While attempting to read a user’s daily step history spanning backward to the last 7 days, a small but consistent subset of users encounter Error Code 3 with the underlying error description: Error Code 3 "Unable to invalidate interval: no data source available." When this error occurs, we are entirely unable to read their step history. We have received ~10 direct user reports of this within the last couple of weeks.

Hi, We are able to successfully perform in-app provisioning and add cards to the native wallet. However, we are unable to retrieve the existing card status from the wallet. Even when the card is already added to the device or Apple Watch, the status is always returning as false for both. Could you please let us know if there are any additional configurations, entitlements, or issuer onboarding steps required to retrieve the existing card status from Apple Wallet?

Hello, I am working on a network security and DLP (Data Loss Prevention) solution. A core requirement of our architecture is the ability to modify network traffic payloads in-flight (e.g., stripping sensitive data or altering packets). So, the only way to implement this is via the NETransparentProxyProvider which allows us to handle, evaluate, and modify network flows (NEAppProxyFlow). However, because this is such a powerful mechanism, my primary goal is to ensure the absolute stability of the operating system. I want to minimize the risk of interfering with core Apple services. When evaluating a flow, I have access to NEFlowMetaData, specifically properties like sourceAppUniqueIdentifier and sourceAppAuditToken. Could you please assist me with the following questions: Is there a recommended list of Apple system Application IDs (Bundle IDs) or executable names that should be strictly bypassed (ignored) by the Network Extension to maintain system integrity? Since system daemons can change between OS releases, are there any programmatic best practices or specific rules to dynamically identify core OS traffic that must not be intercepted? Are there any specific network ports or protocols that Apple strongly recommends excluding from NENetworkRule matches at the proxy provider configuration level to ensure daemons like apsd or mDNSResponder function correctly? Thank you in advance.

Hello, I'm evaluating possibility to use virtualization to setup on-permise parallel testing system for a product I work on. My compatibility range is wide, i.e. it would cover macOS 12 - 26, so any testcase needs to be executed on at least 5 different OS versions (and introducing any parallization to the test execution would mean I deal with higher number of VMs). As far as I understand, there is a constraint in Apple Software License, that limits number of OS VM installations per one physical system to 2 (section 2.B.(iii)) in case of OS downloaded from the Internet or through App Store. Clearly these days a single high-end Mac hardware could sustain more than 2 VMs running in parallel. The license also mentions it is also possible to be in a volume or maintenance license program and then the terms of this program apply instead. So I wonder how do people normally deal with the above limitation? What is the path I need to follow if I want to be able to run more than "2 additional copies or instances of" macOS on my VMs?

Hello, with macOS' and iOS' recent updates (26.4.x), Handoff in my app appears to have become dysfunctional, as I receive the following message in the logs: getContinuationStreamsWithCompletionHandler(), inputStream=(null) outputStream=(null) error=Error Domain=NSPOSIXErrorDomain Code=94 "Bad message" UserInfo={NSLocalizedDescription=Could not set up internal streams} It ONLY works: From a Mac with 15.x to other Macs or iOS devices (on 26.4.x). All other combinations (see below) do NOT work: iOS (26.4.x) > iOS (26.4.x) iOS (26.4.x) > Mac (26.4.x) iOS (26.4.x) > Mac (15.x) Mac (26.4.x) > iOS (26.4.x) The Handoff prompt is shown in the Dock on Mac, in the app switcher on iOS, and in the Dock on iPadOS, but once I click/press it, I get the continuationStreams error. Now, is it my app, or the OS? Thank you kindly, – Matthias

I'm trying to update the iCloud data handling in our app, and I'm running into an issue with a particular file on one particular device. This file never downloads & I haven't been able to pinpoint what's off about it. Right now we just have 2 iCloud accounts & a handful of devices, so I haven't been able to narrow it down yet, but in most cases, all the cloud files download as expected. However, whether or not the file eventually downloads, the NSURLUbiquitousItemDownloadRequestedKey key seems to be completely useless. For the following code: NSError *error = nil; BOOL success = [[NSFileManager defaultManager] startDownloadingUbiquitousItemAtURL:self.fileURL error:&error]; if (!success) { NSLog(@"error downloading %@ : %@", self.fileURL, error); } else { NSDictionary *resourceValues = [self.fileURL resourceValuesForKeys:@[NSURLUbiquitousItemDownloadRequestedKey, NSURLUbiquitousItemIsDownloadingKey, NSURLUbiquitousItemDownloadingErrorKey, NSURLUbiquitousItemDownloadingStatusKey] error:&error]; if (!error) { NSString *downloadStatus = resourceValues[NSURLUbiquitousItemDownloadingStatusKey]; bool downloadRequested = [resourceValues[NSURLUbiquitousItemDownloadRequestedKey] boolValue]; NSLog(@"download requested: %d", downloadRequested); } // ... } downloadRequested is always false, regardless of whether or not the cloud file eventually downloads. I have 2 questions: is there a way to actually check if a download has been requested for a file? what could be preventing this file from downloading? -startDownloadingUbiquitousItemAtURL:error: doesn't report an error, NSURLUbiquitousItemDownloadingErrorKey is always nil, and no error is reported in the NSMetadataQuery observer.

Hello, I have followed the instructions in https://developer.apple.com/documentation/backgroundassets to setup background asset to work on the iPhone. I am able to confirm successfully test the asset packs locally on the iPhone. However, when I try to run the my test code on the Mac (Designed for iPad), I get this error. BackgroundAssets/AssetPackManager.swift:206: Fatal error: The app couldn’t be validated: The bundle’s info dictionary lacks a string value for the key “BAAppGroupID”. Is this feature not supported on the Mac?

I’m investigating Core Data lightweight migration behavior with SQLite and ran into a performance issue. Scenario: Model V1: EntityA has one fetchIndex Model V2: EntityA adds a new optional attribute timestamp (Integer 64), with no changes to existing attributes or fetchIndex definitions From a SQLite perspective, this change should be handled by a simple: ALTER TABLE ZENTITYA ADD COLUMN ZTIMESTAMP INTEGER But I observe that Core Data rebuilds the existing index, which becomes a significant performance issue for large databases. CoreData: sql: DROP INDEX IF EXISTS Z_EntityA_id CoreData: sql: ALTER TABLE ZENTITYA ADD COLUMN ZTIMESTAMP INTEGER CoreData: sql: CREATE INDEX IF NOT EXISTS Z_EntityA_byID ON ZENTITYA Question: Is there any way to avoid or bypass index rebuilding for this kind of schema changes?

Hello Everyone, Like probably several other Enterprise customers and more, we have been bitten by a bug with regards to VPN and Endpoint Security and the new M5 / M5 Pro SoCs shipping in the latest MacBook devices. I have raised the following feedback IDFB22753954 (which itself references an internal issue I believe, if we need to mark it as a dupe: 172793638 ). The technical sequence leading to the crash is as follows I believe: The macOS system process neagent successfully initializes the GlobalProtect network extension. The GP Network extension transitions from an 'inactive' state to a 'running' state. As network traffic begins flowing through the extension, a critical flaw in the macOS kernel's memory allocation (specifically related to the Apple Network Extension framework) is triggered. This memory management failure at the kernel level results in a kernel panic at an unpredictable point during packet processing. Because this is a core operating system vulnerability, any third-party application or security solution that leverages Apple's Network Extension framework is susceptible to these crashes. This has been confirmed across multiple vendors within the cybersecurity industry from what I understand. Crashes_M5Pro_1.txt Thank you in advance for your help! Kind Regards, Goffredo

CloudKit CKRecordZone Deletion Issue Problem: CloudKit record zones deleted via CKDatabase.modifyRecordZones(deleting:) or CKModifyRecordZonesOperation are successfully removed but then reappear. I suspect they are automatically reinstated by CloudKit sync, despite successful deletion confirmation. Environment: SwiftData with CloudKit integration Custom CloudKit zones created for legacy zone-based sharing Observed Behavior: Create custom zone (e.g., "TestZone1") via CKDatabase.modifyRecordZones(saving:) Copy records to zone for sharing purposes Delete zone using any CloudKit deletion API - returns success, no errors Immediate verification: Zone is gone from database.allRecordZones() After SwiftData/CloudKit sync or app restart: Zone reappears Reproduction: Tested with three different deletion methods - all exhibit same behaviour: modifyRecordZones(deleting:) async API CKModifyRecordZonesOperation (fire-and-forget) CKModifyRecordZonesOperation with result callbacks Zone deletion succeeds, change tokens (used to track updates to shared records) cleaned up But zones are restored presumably by CloudKit background sync Expected: Deleted zones should remain deleted Actual: Zones are reinstated, creating orphaned zones

I'm hitting a kernel-side rejection on IOServiceOpen from a host app against my DEXT's IOUserService, before any code in my DEXT's NewUserClient runs. DEXT activation and USB matching succeed; only the user-client connection fails. What works DEXT activates and shows as [activated enabled] in systemextensionsctl list. DEXT matches IOUSBHostInterface for the target device and Start() runs to completion. Inside Start(), CopyInterface() returns successfully and CopyPipe() for the expected endpoints all succeed. Host app receives the matching notification for the DEXT's IOUserService and calls IOServiceOpen(service, mach_task_self(), 0, &connect). What fails IOServiceOpen returns kIOReturnError (0xE00002BC). My DEXT's NewUserClient override is never reached — verified by the absence of any breadcrumb log and by stepping through under lldb (no entry on the DEXT side). This reproduces both with: The original com.apple.developer.driverkit.userclient-access entitlement listing the host bundle ID. The dev fallback com.apple.developer.driverkit.allow-any-userclient-access = true on host + DEXT. (Background: the App ID portal has the bundle-ID list for userclient-access stored as a single newline-joined string instead of separate array entries — see Support Thread 822652 — so I've been using allow-any-userclient-access = true for now. The IOServiceOpen failure persists either way.) Diagnostics I can't get I'd like to confirm the kernel-side rejection reason, but DEXT os_log output is suppressed in Console and: sudo log config --process <dext-pid> --mode "level:debug" log: Unable to set mode for pid <dext-pid> I've tried by PID and by subsystem; both refuse. SIP is in its default state. Any pointer to the correct invocation (or a Configuration Profile to enable DriverKit verbose logging) would unblock me. Environment macOS 26.3.1 (build 25D2128) Xcode 26.3 (build 17C529) Host app: AppKit, sandboxed, Mac App Store distribution DEXT: matches IOUSBHostInterface on idVendor: 0x1452 (DNP) and (pending capability approval) 0x1343 (Citizen) Entitlements on host: com.apple.developer.driverkit, com.apple.developer.driverkit.userclient-access (or allow-any-userclient-access = true for dev) Entitlements on DEXT: com.apple.developer.driverkit, com.apple.developer.driverkit.transport.usb, com.apple.developer.driverkit.allow-any-userclient-access for dev Questions Is IOServiceOpen → kIOReturnError before NewUserClient always an entitlement/sandbox check failure, or are there other kernel-side reasons (matching score, IOService class hierarchy mismatch) that produce the same generic code? What's the correct way to enable DEXT os_log capture so I can see the rejection reason? Is there a known interaction between a malformed userclient-access array on the App ID (Forums Thread 822652) and the kernel's user-client authorization path that would persist even after switching to allow-any-userclient-access = true? Sample profiles, codesign output, and the exact matching dictionary available on request. Thanks.

Hello everyone, I am migrating a legacy KEXT to a DriverKit (DEXT) architecture. While the DEXT itself is working correctly, I am completely blocked by a code signing issue when trying to establish the UserClient connection from our SwiftUI management app. Project Goal & Status: Our DEXT (com.accusys.Acxxx.driver) activates successfully (systemextensionsctl list confirms [activated enabled]). The core functionality is working (diskutil list shows the corresponding disk device node). The Core Problem: The userclient-access Signing Error To allow the app to connect to the DEXT, the com.apple.developer.driverkit.userclient-access entitlement is required in the app's .entitlements file. However, as soon as this entitlement is added, the build fails. Both automatic and manual signing fail with the same error: `Provisioning profile ... doesn't match the entitlements file's value for the ... userclient-access entitlement.` This build failure prevents the generation of an .app bundle, making it impossible to inspect the final entitlements with codesign. What We've Confirmed: The necessary capabilities (like DriverKit Communicates with Drivers) are visible and enabled for our App ID on the developer portal. The issue persists on a clean system state and on the latest macOS Sequoia 15.7.1. Our Research and Hypothesis: We have reviewed the official documentation "Diagnosing issues with entitlements" (TN3125). According to the documentation, a "doesn't match" error implies a discrepancy between the entitlements file and the provisioning profile. Given that we have tried both automatic and manual profiles (after enabling the capability online), our hypothesis is that the provisioning profile generation process on Apple's backend is not correctly including the approved userclient-access entitlement into the profile file itself. The build fails because Xcode correctly detects this discrepancy. Our Questions: Did we misunderstand a step in the process, or is the issue not with the entitlement request at all? Alternatively, are there any other modifications we can make to successfully connect our App to the DEXT and trigger NewUserClient? Thank you for any guidance.

Hey . So i'm building a screentime app whereby users can add an accountability partner who will be able to see their total screentime.(no app breakdowns included) . This will require me to send the data to firebase realtime database and retrieve for the accountability partner to see. Problem is , I've literally tried everything but the screentime still shows 0m on the accountabiliy partner's end. I need the data to be displayed rounded down to the nearest 0.5 e.g 1hr43mins ->1.5hrs+ ,2.0hrs+ ,3.5hrs+ , meaning it only moves when a threshold is crossed by the user. (this is to save database costs). Anyway i'd really appreciate if someone could help me out here. Thanks

Our backup app runs as a LaunchDaemon, has APFS-snapshot entitlement, and attempts to read and back up dataless files/directories by calling setiopolicy_np(IOPOL_TYPE_VFS_MATERIALIZE_DATALESS_FILES, IOPOL_SCOPE_THREAD, IOPOL_MATERIALIZE_DATALESS_FILES_ON) before reading files/directories. This worked for a while but lately has been producing many ETIMEDOUT errors for our users, especially for iCloud files but sometimes for FileProvider files e.g. Dropbox. We've attempted to wait up to 5 minutes and retry, but the ETIMEDOUT error persists. In many cases the errors stop hours or days later. Some users report that clicking the icon in the Finder and telling the Finder to "download" the file/directory (for iCloud files) successfully downloads the file data, and then backups proceed without error. Why is the user able to easily materialize dataless files but our app isn't? What is the correct approach for backing up these files/directories? What APIs can we use to determine the actual issue with a given dataless file/directory that's giving us a read error?

I requested "DirverKit UserClient Access" Entitlement, But I Distribute App failed. I don't know the reason. I think when I request "DirverKit UserClient Access" I make a mistake. I fill in two Bundle ids in the "Request a System Extension or DriverKit Entitlement" form's "UserClient Bundle IDs" item. The reason is when I Add "DirverKit UserClient Access" Capability in the project of Xcode. The .entitlements file is like this: <string>com.turing.TuringTouch com.turing.TuringTouch.TouchDriver</string> But in "Signing" of Xcode's "Bundle Identifier" can fill in only on "Identifier" therefore they do not match. So I can't Distribute App. I reapply "DirverKit UserClient Access" Entitlement. But decline. The result is "decline". Please help me. Please tell me, how should can I do now? Thank you very much.

Hello, I submitted a request for Family Controls (Distribution) approval, and it has now been over 12 days without any update on the status. I understand that review times can vary, but I wanted to check if this delay is expected or if there’s anything I might need to do on my end to help move the process forward. Could anyone from the Apple team or the community provide insight into: Typical processing times for Family Controls distribution requests Whether delays beyond a few days are common Any steps I should take to follow up or expedite the review For reference: Status: Submitted Submission time: April 29, 2026 Any guidance would be greatly appreciated. Thank you!

Hi, I have a problem with watchOS widget configuration intents. It turns out that watchOS is unable to load text for localization keys. This is how I set configuration parameter in WidgetConfigurationIntent: @Parameter( title: LocalizedStringResource( "watchWidgetConfig.showSymbols", defaultValue: "Symbole", table: "WidgetLocalizable", bundle: widgetBundle ), default: true ) var showSymbols: Bool Unfortunately, on a device always the defaultValue is used. I tried everything and nothing works. What's weird, it correctly works on watchOS simulator and if you configure widgets in iOS "Watch" app. On real Apple Watch, the "defaultValue" is displayed. I'm not sure if it's important but both: the Swift file with WidgetConfigurationIntent and WidgetLocalizable.xcstring are included in two targets: Watch Widget Extension and Watch App. I tried so far: All variants of LocalizableStringResource init. With/without "table", with/without "bundle". Previously I had texts in Localizable.strings, I migrated it to WidgetLocalizable.xcstrings and it didn't work either. Setting only one target for WidgetLocalizable.xcstring and WidgetConfigurationIntent. I checked inside xcarchive to see if WidgetLocalizable.xcstring is copied correctly. Seems like watchOS bug, but I would be happy to know if someone figured out any workaround. Xcode: Version 26.4 (17E192) iOS 26.4.1 watchOS 26.4 I already created a ticket: FB22509406

We are seeing a CloudKit private database failure for this specific container: iCloud.com.matrixqlc.photodiet.sync Failure pattern: accountStatus succeeds in some cases ensure/create custom zone succeeds but record/database-level operations consistently fail with: CKErrorDomain code = 15 CKInternalErrorDomain code = 2000 HTTP 500 Failing operations include: allRecordZones() databaseChanges(since:nil) allSubscriptions() fetch record zone metadata save record fetch record query records What makes this unusual is that the issue follows the container, not the app. On the same physical device, same Apple ID, same developer team: PhotoDiet + iCloud.com.matrixqlc.photodiet.sync => fails RepaymentCalculator + iCloud.com.matrixqlc.photodiet.sync => fails PhotoDiet + iCloud.com.matrixqlc.repaymentcalculator.sync2 => succeeds RepaymentCalculator + iCloud.com.matrixqlc.repaymentcalculator.sync2 => succeeds So this does not currently look like: app-specific entitlement/provisioning issues device/account issues CloudKit API misuse in one app record schema or app business logic issues It currently looks like the container iCloud.com.matrixqlc.photodiet.sync itself may be in a bad backend state. Sample request identifiers: RequestUUID: C8403047-0037-4D36-A7A7-CF3C83584A42 RequestUUID: 04437D9D-115E-45F5-87B5-A8CD146AE705 RequestUUID: C924B620-BAEE-403D-B944-151ADCF3419F RequestUUID: A54E79E1-6037-4533-BA09-18FBC436851C RequestUUID: 3EFD8913-3781-47CF-A48C-B651BF38EA50 RequestUUID: 2677A991-40B3-42AB-9CE5-3C4F1288EE08 Feedback Assistant ID: FB22539748 Has anyone seen a container-specific CloudKit private database failure like this, where multiple apps under the same team can access one container normally but consistently fail on another container with CKError 15 / HTTP 500?

Hello, I'm experiencing a bug on iOS 26.5 RC1/RC2 where the Blood Pressure option is silently excluded from the HealthKit permission dialog (when requesting HKQuantityTypeIdentifierBloodPressureSystolic and HKQuantityTypeIdentifierBloodPressureDiastolic). This does not reproduce on iOS 26.4.2 or earlier. What happens: When BP types are requested alone, a blank white modal slides up and immediately dismisses — no permission UI is shown. When BP is requested alongside other types, a normal dialog appears for those other types, but Blood Pressure is simply absent from the list. The completion handler returns success = YES, error = nil in both cases, but BP permission is never granted. The result: Settings → Privacy & Security → Health → [app] shows Blood Pressure as requested but not granted getRequestStatusForAuthorizationToShareTypes for the BP types keeps returning ShouldRequest indefinitely HealthKit queries for BP samples return no data Workaround: Manually toggling Blood Pressure to ON in Settings → Privacy & Security → Health → [app name] fixes everything - queries work, notifications fire, and getRequestStatusForAuthorizationToShareTypes correctly returns HKAuthorizationRequestStatusUnnecessary. Environment: Confirmed broken: iOS 26.5 RC1 (23F75) and RC2 (23F77), iPhone 11; iOS 26.5 RC1 (23F73), simulator Confirmed working: iOS 26.4.2 (device), iOS 26.4.1 (simulator) Feedback filed as FB22735935.

Hey! App is approved for Advanced Commerce API and have generic product id (Consumable) for digital items purchasing. Uncertain on ho to test flow of pending purchase changing it's status to failed. As by docs BE side handling creating jws for purchase (also creates order to keep track of which items user bought) app with signed jws initiate purchase via product.purchase (send data for advancedCommercialData in options). If product purchase returns status .pending (still no transaction created) I notify BE that for that item (using item SKU) user has pending status for purchase, so that when user attempts to buy this exact item we do not create order duplicate. So the first question - do we need to check if user already made an attempt to buy this item and if item purchasing is pending decline another attempt of buying it? If user sends several requests to buy item under similar SKU for advanced commerce api do all of them will be charged or only one (does apple check SKU value when making a purchase of consumable product via advanced commerce api)? Another question is how to test purchase returns pending status for consumable item via advanced commerce api and then for that item (by SKU) changes status from pending to success? How to know (and eventually) test that after purchase of item via advanced commerce api firstly returns .pending status and then changes to .failure? I want to prevent users from trying to create order duplicates for single item, so when product purchase returns pending status I sent to BE id of item and order for this item on BE side will be marked as pending. So if user tries to buy this exact item once more and status of order on BE still .pending no new purchase will be initiated. So I need to know when purchase changes it's status to failed and then delete pending order on BE side, so that user will have an ability to initiate purchase for this item once more. How to tell whether .pending status for item changes to failed, will I be able in case of failed gather SKU that I previously passed in advancedCommercialData)?