-services.autofill-credential-provider. From a UX perspective, I’d like to help users enable my app under: Settings → General → AutoFill & Passwords What I’ve observed: Calling UIApplication.openSettingsURLString only opens my app’s own Settings page, not the AutoFill list. Some apps (e.g. Google Authenticator) appear to redirect users directly into the AutoFill Passwords & Passkeys screen when you tap “Enable AutoFill.” 1Password goes even further: when you tap “Enable” in 1Password App, it shows a system pop-up, prompts for Face ID, and then enables 1Password as the AutoFill provider without the user ever leaving the app. Questions: Is there a public API or entitlement that allows apps to deep-link users directly to the AutoFill Passwords & Passkeys screen? Is there a supported API to programmatically request that my app be enabled as an AutoFill provider (similar to what 1Password seems to achieve)? If not, what is the recommended approach for guiding users through this flow? Thanks in advance!

Hi, Our App relies on a keychain to store certificates and key-value pairs. However, when we upgraded from an older XCode 15.2 (1 year old) app version to a newer version XCode 16.2 (with identical keychain-groups entitlement), we found that the newer ipa cannot see the older keychain group anymore... We tried Testflight builds, but limited to only generating newer versions, we tried using the older App's code, cast as a newer App version, and then upgraded to the newer code (with an even newer app version!). Surprisingly we were able to see the older keychain group. So it seems that there's something different between the packaging/profile of the older (1 year) and newer (current) App versions that seems to cause the new version to not see the old keychainGroup... Any ideas?

Cannot find developer mode in iPhone 16. Please help me resolve this

I’m implementing Passkey registration on iOS using ASAuthorizationPlatformPublicKeyCredentialProvider. On the server side, I’m using a WebAuthn library that throws the error UnexpectedRPIDHash: Unexpected RP ID hash during verifyRegistrationResponse(). Domain: pebblepath.link (publicly routable, valid SSL certificate, no warnings in Safari) Associated Domains in Xcode**: webcredentials:pebblepath.link AASA file: { "applinks": { "apps": [] }, "webcredentials": { "apps": [ "H33XH8JMV6.com.reactivex.pebblepath" ] } } Xcode Configuration: Team ID: H33XH8JMV6 Bundle ID: com.reactivex.pebblepath Associated Domains: webcredentials:pebblepath.link Logs: iOS clientDataJSON shows "origin": "https://pebblepath.link". Server logs confirm expectedOrigin = "https://pebblepath.link" and expectedRPID = "pebblepath.link". Despite this, the server library still errors out: finishRegistration error: UnexpectedRPIDHash. I’ve verified that: The domain has a valid CA-signed SSL cert (no Safari warnings). The AASA file is reachable at https://pebblepath.link/.well-known/apple-app-site-association. The app’s entitlements match H33XH8JMV6.com.reactivex.pebblepath. I’ve removed old passkeys from Settings → Passwords on the device and retried fresh. I’m testing on a real device with iOS 16+; I am using a Development provisioning profile, but that shouldn’t cause an RP ID mismatch as long as the domain is valid. Every log indicates that the domain and origin match exactly, but the WebAuthn library still throws UnexpectedRPIDHash, implying iOS is embedding a different (or unrecognized) RP ID hash in the credential. Has anyone else encountered this with iOS passkeys and a valid domain/AASA setup? Is there an extra step needed to ensure iOS recognizes the domain for passkey registration? Any guidance or insights would be greatly appreciated!

Hello, Is there any way to detect if the iOS screen is currently being shared via FaceTime or iPhone Mirroring? Our application relies on this information to help ensure that users are not accessing it from one location while physically being in another.

First, I do not publish my application to the AppStore, but I need to customize a sandbox environment. It seems that sandbox-exec cannot configure entitlements, so I have used some other APIs, such as sandbox_compile_entitlements and sandbox_apply_container. When encountering the entitlement "com.apple.security.files.user-selected.read-only", I am unsure how to correctly write sandbox profile to implement this. Can anyone help me?

Hi team, if I log into my app on Safari and try to enroll/challenge MFA security key option, I will be able to see this pop-up that gives me the option to pick either passkeys or external security keys However, my team member who's using the same version of safari, can only see the external security key option Why is this?

I was basically saving items into the Keychain with the following query dictionary: let query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrAccount as String: key, kSecValueData as String: value, kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock ] Where key is a String value and value is a Data that used to be a String. I was getting the following error: code: -25299 description: The specified item already exists in the keychain After a lot of digging in I saw that I needed to add kSecAttrService to the dictionary and after that it all started working. The service value is a String value. let query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrService as String: service, kSecAttrAccount as String: key, kSecValueData as String: value, kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock ] These were the articles that suggested adding the kSecAttrService parameter: https://stackoverflow.com/a/11672200 https://stackoverflow.com/a/58233542 But in the same code base I found that other developers were saving using a dictionary similar to the one I first provided and it works: var query: [String : Any] = [ kSecClass as String : kSecClassGenericPassword as String, kSecAttrAccount as String : key, kSecValueData as String : data ] I don't know how to explain why my first implementation didn't work even though it was similar to what was already in the code base but the second approach worked well. Regardless of the query dictionary, this is how I'm saving things: static func save(value: Data, key: String, service: String) -> KeyChainOperationStatus { logInfo("Save Value - started, key: \(key), service: \(service)") let query: [String: Any] = [ kSecClass as String: kSecClassGenericPassword, kSecAttrService as String: service, kSecAttrAccount as String: key, kSecValueData as String: value, kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock ] // Remove any existing key let cleanUpStatus = SecItemDelete(query as CFDictionary) let cleanUpStatusDescription = SecCopyErrorMessageString(cleanUpStatus, nil)?.asString ?? "__cleanup_status_unavailable" logInfo("Save Value - cleanup status: \(cleanUpStatus), description: \(cleanUpStatusDescription)") guard cleanUpStatus == errSecSuccess || cleanUpStatus == errSecItemNotFound else { logError("Save Value - Failed cleaning up KeyChain") return .cleanupFailed(code: cleanUpStatus) } // Add the new key let saveStatus = SecItemAdd(query as CFDictionary, nil) let saveStatusDescription = SecCopyErrorMessageString(saveStatus, nil)?.asString ?? "__save_status_unavailable" logInfo("Save Value - save status [\(saveStatus)] : \(saveStatusDescription)") guard saveStatus == errSecSuccess else { logError("Save Value - Failed saving new value into KeyChain") return .savingFailed(code: saveStatus) } return .successs }

In response to inquiries from users, we have confirmed the following phenomenon. If you select "Private email address" in the flow of new user registration with Apple ID, you will not receive the verification code email when performing two-factor authentication. ■User impact If you use your Apple ID to link an external account without making your email address public, you will not receive the authentication code during two-factor authentication and will not be able to proceed. The date and time of the impact is currently unknown. ◎Impact 1: New registration If you select "Private email address" in the flow of registering a new user with Apple ID, the verification code will not be received during two-factor authentication and registration will not be completed. ◎Impact 2: Login of existing account When two-factor authentication is required for an existing account registered with Apple ID set to "Private email address," the verification code is not received and the user cannot log in. →If you have not registered a login method other than Apple ID for the relevant account, there is no other way to log in. ■About workarounds ・I thought that I could avoid this issue by canceling the private setting of my Apple ID, but I was unable to do so. →There is currently no workaround found for existing users who are experiencing this issue. ・However, the scope of influence is limited. ■Cause investigation status Premise: For an Apple ID whose email address is not made public, the two-factor authentication authentication code email follows the following route. ①CDC/GIGYA miraiz-persol.jp (SendGrid) Apple's email server (relay server to hide the user's real email address) User mailbox →Since '1' are working, the problem seems to have occurred after the connection from ② or ③. (At this stage, we cannot determine who is at fault: the user, MIRAIZ, or Apple. We are currently investigating.) ◎Hypothesis ・Is there something wrong with Apple's mail server? ・Is it not delivered because the user's mailbox is full? ■Questions, research, and responses we would like to receive Please check the following two points and reply. 1st point As shown in the attached image, there seems to be no problem with the SPF settings. Is it possible to check to see if any errors have occurred with Apple's mail server? 2nd point Are there any cases where you still can't receive emails even if you deactivate your Apple ID? I would like to know if there are any patterns in which emails are not being delivered in terms of past inquiries or overall specifications

Hey all, Question for the masses.... Does the Yubikey authentication have a OS dependency and it only works with a stable, public OS? Does Azure/Okta/Yubikey beta OS26? My CEO installed iPadOS 26 on his iPad and was not able to authenticate via Yubikey into our company environment. I ran the same scenario on my iPad using iPadOS 26 and I had the same results. Downgrading to iPAdOS doesn't pose these issues. I'm assuming something isn't fine-tuned yet?