Entitlements

Entitlements allow specific capabilities or security permissions for your apps.

Entitlements Documentation

Post

Replies

Boosts

Views

Activity

Unsatisfied entitlements: com.apple.logging.local-store
In my sandboxed macOS app I want to access OSLogStore programmatically to fetch logs for a multi-component application (app, libraries, driver) for further analysis. According to the documentation (https://developer.apple.com/documentation/oslog/oslogstore/3366102-local), the app should have the com.apple.logging.local-store entitlement. I have added this entitlement "by hand" to the entitlement file as I can't find a corresponding entry in the Xcode -> Sign & Capabilities interface. When I run the app, I get an "Unsatisfied entitlements: com.apple.logging.local-store" error and the app doesn't start. If I remove the entitlement, the app can't get access to the logd subsystem. How can I add com.apple.logging.local-store to my app? Should I request this entitlement, which is not visible via the Xcode configuration UI, from Apple? Thanks!
4
0
1.5k
Nov ’20
Code Signing Resources
General:

- DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements
- Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities.
- Developer > Support > Certificates covers some important policy issues
- Entitlements documentation
- TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series.
- WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing
- Certificate Signing Requests Explained DevForums post
- --deep Considered Harmful DevForums post
- Don’t Run App Store Distribution-Signed Code DevForums post
- Resolving errSecInternalComponent errors during code signing DevForums post
- Finding a Capability’s Distribution Restrictions DevForums post
- Signing code with a hardware-based code-signing identity DevForums post

Mac code signing:

- DevForums tag: Developer ID
- Creating distribution-signed code for macOS documentation
- Packaging Mac software for distribution documentation
- Placing Content in a Bundle documentation
- Embedding Nonstandard Code Structures in a Bundle documentation
- Embedding a Command-Line Tool in a Sandboxed App documentation
- Signing a Daemon with a Restricted Entitlement documentation
- Defining launch environment and library constraints documentation
- WWDC 2023 Session 10266 Protect your Mac app with environment constraints
- TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference.
- Manual Code Signing Example DevForums post
- The Care and Feeding of Developer ID DevForums post
- TestFlight, Provisioning Profiles, and the Mac App Store DevForums post

For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
0
0
13k
Jun ’22
user-assigned-device-name entitlement possible with automatically managed signing?
Is there a way to get the new com.apple.developer.device-information.user-assigned-device-name entitlement to work with automatically managed signing, or is it required to change to manual signing to use this entitlement? Someone else had the same problem as me in this reply on another post: https://developer.apple.com/forums/thread/708275?answerId=730156022#730156022 but it was suggested they start a new thread but I don't think they started such a thread so I am. I was hoping, perhaps naively, that after getting approval for the entitlement and adding it to our entitlements file that it would "just work" but I'm getting the error: Provisioning profile "iOS Team Provisioning Profile: [redacted bundle id]" doesn't include the com.apple.developer.device-information.user-assigned-device-name entitlement. Really hoping to avoid having to manually manage signing or at least know for sure that it is unavoidable before I move to it.
7
0
4.3k
Oct ’22
CarPlay automatic signing
The documentation for CarPlay (https://developer.apple.com/documentation/carplay/requesting_carplay_entitlements) tells you to disable automatic signing in the section titled "Import the CarPlay Provisioning Profile": Click All in the scope bar, and then deselect “Automatically manage signing”. There have also been other posts in the past about the inability to use automatic signing with CarPlay: https://developer.apple.com/forums/thread/63468 However in a recent post of mine (https://developer.apple.com/forums/thread/717429?login=true&page=1#732392022) I was instructed how to set it up so that I could use automatic signing for the new user-assigned-device-name entitlement and it worked so I thought "Can I do the same thing for CarPlay?" and it seems to be working so far. Is automatic signing with CarPlay now possible? We have been able to use automatic signing to archive successfully and run to real devices and verify that CarPlay is working. I'm crossing my fingers that we'll be able to submit and get the build approved and never have to touch manual signing again. Hopefully it works and the documentation is just out of date.
3
0
1.8k
Oct ’22
External Link Account Entitlement Status
It seems as though requesting External Link Account Entitlement via the form is a bit of a black box. Is there a way to check on the status of our request? The app review team has informed me that they don't have any connection to the Account Entitlement teams so they unfortunately cannot help. Is there a way to check on our app's status or what we might need to change to have External Link Account Entitlement granted? Thanks
3
0
714
Mar ’23
No approval for User-Assigned Device Name
Hello, I'm responsible for several apps within my company. We tried to apply for the user-assigned device name entitlement, but again we didn't get the approval: "Thank you for your interest in the user-assigned device name entitlement. We are unable to approve your request at this time." We use in our app the Bluetooth connect and want to show the user in the vehicles the device name. Currently it's just "iPhone". Does somebody know how I can contact Apple to fix this? I chose these answers:

- Will your app display the user assigned device name to the user? No
- Will your app use the device name solely for functionality in a way that the user can easily see and understand? Yes
- Will your app functionality support interaction between multiple devices operated by the same user? Yes
- Will your app share the device name with any service providers or third parties other than a cloud hosting service provider? No

Would be great to get any feedback with this. Thanks a lot.
3
0
1.3k
Mar ’23
App Group: File saving issue on physical device (works on simulator)
Hello, I am currently facing an issue with my iOS app and its associated Preview extension. I am trying to save a file to a shared container using App Groups, so that my main app can read the file. The code works perfectly on the iOS simulator, but when I run the app on a physical device I encounter a "You don't have permission to save the file" error. Here's the relevant code snippet:

```swift
import Foundation

let appGroupIdentifier = "group.com.yourcompany.yourapp"

// Writes `data` to `fileName` inside the shared App Group container.
func saveDataToSharedContainer(fileName: String, data: Data) -> Bool {
    guard let containerURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroupIdentifier) else {
        print("Error: Unable to access the shared container.")
        return false
    }
    let fileURL = containerURL.appendingPathComponent(fileName)
    do {
        try data.write(to: fileURL, options: .atomic)
        print("Data saved to shared container successfully.")
        return true
    } catch {
        print("Error: Unable to save data to shared container. \(error)")
        return false
    }
}
```

I have already verified the following:

- App Groups capability is enabled for both the main app target and the extension target.
- The App Group identifier is consistent in both the main app target and the extension target, as well as in the Swift code.
- Provisioning profiles and signing certificates are up-to-date, and the issue persists after cleaning the project and resetting the provisioning profiles.

Despite trying these steps, the issue remains unresolved. This error is reproducible in a new project with a Preview extension. I would greatly appreciate any insights or suggestions from the community to help me resolve this issue. Thank you in advance!
3
0
1.4k
Mar ’23
Xcode error when trying to sign DriverKit extension
I am trying to sign a DriverKit extension for distribution using a Developer ID provisioning profile, but when I try to import the profile to sign the dext I get the error "Platform: MacOS doesn't match platform DriverKit". We requested the entitlement from Apple a few months ago and according to Apple Support it was approved (though we did not get any email directly from the DriverKit approval process). The App ID we are using appears to have the DriverKit capabilities that we need under "Additional Capabilities". Our process right now is this:

1. Go to Certificates, Identifiers, and Profiles
2. Create a new Provisioning Profile and select Developer ID Distribution
3. Select the correct App ID
4. After creating and downloading the profile, import it into Xcode
5. Receive the error "Platform: MacOS does not match DriverKit"

According to https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development#3557213, there should perhaps be a prompt adding DriverKit to the provisioning profile and not just the identifier, but we do not see this. Has anybody else run into a similar issue and resolved it? I see a similar thread at https://developer.apple.com/forums/thread/710713, but that one is eight months old and doesn't appear to have a solution.
1
1
1.1k
May ’23
Shallow Depth and Pressure entitlement
Following https://developer.apple.com/documentation/coremotion/accessing_submersion_data I'm trying to "just get it started". I have a provisioning profile with the Shallow Depth and Pressure active, I have set the com.apple.developer.submerged-depth-and-pressure to true in the entitlements file, and get no errors or warnings when compiling and starting the app on my Apple Watch Ultra. When my view appears, I init the submersion manager with the following code:

```swift
guard CMWaterSubmersionManager.waterSubmersionAvailable else { return }
submersionManager = CMWaterSubmersionManager()
submersionManager?.delegate = self
Logger.shared.info("SubmersionManager initialized")
```

I get the printout SubmersionManager initialized, but then I get: An error occurred: The operation couldn’t be completed. (CMErrorDomain error 110.) Googling this error tells me this error means: CMErrorNotEntitled. And I cannot find WHY the app is not entitled. I find no information that this entitlement is not publicly available or anything.
3
0
1.5k
Aug ’23
Family Controls Request Form
I've heard family controls request forms can take up to weeks and even months... I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app? If I have to wait weeks or even months for both then that's a bit painful tbh. Is there a way to distribute to TestFlight without getting approved for the family controls entitlement? Thanks
6
2
1.4k
Aug ’23
CMIO Camera Extension Installation Error (Invalid code signature or missing entitlements)
Hi! I'm trying to move from CoreMedia I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):

```swift
func installDriver() {
    guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else {
        return
    }
    let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main)
    activationReq.delegate = self
    OSSystemExtensionManager.shared.submitRequest(activationReq)
}
```

I'm getting an error: OSSystemExtensionErrorDomain error 8: Code Signature Invalid which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out? I'm posting here entitlements and codesign output for my extension and containing application for further information.

```
Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.application-groups
    [Value]
        [Array]
            [String] 893K7MTL2H. com..
    [Key] com.apple.security.device.camera
    [Value]
        [Bool] true

Executable=**********/Contents/MacOS/*****
[Dict]
    [Key] com.apple.application-identifier
    [Value]
        [String] 893K7MTL2H.com..RoomDevice
    [Key] com.apple.developer.system-extension.install
    [Value]
        [Bool] true
    [Key] com.apple.developer.team-identifier
    [Value]
        [String] 893K7MTL2H
    [Key] com.apple.security.application-groups
    [Value]
        [Array]
            [String] 893K7MTL2H. com..********
```

```
Executable=***/Contents/MacOS/****
Identifier=com..RoomDevice
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace
CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
Hash choices=sha256
CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
CMSDigestType=2
Launch Constraints: None
CDHash=3584714367d59119b462d0f830247d27ff1fbace
Signature size=4688
Authority=Developer ID Application: ****************(893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:09 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=6
Internal requirements count=1 size=216

Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
Identifier=com.******.RoomDevice.Extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1
CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
Hash choices=sha256
CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
CMSDigestType=2
Launch Constraints: None
CDHash=70580825016b7e262fb15c280ba380ad4e871bc1
Signature size=4688
Authority=Developer ID Application: ************ Ltd. (893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:05 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=224
```

Please anyone help. Thanks in advance!
10
0
1.6k
Sep ’23
Is anyone able to get the user-assigned-device-name entitlement? Were there specific app changes you had to make?
Hi, I work for a company that makes an iPad app, and we have requested the user-assigned-device-name entitlement multiple times and been rejected every time. I am familiar with the requirements listed here. I'm just wondering if anybody else who needed this entitlement ran into any surprises, e.g. "I thought that ____ was in line with their requirements but it turns out they really care about _____". Alternatively if anyone knows how to get someone at Apple to tell us why it was rejected, that would be cool too. Thanks!
1
0
542
Sep ’23
In-App Purchases Entitlement Key????
Hello, What is the key for In-App Purchases entitlement I can add to my app.entitlements file in my project, so that I can autonomously enable the In-App Purchase capability? I have searched far and wide for this, however, it's unclear where it can be located. I know I can enable this capability manually by opening Xcode -> Selecting the "Signing & Capabilities" tab -> selecting "+ Capability" -> selecting "In-App Purchase" capability. However, this is not really an ideal solution for adding the capability to my app, especially when automated processes for building, testing, distributing via CI/CD are integrated. It would be beneficial to be able to reference some documentation or resources for enabling capabilities (or any other build settings) autonomously in a project as opposed to having to manually click my way through enabling them. Looking forward to hearing back. Thanks!
3
0
1.7k
Sep ’23
Tap to Pay Entitlement only for development
Hi, We applied for the Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development. We can build and debug Tap to Pay on development, but are unable to build a release. We opened a ticket with Apple support but they were saying it was configured correctly. I attached a screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.
5
1
1.1k
Oct ’23
SensitiveContentAnalysis iOS 17
My development certificate is configured with SensitiveContentAnalysis, and this configuration has also been added to Xcode. Error after running: MAD request(1) returns error: Error Domain=NSOSStatusErrorDomain Code=-18 "User Safety either not entitled for client or not enabled" UserInfo={NSLocalizedDescription=User Safety either not entitled for client or not enabled}
1
0
450
Oct ’23
Shallow Depth and Pressure entitlement
I wrote my app with the entitlement "com.apple.developer.submerged-shallow-depth-and-pressure" and also with underwater-depth for WKBackgroundMode. All is working fine when I tested the app. When I want to put the app in the store I got the following error:

Missing entitlement. The Info.plist for the watchOS app bundle at “Watch App.app” uses the underwater-depth value for WKBackgroundModes without the com.apple.developer.submerged-depth-and-pressure entitlement signed into the bundle.

I wonder why the entitlement in the error message is without -shallow- and why I get this message.
2
0
985
Oct ’23
Does an Endpoint Security system-extension require paid app enabled?
Hello! We are trying to request a new entitlement for "com.apple.developer.endpoint-security.client" for our desktop app. The issue is that we are not able to insert the request for an "Unathorized" error, with the message below, in which it seems that we lack some agreements on our account:

Unathorized: If you’re a member of a developer program, make sure your Account Holder has agreed the latest license agreement.

The only agreement we are currently missing is the one for "Paid app", with bank account information and so on. Does anyone know anything about it, if it is mandatory to fill this to proceed with the request? Thanks!
4
0
678
Nov ’23
Bug in iOS Keychain Sharing
Consider a scenario: There are two iOS apps,

- App1: com.example.app1
- App2: com.example.app2

App1 has no keychain access groups, other than its default group that is .com.example.app1

However, App2 has keychain access groups added which is bundle identifier of App1 i.e. .com.example.app1, So App2 access groups are as follows: [.com.example.app1, .com.example.app2]

This way App2 has access to App1’s private access group. Which means App2 can Create, Read, Update and Delete ALL the keychain items inside App1’s private group.

But, Apple’s Developer documentation says otherwise. Referring to this document: https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps

In section “Establish your app’s private access group” (https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps#2974916), it says that “Because app IDs are unique across all apps, and because the app ID is stored in an entitlement protected by code signing, no other app can use it, therefore no other app is in this group”. Focus on “therefore no other app is in this group”. But as proved from above scenario, App2 can be part of App1’s private access group.
2
0
525
Nov ’23