You made my day. Thanks!

Thanks, that's very clear and helpful! The context for my question is like I'm building a our own credential provider with device/enterprise attestation. Given App Attest is main-app-only on macOS and keys can't be proxied to the extension, I do have two quick follow-ups: Is it reasonable to use App Attest in the main app at enrollment purely to attest the integrity of the whole app bundle even with other extensions? Is that the intended pattern, or does App Attest's RP_ID binding make the app-level attestation not meaningfully cover the extension? Since we still need attestation, can I use the ManagedApp framework on macOS 27 — provisioning an identity via com.apple.configuration.app.managed → ACME — and would that key be hardware-bound (Secure Enclave)? I also post that question in a different thread earlier: https://developer.apple.com/forums/thread/831160 Thanks!