Reply to MDM Support for Enabling Location Services on Managed Macs
[quote='891544022, Apple Staff, /thread/831690?answerId=891544022#891544022'] Thanks for the additional detail. Is the goal for these devices to only be allowed to join managed Wi-Fi networks, similar to the current iOS-only restriction forceWiFiToAllowedNetworksOnly? [/quote]
Yes, our goal is to provide functionality similar to forceWiFiToAllowedNetworksOnly. Since we are developing a cross-platform device management solution, it would be highly beneficial for our customers to be able to configure and enforce Wi-Fi network restrictions for all managed devices from a single management platform, rather than using platform-specific configurations.
Topic: General SubTopic: Business & Education Q&A
1w
Reply to Endpoint Security: How to reliably report file deletion
I think you can rely on the corresponding Endpoint Security notification event that arrives right after the auth event. In particular, for an unlink operation, you should look at the corresponding es_message_t where action_type is ES_ACTION_TYPE_NOTIFY and action.notify.result_type is ES_RESULT_TYPE_AUTH. In that message, action.auth.result will tell you whether the operation was allowed, and you should check that it is ES_AUTH_RESULT_ALLOW.
Topic: General SubTopic: Privacy & Security Q&A
1w
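One way to apply the check described in this reply, as an added example (not the thread author's code): a small Endpoint Security client in Swift that subscribes to ES_EVENT_TYPE_NOTIFY_UNLINK and reports only the messages whose AUTH-type result is ALLOW, i.e. unlinks that actually completed. It assumes it runs inside a system extension holding the Endpoint Security client entitlement.

```swift
import EndpointSecurity
import Foundation

// Added example, not code from the thread. Assumes it runs inside a system
// extension holding the com.apple.developer.endpoint-security.client entitlement.
enum ESError: Error {
    case newClientFailed(es_new_client_result_t)
    case subscribeFailed
}

final class DeletionReporter {
    private var client: OpaquePointer?

    /// True only when the unlink actually happened: a NOTIFY message for the
    /// unlink event whose AUTH-type result is ALLOW. A DENY result means an
    /// auth client blocked it, so the file still exists and must not be reported.
    static func isCompletedDeletion(_ msg: UnsafePointer<es_message_t>) -> Bool {
        let m = msg.pointee
        guard m.event_type == ES_EVENT_TYPE_NOTIFY_UNLINK,
              m.action_type == ES_ACTION_TYPE_NOTIFY,
              m.action.notify.result_type == ES_RESULT_TYPE_AUTH else { return false }
        return m.action.notify.result.auth == ES_AUTH_RESULT_ALLOW
    }

    /// es_string_token_t carries an explicit length; do not assume NUL termination.
    static func string(_ token: es_string_token_t) -> String {
        guard let base = token.data else { return "" }
        let bytes = UnsafeRawBufferPointer(start: base, count: token.length)
        return String(decoding: bytes, as: UTF8.self)
    }

    func start() throws {
        // NOTIFY events need no response; the handler only has to return quickly.
        let result = es_new_client(&client) { _, msg in
            guard DeletionReporter.isCompletedDeletion(msg) else { return }
            let path = DeletionReporter.string(msg.pointee.event.unlink.target.pointee.path)
            let signer = DeletionReporter.string(msg.pointee.process.pointee.signing_id)
            NSLog("file deleted: %@ by %@", path, signer)
        }
        guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let c = client else {
            throw ESError.newClientFailed(result)
        }
        var events = [ES_EVENT_TYPE_NOTIFY_UNLINK]
        guard es_subscribe(c, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
            _ = es_delete_client(c)
            throw ESError.subscribeFailed
        }
    }
}
```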
Reply to EndpointSecurity: incoming connections monitoring.
Thank you for the suggestion. We have already submitted feedback through Feedback Assistant (FB13452950). We are posting here to seek additional guidance on any supported solutions, recommended approaches, or future platform direction for enterprise security products that need to monitor when third-party applications create listening network sockets.
Topic: General SubTopic: Privacy & Security Q&A
1w
Reply to EndpointSecurity: Camera access events
Thank you for the suggestion. We have already submitted feedback through Feedback Assistant (FB10287547). We are posting here to seek additional guidance on any supported solutions, recommended approaches, or future platform direction for enterprise security products that need to manage camera access authorization (or at least notifications).
Topic: General SubTopic: Privacy & Security Q&A
1w
Reply to MDM Support for Enabling Location Services on Managed Macs
[quote='891420022, Apple Staff, /thread/831690?answerId=891420022#891420022'] Details on why the SSID is required and other kinds of network resource availability checks can't be used would be especially helpful. [/quote]
Enterprise customers are requesting functionality to control Wi-Fi usage in order to restrict devices to only specific Wi-Fi networks.
Topic: General SubTopic: Business & Education Q&A
1w
Reply to Track Virtual Machines
It seems that VZVirtualMachine.state is a KVO property. So you can add an observer and get notifications when the virtual machine state changes.
Topic: Core OS SubTopic: Virtualization Q&A
1w
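To make the observation concrete, an added example (not the thread author's code) that records every state transition of a VZVirtualMachine through KVO and flags a running-to-error transition; the `queue` parameter and the callback shape are assumptions.

```swift
import Foundation
import Virtualization

// Added example, not code from the thread. Assumes `vm` was created on `queue`
// and that every VZVirtualMachine call, including observer setup, stays on it.
@available(macOS 11, *)
final class VMStateTracker {
    private var observation: NSKeyValueObservation?
    private(set) var history: [VZVirtualMachine.State] = []

    init(vm: VZVirtualMachine, queue: DispatchQueue,
         onChange: @escaping (_ from: VZVirtualMachine.State,
                              _ to: VZVirtualMachine.State) -> Void) {
        queue.sync {
            history.append(vm.state)
            // `state` is KVO-compliant, so every transition arrives here.
            observation = vm.observe(\.state, options: [.new]) { [weak self] vm, _ in
                guard let self = self else { return }
                let previous = self.history.last ?? .stopped
                self.history.append(vm.state)
                onChange(previous, vm.state)
            }
        }
    }

    /// A VM that leaves .running for .error without the host asking is the
    /// transition worth alerting on (guest crash or hypervisor failure).
    static func isUnexpectedFailure(from previous: VZVirtualMachine.State,
                                    to next: VZVirtualMachine.State) -> Bool {
        previous == .running && next == .error
    }
}
```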
Reply to Secure Enclave Cryptokit
Hi! I believe that the key is tied to your app via its App ID entitlement. I’ve never really looked into the details, but the research that I did do confirmed that there’s no supported way to serialise a key in one app and deserialise it in another.
From my testing, that does not appear to be the case for keys created with:
let privateKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(/*default params*/)
Having "dataRepresentation" of the privateKey, another process can use it for sign/decrypt — even when that second process is signed with a different Team ID, or is unsigned entirely. The process that originally creates the key is properly signed with my Team ID and has the keychain-access-groups entitlement. SIP is also enabled. Based on these experiments, it seems that SecureEnclave keys are not intrinsically bound to the originating app or signing identity, and isolation from other apps may be enforced primarily through Keychain access controls.
Topic: Privacy & Security SubTopic: General
May ’26
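The reply above concludes that isolation rests on keychain access controls; as an added example (not the thread author's code), this is how a macOS app would apply them: the Secure Enclave key is created with a user-presence access-control policy, so its dataRepresentation cannot be used by any process without authentication, and the wrapped blob is kept in the keychain rather than in a file. Service and account names are placeholders.

```swift
import CryptoKit
import Foundation
import LocalAuthentication
import Security

// Added example, not code from the thread; service/account names are placeholders.
enum SEKeyStore {
    static let service = "com.example.placeholder.se-key"
    static let account = "signing-key"

    /// Create a Secure Enclave signing key that may only be used after the user
    /// authenticates. The SE enforces this policy on the wrapped blob, so holding
    /// dataRepresentation alone is not enough to sign with the key.
    static func makeKey() throws -> SecureEnclave.P256.Signing.PrivateKey {
        var error: Unmanaged<CFError>?
        guard let ac = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.privateKeyUsage, .userPresence], &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return try SecureEnclave.P256.Signing.PrivateKey(accessControl: ac)
    }

    /// Keep the wrapped key in the keychain (this device only, while unlocked)
    /// rather than in a file, so keychain access rules decide who can read it.
    /// Reload it later with SecureEnclave.P256.Signing.PrivateKey(
    /// dataRepresentation:authenticationContext:), passing an LAContext.
    static func store(_ key: SecureEnclave.P256.Signing.PrivateKey) throws {
        let item: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            kSecValueData as String: key.dataRepresentation,
        ]
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess || status == errSecDuplicateItem else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }
}
```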
Reply to APFS snapshot revert
Thank you for your response!
[quote='814302022, DTS Engineer, /thread/768708?answerId=814302022#814302022'] We don't currently have any mechanism (tool or API) that allows snapshot reversion [/quote]
I know that there is a fs_snapshot_* family of functions, and according to its manual "To revert the filesystem to a previous snapshot, the fs_snapshot_revert() can be used". This function is only available to apps/tools that have both the com.apple.developer.vfs.snapshot and the com.apple.private.apfs.revert-to-snapshot entitlements enabled. The latter seems to be available only to Apple itself. So why does the fs_snapshot_revert() function exist if it is not available to third-party developers and is not used by Apple in their tools? By the way, I have disabled SIP and AMFI and tried calling fs_snapshot_revert(), and it worked as expected for me!
Topic: App & System Services SubTopic: Core OS
Nov ’24
Reply to Unclear working of Local Network Privacy feature on macOS Sequoia
Hello! Thank you very much for your response! We greatly appreciate the chance to discuss Apple's technologies with their engineers!
[quote='798218022, DTS Engineer, /thread/760964?answerId=798218022#798218022'] If you run a tool from Terminal, then Terminal is considered the responsible code and, as a system app, it’s not subject to local network privacy. [/quote]
I have conducted more experiments and have attached the new results to FB14581221 (bundled_as_cli_term). If you run the bundled application for the first time through the terminal, a prompt will appear for the Terminal.app. This is not the case for me, but the results of the experiment don't match your expectations:
[quote='798218022, DTS Engineer, /thread/760964?answerId=798218022#798218022'] If you run an executable as a launchd daemon, it runs as root and local network privacy does not apply to code running as root. [/quote]
Here my experiments also show different results - if the bundled application is launched as a launchd daemon, the prompt will appear, even though the app runs with root privileges (see "bundled_as_daemon" in the attachments for FB14581221). The latter scenario has an impact on the user experience of my application and I would like to prepare carefully for changes in macOS. It would be helpful if you could provide information about the expected outcomes of the scenarios mentioned.
Topic: Privacy & Security SubTopic: General
Aug ’24
Reply to Accessing Current Wi-Fi SSID/BSSID on Managed macOS Devices Without User-Enabled Location Services
We have filed feedback - FB19729313. Thank you for your attention to this request. We appreciate your consideration.
Topic: General SubTopic: Privacy & Security Q&A
1w
Reply to NEAppProxyTCPFlow: How to distinguish half-close from full connection close
We've described our scenarios in FB22874828. Thank you!
Topic: Networking SubTopic: Networking Q&A
1w
Reply to A per-process limitation on the number of active nw_connection_t objects.
It turns out that these limits for Network Extension allow one application to impact the performance of others. A misbehaving application can open more than 512 long-lived connections and, when an NETransparentProxyProvider is active, effectively block network connectivity for other applications.
Topic: Networking SubTopic: Networking Q&A
1w
Reply to USB device access
Hi! You can find info about USB support in the latest WWDC26 session.
Topic: Core OS SubTopic: Virtualization Q&A
1w
Reply to Virtualization.framework: VM slot counter not decremented after macOS guest shutdown (VZErrorVirtualMachineLimitExceeded)
I've created a feedback FB22967193.
Topic: Core OS SubTopic: Virtualization Q&A
1w
Reply to Does anyone know how to send the SCSI command to the USB Mass Storage Driver with DriverKit?
There's a new SCSIPeripheralsDriverKit framework in macOS Ventura. But I can't match my simple dext with any attached device. There's no info about required entitlements and values of IOKitPersonalities in the docs.
Topic: App & System Services SubTopic: Core OS
Jun ’22