My development certificate is configured with SensitiveContentAnalysis, and this configuration has also been added to xcode. Error after running:
MAD request(1) returns error: Error Domain=NSOSStatusErrorDomain Code=-18 "User Safety either not entitled for client or not enabled" UserInfo={NSLocalizedDescription=User Safety either not entitled for client or not enabled}
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
Hi,
We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development.
We can build and debug Tap to Pay on development, but unable to build release.
We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.
Hello,
What is the key for In-App Purchases entitlement I can add to my app.entitlements file in my project, so that I can autonomously enable the In-App Purchase capability?
I have searched far a wide for this, however, it's unclear where it can be located. I know I can enable this capability manually by opening Xcode -> Selecting the "Signing & Capabilities" tab -> selecting "+ Capability" -> selecting "In-App Purchase" capability.
However, this is not really an ideal solution for adding the capability to my app, especially when automated processes for building, testing, distributing via CI/CD are integrated. It would beneficial to be able to reference some documentation or resources for enabling capabilities (or any other build settings) autonomously in a project as opposed to having to manually click my way through enabling them.
Looking forward to hearing back. Thanks!
Hi, I work for a company that makes an iPad app, and we have requested the user-assigned-device-name entitlement multiple times and been rejected every time.
I am familiar with the requirements listed here. I'm just wondering if anybody else who needed this entitlement ran into any surprises, e.g. "I thought that ____ was in line with their requirements but it turns out they really care about _____".
Alternatively if anyone knows how to get someone at Apple to tell us why it was rejected, that would be cool too.
Thanks!
Hi!
I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):
func installDriver()
{
guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else {
return
}
let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main)
activationReq.delegate = self
OSSystemExtensionManager.shared.submitRequest(activationReq)
}
I'm getting an error:
OSSystemExtensionErrorDomain error 8: Code Signature Invalid
which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?
I'm posting here entitlements and codesign output for my extension and containing application for further information.
Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..
[Key] com.apple.security.device.camera
[Value]
[Bool] true
Executable=**********/Contents/MacOS/*****
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] 893K7MTL2H.com..RoomDevice
[Key] com.apple.developer.system-extension.install
[Value]
[Bool] true
[Key] com.apple.developer.team-identifier
[Value]
[String] 893K7MTL2H
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..********
Executable=***/Contents/MacOS/****
Identifier=com..RoomDevice
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace
CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
Hash choices=sha256
CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
CMSDigestType=2
Launch Constraints:
None
CDHash=3584714367d59119b462d0f830247d27ff1fbace
Signature size=4688
Authority=Developer ID Application: ****************(893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:09 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=6
Internal requirements count=1 size=216
Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
Identifier=com.******.RoomDevice.Extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1
CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
Hash choices=sha256
CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
CMSDigestType=2
Launch Constraints:
None
CDHash=70580825016b7e262fb15c280ba380ad4e871bc1
Signature size=4688
Authority=Developer ID Application: ************ Ltd. (893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:05 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=224
Please anyone help. Thanks in advance!
I've heard family controls request forms can take up to weeks and even months...
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
If I have to wait weeks or even months for both then that's a bit painful tbh. Is there a way to distribute to testflight without getting approved for the family controls entitlement? Thanks
Following https://developer.apple.com/documentation/coremotion/accessing_submersion_data
I'm trying to "just get it started".
I have a provisioning profile with the Shallow Depth and Pressure active, I have set the com.apple.developer.submerged-depth-and-pressure to true in the entitlements file, and get no errors or warning when compiling and starting the app on my Apple Watch Ultra.
When my view appears, I init the submersion manager with the following code:
guard CMWaterSubmersionManager.waterSubmersionAvailable else {
return
}
submersionManager = CMWaterSubmersionManager()
submersionManager?.delegate = self
Logger.shared.info("SubmersionManager initialized")
I get the printout SubmersionManager initialized, but then I get:
An error occurred: The operation couldn’t be completed. (CMErrorDomain error 110.)
Googling this error tells me this error means: CMErrorNotEntitled
And I cannot find WHY the app is not entitled.. I find no information that this entitlement is not publicly available or anything.
I am trying to sign a DriverKit extension for distribution using a Developer ID provisioning profile, but when I try to import the profile to sign the dext I get the error "Platform: MacOS doesn't match platform DriverKit".
We requested the entitlement from Apple a few months ago and according to Apple Support it was approved (though we did not get any email directly from the DriverKit approval process). The App ID we are using appears to have the DriverKit capabilities that we need under "Additional Capabillities".
Our process right now is this:
Go to Certificates, Identifiers, and Profiles
Create a new Provisioning Profile and select Developer ID Distribution
Select the correct App ID
After creating and downloading the profile, import it into Xcode
Receive the error "Platform: MacOS does not match DriverKit"
According to https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development#3557213, there should perhaps be a prompt adding DriverKit to the provisioning profile and not just the identifier, but we do not see this.
Has anybody else run into a similar issue and resolved it? I see a similar thread at https://developer.apple.com/forums/thread/710713, but that one is eight months old and doesn't appear to have a solution.
Hello,
I am currently facing an issue with my iOS app and its associated Preview extension. I am trying to save a file to a shared container using App Groups, so that my main app can read the file. The code works perfectly on the iOS simulator, but when I run the app on a physical device I encounter a "You don't have permission to save the file" error.
Here's the relevant code snippet:
let appGroupIdentifier = "group.com.yourcompany.yourapp"
func saveDataToSharedContainer(fileName: String, data: Data) -> Bool {
guard let containerURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroupIdentifier) else {
print("Error: Unable to access the shared container.")
return false
}
let fileURL = containerURL.appendingPathComponent(fileName)
do {
try data.write(to: fileURL, options: .atomic)
print("Data saved to shared container successfully.")
return true
} catch {
print("Error: Unable to save data to shared container. \(error)")
return false
}
}
I have already verified the following:
App Groups capability is enabled for both the main app target and the extension target.
The App Group identifier is consistent in both the main app target and the extension target, as well as in the Swift code.
Provisioning profiles and signing certificates are up-to-date, and the issue persists after cleaning the project and resetting the provisioning profiles.
Despite trying these steps, the issue remains unresolved. This error is reproducible in a new project with a Preview extension.
I would greatly appreciate any insights or suggestions from the community to help me resolve this issue.
Thank you in advance!
Hello,
I'm responsible for several apps within my company.
We tried to apply for the user-assigned device name entitlement, but again we didn't get the approval:
"Thank you for your interest in the user-assigned device name entitlement. We are unable to approve your request at this time."
We use in our app the bluetooth connect and want to show the user in the vehicles the device name. Currently it's just "iPhone".
Does somebody know how I can contact Apple to fix this?
I chose this answers:
Will your app display the user assigned device name to the user?
No
Will your app use the device name solely for functionality in a way that the user can easily see and understand?
Yes
Will your app functionality support interaction between multiple devices operated by the same user?
Yes
Will your app share the device name with any service providers or third parties other than a cloud hosting service provider?
No
Would be great to get any feedback with this.
Thanks a lot.
It seems as though requesting External Link Account Entitlement via the form is a bit of a black box. Is there a way to check on the status of our request? The app review team has informed me that they don't have any connection to the Account Entitlement teams so they unfortunately cannot help.
Is there a way to check on our apps status or what we might need to change to have External Link Account Entitlement granted? Thanks
The documentation for CarPlay (https://developer.apple.com/documentation/carplay/requesting_carplay_entitlements) tells you to disable automatic signing in the section titled "Import the CarPlay Provisioning Profile":
Click All in the scope bar, and then deselect “Automatically manage signing”.
There have also been other posts in the past about the inability to use automatic signing with CarPlay: https://developer.apple.com/forums/thread/63468
However in a recent post of mine (https://developer.apple.com/forums/thread/717429?login=true&page=1#732392022) I was instructed how to set it up so that I could use automatic signing for the new user-assigned-device-name entitlement and it worked so I thought "Can I do the same thing for CarPlay?" and it seems to be working so far.
Is automatic signing with CarPlay now possible? We have been able to use automatic signing to archive successfully and run to real devices and verify that CarPlay is working. I'm crossing my fingers that we'll be able to submit and get the build approved and never have to touch manual signing again.
Hopefully it works and the documentation is just out of date.
Is there a way to get the new com.apple.developer.device-information.user-assigned-device-name entitlement to work with automatically managed signing, or is it required to change to manual signing to use this entitlement?
Someone else had the same problem as me in this reply on another post: https://developer.apple.com/forums/thread/708275?answerId=730156022#730156022 but it was suggested they start a new thread but I don't think they started such a thread so I am.
I was hoping, perhaps naively, that after getting approval for the entitlement and adding it to our entitlements file that it would "just work" but i'm getting the error:
Provisioning profile "iOS Team Provisioning Profile: [redacted bundle id]" doesn't include the com.apple.developer.device-information.user-assigned-device-name entitlement.
Really hoping to avoid having to manually manage signing or at least know for sure that it is unavoidable before I move to it.
General:
DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
Developer > Support > Certificates covers some important policy issues
Entitlements documentation
TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
Certificate Signing Requests Explained DevForums post
--deep Considered Harmful DevForums post
Don’t Run App Store Distribution-Signed Code DevForums post
Resolving errSecInternalComponent errors during code signing DevForums post
Finding a Capability’s Distribution Restrictions DevForums post
Signing code with a hardware-based code-signing identity DevForums post
Mac code signing:
DevForums tag: Developer ID
Creating distribution-signed code for macOS documentation
Packaging Mac software for distribution documentation
Placing Content in a Bundle documentation
Embedding Nonstandard Code Structures in a Bundle documentation
Embedding a Command-Line Tool in a Sandboxed App documentation
Signing a Daemon with a Restricted Entitlement documentation
Defining launch environment and library constraints documentation
WWDC 2023 Session 10266 Protect your Mac app with environment constraints
TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
Manual Code Signing Example DevForums post
The Care and Feeding of Developer ID DevForums post
TestFlight, Provisioning Profiles, and the Mac App Store DevForums post
For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
When I try to add HealthKit capabilities to my app, I get the following signing errors:
Communication with Apple failed. Your account does not have sufficient permissions to modify containers.
Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't support the HealthKit capability.
Provisioning profile "iOS Team Provisioning Profile: com.domain.app" doesn't include the com.apple.developer.healthkit and com.apple.developer.healthkit.access entitlements.
In my developer account, the HK capability is enabled. And the entitlements needed are automatically generated by Xcode when I add HK capability, if I try to add them, it says they're already there.
I have automatically managed signing selected. Clinical health records are not enabled for Health Kit. Common solutions like cleaning, derived data, and restarts don't help.
Does anybody know what this is?
In my sandboxed MacOS app I want to access OSLogStore programmatically to fetch logs for multi-component application (app, libraries, deriver) for further analysis. According to the documentation, - https://developer.apple.com/documentation/oslog/oslogstore/3366102-local the app should have com.apple.logging.local-storeentitlement.
I have added this entitlement "by hand" to the entitlement file as I I can't find a correspondent entry in the Xcode -> Sign & Capabilities interface.
When I run the app, I get Unsatisfied entitlements: com.apple.logging.local-store error and the app doesn't start.
If I remove the entitlement, the app can't get access to the logd subsystem.
How can I add com.apple.logging.local-store to my app?
Should I request this not visible via Xcode configuration UI from apple?
Thanks!