Hello, I am working on a cross-platform application where IPC between a LaunchDaemon and a LaunchAgent is implemented via Unix domain sockets. On macOS, the socket path length is restricted to 104 characters. What is the Apple-recommended directory for these sockets to ensure the path remains under the limit while allowing a non-sandboxed agent to communicate with a root daemon? Standard paths like $TMPDIR are often too long for this purpose. Thank you in advance!

Hello, I need to develop a Network Extension (Transparent Proxy) that sends data to the host application for analysis. Network Extension - XPC client Host application - XPC service I am trying to implement it with XPC. However, when attempting to connect, I see the following error in the system logs on client side. [0x1015a2050] failed to do a bootstrap look-up: xpc_error=[3: No such process] I assume the problem occurs because the Network Extension cannot find the registered XPC service. On the service side, I see the following message in the logs: 2026-02-24 13:15:36.419345+0300 localhost fgstnehost[58884]: (libxpc.dylib) [com.apple.xpc:connection] [0x100bdee70] activating connection: mach=true listener=true peer=false name=TEAM_ID.group.app_id.netfilter.xpc Entitlements Network Extension: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider-systemextension</string> </array> <key>com.apple.security.application-groups</key> <array> <string>TEAM_ID.group.app_id.netfilter</string> </array> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.xpc.mach-lookup.global-name</key> <array> <string>TEAM_ID.group.app_id.netfilter.xpc</string> </array> </dict> </plist> Entitlements host application: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider-systemextension</string> </array> <key>com.apple.developer.system-extension.install</key> <true/> <key>com.apple.security.application-groups</key> <array> <string>TEAM_ID.group.app_id.netfilter</string> </array> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.xpc.mach-service.name</key> <array> <string>TEAM_ID.group.app_id.netfilter.xpc</string> </array> </dict> </plist> Server.m @interface XPCServer () @property (nonatomic, strong) NSXPCListener *listener; @end @implementation XPCServer - (instancetype) init { self = [super init]; if (self != nil) { _listener = [[NSXPCListener alloc] initWithMachServiceName: XPC_SERVICE_ID]; _listener.delegate = self; } return self; } - (void) start { [self.listener resume]; } - (BOOL) listener:(NSXPCListener *) listener shouldAcceptNewConnection:(NSXPCConnection *) newConnection { return YES; } @end Client.m @interface XPCClient () @property (nonatomic, strong) NSXPCConnection *connection; @end @implementation XPCClient - (void) connect { self.connection = [[NSXPCConnection alloc] initWithMachServiceName: XPC_SERVICE_ID options: NSXPCConnectionPrivileged]; self.connection.invalidationHandler = ^{ [[OSLogger sharedInstance] error: "XPCClient: connection can not be formed or the connection has terminated and may not be re-established"]; }; self.connection.interruptionHandler = ^{ [[OSLogger sharedInstance] error: "XPCClient: the remote process exits or crashes"]; }; [self.connection resume]; } @end What could be the root cause of this issue? Are there any recommendations for implementing IPC between a Network Extension and aß Host Application? Thank you in advance.

Hello, I am working on a cross‑platform application that uses libiconv to convert strings to/from Unicode. I need to modify the existing code for compatibility with macOS. However, the call to iconv() fails with an unclear errno value (92) when using "WCHAR_T": std::wstring ConvertToWchar(const std::string& iconvCodeSet, const std::string_view str) { iconv_t conv = iconv_open("WCHAR_T//TRANSLIT", iconvCodeSet.c_str()); if (conv == (iconv_t)-1) { std::cerr << "iconv_open() failed" << std::endl; return {}; } std::wstring out(str.size(), L'\0'); auto inPtr = (char*)str.data(); size_t inSize = str.size(); auto outPtr = (char*)out.data(); size_t outSize = out.size() * sizeof(wchar_t); if (iconv(conv, &inPtr, &inSize, &outPtr, &outSize) == (size_t)-1) { std::cerr << "iconv() failed. errno = " << errno << std::endl; return {}; } if (iconv(conv, nullptr, &inSize, &outPtr, &outSize) == (size_t)-1) { std::cerr << "iconv() failed. errno = " << errno << std::endl; return {}; } iconv_close(conv); return out; } int main() { std::string str1((const char*)u8"ΟΔΥΣΣΕΥΣ"); std::wstring str2 = ConvertToWchar("UTF-8", str1); if (str2.empty()) return 1; std::cout << "converted" << std::endl; return 0; } Using "UTF-32" works fine, but "WCHAR_T//TRANSLIT" fails. What is the recommended way to convert wchar_t strings using libiconv? Why does the conversion fail with "WCHAR_T//TRANSLIT"? Thank you in advance!

Hello, In a launched agent, I need to call into a third‑party library that may occasionally hang. At present, these calls are made from a separate thread, but if the thread hangs it cannot be terminated (pthread_cancel/pthread_kill are ineffective). Would Apple recommend isolating this functionality in a separate process that can be force‑terminated if it becomes unresponsive, or is there a preferred approach for handling such cases in launched agents? Can I use the system call fork() in launched agent? Thank you in advance!

Hello, The customer requires transparent data encryption within their DLP system. All data on external storage must be encrypted and decrypted transparently. How can the data stream (read/write) be controlled? Are there any recommended way? Thank you in advance!

Hello, As part of developing a DLP system, the microphone and speakers should be blocked. My solution involves muting devices by changing the property kAudioDevicePropertyMute. However, this solution allows the user to unmute the device, and the app must implement a property listener to mute the device again. The problem is that muting takes some time and the device is temporarily unmuted. Admittedly, it takes less than a second, but nevertheless, it appears insecure. Is there an Apple-recommended approach to implement such blocking more securely? Maybe some solution which is based on IOKit. Thank you in advance, Pavel

Hello, The application I'm working on must report new hardware connections. To retrieve connected displays information and monitor new connections, I'm using the "Core Graphics" framework (see recommendation https://developer.apple.com/forums/thread/779945). The monitoring logic relies on a callback function which invokes when the local display configuration changes(kCGDisplayAddFlag/kCGDisplayRemoveFlag). #import <Cocoa/Cocoa.h> static void displayChanged(CGDirectDisplayID displayID, CGDisplayChangeSummaryFlags flags, void *userInfo) { uint32_t vendor = CGDisplayVendorNumber(displayID); if (flags & kCGDisplayAddFlag) { if (vendor == kDisplayVendorIDUnknown) { NSLog(@"I/O Kit cannot identify the monitor. kDisplayVendorIDUnknown. displayId = %u", displayID); return; } NSLog(@"%u connected. vendor(%u)", displayID, vendor); } if (flags & kCGDisplayRemoveFlag) { NSLog(@"%u disconnected", displayID); } } int main(int argc, const char * argv[]) { @autoreleasepool { CGDisplayRegisterReconfigurationCallback(displayChanged, NULL); NSApplicationLoad(); CFRunLoopRun(); } return 0; } The test environment is a Mac mini with an external display connected via HDMI. Everything works correctly until the system enters sleep mode. Upon wakeup, the app reports two displays: the first with vendor ID kDisplayVendorIDUnknown and the second with the expected vendor ID. Why does Core Graphics report two connections during wakeup? Is there any way to avoid this? Thank you in advance.

Hello, My app (daemon) time to time need to know list of GUI login sessions. According to the recommendation, I am using getutxent(). https://developer.apple.com/library/archive/qa/qa1133/_index.html However, I have faced with unclear behaviour in case of running "Migration Assistant". It can be re-created without my app. Steps to recreate: login as 'user #1' start "Migration Assistant" quit "Migration Assistant" new login prompt will be opened login as 'user #2' In spite the session of 'user #1' is closed, the command line tool "who", which gathers information from /var/run/utmpx, reports opened sessions of 'user #1'. Is it bug or feature? Thank you in advance!

Hello, I am working on a script to update an application which bundle ID changed. Only the bundle ID was modified; all other aspects remain unchanged. This application requires access to "Screen & System Audio Recording" permissions, which are currently granted to the old bundle ID. The script performs the following steps: launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.my_agent_1.plist pkgutil --forget com.my_agent_1 tccutil reset All com.my_agent_1 rm /Library/LaunchAgents/com.my_agent_1.plist rm -rf </path/to/com_my_agent_1> installer -dumplog -allowUntrusted -pkg </path/to/com_my_agent_2.pkg> -target / ... When running steps #1-6 without a restart between steps #5 and #6, the old bundle ID (com.my_agent_1) remains visible in TCC.db (verified via SQL queries). Looks like this is the reason why "com.my_agent_2" is not automatically added to the permission list (requiring manual add). Moreover, "tccutil reset All com.my_agent_1" does not work anymore, the error: tccutil: No such bundle identifier "com.my_agent_1": The operation couldn’t be completed. (OSStatus error -10814.) Is there any way to completely clear the "Privacy & Security" permissions without requiring a system restart? Thank you a lot for your help in advance!

Hello, As part of developing a DLP system, I need to block input devices upon detection of data leakage. Could you advise if it's possible to temporarily disable the built-in keyboard and camera? Thank you in advance, Pavel

Hello, I'm trying to get a list of all network devices (device audit for DLP system). CFMutableDictionaryRef matchingDictionary = IOServiceMatching(kIONetworkControllerClass); if (matchingDictionary == nullptr) { std::cerr << "IOServiceMatching() returned empty matching dictionary" << std::endl; return 1; } io_iterator_t iter; if (kern_return_t kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDictionary, &iter); kr != KERN_SUCCESS) { std::cerr << "IOServiceGetMatchingServices() failed" << std::endl; return 1; } io_service_t networkController; while ((networkController = IOIteratorNext(iter)) != IO_OBJECT_NULL) { std::cout << "network device: "; if (CFDataRef cfIOMACAddress = (CFDataRef) IORegistryEntryCreateCFProperty(networkController, CFSTR(kIOMACAddress), kCFAllocatorDefault, kNilOptions); cfIOMACAddress != nullptr) { std::vector<uint8_t> data(CFDataGetLength(cfIOMACAddress)); CFDataGetBytes(cfIOMACAddress, CFRangeMake(0, data.size()), data.data()); std::cout << std::hex << std::setfill('0') << std::setw(2) << (short)data[0] << ":" << std::hex << std::setfill('0') << std::setw(2) << (short) data[1] << ":" << std::hex << std::setfill('0') << std::setw(2) << (short) data[2] << ":" << std::hex << std::setfill('0') << std::setw(2) << (short) data[3] << ":" << std::hex << std::setfill('0') << std::setw(2) << (short) data[4] << ":" << std::hex << std::setfill('0') << std::setw(2) << (short) data[5]; CFRelease(cfIOMACAddress); } std::cout << std::endl; IOObjectRelease(networkController); } IOObjectRelease(iter); The Wi-Fi controller shows up in I/O Registry Explorer, but IOServiceGetMatchingServices() does not return any information about it. Any way to retrieve Wi-Fi controller info in daemon code? Thank you in advance!

Hello, I am working on a daemon which collects information about disk space usage on macOS. APFS has quite complex structure and there is a challenge to get detailed info. My application must provide disk usage by APFS containers. Are there any recommended way to get space usage by particular APFS volume? Are there any recommended way to get free space on particular APFS container? Are there any recommended way to enumerate APFS containers and volumes? I am using Disk Arbitration to get APFS info. However, I get restricted info about space usage because I get get disk usage for mounted volumes only. Are there any public API (daemon-safe) which allows to easily get disk space usage on macOS? Thank you in advance, Pavel

Hello, I am trying to get space which is consumed by APFS volume. The call getattrlist() works fine on macOS 15 (Apple silicon). However, it returns EINVAL on macOS 11.7.10 (Intel) if ATTR_VOL_SPACEUSED is defined. struct VolAttrBuf { u_int32_t length; off_t spaceUsed; } __attribute__((aligned(4), packed)); int64_t GetVolumeSpaceUsed(const std::string& mountPath) { struct attrlist attrList; std::memset(&attrList, 0, sizeof(attrList)); attrList.bitmapcount = ATTR_BIT_MAP_COUNT; attrList.volattr = ATTR_VOL_INFO | ATTR_VOL_SPACEUSED; VolAttrBuf attrBuf; if (getattrlist(mountPath.c_str(), &attrList, &attrBuf, sizeof(attrBuf), 0) || attrBuf.length > sizeof(attrBuf)) { std::cout << "getattrlist() failed with errno (" << errno << ")" << std::endl; return -1; } return attrBuf.spaceUsed; } Is it bug or ATTR_VOL_SPACEUSED is unsupported on macOS 11? Are there any other way to get space which is used on an APFS volume? (C++) Thank you in advance, Pavel

Hello, What is the best and Apple recommended way to get display name and its vendor information? The CoreGraphics framework provides ModelNumber and VendorNumber only. Looks like IOKit does not provide any documented way at all. Are there any daemon safe way to get such information? Thank you in advance, Pavel

Hello Dev, The App, which I am working on, uses fcopyfile() to copy file from external storage (USB, thunderbolt) to internal disk. Looks like this call provides the best performance. fcopyfile(from, to, nullptr, COPYFILE_DATA); I need to be sure the data is copied after the call. Are there any necessity to synchronize a file's state with that on disk the data? (e.g. call fsync()) Thank you in advance! Pavel