Entitlements

RSS for tag

Entitlements allow specific capabilities or security permissions for your apps.

Entitlements Documentation

Post

Replies

Boosts

Views

Activity

Attempted to install a Beta profile without the proper entitlement.
I'm trying to install from Xcode (15.4) to my physical device but I get the following error: Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.) The project was successfully building previously, but after encountering an issue while implementing Infobip (a 3rd party library for push notifications) where we weren't getting notifications sent from the Infobip dashboard, we had to change Provisioning Profile to one with a production setup for the aps-environment (given that the suggestion from the Infobip support team was to ensure that the provisioning profile and environment match). Note that it was development before. After downloading the new Provisioning Profile onto Xcode, the project fails to build now with the error mentioned above. I don't know what to do now, and I'm stuck.
0
1
520
Aug ’24
App Sandbox and UDP broadcast
When using the following API, is it expected that the app would require both incoming and outgoing permissions with App Sandbox? public func sendto(_: Int32, _: UnsafeRawPointer!, _: Int, _: Int32, _: UnsafePointer<sockaddr>!, _: socklen_t) -> Int Since I'm only sending UDP broadcasts, I would have expected outgoing to be sufficient. Thanks!
2
0
354
Aug ’24
How to get a Smart Card reader to run?
Hi, I'm trying to get a smart card reader to run with Xcode. I set up the com.apple.security.smartcard entitlement in the .entitlements file and added it in Bild Settings -> Code Signing Entitlements. But when I run: codesign -d --entitlements - Path/to/App, nothing smart card related shows up. Also the TKSmartCardSlotManager.default isn't nil, but .slotNames are. Do I have to install some drivers manually? Please help.
1
0
345
Aug ’24
Provisioning profile with network extension capability giving error after adding packet tunnel capability in xcode
I am working on mac app development which will be distributed outside the App Store. I added the network extension capability to my project and created a bundle id and provisioning profile with the same feature. When I configured the provisioning profile using Xcode (manual signing), it was configured fine. But when I added the packet tunnel capability to my network extension, it started giving me an error. I have created a Developer ID Application Certificate and use it when creating a provisioning profile. I have followed steps mentioned here for doing same: Distribute outside the Mac App Store (macOS), Network Extensions Entitlement Is this any Xcode bug or am I missing something? Please check screenshot below for error.
1
0
549
Aug ’24
Endpoint Security and Developer ID Application certificate
Hi, We have recently been approved for Endpoint Security entitlement on our account. We have an application (golang) that we need to assign this entitlement and sign manually. We have packaged the entitlement correctly with the application. We have tried using a Developer ID Application certificate that we created before this entitlement was given to our account and also with a newly created certificate. However the application crashes when it is launched and I see the following error in the console logs (the full crash report is too big to post). Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate? Any help would be much appreciated, we have been stuck on this for a bit. Thanks Sriram Translated Report (Full Report Below) Incident Identifier: EAA48D72-705A-420B-8179-6D9049A81657 CrashReporter Key: 4F18A957-F0B8-BE5D-A1D7-74191ABCF38A Hardware Model: MacBookPro14,1 Process: endpoint-security-example-test [6728] Path: /Users/USER/*/endpoint-security-example-test Identifier: endpoint-security-example-test Version: ??? Code Type: X86-64 (Native) Role: Unspecified Parent Process: zsh [2463] Coalition: com.apple.Terminal [1663] Responsible Process: Terminal [2417] Date/Time: 2024-07-31 13:34:45.7397 -0700 Launch Time: 2024-07-31 13:34:45.7294 -0700 OS Version: macOS 13.6.8 (22G820) Release Type: User Report Version: 104 Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature Triggered by Thread: 0 Thread 0 Crashed: 0 0x116b40070 _dyld_start + 0 1 ??? 0x1 ??? Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b0da09d0 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x0000000116b40070 rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x116b3b000 - 0x116bd6fff () <2b649d59-89d8-3db6-9ba4-a6aecba42f6e> ??? 0x10f15f000 - 0x10f21afff () <9440f210-132b-3da1-b7f5-4d2d62bc8e0d> ??? 0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ??? Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed EOF
1
0
580
Jul ’24
Obtaining carrier entitlements for development on behalf of carriers
Hello I work for a company which is not itself a carrier, however we develop applications on behalf of carriers (the relationship between us and several large household name US carriers has existed for many years). The applications that we develop typically need carrier and/or special entitlements, for example: com.apple.CommCenter.fine-grained/public-subscriber-info com.apple.developer.coretelephony.sim-inserted com.apple.developer.pushkit.unrestricted-voip com.apple.developer.usernotifications.filtering com.apple.developer.associated-domains Obtaining those entitlements for the carrier applications that are released to the App Store is itself not a problem as the customers apply for them and they are duly granted and applied to the applications. However, what is a problem is working around the strict Apple development and distribution requirements and limitations, and the consequences that has given that the apps don't belong to our Apple account but the customers. Typically, a customer would provide us a developer certificate and set of provisioning profiles, but they would keep the distribution certificate and do the TestFlight/App Store release themselves. There's two limitations that come into play here, the first is that we can't distribute the app to TestFlight and secondly, we can only install the customer's apps on hardware registered with their Apple account. Given how the limitation for that is 100 in total, and these are large companies, they just don't have slots available and hence we might have a single device on which their app can run. These are very severe limitations given the complex nature of the applications and the need to have several developers/testers involved, which isn't possible. To mitigate those limitations we have "mirror" versions of customers' apps, these are apps which are identical to the customer apps except they have bundle ids registered to our Apple account. This enables the apps to be developed by any number of developers and distributed via Testfight and hence to any number of testers. But the problem is, the functionality of the mirror apps is severely reduced due to the fact they don't have the entitlements of the customers' apps. To get to the point of the post - I would like to know if there any potential solutions to this? For example: could it be possible for our mirror applications to be granted required entitlements (given the relationships we have with the customers. I'm sure the customers could vouch for us as a company and the need for this) could the entitlements be granted if we switched the mirror apps over to an Enterprise account (as enterprise apps can't be released to the App Store)? any other technical options or suggestions? Thank you
1
0
623
Jul ’24
Audio Entitlements stopped working seemingly since macOS 14.5
I have an app that gets successfully notarised with microphone entitlements and everything was working fine (i.e. the app could receive audio input) up to macOS 14.4.1. Since upgrading to 14.5 it seems that none of the versions that were previously working up to 14.4.1 are working anymore with 14.5 with respect to receiving audio input. Ive tried using the microphone entitlement as well as the audio-input entitlement. I should note that im using cmake to build my app through an external git actions CI/CD pipeline and this is the version that no longer seems to be getting the entitlements correctly. When I build using the latest version of Xcode I can see that the app does seem to be getting the correct entitlements but I cant work out what the difference is. Is there anything thats changed with respect to entitlements in macOS 14.5? Should I be using microphone or audio-input entitlements? ( believe one is more for Sandboxed app and the other is for hardened runtime. Is that correct? Note: Im not distributing through the Mac App Store) Any guidance would be greatly appreciated! 🙏
3
0
423
Jul ’24
Can’t sign with com.apple.developer.applesignin
Hi… I’m struggling with Sign in With Apple and the problem is exacerbated by it being in a Qt6 / C++ MacOS app which uses ObjC to do interact with Apple Frameworks. Outsude XCode, of course, because we use QT Creator. I’m pretty sure that I set it up correctly by implementing an @interface CWAppleAuthenticationServiceImpl : NSObject <ASAuthorizationControllerPresentationContextProviding,ASAuthorizationControllerDelegate> - (id)initWithOwner:(MyAppleAuthenticationService *) owner; and all the rest. Code compiles an runs, and when when I call [controller performRequests] the presentationAnchorForAuthorizationController gets called. But nothing visible happens in the app. Instead it jumps right into didCompleteWithError , so I guess I did connect everything correctly – except that it doesn’t work correctly. So I sign the app, providing the entitlements <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.applesignin</key> <array> <string>Default</string> </array> </dict> </plist> Signing and Notarisation works, but when I start the app, it crashes. The entitlesments are part of the app, i checked that with codesign which claims that everything is fine. The crash appears to be the same as described in https://forums.developer.apple.com/forums/thread/698870, i.e. "Error of invalid code signature" . This is backed by me signing it without entitlements, which yields a working and running application, albeit without signIn capabilities. I’m a bit stumped.
2
0
522
Jul ’24
JS JIT crash, Entitlements.plist and CI
I'm getting the following crash in my app Incident Identifier: 5321CD04-430E-4B10-9467-F416E792F3D6 CrashReporter Key: 1414d117f3d2793f073dc033c9395dccac5f6020 Hardware Model: iPad12,1 Process: XxXxXx [591] Path: /private/var/containers/Bundle/Application/8A296C9B-52EF-4288-B102-58868A7FD139/XxXxXx.app/XxXxXx Identifier: co.XxXxXx.XxXxXx.J873G84M8Q Version: 1.10 (1.10.6) Code Type: ARM-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: uk.co.XxXxXx.XxXxXx.J873G84M8Q [522] Date/Time: 2024-07-22 14:37:00.3901 +0100 Launch Time: 2024-07-22 14:37:00.1082 +0100 OS Version: iPhone OS 17.2 (21C62) Release Type: User Report Version: 104 Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Subtype: KERN_PROTECTION_FAILURE at 0x000000010c61c000 Exception Codes: 0x0000000000000002, 0x000000010c61c000 VM Region Info: 0x10c61c000 is in 0x10c61c000-0x10c620000; bytes after start: 0 bytes before end: 16383 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL MALLOC_LARGE 10c5e4000-10c61c000 [ 224K] rw-/rwx SM=PRV ---> JS JIT generated code 10c61c000-10c620000 [ 16K] r--/rw- SM=PRV GAP OF 0x613cc000 BYTES Stack Guard 16d9ec000-16d9f0000 [ 16K] ---/rwx SM=NUL Termination Reason: SIGNAL 10 Bus error: 10 Terminating Process: exc handler [591] Triggered by Thread: 0 I'm assuming that I need to add the following entitlement to Entitlements.plist <key>com.apple.security.cs.allow-jit</key> <true/> From within XCode I can see how to do this, what I can't figure out is how to do the same thing on our CI server without manually managing the signing process of the application using codesign. How can I add the above entitlement to my application using xcodebuild or is this even possible?
3
0
495
Jul ’24
Change or Add USB Vendor ID in entitlement
In my account, there is already a driver kit usb transport vendor id(4070) in the Identifiers capability . I posted a new request for new usb vendor id(14203) , and there are now 2 driver kit usb transport vendor id entitlement in the account's identifiers, one is for old id (4070), another is not for new id(14203). so how can I add a new usb vendor id ? or change the old one?
2
0
576
Jul ’24
How to reset system's assessment of an app's container access
Due to changes in macOS 15 Sequoia with respect to container privacy/privileges, I have observed warnings with one of my apps (non-sandboxed) when its subsidiary crash reporter process tries to access the host app's data folder. I THINK I've worked around this issue by granting the crash reporter and the host app access to the same application group. I'm not 100% sure how all this works except that the problem went away :) The problem is, once the problem goes away on a given system, it goes away for good! Even with subsequent attempts to open a version of the app before the fix was in place, the system warning is not presented. I've tried to reset SystemPolicyAppBundles on the app via tccutil, but it makes no difference. Using the wisdom from one of Quinn's posts (https://developer.apple.com/forums/thread/706442) I set up a log stream invocation to try to gather clues, and I notice that when I launch my app now, I see messages like: Found provenance data on process: TA(82542d1beaf132a6, 2), 51084 Process was already in provenance sandbox, skipping: 51084, TA(82542d1beaf132a6, 2) I suspect this "provenance" may reflect the change in how the system treats my application. First: I wonder if it's a bug that any change in "provenance" should retroactively apply to versions of the app before the change was made. Second, I wonder if there's some way to RESET this provenance so that I can reproduce the bug again? I might be able to reproduce it by changing the bundle ID for the app but for purposes of testing against existing, shipped versions of the app, I'd love to be able to reset things for sanity-checking.
2
0
810
Jul ’24
Endpoint Security entitlement for internal distribution
My company is developing internal security software to deploy exclusively on corporate Mac endpoints. We are using the Endpoint Security framework, which requires the restricted com.apple.developer.endpoint-security.client entitlement. We were granted development access to this entitlement, but we have been denied distribution access. It's not practical to use ad-hoc provisioning for distributing the app internally to our users. Unfortunately the brief denial message did not provide any advice for a path forward. If my company signed up for the Apple Developer Enterprise Program (https://developer.apple.com/programs/enterprise/), is it possible to grant the Endpoint Security entitlement for internal enterprise distribution? Otherwise, we appear to be stuck and unable to use Endpoint Security for our internal applications.
1
0
557
Jul ’24
"SYSTEM EXTENSION" entitlements in framework
Hello everyone! I'm developing framework and app for macOS for PCI devices. For communication with driverkit, I'm verifying by giving userclient access entities of system extension to app. However, the app is just a sample program, and our customer is trying to develop the app using a framework with PCI communication part. Is there a way to build a framework with my company's signature, and to build and execute it without acquiring userclient access elements by any chance by a customer developer? Moreover, userclient access is only available to developers who have subscribed to the Apple Developer Program, so I hope that client/developers do not need to obtain separate entries.
3
0
583
Jul ’24
Apple store connect requests sandbox entitlement for the PCI DriverKit System Extension
Hi, I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem. Once we decided to place the project to the Apple Store the review team requested to add "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file ( I couldn't do that using the Xcode add entitlement section because since it is a driverkit project, the "App sandbox" is not visible in the entitlements page ) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process. I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck. I feel like I'm being misled by the review team. Do you know if the "App sandbox" entitlement is applicable to a DriverKit project ?
3
1
746
Jun ’24
Building the camera extension using CMake
Hello, I referred to the official camera extension example at https://developer.apple.com/documentation/coremediaio/creating_a_camera_extension_with_core_media_i_o?language=objc. I'm using CMake to build the camera extension plugin and integrate it into a Qt CMake project. When installing the system extension file, I receive a failure prompt with the following message: Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements} Here are the entitlements files for the camera extension: &lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt; &lt;!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"&gt; &lt;plist version=\"1.0\"&gt; &lt;dict&gt; &lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.application-groups&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.yealink.meeting.app&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt; The info.List.in file for the camera extension: &lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt; &lt;!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"&gt; &lt;plist version=\"1.0\"&gt; &lt;dict&gt; &lt;key&gt;CMIOExtension&lt;/key&gt; &lt;dict&gt; &lt;key&gt;CMIOExtensionMachServiceName&lt;/key&gt; &lt;string&gt;$(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)&lt;/string&gt; &lt;/dict&gt; &lt;/dict&gt; &lt;/plist&gt; And the entitlements file for the app: &lt;?xml version=\"1.0\" encoding=\"UTF-8\"?&gt; &lt;!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\"&gt; &lt;plist version=\"1.0\"&gt; &lt;dict&gt; &lt;key&gt;com.apple.developer.system-extension.install&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.application-groups&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.yealink.meeting.app&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.security.device.camera&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.device.microphone&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.device.usb&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.network.client&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.network.server&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.personal-information.location&lt;/key&gt; &lt;true/&gt; &lt;/dict&gt; &lt;/plist&gt; I'm looking forward to your response.
1
0
528
Jun ’24
Attempted to install a Beta profile without the proper entitlement
We're seeing an issue where our app builds that previously were working suddenly started failing to install through TestFlight. When the user hits Update in TestFlight, they get an error message "The profile can't be installed. Try again.". Double checked the certificates and provisioning profiles, rebuilt and deployed the app, still same issue. We subsequently tried side loading the ipa file using XCode hoping for more detail. The install failed there as well, with the following error message: "Attempted to install a Beta profile without the proper entitlement." Seems like a good lead but haven't found much. Our provisioning profiles have the "beta-reports-active: true" entitlement and anyway haven't changed since it was working previously. Any idea what could be going on here? Here's the full error from XCode: Error installing 'APP.ipa', ERROR: Error Domain=com.apple.dt.CoreDeviceError Code=3002 "Failed to install the app on the device." UserInfo={NSLocalizedDescription=Failed to install the app on the device., NSURL=file:///APP.ipa, NSUnderlyingError=0x60000372ea00 {Error Domain=IXUserPresentableErrorDomain Code=14 "Unable to Install “APP”" UserInfo={NSUnderlyingError=0x60000372e5e0 {Error Domain=MIInstallerErrorDomain Code=13 "Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" UserInfo={FunctionName=-[MIInstallableBundle _installEmbeddedProfilesWithError:], LegacyErrorString=ApplicationVerificationFailed, SourceFileLine=308, LibMISErrorNumber=-402620385, NSLocalizedDescription=Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)}}, NSLocalizedDescription=Unable to Install “APP”, NSLocalizedRecoverySuggestion=Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.), NSLocalizedFailureReason=This app cannot be installed because its integrity could not be verified.}}} Domain: com.apple.dt.DVTCoreDevice Code: -1 User Info: { DVTErrorCreationDateKey = "2024-06-19 19:40:04 +0000"; } -- System Information macOS Version 14.2.1 (Build 23C71) Xcode 15.2 (22503) (Build 15C500b) Timestamp: 2024-06-19T14:40:04-05:00
1
3
2.1k
Jun ’24
Contact Note Entitlement Disappearing For 'Release' Build Configuration
A few months ago I requested access to the com.apple.developer.contacts.notes entitlement, which I now have access to. While running on 'Debug' build configuration, everything works as expected. When creating a 'Release' build, however, the entitlement does not appear to be included with the app, as the console reports that fetching the note for each contact fails. When I try to add the "Contact Notes" capability in Xcode, under the 'Release' tab in the project settings, the capability appears for a few seconds, then disappears when I move to a different tab and return. This does not happen for the 'Debug' configuration. Attempted Resolutions: Changing the signing configuraiton from 'Automatic' to 'Manual', using a manually generated provisioning profile. I manually inspected the provisioning profile using the terminal to ensure it included the entitlement. Creating a separate entitlement file with com.apple.developer.contacts.notes, adding it to the root of the project. Ensuring that the path to this file is correct on the 'Release' configuration. Ensuring 'Contacts Notes Field Access' is enabled under 'Additional Capabilities' in the Developer portal. Adding the capability on Xcode. Below is the inspector displaying the provisioning profile for the 'Debug' Configuration: And the following image below shows the inspector details for the 'Release' Configuration provisioning profile: When I use a manual provisioning profile and an entitlements file at the root of the project, Xcode displays this strange error:
3
0
694
Jun ’24
App sandbox not enabled.
App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.xx.pkg/Payload/xx.app//Contents/Resources/ss-local", "ccom.xx.pkg/Payload/xx.app//Contents/Resources/v2ray-plugin" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: ca7d4fde-0f0d-4a71-9eee-a01692797549)
3
0
766
Jun ’24
Add permissions for private entitlement
I have a pretty simply macOS application which I've just been trying to fix since a long time ago. It's origin is really old, using the apple 802.11 framework located in /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Apple80211 and it's supposed to just scan the area and display information about the local networks nearby. For some reason when I run the application and press the button to scan for local networks (wifi scan) It errors out and in the Xcode console I get Process WiFiInfo is missing entitlement required for Wi-Fi user-client access: &amp;lt;key&amp;gt;com.apple.private.driverkit.driver-access&amp;lt;/key&amp;gt; &amp;lt;string&amp;gt;com.apple.private.wifi.driverkit&amp;lt;/string&amp;gt; If I add those two lines to the entitlements, Xcode fails to sign my application and fails to build and run Provisioning profile "Mac Team Provisioning Profile: com.troger.WiFiInfo" doesn't include the com.apple.private.driverkit.driver-access entitlement. Any way I can fix this? I would really like to get this application back up to its running state as it once was before but am completely lost on how to fix this
2
0
727
Jun ’24