Xcode 26.6 Ships: New AuthenticationServices APIs, Passkey Enhancements, and MDM Security Updates for iOS 18/macOS 15

What Apple Just Shipped: Xcode 26.6 and Platform Updates
Apple released Xcode 26.6 (build 17F113) alongside developer betas of iOS 18.0, macOS 15.0 (Sequoia), and associated platforms. This release is pivotal for enterprise and developer teams integrating Apple identity and authentication:
- AuthenticationServices Framework: New APIs for Passkey enrollment, Sign in with Apple improvements, and expanded credential management.
- MDM Protocol: Enhanced device management payloads, stricter enforcement for Managed Apple IDs, and improved declarative device management.
- Secure Enclave/LocalAuthentication: Expanded biometric support, with performance and security upgrades for Face ID/Touch ID on iOS 18/macOS 15.

Version Requirements
- Xcode 26.6 required for building and signing iOS 18/macOS 15 apps.
- AuthenticationServices enhancements require iOS 18.0+, macOS 15.0+, watchOS 11.0+, tvOS 18.0+.
- MDM payload updates apply to devices enrolled in Apple Business Manager or School Manager running iOS 18/macOS 15.

What’s Coming: WWDC 2024 Announcements and Beta Features
- Passkey Sharing Across Managed Apple ID Accounts: Announced at WWDC24. iCloud Keychain will allow enterprise users to share passkeys securely within federated domains (Entra ID, Okta, Google Workspace).
- Sign in with Apple for Device Enrollment: Beta support for device enrollment flows using Sign in with Apple, streamlining onboarding for BYOD scenarios.
- Declarative Device Management (DDM) Expansion: More granular endpoint compliance checks, policy enforcement, and new restriction payloads via MDM.
- Digital Credentials in Wallet: Extended API for ISO 18013-5 driver’s license and verifiable credentials, now accessible for enterprise use cases.
Developers and admins should begin testing these features on the latest betas to ensure readiness for fall 2024 production deployment.

Why This Is Better: Concrete Improvements
- AuthenticationServices API: Previous versions lacked granular Passkey management and device-linked credential lifecycle control. iOS 18/macOS 15 enable finer control and compliance-driven workflows.
- MDM Security: Declarative device management now supports real-time enforcement of password/passkey policies and device compliance attestation, neither of which was possible in iOS 17/macOS 14.
- Federated Managed Apple IDs: Improved SCIM integration and support for multi-domain federations (Entra ID, Okta) allow organizations to manage Apple identity at scale.
- Biometric Security: LocalAuthentication enhancements reduce spoofing risk and improve latency, outperforming Android’s biometric APIs in both speed and hardware isolation.
These updates directly address enterprise security gaps, regulatory requirements (SOC2, ISO 27001), and developer workflow friction.

How to Implement or Respond

For Developers: Sign in with Apple and Passkey APIs
To integrate enhanced Passkey enrollment with AuthenticationServices:
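
    import AuthenticationServices

    // New in iOS 18/macOS 15: Passkey enrollment for managed accounts
    // Both methods live in a type that conforms to ASAuthorizationControllerDelegate.
    // `challenge`, `userName` and `userID` are issued by your server for this registration.
    func enrollPasskey(challenge: Data, userName: String, userID: Data) {
        let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(
            relyingPartyIdentifier: "your-enterprise-domain.com")
        let passkeyRequest = provider.createCredentialRegistrationRequest(
            challenge: challenge, name: userName, userID: userID)
        passkeyRequest.userVerificationPreference = .required

        let authController = ASAuthorizationController(authorizationRequests: [passkeyRequest])
        authController.delegate = self
        authController.performRequests()
    }

    // Delegate: Handle Passkey creation and storage
    func authorizationController(_ controller: ASAuthorizationController,
                                 didCompleteWithAuthorization authorization: ASAuthorization) {
        if let credential = authorization.credential as? ASAuthorizationPlatformPublicKeyCredentialRegistration {
            // Register the public key with your server; the passkey itself is stored by the system (iCloud Keychain)
            print("Passkey registered: \(credential.credentialID.base64EncodedString())")
        }
    }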

For server-side Sign in with Apple token validation (OIDC):

    // Validate Apple ID token on backend
    POST /token
    Authorization: Bearer <apple-id-token>

    // Use Apple public key endpoint to verify JWT signature
    https://appleid.apple.com/auth/keys

For Admins: MDM and Managed Apple ID Security
Apply stricter device compliance policies using updated mobileconfig XML:

    <payload>
      <dict>
        <key>PayloadType</key>
        <string>com.apple.configurationprofile</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PasscodePolicy</key>
        <dict>
          <key>minimumLength</key>
          <integer>12</integer>
          <key>requirePasskey</key>
          <true/>
          <key>deviceComplianceAttestation</key>
          <true/>
        </dict>
      </dict>
    </payload>

Enable federated Managed Apple ID with Entra ID/Okta:
- In Apple Business Manager, navigate to Settings > Accounts > Federation.
- Select Microsoft Entra ID or Okta, then follow the guided SSO setup.
- Verify SCIM endpoint connectivity for automated identity provisioning.

What to Check: Verification Steps
- Developer: Test Passkey creation and authentication flows on the iOS 18/macOS 15 simulator and on physical devices. Confirm credential sync in iCloud Keychain.
- Admin: Audit device compliance in MDM console. Confirm new restriction payloads are enforced and visible in Device Details > Compliance in Jamf, Kandji, or Intune.
- Federation: In Apple Business Manager, verify that Managed Apple IDs are auto-provisioned via SCIM and authenticate successfully using Entra ID/Okta SSO.

Bottom Line: Recommendations
- Developers: Upgrade to Xcode 26.6 and refactor authentication flows to leverage new Passkey and Sign in with Apple APIs. Test against iOS 18/macOS 15 betas now.
- Admins: Review and update MDM compliance policies for stricter password/passkey requirements and enable federated Managed Apple ID provisioning.
- Security Teams: Audit LocalAuthentication and Secure Enclave usage. Validate endpoint security posture using new declarative device management features.
Adopt these platform enhancements now to minimize security gaps, streamline identity workflows, and ensure enterprise readiness for Apple’s fall 2024 releases.