Entitlements

RSS for tag

Entitlements allow specific capabilities or security permissions for your apps.

Entitlements Documentation

Pinned Posts

Posts under Entitlements tag

169 Posts
Sort by:
Post not yet marked as solved
2 Answers
48 Views
Hi. I'm in the process of making changes to a MacOS SwiftUI project in order to have it be deployed using Developer ID. The project is a VPN using a packet tunnel provider so I'm converting the NetworkExtension to the SystemExtension equivalent. I run the exported app from the Applications folder and it starts up fine but I get a log saying that the current bundle does not have a SystemExtensions directory. When I check the contents of the package, it has put the extension in the Plugins folder instead, which tells me that the extension is still being treated as an app extension rather than a system extension. When I try to run the extension from my app, I get a log saying "Provider is an app extension and therefore cannot be signed with a Developer ID certificate" I have followed all steps listed here: https://developer.apple.com/forums/thread/125508 I have packet-tunnel-provider-systemextension in the Network Extensions array in the entitlements for both the main app and the extension. I've got Network Extension entitlements on both identifiers and and System Extension on the main app identifier I've created and imported provisioning profiles for both. No errors on either. In the extension's info.plist, I have made sure to set the bundle type to SYSX The product name for my extension matches it's bundle identifier The extension's wrapper extension is systemextension Can anyone think of anything I have missed which would cause Xcode to continue packaging it as an appex rather than a sysex? Or is there possibly somehow something I need to change in the swift code which Xcode will pick up on when packaging? Let me know if you need more info from me. Thanks in advance
Posted Last updated
.
Post not yet marked as solved
0 Answers
23 Views
We have a notification service extension which does silent login to our backing to get and update notification content. Login response comes with HTTP header Set-Cookie which adds session cookie used to identify login session. Then in the app we have actions registered for the corresponding category identifier. Both actions result in requests to our backend which also require session cookie. Both extension and the app have AppGroup entitlement and use same app group. Then we configure HTTPCookieStorage: let cookieStorage = HTTPCookieStorage.sharedCookieStorage(forGroupContainerIdentifier:<group_id>) let configuration = URLSessionConfiguration.default configuration.httpCookieStorage = NetworkClient.cookieStorage And we do use the very same configuration for all requests in extension / app, however when the app is spawned in the background after user taps one of the notification actions, the cookie storage in the app is empty. Although beforehand the cookie is set in the extension. Tested with with iOS 14.4.2. Also the question would be if it is possible to activate CFNETWORK_DIAGNOSTICS in both app and extension? App works so far. But not getting logs for the extension in the console. Appreciate any help and / or ideas.
Posted
by mneuwert.
Last updated
.
Post not yet marked as solved
0 Answers
31 Views
I need more information about AppTrackingTransparency. I see in the official documentation section overview "if your app collects data about end users and shares it with other companies for purposes of tracking across apps and web sites". So, if user disallow that permission we as developer can't share an event or anything to third party like MoEngage, AppsFlyer, Rudderstack, Amplitude, and etc right? But, I see in MoEngage article https://www.moengage.com/blog/ios-14-reshape-mobile-marketing when user disallow that permission we just can't get IDFA. But, I think we still have tracking user behavior or activity without IDFA. So, we still can track user behavior or activity via event tracked. Anyone can help me about this? Thank you.
Posted
by bezzo.
Last updated
.
Post not yet marked as solved
0 Answers
40 Views
Our (sandboxed, distributed through the Mac App Store) app can optionally run as a CLI tool, to allow users to use it in scripts and other automation contexts. One of the usecases involves being a wrapper for the ssh command, but the ssh binary is not able to enable raw mode for stdin due to a sandbox violation (bug report). As a reduced example, I've created https://github.com/mihaip/sandboxed-cli-test, which has a minimal C program that uses tcsetattr to set attributes on stdin. That fails, and sandboxd logs to the console Sandbox: SandboxedCLI(30110) deny(1) file-ioctl /dev/ttys012. If I disable sandboxing on the binary then it works as expected. Looking through the sandbox profiles on /System/Library/Sandbox/Profiles, I'm not seeing cases where file-ioctl is enabled on /dev/tty. Are we out of luck, or is there a workaround?
Posted
by mihaip.
Last updated
.
Post marked as solved
3 Answers
1.1k Views
Hi! Our app (blink.sh) has a browser integration focused on developers, and since latest changes now requires this entitlement to work properly. I have been trying to reach out over email (default-browser-requests at apple.com) more than five times since before Christmas with no response - not even a "case received" or "confirmation from Apple" which is very strange. I also reached out to "normal" developer relations through email and phone, and they took a deeper look at it. They told me that from information they got in this forum, the request may just take an "undetermined" amount of time, and that they could confirm we are using the right email. Unfortunately we have had to launch the new version of our application and limit some of the functionality, which is causing a stir of support issues from our side. Can anyone share what the process has been for them, and if they have received any confirmations along the way? Is there anyone here who could help us get in touch with the right person? Thanks!
Posted Last updated
.
Post not yet marked as solved
0 Answers
57 Views
I am building an iOS / Swift app for my M1 Mac in XCode by selecting the build target of "My Mac (designed for iPad)" from the drop down list. I was wondering if it is possible to access local files on my mac ( e.g. /Users/Downloads etc ) via the usual FileManager APIs ( or any other way ) I'm NOT trying to access files in the app bundle or app documents directory. I get a permissions error when trying to read a file or directory. I'm pretty sure I had done this in the simulator before, but that approach won't work here because I use some pre-compiled arm64 only libraries. I also tried Mac Catalyst but had similar build issues around my pre-compiled libraries. Maybe there is a way to use arm64 simulator on the M1? Thanks
Posted
by cc4.
Last updated
.
Post not yet marked as solved
0 Answers
62 Views
Hi I have built an application and trying to publish it to App Store Connect to do a TestFlight. My application is called Meeting Reminder App with an SKU of DanD.meeting-reminder. For some reason, every time I try to distribute the app to the App Store Connect, an email gets sent to me with this error: We identified one or more issues with a recent delivery for your app, "Meeting Reminder App" 1.0 (21). Please correct the following issues, then upload again. ITMS-90683: Missing Purpose String in Info.plist - Your app‘s code references one or more APIs that access sensitive user data. The app‘s Info.plist file should contain a NSCalendarsUsageDescription key with a user-facing purpose string explaining clearly and completely why your app needs the data. If you're using external libraries or SDKs, they may reference APIs that require a purpose string. While your app might not use these APIs, a purpose string is still required. For details, visit: https://developer.apple.com/documentation/uikit/protecting_the_user_s_privacy/requesting_access_to_protected_resources I have the key under the name of Privacy - Calendars Usage Description within the info.plist, and I have also made sure that the entitlement: Calendars is in both the Entitlement file for both release and debug. But somehow it still gives me the error. I would also like to point out that the Usage Description and the entitlements are only in the Extension file and not the actual App file. I do not know if that is necessary but please tell me if it is.
Posted Last updated
.
Post marked as solved
2 Answers
136 Views
I have 2 Apps. A sandboxed native Mac App written in AppKit/SwiftUI. A Catalyst App. I would like them to be able to communicate with each other. I assumed I would be able to do this using a shared App Group but I can't get it to work and I think this is because the App Group naming conventions appear to be different. As far as I can make out: A Mac App uses App groups prefixed with the team ID A Catalyst App uses the iOS App groups which are prefixed with group. I have tried multiple combinations of different prefixes to try and make this work but without success. I have been "testing" this by using UserDefaults(suiteName: appGroup) and then attempting to read write values between the 2 Apps but without success so far. My questions are: Is sharing an App Group between Catalyst and native technically possible? If it is possible what is the magic combo of App Group prefixes that makes it work? If it is not possible then do I have any other options for communicating between a sandboxed Mac App and a Catalyst App?
Posted Last updated
.
Post not yet marked as solved
0 Answers
66 Views
Hello Guys, Our application has default web browser entitlement: com.apple.developer.web-browser. However, I am not seeing it in Desktop Safari's Developer menu, I am using iPadOS 16 beta 2(20A5303i), Web Inspector is enabled in Safari's Advanced menu. Do we need to do some additional updates like rebuilding app with Xcode 14 or build that we currently have in AppStore should work without any modifications?
Posted Last updated
.
Post not yet marked as solved
5 Answers
168 Views
Folks; I have a sandboxed macOS app that provides text handling via a service. This app has been for sale in the Mac App Store for several years. The basic mechanics of the service work just fine… To set the scene: user opens a file in some fashion user makes a text selection within this open file user invokes my app’s service In the course of development of this service, I now have established an NSURL (file) for the user’s document. However, when I later attempt to open this url I get a sandbox error: client lacks entitlements? for path: …. NOTE: It does not matter where the file is located! My app already has this entitlement: com.apple.security.files.user-selected.read-write My question: Is there an entitlement that will permit me to programmatically open this fileURL?
Posted
by SwampDog.
Last updated
.
Post not yet marked as solved
0 Answers
107 Views
We requested com.apple.developer.driverkit.transport.usb entitlement a few days ago and it looks like it was granted since we see(can select) it at: App Id -> Additional Capabilities Tab -> DriverKit USB Transport - Vendor ID. We tried to choose both options at Additional Entitlements page Default and Driver Kit and System Extension Template for **** Mac Dev. Generated profile displays DriverKit USB Transport - Vendor ID in Enabled Capabilities in browser. However downloaded profile doesn't include com.apple.developer.driverkit.transport.usb. As a result our Driver fails to start and in Console we see: Driver: Unsatisfied entitlements: com.apple.developer.driverkit.transport.usb /Library/SystemExtensions/675FA894-8985-4D86-B0FF-B892B9AEA27B/Driver.dext/Driver signature not valid: -67671 BTW, we tried to modify existing profile and create a new one. Did we miss something? Is any way to check entitlement status with Apple support?
Posted
by myurik2.
Last updated
.
Post not yet marked as solved
2 Answers
320 Views
In iOS 16, UIDevice.name has changed to only return the model of the device, not the user specified name. There is an entitlement, com.apple.developer.device-information.user-assigned-device-name that can be requested to keep the old behaviour, but I can't find any info on how to request that entitlement. Anyone able to help?
Posted Last updated
.
Post not yet marked as solved
2 Answers
186 Views
Hi, I'm using XCode 13.4.1, but this issue originally started occurring in XCode 13.4. The iOS app I'm working on uses XCode automatic signing for its provisioning profile and within the past couple of days has started including Game Center in its listed capabilities. This is causing failures when I attempt to upload builds of the app to the store, as our app does not and should not support Game Center. I have never added Game Center as a capability in the Signing & Capabilities section of XCode, it is not ticked as a capability on the Apple Developer Portal and it is not included in my entitlements file. Stuff I've tried to fix this: Adding/removing Game Center from Development Portal & in XCode, then re-generating provisioning profile. Updating from XCode 13.4 to 13.4.1. Closing XCode, deleting all installed provisioning profiles from Library and re-opening. No joy so far. Anyone got any advice for how to resolve? Thanks
Posted
by Strafe86.
Last updated
.
Post marked as solved
4 Answers
278 Views
Hi forum! I'm a n00b in apple development, so I apologise in advance if something is very wrong. I have a python app for MacOS that I am deploying with pyinstaller (thus I am NOT using Xcode). The app is to be deployed through github not through the app store. I could sign it and notarize it and it works. However, the app needs to run some external unsigned code (like a plugin). The hardened runtime blocks that, so I need to add entitlements. I've done it as it's explained in many other places with codesign. It seems to work but when I run the app, it crashes immediately with EXC_CRASH (Code signature invalid). The crash doesn't happen unless I add the entitlements. Now my questions: how do I make my situation work? Do I need a provisioning profile? The entitlements I am trying to add (hardened runtime-related) are not restricted AFAIK, so I don't think I do? If I need a provisioning profile, how can I add it to the app after it's bundled with pyinstaller? Thank you so much! Francesco
Posted
by Fsantini.
Last updated
.
Post not yet marked as solved
0 Answers
96 Views
#define KdownloadsPath NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES).firstObject _downloadedPath = [KdownloadsPath stringByAppendingPathComponent:fileName]; _downloadingPath = [_downloadedPath stringByAppendingString:@".download"]; NSDictionary* info = [NSDictionary dictionaryWithObjectsAndKeys:         @"NSProgressFileOperationKindDownloading", @"NSProgressFileOperationKindKey",         [NSURL fileURLWithPath:_downloadingPath], @"NSProgressFileURLKey",         nil]; self.progress = [[NSProgress alloc] initWithParent:nil userInfo:info]; [self.progress setKind:@"NSProgressKindFile"]; [self.progress setPausable:NO]; [self.progress setCancellable:YES]; [self.progress setTotalUnitCount:_totalBytes]; [self.progress publish]; (updating the progress indicator happens elsewhere) I'm creating an NSProgress object to show a progress indicator underneat a file in my Downloads directory. The entitlements includes com.apple.security.files.downloads.read-write. The indicator does not show when NSProgressFileURLKey points to the sandboxed file path, e.g. /Users/mdbraber/Library/Containers/com.mdbraber.TestApp/Data/Downloads/Test.pptx.download. It does work when NSProgressFileURLKey points to the direct download location which the sandbox links to e.g. /Users/mdbraber/Downloads/Test.pptx.download Is this a bug or should I use something else for NSProgressFileURLKey to make this work?
Posted
by mdbraber.
Last updated
.
Post not yet marked as solved
2 Answers
174 Views
Hello, When it comes to creating application build I've made an application that requires LiDAR to function and knowing that it is possible to restrict an application to iPhone or iPad only for example does a similar situation exist for functionality? Thank you!
Posted
by TonyAmaze.
Last updated
.