General:

• DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
• Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
• Developer > Support > Certificates covers some important policy issues
• Entitlements documentation
• TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
• WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
• Certificate Signing Requests Explained DevForums post
• --deep Considered Harmful DevForums post
• Don’t Run App Store Distribution-Signed Code DevForums post
• Resolving errSecInternalComponent errors during code signing DevForums post
• Finding a Capability’s Distribution Restrictions DevForums post
• Signing code with a hardware-based code-signing identity DevForums post

Mac code signing:

• DevForums tag: Developer ID
• Creating distribution-signed code for macOS documentation
• Packaging Mac software for distribution documentation
• Placing Content in a Bundle documentation
• Embedding Nonstandard Code Structures in a Bundle documentation
• Embedding a Command-Line Tool in a Sandboxed App documentation
• Signing a Daemon with a Restricted Entitlement documentation
• Defining launch environment and library constraints documentation
• WWDC 2023 Session 10266 Protect your Mac app with environment constraints
• TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
• Manual Code Signing Example DevForums post
• The Care and Feeding of Developer ID DevForums post
• TestFlight, Provisioning Profiles, and the Mac App Store DevForums post

For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Family Controls Entitlement Request: How Long for Approval?
A few weeks ago, I submitted a request for the Family Controls & Personal Device Usage Entitlement to enable my app to access the Managed Settings and Device Activity frameworks in the Screen Time API. The app is nearly complete, with the only remaining component being the Family Controls capability. As of now, I haven’t received a response regarding the request. I’m wondering if anyone else has experienced a similar situation or can provide insight into the following:

• How long does it typically take to receive feedback on this type of entitlement request?
• Is there a way to check if a request is still active and under review?
• Is a finished website required for the entitlement to be granted?

Any information or guidance would be greatly appreciated!
VisionOS 2.0 Main Camera Access Enterprise Entitlement Not Recognized in Xcode
I am working on a project that requires access to the main camera on the Vision Pro. My main account holder applied for the necessary enterprise entitlement and we were approved and received the Enterprise.license file by email. I have added the Enterprise.license file to my project, and manually added the com.apple.developer.arkit.main-camera-access.allow entitlement to the entitlement file and set it to true since it was not available in the list when I tried to use the + Capability button in the Signing & Capabilities tab. I am getting an error:

Provisioning profile "iOS Team Provisioning Profile: " doesn't include the com.apple.developer.arkit.main-camera-access.allow entitlement.

I have checked the provisioning profile settings online, and there is no manual option for adding the main camera access entitlement, and it does not seem to be getting the approval from the license.
Background modes in Flutter project (Android Studio)
Hello, I'm developing an iOS app in Flutter, but I'm having trouble enabling Background Mode. I added the following configuration to Info.plist and Runner.entitlements:

    <key>UIBackgroundModes</key>
    <array>
        <string>processing</string>
        <string>fetch</string>
        <string>location</string>
    </array>

However, the Background Mode option doesn't appear in my App ID to be enabled. And the build fails with the message:

Provisioning profile "Ready Response ios_app_store ..." doesn't include the UIBackgroundModes entitlement.

How can I enable this option in my App ID? Note: I'm using Android Studio and publishing through Codemagic.
Added trusted certificate without prompting the user
Hi, I need to import a trusted certificate to the system keychain without prompting the user. I’m importing the certificate with this command line:

    sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" <certificate>

that is running from the post-install script of my PKG. I'm running the PKG from my daemon service. The certificate is imported to the keychain but it's not trusted. This is the error that I'm getting:

sectrustsettingssettrustsettings: the authorization was denied since no user interaction was possible.

What is the right way to do it? Thanks
Family Controls Capabilities missing from capabilities menu in Xcode
I am developing an app that will utilize the Family Controls capability to use the DeviceActivity API. I understand that I need to request access to the Family Controls entitlement before releasing the app, but I am nowhere near that stage. I want to be able to test the Family Controls/Device Activity APIs while developing the app in debug mode, but I don't have the ability to add the Family Controls capability to my app. When I go to add it, it doesn't show up in the available options of capabilities to add. Do I need authorization for the Family Controls entitlement to even use the APIs in testing/development? Am I missing a prerequisite checkbox somewhere that would add the capability to the available options? I'm using Xcode 16.0.
iOS IMSI Switching based on Signal strength
Requirements: Suppose a carrier provides multiple networks and an iPhone can switch to the best network based on signal strength.

Questions: In iOS, suppose we need to switch IMSI based on the best network available; is it possible to achieve that? We do have Apple carrier entitlements as well. Can we achieve this with an applet? If yes, please describe how we can create an applet and how the applet works to switch the IMSI profile.
Installing MS PowerPoint extensions on macOS 15
Hi, we are looking for a solution to install an extension to Microsoft PowerPoint app in a way that's compatible with the new macOS 15 behavior for Group Containers content.

PowerPoint extensions

Microsoft PowerPoint can be extended by PowerPoint Add-in (.ppam) files. These files must be installed in the app's container at this location:

~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/

The PPAM file must also be registered in the MicrosoftRegistrationDB.reg file, which is a sqlite database stored at this location:

~/Library/Group Containers/UBF8T346G9.Office/MicrosoftRegistrationDB.reg

These locations can be accessed by a non-sandboxed app on macOS 14 and earlier.

Slido integration

Our Slido app for macOS is distributed outside the Mac App Store, it is not sandboxed and it is signed and notarized. The Slido app will install the PPAM file to the documented location and register it in the database. This installation did not require additional user approval on macOS 14 and older. With changes to macOS 15, a new permissions dialog is shown with this text:

"Slido" would like to access data from other apps. This will allow Slido to integrate with Microsoft PowerPoint app. [Don't Allow] [Allow]

We understand this is a security feature, yet we would like to make the experience for customers much better. As users are able to save PPAM files to the location by themselves without additional permissions, they expect the Slido app would be able to do so as well when run in the user context. Slido installs its files to this location:

~/Library/Group Containers/UBF8T346G9.Office/User Content.localized/Add-Ins.localized/SlidoAddin.localized/

Can we obtain com.apple.security.temporary-exception.files.home-relative-path.read-write to the SlidoAddin.localized folder? Even when we are a different TeamID? Can we obtain a user permission which will be persisted so next time the Slido app can verify its files and uninstall them without further prompts?

By having access to the SlidoAddin.localized folder our app would not be able to access any other data in Microsoft PowerPoint. We understand accessing the MicrosoftRegistrationDB.reg file is more sensitive and getting an exception to access it would not be feasible. But we are trying to find out our options to make the experience seamless as that's what is expected by our customers on Apple platform. I am thankful for any guidance and constructive feedback.

Jozef, Tech Leader at Slido integrations team
Problems with multi-platform apps using app groups on macOS 15
This post is in response to the information on app groups posted here: https://developer.apple.com/forums/thread/721701

I have a multi-platform (macOS and iOS) app that uses an app group to store the Core Data database, so that extensions and widgets can also access the database. It seems to be impossible to add an app group in Xcode that doesn't start with group.. When I use the team identifier as detailed here, Xcode prepends group. to the app group identifier. So far, I've simply been using an app group identifier that looks like this: group.com.example.MyAppName. This has worked on macOS and iOS.

However, I noticed that when the app launches on macOS 15, the user is shown a dialog that says " would like to access data from other apps." If the user selects "Don't Allow", the app will crash, since it can't access the Core Data database located in the app group directory.

How can I work around this, considering that this is a multi-platform app, and both the iOS and macOS versions need to store the Core Data database in the app group directory? What is the proper way to configure app groups for multi-platform apps?
Transporter and entitlement
From Transporter I got this error:

App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.abirtz.lnc.pkg/Payload/lnc.app/Contents/MacOS/lnc" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app.

The lnc.entitlements file is:

What is wrong? Thank you.
Core Bluetooth and Authorization Plugin: Why is Core Bluetooth Not Allowed While Multipeer Framework Works?
I need to integrate BLE (Bluetooth Low Energy) functionality into an authorization plugin. Specifically, I want to use a beacon to send a notification to the user if the app is not running or has been killed. However, I’ve encountered a significant limitation: Core Bluetooth is not permitted to be used within authorization plugins, whereas the Multipeer Connectivity framework, which uses WiFi, operates without issue. This has led me to a few questions:

• What are the fundamental differences in entitlements or restrictions between Core Bluetooth and the Multipeer Connectivity (WiFi) framework that could explain why Core Bluetooth is disallowed in authorization plugins?
• Are there specific technical or security concerns associated with Core Bluetooth that prevent its use in these contexts, while the Multipeer Connectivity framework is allowed?
• Given that Google’s Nearby Connections API can work within authorization plugins, could there be any similar approaches or best practices for implementing BLE functionality in scenarios involving authorization plugins?

For reference, you can check Google’s Nearby Connections API here: Google Nearby Connections - https://developers.google.com/nearby/connections/swift/get-started

Any insights or suggestions on how to overcome this limitation or alternative approaches to achieve the desired functionality would be greatly appreciated. Thank you in advance for your help!
Can't get assistive access - error using system events in AppleScript
We have a sandboxed Final Cut Pro (FCP) workflow extension that needs to control FCP to export the current video project. When executing an AppleScript, we encounter the error: "System Events got an error: FCPExtension (Final Cut Pro) is not allowed assistive access." This occurs despite the container app having been granted automation and accessibility permissions by the user. What could be missing from the project to ensure the script runs without issues?

AppleScript:

    shareDestination("Destination")

    on shareDestination(_dest)
        tell application "Final Cut Pro"
            activate
        end tell
        tell application "System Events"
            set frontmost of process "Final Cut Pro" to true
            tell process "Final Cut Pro"
                perform action "AXRaise" of (first window whose name contains "Final Cut Pro")
                click menu bar 1
                tell menu bar 1
                    tell item 3 of menu bar items
                        tell menu 1
                            tell menu item 12
                                tell menu 1
                                    set menuItems to menu items whose title is (_dest & "…")
                                    if length of menuItems > 0 then
                                        set targetMenuItem to item 1 of menuItems
                                        if enabled of targetMenuItem then
                                            try
                                                click targetMenuItem
                                            on error errMsg number errNum
                                                error errMsg
                                            end try
                                        else
                                            error "Share destination is not enabled." & return & "Please try selecting an item in Final Cut Pro."
                                        end if
                                    else
                                        error "Share destination not found."
                                    end if
                                end tell
                            end tell
                        end tell
                    end tell
                end tell
            end tell
        end tell
    end shareDestination

As soon as the script reaches set frontmost of process "Final Cut Pro" to true it launches the error.
Prerequisites for an App to be approved for CarPlay?
We've been developing an app for emergency forces for years now. The app is used by thousands of volunteer fire fighters and medical emergency response forces on a daily basis. We want to enable our app to be available in CarPlay too. The app offers details about an event the emergency staff gets alerted for and also offers routing to the location of the event. Does anybody know the prerequisites to get an app approved for being available and published for CarPlay? Regards Boxson
Local push, sending custom data like APN
Hello, I'm doing some tests and I downloaded the sample from here: https://developer.apple.com/documentation/networkextension/local_push_connectivity/receiving_voice_and_text_communications_on_a_local_network

Everything works correctly and the phones are able to exchange messages without problems and the server sends pushes to the devices. Now I would like to modify the server so that, when it sends the push to the mobile device, it can change the sound or add other information as is possible when using APN. Is there any way to send a payload like for APN? Thanks, Omar
Migrating from CallKit to PushToTalk Framework for PTT Calls — Handling Incoming Calls and Cellular Conflicts
Hello everyone, I’m developing a VoIP-based application that supports both standard VoIP calls and Push-To-Talk (PTT) calls. The app does not use the unrestricted-voip entitlement since it’s not publicly documented or communicated as a standard by Apple. Previously, I handled PTT calls using CallKit after receiving PushKit notifications, but I’m now migrating PTT functionality to the PushToTalk Framework while keeping CallKit for standard VoIP calls. I’m facing a few challenges that I’d like help with:

Handling Incoming Push-To-Talk Calls When the App Is Closed and the Device Is Locked

I considered continuing to use PushKit notifications to alert users via CallKit and using CallKit until the user brings the app into the foreground, at which point I’d switch to the PushToTalk Framework. While this could technically work, the user experience is not ideal. Are there any recommended approaches for handling PTT calls in this state?

Handling Incoming PTT Calls When the App Is in the Background

According to Apple documentation, I cannot join a PTT session unless my app is in the foreground. However, in practical scenarios, we often receive incoming PTT calls while the app is in the background. What’s the best solution for this situation? It feels odd to show notifications or use CallKit until the app is foregrounded.

Conflict Between Ongoing PushToTalk Call and Incoming Cellular Call

Currently, if there’s an ongoing PushToTalk call using the PTT framework and a cellular call comes in, if I receive a PTT transmission and call requestBeginTransmission, the cellular call is ended. I can handle this within my app, but is this expected behavior? Is this the intended conflict management for concurrent PTT and cellular calls?

Lastly, a broader question: when will the unrestricted-voip entitlement stop working? I’m contemplating using this entitlement to handle incoming PTT calls without CallKit, but I’m concerned about its longevity. Some apps have been using it for messaging and other features for over four years, and it’s still functional for them.

Any guidance or insights on these points would be greatly appreciated! Thanks in advance!
My Final Cut Pro extension is not allowed assistive access
I’m building an app extension for Final Cut Pro. It includes a main app that doesn't perform any actions, an extension that handles the code execution, and an export app responsible for uploading the exported file. To assist the user, I’ve added an upload button that triggers an AppleScript. This script exports the current project and then uploads it. The AppleScript simply selects the share option and the appropriate share destination. However, the issue arises when I click the upload button: the app asks the user to grant Automation permission, allowing it to control Final Cut Pro and System Events. After granting this permission, the script proceeds to the AppleScript, but an error occurs, stating: System Events got an error: APP is not allowed assistive access. Is there a permission I'm missing?
Can't get app group capability for macOS in a Multiplatform app
I am in the process of creating a multiplatform app with a shared code base using SwiftUI for iOS and Mac. This app has a widget extension target for both iOS and Mac and a helper app for Mac only. I am trying to share data and UserDefaults between the main app and the widget extension for iOS, and for the Mac share data between the main app, widget extension and the helper app. I have set up an app group container to share data between all targets. However, this is only working on iOS. The app group capability is not extended to macOS. I have been researching for weeks now and all the answers I can find are for if the macOS app were a different target, which would entail me having the macOS group container prefixed with my team identifier. With a multiplatform app, the main app simply won't let me prefix the group container with my team identifier, which unfortunately Xcode prevents me from doing for a multiplatform app. I have no idea how to solve this issue and any help will be appreciated.
Sandboxed Electron macOS app can't access Photos library
I have an Electron app built for macOS, and it was distributed via 'Developer ID' for years, it worked well and I was able to access the photos in the system Photos library. Surely I already have the 'NSPhotoLibraryUsageDescription' key in Info.plist. Recently we are trying to publish this app to Mac App Store, so I have to turn on the sandbox, after that the app starts giving XPC errors while accessing the Photos library. The errors look like:

    PHAuthorizationStatus: Authorized
    CoreData: XPC: sendMessage: failed #0
    CoreData: XPC: Unable to sendMessage: to server
    ...
    CoreData: XPC: sendMessage: failed #7
    CoreData: XPC: Unable to connect to server with options { NSPersistentHistoryTrackingKey = 1; NSXPCStoreServerEndpointFactory = "<PLXPCPhotoLibraryStoreEndpointFactory: 0x7fc67e8af370>"; skipModelCheck = 1; }
    CoreData: XPC: Unable to load metadata: Error Domain=NSCocoaErrorDomain Code=134060 "A Core Data error occurred." UserInfo={Problem=Unable to send to server; failed after 8 attempts.}
    CoreData: fault: Unable to create token NSXPCConnection. NSXPCStoreServerEndpointFactory 0x7fc67e8af370 -newEndpoint returned nil
    CoreData: error: Failed to create NSXPCConnection

It seems the app could detect the current PHAuthorizationStatus which is Authorized, but it can't fetch the photos from the Photos library (using PhotoKit).
I learned from here that I could look for errors from the sandboxd daemon, so I did that, here is what I saw:

    Sandbox: Picture Keeper(32625) deny(1) mach-lookup com.apple.photos.service
    Violation: deny(1) mach-lookup com.apple.photos.service
    Process: Picture Keeper [32625]
    Path: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper
    Load Address: 0x103bd3000
    Identifier: com.simplifieditproducts.picturekeepermas
    Version: 4575 (4.5.75)
    Code Type: x86_64 (Native)
    Parent Process: Picture Keeper [1]
    Responsible: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper
    User ID: 501
    Date/Time: 2024-08-26 16:16:14.645 EDT
    OS Version: macOS 14.5 (23F79)
    Release Type: User
    Report Version: 8
    MetaData: {"process_path":["Users","Kevin","Projects","Electron","picturekeeper-electron","dist","picturekeeper","mas-dev","Picture Keeper.app","Contents","MacOS","Picture Keeper"],"apple-internal":false,"primary-filter":"global-name","policy-description":"Sandbox","flags":5,"platform-policy":false,"build":"macOS 14.5 (23F79)","process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","responsible-process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","primary-filter-value":"com.apple.photos.service","platform_binary":"no","responsible-process-signing-id":"com.simplifieditproducts.picturekeepermas","hardware":"Mac","target":"com.apple.photos.service","action":"deny","mach_namespace":1,"checker-pid":1,"container":"\/Users\/Kevin\/Library\/Containers\/com.simplifieditproducts.picturekeepermas\/Data","binary-in-trust-cache":false,"team-id":"LU744924UY","process":"Picture Keeper","global-name":"com.apple.photos.service","platform-binary":false,"pid":32625,"summary":"deny(1) mach-lookup com.apple.photos.service","checker":"launchd","responsible-process-team-id":"xxxxx","operation":"mach-lookup","normalized_target":["com.apple.photos.service"],"errno":1,"uid":501,"profile-flags":0,"profile-in-collection":false,"sandbox_checker":"launchd","signing-id":"com.simplifieditproducts.picturekeepermas","release-type":"User"}

I believe I already have the necessary entitlements for the Photos library, see:

    codesign -d --entitlements - /Applications/Picture\ Keeper.app/Contents/MacOS/Picture\ Keeper
    [Dict]
    [Key] com.apple.application-identifier [Value] [String] xxxx.com.simplifieditproducts.picturekeepermas
    [Key] com.apple.developer.team-identifier [Value] [String] xxxx
    [Key] com.apple.security.app-sandbox [Value] [Bool] true
    [Key] com.apple.security.application-groups [Value] [Array] [String] xxxx.com.simplifieditproducts.picturekeepermas
    [Key] com.apple.security.assets.movies.read-only [Value] [Bool] true
    [Key] com.apple.security.assets.music.read-only [Value] [Bool] true
    [Key] com.apple.security.assets.pictures.read-write [Value] [Bool] true
    [Key] com.apple.security.cs.allow-dyld-environment-variables [Value] [Bool] true
    [Key] com.apple.security.cs.allow-jit [Value] [Bool] true
    [Key] com.apple.security.cs.allow-unsigned-executable-memory [Value] [Bool] true
    [Key] com.apple.security.cs.disable-executable-page-protection [Value] [Bool] true
    [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true
    [Key] com.apple.security.device.usb [Value] [Bool] true
    [Key] com.apple.security.files.bookmarks.app-scope [Value] [Bool] true
    [Key] com.apple.security.files.bookmarks.document-scope [Value] [Bool] true
    [Key] com.apple.security.files.downloads.read-only [Value] [Bool] true
    [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true
    [Key] com.apple.security.network.client [Value] [Bool] true
    [Key] com.apple.security.network.server [Value] [Bool] true
    [Key] com.apple.security.personal-information.location [Value] [Bool] true
    [Key] com.apple.security.personal-information.photos-library [Value] [Bool] true

By the way, the Photos library related code was built into a .node file (which is a dylib), and it will be loaded by the main executable during runtime. Anything I missed? Thank you!
Voice to Text on a Beta platform
I'm writing an app that uses on-device voice to text for recognising scientific terms. It works fine on my phone but now in beta my first tester cannot make it work. All the permission requests are working: p&s Mic and Speech Recognition are both now enabled on the target device where the user granted the app permission. Is there something else I'm missing? Incidentally, both my phone, the target phone and my Xcode are fully up to date. Thanks.
