In enterprise environments it can be tricky to develop innovative applications leveraging the full value of the hardware. The code signing capabilities on iOS are much more restrictive compared to macOS, and has been for years. Is it really too much to ask for more control over the applications we can use in development environments.
For bespoke applications being able to have control over hardware is something that has been missing for a long time. The ability to sign with com.apple.security.iokit-user-client-class and com.apple.security.temporary-exception.sbpl in development and enterprise solutions would allow for far greater integration with the devices.
What reasons are there to avoid allowing this on iOS when macOS has much less restrictive control, the lack of continuity between the systems does not help the "level playing field".
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
We have an iOS project that is configured with automatically managed signing. We cannot get automatic signing to work on our CI (GitHub Actions). To even get xcodebuild to archive we have to force it to not sign at all:
xcrun xcodebuild \
-workspace app.xcworkspace \
-scheme prod \
-configuration 'Release' \
-destination generic/platform=iOS \
-archivePath ./build/prod.xcarchive \
CODE_SIGN_IDENTITY="" \
CODE_SIGNING_REQUIRED=NO \
CODE_SIGNING_ALLOWED=NO \
clean archive
All our attempts to make xcodebuild archive do manual signing have failed.
In order to have the app properly signed with the right entitlements we then call codesign:
codesign -f \
-s Distribution \
--entitlements prod.entitlements \
./build/prod.xcarchive/Products/Applications/prod.app
Then we export the ipa:
xcrun xcodebuild \
-exportArchive \
-archivePath ./build \
-exportOptionsPlist exportOptions.plist \
-exportPath ./build
This seems to work so my question is: Is it supported to do manual signing this way? Is there a better way?
If we omit the codesign step, the app will still be signed - by exportArchive we assume, but then the entitlements are missing.
We have trying to programmatically send data to Final Cut Pro by using Apple Event as decribed in Sending Data Programmatically to Final Cut Pro :
tell application "Final Cut Pro"
activate
open POSIX file "/Users/JohnDoe/Documents/UberMAM/MyEvents.fcpxml"
end tell
This works fine in Script Editor but we run into problems when trying to do the same in our macOS app.
We found interesting information in Workflow Extensions SDK 1.0.2 Release Notes.pdf.
A) Hardened runtime has "Apple Events Enabled" checked.
B) Info.plist contains NSAppleEventsUsageDescription:
<key>NSAppleEventsUsageDescription</key>
<string>Test string</string>
C) We added following entitlements:
<key>com.apple.security.scripting-targets</key>
<dict>
<key>com.apple.FinalCut</key>
<array>
<string>com.apple.FinalCut.library.inspection</string>
</array>
<key>com.apple.FinalCutTrial</key>
<array>
<string>com.apple.FinalCut.library.inspection</string>
</array>
</dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
With this configuration in place, our app is able to call AppleScript to activate Final Cut Pro application but it is unable to open the file. Following error is returned:
Error executing AppleScript: {
NSAppleScriptErrorAppName = "Final Cut Pro Trial";
NSAppleScriptErrorBriefMessage = "A privilege violation occurred.";
NSAppleScriptErrorMessage = "Final Cut Pro Trial got an error: A privilege violation occurred.";
NSAppleScriptErrorNumber = "-10004";
NSAppleScriptErrorRange = "NSRange: {56, 64}";
}
Also there is no prompt asking user to allow Automation from our app to Final Cut. I am not sure whether the prompt is to be expected when developing an application in Xcode.
Our current workaround is to add (or even replace com.apple.security.scripting-targets with): com.apple.security.temporary-exception.apple-events entitlement like this
<key>com.apple.security.temporary-exception.apple-events</key>
<array>
<key>com.apple.FinalCutTrial</key>
</array>
However while this approach might work in development we know this would probably prevent us from publishing the app to Mac App Store.
I think we are missing something obvious. Could you help? :-)
HI!
I am developing an application that should utilize ScriptingBridge.framework to interact with another process. Firstly, I created a separate test application for which I have added Apple Events entitlements via "Signing & Capabilities" section in Xcode and updated its Info.plist to have "Privacy - AppleEvents Sending Usage Description". While the test app works fine (I see an automation request popup and the process executes as expected) the main application where I want to integrate this functionality gets closed immediately after reaching the code interacting with Scripting Bridge.
On its launch, I see the following error message from tccd in Console:
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<app bundleID>, ..., binary_path=<path to the app's binary>}
I had no such issues with the test app. Moreover, I should mention that the bundle I want to have with such functionality is stored in another bundle, both main and inner bundles aren't sandboxed, and the target app has Application is agent (UIElement) key set in Info.plist.
Can you suggest any ideas as to why processes behave so differently despite having pretty much the same build configurations?
Hi,
I wanted to use Siri Capability for a WatchOS app, however in xcode on a WatchOS project, the option to add Siri is not present.
In an IOS project this is visible but if you are not part of the ADP or ADEP you do not have access to it, this message appears in red if you try to select it as a personal team.
I am considering paying to join the ADP but I am unsure if it will unlock the ability to use Siri capability on WatchOS. It looks like it is completely unsupported as it cannot be even selected from the capabilities section in xcode , even though Apple states it is supported under ADP and ADEP on their website. I am a little confused.
Does anyone else have this issue, or is Siri present under capabilities for you in a WatchOS project?
Hi, we are a Carrier company (Utility provider) and working on a feature to display real-time Wifi Signal strength of customer devices (connected to Router Gateway) to help customers identify low and high signal areas, and possibly install extenders to improve signal strength at weak points. This feature requires NEHotspotHelper entitlement approval to access signalStrength property. We went through this Apple documentation too and we're open to other recommendations from Apple https://developer.apple.com/forums/thread/721067 .
Since we currently don't have direct point of contact with Apple to discuss this requirement, hence wanted to check it here. Kindly advise. Thanks !
I'm looking to automate device provisioning using App Store Connect API.
Two things are snagging me:
Updating Profiles API: Adding a new device seems clunky (read-all-devices, save, delete profile, recreate with a new device). Is there a simpler way to do it? I looked over the documentation and it seems like there's no streamlined way to do it, am I correct?
Entitlements API: Not public yet? Does anyone know about any plans to open it up soon? I asked Apple Support and they didn't provide any information on this. Specifying entitlements during provisioning is an important step.
Thanks for any help!
I need to obtain the user's EID within my app.
We are a mobile network operator and have also applied for Apple's eSIM development.
Does Apple provide a certified developer access to an API for obtaining EID? I understand that there is no public API available, but I'm unsure if approved operators can access EID. If so, how can I apply for this private API?
Hi,
My application doesn't start playback anymore after signing it with entitlements.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
regards, Joël
We have a legacy app written in a mix of C, ObjC, C++ and ObjC++ with .xib files. It is not sandboxed.
It sends an Apple Event to TV (the app of that name from Apple, not a physical TV) using /usr/bin/osascript, calling a compiled Apple Script which is in our app bundle's Resources directory with parameters which we generate in our app at runtime. The first time it does this on a fresh system, the OS puts up a dialog asking for permission to control TV, and after the user clicks Allow, our app appears under Security and Privacy in the Automation section.
That's all fine, but what is unexpected is that the app has no Apple Events entitlement (com.apple.security.automation.apple-events), and it doesn't have a NSAppleEventsUsageDescription string either. The documentation at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events says
Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID.
but we're not on the Apple team.
When I filter the log for messages from tccd pertaining to our app, it does indeed complain :
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<our bundle id>”
But despite those complaints, everything works - I can send the event, and TV acts upon it. Is this working only by accident, and might fail in some minor future OS update?
tccd also complains about the microphone
Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for requesting={TCCDProcess: identifier=<our bundle ID>
but we don't use the microphone
tccd complains about this too
<path-to-our-app> attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement
What does that mean, and should we be concerned?
Hi,
Can a single domain serve a /.well-known/apple-app-site-association file for multiple apps from different developers?
We currently have our own domain, let's say example.com,
which serves https://example.com/.well-known/apple-app-site-association
which lists our app, let's say "ABCDEFG.com.example.AppA" for path "/app/a".
We're talking with another developer who has another app on the store.
Can we add their app, "MNOPQR.com.different.AppB" on our site, https://example.com/.well-known/apple-app-site-association, add their app ID for path "/app/b",
ask them to add our example.com domain in their associated-domains entitlement,
and would it work?
I mean would https://example.com/app/a open our app "ABCDEFG.com.example.AppA" and https://example.com/app/b open their app "MNOPQR.com.different.AppB" ?
We want to open https://example.com/redirect/app redirect to either /app/a or /app/b depending on the query parameters and launch our or their app.
Thanks in advance!
How to add Additional capabilities in Certificates, Identifiers & Profiles on app store account to Enable the Tap to Pay on iPhone capability.
**Why does using CameraPicker require user authorization through a pop-up? **
Why don't ImagePicker or PhotoPicker require additional pop-up authorizations for accessing the photo library? All of these are implemented using UIImagePickerController, so why does one require a pop-up and the others do not?
Additionally, I thought that by configuring the picker, I would theoretically not need any permissions. If permissions are still required, wouldn’t it make more sense to directly request camera permissions and utilize the native camera functionality? What then are the advantages of using the picker?
Hello,
I am writing a Desktop application for macOS with XCode.
This application will be available on app store. So, i have to put sandbox entitlement.
So, this application won't be able to access Desktop folder. It will be jailed into a specific directory to store datas.
I have installed a macOS application from appstore. When I launched this application, I got a TCC prompt, asking me to allow this application to access Desktop (or Downloads I don't remember). How can this be possible ?
I have tried to write a sandboxed application which tries to access to Desktop folder. I didn't get any TCC prompt: My access was rejected.
How can I ask to access Desktop folder from I sandboxed application ?
Thanks a lot
Hey, I am trying to use Family Controls in Mac Catalyst. On the iOS app it works fine. On macOs using Mac Catalyst it builds fine but I get following console output.
Failed to get service proxy: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction." UserInfo={NSDebugDescription=The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction.}`
When i try to open the FamilyActivityPicker on the macOs app following error is displayed in the GUI.
The operation could not be completed. (FamilyControls.ActivityPickerRemoteView Error error 2.)
Do I need a familyControls capability for macOs? If yes, I only find it for iOS.
Thanks for hints and help :)
Hi All,
I submitted a Family Controls Request Form but haven't heard back. I didn't get any case id when I submitted the request, so how do you track it and know when It is approved?
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
This is really worrying for us as our project is almost ready and we are unable to launch it :( . Would appreciate any responses.
Thanks,
After updating to Xcode 15.3 and Sonoma, I started getting an error when packaging my app:
Provisioning profile failed qualification
Profile doesn't include the com.apple.developer.mail-client entitlement.
There is no indication in the documentation that this has anything to do with the provisioning profile, and there is no capacility that needs to be added.
I was given the "com.apple.developer.mail-client" entitlement from Apple over a year ago as documented in: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_mail-client, and it worked fine until now.
I requested the com.apple.developer.device-information.user-assigned-device-name entitlement on Feb 11 and received an email reply stating "We’ll contact you within a few weeks with your request status." However, it's been more than a month without any updates.
Can anyone chime in with their experience RE: how long it took for Apple to review their request for this entitlement?
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_device-information_user-assigned-device-name
I have a macOS app which contains a dext. I'd like to distribute it to external testers using TestFlight, so it has to pass Mac App Store review. It failed, because the App Sandbox entitlement was missing.
I checked the app, it has the entitlement, but the dext does not. However, the .entitlements file used by the dext does contain App Sandbox set to true.
I tried adding a "fake-entitlement" value to the .entitlements file, and that made it into the dext's code signature, but the App Sandbox entitlement appears to be stripped out by the build process?
For a dext target, it isn't possible to add the App Sandbox capability in Xcode's Signing and Capability section. I have to add the entitlement manually in the .entitlement file (or it was put there by the Xcode driver template, I don't remember).
I've tried clean building several times, I've tried Xcode 15.0.1, 15.2 and 15.3, but the result is always the same. I'm inspecting the entitlements using
codesign -dvvv --entitlements -
Does anyone know what I can do to put the App Sandbox entitlement into my dext's signature? Is this happening to anyone else?
Hello everyone!
Since iOS 17.4, it's now easier to set up an eSIM from a browser/email or with a link. We can now longpress the QR code to get the option to add an eSIM. Is it still required to have that private entitlement to enable the same functionality in-app but not in a browser? Seems odd. I can store QR codes on Imgur to install eSIM but can't do the same with my native app by CTCellularPlanProvisioning.addPlan method. Redirecting users to the browser seems like a workaround, but it creates a noticeable discrepancy in usability.
I might have overlooked some SDK updates or new methods. Are there any new approaches to enable in-app eSIM setup with the latest update?
Secondly, in the "Other eSIM activation methods" section of this page, a special link is mentioned, but I couldn't find any examples or resources for that.
Thanks