General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

I'm posting this here after reading Quinn's post here: https://developer.apple.com/forums/thread/799000 The above entitlement is mentioned in IOUSBHostControllerInterface.h. It isn't an entitlement one can add using the + button on the Capabilities panel in Xcode. If I try to add it by hand, Xcode complains that it isn't in my profile. Is this a managed entitlement? We'd like to create a local USB "device" to represent a real device reachable over a network.

Hi guys, I am building a custom virtualization utility for macOS using the native Virtualization Framework. My goal is to allow local guest virtual machines to run in Bridged Mode (VZBridgedNetworkDeviceAttachment) so they can acquire their own distinct local IP address from my router and expose service ports directly to the local network. When attempting to compile and run my app with the com.apple.vm.networking entitlement, Xcode throws the following error:"Entitlement com.apple.vm.networking not found and could not be included in profile. This likely is not a valid entitlement and should be removed from your entitlements file" I understand that this is a restricted capability that is hidden from the standard Apple Developer Portal by default. I have already reached out via email to Apple Developer Support to request it, but I have not received a definitive answer on the process or exact entitlement string name. For those who have successfully shipped or tested a virtualization app with bridged networking, Is com.apple.vm.networking the correct string name for modern macOS versions, or is there a newer, specific identifier required? What is the actual entitlement that i should see in my developer account? I can't seem to find it in the docs as well. Would it be called "VM Networking" Thanks,

I submitted my Family Controls entitlement request on April 21 for my iOS app and still haven't heard anything back. We have had no approval or status update. It's been close to a month now. This is blocking me from testing and moving forward with the app since it relies on the Screen Time / Family Controls APIs. Has anyone run into delays this long recently? Thanks

Hoping to get visibility on a Family Controls (Distribution) entitlement request pending without status updates after an app transfer. Context: Digital wellbeing app, 500K+ active iOS users Previous team had Family Controls (Distribution) approved and shipping to production App transferred to new team (H2HM68H8PP) ~1 month ago; entitlement re-requested immediately Capability page shows "View Requests (6)" with no approvals, rejections, or updates Developer Support cases opened (102883853173, 20000112879750, 102875975624) — confirmed they cannot check entitlement status Impact: Core app feature depends on Family Controls. Production app for 500K+ users will break once transfer fully propagates at provisioning level. This is a continuity issue, not a new-app launch — entitlement was previously approved on the prior team. Questions: Recommended escalation path for post-transfer entitlement requests? Should I stop resubmitting to avoid queue deprioritization? Could the entitlements team provide a status update? Happy to share bundle ID, previous team ID, and request dates privately with Apple staff.

Subject: Family Controls (Distribution) — 2 pending requests for 9 days, no status update (WA2MPH4572 + HCQXH9P8VM) Tags: family-controls Body: Hello Apple Developer Forums and DTS team, I am requesting visibility on the status of two pending Family Controls (Distribution) entitlement requests submitted 10 days ago with no email confirmation or status update. REQUEST DETAILS App: SHIELD Bundle ID: app.shieldme Team ID: 4452N28RUS Request IDs (both submitted on May 6, 2026): WA2MPH4572 HCQXH9P8VM Status: Both showing "Submitted" in Identifiers → app.shieldme → Family Controls (Distribution) → View Requests USE CASE SHIELD is a Brazilian app focused on personal device usage management. The category covers the scenario the app addresses: device owners who want to apply additional access controls to their own apps in case of phone theft or loss, which are widespread concerns in Brazil. SHIELD is NOT a parental control app and does not facilitate management of devices belonging to other people. The device owner is the sole operator. The owner uses the system-provided picker to select which of their own apps should require additional access controls, configured and controlled exclusively by the owner. The use of FamilyControls + ManagedSettings is the iOS API path that allows a third-party app to offer this access-control layer on user-selected apps for the owner's own protection. Without this entitlement, the iOS version cannot offer parity with the Android version of the same product. ALIGNMENT WITH FAMILY CONTROLS USAGE TERMS Device owner is the sole operator (no third-party monitoring) Owner manages access to their own apps only Use case is personal device usage management No advertising or data broker use of device or usage data No organizational deployment Privacy disclosures complying with Brazilian LGPD law are included in-app at first launch ASK Could a DTS Engineer or the entitlements review team confirm whether the two pending requests are visible in the queue and share an approximate timeline? If additional clarification on the use case would help the review proceed, I will provide it the same day. The Android version of SHIELD is feature-complete and currently in beta testing, approaching public launch. The iOS version is designed to launch alongside Android, since the product relies on a referral mechanism where an existing user can invite a contact who may be on either platform. Releasing only one platform breaks the onboarding flow for invitees on the other. Family Controls (Distribution) is the single remaining blocker on the iOS side. If there is a recommended channel for aligning entitlement timing with a coordinated multi-platform release, please advise. Thank you for your time.

Greetings fellow devs, After accepting the Alternative Terms Addendum for Apps in the EU and adding the Storekit External Purchases or Offers capability via App Store Connect in our app identifier, the entitlement showing up in xcode is com.apple.developer.storekit.custom-purchase-link.allowed-regions and has the value 'jp'. How can we change the value for that entitlement to 'gr'? We tried changing it in xcode, but we get the error <Provisioning profile "iOS Team Provisioning Profile: [app identifier]" doesn't match the entitlements file's value for the com.apple.developer.storekit.custom-purchase-link.allowed-regions entitlement.>. In Certificates, Identifiers and Profiles in the developer account there is no way to configure that capability. We sent a request to support and they only gave a link to documentation and to the forum here. We have a completed every business agreement requested and we have chosen Greece as the organisation region and the app's availability region wherever possible. We haven't found anywhere that Japan would be chosen to explain the entitlement given. So where can this entitlement about allowed regions be configured? Xcode version is 16.4 and iOS minimum deployments is 18

Hi, I submitted my Family Controls entitlement requests on April 21 for my iOS app, but I still haven’t received an approval, rejection, or any status update. This is blocking my ability to properly test and move forward with the app, since it depends on the Screen Time / Family Controls APIs. Has anyone had a similar delay recently? Is the recommended next step to file a code-level support request with my Team ID, or should I continue waiting? Thanks.

I have a live activity and even after a couple of times that it has shown on my lock screen it keeps prompting the user to tap on Don't Allow or Allow. Can someone help me understand why this is happening? I would like my users to only hit Allow once and not be prompted again, otherwise they would not be registered for updates, since update token only generates after selecting Allow.

Hello, I submitted a Family Controls Distribution entitlement request on May 1st, 2026 and received the generic confirmation page. It has now been 13 days with no approval, rejection or status update. Timeline: May 1st: Submitted request via developer.apple.com/contact/ request/family-controls-distribution → Received confirmation page May 8th: Opened Entitlements ticket via Developer Support → No response after 6 days (despite the stated 2 business day response time) My app Knipsi is a parental control app for the DACH market. It helps families manage screen time by letting children earn credits through completing real-world tasks, with parents approving via Face ID. The app is 100% finished and ready for TestFlight — this entitlement is the only remaining blocker. App Details: Team ID: 5GW9CM8T7U Bundle ID: aquilano.Knipsi Case: 102883106983 Frameworks: FamilyControls, ManagedSettings, DeviceActivity I understand the entitlement review takes time — but what concerns me is that the support ticket opened under Entitlements has also gone unanswered for 6 days, despite the advertised 2 business day response time. Could anyone share how long the Family Controls Distribution approval currently takes? And is there a recommended way to follow up when support tickets go unanswered? Thank you

Hi everyone, We are working on an app that requires access to devices on the local network (Bonjour / LAN discovery + direct socket communication). We are currently struggling with the Local Network privacy permission flow introduced by Apple. From our understanding, there is no dedicated public API to explicitly request Local Network permission or to reliably determine the current authorization state before attempting network activity. We have tried several commonly suggested approaches to trigger the permission dialog, including: Bonjour browsing via NWBrowser Publishing/listening with NetService UDP/TCP socket attempts on local subnet NWConnection / NWListener Triggering discovery after app launch and after foreground transitions We already added the required entries in: NSLocalNetworkUsageDescription NSBonjourServices However, the behavior is inconsistent across devices and OS versions: Sometimes the popup appears immediately Sometimes it never appears Sometimes network operations silently fail without callback clarity In some cases callbacks are delayed or ambiguous Reinstalling/resetting permissions changes behavior unpredictably Our main challenges are: What is currently considered the most reliable Apple-approved method to trigger the Local Network permission prompt? Is there any officially recommended way to determine whether permission is: not determined denied granted Is there any reliable callback or state transition API developers should use? Are there known differences between: NWBrowser NetService BSD sockets NWConnection when it comes to triggering the permission dialog? Are there recommended retry/timing patterns to avoid race conditions during app launch? Is Apple planning to introduce a dedicated authorization API similar to: AVAuthorizationStatus CLAuthorizationStatus PHPhotoLibrary.authorizationStatus() Right now it feels difficult to provide a reliable UX because there is no deterministic way to: proactively request access observe authorization state recover gracefully when the prompt does not appear Any guidance, DTS references, WWDC sessions, or recommended implementation patterns would be greatly appreciated. Thanks!

I've been waiting on the Family Controls distribution entitlement for my app for over two weeks with use case to self direct app and sites blocking Setup: Development entitlement: ✅ approved and working Request ID: 27684X55GC The blocker: Xcode warns: "Bundle identifier is using development only version of Family Controls (Development) capability. Please request access to Family Controls (Distribution)." Archiving for App Store fails with provisioning profile errors on all my targets Questions: Is 2+ weeks normal for distribution entitlement approval? Any recommended path to escalate besides the request form and have also emailed apple support?

Hi, I submitted my Family Controls entitlement requests on April 15 for my iOS app, but I still haven’t received an approval, rejection, or any status update. This is blocking my ability to properly test and move forward with the app, since it depends on the Screen Time / Family Controls APIs. I've tried contact to apple developer support and filed a code-level support on app connect dashboard. and still nothing received. Here is the request information: code-level support case id: 19834379 apple developer support case id: 102878196850 Family Controls Distribution RequestId: BT4C47F5VB,SLP56WRZ3J,BZ7MF3R4FF,5HAY5UF5X2,P49SM5C859,KG2T2X2L76,N353H759C4 Thanks.

Hello, I would like to have MSAL login fully working in a Developer ID signed macOS application. I am using the following library for adding MSAL support to my macOS app : https://github.com/AzureAD/microsoft-authentication-library-for-objc . The MSAL login (even silent login via the MSAL broker) works fully via my company Entra ID when I run and test my local dev build. But : when I build and sign and notarize my application with a company Developer ID signature, the login fails, and I see keychain access related issues in the MSAL library log entries. The MSAL library requires the following keychain access groups to be enabled : $(AppIdentifierPrefix)com.company.app.bundle.id $(AppIdentifierPrefix)com.microsoft.identity.universalstorage The above requirement is confirmed under these links: https://learn.microsoft.com/en-us/entra/msal/objc/howto-v2-keychain-objc?tabs=objc and also their sample app : https://github.com/AzureAD/microsoft-authentication-library-for-objc/blob/410256714ee0489d212c0cbd8772259a69e7d862/MSAL/test/app/mac/MSALMacTestApp.entitlements#L18 The problem seems to be that such keychain access groups access cannot be configured for Developer ID signed applications. Would it be possible to enable such Keychain Access groups somehow for a Developer ID signed application? Thank you for any help in advance!

Hi, I'm building a wellness app called that helps users manage their phone usage based on their consumption, using the Screen Time API. I need the Family Controls (Distribution) entitlement to ship it. I've already submitted multiple requests across all my bundle IDs, but due to the lack of confirmation feedback after each submission, I may have submitted more than needed. Regardless, the oldest request submitted was on April 22nd (exactly 2 weeks ago), without any reply or change. Is this normal ? Also, I came across a forum post (https://developer.apple.com/forums/thread/821964?answerId=885672022#885672022) suggesting that the entitlement is now scoped at the team level rather than per bundle ID, and that I should resubmit a single request. I want to do the right thing here but I'm not sure whether to resubmit or wait and I don't want to make the situation worse than it already is. We're about a month away from our launch date and this is the last remaining blocker for both TestFlight and App Store submission. Any guidance on next steps, or help prioritizing this, would mean a lot. Thanks so much,

I requested "DirverKit UserClient Access" Entitlement, But I Distribute App failed. I don't know the reason. I think when I request "DirverKit UserClient Access" I make a mistake. I fill in two Bundle ids in the "Request a System Extension or DriverKit Entitlement" form's "UserClient Bundle IDs" item. The reason is when I Add "DirverKit UserClient Access" Capability in the project of Xcode. The .entitlements file is like this: <string>com.turing.TuringTouch com.turing.TuringTouch.TouchDriver</string> But in "Signing" of Xcode's "Bundle Identifier" can fill in only on "Identifier" therefore they do not match. So I can't Distribute App. I reapply "DirverKit UserClient Access" Entitlement. But decline. The result is "decline". Please help me. Please tell me, how should can I do now? Thank you very much.

Hello, I submitted a request for Family Controls (Distribution) approval, and it has now been over 12 days without any update on the status. I understand that review times can vary, but I wanted to check if this delay is expected or if there’s anything I might need to do on my end to help move the process forward. Could anyone from the Apple team or the community provide insight into: Typical processing times for Family Controls distribution requests Whether delays beyond a few days are common Any steps I should take to follow up or expedite the review For reference: Status: Submitted Submission time: April 29, 2026 Any guidance would be greatly appreciated. Thank you!

We are seeing what looks like a signing / managed-capability mismatch for Contactless Pass Provisioning. Environment Team ID: S7AUTD2C2B Bundle IDs: com.swiftpass.ios com.swiftpass.ios.dev Xcode: 26.4 macOS: 26.4 Problem Our app has had Contactless Pass Provisioning approved by Apple for a long time, and builds were working until a few days ago. Without any intentional signing/capability changes on our side, Xcode started failing with the following error: Provisioning profile "Swiftpass prod Appstore" doesn't include the Contactless Pass Provisioning capability. Contactless Pass Provisioning capability needs to be assigned to your team and bundle identifier by Apple in order to be included in a profile. Observed behavior Xcode marks the relevant provisioning profiles as "Ineligible" in the profile selector. This affects both development/debug and release/App Store builds. If we remove Contactless Pass Provisioning from the app entitlements/capabilities, the exact same profiles immediately become eligible and the signing error disappears. Important detail The downloaded provisioning profiles already contain the entitlement that Xcode claims is missing. We verified the downloaded profile with: security cms -D -i /Users/sergej/Downloads/Swiftpass_prod_Appstore\(1\).mobileprovision and it contains: <key>com.apple.developer.contactless-payment-pass-provisioning</key> <array> <string>shareablecredential</string> </array> So the issue appears to be that the profile contents look correct the capability is still present in the developer portal but Xcode's eligibility check still says the profile does not include the capability What we verified Contactless Pass Provisioning is still enabled for the App ID in the Apple Developer portal Newly recreated / redownloaded profiles still contain the entitlement Both dev and distribution profiles are affected The behavior is reproducible across profile refreshes and local cleanup What we already tried Reinstalled Xcode Updated Xcode and macOS Updated command line tools Cleaned DerivedData Deleted local provisioning profile cache Refreshed/redownloaded profiles from Xcode Recreated provisioning profiles in the developer portal Removed and re-added the capability in Xcode Expected behavior If the downloaded provisioning profile contains com.apple.developer.contactless-payment-pass-provisioning, Xcode should treat that profile as eligible. Actual behavior Xcode reports that the capability is missing and marks the profile as ineligible, even though the entitlement is present in the downloaded profile. Question Has anyone seen this specific mismatch with Contactless Pass Provisioning or other managed capabilities? This currently looks like either: an Apple backend/App ID capability-assignment sync problem, or an Xcode eligibility-validation bug for managed capabilities Feedback Assistant ID: FB22439399. It contains screenshots that showcase the issue as well.

We are implementing an exam mode feature for an educational app used in schools, which restricts device usage during assessments. We requested the Automatic Assessment Configuration capability, received approval from Apple, and confirmed that the capability is listed as Assigned under our App ID in the Apple Developer portal. What works: When using a Development Provisioning Profile (downloaded from the portal), the entitlement key com.apple.developer.automatic-assessment-configuration is included in the profile, and our exam lock feature works correctly in development testing. The problem: When we manually download a Distribution (InHouse/Enterprise) Provisioning Profile from the portal — even after creating a new one — the entitlement key com.apple.developer.automatic-assessment-configuration is not present in the profile. verified this by running: security cms -D -i YourProfile.mobileprovision The key appears in the Development PP but is absent in the manually downloaded Distribution PP, despite the App ID showing the capability as Assigned. Note: When using Xcode's automatic signing, the generated profile does include the entitlement correctly. However, due to our organization's internal security policy, we are required to use manually managed provisioning profiles and cannot use Xcode automatic signing for distribution builds. Questions: Is the com.apple.developer.automatic-assessment-configuration entitlement intentionally restricted to Development profiles only, or is this a known portal issue with managed capabilities not being embedded in manually created Distribution profiles? Is it technically supported and intended to use AEAssessmentSession in an InHouse (Enterprise) distribution environment? If InHouse is not supported, is the correct path to test internally via Development profiles and then submit through App Store distribution to include this entitlement in production? Any guidance on the correct technical direction would be greatly appreciated.