Hi,
My application doesn't start playback anymore after signing it with entitlements.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
regards, Joël
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
I need to obtain the user's EID within my app.
We are a mobile network operator and have also applied for Apple's eSIM development.
Does Apple provide a certified developer access to an API for obtaining EID? I understand that there is no public API available, but I'm unsure if approved operators can access EID. If so, how can I apply for this private API?
I'm looking to automate device provisioning using App Store Connect API.
Two things are snagging me:
Updating Profiles API: Adding a new device seems clunky (read-all-devices, save, delete profile, recreate with a new device). Is there a simpler way to do it? I looked over the documentation and it seems like there's no streamlined way to do it, am I correct?
Entitlements API: Not public yet? Does anyone know about any plans to open it up soon? I asked Apple Support and they didn't provide any information on this. Specifying entitlements during provisioning is an important step.
Thanks for any help!
Hi, we are a Carrier company (Utility provider) and working on a feature to display real-time Wifi Signal strength of customer devices (connected to Router Gateway) to help customers identify low and high signal areas, and possibly install extenders to improve signal strength at weak points. This feature requires NEHotspotHelper entitlement approval to access signalStrength property. We went through this Apple documentation too and we're open to other recommendations from Apple https://developer.apple.com/forums/thread/721067 .
Since we currently don't have direct point of contact with Apple to discuss this requirement, hence wanted to check it here. Kindly advise. Thanks !
Hi,
I wanted to use Siri Capability for a WatchOS app, however in xcode on a WatchOS project, the option to add Siri is not present.
In an IOS project this is visible but if you are not part of the ADP or ADEP you do not have access to it, this message appears in red if you try to select it as a personal team.
I am considering paying to join the ADP but I am unsure if it will unlock the ability to use Siri capability on WatchOS. It looks like it is completely unsupported as it cannot be even selected from the capabilities section in xcode , even though Apple states it is supported under ADP and ADEP on their website. I am a little confused.
Does anyone else have this issue, or is Siri present under capabilities for you in a WatchOS project?
HI!
I am developing an application that should utilize ScriptingBridge.framework to interact with another process. Firstly, I created a separate test application for which I have added Apple Events entitlements via "Signing & Capabilities" section in Xcode and updated its Info.plist to have "Privacy - AppleEvents Sending Usage Description". While the test app works fine (I see an automation request popup and the process executes as expected) the main application where I want to integrate this functionality gets closed immediately after reaching the code interacting with Scripting Bridge.
On its launch, I see the following error message from tccd in Console:
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<app bundleID>, ..., binary_path=<path to the app's binary>}
I had no such issues with the test app. Moreover, I should mention that the bundle I want to have with such functionality is stored in another bundle, both main and inner bundles aren't sandboxed, and the target app has Application is agent (UIElement) key set in Info.plist.
Can you suggest any ideas as to why processes behave so differently despite having pretty much the same build configurations?
We have trying to programmatically send data to Final Cut Pro by using Apple Event as decribed in Sending Data Programmatically to Final Cut Pro :
tell application "Final Cut Pro"
activate
open POSIX file "/Users/JohnDoe/Documents/UberMAM/MyEvents.fcpxml"
end tell
This works fine in Script Editor but we run into problems when trying to do the same in our macOS app.
We found interesting information in Workflow Extensions SDK 1.0.2 Release Notes.pdf.
A) Hardened runtime has "Apple Events Enabled" checked.
B) Info.plist contains NSAppleEventsUsageDescription:
<key>NSAppleEventsUsageDescription</key>
<string>Test string</string>
C) We added following entitlements:
<key>com.apple.security.scripting-targets</key>
<dict>
<key>com.apple.FinalCut</key>
<array>
<string>com.apple.FinalCut.library.inspection</string>
</array>
<key>com.apple.FinalCutTrial</key>
<array>
<string>com.apple.FinalCut.library.inspection</string>
</array>
</dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
With this configuration in place, our app is able to call AppleScript to activate Final Cut Pro application but it is unable to open the file. Following error is returned:
Error executing AppleScript: {
NSAppleScriptErrorAppName = "Final Cut Pro Trial";
NSAppleScriptErrorBriefMessage = "A privilege violation occurred.";
NSAppleScriptErrorMessage = "Final Cut Pro Trial got an error: A privilege violation occurred.";
NSAppleScriptErrorNumber = "-10004";
NSAppleScriptErrorRange = "NSRange: {56, 64}";
}
Also there is no prompt asking user to allow Automation from our app to Final Cut. I am not sure whether the prompt is to be expected when developing an application in Xcode.
Our current workaround is to add (or even replace com.apple.security.scripting-targets with): com.apple.security.temporary-exception.apple-events entitlement like this
<key>com.apple.security.temporary-exception.apple-events</key>
<array>
<key>com.apple.FinalCutTrial</key>
</array>
However while this approach might work in development we know this would probably prevent us from publishing the app to Mac App Store.
I think we are missing something obvious. Could you help? :-)
We have an iOS project that is configured with automatically managed signing. We cannot get automatic signing to work on our CI (GitHub Actions). To even get xcodebuild to archive we have to force it to not sign at all:
xcrun xcodebuild \
-workspace app.xcworkspace \
-scheme prod \
-configuration 'Release' \
-destination generic/platform=iOS \
-archivePath ./build/prod.xcarchive \
CODE_SIGN_IDENTITY="" \
CODE_SIGNING_REQUIRED=NO \
CODE_SIGNING_ALLOWED=NO \
clean archive
All our attempts to make xcodebuild archive do manual signing have failed.
In order to have the app properly signed with the right entitlements we then call codesign:
codesign -f \
-s Distribution \
--entitlements prod.entitlements \
./build/prod.xcarchive/Products/Applications/prod.app
Then we export the ipa:
xcrun xcodebuild \
-exportArchive \
-archivePath ./build \
-exportOptionsPlist exportOptions.plist \
-exportPath ./build
This seems to work so my question is: Is it supported to do manual signing this way? Is there a better way?
If we omit the codesign step, the app will still be signed - by exportArchive we assume, but then the entitlements are missing.
In enterprise environments it can be tricky to develop innovative applications leveraging the full value of the hardware. The code signing capabilities on iOS are much more restrictive compared to macOS, and has been for years. Is it really too much to ask for more control over the applications we can use in development environments.
For bespoke applications being able to have control over hardware is something that has been missing for a long time. The ability to sign with com.apple.security.iokit-user-client-class and com.apple.security.temporary-exception.sbpl in development and enterprise solutions would allow for far greater integration with the devices.
What reasons are there to avoid allowing this on iOS when macOS has much less restrictive control, the lack of continuity between the systems does not help the "level playing field".
I have a pretty simply macOS application which I've just been trying to fix since a long time ago. It's origin is really old, using the apple 802.11 framework located in
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Apple80211
and it's supposed to just scan the area and display information about the local networks nearby.
For some reason when I run the application and press the button to scan for local networks (wifi scan) It errors out and in the Xcode console I get
Process WiFiInfo is missing entitlement required for Wi-Fi user-client access: &lt;key&gt;com.apple.private.driverkit.driver-access&lt;/key&gt; &lt;string&gt;com.apple.private.wifi.driverkit&lt;/string&gt;
If I add those two lines to the entitlements, Xcode fails to sign my application and fails to build and run
Provisioning profile "Mac Team Provisioning Profile: com.troger.WiFiInfo" doesn't include the com.apple.private.driverkit.driver-access entitlement.
Any way I can fix this? I would really like to get this application back up to its running state as it once was before but am completely lost on how to fix this
App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.xx.pkg/Payload/xx.app//Contents/Resources/ss-local", "ccom.xx.pkg/Payload/xx.app//Contents/Resources/v2ray-plugin" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: ca7d4fde-0f0d-4a71-9eee-a01692797549)
A few months ago I requested access to the com.apple.developer.contacts.notes entitlement, which I now have access to.
While running on 'Debug' build configuration, everything works as expected.
When creating a 'Release' build, however, the entitlement does not appear to be included with the app, as the console reports that fetching the note for each contact fails.
When I try to add the "Contact Notes" capability in Xcode, under the 'Release' tab in the project settings, the capability appears for a few seconds, then disappears when I move to a different tab and return. This does not happen for the 'Debug' configuration.
Attempted Resolutions:
Changing the signing configuraiton from 'Automatic' to 'Manual', using a manually generated provisioning profile. I manually inspected the provisioning profile using the terminal to ensure it included the entitlement.
Creating a separate entitlement file with com.apple.developer.contacts.notes, adding it to the root of the project. Ensuring that the path to this file is correct on the 'Release' configuration.
Ensuring 'Contacts Notes Field Access' is enabled under 'Additional Capabilities' in the Developer portal.
Adding the capability on Xcode.
Below is the inspector displaying the provisioning profile for the 'Debug' Configuration:
And the following image below shows the inspector details for the 'Release' Configuration provisioning profile:
When I use a manual provisioning profile and an entitlements file at the root of the project, Xcode displays this strange error:
Hello,I have released macOS version of my game before iOS Version,
after releasing macOS version, cannot run & debug my game on Xcode
getting error ;
Provisioning profile "iOS Team Provisioning Profile: com.codepad.motorush" doesn't include the com.apple.application-identifier entitlement.
please take a look to screenshot view.
We're seeing an issue where our app builds that previously were working suddenly started failing to install through TestFlight. When the user hits Update in TestFlight, they get an error message "The profile can't be installed. Try again.". Double checked the certificates and provisioning profiles, rebuilt and deployed the app, still same issue.
We subsequently tried side loading the ipa file using XCode hoping for more detail. The install failed there as well, with the following error message:
"Attempted to install a Beta profile without the proper entitlement."
Seems like a good lead but haven't found much. Our provisioning profiles have the "beta-reports-active: true" entitlement and anyway haven't changed since it was working previously.
Any idea what could be going on here?
Here's the full error from XCode:
Error installing 'APP.ipa', ERROR: Error Domain=com.apple.dt.CoreDeviceError Code=3002 "Failed to install the app on the device." UserInfo={NSLocalizedDescription=Failed to install the app on the device., NSURL=file:///APP.ipa, NSUnderlyingError=0x60000372ea00 {Error Domain=IXUserPresentableErrorDomain Code=14 "Unable to Install “APP”" UserInfo={NSUnderlyingError=0x60000372e5e0 {Error Domain=MIInstallerErrorDomain Code=13 "Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" UserInfo={FunctionName=-[MIInstallableBundle _installEmbeddedProfilesWithError:], LegacyErrorString=ApplicationVerificationFailed, SourceFileLine=308, LibMISErrorNumber=-402620385, NSLocalizedDescription=Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)}}, NSLocalizedDescription=Unable to Install “APP”, NSLocalizedRecoverySuggestion=Failed to install embedded profile for com.domain.app : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.), NSLocalizedFailureReason=This app cannot be installed because its integrity could not be verified.}}}
Domain: com.apple.dt.DVTCoreDevice
Code: -1
User Info: {
DVTErrorCreationDateKey = "2024-06-19 19:40:04 +0000";
}
--
System Information
macOS Version 14.2.1 (Build 23C71)
Xcode 15.2 (22503) (Build 15C500b)
Timestamp: 2024-06-19T14:40:04-05:00
Hello, I referred to the official camera extension example at https://developer.apple.com/documentation/coremediaio/creating_a_camera_extension_with_core_media_i_o?language=objc. I'm using CMake to build the camera extension plugin and integrate it into a Qt CMake project. When installing the system extension file, I receive a failure prompt with the following message:
Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}
Here are the entitlements files for the camera extension:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>com.yealink.meeting.app</string>
</array>
</dict>
</plist>
The info.List.in file for the camera extension:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>CMIOExtension</key>
<dict>
<key>CMIOExtensionMachServiceName</key>
<string>$(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string>
</dict>
</dict>
</plist>
And the entitlements file for the app:
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">
<plist version=\"1.0\">
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>com.yealink.meeting.app</string>
</array>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.device.usb</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.personal-information.location</key>
<true/>
</dict>
</plist>
I'm looking forward to your response.
Hi,
I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem.
Once we decided to place the project to the Apple Store the review team requested to add "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file ( I couldn't do that using the Xcode add entitlement section because since it is a driverkit project, the "App sandbox" is not visible in the entitlements page ) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process.
I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck.
I feel like I'm being misled by the review team. Do you know if the "App sandbox" entitlement is applicable to a DriverKit project ?
Hello everyone!
I'm developing framework and app for macOS for PCI devices. For communication with driverkit, I'm verifying by giving userclient access entities of system extension to app.
However, the app is just a sample program, and our customer is trying to develop the app using a framework with PCI communication part.
Is there a way to build a framework with my company's signature, and to build and execute it without acquiring userclient access elements by any chance by a customer developer?
Moreover, userclient access is only available to developers who have subscribed to the Apple Developer Program, so I hope that client/developers do not need to obtain separate entries.
My company is developing internal security software to deploy exclusively on corporate Mac endpoints. We are using the Endpoint Security framework, which requires the restricted com.apple.developer.endpoint-security.client entitlement. We were granted development access to this entitlement, but we have been denied distribution access. It's not practical to use ad-hoc provisioning for distributing the app internally to our users. Unfortunately the brief denial message did not provide any advice for a path forward.
If my company signed up for the Apple Developer Enterprise Program (https://developer.apple.com/programs/enterprise/), is it possible to grant the Endpoint Security entitlement for internal enterprise distribution? Otherwise, we appear to be stuck and unable to use Endpoint Security for our internal applications.
Due to changes in macOS 15 Sequoia with respect to container privacy/privileges, I have observed warnings with one of my apps (non-sandboxed) when its subsidiary crash reporter process tries to access the host app's data folder.
I THINK I've worked around this issue by granting the crash reporter and the host app access to the same application group. I'm not 100% sure how all this works except that the problem went away :)
The problem is, once the problem goes away on a given system, it goes away for good! Even with subsequent attempts to open a version of the app before the fix was in place, the system warning is not presented. I've tried to reset SystemPolicyAppBundles on the app via tccutil, but it makes no difference.
Using the wisdom from one of Quinn's posts (https://developer.apple.com/forums/thread/706442) I set up a log stream invocation to try to gather clues, and I notice that when I launch my app now, I see messages like:
Found provenance data on process: TA(82542d1beaf132a6, 2), 51084
Process was already in provenance sandbox, skipping: 51084, TA(82542d1beaf132a6, 2)
I suspect this "provenance" may reflect the change in how the system treats my application.
First: I wonder if it's a bug that any change in "provenance" should retroactively apply to versions of the app before the change was made. Second, I wonder if there's some way to RESET this provenance so that I can reproduce the bug again? I might be able to reproduce it by changing the bundle ID for the app but for purposes of testing against existing, shipped versions of the app, I'd love to be able to reset things for sanity-checking.
In my account, there is already a driver kit usb transport vendor id(4070) in the Identifiers capability . I posted a new request for new usb vendor id(14203) , and there are now 2 driver kit usb transport vendor id entitlement in the account's identifiers, one is for old id (4070), another is not for new id(14203).
so how can I add a new usb vendor id ? or change the old one?