General: Forums topic: Code Signing Forums subtopics: Code Signing > General, Code Signing > Certificates, Identifiers & Profiles, Code Signing > Notarization, Code Signing > Entitlements Forums tags: Code Signing, Signing Certificates, Provisioning Profiles, Entitlements Developer Account Help — This document is good in general but, in particular, the Reference section is chock-full of useful information, including the names and purposes of all certificate types issued by Apple Developer web site, tables of which capabilities are supported by which distribution models on iOS and macOS, and information on how to use managed capabilities. Developer > Support > Certificates covers some important policy issues Bundle Resources > Entitlements documentation TN3125 Inside Code Signing: Provisioning Profiles — This includes links to the other technotes in the Inside Code Signing series. WWDC 2021 Session 10204 Distribute apps in Xcode with cloud signing Certificate Signing Requests Explained forums post --deep Considered Harmful forums post Don’t Run App Store Distribution-Signed Code forums post Resolving errSecInternalComponent errors during code signing forums post Finding a Capability’s Distribution Restrictions forums post Signing code with a hardware-based code-signing identity forums post New Capabilities Request Tab in Certificates, Identifiers & Profiles forums post Isolating Code Signing Problems from Build Problems forums post Investigating Third-Party IDE Code-Signing Problems forums post Determining if an entitlement is real forums post Code Signing Identifiers Explained forums post Mac code signing: Forums tag: Developer ID Creating distribution-signed code for macOS documentation Packaging Mac software for distribution documentation Placing Content in a Bundle documentation Embedding nonstandard code structures in a bundle documentation Embedding a command-line tool in a sandboxed app documentation Signing a daemon with a restricted entitlement documentation Defining launch environment and library constraints documentation WWDC 2023 Session 10266 Protect your Mac app with environment constraints TN2206 macOS Code Signing In Depth archived technote — This doc has mostly been replaced by the other resources linked to here but it still contains a few unique tidbits and it’s a great historical reference. Manual Code Signing Example forums post The Care and Feeding of Developer ID forums post TestFlight, Provisioning Profiles, and the Mac App Store forums post For problems with notarisation, see Notarisation Resources. For problems with the trusted execution system, including Gatekeeper, see Trusted Execution Resources. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com"

You can now easily request access to managed capabilities for your App IDs directly from the new Capability Requests tab in Certificates, Identifiers & Profiles > Identifiers. With this update, view available capabilities in one convenient location, check the status of your requested capabilities, and see any notes from Apple related to your requests. Learn more about capability requests.

I have applied for CarPlay support here Apply here to get your app approved for CarPlay use: https://developer.apple.com/contact/carplay/ but have not received any acceptance or answers. Does anyone know what to do?

Dear Apple Developer Support Team, We are seeking a solution that would allow us to include the CarPlay entitlement while distributing our app using an enterprise profile. Could you please provide guidance on how we might achieve this? Are there any alternative approaches or considerations that could help us navigate this limitation? Your expertise and advice would be greatly appreciated as we work to ensure our app meets the needs of our users while complying with Apple’s guidelines. Thank you for your time and support.

I am developing CarPlay addition on our app. Which is distributed with the Enterprise In distribution method, so we do not have a product in the App Store. I am wondering if CarPlay support can be provided in applications distributed with the Enterprise in distribution method? If this is not possible, I will inform management that this is not possible. I am waiting for your answers, thanks.

Hello, I'm experiencing a significant delay getting the Family Controls entitlement approved for my Shield Configuration Extension, and I'm hoping someone here can help or has experienced something similar. Background: I'm developing an app that uses the Screen Time API with Family Controls. My main app bundle (lukedev.Bloka) was approved for Family Controls (Distribution) and works perfectly. The Problem My Shield Configuration Extension (lukedev.Bloka.Shield) has been stuck waiting for approval for over 2 weeks: Request ID: 6C8LD22UVM Submitted: November 20, 2025 Status: Still "Submitted" Current State: Only shows "Family Controls (Development)" in capabilities What I've Tried ✅ Submitted entitlement request via the proper channels ✅ Contacted Apple Developer Support (case #102762028251) ✅ Verified the main app has full Family Controls approval ✅ Deleted and regenerated all provisioning profiles multiple times ✅ Confirmed the App ID configuration is correct in the Developer Portal The Issue Without Family Controls (Distribution) approval for the Shield extension, I cannot: Test the complete app functionality on physical devices Submit the app to App Store Connect Move forward with development The error I'm getting during provisioning: Provisioning profile failed qualification Profile doesn't include the com.apple.developer.family-controls entitlement Questions Has anyone experienced multi-week delays for Shield extension entitlements? Is this normal? Should Shield extensions automatically inherit entitlements from the main app, or do they really require separate approval? The documentation isn't clear on this. Are there any known workarounds to test Shield Configuration Extensions during development while waiting for distribution approval? How can I escalate this request? Developer Support initially told me I already had approval (for the main app) but didn't address the extension's separate bundle ID. Technical Details Xcode: 16.2 Target: iOS 18+ Main App: Family Controls (Distribution) ✅ Approved Shield Extension: Family Controls (Development only) ❌ Stuck Why This Matters The Shield Configuration Extension is a core component of Screen Time API apps - it's not optional. Without it, the app cannot properly display blocking interfaces. The fact that it requires a separate 2+ week approval process (after the main app was already approved) seems like a significant oversight in Apple's review process. Has anyone successfully navigated this situation or found a way to expedite the review? Any help or insights would be greatly appreciated! Thanks, Luca

General: Forums topic: Family Controls Forums tag: Family Controls Configuring Family Controls documentation Requesting the Family Controls entitlement documentation Screen Time Technology Frameworks documentation FamilyControls documentation What's new in Screen Time API video Meet the Screen Time API video

When setting new entitlements com.apple.developer.networking.carrier-constrained.appcategory and com.apple.developer.networking.carrier-constrained.app-optimized, I have a question about how URLSession should behave. I notice we have a way to specify whether a Network connection should allow ultra-constrained paths via NWParameters allowUltraConstrainedPaths: https://developer.apple.com/documentation/network/nwparameters/allowultraconstrainedpaths There does not appear to be a similar property on URLSessionConfiguration. In an ultra-constrained (eg. satellite) network, should we expect all requests made through an URLSession to fail? Does all network activity when ultra-constrained need to go through a NWConnection or NetworkConnection specifically configured with allowUltraConstrainedPaths, or can URLSession ever be configured to allow ultra-constrained paths?

Hello, I am working to integrate the new com.apple.developer.networking.carrier-constrained.app-optimized entitlement in my iOS 26 app so that my app can use a carrier-provided satellite network, and want to confirm my understanding of how to detect and optimize for satellite network conditions. (Ref: https://developer.apple.com/documentation/bundleresources/entitlements/com.apple.developer.networking.carrier-constrained.app-optimized ) My current approach: I plan to set the entitlement to true once my app is optimized for satellite networks. To detect if the device is connected to a satellite network, I intend to use the Network framework’s NWPath properties: isUltraConstrained — I understand this should be set to true when the device is connected to a satellite network. (Ref: https://developer.apple.com/documentation/network/nwpath/isultraconstrained ) linkQuality == .minimal — I believe this will also be set in satellite scenarios, though it may not be exclusive to satellite connections. (Ref: https://developer.apple.com/documentation/network/nwpath/linkquality-swift.enum/minimal ) Questions: Is it correct that isUltraConstrained will reliably indicate a satellite connection? Should I also check for linkQuality == .minimal, or is isUltraConstrained sufficient? Are there any additional APIs or best practices for detecting and optimizing for satellite connectivity that I should be aware of? Thank you for confirming whether my understanding and approach are correct, and for any additional guidance.

Hi all, I’m building an iOS app that uses CoreNFC to communicate with a YubiKey 5C NFC over ISO14443 / ISO7816 and send APDUs (e.g. select an applet by AID). Environment • Device: iPhone 13 Pro Max • iOS: 18.6.2 • Xcode: 26.1.1 (17B100) • API: NFCTagReaderSession(pollingOption: .iso14443) using NFCTag.iso7816 What I’m trying to do 1. Start NFCTagReaderSession(.iso14443) 2. Detect tag → connect 3. Send ISO7816 APDUs (SELECT AID, etc.) Issue A — Entitlements / signing If I add ISO7816-related NFC entitlements, Xcode fails signing with an error like: • “Provisioning profile … doesn’t match entitlements file value for com.apple.developer.nfc.readersession.formats” When I inspect the generated .mobileprovision, I only see something like: • com.apple.developer.nfc.readersession.formats = [NDEF, TAG, PACE] …and I do not see an ISO7816 / select-identifiers entitlement (and the Developer portal UI doesn’t appear to let me enable it). Questions: 1. Is ISO7816 access under com.apple.developer.nfc.readersession.formats restricted and requires Apple approval? If yes, what’s the correct request process? 2. Is com.apple.developer.nfc.readersession.iso7816.select-identifiers required for sending ISO7816 APDUs? If yes, how do developers obtain it / enable it for an App ID + provisioning profiles? 3. What is the Apple-supported way to configure entitlements/profiles for CoreNFC ISO7816 APDU communication with a token like a YubiKey? Issue B — Runtime NFC error Separately (even when I can run), I intermittently/consistently get: • NFCError Code=104 (“Tag is not connected”) This occurs after the tag is detected/connected when trying to establish a session or send APDUs. I’ve verified: • No phone case interference • Correct placement • Consistent detection “tick” from the phone for "Ready to Scan" prompt after tapping YubiKey 5C NFC device. If helpful, I can share: • A minimal sample project • The exact entitlements I tried • Console logs around the Code 104 failure Thanks!

I want to help contribute a feature in a virtual-machine app in macOS that supports PCIe device passthrough over thunderbolt. I have a question about the entitlements. Since I do not represent the GPU vendors, would I be allowed to get a driver signed that matches GPU vendor IDs? Is there such a thing as wildcard entitlement for PCIDriverKit? I don't want end-users to have to disable SIP to be able to use this. Any suggestions/leads? Thank you.

“Side Button Access” Capability cannot be found under capabilities and when trying to add the entitlement com.apple.developer.side-button-access.allow manually, I got the invalid entitlement error. Xcode: 26.2, MacOS: 26.2.

We are planning to migrate our application from an iOS In‑App Purchase (IAP) subscription flow to an external web purchase flow. The intended user journey is: The user taps a “Subscribe” button in the app. The user is redirected to a web-based checkout to complete the purchase. The user returns to the app, and subscription access is unlocked based on entitlement verification from our backend. Our app is currently listed in the Education category. Before we begin this refactor, we would like confirmation on the following: Entitlements / permissions Do we need to request any specific Apple entitlements or approvals to implement this external purchase flow (e.g., external link or alternative payment related permissions)? Compliance / review requirements Are there any specific App Review compliance checks, disclosures, or review process requirements we must satisfy when moving from IAP to an external purchase flow? If relevant, are there constraints based on app category (Education) or product type (subscription)?

I have an open NFC Value-Added Services entitlement case (17370116) with Apple Wallet Entitlements. My request was acknowledged, information provided, but the case appears to have been split into duplicates and stalled. Is there a way to have the case consolidated and routed back to the Wallet Entitlements team?

Environment: Device: iPhone 15 iOS Version: 26.2 Xcode Version: (add your version) Signing: Automatic with Apple Developer account Problem: When calling NFCTagReaderSession.begin(), the session immediately fails with error code 2: "Missing required entitlement". This happens even though: NFCTagReaderSession.readingAvailable returns true NFCNDEFReaderSession.readingAvailable returns true The session object is created successfully Configuration verified: BonoResidente.entitlements: Info.plist (relevant keys): NFCReaderUsageDescription This app needs NFC permission to read transport cards com.apple.developer.nfc.readersession.iso7816.select-identifiers D2760000850101 Apple Developer Portal: App ID com.acalvoelorri.BonoResidente has "NFC Tag Reading" capability enabled Provisioning profiles were regenerated after enabling the capability Xcode: "Near Field Communication Tag Reading" capability added via Signing & Capabilities CODE_SIGN_ENTITLEMENTS correctly points to the entitlements file Automatic signing enabled with valid Development Team Steps taken: Deleted app from device Clean Build Folder (Cmd+Shift+K) Deleted and re-added the NFC capability in Xcode Manually enabled NFC Tag Reading in Apple Developer Portal Rebuilt and reinstalled the app Code: import CoreNFC class NFCReaderService: NSObject, ObservableObject, NFCTagReaderSessionDelegate { @Published var lastReadData: String = "" @Published var isReading: Bool = false private var session: NFCTagReaderSession? func startReading() { guard NFCTagReaderSession.readingAvailable else { lastReadData = "NFC not available on this device" return } session = NFCTagReaderSession( pollingOption: [.iso14443, .iso15693, .iso18092], delegate: self ) session?.alertMessage = "Hold your transport card near the iPhone" session?.begin() isReading = true } func tagReaderSessionDidBecomeActive(_ session: NFCTagReaderSession) { print("NFC session active") } func tagReaderSession(_ session: NFCTagReaderSession, didInvalidateWithError error: Error) { // Error occurs here immediately after begin() print("Error: \(error)") } func tagReaderSession(_ session: NFCTagReaderSession, didDetect tags: [NFCTag]) { // Never reached } } Console logs: ========== NFC DEBUG INFO ========== iOS Version: 26.2 Device Model: iPhone Device Name: iPhone System Name: iOS NFCTagReaderSession.readingAvailable: true NFCNDEFReaderSession.readingAvailable: true Bundle ID: com.acalvoelorri.BonoResidente Creating NFCTagReaderSession with pollingOption: [.iso14443, .iso15693, .iso18092]... Session created: Optional(<NFCTagReaderSession: 0x110fa50e0>) Setting alertMessage... Calling session.begin()... session.begin() completed, isReading = true ========== NFC ERROR DEBUG ========== Full error: Error Domain=NFCError Code=2 "Missing required entitlement" UserInfo={NSLocalizedDescription=Missing required entitlement} Error type: NFCError Localized: Missing required entitlement NSError domain: NFCError NSError code: 2 NSError userInfo: ["NSLocalizedDescription": Missing required entitlement] Questions: Is there a known issue with NFCTagReaderSession entitlements on iOS 26.2? Are there additional entitlements required beyond com.apple.developer.nfc.readersession.formats with value TAG? How can I verify that the installed app's provisioning profile actually contains the NFC entitlement? Any help would be appreciated. Thank you.

I have opened a case with the apple developer support a month ago and they have not replied, since then I sent multiple other emails and opened more cases requesting them to get a status update about my case. So far I am being ignored, no reply or anything it is very frustrating, what can I do to get someone to help me with the apple developer team?

I have two apps - say A and B in my AppStore account, deployed in the AppStore. App A has obtained the com.apple.developer.usernotifications.filtering entitlement and this is added to my AppStore account by Apple after approval. Note that this is added for the account, and not for the specific app. Now, my app B also wants this functionality. Followed all the steps as done for app A - adding the already approved entitlement to my app B's identifier, regenerating the profiles, adding the key in the entitlements file, calling the completion handler with empty content like - contentHandler(UNNotificationContent()) Still the notifications show, the filtering is not working. Do I have to request the entitlement for App B separately? Even if I do request again, I am not sure if there is going to be any difference in the steps already done. The difference can only be if Apple has a mapping with the app id internally in their system, for the filtering to work? If I have white-labelled versions of apps A or B, do I have to request again then? Or does Apple restrict only one app to have this entitlement from one AppStore account? Please guide on the next steps here.

Hi, Since Xcode 26.2 beta 1, till now (I thought RC or actual release will solve this issue) I have problems exporting archive to appstore via Xcode Cloud (locally everything works and using Xcode 26.2 I was able to submit app to AppStore). Build is archived successfully but during export I get an error Exporting for App Store Distribution failed. Please download the logs artifact for more information. In xcodebuild-export-archive.log I see multiple attempts & errors like this 2025-12-13T08:29:34.040644840Z 2025-12-13 00:29:33.900 xcodebuild[10889:58988] DVTServices: Sending request 9A4173F4-CD87-4A76-95FC-501B4D11EF22 to <http://172.16.55.70:8089/services/v1/capabilities> for session DVTFoundation.DVTServicesSessionProxy. 2025-12-13T08:29:34.040647258Z Method: POST 2025-12-13T08:29:34.040648780Z 2025-12-13T08:29:34.040650230Z Headers: 2025-12-13T08:29:34.040651730Z { 2025-12-13T08:29:34.040653539Z Accept = "application/vnd.api+json"; 2025-12-13T08:29:34.040655403Z "Accept-Encoding" = "gzip, deflate"; 2025-12-13T08:29:34.040673847Z "Content-Length" = 124; 2025-12-13T08:29:34.040675883Z "Content-Type" = "application/vnd.api+json"; 2025-12-13T08:29:34.040677903Z "User-Agent" = Xcode; 2025-12-13T08:29:34.040681998Z "X-HTTP-Method-Override" = GET; 2025-12-13T08:29:34.040684468Z "X-Xcode-Version" = "26.2 (17C52)"; 2025-12-13T08:29:34.040686326Z } 2025-12-13T08:29:34.040688028Z 2025-12-13T08:29:34.040689711Z Payload: 2025-12-13T08:29:34.040692163Z {"urlEncodedQueryParams":"teamId=8CKLLLC9UE&filter%5BreferenceType%5D=bundle&filter%5BincludeRequestable%5D=true&limit=200"} 2025-12-13T08:29:34.308538247Z 2025-12-13 00:29:34.208 xcodebuild[10889:58988] DVTServices: Received response for 9A4173F4-CD87-4A76-95FC-501B4D11EF22 @ <http://172.16.55.70:8089/services/v1/capabilities>. Code = 0 2025-12-13T08:29:34.308555026Z 2025-12-13 00:29:34.208 xcodebuild[10889:58988] DVTServices: Response payload: { 2025-12-13T08:29:34.308557639Z "errors" : [ { 2025-12-13T08:29:34.308569919Z "id" : "0316154c-332b-4f9d-a90a-5770d4f8dc1a", 2025-12-13T08:29:34.308573588Z "status" : "400", 2025-12-13T08:29:34.308575871Z "code" : "PARAMETER_ERROR.INVALID", 2025-12-13T08:29:34.308578343Z "title" : "A parameter has an invalid value", 2025-12-13T08:29:34.308581767Z "detail" : "A parameter 'filter[includeRequestable]' has an invalid value : ''includeRequestable' is not a valid field name.'", 2025-12-13T08:29:34.308584989Z "source" : { 2025-12-13T08:29:34.308587270Z "parameter" : "filter[includeRequestable]" 2025-12-13T08:29:34.308589531Z } 2025-12-13T08:29:34.308591437Z } ] 2025-12-13T08:29:34.308593381Z } 2025-12-13T08:29:34.308595389Z 2025-12-13T08:29:34.308597297Z 2025-12-13T08:29:34.308600188Z 2025-12-13 00:29:34.208 xcodebuild[10889:58988] DVTServices: Could not fetch capabilities from network due to error: error = 'A parameter has an invalid value' When I use Xcode 26.1.1 to export the same commit, eveything works and workflow sends build to AppStoreConnect, any ideas what might cause this issue? Unfortunately I need to use Xcode 26.2 if I want to use tabViewBottomAccessory(isEnabled:content:) bcs even though this api is available since iOS 26.1, it's not available in Xcode 26.1

Hi everyone, I'm trying to add the Side Button Access entitlement to my voice-based conversational app following the documentation, but I'm unable to find it in Xcode. Steps I followed: Selected my app target in Xcode project navigator Went to the Signing & Capabilities tab Clicked the + Capability button Searched for "Side Button Access" Problem: The "Side Button Access" option does not appear in the capabilities list at all. Environment: I'm developing and testing in Japan (where this feature should be available) Xcode version: Xcode 26.2 beta 3 iOS deployment target: iOS 26.2 Questions: Is there any pre-registration or special approval process required from Apple before this entitlement becomes available? Are there any additional requirements or prerequisites I need to meet? Is this feature already available, or is it still in a limited beta phase? Any guidance would be greatly appreciated. Thank you!

I'm developing a watchOS nap app that detects when the user falls asleep by monitoring heart rate changes. == Technical Implementation == HKWorkoutSession (.mindAndBody) for background execution HKAnchoredObjectQuery for real-time heart rate data CoreMotion for movement detection == Battery Considerations == Heart rate monitoring ONLY active when user explicitly starts a session Monitoring continues until user is awakened OR 60-minute limit is reached If no sleep detected within 60 minutes, session auto-ends (user may have abandoned or forgotten to stop) App displays clear UI indicating monitoring is active Typical session: 15-30 minutes, keeping battery usage minimal == The Problem == HKWorkoutSession affects Activity Rings during the session. Users receive "Exercise goal reached" notifications while resting — confusing. == What I've Tried == Not using HKLiveWorkoutBuilder → Activity Rings still affected Using builder but not calling finishWorkout() (per https://developer.apple.com/forums/thread/780220) → Activity Rings still affected WKExtendedRuntimeSession (self-care type) (per https://developer.apple.com/forums/thread/721077) → Only ~10 min runtime, need up to 60 min HKObserverQuery + enableBackgroundDelivery (per https://developer.apple.com/forums/thread/779101) → ~4 updates/hour, too slow for real-time detection Audio background session for continuous processing (suggested in https://developer.apple.com/forums/thread/130287) → Concerned about App Store rejection for non-audio app; if official approves this technical route, I can implement in this direction Some online resources mention "Health Monitoring Entitlement" from WWDC 2019 Session 251, but I could not find any official documentation for this entitlement. Apple Developer Support also confirmed they cannot locate it? == My Question == Is there any supported way to: Monitor heart rate in background for up to 60 minutes WITHOUT affecting Activity Rings or creating workout records? If this requires a special entitlement or API access, please advise on the application process. Or allow me to submit a code-level support request. Any guidance would be greatly appreciated. Thank you!

I´m tring to integrate InApp push provisioning but when I send the information from the issuer to SDK to add my debit card to wallet I saw this error: PKPassKitErrorDomain Code 2 error Looking in the forum I found how to see part of the logs to get more detail on the error and I found: POST https://pr-pod9-smp-device.apple.com:443/broker/v4/devices/04131B65D01590022288082867404947F3CCA674C3D41F3C/cards/683986c983984251b9aecfc8ff51d88a/enable 'Error Domain=PKPaymentWebServiceErrorDomain Code=0 "Error inesperado." UserInfo={PKErrorHTTPResponseStatusCodeKey=500, NSLocalizedDescription=Error inesperado.