General: DevForums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained DevForums post --deep Considered Harmful DevForums post Don’t Run App Store Distribution-Signed Code DevForums post Resolving errSecInternalComponent errors during code signing DevForums post Finding a Capability’s Distribution Restrictions DevForums post Signing code with a hardware-based code-signing identity DevForums post Mac code signing: DevForums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding Nonstandard Code Structures in a Bundle documentation Embedding a Command-Line Tool in a Sandboxed App documentation Signing a Daemon with a Restricted Entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example DevForums post The Care and Feeding of Developer ID DevForums post TestFlight, Provisioning Profiles, and the Mac App Store DevForums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

I'm seeking help troubleshooting a persistent com.apple.IdentityLookup.error.messagefilter Code=3 error when my Message Filter Extension tries to defer to network. I’ve exhausted Apple documentation and forum posts, and Apple Support has asked me to escalate this via the forums to reach engineering. ✅ My Setup: Xcode: 16.2 macOS: Sequoia 15.3.1 (Apple Silicon Mac mini) Device: iPhone 14 Pro iOS: 18.3.2 (Developer Mode enabled) Tested via: TestFlight install on real device 📦 App Structure: Main App Target (minimal "hello world" logic) Message Filter Extension Target Messages Extension Target Message Reporting Extension Target Notifications Extension Target ✅ Capabilities & Configurations Main App Capabilities: App Groups: group.com.example.shared Network Extensions: Content Filter Associated Domains: messagefilter:my-api.example.com applinks:my-api.example.com Message Filter Capabilities: App Groups: same as main app Network Extensions: Content Filter Associated Domains: same as above 📄 Info.plist Config Main App Info.plist: NSAppTransportSecurity with: NSAllowsArbitraryLoads = YES Exception domain my-api.example.com with: NSIncludesSubdomains = YES NSTemporaryExceptionAllowsInsecureHTTPLoads = YES NSTemporaryExceptionMinimumTLSVersion = TLSv1.2 MessageFilter Info.plist: Same ATS settings as above NSExtension block: <key>NSExtension</key> <dict> <key>NSExtensionAttributes</key> <dict> <key>ILMessageFilterExtensionNetworkURL</key> <string>https://my-api.example.com/api/sms-filter</string> <key>ILClassificationExtensionSMSReportDestination</key> <string>+10000000000</string> </dict> <key>NSExtensionPointIdentifier</key> <string>com.apple.identitylookup.message-filter</string> <key>NSExtensionPrincipalClass</key> <string>$(PRODUCT_MODULE_NAME).MessageFilterExtension</string> </dict> 📜 Entitlements Main App Entitlements <key>com.apple.developer.associated-domains</key> <array> <string>messagefilter:my-api.example.com</string> <string>applinks:my-api.example.com</string> </array> <key>com.apple.developer.networking.networkextension</key> <array> <string>content-filter-provider</string> </array> <key>com.apple.security.application-groups</key> <array> <string>group.com.example.shared</string> </array> Message Filter Extension Entitlements Identical to main app’s, scoped to the extension. 📄 AASA File (Hosted on https://my-api.example.com/.well-known/apple-app-site-association) Serves as application/json, returns 200 OK, and is reachable on device via Safari. Logs confirm AASA is downloaded and installed successfully during TestFlight install. { "applinks": { "apps": [], "details": [ { "appID": "TEAMID.com.example.app", "paths": ["*"] }, { "appID": "TEAMID.com.example.app.MessageFilter", "paths": ["*"] } ] }, "messagefilter": { "apps": [], "details": [ { "appID": "TEAMID.com.example.app", "filterType": "URL", "domains": ["my-api.example.com"] }, { "appID": "TEAMID.com.example.app.MessageFilter", "filterType": "URL", "domains": ["my-api.example.com"] } ] }, "classificationreport": { "apps": [], "details": [ { "appID": "TEAMID.com.example.app", "domains": ["my-api.example.com"] }, { "appID": "TEAMID.com.example.MessageReporting", "domains": ["my-api.example.com"] } ] } } ❌ The Problem When the extension launches and receives an SMS to classify, logs show: deferQueryRequestToNetwork failed: The operation couldn’t be completed. (com.apple.IdentityLookup.error.messagefilter error 3.) The extension loads, network URL is available, the AASA is installed, and yet the extension is not allowed to defer to network. This occurs every time. 🧪 Other Notes Tried rebuilding everything from scratch Archiving to TestFlight, not running via Xcode Clean entitlements verified using codesign -d --entitlements :- Console logs show no issues with AASA download or validation Any help or insights from Apple engineering or others in the community who have successfully deployed a working Message Filter Extension would be hugely appreciated. Thanks in advance 🙏

We requested the com.apple.developer.passkit.pass-presentation-suppression entitlement in our app to suppress the Apple Pay popup when our app is near a reader. This entitlement was approved by Apple and successfully suppresses Apple Pay popups when approaching readers. Currently, we have another use case in the same app: presenting a PKPass (our door key pass) by calling the Wallet from our code using passLibrary.present(pass.secureElementPass!). This should take us to the Wallet and display our pass. This functionality works perfectly in other environments where this entitlement is not in place. We now understand that this entitlement suppresses all passes from our app. Our questions are: How can we suppress the Apple Pay popup while displaying our app key against a reader and also present the pass in the Wallet? Both requirements are essentially the same but implemented in two different ways, and we need both functionalities. Presenting the pass through a URL is not a viable option for us according to our standards. (https://developer.apple.com/forums/content/attachment/c2542a51-fd2c-42ce-88a2-207689b31159)

Hi guys, I'm developing a FinderSync Extension that extends Finder contextual menu with a couple of items doing some trivial file operations. I'm using Xcode 16.2 on macOS Sequoia 15.3.2 I could run the containing app in debug, and in System Preferences -> File Providers the flag is enabled for my app finder extension. Anyway, the contextual menu does not show in Finder, probably because the finder extension crashes immediately. Some output: pluginkit -m | grep "com\.[^a]" + com.mycompany.MyApp.MyAppFinderExtension(1.1.14) codesign -dvvv --entitlements - /Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp\ Finder\ Extension.appex Executable=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/PlugIns/MyApp Finder Extension.appex/Contents/MacOS/MyApp Finder Extension Identifier=com.mycompany.MyApp.MyAppFinderExtension Format=bundle with Mach-O thin (arm64) CodeDirectory v=20400 size=659 flags=0x2(adhoc) hashes=9+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5 CandidateCDHashFull sha256=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5e21fb27d4fa0a4fe5f3e78b7 Hash choices=sha256 CMSDigest=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5e21fb27d4fa0a4fe5f3e78b7 CMSDigestType=2 CDHash=b59538ef9e3b6e8cf462a3e260e3bf26d050deb5 Signature=adhoc Info.plist entries=23 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=9 Internal requirements count=0 size=12 [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] [Key] com.apple.security.assets.movies.read-write [Value] [Bool] true [Key] com.apple.security.assets.music.read-write [Value] [Bool] true [Key] com.apple.security.assets.pictures.read-write [Value] [Bool] true [Key] com.apple.security.files.documents.read-write [Value] [Bool] true [Key] com.apple.security.files.downloads.read-write [Value] [Bool] true [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true [Key] com.apple.security.get-task-allow [Value] [Bool] true [Key] com.apple.security.personal-information.location [Value] [Bool] true The log is showing something very strange: log show --predicate 'eventMessage contains "com.mycompany.MyApp" and messageType = error' --last 1h Filtering the log data using "composedMessage CONTAINS "com.mycompany.MyApp" AND logType == 16" Skipping info and debug messages, pass --info and/or --debug to include. Timestamp Thread Type Activity PID TTL 2025-03-25 10:20:48.428127+0100 0x221af Error 0x53dbe 159 0 tccd: [com.apple.TCC:access] Request message contains a target_token to accessing_process (TCCDProcess: identifier=com.mycompany.MyApp, pid=4140, auid=501, euid=501, binary_path=/Users/me/Library/Developer/Xcode/DerivedData/MyApp-dmzhnwmosboixodalsrrbwvwvmqm/Build/Products/Debug/MyApp.app/Contents/MacOS/MyApp) but TCCDProcess: identifier=com.apple.audio.coreaudiod, pid=184, auid=202, euid=202, binary_path=/usr/sbin/coreaudiod is not a TCC manager for service: kTCCServiceScreenCapture. 2025-03-25 10:20:53.166554+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7088 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166575+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7087 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166582+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-158-7091 (target:[app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140]) 2025-03-25 10:20:53.166593+0100 0x22139 Error 0x67ff4 163 0 runningboardd: (RunningBoard) [com.apple.runningboard:general] RBSStateCapture remove item called for untracked item 163-132-7084 (target:[xpcservice<com.apple.finder.FinderSync.IsExtensionEnabled([app<application.com.mycompany.MyApp.36628067.36635236.92E24CD3-97A8-4340-A46E-4493456283C7(501)>:4140])(501)>{vt hash: 0}:4144:4144]) -------------------------------------------------------------------------------------------------------------------- Log - Default: 0, Info: 0, Debug: 0, Error: 13, Fault: 0 Activity - Create: 0, Transition: 0, Actions: 0 Especially the first line: MyApp is not accessing coreaudiod - neither trying to get a ScreenCapture, so ... WTF??? How is it possibile? Why is the system blocking MyApp FinderExtension, or preventing it to run? Thank you in advance _Alex

I keep getting this error: Provisioning profile "iOS Team Provisioning Profile: com.visuallearningaids.craftshowtracker0320" doesn't include the com.apple.developer.in-app-purchase entitlement. I've made several different identifiers and profiles. Thanks Greg

Hello Apple Forum, We were testing out the following entitlements: 'Increased Memory Limit', 'Extended Virtual Addressing', 'Extended Virtual Addressing(Debug)' when we realized the maximum allocation amount of the memory dropped from our previous test of 32GB to 16GB. We were testing these on the following devices: iPad Pro 12.9(6th Gen) 18.4(Beta, 22E4232a) iPad Pro 11 M4 18.3.2 Each device has 16GB of physical RAM and because we are able to reach 16GB of allocation usage until app crashes, we believe the entitlements are applied correctly. Each test device was on charging mode and battery mode with 60, 80 100% battery. We understand allocating memory is complex and os is more optimized for battery efficiency, hence possibly limiting max usage of memory. However, through the same testing method we have done on iPadOS 18.3 and 4, we were able to allocate 31~32GB of RAM on testing done on January this year. (iPadOS 18.0, or maybe 18.1?) which make us wonder, has there been a change in core os that handles memory allocation since 18.0? And what can be the cause of this drop? The code we ran for our memory testing is as follows: private var allocatedMemory: [UnsafeMutableRawPointer] = [] public func allocate1GBMemory() { let sizeInBytes = 1024 * 1024 * 1024 if let pointer = malloc(sizeInBytes) { for i in 0..<sizeInBytes { pointer.advanced(by: i).storeBytes(of: UInt8(i % 256), as: UInt8.self) } allocatedMemory.append(pointer) logger.print("Allocated 1GB of memory. Total allocated: \(allocatedMemory.count)GB") } else { logger.print("Failed to allocate memory") } } Each functions call increases memory usage by allocating 1GB of space and we have called this function until it reaches 16GB then the app crashes.

Hello Apple Developer Community, I have an existing Family Controls entitlement approved for my main app. My app includes the following extensions: AppLimitMonitorExtension ShieldConfigurationExtension ShieldActionExtension I am seeking clarification on whether my existing Family Controls entitlement for the main app automatically covers these extensions, or if I must submit separate entitlement requests for each extension. Because when I try to distribute app on App Store Connect it give me error "Provisioning profile failed qualification". Many developers appear to be facing this issue, and it seems that Apple has not clearly documented this. is information anywhere.

Hi all, I'm developing a sandboxed Mac OS app that generates and compiles AppleScript files to automate tasks in Pages (and other iWork apps). The app creates an AppleScript file and writes it to the NSApplicationScriptsDirectory (i.e., ~/Library/Application Scripts/com.example.app), then compiles and executes it via NSUserAppleScriptTask. On Mac OS Ventura, however, I get the following error in the console when trying to write the file: [PagesModifier] Error creating or compiling the script: You are not allowed to save the file "PagesModifier_...applescript" in the folder "com.example.app" Here are my current entitlements: &lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;com.apple.security.app-sandbox&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.application-groups&lt;/key&gt; &lt;array/&gt; &lt;key&gt;com.apple.security.automation.apple-events&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.apple.iWork.Pages&lt;/string&gt; &lt;string&gt;com.apple.iWork.Numbers&lt;/string&gt; &lt;string&gt;com.apple.iWork.Keynote&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.security.files.user-selected.read-write&lt;/key&gt; &lt;true/&gt; &lt;key&gt;com.apple.security.scripting-targets&lt;/key&gt; &lt;dict&gt; &lt;key&gt;com.apple.iWork.Keynote&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.apple.iWork.Keynote&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.iWork.Numbers&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.apple.iWork.Numbers&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.iWork.Pages&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.apple.iWork.Pages&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;key&gt;com.apple.security.temporary-exception.apple-events&lt;/key&gt; &lt;array&gt; &lt;string&gt;com.apple.iWork.Pages&lt;/string&gt; &lt;string&gt;com.apple.iWork.Numbers&lt;/string&gt; &lt;string&gt;com.apple.iWork.Keynote&lt;/string&gt; &lt;/array&gt; &lt;key&gt;com.apple.security.temporary-exception.files.home-relative-path.read-write&lt;/key&gt; &lt;array&gt; &lt;string&gt;Library/Application Scripts/com.example.app&lt;/string&gt; &lt;/array&gt; &lt;/dict&gt; &lt;/plist&gt; I suspect the issue might be due to sandbox restrictions on dynamically creating or modifying the Application Scripts directory on Ventura. Has anyone experienced something similar or have any suggestions on how to work around this? Thanks in advance for your help!

I’ve been working on a Catalyst version of my iOS apps. Finally everything is working apart from the custom intents the user user to configure the widgets. The config UI loads: And changing settings at this level works. But it can’t load the options for the other settings: “No options were provided for this parameter” I see this crash in the intent: Termination Reason: Namespace DYLD, Code 1 Library missing Library not loaded: @rpath/CocoaLumberjack.framework/Versions/A/CocoaLumberjack Referenced from: <E1BF4CC5-4181-3272-828C-86B1CD1A66BF> /Applications/my.app/Contents/PlugIns/Intents.appex/Contents/MacOS/Intents Reason: , (security policy does not allow @ path expansion) (terminated at launch; ignore backtrace) I have added the Hardened Runtime Capability to the Main App Target, the Widget Target and the Intents Target. I also allowed “Disable Library Validation” just in case. What am I missing?

Hello, We have an application that was recently transferred to another team. The original team had the entitlement for the default mail client. We requested the same entitlement for the new team; however, we have yet to receive it after four months. Yesterday, we released an app update without the entitlement. I would like to inquire about how the application will behave for users who have set it as their default mail client. Will there be any issues for those users, or for any other users, moving forward? Thank you.

In my App I want to create a new directory structure in a user selected base directory. In the entitlements com.apple.security.files.user-selected.read-write = true is defined. I call URL.startAccessingSecurityScopedResource( ) and get a true value back. When calling FileManager.createDirectory( at: directoryURL, withIntermediateDirectories: true, attributes: nil ) an error is thrown that write access is missing. User has write permissions in that directory. When the user selects a directory I store a bookmark via an @AppStorage variable. After write attempt URL.stopAccessingSecurityScopedResource() is called. I have also implemented a SharedExtension (especially for the Photo app). When user calls the SharedExtension of my app and the app just uses the bookmark stored with @AppStorage and follows the same process as described above no difficulties appear and directories are created as expected. Changing back to the main app, using again the untouched bookmark and execute the exactly same code as in the first attempt everything works fine and as expected. The phenomenon appears on real devices but not on simulator. Any ideas how to solve the issue of having no write access in first attempt?

In context of entitlements that are applicable on macos platform, I was discussing in another thread about the com.apple.security.cs.allow-unsigned-executable-memory and the com.apple.security.cs.allow-jit entitlements in a hardened runtime https://developer.apple.com/forums/thread/775520?answerId=827440022#827440022 In that thread it was noted that: The hardened runtime enables a bunch of additional security checks. None of them are related to networking. Some of them are very important to a Java VM author, most notably the com.apple.security.cs.allow-jit -> com.apple.security.cs.allow-unsigned-executable-memory -> com.apple.security.cs.disable-executable-page-protection cascade. My advice on that front: This sequence is a trade off between increasing programmer convenience and decreasing security. com.apple.security.cs.allow-jit is the most secure, but requires extra work in your code. Only set one of these entitlements, because each is a superset of its predecessor. com.apple.security.cs.disable-executable-page-protection is rarely useful. Indeed, on Apple silicon [1] it’s the same as com.apple.security.cs.allow-unsigned-executable-memory. If you want to investigate moving from com.apple.security.cs.allow-unsigned-executable-memory to com.apple.security.cs.allow-jit, lemme know because there are a bunch of additional resources on that topic. What that tells me is that com.apple.security.cs.allow-jit is the recommended entitlement that retains enough security and yet provides the necessary programmer convenience for applications. In the OpenJDK project we use both com.apple.security.cs.allow-unsigned-executable-memory and com.apple.security.cs.allow-jit entitlements for the executables shipped in the JDK (for example java). I was told in that other thread that it might be possible to just use the com.apple.security.cs.allow-unsigned-executable-memory, but there are some additional details to consider. I'm starting this thread to understand what those details are.

On MacOS, I know that App Groups (com.apple.security.application-groups) do not require a provisioning profile. I was wondering if it's possible to sign them "ad hoc" and have it work? So maybe use a random TEAMID prefix and have it work? I would only need the app to work locally (for testing), not be distributed in that fashion, of course.

I requested permission to use the Family Controls entitlement two weeks ago, and I have not received a response or status update. I have been to that page where it says "Thank you! We'll get back to you soon!" so many times.

This is on macOS, not iOS. Not sure if that should make a difference? I have a GUI app and a command line tool (that will run a daemon) that I need to share credentials between. The keys/certs will be stored using the GUI app. But, both tools need to utilize them. guard let accessControl = SecAccessControlCreateWithFlags( nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, [.privateKeyUsage], nil ) else { throw KeychainCertError.keychainError(errSecAuthFailed, "Failed to create access control for private key") } // Define Key Pair Attributes let privateKeyAttributes: [String: Any] = [ kSecAttrIsPermanent as String: true, kSecAttrApplicationTag as String: privateLabel.data(using: .utf8)!, kSecAttrLabel as String: privateLabel, // kSecAttrAccessControl as String: accessControl, kSecAttrAccessGroup as String: keychainAccessGroup ] With the kSecAttrAccessControl commented out, I am able to generate a private key and generate a self signed certificate that is stored on the user login keychain. If I uncomment that line, I get an error to the affect of "Keychain error (-26275): Failed to generate key pair: A required entitlement isn't present" Also, to share the credentials, don't they need to be NOT on the user keychain for the daemon to access them? Any ideas what I am doing wrong? I think I'm a bit over my head here with the the security, crypto kit and openssl. 😁

We have a macOS app that has a Photos Extension, which shares documents with the app via an app group container. Historically we used to have an iOS-style group identifier (group.${TeamIdentifier}${groupName}), because we were lead by the web interface in the developer portal to believe this to be the right way to name groups. Later with the first macOS 15 betas last year there was a bug with the operating system warning users, our app would access data from different apps, but it was our own app group container directory. Therefore we added a macOS-style group identifier (${TeamIdentifier}${groupName}) and wrote a migration of documents to the new group container directory. So basically we need to have access to these two app group containers for the foreseeable future. Now with the introduction of iOS-style group identifiers for macOS, Xcode Cloud no longer archives our app for TestFlight or AppStore, because it complains: ITMS-90286: Invalid code signing entitlements - Your application bundle’s signature contains code signing entitlements that aren’t supported on macOS. Specifically, the “[group.${TeamIdentifier}${groupName}, ${TeamIdentifier}${groupName}]” value for the com.apple.security.application-groups key in isn’t supported. This value should be a string or an array of strings, where each string is the “group” value or your Team ID, followed by a dot (“.”), followed by the group name. If you're using the “group” prefix, verify that the provisioning profile used to sign the app contains the com.apple.security.application-groups entitlement and its associated value(s). We have included the iOS-style group identifier in the provisioning profile, generated automatically, but can't do the same for the macOS-style group identifier, because the web interface only accepts identifiers starting with "group". How can we get Xcode Cloud to archive our app again using both group identifiers? Thanks in advance

Hello, Our app has already received approval for using the Family Controls API. However, when we added an extension, we were informed that an additional approval was required. Unfortunately, our request was rejected. Apple Support advised us to include "Describing use of required reason API" in the privacyInfo file, but after reviewing the documentation, we couldn't find any relevant information specifically for the Family Controls API. Questions: How should we describe the use of Family Controls API in the privacyInfo file? What does the rejection reason "Enterprise use not approved" specifically mean? Why is additional approval required for the extension, and how can we resolve this? Background: Initial Approval: Our app was approved to use the Family Controls API. Extension Submission: We submitted an extension requiring additional approval, but it was rejected. Follow-up Inquiry: Apple Support instructed us to include a description in privacyInfo, but no relevant details for Family Controls API were found. Further Inquiry: We asked for clarification, and Apple Support referred us to DTS. DTS Response: They requested that we post our question on the Apple Developer Forums before they can review it. If anyone has insights, guidelines, or previous experience with this approval process, we would greatly appreciate your help. Thank you!

I work on an app that has the com.apple.developer.mail-client entitlement. We're interested in trying out Xcode Cloud, and one of the project and workspace requirements is to use automatic code signing. We do not do this at the moment because it's not compatible with the additional entitlement. My understanding is that we can migrate to automatic code signing if we migrate the additional entitlement to a capability and that to accomplish this our account holder needs to submit a request (see the last section of that page). We submitted the request a little over 3 weeks ago, but so far we haven't heard any updates. We also tried reaching out directly to the email address linked in the com.apple.developer.mail-client docs, but have not heard back. We're now posting here to see if anyone can provide some guidance on whether there are other steps to complete or contacts to whom we should reach out. Thanks!

I’m attempting to make an app that uses Disk Arbitration to intercept a disk mount (by creating and returning a dissenter in the appropriate callback) and then mount the disk with certain options (specifically, read-only, nobrowse, or both, depending on user options). For example: DADiskMountWithArguments(disk, nil, DADiskMountOptions(kDADiskMountOptionDefault), nil, nil, kReadOnly) …where kReadOnly is a pointer to an array only containing a “rdonly” CFString. While DADiskMountWithArguments seems to be usable in a sandboxed app for disk images, it doesn’t work when the disk is an external disk (e.g. connected via USB). I see lines like this in Console.app when this happens: Sandbox denied authorizing right 'system.volume.external.mount' by client '/path/to/exe' [17934] (engine 580) I’ve identified two workarounds that allow this to work in a sandbox, but both have their own problems: If a LaunchDaemon (even a sandboxed one, which is required for registration with SMAppService.daemon from the sandboxed app) does the call to DADiskMountWithArguments, it will succeed. But App Store policies don’t allow escalation to root. If I use the undocumented entitlement com.apple.security.temporary-exception.sbpl with a value of (allow authorization-right-obtain (right-name "system.volume.external.mount")), the mount works without escalation to root. But I understand that App Review is likely to reject the use of this entitlement, and that this entitlement isn't supported to begin with. Specifically, these are the behaviors I see on macOS Sequoia 15.3.1 and Xcode 16.2. Since I would like to try to publish this app on the App Store, neither of these seem like acceptable solutions. I don’t see why this should be restricted if the sandboxed app is not declaring a special path (i.e. the path in DADiskMountWithArguments is set to nil) and still does not have access to the mounted filesystem - am I missing something/is there a way to accomplish this?

I am looking for inputs to better understand MacOS entitlements. I ask this in context of OpenJDK project, which builds and ships the JDK. The build process makes uses of make tool and thus doesn't involving building through the XCode product. The JDK itself is a Java language platform providing applications a set of standard APIs. The implementation of these standard APIs internally involves calling platform specific native library functions. In this discussion, I would like to focus on the networking functions that the implementation uses. Almost all of these networking functions and syscalls that the internal implementation uses are BSD socket related. Imagine calls to socket(), connect(), getsockopt(), setsockopt(), getaddrinfo(), sendto(), listen(), accept() and several such. The JDK that's built through make is then packaged and made available for installation. The packaging itself varies, but for this discussion, I'll focus on the .tar.gz archived packaging. Within this archive there are several executables (for example: java, javac and others) and several libraries. My understanding, based on what I have read of MacOS entitlements is that, the entitlements are set on the executable and any libraries that would be loaded and used by that executable will be evaluated against the entitlements of the executable (please correct me if I misunderstand). Reading through the list of entitlements noted here https://developer.apple.com/documentation/bundleresources/entitlements, the relevant entitlements that an executable (like "java") which internally invokes BSD socket related syscalls and library functions, appear to be: com.apple.security.network.client - https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.network.client com.apple.security.network.server - https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.security.network.server com.apple.developer.networking.multicast - https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.multicast Is my understanding correct that these are the relevant ones for MacOS? Are there any more entitlements that are of interest? Would it then mean that the executables (java for example) would have to enroll for these entitlements to be allowed to invoke those functions at runtime? Reading through https://developer.apple.com/documentation/bundleresources/entitlements, I believe that even when an executable is configured with these entitlements, when the application is running if that executable makes use of any operations for which it has an entitlement, the user is still prompted (through a UI notification) whether or not to allow the operation. Did I understand it right? The part that isn't clear from that documentation is, if the executable hasn't been configured with a relevant entitlement, what happens when the executable invokes on such operation. Will the user see a UI notification asking permission to allow the operation (just like if an entitlement was configured)? Or does that operation just fail in some behind the scenes way? Coming back to the networking specific entitlements, I found a couple of places in the MacOS documentation where it is claimed that the com.apple.developer.networking.multicast entitlement is only applicable on iOS. In fact, the entitlement definition page for it https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.multicast says: "Your app must have this entitlement to send or receive IP multicast or broadcast on iOS. It also allows your app to browse and advertise arbitrary Bonjour service types." Yet, that same page, a few lines above, shows "macOS 10.0+". So, is com.apple.developer.networking.multicast entitlement necessary for an executable running on MacOS which deals with multicasting using BSD sockets? As a more general comment about the documentation, I see that the main entitlements page here https://developer.apple.com/documentation/bundleresources/entitlements categorizes some of these entitlements under specific categories, for example, notice how some entitlements are categorized under "App Clips". I think it would be useful if there was a category for "BSD sockets" and under that it would list all relevant entitlements that are applicable, even if it means repeating the entitlement names across different categories. I think that will make it easier to identify the relevant entitlements. Finally, more as a long term question, how does one watch or keep track of these required entitlements for these operations. What I mean is, is it expected that application developers keep visiting the macos documentation, like these pages, to know that a new entitlement is now required in a new macos (update) release? Or are there other ways to keep track of it? For example, if a newer macos requires a new entitlement, then when (an already built) executable is run on that version of macos, perhaps generate a notification or some kind of explicit error which makes it clear what entitlement is missing? I have read through https://developer.apple.com/documentation/bundleresources/diagnosing-issues-with-entitlements but that page focuses on identifying such issues when a executable is being built and doesn't explain the case where an executable has already been shipped with X entitlements and a new Y entitlement is now required to run on a newer version of macos.

I'm working on a Password Manager app that integrates with the AutoFill Credential Provider to provide stored passwords and OTPs to the user within Safari and other apps. Password AutoFill works perfectly. I'm unable to get iOS to register that the app supports OTPs though. I've followed the Apple documentation here: https://developer.apple.com/documentation/authenticationservices/providing-one-time-passcodes-to-autofill and added "ProvidesOneTimeCodes" to the AutoFill extension's Info.plist, but iOS just doesn't seem to notice the OTP support. &lt;key&gt;ASCredentialProviderExtensionCapabilities&lt;/key&gt; &lt;dict&gt; &lt;key&gt;ProvidesOneTimeCodes&lt;/key&gt; &lt;true/&gt; &lt;key&gt;ProvidesPasswords&lt;/key&gt; &lt;true/&gt; &lt;/dict&gt; Any help would be greatly appreicated!