Reply to SMAppService.daemon and AirWatch installation
The installation script has to update an endpoint security extension, so it first copies a signed app with the extension embedded in it and then executes that app and suspends security checks until the main app is installed. Then it runs the main app as a command line tool. The first app that updates the security extension is then removed. The two steps are needed because the endpoint security extension prevents modifying the main app. When the main app acts in "install" mode, it configures a daemon and an agent. It configures a security agent plugin and updates authorization db to use it. The main app and security agent plugin communicate with the daemon using XPC. A managed policy is installed that gives the app and the endpoint security extension full disk access.
Topic: App & System Services SubTopic: Core OS Tags:
1w
Reply to LaunchAgent (Mac) as peripheral doesn't show a pairing request.
More on how pairing works. I assume that CoreBluetooth would require a pairing for each characteristic, as two apps could configure their own characteristic. However, that assumption is probably incorrect. If pairing is only done at the peripheral level, then it would make sense that my code receives the Encryption is insufficient error. However, the correct error from the peripheral end would be Insufficient Authentication (I have seen this error in my code as well). I am no expert on Bluetooth pairing, but it would seem that there should be a mechanism to pair on a characteristic basis in order for CoreBluetooth to support different apps providing GATT for the same Mac.
Feb ’26
Reply to LaunchAgent (Mac) as peripheral doesn't show a pairing request.
Since my original post, I have a GUI launch agent now that acts as a Bluetooth peripheral. While it doesn't present a window, it does present a system menu bar item. I have added the AssociatedBundleIdentifiers in my plists used by my SMAppService.agent call. My launch agent advertises a service with a characteristic that uses notifyEncryptionRequired. After these changes, my iPhone app still gets this error when calling setNotifyValue: Error Domain=CBATTErrorDomain Code=15 "Encryption is insufficient." The error is reported in the didUpdateNotificationStateFor delegate callback.
Feb ’26
Reply to scan response
I have the same issue with macOS 26. Not sure about earlier OS versions. You may consider using a short form UUID instead (four hex bytes) from the private range if possible. Otherwise, you would need to add a read characteristic for the central to query the name.
Topic: App & System Services SubTopic: Core OS Tags:
Nov ’25
Reply to SFAuthorizationPluginView and MacOS Tahoe
This is a statement about how SFAuthorizationPluginView works with multiple mechanisms: The first mechanism displays its view and later sets its result. The view continues to display. Then the other mechanism displays its view over the top of the first view. (The first mechanism was not developed by me.) Question: How can a mechanism take down its own view? Is this supposed to happen automatically after the mechanism sets its result?
Topic: Privacy & Security SubTopic: General Tags:
Sep ’25
Reply to SMAppService.daemon and AirWatch installation
I worked around this by running the command line app using launchctl asuser 501 xxx
Topic: App & System Services SubTopic: Core OS Tags:
1w
Reply to All Safari Traffic Fails on VPN
I went to my system settings, Network/VPN & Filters. Looks like this: Disabling GlobalProtect made Safari work again.
Topic: Safari & Web SubTopic: General Tags:
1w
Reply to All Safari Traffic Fails on VPN
I have the exact same problem just today after updating to the latest 26.5 Beta. Chrome works though. Using Feedback assistant on the same Mac fails as it can't connect either - hangs when authenticating.
Topic: Safari & Web SubTopic: General Tags:
1w
Reply to SMAppService.daemon and AirWatch installation
My OS is 26.5
Topic: App & System Services SubTopic: Core OS Tags:
1w
Reply to SMAppService.daemon and AirWatch installation
Yes. The app is run as a command line tool with an argument telling it to perform an install. That causes the calls with SMAppService.
Topic: App & System Services SubTopic: Core OS Tags:
1w
Reply to LaunchAgent (Mac) as peripheral doesn't show a pairing request.
All the above steps have been done. Everything works when the characteristic does not have the notifyEncryptionRequired property. This works when run as an app or as a launch agent. When using notifyEncryptionRequired, running as an app causes the central to receive the Encryption is insufficient error. This also happens when run as a launch agent.
Feb ’26
Reply to LaunchAgent (Mac) as peripheral doesn't show a pairing request.
I don't set LimitLoadToSessionType. My launch agent is not a GUI app. I'm thinking that may be an issue.
Nov ’25
Reply to SFAuthorizationPluginView and MacOS Tahoe
I think this is just how macOS 15 and 26 work. I hadn't noticed it in the past because my view completely covered the earlier view on macOS 15. It doesn't quite cover it on OS 26. Not a bug. The earlier mechanism is HYPR. Not sure why its UI stays up.
Topic: Privacy & Security SubTopic: General Tags:
Sep ’25
Reply to SFAuthorizationPluginView and MacOS Tahoe
I have resolved my issue, but I want to confirm that if multiple mechanisms use SFAuthorizationPluginView then multiple views will appear when unlocking the screen.
Topic: Privacy & Security SubTopic: General Tags:
Aug ’25
Reply to SFAuthorizationPluginView and MacOS Tahoe
It appears that Tahoe handles multiple mechanisms that display UI differently than previous OS versions.
Topic: Privacy & Security SubTopic: General Tags:
Aug ’25