Post not yet marked as solved
I'm looking to automate device provisioning using App Store Connect API.
Two things are snagging me:
Updating Profiles API: Adding a new device seems clunky (read-all-devices, save, delete profile, recreate with a new device). Is there a simpler way to do it? I looked over the documentation and it seems like there's no streamlined way to do it, am I correct?
Entitlements API: Not public yet? Does anyone know about any plans to open it up soon? I asked Apple Support and they didn't provide any information on this. Specifying entitlements during provisioning is an important step.
Thanks for any help!
We have a legacy app written in a mix of C, ObjC, C++ and ObjC++ with .xib files. It is not sandboxed.
It sends an Apple Event to TV (the app of that name from Apple, not a physical TV) using /usr/bin/osascript, calling a compiled Apple Script which is in our app bundle's Resources directory with parameters which we generate in our app at runtime. The first time it does this on a fresh system, the OS puts up a dialog asking for permission to control TV, and after the user clicks Allow, our app appears under Security and Privacy in the Automation section.
That's all fine, but what is unexpected is that the app has no Apple Events entitlement (com.apple.security.automation.apple-events), and it doesn't have a NSAppleEventsUsageDescription string either. The documentation at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events says
Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID.
but we're not on the Apple team.
When I filter the log for messages from tccd pertaining to our app, it does indeed complain :
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<our bundle id>”
But despite those complaints, everything works - I can send the event, and TV acts upon it. Is this working only by accident, and might fail in some minor future OS update?
tccd also complains about the microphone
Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for requesting={TCCDProcess: identifier=<our bundle ID>
but we don't use the microphone
tccd complains about this too
<path-to-our-app> attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement
What does that mean, and should we be concerned?
Post not yet marked as solved
I need to obtain the user's EID within my app.
We are a mobile network operator and have also applied for Apple's eSIM development.
Does Apple provide a certified developer access to an API for obtaining EID? I understand that there is no public API available, but I'm unsure if approved operators can access EID. If so, how can I apply for this private API?
Post not yet marked as solved
In my sandboxed MacOS app I want to access OSLogStore programmatically to fetch logs for multi-component application (app, libraries, deriver) for further analysis. According to the documentation, - https://developer.apple.com/documentation/oslog/oslogstore/3366102-local the app should have com.apple.logging.local-storeentitlement.
I have added this entitlement "by hand" to the entitlement file as I I can't find a correspondent entry in the Xcode -> Sign & Capabilities interface.
When I run the app, I get Unsatisfied entitlements: com.apple.logging.local-store error and the app doesn't start.
If I remove the entitlement, the app can't get access to the logd subsystem.
How can I add com.apple.logging.local-store to my app?
Should I request this not visible via Xcode configuration UI from apple?
Thanks!
Hi,
My application doesn't start playback anymore after signing it with entitlements.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
regards, Joël
Hi All,
I submitted a Family Controls Request Form but haven't heard back. I didn't get any case id when I submitted the request, so how do you track it and know when It is approved?
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
This is really worrying for us as our project is almost ready and we are unable to launch it :( . Would appreciate any responses.
Thanks,
Post not yet marked as solved
Hi,
Can a single domain serve a /.well-known/apple-app-site-association file for multiple apps from different developers?
We currently have our own domain, let's say example.com,
which serves https://example.com/.well-known/apple-app-site-association
which lists our app, let's say "ABCDEFG.com.example.AppA" for path "/app/a".
We're talking with another developer who has another app on the store.
Can we add their app, "MNOPQR.com.different.AppB" on our site, https://example.com/.well-known/apple-app-site-association, add their app ID for path "/app/b",
ask them to add our example.com domain in their associated-domains entitlement,
and would it work?
I mean would https://example.com/app/a open our app "ABCDEFG.com.example.AppA" and https://example.com/app/b open their app "MNOPQR.com.different.AppB" ?
We want to open https://example.com/redirect/app redirect to either /app/a or /app/b depending on the query parameters and launch our or their app.
Thanks in advance!
Post not yet marked as solved
There is an inconsistent issue when views are rendered from the Device Activity Report Extension. This issue is noticeable only on release versions and it works fine in debug mode.
Around 80% of the times, the Report Views return blank screen and this is only the case when a weekly/monthly filter is used. Although, it works as expected for daily report views.
My questions are:
How are all the Report Activity Views working fine in debug mode but not in release mode?
How the daily activity filter works fine in the release mode but the weekly/monthly filters don't work? Is this because of a memory limit issue in the extension?
As of now, I have the family-controls(distribution) entitlement only for the app and for the extensions I only have family-controls(development) entitlement. Do I need to request for family-controls(Distribution) entitlement even for the extensions?
I have seen threads on the forum mentioning the blank screen issue associated with the DeviceActivityReport but haven't found a solution to it. Any suggestions/feedback would be of great help, thanks.
Post not yet marked as solved
How to add Additional capabilities in Certificates, Identifiers & Profiles on app store account to Enable the Tap to Pay on iPhone capability.
Post not yet marked as solved
I have a question regarding the way iOS handles app permissions. Why doesn't Apple provide a feature to review the reasons an app gave for requesting certain permissions after the initial authorization?
There are instances where permissions were granted a long time ago or perhaps inadvertently, and now I can't recall why the app needed those permissions in the first place.
This feature could be helpful for users trying to understand and manage their privacy settings more effectively. Thank you for any insights or information
Post not yet marked as solved
Hi,
I am tying to build the app with increased-memory-limit for vision OS, but I got error while asset validation
Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on visionOS. Specifically, key 'com.apple.developer.kernel.increased-memory-limit' in '[AppName]' is not supported. (ID: 34399486-5b8c-4737-a446-6722fa1f6d98)
how should I fix this error
Thanks,
Max
Post not yet marked as solved
**Why does using CameraPicker require user authorization through a pop-up? **
Why don't ImagePicker or PhotoPicker require additional pop-up authorizations for accessing the photo library? All of these are implemented using UIImagePickerController, so why does one require a pop-up and the others do not?
Additionally, I thought that by configuring the picker, I would theoretically not need any permissions. If permissions are still required, wouldn’t it make more sense to directly request camera permissions and utilize the native camera functionality? What then are the advantages of using the picker?
Hello,
I am writing a Desktop application for macOS with XCode.
This application will be available on app store. So, i have to put sandbox entitlement.
So, this application won't be able to access Desktop folder. It will be jailed into a specific directory to store datas.
I have installed a macOS application from appstore. When I launched this application, I got a TCC prompt, asking me to allow this application to access Desktop (or Downloads I don't remember). How can this be possible ?
I have tried to write a sandboxed application which tries to access to Desktop folder. I didn't get any TCC prompt: My access was rejected.
How can I ask to access Desktop folder from I sandboxed application ?
Thanks a lot
Hey, I am trying to use Family Controls in Mac Catalyst. On the iOS app it works fine. On macOs using Mac Catalyst it builds fine but I get following console output.
Failed to get service proxy: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction." UserInfo={NSDebugDescription=The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction.}`
When i try to open the FamilyActivityPicker on the macOs app following error is displayed in the GUI.
The operation could not be completed. (FamilyControls.ActivityPickerRemoteView Error error 2.)
Do I need a familyControls capability for macOs? If yes, I only find it for iOS.
Thanks for hints and help :)
Post not yet marked as solved
I've heard family controls request forms can take up to weeks and even months...
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
If I have to wait weeks or even months for both then that's a bit painful tbh. Is there a way to distribute to testflight without getting approved for the family controls entitlement? Thanks
Post not yet marked as solved
I've requested for family control via:
https://developer.apple.com/contact/request/family-controls-distribution
& got approved.
I've now created new provision files with family control being checked in the identifiers & uploaded manually. Yet, still get:
Provisioning profile "redoAppStore" doesn't support the Family Controls capability.
Provisioning profile "redoAppStore" doesn't include the com.apple.developer.family-controls entitlement.
The family control capability is added to my main target (IOS app) as well.
What should I do to get it uploaded?
Post not yet marked as solved
After updating to Xcode 15.3 and Sonoma, I started getting an error when packaging my app:
Provisioning profile failed qualification
Profile doesn't include the com.apple.developer.mail-client entitlement.
There is no indication in the documentation that this has anything to do with the provisioning profile, and there is no capacility that needs to be added.
I was given the "com.apple.developer.mail-client" entitlement from Apple over a year ago as documented in: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_mail-client, and it worked fine until now.
Post not yet marked as solved
We have a huge project.
Until today we didn't use an .app but now we must in order to use Endpoint security and other stuff.
Until today our binary sat in /opt/XYZ/binary.bin
Now because of the .app, looks like it will have to be /opt/XYZ/Cool.app/Content/MacOs/binary.bin
This change really breaks our code and will cause a massive code change.
If I extract the binary from the app and place it in /opt/XYZ/binary.bin and run it, the process is killed.
Is there a way to extract it from the app and run it from /opt/XYZ ?
any tool, command, resource, etc' will be great.
Post not yet marked as solved
Hello Fellow Developers,
I'm reaching out for insights or solutions to a challenge we're encountering with our sync client application, particularly related to maintaining user folder access permissions across app sessions and system restarts.
In our application, we leverage the openFileDialog to enable users to select a folder for file downloads and synchronization. To ensure smooth access on subsequent app launches, we save a security bookmark of the chosen folder. This is crucial for our app to function without repeatedly asking for user permissions, thereby enhancing the user experience.
However, we've hit a snag where the security bookmark expires after a few days or upon a system restart, leading to a less than ideal scenario where users are prompted for reauthorization through a FileDialog. This repetitive process is not the seamless experience we aim to provide.
To address permissions and security, we are currently using two entitlements:
com.apple.security.files.bookmarks.document-scope
com.apple.security.files.bookmarks.app-scope
Despite these, we still face the bookmark expiration issue. We're seeking advice on whether there are other entitlements or methods we should consider to maintain persistent access to the selected folder without the security bookmark expiring. Our goal is to reduce or eliminate the need for users to repeatedly grant access, ensuring a seamless and efficient user experience.
Has anyone faced a similar challenge or can offer guidance on additional entitlements or strategies to achieve persistent folder access? Any suggestions, alternative approaches, or insights would be greatly appreciated. We're keen on exploring all possible solutions to enhance our application's functionality and user satisfaction.
Thank you for your time and assistance. I look forward to any advice or discussions this community can offer.
Post not yet marked as solved
I requested the com.apple.developer.device-information.user-assigned-device-name entitlement on Feb 11 and received an email reply stating "We’ll contact you within a few weeks with your request status." However, it's been more than a month without any updates.
Can anyone chime in with their experience RE: how long it took for Apple to review their request for this entitlement?
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_device-information_user-assigned-device-name
olgago.
