Boot sequence with user applications starting before Launch daemons and even system extensions clearly represents a potential security risk. It is very clearly visible when using FileVault. In this case user needs to enter password, OS decrypts volume and then it can startup and launch processes, but very quickly opens user's Desktop and starts to open applications. The bigest problem is that for example Endpoint system extension, which defends computer from infections or Network system extension, which scans network traffic and defends against infected web pages, email, etc. cannot immediately block harmful content. PIDs of these processes are larger than for example Launch Daemons. It means that for example Mail could open very quickly and load new message before Network System extension is loaded and traffic captured and scanned. We see it especaily on new OS versions running on ARM where it can take up to 10-30 seconds to properly load everything to protect users. That happens when OS is setup with FileVault and user has many, many applications opened - Mail, Calendar, Safari with lots of tabs, Teams, Remote Desktop, etc, etc. When user reboots computer, we clearly see this delay in start up of critical processes that should protect users, especially in corporate environment. Bootup sequence should look something like this: System Extenisons Launch Daemons Launch Agents User applications Is there a way to setup this sequence of process start up? Thanks, Robert

That's right. Ideally we would mute the event. But simply checking a flag to determine that the file is sandboxed and handling it by es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, cache) would be sufficient. If it is a file our process running under root cannot access for scanning, then there is no reason to try opening it. When Installd unpacks app bundle into its sandbox, eventually it will move it into /Applications and it can be scanned there. The reason why we try to avoid opening files we cannot open is the fact that even the failure takes time. Even decision whther to use open() or access() has impact on how long the failure lasts. If the failure to open file takes 20ms, then for example an app with 50000 files could take 1000s or 16.6 minutes. Currently I'm strugling with determining whether to use access() or open() to check if the file can be accessed. There are cases where access() check is faster and cases where open() is faster (even if the result is failure) - it depends on various factors, like process has access to file, or doesn't have basic unix permissions or file is sandboxed. That's why I'm looking for ways to avoid unnecessary file system calls.

BTW does NSProvider.startSystemExtensionMode() need to be started from the main thread? Can it be started from a background thread that doesn't event use CFRunLoop, but a unix loop based on epoll? Does NSXPCListener has to be started from main thread?

Additional Info: The issue occurs only on ARM (Ventura and Monterey) not on Intel. XPC simply doesn't work after upgrading system extension on ARM. I tried to kill sysextd, nesessionmanager and other processes. Basically I'm trying to kill a process that manages XPC connections and info about processes and their signature validation (maybe it's somewhere deep in kernel and it's not possible to resolve it by this hack). It is possible that when trying to connect to XPC while starting our services in posinstall scirpt, installd hasn't quite yet completed and perhaps OS considers bundle signature not valid yet. Workaround is rebooting the machine, but we try to avoid that as much as possible. After reboot XPC works fine with upgraded system extension.

The same problem here. It only happens on ARM, haven't seen it on Intel. When replacing Network System Extension during installation in postinstall script we are hitting this issue at least 50% of the time. Isn't is possible that OS cannot correctly validate signatures of the extension or client app and that makes XPC listener kick off the client? We tried to do the following Disable network filter (not removing, just changing its state to avoid OS dialog that prompts user to allow network filter) calling launchctl stop NetworkExtension.com.company.feature.version... This stops the extenison while making registration and upgrade, we were hoping that later when enabling the network filter and extension would start with proper XPC listener that would accept connection from the client. It didn't help. Our Network Extension is not sandboxed yet. Could this help? But it works after reboot, so its only an issue right after upgrading extension.

I tried killing sysextd, nesessionmanager and other processes to reset XPC. Killing launchd was my other considerartion, but that's rather severe hack to overcome some bug in XPC initialization.

Perhaps this could help to fix XPC invalidation- add following to postinstall script: disable network filter stop network extension spctl -a -vv "${APP_PATH}" spctl -a -vv "/Applications/${PRODUCT_NAME}.app/Contents/Helpers/${MANAGER}.app" spctl -a -vv "/Applications/${PRODUCT_NAME}.app/Contents/Helpers/${MANAGER}.app/Contents/Library/SystemExtensions/com.company.feature.dev.systemextension" upgrade system extension enable network filter connect XPC client But it is possible that simply using sleep 30 before upgrading system extension would accomplish the same :-)

It would appear that the problem is solved if I add only following steps into preinstall script disable network filter stop network system extension After that installd replaces the bundle and system extensions in it, postinstall then runs our helper, which registers system extenison and starts the network filter (starts TransparentProxy/AppProxy). I guess stopping system extensions while the old bundle still exists, then replacing the bundle and upgrading system extension (basically it just registers new verison of the extension as the process is not running anymore) causes OS (launchd) to clear up XPC related caches.

I need to replace Subtitle and Audio icons by one icon which will combine Audio and Subtitles, then add a few other icons, for opening a list of channels so user could switch channel, opening EPG and other icons with specific actions. WWDC 2022 video didn't help me either https://developer.apple.com/videos/play/wwdc2022/10147/ BTW: Why I can only set metadata to display a few specific things, like title and subtitle and I cannot add any view I want, change position od "LIve" badge, etc. AVPlayerViewController.contentViewController property is readonly. I have to traverse view hierarchy and hierarchy of view controllers of AVPlayerViewController and hack those existing views, which is tricky, may not be reliable for future tvOS releases, may require more maintenance and use of #ifdef or #if available() or whatever. Isn't there a better approach? Here is an example:

Feedback number is FB13191404. I see that there might be someone else reporting this.

I'm seeing this on tvOS 17 real hardware when trying to load images using AVAssetImageGenerator.generateCGImageAsynchronously and I'm not getting any images from the asset. But it works on tvOS simulator.

Similar issue on tvOS 17.2 simulator, Xcode 15.1 (released version). Same problem was with Xcode 14.3.1 and tvOS 16.4 simulator. On tvOS 16.4 at least I can hear audio, but video is not rendering). It works correctly only with Xcode 15.0 or 15.1 and tvOS simulator 17.0 (both audio and video working). Although Xcode 15.1 and tvOS simulator 17.0 still has issue that video does not quite start correctly, it's only after setting new stream that it recovers. It looks like simulator 17.2 is broken somehow and also Xcode 15.1 and its SDK introduced a bug, which prevents correct audio setup shortly after starting app. Our app does not freeze, but video is not rendering and audio is not working in simulator (no problem on hardware). Using Macbook Pro M3 96GB RAM, MacOS Sonoma 14.2.1. AQMEIO.cpp:198 timed out after 15.000s (0 0); suspension count=0 (IOSuspensions: ) MEDeviceStreamClient.cpp:467 AQME Default-InputOutput: client stopping after failed start: <CA_UISoundClientBase@0x10983ae30>; running count now 0 CA_UISoundClient.cpp:293 CA_UISoundClientBase::StartPlaying: AddRunningClient failed (status = -66681). MEMixerChannel.cpp:1006 MEMixerChannel::EnableProcessor: failed to open processor type 0x705f6571 {OptimizedCabacDecoder::UpdateBitStreamPtr} bitstream parsing error!!!!!!!!!!!!!! {OptimizedCabacDecoder::EndSliceBody} bitstream parsing error!!!!!!!!!!!!!! MEMixerChannel.cpp:1006 MEMixerChannel::EnableProcessor: failed to open processor type 0x705f6571 {OptimizedCabacDecoder::UpdateBitStreamPtr} bitstream parsing error!!!!!!!!!!!!!! {OptimizedCabacDecoder::EndSliceBody} bitstream parsing error!!!!!!!!!!!!!! MEMixerChannel.cpp:1006 MEMixerChannel::EnableProcessor: failed to open processor type 0x705f6571 {OptimizedCabacDecoder::UpdateBitStreamPtr} bitstream parsing error!!!!!!!!!!!!!! {OptimizedCabacDecoder::EndSliceBody} bitstream parsing error!!!!!!!!!!!!!! MEMixerChannel.cpp:1006 MEMixerChannel::EnableProcessor: failed to open processor type 0x705f6571 AQMEIO.cpp:198 timed out after 15.000s (0 0); suspension count=0 (IOSuspensions: ) MEDeviceStreamClient.cpp:467 AQME Default-InputOutput: client stopping after failed start: <AudioQueueObject@0x10f18d400; Unknown figplayer; [3036]; play>; running count now 0

I would recommend using GameController framework and GCController class. I have implemented RemoteController class which detects Siri Remote (1st and 2nd generation), iOS Remote (tvOS remote controller on iPhone) and Nimbus+ and PS game controllers. GCController has the advantage of programmatically add such tweaks as handling arrows on old remote with touch pad in a similar way as on new remote with arrow buttons - user must press touch pad down on old remote to trigger arro press.

The same happens on tvOS 17.0. It looks like it could be caused by OS not being fast enough when deleting user data. Perhaps OS schedules the data removal and it takes time for it to take effect. I had similar problem, but removing the app, installing again and deleting again solved the problem. If it is necessary to remove app and do fresh install, it is better to suggest to users removing the app waiting for a minute or rebooting device and then do the install.

A few more suggestions: Orientation of Environments can be reset by holding the Crown button. If I want to see the other side in front of me I have to turn 180 degrees and hold down Crown to set this position. This way I can see for example the Moon environment and by looking up I see Earth. But this rotation of the environent always gets reset when starting it again. It would be actually nice to have the ability to rotate Environments and set any part to the front (at 0 degrees or 12 o'clock speaking in aviation terminology) without me rotating in the chair. There are 2 buttons, "Adjust immersion" on the left and "Adjust volume" on the right. It would be nice to have a third button left of "Level of Immersion" (that one should be kept in the center). The third button would rotate Environment scene, so I could choose what I'm going to see at 12 o'clock position. Next time I switch to that environemtn the system would remember this setting and load the environment rotated as I set it last time. It would be nice to be able to cast screen from Aple TV to Vision Pro. It may take some time for apps to make it to Vison Pro and developers might not do that for all their apps. It would be nice to cast that screen from Apple TV - it would be nice to expand favourite streaming app to a large screen in Vision Pro. The same would be nice with iOS. It works great with Mac. So at the moment I can play videos in full screen on Mac and connect to it with Vision Pro. I was thinking about building an app that could capture Apple TV screen, just like Quicktime does it, but it's not possible for security reasons. Perhaps we could persuade Apple to provide such feature. Of course there is nothing like native VisionOS app with full spatial support.