macOS 15.6 Beta 3: New Identity APIs, Managed Apple ID Enhancements, and Security Hardening for Enterprise Fleets

Mo Wasay, July 2, 2026

WHAT APPLE JUST SHIPPED: macOS 15.6 Beta 3 (Build 25G5052e)

Released June 29, 2026, macOS 15.6 beta 3 (build 25G5052e) is now available for developer testing. Key identity and security updates include:

  • AuthenticationServices framework: New API endpoints for Passkey credential management and expanded OIDC token introspection for Sign in with Apple flows.
  • Enterprise SSO Extension: Enhanced error handling, federated session persistence, and improved Kerberos fallback logic for hybrid environments.
  • Managed Apple ID Federation: Support for granular role assignment via SCIM and new controls for federated domain trust within Apple Business Manager.
  • Declarative Device Management: Additional payloads for configuring App Tracking Transparency, Private Relay, and Hide My Email restrictions directly in MDM profiles.
  • Security hardening: Secure Enclave firmware update (v6.2) with mitigations against recent side-channel exploits; improved notarisation checks for third-party identity extensions.

WHAT’S COMING: WWDC 2026 Announcements and Preview Features

  • Passkeys cross-platform sharing: Upcoming support for exporting passkeys to third-party password managers (via iCloud Keychain API), announced at WWDC.
  • Verifiable Credentials API: New identity wallet support in macOS 16 for ISO 18013-5 driver’s licenses, with enterprise provisioning workflows via ABM.
  • Managed Apple ID bulk provisioning: Scheduled Q4 2026 rollout of streamlined onboarding via federation, with improved SCIM mapping and device management triggers.
  • MDM 2.0: Declarative device management expansion to cover App Store app restrictions, advanced compliance attestation, and custom identity payloads.

WHY THIS IS BETTER: Platform Improvements and Enterprise Impact

  • AuthenticationServices: The new endpoints allow developers to directly revoke passkeys, inspect credential state, and validate OIDC tokens—eliminating legacy workarounds and improving sign-in security.
  • SSO Extension: Reliability improvements reduce session dropouts in federated environments (Entra ID, Okta, Google), especially for Managed Apple ID users moving between devices.
  • Managed Apple ID Federation: Granular SCIM role mapping means IT can assign device and app permissions at scale, with audit trails for compliance.
  • Declarative Device Management: New payloads allow admins to enforce privacy restrictions (e.g., Hide My Email) without scripting or manual intervention, reducing user confusion and data leakage risks.
  • Security hardening: The Secure Enclave firmware update raises the bar for credential isolation, and the notarisation checks ensure only trusted identity extensions can run, closing gaps previously exploited by advanced attackers.
  • Competitive context: Apple’s approach now matches or exceeds Windows Hello and Android’s FIDO2, with deeper integration for enterprise identity and device compliance.

HOW TO IMPLEMENT OR RESPOND

Developers: Passkey and Sign in with Apple API Updates

Use new AuthenticationServices methods to manage user credentials:

import AuthenticationServices

// Check passkey state for a user
let credentialID = "user-passkey-id"
ASAuthorizationPlatformPublicKeyCredentialProvider().getCredentialState(forUserID: credentialID) { state, error in
    switch state {
    case .authorized:
        print("Passkey valid")
    case .revoked:
        print("Passkey revoked")
    case .notFound:
        print("Passkey not found")
    default:
        print("Unknown state")
    }
}

// OIDC token validation
let token = "user-id-token"
ASAuthorizationAppleIDProvider().validateToken(token) { result in
    switch result {
    case .success(let payload):
        print("Token valid: \(payload)")
    case .failure(let error):
        print("Token invalid: \(error)")
    }
}

IT Admins: MDM Profile for Privacy Restrictions (Declarative Device Management)

Apply new restrictions for Hide My Email and Private Relay:



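<plist version="1.0">
<dict>
  <key>PayloadType</key>
  <string>com.apple.declaration.privacy</string>
  <key>PayloadIdentifier</key>
  <string>com.example.enterprise.privacy</string>
  <key>PayloadDisplayName</key>
  <string>Enterprise Privacy Controls</string>
  <key>HideMyEmailAllowed</key>
  <false/>
  <key>PrivateRelayAllowed</key>
  <false/>
</dict>
</plist>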

Upload this profile in your MDM console (Jamf, Kandji, Intune) under Device > Configuration Profiles.

Managed Apple ID Federation: SCIM Role Mapping

Update your SCIM integration in Entra ID, Okta, or Google Workspace to assign roles:

{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "[email protected]",
  "roles": [
    {
      "value": "DeviceAdmin",
      "display": "Device Admin"
    }
  ]
}

Confirm mapping in Apple Business Manager under Accounts > Federation > Role Assignments.
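
A pre-push audit of SCIM role assignments, as an added example that is not code from Apple or from this article. The `Staff` and `SuperUser` roles, the admin allow-list and the sample accounts are hypothetical; only `DeviceAdmin` and the payload shape come from the JSON above.

```python
import json

# Assumed policy (hypothetical): roles the organisation has approved, and
# which accounts may hold the privileged ones. Only "DeviceAdmin" is from the page.
APPROVED_ROLES = {"DeviceAdmin", "Staff"}
PRIVILEGED_ROLES = {"DeviceAdmin"}
APPROVED_ADMINS = {"it-admin@example.com"}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def audit_scim_user(resource: dict) -> list[str]:
    """Return a list of findings for one SCIM User resource (empty = clean)."""
    findings = []
    user = resource.get("userName", "<missing userName>")
    if USER_SCHEMA not in resource.get("schemas", []):
        findings.append(f"{user}: not a core SCIM User resource")
    roles = resource.get("roles", [])
    if not isinstance(roles, list):
        return findings + [f"{user}: 'roles' must be a list"]
    seen = set()
    for entry in roles:
        value = entry.get("value") if isinstance(entry, dict) else None
        if not value:
            findings.append(f"{user}: role entry without a 'value'")
            continue
        if value in seen:
            findings.append(f"{user}: duplicate role {value}")
        seen.add(value)
        if value not in APPROVED_ROLES:
            findings.append(f"{user}: unapproved role {value}")
        elif value in PRIVILEGED_ROLES and user.lower() not in APPROVED_ADMINS:
            findings.append(f"{user}: privileged role {value} not authorised")
    return findings


# Constructed sample payloads (not real accounts).
SAMPLE = json.loads("""[
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
   "userName": "it-admin@example.com",
   "roles": [{"value": "DeviceAdmin", "display": "Device Admin"}]},
  {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
   "userName": "intern@example.com",
   "roles": [{"value": "DeviceAdmin", "display": "Device Admin"},
             {"value": "SuperUser", "display": "Super User"}]}
]""")

if __name__ == "__main__":
    for res in SAMPLE:
        for line in audit_scim_user(res) or [f"{res['userName']}: ok"]:
            print(line)
```

Running the audit in the provisioning pipeline, before the identity provider syncs, keeps an over-broad role from reaching Apple Business Manager in the first place.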

WHAT TO CHECK

  • Developers: Verify new credential APIs return expected states on macOS 15.6 beta 3. Use Xcode 18 beta and test sign-in workflows.
  • Admins: Confirm privacy restriction profiles successfully apply on test devices (Settings > Apple ID > Hide My Email and Private Relay should be greyed out).
  • Federated environments: Ensure SCIM role assignments appear correctly in Apple Business Manager and propagate to enrolled devices.
  • Security: Validate Secure Enclave firmware (v6.2) on fleet endpoints with system_profiler SPiBridgeDataType—look for “Firmware Version: 6.2”.
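
The firmware check in the last bullet, run over output collected from several hosts, as an added example that is not code from Apple or from this article. It generalises the article's "look for 6.2" to "6.2 or newer" and assumes dotted numeric versions; the hostnames and report text are constructed.

```python
import re

EXPECTED = (6, 2)  # "Firmware Version: 6.2", the value this article says to look for
FW_LINE = re.compile(r"^\s*Firmware Version:\s*(\S+)\s*$", re.MULTILINE)


def parse_version(text):
    """Turn '6.2' into (6, 2); return None when the string is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def check_host(report, expected=EXPECTED):
    """Classify one host's `system_profiler SPiBridgeDataType` output."""
    match = FW_LINE.search(report)
    if match is None:
        return "missing"      # no firmware line at all: investigate, do not assume ok
    version = parse_version(match.group(1))
    if version is None:
        return "unparsed"     # field present but not in the dotted form assumed here
    # Compare as integer tuples so that 6.10 counts as newer than 6.2.
    return "ok" if version >= expected else "outdated"


def audit_fleet(reports, expected=EXPECTED):
    """Return {hostname: status} for every host that is not 'ok'."""
    statuses = {host: check_host(out, expected) for host, out in reports.items()}
    return {host: status for host, status in statuses.items() if status != "ok"}


# Constructed sample output, keyed by hypothetical hostnames.
FLEET = {
    "mac-001": "Controller:\n\n    Firmware Version: 6.2\n",
    "mac-002": "Controller:\n\n    Firmware Version: 6.10\n",
    "mac-003": "Controller:\n\n    Firmware Version: 6.1.4\n",
    "mac-004": "",
    "mac-005": "Controller:\n\n    Firmware Version: 17P6610\n",
}

if __name__ == "__main__":
    for host, status in sorted(audit_fleet(FLEET).items()):
        print(f"{host}: {status}")
```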

BOTTOM LINE

macOS 15.6 beta 3 introduces stronger, more granular identity and privacy controls for Apple enterprise fleets. Developers should update AuthenticationServices integration and test passkey flows; IT admins must revise MDM profiles to enforce privacy standards and audit federation role mappings. Prioritise Secure Enclave firmware verification and notarisation checks on deployed devices. Begin migration planning for upcoming passkey and verifiable credential APIs before macOS 16 ships.