TCC Permission Inheritance for Python Process Launched by Swift App in Enterprise Deployment We are developing an enterprise monitoring application that requires a hybrid Swift + Python architecture due to strict JAMF deployment restrictions. We must deploy a macOS application via ABM/App Store Connect, but our core monitoring logic is in a Python daemon. We need to understand the feasibility and best practices for TCC permission inheritance in this specific setup. Architecture Component Bundle ID Role Deployment Swift Launcher com.athena.AthenaSentry Requests TCC permissions, launches Python child process. Deployed via ABM/ASC. Python Daemon com.athena.AthenaSentry.Helper Core monitoring logic using sensitive APIs. Nested in Contents/Helpers/. Both bundles are signed with the same Developer ID and share the same Team ID. Required Permissions The Python daemon needs to access the following sensitive TCC-controlled services: Screen Recording (kTCCServiceScreenCapture) - for capturing screenshots. Input Monitoring (kTCCServiceListenEvent) - for keystroke/mouse monitoring. Accessibility (kTCCServiceAccessibility) - a prerequisite for Input Monitoring. Attempts & Workarounds We have attempted to resolve this using: Entitlement Inheritance: Added com.apple.security.inherit to the Helper's entitlements. Permission Proxy: Swift app maintains active event taps to try and "hold" the permissions for the child. Foreground Flow: Keeping the Swift app in the foreground during permission requests. Questions Is this architecture supported? Can a Swift parent app successfully request TCC permissions that a child process can then use? TCC Inheritance: What are the specific rules for TCC permission inheritance between parent/child processes in enterprise environment? What's the correct approach for this enterprise use case? Should we: Switch to a Single Swift App? (i.e., abandon the Python daemon and rewrite the core logic natively in Swift). Use XPC Services? (instead of launching the child process directly).

The question: Is there any chance that Apple will integrate Intune SDK into Apple apps such as Mail or Calendar, or create Siri-compatible Intune SDK-integrated versions of Mail and Calendar? The reason for the question: My team has been asked by VIPs in our company (e.g. execs and board members) if Siri can be used with Outlook, and the only way is through Shortcuts or by adding the Outlook account to Mail. Both of these options would violate our security policies for these reasons: Since our company policy and federal regulations don't permit us to allow access to company resources on non-MAM-protected apps, we can't allow our users to login to the Mail app and make full use of Siri, due to the lack of MAM controls for Mail and Calendar. We only allow users to transfer data between policy-managed apps which have integrated the Intune SDK allowing us to enforce DLP and other security measures. The only way to enable Shortcuts would be to disable these security measures.

We’re facing an issue when trying to install an enterprise-distributed iOS app on devices running iOS 18.5. During installation, we receive this error message: “This iOS app requires a newer version of iOS. You need to update this iPhone to iOS 26.0 to install this app.” However, in Xcode 26.0.1, our app’s minimum deployment target is explicitly set to iOS 17.6. After adding this step and the app result is unable to install the app on ios 18.5 and message getting as per the above quotes. Kindly help me out this issues.

Hi all,Our Account Holder has resigned the company and is not helpful in getting the account transferred.Can we somehow force update the account holder via Apple Support?Kind regards,Dieter

We have been using passthrough in screen capture since visionOS26 with broadcast upload extension which was working in visionOS2.2 but now with visionOS26 it doesn't update. It fails with Invalid Broadcast session started, after a few seconds of starting the broadcast session. Is there a bug filed for it? or is it a known bug for it?

Hello friends, I am trying to get an Apple developer account from Şanlıurfa, Türkiye. I have tried using different cards, but I am getting an error saying the card is not approved.

We have an enterprise app that was developed when the IT group in the U.S. had their own enterprise developer account and HQ in Europe had their own. App's were kept separate for whatever reason. Over the past few years all new app ids etc have been created in HQ account but the local US account still contains this one legacy app ID. The app it's associated with is distributed globally and on tens of thousands of devices. Is there a way to transfer the app id etc to from the local US dev account to the HQ owned global account. I know this is possible with App Store distributed app's but this is an enterprise app that is distributed to our corp owned devices through AirWatch.

I am trying to renew my Apple Developer Program enrollment, but my order has been cancelled six times without any explanation. My setup: macOS version: 26 Tahoe Apple Developer account region: Australia Device: US-manufactured MacBook Payment method: Australian credit card What happens: Every time I attempt to renew, the order is placed but then cancelled by Apple, with no reason given. What I’ve tried: Verified payment details Confirmed account region settings Retried multiple times with the same result Question: Has anyone faced a similar issue with Apple Developer Program enrollment renewal? Could the issue be related to region mismatch (account vs. device vs. payment)? What steps should I take to resolve this, or is there a specific Apple support channel that handles these cases?

I tried to create a new IOS provisioning profile and re-apply it to the app using Xcode to build it, but I got into trouble. The build is good, but it bounces when running the app. I would appreciate it if you could let me know what to do.

Hi, My client has already developed an ios app and they need an enterprise account to publish the app. What are the procedures to create enterprise account?

When an iOS 26.0 device is prepared in supervised mode, wifi connection screen is showing when the device is restarted. This wifi connect appears always on restart. I have tried using Apple Configurator GUI and Command line (cfgutil) command. In both cases, The behavior Wifi screen is showing up on restart for supervised mode. Cfgutil command: cfgutil -C {Certificate} -K {Key} prepare --supervised --name {NAME} --host-cert {Certificate} --skip-all Note: In non-supervised mode and other iOS, the wifi screen is not showing. Apple Configurator version: 2.18 iOS version: 26.0 Device model: iPhone 11 and above. Anyone else facing this issue? Any help is super appreciated.

Hello, I’m facing an issue while trying to add iOS devices to Apple Business Manager (ABM) using Apple Configurator during enrollment. When going through the setup process, the device fails to complete enrollment and times out. I’ve tried it multiple times. The device does appear in ABM during the process and I am able to assign it to different MDM servers but since the setup times out and fails, the device is automatically released. I have tried this with multiple iOS devices and it times out on every single one of them. Steps attempted: Factory reset and re-enrollment of the device Ensured network connectivity is stable and tested on multiple Wi-Fi networks Tried the following process using Apple Configurator on Mac (wired): Created a Wi-Fi profile in Configurator Connected the iPhone via cable and used Prepare (manual configuration) Used the “MDM server” placeholder and trusted anchors (as recommended) Linked the device to the ABM organization Skipped Setup Assistant steps Attached the Wi-Fi profile, then prepared and wiped the device Verified that the device should appear in ABM Attempted to assign the device to my MDM in ABM Despite these checks, the enrollment process times out. I’m attaching a screenshot of the error for reference. Could someone advise what might be causing this timeout or how I can further troubleshoot this? Any guidance would be greatly appreciated. Thanks in advance.

I am working on a project that requires access to the main camera on the Vision Pro. My main account holder applied for the necessary enterprise entitlement and we were approved and received the Enterprise.license file by email. I have added the Enterprise.license file to my project, and manually added the com.apple.developer.arkit.main-camera-access.allow entitlement to the entitlement file and set it to true since it was not available in the list when I tried to use the + Capability button in the Signing & Capabilites tab. I am getting an error: Provisioning profile "iOS Team Provisioning Profile: " doesn't include the com.apple.developer.arkit.main-camera-access.allow entitlement. I have checked the provisioning profile settings online, and there is no manual option for adding the main camera access entitlement, and it does not seem to be getting the approval from the license.

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. I am currently running into two specifc issues while continuing to implement the app.managed configuration which are quite frustrating and I will detail them below Unlike MDM where an application could be "reinstalled", by sending an install application command down for the same app DM does not have a similar mechanism which causes some issues as (while inconsistent) devices do not always respect the configuration sent down, and will not begin downloading VPP applications. They can be seen in the configuration when checking under VPN & Device Management but they do not return on a status report, alternatively and app will "install" but will have a cloud symbol next to it requiring a download (which I believe would be impossible on supervised devices without apple accounts/have restricted apple accounts associated to them). These apps are also reported incorrectly, as they return a managed response while being inaccessible. Both of these issues are solved by removing and reinstall applications (occasionally). Is there any easier way to trigger a re-install or is this the only way to trigger this? The Version element that can be optionally sent down does not seem to work (or if it does, does so inconsistently). A device will very happily download the application initially with the version element present, though when we detect an updated external ID from the VPP program and send down an updated configuration devices behave unexpectedly. Some have ignored it, some have responded back that a download has begun (with no download taking place and the application clearly still being the initial installed version as can be see in the apps page) or it just works, but there is not consistency. I realize a new UpdateBehavior object has been added to possibly handle this, but it is only supported in iOS 26 and above and there are plenty of people who do not have phones that can upgrade that far. Are there alternative ways to enforce an application update other than uninstalling and reinstalling the application without the version (or will sending down a config without a version after one was originally pinned force it to update to latest?) Kind Regards

Dear Suman, Here is Volker, senior Advisor with Developer Support, and I am following up on your case. Thank you for your patience. For one or more reasons, your enrollment in the Apple Developer Program couldn't be completed. We can't continue with your enrollment at this time. You can still take advantage of great content using your Apple Account in Xcode to develop and test apps on your own device. Learn more about Xcode development. If you have any further questions or queries, please feel free to contact us. If you contact us by phone, please reference your case number 102654*******. Developer Support is available Monday to Friday, 8:00 AM through 5:00 PM (GMT+1). Kind regards, Volker Developer Support

I am a developer working on iOS apps. I would like to report an issue occurring in iOS 26 beta 2. Our company has Enterprise account, and we are developing apps. When we distribute these apps, and install them on a device running iOS 26 beta2, apps install successfully, but apps crashed immediately after being launched. MDM Install Application When I install the app via Xcode and trust it, apps will run. Launchd job spawn failed This issue does not occur on versions prior to iOS 26. I would like to know if this is a problem that will be resolved in future updates, or if it is a policy change.

On a supervised device running iOS 18 without any AirDrop restrictions applied, when a profile with allowListedAppBundleIDs restriction key is installed, the AirDrop sound plays. But still the accept prompt does not appear, making it impossible to accept files. The prompt works as expected on iOS 18 devices to which the allowListedAppBundleIDs restriction is not installed. This issue occurs only on supervised iOS 18 devices to which the allowListedAppBundleIDs restriction is being applied. Device must be in iOS 18 version > Install the (allowListedAppBundleIDs restriction) profile with the device > Try to AirDrop files to the managed device. The expected result is that the accept prompt must pop up but it does not appear. This issue is occurring irrespective of any Whitelisted bundle ID being added to the allowListedAppBundleIDs restriction profile. Have attached a few Whitelisted bundle ID here com.talentlms.talentlms.ios.beta, com.maxaccel.safetrack, com.manageengine.mdm.iosagent, com.apple.weather, com.apple.mobilenotes, gov.dot.phmsa.erg2, com.apple.calculator, com.manageengine.mdm.iosagent, com.apple.webapp, com.apple.CoreCDPUI.localSecretPrompt etc. Have raised a Feedback request (FB15709399) with sysdiagnose logs and a short video on the issue.

Hello, this may not be the correct place to ask this question so I apologize in advance if this is the case. We are currently having some issues when attempting to restore device back ups via iCloud that where previously enrolled to our MDM solution, as upon the restore no app data seems to be persisted over (we have tested restoring the backup on the same device and we have been able to have data persist between wipes) On the initial device we have ensured that the restrictions allowCloudKeychainSync allowManagedAppsCloudSync are set to true, and can see that the initial devices back up has the app data backed up, yet despite this data is not persisted when restoring from back up on a new device. On the device where the back up was initially done when restoring the applications are applied but indicated that they must be re-installed via our management console, once the app has been uninstalled and reinstalled the old data does show up, when applied to the new device our mdm solution pushes down the app.managed config but the device treats it as a new install. Could this possibly be due to us using Device Licensing when assigning apps? Or is it due to the intial device only performing a token update request when restoring and the new device going through the entire checkin proccess? Both devices are provisioned via DEP, and applications where assigned initially via VPP Any insight on this would be useful (For reference this is an MDM solution of our own making so we are attempting to sus out if there is a configuration issue we could be overlooking).

Hi, We are using the MSAL library to authenticate users, with SSO authentication implemented through the Microsoft Authenticator app. The problem is that once or twice a day, a prompt for forced authentication appears, indicating that silent token acquisition is failing and resulting in a requirement for forced authentication. Below are some of the logs: ================================================= 2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] Silent flow finished. Result (null), error: -51115 error domain: MSIDErrorDomain 2025-08-28 11:00:05.034 [Info] [AppDelegate.swift:121] application(:didFinishLaunchingWithOptions:) > MSAL message: TID=751353 MSAL 1.8.1 iOS 18.5 [2025-08-28 10:00:05 - EC9D1457-2D70-4878-926F-553391EBC9D3] [MSAL] acquireTokenSilent returning with error: (MSALErrorDomain, -50002) Masked(not-null) ==================================================== We initially raised this issue with Microsoft, but according to them: In the app's logs, the single one failure it contains, was when the SSO extension returned the error com.apple.AuthenticationServices.AuthorizationError, -6000 during a silent call. This error code is generated by the system framework (Apple), not by our code. It indicates that the framework encountered an unexpected internal issue before or after calling the SSO extension. MSAL returning interaction_required to the client app is the most effective way to recover from this error (as you mention, after the user selects the account the app continues working as expected). Additionally, as you also mention, the interactive call is made by switching to Authenticator (not displaying a "window" without leaving Eva Lite app), which means MSAL is not able to use the SSO extension and is using the fallback to legacy authentication. The recommended next step is for the customer to request support directly from Apple as this is an issue on their side. Additionally, the customer can also try to update to the latest iOS, in case Apple has already fixed this issue. ============================================= STEPS TO REPRODUCE There is no such steps its just that this is an enterprise application which is getting used on managed devices[iPhone 14]. The device are managed using some intune policy. Platform and Version: iOS Development Environment: Xcode 15, macOS 13.6.1 Run-time Configuration: iOS 18 Please let me know if there are any solutions to resolve this problem. Thank you.

Did you got a similar letter ? " This letter serves as notice of termination of the Apple Developer Program License Agreement ...Pursuant to Section 3.2(f) of the ADP Agreement.." Fast forward, we are a corporation that spend over 1M on development for our app at apple store. Out of the blue we got this letter and our app was removed within the same day. No warning email prior, No appeal option afterwards. We were banned for a year. We tried to get at least a reply what we did wrong? So far no explanation. We suspect this is either: A campaign from our competitors, trashing our app with tons of neg/positive reviews. (If so, Why is so easy, for bad actors to manipulate Apple Algorithms and to destroy legit apps and why Apple allows it) ? Either someone else complained about our name or logo. (If so, Apple should ask for document, because we hold trademarks of our logos and names). Section 3.2(f) is very murky without clear language. Up to this day we don't know why our business was destroyed in 1 day ! As consequence of our ban, We are loosing legit advertisers like banks, and brands. We are looking forward for our day in court ! Discovery process will solve the mystery of our ban. The most scariest part of our situation, that might be your situation tomorrow, is the uncertainly in the future, that some bot might flag your app for removal and all your time and investment is gone within a day, without any explanation, and without the possibility to speak to a human. Millions of developers are paying $100 per year. This kind of money should be enough to pay at least, for human customer service, to serve the developers community properly. Did this happen to you too ?