diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index ff7f3903a..de4603e00 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -2,8 +2,7 @@ name: Continuous Delivery
 on:
   push:
     branches:
-      - master
-      - cloud
+      - main
 
 # Cancel old workflow runs if new code is pushed
 concurrency:
diff --git a/.github/workflows/elixir.yml b/.github/workflows/elixir.yml
index 69e9a6da1..968252d25 100644
--- a/.github/workflows/elixir.yml
+++ b/.github/workflows/elixir.yml
@@ -184,7 +184,7 @@ jobs:
       MIX_ENV: dev
       POSTGRES_HOST: localhost
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      MASTER_BRANCH: cloud
+      MASTER_BRANCH: main
     services:
       postgres:
         image: postgres:15
diff --git a/.github/workflows/kotlin.yml b/.github/workflows/kotlin.yml
index 4cfc25356..7efff5cdf 100644
--- a/.github/workflows/kotlin.yml
+++ b/.github/workflows/kotlin.yml
@@ -23,7 +23,7 @@ jobs:
     steps:
       - uses: release-drafter/release-drafter@v5
         with:
-          commitish: cloud
+          commitish: main
         id: release_drafter
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/rust-pass-checks.yml b/.github/workflows/rust-pass-checks.yml
index 67832e93d..30356fe3f 100644
--- a/.github/workflows/rust-pass-checks.yml
+++ b/.github/workflows/rust-pass-checks.yml
@@ -33,10 +33,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: 'echo "No build required"'
-  rust_build-apple:
-    runs-on: ubuntu-latest
-    steps:
-      - run: 'echo "No build required"'
   rust_cross-compile-relay: # cross is separate from test because cross-compiling yields different artifacts and we cannot reuse the cache.
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index a1feb880b..dfbe53e2d 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -26,7 +26,7 @@ jobs:
     steps:
       - uses: release-drafter/release-drafter@v5
         with:
-          commitish: cloud
+          commitish: main
         id: release_drafter
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -55,7 +55,7 @@ jobs:
           workspaces: ./rust
           key: v2
           prefix-key: rust-${{ matrix.runs-on }}
-          save-if: ${{ github.ref == 'refs/heads/cloud' }}
+          save-if: ${{ github.ref == 'refs/heads/main' }}
 
       # TODO: Building *ring* from git requires us to install additional tools;
       # once we're not using a forked *ring* these 2 steps can be removed.
diff --git a/.github/workflows/swift-pass-checks.yml b/.github/workflows/swift-pass-checks.yml
index 02873a0d9..50ec8fcb8 100644
--- a/.github/workflows/swift-pass-checks.yml
+++ b/.github/workflows/swift-pass-checks.yml
@@ -18,6 +18,13 @@ jobs:
     steps:
       - run: 'echo "No build required"'
   swift_build:
+    strategy:
+      matrix:
+        target:
+          - sdk: macosx
+            platform: macOS
+          - sdk: iphoneos
+            platform: iOS
     runs-on: ubuntu-latest
     steps:
       - run: 'echo "No build required"'
diff --git a/.github/workflows/swift.yml b/.github/workflows/swift.yml
index 387948cde..4f6cd8602 100644
--- a/.github/workflows/swift.yml
+++ b/.github/workflows/swift.yml
@@ -23,12 +23,21 @@ jobs:
     steps:
       - uses: release-drafter/release-drafter@v5
         with:
-          commitish: cloud
+          commitish: main
         id: release_drafter
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   swift_build:
+    strategy:
+      matrix:
+        target:
+          - sdk: macosx
+            platform: macOS
+            destination: platform=macOS
+          - sdk: iphoneos
+            platform: iOS
+            destination: generic/platform=iOS
     runs-on: macos-latest
     permissions:
       contents: read
@@ -43,27 +52,24 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         with:
           workspaces: ./rust
-          prefix-key: rust-${{ matrix.runs-on }}
-          save-if: ${{ github.ref == 'refs/heads/cloud' }}
+          save-if: ${{ github.ref == 'refs/heads/main' }}
       - name: Update toolchain
         run: rustup show
       - uses: actions/cache@v3
         with:
-          path: apple/.build
-          key: ${{ runner.os }}-spm-${{ hashFiles('**/Package.resolved') }}
+          path: ~/Library/Developer/Xcode/DerivedData/**/SourcePackages/checkouts
+          key: ${{ matrix.target.platform }}-spm-${{ hashFiles('**/Package.resolved') }}
           restore-keys: |
-            ${{ runner.os }}-spm-
+            ${{ matrix.target.platform }}-spm-
       - name: Select Xcode
         uses: maxim-lobanov/setup-xcode@v1
         with:
           xcode-version: latest-stable
-      - name: Build app for macOS
+      - name: Build app
+        env:
+          ONLY_ACTIVE_ARCH: no
+
         working-directory: ./swift/apple
         run: |
-          cp Firezone/xcconfig/Developer.xcconfig.ci-macOS Firezone/xcconfig/Developer.xcconfig
-          xcodebuild archive -scheme Firezone -sdk macosx -destination 'platform=macOS' CODE_SIGNING_ALLOWED=NO
-      - name: Build app for iOS
-        working-directory: ./swift/apple
-        run: |
-          cp Firezone/xcconfig/Developer.xcconfig.ci-iOS Firezone/xcconfig/Developer.xcconfig
-          xcodebuild archive -scheme Firezone -sdk iphoneos -destination 'generic/platform=iOS' CODE_SIGNING_ALLOWED=NO
+          cp Firezone/xcconfig/Developer.xcconfig.ci-${{ matrix.target.platform }} Firezone/xcconfig/Developer.xcconfig
+          xcodebuild archive -configuration Release -scheme Firezone -sdk ${{ matrix.target.sdk }} -destination '${{ matrix.target.destination }}' CODE_SIGNING_ALLOWED=NO
diff --git a/rust/connlib/clients/apple/build-rust.sh b/rust/connlib/clients/apple/build-rust.sh
index ad2681264..fd6172603 100755
--- a/rust/connlib/clients/apple/build-rust.sh
+++ b/rust/connlib/clients/apple/build-rust.sh
@@ -26,6 +26,16 @@ export INCLUDE_PATH="${base_dir}/usr/include"
 export CFLAGS="-L ${LIBRARY_PATH} -I ${INCLUDE_PATH} -Qunused-arguments"
 export RUSTFLAGS="-C link-arg=-F$base_dir/System/Library/Frameworks"
 
+# Borrowed from https://github.com/signalapp/libsignal/commit/02899cac643a14b2ced7c058cc15a836a2165b6d
+# Thanks to @francesca64 for the fix
+if [[ -n "${DEVELOPER_SDK_DIR:-}" ]]; then
+  # Assume we're in Xcode, which means we're probably cross-compiling.
+  # In this case, we need to add an extra library search path for build scripts and proc-macros,
+  # which run on the host instead of the target.
+  # (macOS Big Sur does not have linkable libraries in /usr/lib/.)
+  export LIBRARY_PATH="${DEVELOPER_SDK_DIR}/MacOSX.sdk/usr/lib:${LIBRARY_PATH:-}"
+fi
+
 TARGETS=()
 if [[ "$PLATFORM_NAME" = "macosx" ]]; then
     if [[ $CONFIGURATION == "Release" ]] || [[ -z "$NATIVE_ARCH" ]]; then
@@ -89,6 +99,6 @@ fi
 for target in "${TARGETS[@]}"
 do
   set -x
-  cargo build --target $target $FEATURE_ARGS $CONFIGURATION_ARGS
+  cargo build --target=$target $FEATURE_ARGS $CONFIGURATION_ARGS
   set +x
 done