Team-scoped keys introduce the ability to restrict your token authentication keys to either development or production environments. Topic-specific keys in addition to environment isolation allow you to associate each key with a specific Bundle ID streamlining key management. For detailed instructions on accessing these features, read our updated documentation on establishing a token-based connection to APNs.

I'm trying to understand the terminology around forward vs backward references in CloudKit. Say I have two record types: User LeaderboardScore (a score belongs to a user) The score record stores a user reference: score["user"] = CKRecord.Reference( recordID: userRecordID, action: .deleteSelf ) So: LeaderboardScore → User The user record does not store any references to scores From a data-model perspective: Is this considered a forward reference (child → parent)? Or a back reference, since the score is "pointing back" to its owner? My use case is having leaderboard in my app and so i have created a user table to store all the users and a score table for saving the scores of each user of the app.

Hi! My users have reported (and I have observed) a blank Live Activity where only a black capsule is shown in the dynamic island. When tapping that capsule, the app opens, but inside the capsule, nothing is shown. The Live Activity is created through the AlarmKit API like this: let identifier = UUID() Task { do { _ = try await AlarmManager.shared.schedule( id: identifier, configuration: .init( countdownDuration: countdownDuration, attributes: attributes, stopIntent: CancelTimerIntent(), secondaryIntent: RestartTimerIntent(), sound: Settings.shared.systemAlarmToneEnabled ? .default : .named(Settings.shared.alarmTone[.loop].filename) ) ) Log.debug("Alarm scheduled successfully: \(identifier.uuidString)") } catch { Log.error("Error scheduling alarm with id \(identifier.uuidString), error: \(error)") } } I've read some other forum posts where developers reported the same issue: https://developer.apple.com/forums/thread/807335 https://developer.apple.com/forums/thread/812006 I assume, it has something to do with state management. However, in my case, this only happens very rarely. I use the app on a daily basis and the issue with the blank live activity only occurs like once a month, so I cannot reproduce it. I also have some logic to resume an existing alarm or snooze: do { for alarm in try AlarmManager.shared.alarms { switch alarm.state { case .paused: try AlarmManager.shared.resume(id: alarm.id) case .alerting: try AlarmManager.shared.countdown(id: alarm.id) default: break } } } catch { Log.error("Error resuming alarm: \(error)") } Is there any way I can debug this issue properly? I have checked the Device Logs and the Console in Xcode and didn't find any hints. Only one log made me a little suspicious, but I read that this might happen occasionally and may be ignored: Couldn't read values in CFPrefsPlistSource<0x10ae0d080> (Domain: group.myappgroupidentifier User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: Yes): Using kCFPreferencesAnyUser with a container is only allowed for System Containers, detaching from cfprefsd Any ideas on how I could proceed to find the cause of this empty (apparently crashed) Live Activity?

I use MapKit and MKDirections for driving directions. The error "Directions Not Available" appears when the two points (A and B) are outside mainland China (e.g. Tokyo → Osaka). For routes inside China (e.g. Shanghai → Beijing), the same code works. let req = MKDirections.Request() req.source = MKMapItem(placemark: MKPlacemark(coordinate: origin)) req.destination = MKMapItem(placemark: MKPlacemark(coordinate: destination)) req.transportType = .automobile MKDirections(request: req).calculate { response, error in // Tokyo–Osaka (outside China): "Directions Not Available" // Shanghai–Beijing (inside China): works } Questions: Is MKDirections intended to support only routes within the device’s region (e.g. China)? When A/B are abroad, is "Directions Not Available" expected? Is this documented? For cross-country or overseas routes (e.g. Tokyo–Osaka), what is the recommended approach—third-party routing API + drawing on MapKit? Thanks.

I’m encountering a persistent issue with my Network Extension (specifically NEFilterDataProvider) and would really appreciate any insights. The extension generally works as expected, but after some time — especially after sleep/wake cycles or network changes — a global network outage occurs. During this state, no network traffic works: pings fail, browsers can’t load pages, etc. As soon as I stop the extension (by disabling it in System Preferences), the network immediately recovers. If I re-enable it, the outage returns instantly. I’ve also noticed that once this happens, the extension stops receiving callbacks like handleNewFlow(), and reinstalling the app or restarting the extension doesn’t help. The only thing that resolves the issue is rebooting the system. After reboot, the extension works fine again — until the problem reoccurs later. I asked AI about this behavior, and it suggested the possibility that the kernel might have marked the extension as untrusted, causing the system to intentionally block all network traffic as a safety mechanism. Has anyone experienced similar behavior with NEFilterDataProvider? Could there be a way to detect or prevent this state without rebooting? Is there any logging or diagnostic data I should collect when it happens again? Any guidance or pointers would be greatly appreciated. Thanks in advance!

Hi, I’m implementing ePassport reading in an iOS app using a third-party KYC identity verification SDK (the SDK handles the NFC logic internally). Before adding any specific AID, the NFC session would start normally and iOS showed the system popup asking the user to hold the passport near the device. However, the passport was never read , the session just stayed there with no progress or data returned. I then tried enabling the ICAO ePassport AID: A0000002471001 After adding this, the build failed with the following signing error: Provisioning profile "iOS Team Provisioning Profile: com.sandrotbilisi.DigitalCurrency" doesn't include the com.apple.developer.nfc.readersession.iso7816.select-identifiers entitlement. Has anyone encountered this behavior when working with ePassports? Do I need special entitlement approval from Apple for this AID? Thank you.

Hi, I’m building an iOS self accountability app using FamilyControls and DeviceActivity. I can show the user’s real Screen Time correctly inside a DeviceActivityReport extension on a real device, but I want to use that same daily total inside the main app for today’s log and leaderboard. What I’m stuck on is getting that value back into the app. I tried App Groups, shared UserDefaults, a shared file in the app group container, and CFPreferences, but the report still only works as a display and the main app never receives the total. Is there any Apple supported way to use the daily Screen Time total from a DeviceActivityReport extension inside the containing app, or is this intentionally display only? Thanks.

An app build is uploaded using Xcode 26.3 RC and fully validated/provisioned/processed at AppStoreConnect that shows build is Complete/Ready to Test Export compliance has been done Internal testers have been added to internal testing group Internal testers have accepted invite App is visible with all details in Test Flight on testers' iPhones (running 26.3 final) Internal testers tap App but Install button NEVER appears and testers get request for code to redeem app but invitation email does NOT include redeem code Testers cannot download and install app What is going on with TestFlight Apple?

Hi - Using storekit2 on ios26.2 and using presentOfferCodeRedeemSheet to allow users to leverage Offer Codes. The codes work (sandbox and production), however on the confirmation view that shows Redeem Special Offer, while my App Icon is properly displayed up top, the associated product subscription image is missing and I see a grey App Store image/icon instead. I do successfully see the associated subscription and pricing to the right. My subscription product images are already reviewed/approved and have been live for a number of weeks. I see this in Sandbox and Production (with a live customer sending me the phone screenshot). PS, my product icons/logos all show up successfully during normal checkout in sandbox/production, this only occurs on Offer Code Redemption views.

I have a driver extending IOUserUSBSerial and I want the device to show up as /dev/tty.mycustombasename-123 and /dev/cu. respectively. How can I achieve that?

I am testing my app in iOS 26.4 beta and emojis are rendering as squares with ? in the middle . I tested a very simple Text("👾") and I get the same results. It is working fine in 26.3.

I am writing a DriverKit driver for the first that uses the USBSerialDriverKit. The driver its purpose is to expose the device as serial interface (/dev/cu.tetra-pei0 or something like this). My problem: I don't see any logs from that driver in the console and I tried like 40 different approaches and checked everything. The last message I see is that the driver get successfully added to the system it is in the list of active and enabled system driver extensions but when I plug the device in none of my logs appear and it doesn't show up in ioreg. So without my driver the target device looks like this: +-o TETRA PEI interface@02120000 <class IOUSBHostDevice, id 0x10000297d, registered, matched, active, busy 0 (13 ms), retain 30> | { | "sessionID" = 268696051410 | "USBSpeed" = 3 | "UsbLinkSpeed" = 480000000 | "idProduct" = 36886 | "iManufacturer" = 1 | "bDeviceClass" = 0 | "IOPowerManagement" = {"PowerOverrideOn"=Yes,"DevicePowerState"=2,"CurrentPowerState"=2,"CapabilityFlags"=32768,"MaxPowerState"=2,"DriverPowerState"=0} | "bcdDevice" = 9238 | "bMaxPacketSize0" = 64 | "iProduct" = 2 | "iSerialNumber" = 0 | "bNumConfigurations" = 1 | "UsbDeviceSignature" = <ad0c16901624000000ff0000> | "USB Product Name" = "TETRA PEI interface" | "locationID" = 34734080 | "bDeviceSubClass" = 0 | "bcdUSB" = 512 | "USB Address" = 6 | "kUSBCurrentConfiguration" = 1 | "IOCFPlugInTypes" = {"9dc7b780-9ec0-11d4-a54f-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"} | "UsbPowerSinkAllocation" = 500 | "bDeviceProtocol" = 0 | "USBPortType" = 0 | "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.usb")) | "USB Vendor Name" = "Motorola Solutions, Inc." | "Device Speed" = 2 | "idVendor" = 3245 | "kUSBProductString" = "TETRA PEI interface" | "kUSBAddress" = 6 | "kUSBVendorString" = "Motorola Solutions, Inc." | } | +-o AppleUSBHostCompositeDevice <class AppleUSBHostCompositeDevice, id 0x100002982, !registered, !matched, active, busy 0, retain 5> | { | "IOProbeScore" = 50000 | "CFBundleIdentifier" = "com.apple.driver.usb.AppleUSBHostCompositeDevice" | "IOProviderClass" = "IOUSBHostDevice" | "IOClass" = "AppleUSBHostCompositeDevice" | "IOPersonalityPublisher" = "com.apple.driver.usb.AppleUSBHostCompositeDevice" | "bDeviceSubClass" = 0 | "CFBundleIdentifierKernel" = "com.apple.driver.usb.AppleUSBHostCompositeDevice" | "IOMatchedAtBoot" = Yes | "IOMatchCategory" = "IODefaultMatchCategory" | "IOPrimaryDriverTerminateOptions" = Yes | "bDeviceClass" = 0 | } | +-o lghub_agent <class AppleUSBHostDeviceUserClient, id 0x100002983, !registered, !matched, active, busy 0, retain 7> | { | "IOUserClientCreator" = "pid 1438, lghub_agent" | "IOUserClientDefaultLocking" = Yes | } | +-o IOUSBHostInterface@0 <class IOUSBHostInterface, id 0x100002986, registered, matched, active, busy 0 (5 ms), retain 9> | | { | | "USBPortType" = 0 | | "IOCFPlugInTypes" = {"2d9786c6-9ef3-11d4-ad51-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"} | | "USB Vendor Name" = "Motorola Solutions, Inc." | | "bcdDevice" = 9238 | | "USBSpeed" = 3 | | "idProduct" = 36886 | | "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.usb")) | | "bInterfaceSubClass" = 0 | | "bConfigurationValue" = 1 | | "locationID" = 34734080 | | "USB Product Name" = "TETRA PEI interface" | | "bInterfaceProtocol" = 0 | | "iInterface" = 0 | | "bAlternateSetting" = 0 | | "idVendor" = 3245 | | "bInterfaceNumber" = 0 | | "bInterfaceClass" = 255 | | "bNumEndpoints" = 2 | | } | | | +-o lghub_agent <class AppleUSBHostInterfaceUserClient, id 0x100002988, !registered, !matched, active, busy 0, retain 6> | { | "UsbUserClientBufferStatistics" = {"IOMemoryDescriptor"=0,"IOBufferMemoryDescriptor"=0,"IOSubMemoryDescriptor"=0} | "IOUserClientCreator" = "pid 1438, lghub_agent" | "UsbUserClientBufferAllocations" = {"Bytes"=0,"Descriptors"=0} | "IOUserClientDefaultLocking" = Yes | } | +-o IOUSBHostInterface@1 <class IOUSBHostInterface, id 0x100002987, registered, matched, active, busy 0 (5 ms), retain 9> | { | "USBPortType" = 0 | "IOCFPlugInTypes" = {"2d9786c6-9ef3-11d4-ad51-000a27052861"="IOUSBHostFamily.kext/Contents/PlugIns/IOUSBLib.bundle"} | "USB Vendor Name" = "Motorola Solutions, Inc." | "bcdDevice" = 9238 | "USBSpeed" = 3 | "idProduct" = 36886 | "IOServiceDEXTEntitlements" = (("com.apple.developer.driverkit.transport.usb")) | "bInterfaceSubClass" = 0 | "bConfigurationValue" = 1 | "locationID" = 34734080 | "USB Product Name" = "TETRA PEI interface" | "bInterfaceProtocol" = 0 | "iInterface" = 0 | "bAlternateSetting" = 0 | "idVendor" = 3245 | "bInterfaceNumber" = 1 | "bInterfaceClass" = 255 | "bNumEndpoints" = 2 | } | +-o lghub_agent <class AppleUSBHostInterfaceUserClient, id 0x10000298a, !registered, !matched, active, busy 0, retain 6> { "UsbUserClientBufferStatistics" = {"IOMemoryDescriptor"=0,"IOBufferMemoryDescriptor"=0,"IOSubMemoryDescriptor"=0} "IOUserClientCreator" = "pid 1438, lghub_agent" "UsbUserClientBufferAllocations" = {"Bytes"=0,"Descriptors"=0} "IOUserClientDefaultLocking" = Yes } more details in my comment.

Hi everyone, I’m having an issue with App Store Connect regarding the production release of my app. I submitted my app and contacted App Store Connect support because I haven’t received any verification or confirmation to proceed with the production release, but I still haven’t received any response. It has been over two weeks since I first contacted them. According to Apple’s documentation, support responses usually take around 48 hours, so I’m a bit concerned. My app is currently not moving forward to production, and I don’t see any clear indication of what is missing or if additional action is required from my side. I’ve checked App Store Connect notifications and my email (including spam), but there’s nothing. Has anyone experienced a similar situation recently? Is there a recommended way to escalate this issue (specific support category, phone call, or another process)? Any help or advice would be greatly appreciated. Thank you!

I have submitted a new update on February 9th and it's still waiting for review. I will go crazy. There is no way to reach developer support as well. Can someone suggest me what should I do? I emailed, I applied for expedit review but there is no follow up.

Hello Apple Support Team, We are seeing a production crash on iOS 26 devices that appears to originate from Apple system frameworks rather than application code. 1. Crash Details OS Version: iOS 26.x App built with: Xcode 16 Devices: Multiple models (not device-specific) Exception Type: SIGSEGV SEGV_ACCERR Fault Address: 0x0000000000000100 Crashed Thread: 4 (network background queue) Crash trace summary: Last Exception : 0 libobjc.A.dylib _objc_release_x8 + 8 1 libboringssl.dylib _nw_protocol_boringssl_deallocate_options + 92 2 Network 0x000000019695207c 0x00000001968dc000 + 483452 3 libswiftCore.dylib __swift_release_dealloc + 56 4 libswiftCore.dylib bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) + 152 5 Network 0x0000000196951f6c 0x00000001968dc000 + 483180 6 Network 0x0000000196952000 0x00000001968dc000 + 483328 7 libswiftCore.dylib __swift_release_dealloc + 56 8 libswiftCore.dylib bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) + 152 9 libswiftCore.dylib void multiPayloadEnumFN<&handleRefCountsDestroy>(swift::TargetMetadata<swift::InProcess> const*, swift::LayoutStringReader1&, unsigned long&, unsigned char*) + 248 10 libswiftCore.dylib swift::swift_cvw_arrayDestroy(swift::OpaqueValue*, unsigned long, unsigned long, swift::TargetMetadata<swift::InProcess> const*) + 1172 11 libswiftCore.dylib _$sSp12deinitialize5countSvSi_tF + 40 12 CollectionsInternal ___swift_instantiateGenericMetadata + 1236 13 CollectionsInternal ___swift_instantiateGenericMetadata + 388 14 CollectionsInternal ___swift_instantiateGenericMetadata + 1044 15 libswiftCore.dylib __swift_release_dealloc + 56 16 libswiftCore.dylib bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) + 152 17 Network 0x000000019695f9fc 0x00000001968dc000 + 539132 18 Network 0x000000019695f9bc 0x00000001968dc000 + 539068 19 libswiftCore.dylib __swift_release_dealloc + 56 20 libswiftCore.dylib bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) + 152 21 libswiftCore.dylib swift_cvw_destroyImpl(swift::OpaqueValue*, swift::TargetMetadata<swift::InProcess> const*) + 212 22 Network 0x0000000196def5d8 0x00000001968dc000 + 5322200 23 Network 0x0000000196ded130 0x00000001968dc000 + 5312816 24 libswiftCore.dylib __swift_release_dealloc + 56 25 libswiftCore.dylib bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) + 152 26 Network 0x000000019695fde0 0x00000001968dc000 + 540128 27 libobjc.A.dylib object_cxxDestructFromClass(objc_object*, objc_class*) + 116 28 libobjc.A.dylib objc_destructInstance_nonnull_realized(objc_object*) + 76 29 libobjc.A.dylib __objc_rootDealloc + 72 30 Network 0x000000019695f99c 0x00000001968dc000 + 539036 31 Network 0x000000019695fae4 0x00000001968dc000 + 539364 32 Network 0x0000000196b078b8 0x00000001968dc000 + 2275512 33 libobjc.A.dylib object_cxxDestructFromClass(objc_object*, objc_class*) + 116 34 libobjc.A.dylib objc_destructInstance_nonnull_realized(objc_object*) + 76 35 libobjc.A.dylib __objc_rootDealloc + 72 36 Network 0x0000000196b07658 0x00000001968dc000 + 2274904 37 Network 0x00000001968e51d4 nw_queue_context_async_if_needed + 92 38 Network 0x0000000197686ea0 0x00000001968dc000 + 14331552 39 libswiftCore.dylib swift::swift_cvw_arrayDestroy(swift::OpaqueValue*, unsigned long, unsigned long, swift::TargetMetadata<swift::InProcess> const*) + 436 40 libswiftCore.dylib _$sSp12deinitialize5countSvSi_tF + 40 41 CollectionsInternal ___swift_instantiateGenericMetadata + 1236 42 CollectionsInternal ___swift_instantiateGenericMetadata + 388 43 CollectionsInternal ___swift_instantiateGenericMetadata + 1044 44 libswiftCore.dylib __swift_release_dealloc + 56 45 libswiftCore.dylib bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1> >::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int) + 152 46 Network 0x000000019694a010 0x00000001968dc000 + 450576 47 libobjc.A.dylib object_cxxDestructFromClass(objc_object*, objc_class*) + 116 48 libobjc.A.dylib objc_destructInstance_nonnull_realized(objc_object*) + 76 49 libobjc.A.dylib __objc_rootDealloc + 72 50 Network 0x0000000196a330e0 0x00000001968dc000 + 1405152 51 Network 0x00000001974378e0 0x00000001968dc000 + 11909344 52 Network 0x0000000196a17178 0x00000001968dc000 + 1290616 53 libdispatch.dylib __dispatch_call_block_and_release + 32 54 libdispatch.dylib __dispatch_client_callout + 16 55 libdispatch.dylib _dispatch_workloop_invoke.cold.4 + 32 56 libdispatch.dylib __dispatch_workloop_invoke + 1980 57 libdispatch.dylib __dispatch_root_queue_drain_deferred_wlh + 292 58 libdispatch.dylib __dispatch_workloop_worker_thread + 692 59 libsystem_pthread.dylib __pthread_wqthread + 292 ------ Exception Type: SIGSEGV SEGV_ACCERR Exception Codes: fault addr: 0x0000000000000100 Crashed Thread: 4 2. Behavior & Context The crash occurs during normal HTTPS networking using standard URLSession (no direct usage of Network.framework nor boringssl APIs). It appears to be triggered during QUIC connection establishment or TLS fallback. The stack trace contains no application code frames — all symbols are from system libraries. The crash strongly indicates double-free, over-release, or dangling pointer inside nw_protocol_boringssl_options deallocation. 3. Questions for Apple Is this a known issue in iOS 26 within Network.framework / boringssl related to nw_protocol_boringssl_deallocate_options? What is the root cause of the over‑release / invalid objc_release in this path? Is there a workaround we can implement from the app side (e.g., disabling QUIC, adjusting TLS settings, or queue configuration)? Do you have a target iOS version or patch where this issue will be fixed? We can provide full crash logs and additional metrics upon request. 4. Additional Information Developed using Swift 5, with a deployment target of iOS 12+. Thank you for your support.

Dear Apple Developer Technical Support, I am currently developing a macOS network filtering solution using NetworkExtension with NEFilterDataProvider. During implementation of the handleOutboundData logic, we are using the following verdict: NEFilterNewFlowVerdict.filterDataVerdict( withFilterInbound: true, peekInboundBytes: InboundPeekBytes, filterOutbound: true, peekOutboundBytes: OutboundPeekBytes ) However, we have encountered an issue when SMB traffic is involved. When SMB protocol communication occurs, the network connection occasionally becomes unresponsive or appears to stall when peekOutboundBytes is set to a large value. Through testing, we observed the following behavior: On some systems, reducing the peekOutboundBytes value allows SMB communication to proceed normally. On other systems, even relatively small values can still cause the SMB connection to stall. This behavior appears inconsistent across different macOS environments. Because of this, we would like to clarify the following: Is there a documented or recommended maximum value for peekOutboundBytes when using NEFilterNewFlowVerdict.filterDataVerdict? Are there any internal limits or constraints within NetworkExtension that could cause SMB traffic to stall when the peek buffer size is too large? Are there best practices for selecting appropriate peekInboundBytes / peekOutboundBytes values when filtering high-throughput protocols such as SMB? If necessary, we can provide additional information such as macOS version, test environment details, and logs. Thank you for your assistance. Best regards, sangho

We began storing our users' appTransactionID as a quick lookup identifier for purchase history as it is back-dated and consistent between installs and can be signed by Apple. We've read through both the Storekit documentation and the app transfer documentation, but wanted to verify that a users appTransactionID remains consistent after an app has been transferred from one Apple developer account to another (assuming they have the proper shared secret info)? Basically, would the new developer team be seeing the same appTransactionID our current team sees for an existing user post-transfer?

We use AppShortcutsProvider with a parameterized App Shortcut. One of the entities has a dynamic display title (e.g. "Everyone is searching: {keyword}") that comes from UserDefaults and is returned in EntityQuery.suggestedEntities() and entities(for:). When we change the keyword and call updateAppShortcutParameters(), the Shortcuts app updates and shows the new title. In Spotlight (Siri Suggestions), the displayed title stays on the old value (e.g. still shows "Everyone is searching: 456" after we switched to "123"). On tap, the shortcut runs with the new value (123), so the execution is correct; only the displayed title in Spotlight is stale. Question: Is this expected? Is there any API or recommended approach to invalidate or refresh the Spotlight suggestion so the displayed title matches the current parameter, or should we avoid dynamic titles for the first suggestion for better UX?

I have several macOS applications that use CloudKit. I need to test and finds out what happens when the user signs out of their iCloud account. That's because the application may lose data after signing out and then signing in again. Every time I do that, it'll take 15, 20 minutes... I don't time it, but it takes quite a gigantic time to sign out as the spinner keeps rolling. Why does it take so long to just sign out? This sign out effect is untestable because it takes a long time to sign out of an iCloud account and then make changes to the code and then test again. In case you need to know, my system version is Sequoia 15.7.

aka MKLocalSearch.Request in Swift. Today my users reported that our address auto-complete functionality was returning strange results. We narrowed the issue down to pointOfInterestFilter being set. Sample code below: MKLocalSearchRequest *request = [[MKLocalSearchRequest alloc] init]; request.region = self.region; request.naturalLanguageQuery = addressString; request.resultTypes = MKLocalSearchResultTypeAddress; request.pointOfInterestFilter = [MKPointOfInterestFilter filterIncludingAllCategories]; That last line is the problem. When I stopped setting request.pointOfInterestFilter the MKLocalSearch started working as it always had. To further hammer home the point, with request.pointOfInterestFilter unset I set resultTypes to MKLocalSearchCompleterResultTypePointOfInterest (aka .pointOfInterest) and the issue returned. It seems Apple made a change on their backend recently such that pointOfInterestFilter now overrides resultTypes.

I'm building a macOS network monitor using NEFilterDataProvider as a system extension, distributed with Developer ID signing. On macOS 26.3 (Tahoe), sysextd consistently rejects the activation request with "no policy, cannot allow apps outside /Applications" — despite the app being in /Applications and passing every verification check. I'm aware of the known Xcode NE signing bug (r. 108838909) and have followed the manual signing process from Exporting a Developer ID Network Extension. I've also tried both xcodebuild build and xcodebuild archive workflows — identical failure. Environment macOS 26.3 (25D125), SIP enabled Xcode 26.3 (17C529) Hardware Apple M2 Pro Certificate Developer ID Application (issued Jan 30, 2026 — 27 days old) MDM/Profiles None installed Signing & Verification (all pass) $ spctl -a -vv /Applications/Chakshu.app /Applications/Chakshu.app: accepted source=Notarized Developer ID origin=Developer ID Application: ROBIN SHARMA (R65679C4F3) $ codesign --verify --deep --strict -vv /Applications/Chakshu.app /Applications/Chakshu.app: valid on disk /Applications/Chakshu.app: satisfies its Designated Requirement $ xcrun stapler validate /Applications/Chakshu.app The validate action worked! App signing: Authority=Developer ID Application: ROBIN SHARMA (R65679C4F3) Authority=Developer ID Certification Authority Authority=Apple Root CA TeamIdentifier=R65679C4F3 Runtime Version=26.2.0 Notarization Ticket=stapled App entitlements: com.apple.application-identifier = R65679C4F3.dev.indrasvat.chakshu com.apple.developer.team-identifier = R65679C4F3 com.apple.developer.system-extension.install = true com.apple.developer.networking.networkextension = [content-filter-provider-systemextension] keychain-access-groups = [R65679C4F3.*] Extension signing: Same Developer ID authority, same team, same timestamp. Extension entitlements match (minus system-extension.install). Developer ID provisioning profiles are embedded in both app and extension. What sysextd logs Captured Feb 26, 2026 from log stream --predicate 'process == "sysextd"': sysextd [com.apple.sx:XPC] client activation request for dev.indrasvat.chakshu.filter sysextd attempting to realize extension with identifier dev.indrasvat.chakshu.filter sysextd (Security) SecKeyVerifySignature ← pass (×2) sysextd (Security) SecTrustEvaluateIfNecessary ← pass (×2) sysextd [com.apple.xpc:connection] activating connection: name=com.apple.CodeSigningHelper sysextd [com.apple.xpc:connection] invalidated after the last release sysextd no policy, cannot allow apps outside /Applications sysextd [com.apple.sx:XPC] client connection invalidated Signature and trust evaluation pass. CodeSigningHelper completes. Then the policy check fails. The app receives OSSystemExtensionError code 4 (extensionNotFound). What I've tried and ruled out Build process: Approach Result xcodebuild build -configuration Release + manual re-sign Same failure xcodebuild archive + export from archive + manual re-sign (per thread/737894) Same failure Minimal hand-crafted Xcode project (no xcodegen, trivial code) Same failure Both workflows follow Quinn's process exactly: build with Apple Development → copy app → embed Developer ID provisioning profiles → re-sign inside-out (extension first, then app) with -systemextension suffix entitlements → notarize → staple → install to /Applications. System-level checks: Rebooting — no change Killing sysextd — no change Removing com.apple.quarantine xattr — no change chown root:wheel on app bundle — no change lsregister -r (reset Launch Services) — no change Waiting 27 days for certificate propagation — no change Reinstalling via Finder drag-to-Applications — no change No MDM or configuration profiles installed /Library/SystemExtensions/db.plist shows extensionPolicies: [] (empty) Key observation Pre-existing network extensions activated before macOS 26 work fine on this machine. For example, Tailscale's NEPacketTunnelProvider shows state: activated_enabled in the system extensions database — it was activated on a prior macOS version and is still running. Only new system extension activations fail. I've seen similar Tahoe-specific reports from LuLu (same NEFilterDataProvider type, Developer ID distribution): LuLu #825 LuLu #831 Questions Is this a known regression in macOS 26's sysextd policy evaluation for new Developer ID system extension activations? sysextd's policy check fails after all signature and trust evaluation succeeds. Is there a separate trust/policy path that sysextd consults beyond what spctl, codesign, and CodeSigningHelper verify? Is there anything else I should be checking? I have a sysdiagnose captured immediately after the failure, a minimal reproducer project, and full raw sysextd logs available on request.